
Bug#989448: marked as done (unblock: htmldoc/1.9.11-4)



Your message dated Tue, 08 Jun 2021 21:19:27 +0000
with message-id <E1lqj8B-00009f-I4@respighi.debian.org>
and subject line unblock htmldoc
has caused the Debian Bug report #989448,
regarding unblock: htmldoc/1.9.11-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989448: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989448
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: haavard_aasen@yahoo.no

Please unblock package htmldoc

This release adds patches to fix 8 CVE's and closes: #989437.

There are two things which are not needed in this release, though the
changes are not related to the code. I added the file
'debian/gbp.conf' since I changed the repository layout. I also fixed a
minor error in the previous changelog entry, adding a missing '#' in a
'close bug' statement.

[ Reason ]
CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191,
CVE-2021-23206, CVE-2021-26252, CVE-2021-26259 and CVE-2021-26948

[ Impact ]

[ Tests ]
I have manually tested CVE-2021-23158, CVE-2021-23165, CVE-2021-23180,
CVE-2021-23206 and CVE-2021-26252
The issues in GitHub provided files that failed, before the fix was
applied, and succeeded with this release.

[ Risks ]
I consider this to be of minor risk. Code is coming from upstream, which
also has released a new version with the changes.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock htmldoc/1.9.11-4

Regards,
Håvard
diff -Nru htmldoc-1.9.11/debian/changelog htmldoc-1.9.11/debian/changelog
--- htmldoc-1.9.11/debian/changelog	2021-05-10 16:10:41.000000000 +0200
+++ htmldoc-1.9.11/debian/changelog	2021-06-03 21:29:16.000000000 +0200
@@ -1,7 +1,16 @@
+htmldoc (1.9.11-4) unstable; urgency=medium
+
+  * Add patches to fix many CVE's. Closes: #989437
+    Fix: CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191,
+    CVE-2021-23206, CVE-2021-26252, CVE-2021-26259, CVE-2021-26948.
+  * Switch to DEP-14 layout
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no>  Thu, 03 Jun 2021 21:29:16 +0200
+
 htmldoc (1.9.11-3) unstable; urgency=medium
 
   * Add patch to mitigate buffer-overflow caused by integer-overflow in
-    image_load_gif() Closes: 984765 and fixes CVE-2021-20308
+    image_load_gif() Closes: #984765 and fixes CVE-2021-20308
 
  -- Håvard Flaget Aasen <haavard_aasen@yahoo.no>  Mon, 10 May 2021 16:10:41 +0200
 
diff -Nru htmldoc-1.9.11/debian/gbp.conf htmldoc-1.9.11/debian/gbp.conf
--- htmldoc-1.9.11/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/gbp.conf	2021-05-23 08:32:55.000000000 +0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/latest
+upstream-branch = upstream/latest
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch	2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,128 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 09:37:58 -0400
+Subject: CVE-2021-23158, CVE-2021-23191, CVE-2021-26252
+
+Fix JPEG error handling (Issue #415)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/369b2ea1fd0d0537ba707f20a2f047b6afd2fbdc
+Bug: https://github.com/michaelrsweet/htmldoc/issues/412
+Bug: https://github.com/michaelrsweet/htmldoc/issues/414
+Bug: https://github.com/michaelrsweet/htmldoc/issues/415
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/file.c     |  9 ++++++++-
+ htmldoc/image.cxx  | 38 +++++++++++++++++++++++++++++++-------
+ htmldoc/ps-pdf.cxx |  5 +++++
+ 3 files changed, 44 insertions(+), 8 deletions(-)
+
+diff --git a/htmldoc/file.c b/htmldoc/file.c
+index 20229c1..9f017de 100644
+--- a/htmldoc/file.c
++++ b/htmldoc/file.c
+@@ -1000,8 +1000,15 @@ file_rlookup(const char *filename)	/* I - Filename */
+ 
+ 
+   for (i = web_files, wc = web_cache; i > 0; i --, wc ++)
++  {
+     if (!strcmp(wc->name, filename))
+-      return (wc->url);
++    {
++      if (!strncmp(wc->url, "data:", 5))
++        return ("data URL");
++      else
++        return (wc->url);
++    }
++  }
+ 
+   return (filename);
+ }
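Review bot: the `data:` test on the matched `wc->url` is a case-sensitive `strncmp`, so a cached `DATA:` or `Data:` URL (scheme names are case-insensitive) would still be returned in full and end up verbatim in whatever error message this lookup feeds; `strncasecmp(wc->url, "data:", 5)` closes that gap. Substituting the literal "data URL" is otherwise the right call, since the alternative is echoing an arbitrarily long base64 payload into the `progress_error` output.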
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 8f53050..74abfac 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -1336,6 +1336,15 @@ image_load_gif(image_t *img,	/* I - Image pointer */
+ }
+ 
+ 
++typedef struct hd_jpeg_err_s	// JPEG error manager extension
++{
++  struct jpeg_error_mgr	jerr;	// JPEG error manager information
++  jmp_buf	retbuf;		// setjmp() return buffer
++  char		message[JMSG_LENGTH_MAX];
++				// Last error message
++} hd_jpeg_err_t;
++
++
+ /*
+  * 'image_load_jpeg()' - Load a JPEG image file.
+  */
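Review bot: `jmp_buf` requires `<setjmp.h>` and nothing in this patch adds the include; confirm image.cxx already pulls it in (directly or through a header) or add it next to this typedef, since an undeclared `setjmp`/`longjmp` is a hard error in C++. The member order also matters: `jerr` must stay the first member, because both `image_load_jpeg` and `jpeg_error_handler` cast between `hd_jpeg_err_t *` and `struct jpeg_error_mgr *`, and that cast is only valid for the first member.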
+@@ -1347,14 +1356,21 @@ image_load_jpeg(image_t *img,	/* I - Image pointer */
+                 int     load_data)/* I - 1 = load image data, 0 = just info */
+ {
+   struct jpeg_decompress_struct	cinfo;		/* Decompressor info */
+-  struct jpeg_error_mgr		jerr;		/* Error handler info */
+-  JSAMPROW			row;		/* Sample row pointer */
++  hd_jpeg_err_t			jerr;		// JPEG error handler
++JSAMPROW			row;		/* Sample row pointer */
+ 
+ 
+-  jpeg_std_error(&jerr);
+-  jerr.error_exit = jpeg_error_handler;
++  jpeg_std_error(&jerr.jerr);
++  jerr.jerr.error_exit = jpeg_error_handler;
+ 
+-  cinfo.err = &jerr;
++  if (setjmp(jerr.retbuf))
++  {
++    progress_error(HD_ERROR_BAD_FORMAT, "%s (%s)", jerr.message,  file_rlookup(img->filename));
++    jpeg_destroy_decompress(&cinfo);
++    return (-1);
++  }
++
++  cinfo.err = (struct jpeg_error_mgr *)&jerr;
+   jpeg_create_decompress(&cinfo);
+   jpeg_stdio_src(&cinfo, fp);
+   jpeg_read_header(&cinfo, (boolean)1);
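Review bot: the `++JSAMPROW			row;` line lost its leading indentation, a cosmetic regression against the neighbouring declarations. On the recovery path, `setjmp` is taken before `jpeg_create_decompress`, which is the correct order, but the `return (-1)` branch only destroys the decompressor: if `image_load_jpeg` has already allocated pixel storage for `img` by the time libjpeg raises an error mid-scanline (that part of the function is outside this hunk), nothing here releases it, so the caller has to be relied on for that cleanup. `fp` is likewise left open, consistent with the caller owning it.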
+@@ -1797,9 +1813,17 @@ image_unload(image_t *img)	// I - Image
+  */
+ 
+ static void
+-jpeg_error_handler(j_common_ptr)
++jpeg_error_handler(j_common_ptr p)	// Common JPEG data
+ {
+-  return;
++  hd_jpeg_err_t	*jerr = (hd_jpeg_err_t *)p->err;
++					// JPEG error handler
++
++
++  // Save the error message in the string buffer...
++  (jerr->jerr.format_message)(p, jerr->message);
++
++  // Return to the point we called setjmp()...
++  longjmp(jerr->retbuf, 1);
+ }
+ 
+ 
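Review bot: this handler is the core of the fix and the patch description should say so: libjpeg's `error_exit` contract is that the handler must not return, and the previous bare `return;` let the library continue with a half-initialised decompressor after a fatal error, which is how malformed JPEG input turned into memory corruption. `format_message` writes at most `JMSG_LENGTH_MAX` bytes, matching the `message` buffer, and the `longjmp` to the `retbuf` armed in `image_load_jpeg` is the standard libjpeg idiom; the usual caveat is that non-volatile locals modified between `setjmp` and the error are indeterminate afterwards, which is acceptable here because the recovery path only touches `jerr` and `cinfo`.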
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index af1a55e..499f487 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -1404,6 +1404,8 @@ pspdf_prepare_page(int page)		/* I - Page number */
+ 
+ 
+   DEBUG_printf(("pspdf_prepare_page(%d)\n", page));
++  if (page < 0 || page >= num_pages)
++    return;
+ 
+  /*
+   * Make a page number; use roman numerals for the table of contents
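Review bot: the range check sits after the `DEBUG_printf`, so an out-of-range `page` is still logged in debug builds before the early return, which helps when diagnosing malformed input; in release builds, however, the bad index is swallowed silently. A `progress_error` call, as used in the image.cxx hunk of this same patch, would make the condition visible to the user.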
+@@ -12258,6 +12260,9 @@ write_trailer(FILE  *out,		/* I - Output file */
+ 
+       for (j = 1; j <= TocDocCount; j ++)
+       {
++        if (chapter_starts[j] < 0)
++          continue;
++
+         page  = pages + chapter_starts[j];
+ 	start = chapter_starts[j] - chapter_starts[1] + 1;
+ 	type  = 'D';
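Review bot: `start = chapter_starts[j] - chapter_starts[1] + 1` still reads `chapter_starts[1]` unconditionally, so if the first chapter is the one with a negative start, chapter 1 is skipped by the new `continue` but every later chapter's `start` is still computed from that sentinel value. If a negative `chapter_starts[1]` is reachable, the base should come from the first non-negative entry instead.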
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch	2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,26 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 09:47:56 -0400
+Subject: CVE-2021-23165
+
+Fix a number-up crash bug (Issue #413)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6e8a95561988500b5b5ae4861b3b0cbf4fba517f
+Bug: https://github.com/michaelrsweet/htmldoc/issues/413
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/ps-pdf.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index 8804df4..7fbc345 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -1318,7 +1318,7 @@ pspdf_prepare_outpages()
+     chapter_outstarts[c] = num_outpages;
+ 
+     for (i = chapter_starts[c], j = 0, nup = -1, page = pages + i;
+-         i <= chapter_ends[c];
++         i <= chapter_ends[c] && num_outpages < num_pages;
+ 	 i ++, page ++)
+     {
+       if (nup != page->nup)
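Review bot: the added `num_outpages < num_pages` bound keeps the loop from writing past the output page array, but it stops silently: any remaining pages of the chapter are dropped with no diagnostic, so a truncated document and a complete one look the same to the user. A `progress_error` when the bound trips would make the failure visible.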
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch	2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,35 @@
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 26 Jan 2021 08:02:32 -0500
+Subject: CVE-2021-23180
+
+Fix a crash bug with malformed URIs (Issue #418)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/19c582fb32eac74b57e155cffbb529377a9e751a
+Bug: https://github.com/michaelrsweet/htmldoc/issues/418
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/htmldoc/file.c b/htmldoc/file.c
+index 9f017de..eee89af 100644
+--- a/htmldoc/file.c
++++ b/htmldoc/file.c
+@@ -304,6 +304,7 @@ const char *			/* O - File extension */
+ file_extension(const char *s)	/* I - Filename or URL */
+ {
+   const char	*extension;	/* Pointer to directory separator */
++  char		*bufptr;	/* Pointer into buffer */
+   static char	buf[1024];	/* Buffer for files with targets */
+ 
+ 
+@@ -334,7 +335,8 @@ file_extension(const char *s)	/* I - Filename or URL */
+ 
+   strlcpy(buf, extension, sizeof(buf));
+ 
+-  *(char *)strchr(buf, '#') = '\0';
++  if ((bufptr = strchr(buf, '#')) != NULL)
++    *bufptr = '\0';
+ 
+   return (buf);
+ }
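Review bot: the NULL check is the right fix for the unconditional `*(char *)strchr(buf, '#') = '\0'`, which dereferenced NULL for any extension without a `#` target. Two pre-existing points worth a follow-up rather than this backport: `file_extension` returns a pointer into the function-static `buf[1024]`, so it is not reentrant and the result is invalidated by the next call, and `strlcpy` truncates silently on inputs longer than 1023 bytes.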
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch	2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,61 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 08:21:57 -0400
+Subject: CVE-2021-23206
+
+Fix crash bugs with bogus table attributes (Issue #416)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/ba61a3ece382389ae4482c7027af8b32e8ab4cc8
+Bug: https://github.com/michaelrsweet/htmldoc/issues/416
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/ps-pdf.cxx | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index 499f487..bb8a5b9 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -5735,7 +5735,7 @@ render_table_row(hdtable_t &table,
+       if ((var = htmlGetVariable(cells[row][col], (uchar *)"ROWSPAN")) != NULL)
+         table.row_spans[col] = atoi((char *)var);
+ 
+-      if (table.row_spans[col] == 1)
++      if (table.row_spans[col] <= 1)
+         table.row_spans[col] = 0;
+ 
+       if (table.row_spans[col] > (table.num_rows - row))
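Review bot: `<= 1` now also covers the 0 that `atoi` returns for non-numeric `ROWSPAN` values and any negative value, both of which previously slipped past the `== 1` test and reached the `num_rows - row` comparison as signed garbage. The same comparison is repeated in the `parse_table` rowspan hunk of this patch, so the two stay consistent.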
+@@ -6555,7 +6555,12 @@ parse_table(tree_t *t,			// I - Tree to parse
+         {
+ 	  // Handle colspan and rowspan stuff...
+           if ((var = htmlGetVariable(tempcol, (uchar *)"COLSPAN")) != NULL)
+-            colspan = atoi((char *)var);
++          {
++            if ((colspan = atoi((char *)var)) < 1)
++              colspan = 1;
++            else if (colspan > (MAX_COLUMNS - col))
++              colspan = MAX_COLUMNS - col;
++          }
+           else
+             colspan = 1;
+ 
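Review bot: if `col` can equal `MAX_COLUMNS` at this point, the upper clamp `MAX_COLUMNS - col` yields `colspan = 0`, and the `< 1` branch does not catch it because it runs first; if that state is reachable, either re-check for a result below 1 after the upper clamp or guarantee the enclosing loop stops at `MAX_COLUMNS - 1`.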
+@@ -6563,7 +6568,7 @@ parse_table(tree_t *t,			// I - Tree to parse
+ 	  {
+             table.row_spans[col] = atoi((char *)var);
+ 
+-	    if (table.row_spans[col] == 1)
++	    if (table.row_spans[col] <= 1)
+ 	      table.row_spans[col] = 0;
+ 
+ 	    for (tcol = 1; tcol < colspan; tcol ++)
+@@ -6585,6 +6590,11 @@ parse_table(tree_t *t,			// I - Tree to parse
+ 	    {
+               col_width -= 2.0 * table.cellpadding;
+ 	    }
++
++	    if (col_width <= 0.0f)
++	      col_width = 0.0f;
++	    else if (col_width > PageWidth)
++	      col_width = PageWidth;
+ 	  }
+ 	  else
+ 	    col_width = 0.0f;
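Review bot: this clamp uses `PageWidth` as its ceiling while the `table_width` clamp added in the CVE-2021-26259 patch uses `PagePrintWidth`; if `PageWidth` includes the margins, a single cell can still be declared wider than the printable area the table itself is limited to. Confirm which bound is intended and consider one named limit so the two stay aligned.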
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch	2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,71 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 08:14:29 -0400
+Subject: CVE-2021-26259
+
+Fix a crash bug with bogus table attributes (Issue #417)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/0ddab26a542c74770317b622e985c52430092ba5
+Bug: https://github.com/michaelrsweet/htmldoc/issues/417
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/ps-pdf.cxx | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index bb8a5b9..8804df4 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -6379,6 +6379,9 @@ parse_table(tree_t *t,			// I - Tree to parse
+       table_width = (float)(atof((char *)var) * (right - left) / 100.0f);
+     else
+       table_width = (float)(atoi((char *)var) * PagePrintWidth / _htmlBrowserWidth);
++
++    if (table_width < 0.0f || table_width > PagePrintWidth)
++      table_width = right - left;
+   }
+   else
+     table_width = right - left;
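Review bot: the guard rejects negative and over-wide values but lets `table_width == 0.0f` through (for example `WIDTH="0"`, or a non-numeric value that `atoi`/`atof` turn into 0); if a zero-width table is not meaningful downstream, `<= 0.0f` would send that case to the `right - left` fallback as well.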
+@@ -6396,19 +6399,31 @@ parse_table(tree_t *t,			// I - Tree to parse
+   DEBUG_printf(("table_width = %.1f\n", table_width));
+ 
+   if ((var = htmlGetVariable(t, (uchar *)"CELLPADDING")) != NULL)
+-    table.cellpadding = atoi((char *)var);
++  {
++    if ((table.cellpadding = atoi((char *)var)) < 0.0f)
++      table.cellpadding = 0.0f;
++    else if (table.cellpadding > 20.0f)
++      table.cellpadding = 20.0f;
++  }
+   else
+     table.cellpadding = 1.0f;
+ 
+   if ((var = htmlGetVariable(t, (uchar *)"CELLSPACING")) != NULL)
+-    cellspacing = atoi((char *)var);
++  {
++    if ((cellspacing = atoi((char *)var)) < 0.0f)
++      cellspacing = 0.0f;
++    else if (cellspacing > 20.0f)
++      cellspacing = 20.0f;
++  }
+   else
+     cellspacing = 0.0f;
+ 
+   if ((var = htmlGetVariable(t, (uchar *)"BORDER")) != NULL)
+   {
+-    if ((table.border = (float)atof((char *)var)) == 0.0 && var[0] != '0')
++    if ((table.border = (float)atof((char *)var)) <= 0.0 && var[0] != '0')
+       table.border = 1.0f;
++    else if (table.border > 20.0f)
++      table.border = 20.0f;
+ 
+     table.cellpadding += table.border;
+   }
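Review bot: `atoi` returns an `int` that is then compared against `0.0f`/`20.0f` and stored into float fields; it works by promotion, but reads as if the attribute could be fractional, so either compare against integer literals or parse with `atof` as the `BORDER` branch does. The `20.0f` ceiling is a magic number repeated three times and belongs in a named constant. The `BORDER` change from `== 0.0` to `<= 0.0` also maps a negative border to `1.0f` rather than clamping it to 0, which matches the commit's intent but deserves a comment so it is not "fixed" later.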
+@@ -6438,7 +6453,7 @@ parse_table(tree_t *t,			// I - Tree to parse
+ 
+   table.border_size = table.border - 1.0f;
+ 
+-  cellspacing *= PagePrintWidth / _htmlBrowserWidth;
++  cellspacing       *= PagePrintWidth / _htmlBrowserWidth;
+   table.cellpadding *= PagePrintWidth / _htmlBrowserWidth;
+   table.border      *= PagePrintWidth / _htmlBrowserWidth;
+   table.border_size *= PagePrintWidth / _htmlBrowserWidth;
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch	2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,65 @@
+From: =?utf-8?q?H=C3=A5vard_Flaget_Aasen?= <haavard_aasen@yahoo.no>
+Date: Thu, 3 Jun 2021 21:15:52 +0200
+Subject: CVE-2021-26948
+
+Fix crash bug with data: URIs (Issue #410)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/008861d8339c6ec777e487770b70b95b1ed0c1d2
+Bug: https://github.com/michaelrsweet/htmldoc/issues/410
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/file.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/htmldoc/file.c b/htmldoc/file.c
+index eee89af..9a5f3e2 100644
+--- a/htmldoc/file.c
++++ b/htmldoc/file.c
+@@ -624,11 +624,13 @@ file_find(const char *path,		/* I - Path "dir;dir;dir" */
+   */
+ 
+   for (i = 0; i < (int)web_files; i ++)
++  {
+     if (strcmp(s, web_cache[i].name) == 0)
+     {
+       DEBUG_printf(("file_find: Returning cache file \"%s\"!\n", s));
+       return (s);
+     }
++  }
+ 
+   DEBUG_printf(("file_find: \"%s\" not in web cache of %d files...\n", s, (int)web_files));
+ 
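Review bot: this hunk and the next one add braces only, with no behavioural change; they make a security backport noisier than necessary and widen the context that later patches must match, so consider dropping them from the Debian patch and keeping only the `file_method` hunk, which is the functional part of the fix.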
+@@ -637,11 +639,14 @@ file_find(const char *path,		/* I - Path "dir;dir;dir" */
+   */
+ 
+   if (strchr(s, '%') == NULL)
++  {
+     strlcpy(basename, s, sizeof(basename));
++  }
+   else
+   {
+     for (sptr = s, temp = basename;
+ 	 *sptr && temp < (basename + sizeof(basename) - 1);)
++    {
+       if (*sptr == '%' && isxdigit(sptr[1]) && isxdigit(sptr[2]))
+       {
+        /*
+@@ -664,6 +669,7 @@ file_find(const char *path,		/* I - Path "dir;dir;dir" */
+       }
+       else
+ 	*temp++ = *sptr++;
++    }
+ 
+     *temp = '\0';
+   }
+@@ -918,7 +924,9 @@ file_localize(const char *filename,	/* I - Filename */
+ const char *			/* O - Method string ("http", "ftp", etc.) */
+ file_method(const char *s)	/* I - Filename or URL */
+ {
+-  if (strncmp(s, "http:", 5) == 0)
++  if (strncmp(s, "data:", 5) == 0)
++    return ("data");
++  else if (strncmp(s, "http:", 5) == 0)
+     return ("http");
+   else if (strncmp(s, "https:", 6) == 0)
+     return ("https");
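Review bot: `data:` is now recognised before the `http:` test, so a data URI no longer falls through to the non-URL handling that follows the visible comparisons; the check is case-sensitive like the others in this function, so `DATA:` would still take the old path. Since this is the only functional change in the patch, the description should state what callers do with the new "data" method value so the fix can be verified against the linked issue.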
diff -Nru htmldoc-1.9.11/debian/patches/series htmldoc-1.9.11/debian/patches/series
--- htmldoc-1.9.11/debian/patches/series	2021-05-10 16:10:41.000000000 +0200
+++ htmldoc-1.9.11/debian/patches/series	2021-06-03 21:29:16.000000000 +0200
@@ -6,3 +6,9 @@
 disable_libz.patch
 remove-os-check.patch
 Fix-crash-bug-with-bad-GIFs-Issue-423.patch
+CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch
+CVE-2021-23165.patch
+CVE-2021-23180.patch
+CVE-2021-23206.patch
+CVE-2021-26259.patch
+CVE-2021-26948.patch
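Review bot: the series order does not match the order in which the patches were generated: `CVE-2021-23165.patch` carries `index 8804df4..7fbc345` for ps-pdf.cxx, meaning it was produced on top of `CVE-2021-26259.patch` (`bb8a5b9..8804df4`), yet it is listed ahead of both `CVE-2021-23206.patch` and `CVE-2021-26259.patch`. quilt applies by context, and the hunks touch different regions of the file, so the series applies cleanly, but `git apply --3way` or `git am -3` will trip over the stale blob ids; regenerating the patches in series order, or moving 23165 after 26259, avoids that.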

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
