--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: haavard_aasen@yahoo.no
Please unblock package htmldoc
This release adds patches to fix 8 CVE's and closes: #989437.
There are two changes in this upload that are not strictly needed for the fix; neither of them touches the code. I added the file
'debian/gbp.conf' since I changed the repository layout, and I fixed a
minor error in the previous changelog entry by adding the missing '#' in a
'Closes:' statement.
[ Reason ]
CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191,
CVE-2021-23206, CVE-2021-26252, CVE-2021-26259 and CVE-2021-26948
[ Impact ]
[ Tests ]
I have manually tested CVE-2021-23158, CVE-2021-23165, CVE-2021-23180,
CVE-2021-23206 and CVE-2021-26252
The issues in GitHub provided files that failed, before the fix was
applied, and succeeded with this release.
[ Risks ]
I consider this to be of minor risk. Code is coming from upstream, which
also has released a new version with the changes.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
unblock htmldoc/1.9.11-4
Regards,
Håvard
diff -Nru htmldoc-1.9.11/debian/changelog htmldoc-1.9.11/debian/changelog
--- htmldoc-1.9.11/debian/changelog 2021-05-10 16:10:41.000000000 +0200
+++ htmldoc-1.9.11/debian/changelog 2021-06-03 21:29:16.000000000 +0200
@@ -1,7 +1,16 @@
+htmldoc (1.9.11-4) unstable; urgency=medium
+
+ * Add patches to fix many CVE's. Closes: #989437
+ Fix: CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191,
+ CVE-2021-23206, CVE-2021-26252, CVE-2021-26259, CVE-2021-26948.
+ * Switch to DEP-14 layout
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Thu, 03 Jun 2021 21:29:16 +0200
+
htmldoc (1.9.11-3) unstable; urgency=medium
* Add patch to mitigate buffer-overflow caused by integer-overflow in
- image_load_gif() Closes: 984765 and fixes CVE-2021-20308
+ image_load_gif() Closes: #984765 and fixes CVE-2021-20308
-- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Mon, 10 May 2021 16:10:41 +0200
diff -Nru htmldoc-1.9.11/debian/gbp.conf htmldoc-1.9.11/debian/gbp.conf
--- htmldoc-1.9.11/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/gbp.conf 2021-05-23 08:32:55.000000000 +0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/latest
+upstream-branch = upstream/latest
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch 2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,128 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 09:37:58 -0400
+Subject: CVE-2021-23158, CVE-2021-23191, CVE-2021-26252
+
+Fix JPEG error handling (Issue #415)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/369b2ea1fd0d0537ba707f20a2f047b6afd2fbdc
+Bug: https://github.com/michaelrsweet/htmldoc/issues/412
+Bug: https://github.com/michaelrsweet/htmldoc/issues/414
+Bug: https://github.com/michaelrsweet/htmldoc/issues/415
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/file.c | 9 ++++++++-
+ htmldoc/image.cxx | 38 +++++++++++++++++++++++++++++++-------
+ htmldoc/ps-pdf.cxx | 5 +++++
+ 3 files changed, 44 insertions(+), 8 deletions(-)
+
+diff --git a/htmldoc/file.c b/htmldoc/file.c
+index 20229c1..9f017de 100644
+--- a/htmldoc/file.c
++++ b/htmldoc/file.c
+@@ -1000,8 +1000,15 @@ file_rlookup(const char *filename) /* I - Filename */
+
+
+ for (i = web_files, wc = web_cache; i > 0; i --, wc ++)
++ {
+ if (!strcmp(wc->name, filename))
+- return (wc->url);
++ {
++ if (!strncmp(wc->url, "data:", 5))
++ return ("data URL");
++ else
++ return (wc->url);
++ }
++ }
+
+ return (filename);
+ }
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 8f53050..74abfac 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -1336,6 +1336,15 @@ image_load_gif(image_t *img, /* I - Image pointer */
+ }
+
+
++typedef struct hd_jpeg_err_s // JPEG error manager extension
++{
++ struct jpeg_error_mgr jerr; // JPEG error manager information
++ jmp_buf retbuf; // setjmp() return buffer
++ char message[JMSG_LENGTH_MAX];
++ // Last error message
++} hd_jpeg_err_t;
++
++
+ /*
+ * 'image_load_jpeg()' - Load a JPEG image file.
+ */
+@@ -1347,14 +1356,21 @@ image_load_jpeg(image_t *img, /* I - Image pointer */
+ int load_data)/* I - 1 = load image data, 0 = just info */
+ {
+ struct jpeg_decompress_struct cinfo; /* Decompressor info */
+- struct jpeg_error_mgr jerr; /* Error handler info */
+- JSAMPROW row; /* Sample row pointer */
++ hd_jpeg_err_t jerr; // JPEG error handler
++JSAMPROW row; /* Sample row pointer */
+
+
+- jpeg_std_error(&jerr);
+- jerr.error_exit = jpeg_error_handler;
++ jpeg_std_error(&jerr.jerr);
++ jerr.jerr.error_exit = jpeg_error_handler;
+
+- cinfo.err = &jerr;
++ if (setjmp(jerr.retbuf))
++ {
++ progress_error(HD_ERROR_BAD_FORMAT, "%s (%s)", jerr.message, file_rlookup(img->filename));
++ jpeg_destroy_decompress(&cinfo);
++ return (-1);
++ }
++
++ cinfo.err = (struct jpeg_error_mgr *)&jerr;
+ jpeg_create_decompress(&cinfo);
+ jpeg_stdio_src(&cinfo, fp);
+ jpeg_read_header(&cinfo, (boolean)1);
+@@ -1797,9 +1813,17 @@ image_unload(image_t *img) // I - Image
+ */
+
+ static void
+-jpeg_error_handler(j_common_ptr)
++jpeg_error_handler(j_common_ptr p) // Common JPEG data
+ {
+- return;
++ hd_jpeg_err_t *jerr = (hd_jpeg_err_t *)p->err;
++ // JPEG error handler
++
++
++ // Save the error message in the string buffer...
++ (jerr->jerr.format_message)(p, jerr->message);
++
++ // Return to the point we called setjmp()...
++ longjmp(jerr->retbuf, 1);
+ }
+
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index af1a55e..499f487 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -1404,6 +1404,8 @@ pspdf_prepare_page(int page) /* I - Page number */
+
+
+ DEBUG_printf(("pspdf_prepare_page(%d)\n", page));
++ if (page < 0 || page >= num_pages)
++ return;
+
+ /*
+ * Make a page number; use roman numerals for the table of contents
+@@ -12258,6 +12260,9 @@ write_trailer(FILE *out, /* I - Output file */
+
+ for (j = 1; j <= TocDocCount; j ++)
+ {
++ if (chapter_starts[j] < 0)
++ continue;
++
+ page = pages + chapter_starts[j];
+ start = chapter_starts[j] - chapter_starts[1] + 1;
+ type = 'D';
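Review bot: The setjmp() recovery branch in image_load_jpeg calls jpeg_destroy_decompress() and returns -1 without releasing anything the function allocated for the image; if the part of image_load_jpeg below the hunk mallocs img->pixels before the scanline loop, an error raised mid-decode now leaks that buffer and leaves img->pixels set beside a -1 return, so the branch should also `free(img->pixels); img->pixels = NULL;` unless the caller is known to free it on failure. Since setjmp() is taken before jpeg_create_decompress(), any local written after the setjmp and read in the recovery branch would need to be volatile to have a defined value after longjmp; `cinfo` is the one such object here, and libjpeg's own example uses the same ordering, so treat this as a note rather than a defect. The cast of `p->err` to hd_jpeg_err_t * in jpeg_error_handler assumes every cinfo that installs the handler embeds an hd_jpeg_err_t, which deserves a comment on the handler, e.g. `// Only valid when cinfo->err points at an hd_jpeg_err_t; a plain jpeg_error_mgr would longjmp into an uninitialised jmp_buf`. The patch adds no `#include <setjmp.h>`, so image.cxx presumably already gets it transitively; worth confirming on the build log. image_load_jpeg continues outside the hunk.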
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch 2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,26 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 09:47:56 -0400
+Subject: CVE-2021-23165
+
+Fix a number-up crash bug (Issue #413)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6e8a95561988500b5b5ae4861b3b0cbf4fba517f
+Bug: https://github.com/michaelrsweet/htmldoc/issues/413
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/ps-pdf.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index 8804df4..7fbc345 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -1318,7 +1318,7 @@ pspdf_prepare_outpages()
+ chapter_outstarts[c] = num_outpages;
+
+ for (i = chapter_starts[c], j = 0, nup = -1, page = pages + i;
+- i <= chapter_ends[c];
++ i <= chapter_ends[c] && num_outpages < num_pages;
+ i ++, page ++)
+ {
+ if (nup != page->nup)
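Review bot: The new `num_outpages < num_pages` bound makes pspdf_prepare_outpages stop silently, so input that would previously have overrun the outpages array now loses its trailing pages from the document with no diagnostic; a progress_error() when the loop ends because of this bound rather than because `i > chapter_ends[c]` would make the truncation visible, as the JPEG fix in this same upload does for bad images. Whether checking only at the loop head is sufficient depends on how often the body increments num_outpages per iteration, which is outside the hunk; if it can grow by more than one per page the guard needs to sit next to the increment instead. The loop body and the rest of pspdf_prepare_outpages lie outside the hunk.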
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch 2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,35 @@
+From: Michael R Sweet <msweet@msweet.org>
+Date: Tue, 26 Jan 2021 08:02:32 -0500
+Subject: CVE-2021-23180
+
+Fix a crash bug with malformed URIs (Issue #418)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/19c582fb32eac74b57e155cffbb529377a9e751a
+Bug: https://github.com/michaelrsweet/htmldoc/issues/418
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/htmldoc/file.c b/htmldoc/file.c
+index 9f017de..eee89af 100644
+--- a/htmldoc/file.c
++++ b/htmldoc/file.c
+@@ -304,6 +304,7 @@ const char * /* O - File extension */
+ file_extension(const char *s) /* I - Filename or URL */
+ {
+ const char *extension; /* Pointer to directory separator */
++ char *bufptr; /* Pointer into buffer */
+ static char buf[1024]; /* Buffer for files with targets */
+
+
+@@ -334,7 +335,8 @@ file_extension(const char *s) /* I - Filename or URL */
+
+ strlcpy(buf, extension, sizeof(buf));
+
+- *(char *)strchr(buf, '#') = '\0';
++ if ((bufptr = strchr(buf, '#')) != NULL)
++ *bufptr = '\0';
+
+ return (buf);
+ }
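Review bot: The NULL that this guard handles presumably arises only when strlcpy() truncated `extension` to 1023 bytes and dropped the '#' (assuming the code above the hunk already verified that a '#' is present), in which case the function now returns a 1023-byte truncated fragment as the extension; a comment saying so, e.g. `/* '#' may have been cut off by the strlcpy() truncation above */`, would save the next reader from wondering how strchr() can fail here. The result is still handed back through the static `buf`, so it is overwritten by the next file_extension() call; that is pre-existing, but the function header (outside the hunk) should state it if it does not already.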
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch 2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,61 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 08:21:57 -0400
+Subject: CVE-2021-23206
+
+Fix crash bugs with bogus table attributes (Issue #416)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/ba61a3ece382389ae4482c7027af8b32e8ab4cc8
+Bug: https://github.com/michaelrsweet/htmldoc/issues/416
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/ps-pdf.cxx | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index 499f487..bb8a5b9 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -5735,7 +5735,7 @@ render_table_row(hdtable_t &table,
+ if ((var = htmlGetVariable(cells[row][col], (uchar *)"ROWSPAN")) != NULL)
+ table.row_spans[col] = atoi((char *)var);
+
+- if (table.row_spans[col] == 1)
++ if (table.row_spans[col] <= 1)
+ table.row_spans[col] = 0;
+
+ if (table.row_spans[col] > (table.num_rows - row))
+@@ -6555,7 +6555,12 @@ parse_table(tree_t *t, // I - Tree to parse
+ {
+ // Handle colspan and rowspan stuff...
+ if ((var = htmlGetVariable(tempcol, (uchar *)"COLSPAN")) != NULL)
+- colspan = atoi((char *)var);
++ {
++ if ((colspan = atoi((char *)var)) < 1)
++ colspan = 1;
++ else if (colspan > (MAX_COLUMNS - col))
++ colspan = MAX_COLUMNS - col;
++ }
+ else
+ colspan = 1;
+
+@@ -6563,7 +6568,7 @@ parse_table(tree_t *t, // I - Tree to parse
+ {
+ table.row_spans[col] = atoi((char *)var);
+
+- if (table.row_spans[col] == 1)
++ if (table.row_spans[col] <= 1)
+ table.row_spans[col] = 0;
+
+ for (tcol = 1; tcol < colspan; tcol ++)
+@@ -6585,6 +6590,11 @@ parse_table(tree_t *t, // I - Tree to parse
+ {
+ col_width -= 2.0 * table.cellpadding;
+ }
++
++ if (col_width <= 0.0f)
++ col_width = 0.0f;
++ else if (col_width > PageWidth)
++ col_width = PageWidth;
+ }
+ else
+ col_width = 0.0f;
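Review bot: In the parse_table COLSPAN branch the `< 1` bound is applied before the `MAX_COLUMNS - col` clamp, so if `col` can already be at or past MAX_COLUMNS when the cell is seen (not visible in the hunk) the clamp leaves colspan at zero or negative; applying the lower bound last avoids that: `colspan = atoi((char *)var); if (colspan > MAX_COLUMNS - col) colspan = MAX_COLUMNS - col; if (colspan < 1) colspan = 1;`. The ROWSPAN value assigned in the second parse_table hunk shows no upper clamp before the `tcol < colspan` propagation loop; if none exists below the hunk, the `num_rows - row` clamp that render_table_row applies should be mirrored there. Both parse_table hunks sit in the middle of the function, whose start and end are outside the view.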
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch 2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,71 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 1 Apr 2021 08:14:29 -0400
+Subject: CVE-2021-26259
+
+Fix a crash bug with bogus table attributes (Issue #417)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/0ddab26a542c74770317b622e985c52430092ba5
+Bug: https://github.com/michaelrsweet/htmldoc/issues/417
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/ps-pdf.cxx | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index bb8a5b9..8804df4 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -6379,6 +6379,9 @@ parse_table(tree_t *t, // I - Tree to parse
+ table_width = (float)(atof((char *)var) * (right - left) / 100.0f);
+ else
+ table_width = (float)(atoi((char *)var) * PagePrintWidth / _htmlBrowserWidth);
++
++ if (table_width < 0.0f || table_width > PagePrintWidth)
++ table_width = right - left;
+ }
+ else
+ table_width = right - left;
+@@ -6396,19 +6399,31 @@ parse_table(tree_t *t, // I - Tree to parse
+ DEBUG_printf(("table_width = %.1f\n", table_width));
+
+ if ((var = htmlGetVariable(t, (uchar *)"CELLPADDING")) != NULL)
+- table.cellpadding = atoi((char *)var);
++ {
++ if ((table.cellpadding = atoi((char *)var)) < 0.0f)
++ table.cellpadding = 0.0f;
++ else if (table.cellpadding > 20.0f)
++ table.cellpadding = 20.0f;
++ }
+ else
+ table.cellpadding = 1.0f;
+
+ if ((var = htmlGetVariable(t, (uchar *)"CELLSPACING")) != NULL)
+- cellspacing = atoi((char *)var);
++ {
++ if ((cellspacing = atoi((char *)var)) < 0.0f)
++ cellspacing = 0.0f;
++ else if (cellspacing > 20.0f)
++ cellspacing = 20.0f;
++ }
+ else
+ cellspacing = 0.0f;
+
+ if ((var = htmlGetVariable(t, (uchar *)"BORDER")) != NULL)
+ {
+- if ((table.border = (float)atof((char *)var)) == 0.0 && var[0] != '0')
++ if ((table.border = (float)atof((char *)var)) <= 0.0 && var[0] != '0')
+ table.border = 1.0f;
++ else if (table.border > 20.0f)
++ table.border = 20.0f;
+
+ table.cellpadding += table.border;
+ }
+@@ -6438,7 +6453,7 @@ parse_table(tree_t *t, // I - Tree to parse
+
+ table.border_size = table.border - 1.0f;
+
+- cellspacing *= PagePrintWidth / _htmlBrowserWidth;
++ cellspacing *= PagePrintWidth / _htmlBrowserWidth;
+ table.cellpadding *= PagePrintWidth / _htmlBrowserWidth;
+ table.border *= PagePrintWidth / _htmlBrowserWidth;
+ table.border_size *= PagePrintWidth / _htmlBrowserWidth;
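Review bot: The new range checks have the form `x < lo || x > hi`, which NaN slips through: atof() returns NaN for the string "nan" on glibc, so `WIDTH="nan%"` leaves table_width NaN and `BORDER="nan"` leaves table.border NaN (neither `<= 0.0` nor `> 20.0f` holds), and the `table.cellpadding += table.border` and `border_size` arithmetic below then carries NaN into the layout this patch is trying to bound. Writing the checks in accepting form rejects NaN as well: `if (!(table_width >= 0.0f && table_width <= PagePrintWidth)) table_width = right - left;` and `if (!((table.border = (float)atof((char *)var)) > 0.0) && var[0] != '0')`. The cellpadding and cellspacing paths go through atoi() and cannot produce NaN, though atoi() on an out-of-range attribute is itself undefined behaviour per the C standard; strtol() with an ERANGE check is the usual replacement. The whitespace-only change to the `cellspacing *=` line is noise in a targeted CVE backport. parse_table starts and ends outside these hunks.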
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch 2021-06-03 21:29:16.000000000 +0200
@@ -0,0 +1,65 @@
+From: =?utf-8?q?H=C3=A5vard_Flaget_Aasen?= <haavard_aasen@yahoo.no>
+Date: Thu, 3 Jun 2021 21:15:52 +0200
+Subject: CVE-2021-26948
+
+Fix crash bug with data: URIs (Issue #410)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/008861d8339c6ec777e487770b70b95b1ed0c1d2
+Bug: https://github.com/michaelrsweet/htmldoc/issues/410
+Bug-Debian: https://bugs.debian.org/989437
+---
+ htmldoc/file.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/htmldoc/file.c b/htmldoc/file.c
+index eee89af..9a5f3e2 100644
+--- a/htmldoc/file.c
++++ b/htmldoc/file.c
+@@ -624,11 +624,13 @@ file_find(const char *path, /* I - Path "dir;dir;dir" */
+ */
+
+ for (i = 0; i < (int)web_files; i ++)
++ {
+ if (strcmp(s, web_cache[i].name) == 0)
+ {
+ DEBUG_printf(("file_find: Returning cache file \"%s\"!\n", s));
+ return (s);
+ }
++ }
+
+ DEBUG_printf(("file_find: \"%s\" not in web cache of %d files...\n", s, (int)web_files));
+
+@@ -637,11 +639,14 @@ file_find(const char *path, /* I - Path "dir;dir;dir" */
+ */
+
+ if (strchr(s, '%') == NULL)
++ {
+ strlcpy(basename, s, sizeof(basename));
++ }
+ else
+ {
+ for (sptr = s, temp = basename;
+ *sptr && temp < (basename + sizeof(basename) - 1);)
++ {
+ if (*sptr == '%' && isxdigit(sptr[1]) && isxdigit(sptr[2]))
+ {
+ /*
+@@ -664,6 +669,7 @@ file_find(const char *path, /* I - Path "dir;dir;dir" */
+ }
+ else
+ *temp++ = *sptr++;
++ }
+
+ *temp = '\0';
+ }
+@@ -918,7 +924,9 @@ file_localize(const char *filename, /* I - Filename */
+ const char * /* O - Method string ("http", "ftp", etc.) */
+ file_method(const char *s) /* I - Filename or URL */
+ {
+- if (strncmp(s, "http:", 5) == 0)
++ if (strncmp(s, "data:", 5) == 0)
++ return ("data");
++ else if (strncmp(s, "http:", 5) == 0)
+ return ("http");
+ else if (strncmp(s, "https:", 6) == 0)
+ return ("https");
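Review bot: The percent-decoding loop in file_find passes `sptr[1]` and `sptr[2]` straight to isxdigit(); if sptr is a plain `char *` (its declaration is outside the hunk), a byte >= 0x80 in the name is negative on signed-char targets and passing it to a <ctype.h> function is undefined behaviour (CERT STR37-C), so the calls should read `isxdigit((unsigned char)sptr[1]) && isxdigit((unsigned char)sptr[2])`. The only functional change in this patch is file_method() returning "data"; how callers react to that string is outside the hunk, and CVE-2021-26948 is one of the three CVEs the request says were not manually tested, so running the reproducer from issue #410 against the built package would be worthwhile, particularly as the From: line names the Debian maintainer rather than upstream and the patch therefore appears to be a hand-ported backport.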
diff -Nru htmldoc-1.9.11/debian/patches/series htmldoc-1.9.11/debian/patches/series
--- htmldoc-1.9.11/debian/patches/series 2021-05-10 16:10:41.000000000 +0200
+++ htmldoc-1.9.11/debian/patches/series 2021-06-03 21:29:16.000000000 +0200
@@ -6,3 +6,9 @@
disable_libz.patch
remove-os-check.patch
Fix-crash-bug-with-bad-GIFs-Issue-423.patch
+CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch
+CVE-2021-23165.patch
+CVE-2021-23180.patch
+CVE-2021-23206.patch
+CVE-2021-26259.patch
+CVE-2021-26948.patch
--- End Message ---