--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package htmldoc/1.9.3-1
- From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
- Date: Tue, 11 May 2021 12:55:42 +0200
- Message-id: <162073054200.144464.12906504140595599395.reportbug@desktop.bs-production.no>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: haavard_aasen@yahoo.no
This update fixes CVE-2019-19630 and CVE-2021-20308, which is bug
#984765. Both patches are from upstream and have very small changes.
CVE-2019-19630 is marked with no DSA and CVE-2021-20308 is marked
unimportant, so I have not contacted the security team.
[ Reason ]
Fix CVE-2019-19630 and CVE-2021-20308
[ Impact ]
Minor
[ Tests ]
None
[ Risks ]
Small to none
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The patches add additional if-statements to prevent buffer overflows.
Regards,
Håvard
https://security-tracker.debian.org/tracker/CVE-2019-19630
https://security-tracker.debian.org/tracker/CVE-2021-20308
https://bugs.debian.org/#984765
diff -Nru htmldoc-1.9.3/debian/changelog htmldoc-1.9.3/debian/changelog
--- htmldoc-1.9.3/debian/changelog 2018-04-11 20:04:27.000000000 +0200
+++ htmldoc-1.9.3/debian/changelog 2021-05-11 12:03:14.000000000 +0200
@@ -1,3 +1,13 @@
+htmldoc (1.9.3-1+deb10u1) buster; urgency=medium
+
+ * QA upload.
+ * Add patch to fix a stack-based buffer overflow in the hd_strlcpy()
+ Fixes: CVE-2019-19630
+ * Add patch to fix buffer-overflow caused by integer-overflow
+ Closes: #984765 Fixes: CVE-2021-20308
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Tue, 11 May 2021 12:03:14 +0200
+
htmldoc (1.9.3-1) unstable; urgency=medium
* QA upload.
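Review bot: The CVE-2019-19630 entry describes "a stack-based buffer overflow in the hd_strlcpy()", but the patch shipped for it is titled "Fix a buffer underflow issue" and changes the pointer decrement in render_contents() before the strlcpy() call, so the entry does not match what was changed. Suggest wording the entry after the actual change (for example, guard the nptr decrement in render_contents()) and naming the two patch files so each changelog item maps to a line in debian/patches/series.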
diff -Nru htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch
--- htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch 2021-05-11 11:55:58.000000000 +0200
@@ -0,0 +1,28 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Sun, 8 Dec 2019 14:00:26 -0500
+Subject: Fix a buffer underflow issue with GCC on Linux (Issue #360)
+
+CVE-2019-19630
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/8a129c520e90fc967351f3e165f967128a88f09c
+Bug: https://github.com/michaelrsweet/htmldoc/issues/370
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-19630
+---
+ htmldoc/ps-pdf.cxx | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index 78a0183..5d96591 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -3721,7 +3721,9 @@ render_contents(tree_t *t, /* I - Tree to parse */
+ nptr < (number + sizeof(number) - 1) && width < right;
+ width += dot_width)
+ *nptr++ = '.';
+- nptr --;
++
++ if (nptr > number)
++ nptr --;
+
+ strlcpy((char *)nptr, pages[hpage].page_text, sizeof(number) - (size_t)(nptr - number));
+
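Review bot: The patch header is inconsistent about the upstream issue: the Subject says "(Issue #360)" while the Bug: field points at issues/370. Please confirm which one tracks CVE-2019-19630 and make the Bug: field agree, or say in the description why both numbers appear. The code change itself reads correctly: with `if (nptr > number)` the pointer stays at the start of the buffer when the dot loop writes nothing, so the size passed to strlcpy(), `sizeof(number) - (size_t)(nptr - number)`, can no longer exceed sizeof(number).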
diff -Nru htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch
--- htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch 2021-05-11 11:55:58.000000000 +0200
@@ -0,0 +1,27 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Wed, 31 Mar 2021 20:18:00 -0400
+Subject: Fix crash bug with bad GIFs (Issue #423)
+
+CVE-2021-20308
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6a8322a718b2ba5c440bd33e6f26d9e281c39654
+Bug: https://github.com/michaelrsweet/htmldoc/issues/423
+Bug-Debian: https://bugs.debian.org/#984765
+---
+ htmldoc/image.cxx | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 907db8f..9d36a41 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -1245,6 +1245,9 @@ image_load_gif(image_t *img, /* I - Image pointer */
+ img->height = (buf[9] << 8) | buf[8];
+ ncolors = 2 << (buf[10] & 0x07);
+
++ if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
++ return (-1);
++
+ // If we are writing an encrypted PDF file, bump the use count so we create
+ // an image object (Acrobat 6 bug workaround)
+ if (Encryption)
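Review bot: The new check in image_load_gif() uses the bare constant 32767 with no comment explaining the limit, and the changelog attributes this CVE to an integer overflow, so a one-line comment stating that the bound keeps later size arithmetic on width and height in range would help the next reader. Separately, the Bug-Debian field is written as `https://bugs.debian.org/#984765`; the `#` turns the bug number into a URL fragment, so the field should read `https://bugs.debian.org/984765`.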
diff -Nru htmldoc-1.9.3/debian/patches/series htmldoc-1.9.3/debian/patches/series
--- htmldoc-1.9.3/debian/patches/series 2018-04-11 20:04:27.000000000 +0200
+++ htmldoc-1.9.3/debian/patches/series 2021-05-11 11:55:58.000000000 +0200
@@ -4,3 +4,5 @@
autoheader_support.patch
disable_libz.patch
remove-os-check.patch
+Fix-crash-bug-with-bad-GIFs-Issue-423.patch
+Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch
--- End Message ---