
Bug#993228: marked as done (buster-pu: package gthumb/3:3.6.2-4+deb10u1)



Your message dated Sat, 09 Oct 2021 12:11:43 +0100
with message-id <896b7609401ceb0e1c537222e26587ea2351415d.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in the 10.11 point release
has caused the Debian Bug report #993228,
regarding buster-pu: package gthumb/3:3.6.2-4+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
993228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993228
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for gthumb fixes CVE-2019-20326 in Buster.
The additional patch fixes another non-security related bug and is needed to apply the upstream patch for the CVE.

The CVE is marked as no-dsa by the security team.

After upload of DLA-2066-1 to Jessie-LTS no one complained about something broken.

  Thorsten
diff -Nru gthumb-3.6.2/debian/changelog gthumb-3.6.2/debian/changelog
--- gthumb-3.6.2/debian/changelog	2019-02-24 22:17:43.000000000 +0100
+++ gthumb-3.6.2/debian/changelog	2021-08-26 21:03:02.000000000 +0200
@@ -1,3 +1,15 @@
+gthumb (3:3.6.2-4+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-20326 (Closes: #948197)
+    A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg()
+    in extensions/cairo_io/cairo-image-surface-jpeg.c allows attackers to
+    cause a crash and potentially execute arbitrary code via a crafted JPEG
+    file.
+  * additional fix in case orientation swaps width and height
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Thu, 26 Aug 2021 21:03:02 +0200
+
 gthumb (3:3.6.2-4) unstable; urgency=medium
 
   * debian/control:
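Review bot: the last item of the new changelog entry, `additional fix in case orientation swaps width and height`, does not name the patch it refers to or say that it is a non-security change carried only because the CVE fix depends on it. Naming `error_if_orientation_swaps_width_and_height.patch` and stating that dependency in the entry would let someone reading the changelog alone see why this upload contains more than the CVE fix.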
diff -Nru gthumb-3.6.2/debian/patches/CVE-2019-20326.patch gthumb-3.6.2/debian/patches/CVE-2019-20326.patch
--- gthumb-3.6.2/debian/patches/CVE-2019-20326.patch	1970-01-01 01:00:00.000000000 +0100
+++ gthumb-3.6.2/debian/patches/CVE-2019-20326.patch	2021-08-24 12:54:08.000000000 +0200
@@ -0,0 +1,105 @@
+Index: gthumb-3.6.2/extensions/cairo_io/cairo-image-surface-jpeg.c
+===================================================================
+--- gthumb-3.6.2.orig/extensions/cairo_io/cairo-image-surface-jpeg.c	2021-08-24 12:54:05.412649431 +0200
++++ gthumb-3.6.2/extensions/cairo_io/cairo-image-surface-jpeg.c	2021-08-24 12:54:05.408649432 +0200
+@@ -171,6 +171,7 @@
+ 	unsigned char                 *surface_row;
+ 	JSAMPARRAY                     buffer;
+ 	int                            buffer_stride;
++	int                            scanned_lines;
+ 	JDIMENSION                     n_lines;
+ 	JSAMPARRAY                     buffer_row;
+ 	int                            l;
+@@ -294,6 +295,7 @@
+ 	_cairo_metadata_set_has_alpha (metadata, FALSE);
+ 	surface_data = _cairo_image_surface_flush_and_get_data (surface);
+ 	surface_row = surface_data + line_start;
++	scanned_lines = 0;
+ 
+ 	switch (srcinfo.out_color_space) {
+ 	case JCS_CMYK:
+@@ -309,6 +311,8 @@
+ 					goto stop_loading;
+ 
+ 				n_lines = jpeg_read_scanlines (&srcinfo, buffer, srcinfo.rec_outbuf_height);
++				if (scanned_lines + n_lines > output_height)
++					n_lines = output_height - scanned_lines;
+ 
+ 				buffer_row = buffer;
+ 				for (l = 0; l < n_lines; l++) {
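Review bot: the clamp `if (scanned_lines + n_lines > output_height)` mixes signed and unsigned operands, since `scanned_lines` is declared `int` in the first hunk, `output_height` is an `int` in the companion patch, and `n_lines` is a `JDIMENSION`, which libjpeg defines as an unsigned type. The values involved are small and non-negative, so the comparison and the assignment `n_lines = output_height - scanned_lines` give the intended result, but declaring `scanned_lines` as `JDIMENSION` or casting explicitly would state the intent and avoid sign-compare warnings. The same applies to the four identical clamps in the later hunks of this file.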
+@@ -345,6 +349,7 @@
+ 
+ 					surface_row += line_step;
+ 					buffer_row += buffer_stride;
++					scanned_lines += 1;
+ 				}
+ 			}
+ 		}
+@@ -357,6 +362,8 @@
+ 					goto stop_loading;
+ 
+ 				n_lines = jpeg_read_scanlines (&srcinfo, buffer, srcinfo.rec_outbuf_height);
++				if (scanned_lines + n_lines > output_height)
++					n_lines = output_height - scanned_lines;
+ 
+ 				buffer_row = buffer;
+ 				for (l = 0; l < n_lines; l++) {
+@@ -377,6 +384,7 @@
+ 
+ 					surface_row += line_step;
+ 					buffer_row += buffer_stride;
++					scanned_lines += 1;
+ 				}
+ 			}
+ 		}
+@@ -389,6 +397,8 @@
+ 					goto stop_loading;
+ 
+ 				n_lines = jpeg_read_scanlines (&srcinfo, buffer, srcinfo.rec_outbuf_height);
++				if (scanned_lines + n_lines > output_height)
++					n_lines = output_height - scanned_lines;
+ 
+ 				buffer_row = buffer;
+ 				for (l = 0; l < n_lines; l++) {
+@@ -411,6 +421,7 @@
+ 
+ 					surface_row += line_step;
+ 					buffer_row += buffer_stride;
++					scanned_lines += 1;
+ 				}
+ 			}
+ 		}
+@@ -436,6 +447,8 @@
+ 					goto stop_loading;
+ 
+ 				n_lines = jpeg_read_scanlines (&srcinfo, buffer, srcinfo.rec_outbuf_height);
++				if (scanned_lines + n_lines > output_height)
++					n_lines = output_height - scanned_lines;
+ 
+ 				buffer_row = buffer;
+ 				for (l = 0; l < n_lines; l++) {
+@@ -462,6 +475,7 @@
+ 
+ 					surface_row += line_step;
+ 					buffer_row += buffer_stride;
++					scanned_lines += 1;
+ 				}
+ 			}
+ 		}
+@@ -491,6 +505,8 @@
+ 					goto stop_loading;
+ 
+ 				n_lines = jpeg_read_scanlines (&srcinfo, buffer, srcinfo.rec_outbuf_height);
++				if (scanned_lines + n_lines > output_height)
++					n_lines = output_height - scanned_lines;
+ 
+ 				buffer_row = buffer;
+ 				for (l = 0; l < n_lines; l++) {
+@@ -524,6 +540,7 @@
+ 
+ 					surface_row += line_step;
+ 					buffer_row += buffer_stride;
++					scanned_lines += 1;
+ 				}
+ 			}
+ 		}
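Review bot: this new patch file begins directly at its `Index:` line and carries no header recording where the change comes from. The request describes it as the upstream patch for the CVE and the changelog closes #948197, so a short header with Description, Origin and Bug-Debian fields would let a later reader check the backport against its source without going back to this mail.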
diff -Nru gthumb-3.6.2/debian/patches/error_if_orientation_swaps_width_and_height.patch gthumb-3.6.2/debian/patches/error_if_orientation_swaps_width_and_height.patch
--- gthumb-3.6.2/debian/patches/error_if_orientation_swaps_width_and_height.patch	1970-01-01 01:00:00.000000000 +0100
+++ gthumb-3.6.2/debian/patches/error_if_orientation_swaps_width_and_height.patch	2021-08-24 16:22:05.000000000 +0200
@@ -0,0 +1,117 @@
+Index: gthumb-3.6.2/extensions/cairo_io/cairo-image-surface-jpeg.c
+===================================================================
+--- gthumb-3.6.2.orig/extensions/cairo_io/cairo-image-surface-jpeg.c	2021-08-24 16:15:47.663965223 +0200
++++ gthumb-3.6.2/extensions/cairo_io/cairo-image-surface-jpeg.c	2021-08-24 16:22:02.507863935 +0200
+@@ -155,6 +155,8 @@
+ 	JpegInfoFlags		       info_flags;
+ 	gboolean                       load_scaled;
+ 	GthTransform                   orientation;
++	int                            output_width;
++	int                            output_height;
+ 	int                            destination_width;
+ 	int                            destination_height;
+ 	int                            line_start;
+@@ -264,9 +266,11 @@
+ 
+ 	jpeg_start_decompress (&srcinfo);
+ 
++	output_width = MIN (srcinfo.output_width, CAIRO_MAX_IMAGE_SIZE);
++	output_height = MIN (srcinfo.output_height, CAIRO_MAX_IMAGE_SIZE);
+ 	_cairo_image_surface_transform_get_steps (CAIRO_FORMAT_ARGB32,
+-						  MIN (srcinfo.output_width, CAIRO_MAX_IMAGE_SIZE),
+-						  MIN (srcinfo.output_height, CAIRO_MAX_IMAGE_SIZE),
++						  output_width,
++						  output_height,
+ 						  orientation,
+ 						  &destination_width,
+ 						  &destination_height,
+@@ -306,7 +310,7 @@
+ 			CMYK_table_init ();
+ 			cmyk_tab = CMYK_Tab;
+ 
+-			while (srcinfo.output_scanline < srcinfo.output_height) {
++			while (srcinfo.output_scanline < output_height) {
+ 				if (g_cancellable_is_cancelled (cancellable))
+ 					goto stop_loading;
+ 
+@@ -322,7 +326,7 @@
+ 					if (g_cancellable_is_cancelled (cancellable))
+ 						goto stop_loading;
+ 
+-					for (x = 0; x < srcinfo.output_width; x++) {
++					for (x = 0; x < output_width; x++) {
+ 						if (srcinfo.saw_Adobe_marker) {
+ 							c = p_buffer[0];
+ 							m = p_buffer[1];
+@@ -357,7 +361,7 @@
+ 
+ 	case JCS_GRAYSCALE:
+ 		{
+-			while (srcinfo.output_scanline < srcinfo.output_height) {
++			while (srcinfo.output_scanline < output_height) {
+ 				if (g_cancellable_is_cancelled (cancellable))
+ 					goto stop_loading;
+ 
+@@ -373,7 +377,7 @@
+ 					if (g_cancellable_is_cancelled (cancellable))
+ 						goto stop_loading;
+ 
+-					for (x = 0; x < srcinfo.output_width; x++) {
++					for (x = 0; x < output_width; x++) {
+ 						r = g = b = p_buffer[0];
+ 						pixel = CAIRO_RGBA_TO_UINT32 (r, g, b, 0xff);
+ 						memcpy (p_surface, &pixel, sizeof (guint32));
+@@ -392,7 +396,7 @@
+ 
+ 	case JCS_RGB:
+ 		{
+-			while (srcinfo.output_scanline < srcinfo.output_height) {
++			while (srcinfo.output_scanline < output_height) {
+ 				if (g_cancellable_is_cancelled (cancellable))
+ 					goto stop_loading;
+ 
+@@ -408,7 +412,7 @@
+ 					if (g_cancellable_is_cancelled (cancellable))
+ 						goto stop_loading;
+ 
+-					for (x = 0; x < srcinfo.output_width; x++) {
++					for (x = 0; x < output_width; x++) {
+ 						r = p_buffer[0];
+ 						g = p_buffer[1];
+ 						b = p_buffer[2];
+@@ -442,7 +446,7 @@
+ 			g_cr_tab = YCbCr_G_Cr_Tab;
+ 			b_cb_tab = YCbCr_B_Cb_Tab;
+ 
+-			while (srcinfo.output_scanline < srcinfo.output_height) {
++			while (srcinfo.output_scanline < output_height) {
+ 				if (g_cancellable_is_cancelled (cancellable))
+ 					goto stop_loading;
+ 
+@@ -458,7 +462,7 @@
+ 					if (g_cancellable_is_cancelled (cancellable))
+ 						goto stop_loading;
+ 
+-					for (x = 0; x < srcinfo.output_width; x++) {
++					for (x = 0; x < output_width; x++) {
+ 						Y = p_buffer[0];
+ 						Cb = p_buffer[1];
+ 						Cr = p_buffer[2];
+@@ -500,7 +504,7 @@
+ 			CMYK_table_init ();
+ 			cmyk_tab = CMYK_Tab;
+ 
+-			while (srcinfo.output_scanline < srcinfo.output_height) {
++			while (srcinfo.output_scanline < output_height) {
+ 				if (g_cancellable_is_cancelled (cancellable))
+ 					goto stop_loading;
+ 
+@@ -516,7 +520,7 @@
+ 					if (g_cancellable_is_cancelled (cancellable))
+ 						goto stop_loading;
+ 
+-					for (x = 0; x < srcinfo.output_width; x++) {
++					for (x = 0; x < output_width; x++) {
+ 						Y = p_buffer[0];
+ 						Cb = p_buffer[1];
+ 						Cr = p_buffer[2];
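Review bot: the file name `error_if_orientation_swaps_width_and_height.patch` does not match what the hunks do, because nothing in them raises an error or tests the orientation. The visible change stores `MIN (srcinfo.output_width, CAIRO_MAX_IMAGE_SIZE)` and the matching height in `output_width` and `output_height` and uses those as the loop bounds in each colour-space branch. A description header at the top of the file, or a name that reflects the clamped loop bounds, would make clear what this patch contributes and why the CVE fix needs it.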
diff -Nru gthumb-3.6.2/debian/patches/series gthumb-3.6.2/debian/patches/series
--- gthumb-3.6.2/debian/patches/series	2019-02-24 22:13:21.000000000 +0100
+++ gthumb-3.6.2/debian/patches/series	2021-08-24 16:03:13.000000000 +0200
@@ -4,3 +4,6 @@
 contact_sheet_theme_not_loaded.patch
 02-preserve_upstream_files.patch
 privacy-breach-C-legal.patch
+
+CVE-2019-20326.patch
+error_if_orientation_swaps_width_and_height.patch
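Review bot: `CVE-2019-20326.patch` is listed before `error_if_orientation_swaps_width_and_height.patch`, yet the CVE patch compares against `output_height`, and the only declaration of that variable among the visible hunks is the `int output_height;` added by the second patch. The tree is therefore only expected to build with both patches applied, while the request text describes the additional patch as the prerequisite. Either reorder and refresh the two patches so the prerequisite comes first, or say in the patch headers that they must be applied together. The added empty line before the two new entries can also be dropped.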

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.11

Hi,

The updates relating to these bugs were included in this morning's
10.11 point release for buster.

Regards,

Adam

--- End Message ---
