
Bug#998042: buster-pu: package jbig2dec/0.16-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for jbig2dec fixes CVE-2020-12268 in Buster.

This CVE is marked as no-dsa by the security team.

The patch just adds some checks to prevent an overflow, so the risk should be small. The testsuite of the package showed no errors.

  Thorsten
diff -Nru jbig2dec-0.16/debian/changelog jbig2dec-0.16/debian/changelog
--- jbig2dec-0.16/debian/changelog	2019-04-07 17:52:08.000000000 +0200
+++ jbig2dec-0.16/debian/changelog	2021-10-24 19:03:02.000000000 +0200
@@ -1,3 +1,12 @@
+jbig2dec (0.16-1+deb10u1) buster; urgency=high
+
+  * Team upload (printing and LTS)
+  * CVE-2020-12268
+    avoid overflow with extreme values of x,y,w,h in function
+    jbig2_image_compose()
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sun, 24 Oct 2021 19:03:02 +0200
+
 jbig2dec (0.16-1) unstable; urgency=high
 
   [ upstream ]
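Review bot: urgency=high on the new 0.16-1+deb10u1 entry sits oddly beside a CVE that the covering mail describes as no-dsa with small risk; consider urgency=medium unless high is intended for this point update. The entry could also name the file it adds, debian/patches/CVE-2020-12268.patch, so the changelog points directly at the change.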
diff -Nru jbig2dec-0.16/debian/patches/CVE-2020-12268.patch jbig2dec-0.16/debian/patches/CVE-2020-12268.patch
--- jbig2dec-0.16/debian/patches/CVE-2020-12268.patch	1970-01-01 01:00:00.000000000 +0100
+++ jbig2dec-0.16/debian/patches/CVE-2020-12268.patch	2021-10-24 19:03:02.000000000 +0200
@@ -0,0 +1,41 @@
+commit 0726320a4b55078e9d8deb590e477d598b3da66e
+Author: Robin Watts <Robin.Watts@artifex.com>
+Date:   Mon Jan 27 10:12:24 2020 -0800
+
+    Fix OSS-Fuzz issue 20332: buffer overflow in jbig2_image_compose.
+    
+    With extreme values of x/y/w/h we can get overflow. Test for this
+    and exit safely.
+    
+    Thanks for OSS-Fuzz for reporting.
+
+Index: jbig2dec-0.16/jbig2_image.c
+===================================================================
+--- jbig2dec-0.16.orig/jbig2_image.c	2021-10-25 15:53:32.254308657 +0200
++++ jbig2dec-0.16/jbig2_image.c	2021-10-25 16:10:42.074548650 +0200
+@@ -33,6 +33,9 @@
+ #if !defined (INT32_MAX)
+ #define INT32_MAX  0x7fffffff
+ #endif
++#if !defined (UINT32_MAX)
++#define UINT32_MAX  0xffffffffu
++#endif
+ 
+ /* allocate a Jbig2Image structure and its associated bitmap */
+ Jbig2Image *
+@@ -258,6 +261,15 @@
+     if (src == NULL)
+         return 0;
+ 
++    if ((UINT32_MAX - src->width  < (x > 0 ? x : -x)) ||
++        (UINT32_MAX - src->height < (y > 0 ? y : -y)))
++    {
++#ifdef JBIG2_DEBUG
++        jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
++#endif
++        return 0;
++    }
++
+     /* The optimized code for the OR operator below doesn't
+        handle the source image partially placed outside the
+        destination (above and/or to the left). The affected
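Review bot: in the new guard after the `src == NULL` test, `(x > 0 ? x : -x)` and the matching expression for y negate the offset before the comparison; if x and y are signed ints, the most negative value cannot be negated without signed overflow, and that is exactly the kind of extreme x/y input the commit message says the check is for. Converting before negating, for example `(x > 0 ? (uint32_t)x : 0u - (uint32_t)x)`, keeps the magnitude computation well defined. Separately, the rejected case returns 0 just like the `src == NULL` path above it and logs only under JBIG2_DEBUG, so a caller cannot tell a refused compose from a completed one, and the message text says "compose_image" while the commit message names jbig2_image_compose.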
diff -Nru jbig2dec-0.16/debian/patches/series jbig2dec-0.16/debian/patches/series
--- jbig2dec-0.16/debian/patches/series	2019-03-25 09:49:08.000000000 +0100
+++ jbig2dec-0.16/debian/patches/series	2021-10-24 19:03:02.000000000 +0200
@@ -1,3 +1,5 @@
 1001_ignore_python_test.patch
 1004_extract_infile_from_autogen-sh.patch
 2001_disable_memento.patch
+
+CVE-2020-12268.patch
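Review bot: the empty `+` line added ahead of `CVE-2020-12268.patch` in debian/patches/series is unnecessary and breaks the otherwise contiguous list; drop it so the new entry follows 2001_disable_memento.patch directly.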
