Bug#984886: buster-pu: package xcftools/1.0.7-6
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org
Dear release team,
[ Reason ]
I would like to fix CVE-2019-5086 and CVE-2019-5087. The same fix has
been applied in unstable and stretch already. The security team marked
these issues as no-dsa.
[ Impact ]
xcftools would still be vulnerable if not approved.
[ Tests ]
Tested with a manipulated xcf file.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Regards,
Markus
diff -Nru xcftools-1.0.7/debian/changelog xcftools-1.0.7/debian/changelog
--- xcftools-1.0.7/debian/changelog 2016-05-18 12:34:05.000000000 +0200
+++ xcftools-1.0.7/debian/changelog 2021-02-09 23:17:14.000000000 +0100
@@ -1,3 +1,16 @@
+xcftools (1.0.7-6+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2019-5086 and CVE-2019-5087:
+ An exploitable integer overflow vulnerability exists in the
+ flattenIncrementally function in the xcf2png and xcf2pnm binaries of
+ xcftools. An integer overflow can occur while walking through tiles that
+ could be exploited to corrupt memory and execute arbitrary code. In order
+ to trigger this vulnerability, a victim would need to open a specially
+ crafted XCF file.
+
+ -- Markus Koschany <apo@debian.org> Tue, 09 Feb 2021 23:17:14 +0100
+
xcftools (1.0.7-6) unstable; urgency=medium
* Team upload (collab-maint)
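Review bot: the changelog text locates the overflow in flattenIncrementally (the xcf2png/xcf2pnm tile walk), while the fix in this debdiff lands in computeDimensions() in xcf-general.c; one sentence saying that the layer offsets and dimensions are now range-checked before the tile walk would make the entry match the patch. The Debian bug the patch header cites (https://bugs.debian.org/945317) is also not referenced here; a `(Closes: #945317)` on the fix line would tie the two together.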
diff -Nru xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch
--- xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch 1970-01-01 01:00:00.000000000 +0100
+++ xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch 2021-02-09 23:17:14.000000000 +0100
@@ -0,0 +1,53 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 8 Feb 2021 17:57:56 +0100
+Subject: CVE-2019-5086 and CVE-2019-5087
+
+Patch by Anton Gladky and Markus Koschany.
+
+Bug-Debian: https://bugs.debian.org/945317
+Origin: https://github.com/j-jorge/xcftools/pull/15
+---
+ xcf-general.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/xcf-general.c b/xcf-general.c
+index 9d0b4dc..7cb1613 100644
+--- a/xcf-general.c
++++ b/xcf-general.c
+@@ -19,6 +19,8 @@
+ #include "xcftools.h"
+ #include <string.h>
+ #include <errno.h>
++#include <limits.h>
++#include <stdlib.h>
+ #ifdef HAVE_ICONV
+ # include <iconv.h>
+ #elif !defined(ICONV_CONST)
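Review bot: the new code in computeDimensions() calls fprintf(), but only `#include <limits.h>` (INT_MIN/INT_MAX) and `#include <stdlib.h>` (exit) are added in this hunk. That is fine only if xcftools.h already pulls in <stdio.h>; if it does not, add `#include <stdio.h>` next to the two new includes rather than relying on a transitive include.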
+@@ -182,6 +184,27 @@ xcfString(uint32_t ptr,uint32_t *after)
+ void
+ computeDimensions(struct tileDimensions *d)
+ {
++ // [ CVE-2019-5086 and CVE-2019-5087 ]
++ // This part of the code is the check to prevent integer overflow, see CVE-2019-5086 and CVE-2019-5087
++
++ if (d->c.l < INT_MIN/4) {
++ fprintf(stderr,("d->c.l is too small (%d)! Stopping execution...\n"), (d->c.l));
++ exit(0);
++ }
++ if (d->c.t < INT_MIN/4) {
++ fprintf(stderr,("d->c.t is too small (%d)! Stopping execution...\n"), (d->c.t));
++ exit(0);
++ }
++ if (d->width > (INT_MAX - d->c.l)/4) {
++ fprintf(stderr,("Width is too large (%d)! Stopping execution...\n"), (d->c.l + d->width));
++ exit(0);
++ }
++ if (d->height > (INT_MAX - d->c.t)/4) {
++ fprintf(stderr,("Height is too large (%d)! Stopping execution...\n"), (d->c.t + d->height));
++ exit(0);
++ }
++ // [ CVE-2019-5086 and CVE-2019-5087 ]
++
+ d->c.r = d->c.l + d->width ;
+ d->c.b = d->c.t + d->height ;
+ d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ;
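Review bot: the two guards `d->width > (INT_MAX - d->c.l)/4` and `d->height > (INT_MAX - d->c.t)/4` can themselves overflow. The checks just above them admit any d->c.l and d->c.t down to INT_MIN/4, and for a negative offset the expression INT_MAX - d->c.l is larger than INT_MAX, which is signed overflow (undefined behaviour; in practice it wraps negative, the quotient is negative, and the comparison no longer rejects anything). Turn the comparison around so INT_MAX is only ever reduced by a value already known to be non-negative: first reject a width above INT_MAX (or below zero, if the field is signed), then test `d->c.l > INT_MAX - width`, and likewise for the height. Two further points: every error path calls exit(0), so a rejected crafted file reports success to the calling shell or script; use a non-zero status or the project's existing fatal-error helper. And the width and height messages print d->c.l + d->width and d->c.t + d->height, i.e. they compute the very sum the check has just declared unsafe; print the operands separately instead.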
diff -Nru xcftools-1.0.7/debian/patches/series xcftools-1.0.7/debian/patches/series
--- xcftools-1.0.7/debian/patches/series 2016-05-18 12:27:32.000000000 +0200
+++ xcftools-1.0.7/debian/patches/series 2021-02-09 23:17:14.000000000 +0100
@@ -4,3 +4,4 @@
fix-as-needed-linking
libpng16.patch
fix-test-UTF8.patch
+CVE-2019-5086-and-CVE-2019-5087.patch
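As an added example (not xcftools code and not part of the debdiff above), here is the arithmetic of computeDimensions() with guards that cannot overflow themselves: each comparison subtracts only a value already known to be non-negative from INT_MAX, so negative layer offsets, which GIMP uses for layers that hang off the canvas, are handled correctly. The struct layout, the 64x64 tile size and the `ntiles = tilesx * tilesy` line are assumptions made for this example, and the inputs in main() are constructed.

```c
/* Added example: overflow-safe version of the computeDimensions() arithmetic
 * shown in the xcftools patch. Not the project's code; the struct layout,
 * tile size and the ntiles line are assumptions made for this example. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define TILE_WIDTH  64   /* assumed: XCF tiles are 64x64 pixels */
#define TILE_HEIGHT 64

struct rect { int t, b, l, r; };          /* assumed layout: signed edges */
struct tile_dims {
    struct rect c;                        /* canvas-relative edges, l/t are inputs */
    unsigned width, height;               /* assumed unsigned, as in the original arithmetic */
    unsigned tilesx, tilesy, ntiles;
};

/* Fills in c.r, c.b and the tile counts. Returns false if any intermediate
 * value would overflow. The checks themselves never overflow: INT_MAX is only
 * ever reduced by a non-negative int, never by a possibly negative offset
 * (which is where a guard of the form (INT_MAX - c.l)/4 goes wrong). */
bool compute_dimensions_checked(struct tile_dims *d)
{
    if (d->width > (unsigned)INT_MAX || d->height > (unsigned)INT_MAX)
        return false;                     /* cannot even be represented as int */
    int w = (int)d->width, h = (int)d->height;   /* both >= 0 from here on */

    if (d->c.l > INT_MAX - w) return false;      /* c.l + w would overflow */
    if (d->c.t > INT_MAX - h) return false;      /* c.t + h would overflow */
    d->c.r = d->c.l + w;
    d->c.b = d->c.t + h;

    /* width + TILE_WIDTH - 1 cannot wrap: width <= INT_MAX < UINT_MAX - 63 */
    d->tilesx = (d->width  + TILE_WIDTH  - 1) / TILE_WIDTH;
    d->tilesy = (d->height + TILE_HEIGHT - 1) / TILE_HEIGHT;

    /* Assumed continuation of the original function: ntiles = tilesx * tilesy.
     * The product sizes the later tile walk, so guard it as well. */
    if (d->tilesx != 0 && d->tilesy > UINT_MAX / d->tilesx)
        return false;
    d->ntiles = d->tilesx * d->tilesy;
    return true;
}

/* Convenience wrapper: 1 if the (l, t, width, height) quadruple is accepted,
 * 0 if it is rejected. */
int dims_ok(int l, int t, unsigned width, unsigned height)
{
    struct tile_dims d = { { t, 0, l, 0 }, width, height, 0, 0, 0 };
    return compute_dimensions_checked(&d) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: one sane layer, one legitimately off-canvas layer,
     * and the kinds of values a crafted XCF could carry in its fields. */
    struct { int l, t; unsigned w, h; const char *what; } cases[] = {
        {            0,            0,         640, 480, "ordinary 640x480 layer at origin" },
        {         -100,          -50,         640, 480, "layer partly off-canvas (negative offsets)" },
        { INT_MAX - 11,            0,          11,   1, "c.l + width == INT_MAX (boundary, fits)" },
        { INT_MAX - 10,            0,          11,   1, "c.l + width overflows int" },
        {            0, INT_MAX - 10,           1,  11, "c.t + height overflows int" },
        {            0,            0, 0x80000000u,   1, "width itself does not fit in int" },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-48s -> %s\n", cases[i].what,
               dims_ok(cases[i].l, cases[i].t, cases[i].w, cases[i].h)
                   ? "accepted" : "rejected");
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall -Wextra` and run: the two overflowing offsets and the oversized width are rejected, while the off-canvas layer with negative offsets is accepted. In xcftools the rejection would go through the program's own error path with a non-zero exit status rather than a bool return; the comparisons are the part that carries over.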