
Bug#984886: marked as done (buster-pu: package xcftools/1.0.7-6)



Your message dated Sat, 27 Mar 2021 10:26:45 +0000
with message-id <702e3cb8159c9986264e966af79023672688a8a4.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.9 point release
has caused the Debian Bug report #984886,
regarding buster-pu: package xcftools/1.0.7-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
984886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984886
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org

Dear release team,

[ Reason ]

I would like to fix CVE-2019-5086 and CVE-2019-5087. The same fix has
been applied in unstable and stretch already. The security team marked
these issues as no-dsa.

[ Impact ]

xcftools would still be vulnerable if not approved.

[ Tests ]

Tested with a manipulated xcf file.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru xcftools-1.0.7/debian/changelog xcftools-1.0.7/debian/changelog
--- xcftools-1.0.7/debian/changelog	2016-05-18 12:34:05.000000000 +0200
+++ xcftools-1.0.7/debian/changelog	2021-02-09 23:17:14.000000000 +0100
@@ -1,3 +1,16 @@
+xcftools (1.0.7-6+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2019-5086 and CVE-2019-5087:
+    An exploitable integer overflow vulnerability exists in the
+    flattenIncrementally function in the xcf2png and xcf2pnm binaries of
+    xcftools. An integer overflow can occur while walking through tiles that
+    could be exploited to corrupt memory and execute arbitrary code. In order
+    to trigger this vulnerability, a victim would need to open a specially
+    crafted XCF file.
+
+ -- Markus Koschany <apo@debian.org>  Tue, 09 Feb 2021 23:17:14 +0100
+
 xcftools (1.0.7-6) unstable; urgency=medium
 
   * Team upload (collab-maint)
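Review bot: the changelog entry does not reference the Debian bug that the patch header below ties this fix to (`Bug-Debian: https://bugs.debian.org/945317`); adding `(Closes: #945317)` to the `Fix CVE-2019-5086 and CVE-2019-5087:` bullet lets the BTS close the report on upload and keeps the changelog and patch metadata consistent. The description also names `flattenIncrementally` as the vulnerable function while the guard is added to `computeDimensions` in xcf-general.c; a short clause saying the overflow is prevented at dimension computation time would make the entry match what the patch actually changes.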
diff -Nru xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch
--- xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch	1970-01-01 01:00:00.000000000 +0100
+++ xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch	2021-02-09 23:17:14.000000000 +0100
@@ -0,0 +1,53 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 8 Feb 2021 17:57:56 +0100
+Subject: CVE-2019-5086 and CVE-2019-5087
+
+Patch by Anton Gladky and Markus Koschany.
+
+Bug-Debian: https://bugs.debian.org/945317
+Origin: https://github.com/j-jorge/xcftools/pull/15
+---
+ xcf-general.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/xcf-general.c b/xcf-general.c
+index 9d0b4dc..7cb1613 100644
+--- a/xcf-general.c
++++ b/xcf-general.c
+@@ -19,6 +19,8 @@
+ #include "xcftools.h"
+ #include <string.h>
+ #include <errno.h>
++#include <limits.h>
++#include <stdlib.h>
+ #ifdef HAVE_ICONV
+ # include <iconv.h>
+ #elif !defined(ICONV_CONST)
+@@ -182,6 +184,27 @@ xcfString(uint32_t ptr,uint32_t *after)
+ void
+ computeDimensions(struct tileDimensions *d)
+ {
++  // [ CVE-2019-5086 and CVE-2019-5087 ]
++  // This part of the code is the check to prevent integer overflow, see CVE-2019-5086 and CVE-2019-5087
++
++  if (d->c.l < INT_MIN/4) {
++    fprintf(stderr,("d->c.l is too small (%d)! Stopping execution...\n"), (d->c.l));
++    exit(0);
++  }
++  if (d->c.t < INT_MIN/4) {
++    fprintf(stderr,("d->c.t is too small (%d)! Stopping execution...\n"), (d->c.t));
++    exit(0);
++  }
++  if (d->width > (INT_MAX - d->c.l)/4) {
++    fprintf(stderr,("Width is too large (%d)! Stopping execution...\n"), (d->c.l + d->width));
++    exit(0);
++  }
++  if (d->height > (INT_MAX - d->c.t)/4) {
++    fprintf(stderr,("Height is too large (%d)! Stopping execution...\n"), (d->c.t + d->height));
++    exit(0);
++  }
++  // [ CVE-2019-5086 and CVE-2019-5087 ]
++
+   d->c.r = d->c.l + d->width ;
+   d->c.b = d->c.t + d->height ;
+   d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ;
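Review bot: the guard `if (d->width > (INT_MAX - d->c.l)/4)` can itself overflow: the preceding check only rejects `d->c.l < INT_MIN/4`, so any negative offset in [INT_MIN/4, -1] reaches `INT_MAX - d->c.l`, which exceeds INT_MAX and is undefined behaviour in signed arithmetic; the `d->c.t`/height guard has the same problem. Branch on the sign of the offset (for a negative `d->c.l` the bound for `d->width` is just `INT_MAX/4`) or do the subtraction in a wider type such as `long long`. Two further points in the same hunk: the "too large" diagnostics evaluate `d->c.l + d->width` and `d->c.t + d->height` right after concluding those sums may not fit, so the message performs the arithmetic the check is guarding against; pass `d->c.l` and `d->width` as separate `fprintf` arguments instead. And all four rejection paths call `exit(0)`, which reports success to a calling shell script or batch pipeline on exactly the input the tool refuses to process; use a non-zero status (or the error path xcftools already uses for malformed files) so the failure is visible to the caller.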
diff -Nru xcftools-1.0.7/debian/patches/series xcftools-1.0.7/debian/patches/series
--- xcftools-1.0.7/debian/patches/series	2016-05-18 12:27:32.000000000 +0200
+++ xcftools-1.0.7/debian/patches/series	2021-02-09 23:17:14.000000000 +0100
@@ -4,3 +4,4 @@
 fix-as-needed-linking
 libpng16.patch
 fix-test-UTF8.patch
+CVE-2019-5086-and-CVE-2019-5087.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.9

Hi,

Each of the updates referenced in these bugs was included in the 10.9
point release today.

Regards,

Adam

--- End Message ---
