
Bug#988325: marked as done (unblock: htmldoc/1.9.11-3)



Your message dated Tue, 11 May 2021 10:00:44 +0000
with message-id <E1lgPC0-0001TG-3O@respighi.debian.org>
and subject line unblock htmldoc
has caused the Debian Bug report #988325,
regarding unblock: htmldoc/1.9.11-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988325: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988325
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: haavard_aasen@yahoo.no

Please unblock package htmldoc

The bug #984765 [0] is only of severity normal, but it got a CVE number some days
ago; it has been deemed unimportant by the security team.

The patch is cherry-picked from upstream.

[ Reason ]
buffer-overflow caused by integer-overflow in image_load_gif(), which is
CVE-2021-20308 [1]

[ Impact ]
Probably quite small.

[ Tests ]
None.

[ Risks ]
Small risk.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock htmldoc/1.9.11-3

Regards,
Håvard

[0] https://bugs.debian.org/#984765
[1] https://security-tracker.debian.org/tracker/CVE-2021-20308
diff -Nru htmldoc-1.9.11/debian/changelog htmldoc-1.9.11/debian/changelog
--- htmldoc-1.9.11/debian/changelog	2021-02-08 15:46:44.000000000 +0100
+++ htmldoc-1.9.11/debian/changelog	2021-05-10 16:10:41.000000000 +0200
@@ -1,3 +1,10 @@
+htmldoc (1.9.11-3) unstable; urgency=medium
+
+  * Add patch to mitigate buffer-overflow caused by integer-overflow in
+    image_load_gif() Closes: 984765 and fixes CVE-2021-20308
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no>  Mon, 10 May 2021 16:10:41 +0200
+
 htmldoc (1.9.11-2) unstable; urgency=medium
 
   * Update build-dependency to libfltk1.3-dev Closes: #982276
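Review bot: The new 1.9.11-3 entry writes the bug reference as "Closes: 984765", while the 1.9.11-2 entry just below uses "Closes: #982276"; use the "#" form here too for consistency. It would also read more clearly with the closure and the CVE separated from the description, for example "(Closes: #984765, CVE-2021-20308)" at the end of the bullet.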
diff -Nru htmldoc-1.9.11/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch htmldoc-1.9.11/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch
--- htmldoc-1.9.11/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch	2021-05-10 16:10:41.000000000 +0200
@@ -0,0 +1,27 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Wed, 31 Mar 2021 20:18:00 -0400
+Subject: Fix crash bug with bad GIFs (Issue #423)
+
+CVE-2021-20308
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6a8322a718b2ba5c440bd33e6f26d9e281c39654
+Bug: https://github.com/michaelrsweet/htmldoc/issues/423
+Bug-Debian: https://bugs.debian.org/#984765
+---
+ htmldoc/image.cxx | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 68d6b92..8f53050 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -1245,6 +1245,9 @@ image_load_gif(image_t *img,	/* I - Image pointer */
+   img->height = (buf[9] << 8) | buf[8];
+   ncolors     = 2 << (buf[10] & 0x07);
+ 
++  if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
++    return (-1);
++
+   // If we are writing an encrypted PDF file, bump the use count so we create
+   // an image object (Acrobat 6 bug workaround)
+   if (Encryption)
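Review bot: The added check in image_load_gif() bounds img->width and img->height separately, but it does not bound their product: two dimensions of 32767 multiply to roughly 2^30, and that exceeds INT_MAX if it is then multiplied by 3 bytes per pixel in int arithmetic. The buffer size computation is outside this hunk, so confirm that it is done in size_t or is checked for overflow, or extend the test to cover the product. The literal 32767 also deserves a short comment saying why that limit was chosen, and since the request lists "Tests: None", a regression case with a malformed GIF header would be worth carrying alongside the patch.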
diff -Nru htmldoc-1.9.11/debian/patches/series htmldoc-1.9.11/debian/patches/series
--- htmldoc-1.9.11/debian/patches/series	2021-02-08 14:38:12.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/series	2021-05-10 16:10:41.000000000 +0200
@@ -5,3 +5,4 @@
 autoheader_support.patch
 disable_libz.patch
 remove-os-check.patch
+Fix-crash-bug-with-bad-GIFs-Issue-423.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
