
Bug#988365: buster-pu: package htmldoc/1.9.3-1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: haavard_aasen@yahoo.no

This update fixes CVE-2019-19630 and CVE-2021-20308, which is bug
#984765. Both patches are from upstream and have very small changes.

CVE-2019-19630 is marked with no DSA and CVE-2021-20308 is marked
unimportant, so I have not contacted the security team.

[ Reason ]
Fix CVE-2019-19630 and CVE-2021-20308

[ Impact ]
Minor

[ Tests ]
None

[ Risks ]
Small to none

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The patches add additional if-statements to prevent buffer-overflows.

Regards,
Håvard

https://security-tracker.debian.org/tracker/CVE-2019-19630
https://security-tracker.debian.org/tracker/CVE-2021-20308
https://bugs.debian.org/#984765
diff -Nru htmldoc-1.9.3/debian/changelog htmldoc-1.9.3/debian/changelog
--- htmldoc-1.9.3/debian/changelog	2018-04-11 20:04:27.000000000 +0200
+++ htmldoc-1.9.3/debian/changelog	2021-05-11 12:03:14.000000000 +0200
@@ -1,3 +1,13 @@
+htmldoc (1.9.3-1+deb10u1) buster; urgency=medium
+
+  * QA upload.
+  * Add patch to fix a stack-based buffer overflow in the hd_strlcpy()
+    Fixes: CVE-2019-19630
+  * Add patch to fix buffer-overflow caused by integer-overflow
+    Closes: #984765 Fixes: CVE-2021-20308
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no>  Tue, 11 May 2021 12:03:14 +0200
+
 htmldoc (1.9.3-1) unstable; urgency=medium
 
   * QA upload.
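
Review bot: The first new changelog bullet, "stack-based buffer overflow in the hd_strlcpy()", trails off and does not say where the fix is applied, while the included patch's Subject calls the issue a buffer underflow and changes render_contents() in htmldoc/ps-pdf.cxx. Suggest naming the patched function in the entry so the changelog and the patch header agree, and putting "Closes: #984765" and "Fixes: CVE-2021-20308" on separate lines in the second bullet.
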
diff -Nru htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch
--- htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch	2021-05-11 11:55:58.000000000 +0200
@@ -0,0 +1,28 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Sun, 8 Dec 2019 14:00:26 -0500
+Subject: Fix a buffer underflow issue with GCC on Linux (Issue #360)
+
+CVE-2019-19630
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/8a129c520e90fc967351f3e165f967128a88f09c
+Bug: https://github.com/michaelrsweet/htmldoc/issues/370
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-19630
+---
+ htmldoc/ps-pdf.cxx | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index 78a0183..5d96591 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -3721,7 +3721,9 @@ render_contents(tree_t *t,		/* I - Tree to parse */
+          nptr < (number + sizeof(number) - 1) && width < right;
+ 	 width += dot_width)
+       *nptr++ = '.';
+-    nptr --;
++
++    if (nptr > number)
++      nptr --;
+ 
+     strlcpy((char *)nptr, pages[hpage].page_text, sizeof(number) - (size_t)(nptr - number));
+ 
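
Review bot: The patch header is inconsistent about the upstream issue: the Subject line and the patch file name say Issue #360, while the Bug: field points to issues/370. Please confirm which issue this fix belongs to, and if the Subject is kept verbatim from the upstream commit, note that in the header. On the change itself, the new "if (nptr > number)" guard leaves nptr at number when the loop above writes no dots, and the size passed to strlcpy(), sizeof(number) - (size_t)(nptr - number), is then the full buffer, so pointer and bound stay consistent.
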
diff -Nru htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch
--- htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch	2021-05-11 11:55:58.000000000 +0200
@@ -0,0 +1,27 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Wed, 31 Mar 2021 20:18:00 -0400
+Subject: Fix crash bug with bad GIFs (Issue #423)
+
+CVE-2021-20308
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6a8322a718b2ba5c440bd33e6f26d9e281c39654
+Bug: https://github.com/michaelrsweet/htmldoc/issues/423
+Bug-Debian: https://bugs.debian.org/#984765
+---
+ htmldoc/image.cxx | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 907db8f..9d36a41 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -1245,6 +1245,9 @@ image_load_gif(image_t *img,	/* I - Image pointer */
+   img->height = (buf[9] << 8) | buf[8];
+   ncolors     = 2 << (buf[10] & 0x07);
+ 
++  if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
++    return (-1);
++
+   // If we are writing an encrypted PDF file, bump the use count so we create
+   // an image object (Acrobat 6 bug workaround)
+   if (Encryption)
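
Review bot: The new range check on img->width and img->height uses the bare constant 32767 with no comment, and the changelog attributes this CVE to an integer overflow that the hunk does not show. A one-line comment naming the size computation the limit protects would make the bound reviewable. img->height is assembled from two header bytes, so the upper bound is what rejects oversized values here; please also confirm that the early "return (-1);" does not skip cleanup that other error paths in image_load_gif() perform, and since the request lists Tests as None, a malformed-GIF regression case would be worth adding.
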
diff -Nru htmldoc-1.9.3/debian/patches/series htmldoc-1.9.3/debian/patches/series
--- htmldoc-1.9.3/debian/patches/series	2018-04-11 20:04:27.000000000 +0200
+++ htmldoc-1.9.3/debian/patches/series	2021-05-11 11:55:58.000000000 +0200
@@ -4,3 +4,5 @@
 autoheader_support.patch
 disable_libz.patch
 remove-os-check.patch
+Fix-crash-bug-with-bad-GIFs-Issue-423.patch
+Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch
