Bug#998902: bullseye-pu: package htmldoc/1.9.11-4
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: haavard_aasen@yahoo.no
Fix: CVE-2021-40985.
[ Reason ]
Fix for the recent CVE.
[ Impact ]
Insecure application.
[ Tests ]
Manually tested with the poc, attached within the issue on GitHub.
[ Risks ]
Small patch taken from upstream. Minor/none risk.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Patch taken from upstream to fix a buffer underflow regarding BMP
images.
[ Other info ]
No.
Regards,
Håvard
diff -Nru htmldoc-1.9.11/debian/changelog htmldoc-1.9.11/debian/changelog
--- htmldoc-1.9.11/debian/changelog 2021-06-03 21:29:16.000000000 +0200
+++ htmldoc-1.9.11/debian/changelog 2021-11-08 22:49:21.000000000 +0100
@@ -1,3 +1,9 @@
+htmldoc (1.9.11-4+deb11u1) bullseye; urgency=medium
+
+ * Fix BMP crash bug. Fix: CVE-2021-40985.
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Mon, 08 Nov 2021 22:49:21 +0100
+
htmldoc (1.9.11-4) unstable; urgency=medium
* Add patches to fix many CVE's. Closes: #989437
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-40985.patch htmldoc-1.9.11/debian/patches/CVE-2021-40985.patch
--- htmldoc-1.9.11/debian/patches/CVE-2021-40985.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2021-40985.patch 2021-11-08 22:49:21.000000000 +0100
@@ -0,0 +1,41 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Sat, 11 Sep 2021 18:12:33 -0400
+Subject: CVE-2021-40985
+
+Fix BMP crash bug (Issue #444)
+---
+ htmldoc/image.cxx | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 74abfac..caa764d 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -900,6 +900,9 @@ image_load_bmp(image_t *img, /* I - Image to load into */
+ colors_used = (int)read_dword(fp);
+ read_dword(fp);
+
++ if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192)
++ return (-1);
++
+ if (info_size > 40)
+ for (info_size -= 40; info_size > 0; info_size --)
+ getc(fp);
+@@ -911,7 +914,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
+ fread(colormap, (size_t)colors_used, 4, fp);
+
+ // Setup image and buffers...
+- img->depth = gray ? 1 : 3;
++ img->depth = gray ? 1 : 3;
+
+ // If this image is indexed and we are writing an encrypted PDF file, bump the use count so
+ // we create an image object (Acrobat 6 bug workaround)
+@@ -1061,7 +1064,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
+ if (bit == 0xf0)
+ {
+ if (color < 0)
+- temp = getc(fp);
++ temp = getc(fp) & 255;
+ else
+ temp = color;
+
diff -Nru htmldoc-1.9.11/debian/patches/series htmldoc-1.9.11/debian/patches/series
--- htmldoc-1.9.11/debian/patches/series 2021-06-03 21:29:16.000000000 +0200
+++ htmldoc-1.9.11/debian/patches/series 2021-11-08 22:49:21.000000000 +0100
@@ -12,3 +12,4 @@
CVE-2021-23206.patch
CVE-2021-26259.patch
CVE-2021-26948.patch
+CVE-2021-40985.patch
Reply to: