Bug#998907: buster-pu: package htmldoc/1.9.3-1+deb10u2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: haavard_aasen@yahoo.no
Fix: CVE-2021-40985
[ Reason ]
Fix for the recent CVE.
[ Impact ]
Insecure application.
[ Tests ]
Manually tested with the poc, attached within the issue on GitHub.
[ Risks ]
Small patch taken from upstream. Minor/none risk.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Patch taken from upstream to fix buffer-overflow, regarding BMP
images.
[ Other info ]
No.
Regards,
Håvard
diff -Nru htmldoc-1.9.3/debian/changelog htmldoc-1.9.3/debian/changelog
--- htmldoc-1.9.3/debian/changelog 2021-06-07 16:25:54.000000000 +0200
+++ htmldoc-1.9.3/debian/changelog 2021-11-09 19:55:47.000000000 +0100
@@ -1,3 +1,9 @@
+htmldoc (1.9.3-1+deb10u3) buster; urgency=medium
+
+ * Patch to fix buffer-overflow with BMP images. Fix: CVE-2021-40985
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Tue, 09 Nov 2021 19:55:47 +0100
+
htmldoc (1.9.3-1+deb10u2) buster-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch
--- htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch 2021-11-09 19:55:47.000000000 +0100
@@ -0,0 +1,40 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Sat, 11 Sep 2021 18:12:33 -0400
+Subject: Fix BMP crash bug (Issue #444)
+
+---
+ htmldoc/image.cxx | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 87bfecb..1525ab8 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -900,6 +900,9 @@ image_load_bmp(image_t *img, /* I - Image to load into */
+ colors_used = (int)read_dword(fp);
+ read_dword(fp);
+
++ if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192)
++ return (-1);
++
+ if (info_size > 40)
+ for (info_size -= 40; info_size > 0; info_size --)
+ getc(fp);
+@@ -911,7 +914,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
+ fread(colormap, (size_t)colors_used, 4, fp);
+
+ // Setup image and buffers...
+- img->depth = gray ? 1 : 3;
++ img->depth = gray ? 1 : 3;
+
+ // If this image is indexed and we are writing an encrypted PDF file, bump the use count so
+ // we create an image object (Acrobat 6 bug workaround)
+@@ -1061,7 +1064,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
+ if (bit == 0xf0)
+ {
+ if (color < 0)
+- temp = getc(fp);
++ temp = getc(fp) & 255;
+ else
+ temp = color;
+
diff -Nru htmldoc-1.9.3/debian/patches/series htmldoc-1.9.3/debian/patches/series
--- htmldoc-1.9.3/debian/patches/series 2021-06-07 16:25:54.000000000 +0200
+++ htmldoc-1.9.3/debian/patches/series 2021-11-09 19:55:47.000000000 +0100
@@ -12,3 +12,4 @@
CVE-2021-23206.patch
CVE-2021-26259.patch
CVE-2021-26948.patch
+CVE-2021-40985.patch
Reply to: