Bug#1006494: buster-pu: htmldoc/1.9.3-1+deb10u3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for htmldoc fixes CVE-2022-0534, CVE-2021-43579 and
CVE-2021-40985 in Buster. These CVEs are marked as unimportant by the
security team, yet they are bugs. CVE-2021-43579 even has the possibility
of remote code execution.
Thorsten
diff -Nru htmldoc-1.9.3/debian/changelog htmldoc-1.9.3/debian/changelog
--- htmldoc-1.9.3/debian/changelog 2021-06-07 16:25:54.000000000 +0200
+++ htmldoc-1.9.3/debian/changelog 2022-02-25 22:03:02.000000000 +0100
@@ -1,3 +1,19 @@
+htmldoc (1.9.3-1+deb10u3) buster; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2022-0534
+ A crafted GIF file could lead to a stack out-of-bounds read,
+ which could result in a crash (segmentation fault).
+ * CVE-2021-43579
+ Converting an HTML document, which links to a crafted BMP file,
+ could lead to a stack-based buffer overflow, which could result
+ in remote code execution.
+ * CVE-2021-40985
+ A crafted BMP image could lead to a buffer overflow, which could
+ cause a denial of service.
+
+ -- Thorsten Alteholz <debian@alteholz.de> Fri, 25 Feb 2022 22:03:02 +0100
+
htmldoc (1.9.3-1+deb10u2) buster-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch
--- htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch 2022-02-25 22:03:02.000000000 +0100
@@ -0,0 +1,38 @@
+commit f12b9666e582a8e7b70f11b28e5ffc49ad625d43
+Author: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Sat Sep 11 18:12:33 2021 -0400
+
+ Fix BMP crash bug (Issue #444)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===================================================================
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx 2022-02-26 01:01:53.117543638 +0100
++++ htmldoc-1.9.3/htmldoc/image.cxx 2022-02-26 01:01:53.117543638 +0100
+@@ -900,6 +900,9 @@
+ colors_used = (int)read_dword(fp);
+ read_dword(fp);
+
++ if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192)
++ return (-1);
++
+ if (info_size > 40)
+ for (info_size -= 40; info_size > 0; info_size --)
+ getc(fp);
+@@ -911,7 +914,7 @@
+ fread(colormap, (size_t)colors_used, 4, fp);
+
+ // Setup image and buffers...
+- img->depth = gray ? 1 : 3;
++ img->depth = gray ? 1 : 3;
+
+ // If this image is indexed and we are writing an encrypted PDF file, bump the use count so
+ // we create an image object (Acrobat 6 bug workaround)
+@@ -1061,7 +1064,7 @@
+ if (bit == 0xf0)
+ {
+ if (color < 0)
+- temp = getc(fp);
++ temp = getc(fp) & 255;
+ else
+ temp = color;
+
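Review bot: The `temp = getc(fp) & 255` change keeps a negative EOF from being used as an index, but it silently turns end-of-file into pixel value 255 instead of an error, and the `fread(colormap, (size_t)colors_used, 4, fp)` call in the middle hunk never checks how many entries were actually read; a truncated BMP therefore decodes through colormap slots that were never filled (whether `colormap` is zeroed before this point is not visible in the hunk). The width/height check added at the top of the hunk sets the right pattern, so the colormap read should fail the same way: `if (fread(colormap, 4, (size_t)colors_used, fp) != (size_t)colors_used) return (-1);` (size and count swapped so the return value counts entries). The enclosing function starts and ends outside this hunk.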
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch
--- htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch 2022-02-25 22:03:02.000000000 +0100
@@ -0,0 +1,27 @@
+commit 27d08989a5a567155d506ac870ae7d8cc88fa58b
+Author: Michael R Sweet <msweet@msweet.org>
+Date: Fri Nov 5 09:35:10 2021 -0400
+
+ Fix potential BMP stack overflow (Issue #453)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===================================================================
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx 2022-02-26 01:02:38.045520508 +0100
++++ htmldoc-1.9.3/htmldoc/image.cxx 2022-02-26 01:02:38.045520508 +0100
+@@ -904,12 +904,16 @@
+ return (-1);
+
+ if (info_size > 40)
++ {
+ for (info_size -= 40; info_size > 0; info_size --)
+ getc(fp);
++ }
+
+ // Get colormap...
+ if (colors_used == 0 && depth <= 8)
+ colors_used = 1 << depth;
++ else if (colors_used > 256)
++ return (-1);
+
+ fread(colormap, (size_t)colors_used, 4, fp);
+
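Review bot: The new `else if (colors_used > 256)` guard does not reject negative values: `colors_used` is assigned from `(int)read_dword(fp)` earlier in the same function (visible in the companion CVE-2021-40985 patch), so a header dword of 0x80000000 or above becomes a negative int, passes the `> 256` test, and is then cast to `size_t` in `fread(colormap, (size_t)colors_used, 4, fp)`, which lets a file longer than the buffer overflow the same stack array this patch is meant to protect. Change the guard to `else if (colors_used < 0 || colors_used > 256) return (-1);`. The declared type of `colors_used` and the size of `colormap` are not visible here, so confirm that `colormap` really holds 256 entries before relying on that bound. The enclosing function starts and ends outside this hunk.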
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch
--- htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch 2022-02-25 22:03:02.000000000 +0100
@@ -0,0 +1,38 @@
+commit 776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50
+Author: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Fri Jan 7 10:21:58 2022 -0500
+
+ Fix potential stack overflow with GIF images (Issue #463)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===================================================================
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx 2022-02-26 01:03:05.161506575 +0100
++++ htmldoc-1.9.3/htmldoc/image.cxx 2022-02-26 01:03:05.161506575 +0100
+@@ -213,8 +213,7 @@
+
+ if (done)
+ {
+- progress_error(HD_ERROR_READ_ERROR,
+- "Not enough data left to read GIF compression code.");
++ progress_error(HD_ERROR_READ_ERROR, "Not enough data left to read GIF compression code.");
+ return (-1); /* Sorry, no more... */
+ }
+
+@@ -238,7 +237,7 @@
+ * Read in another buffer...
+ */
+
+- if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
++ if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
+ {
+ /*
+ * Whoops, no more data!
+@@ -252,7 +251,7 @@
+ * Update buffer state...
+ */
+
+- curbit = (curbit - lastbit) + 8 * last_byte;
++ curbit = curbit + 8 * last_byte - lastbit;
+ last_byte += (unsigned)count;
+ lastbit = last_byte * 8;
+ }
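Review bot: The rewritten `curbit = curbit + 8 * last_byte - lastbit;` yields the same value as the old `(curbit - lastbit) + 8 * last_byte` under unsigned or two's-complement wrap-around, so as backported these three hunks change formatting and operand order but add no bound on the read into `buf + last_byte`. If upstream commit 776cf0fc included any buffer-size or bounds change beyond what is shown, it has been dropped here; if it did not, the CVE-2022-0534 mitigation rests entirely on the companion code-size patch and the changelog should say so. A defensive check before the `gif_get_block` call, e.g. `if (last_byte > sizeof(buf) - 255) return (-1);`, would bound the read regardless, given that a GIF data sub-block is at most 255 bytes — this assumes `buf` is a sized array, which is not visible in the hunk. The enclosing function (presumably gif_get_code) starts and ends outside this hunk.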
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2022-0534-2.patch htmldoc-1.9.3/debian/patches/CVE-2022-0534-2.patch
--- htmldoc-1.9.3/debian/patches/CVE-2022-0534-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2022-0534-2.patch 2022-02-25 22:03:02.000000000 +0100
@@ -0,0 +1,32 @@
+commit 312f0f9c12f26fbe015cd0e6cefa40e4b99017d9
+Author: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Fri Jan 7 18:21:53 2022 -0500
+
+ Block GIF images with a code size > 12 (Issue #463)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===================================================================
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx 2022-02-26 01:03:09.413504393 +0100
++++ htmldoc-1.9.3/htmldoc/image.cxx 2022-02-26 01:03:09.409504395 +0100
+@@ -293,6 +293,12 @@
+ pass = 0;
+ code_size = (uchar)getc(fp);
+
++ if (code_size > 12)
++ {
++ progress_error(HD_ERROR_READ_ERROR, "Bad GIF file \"%s\" - invalid code size %d.", img->filename, code_size);
++ return (-1);
++ }
++
+ if (gif_read_lzw(fp, 1, code_size) < 0)
+ return (-1);
+
+@@ -420,7 +426,7 @@
+ if (sp > stack)
+ return (*--sp);
+
+- while ((code = gif_get_code (fp, code_size, 0)) >= 0)
++ while ((code = gif_get_code(fp, code_size, 0)) >= 0)
+ {
+ if (code == clear_code)
+ {
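Review bot: The new guard rejects `code_size > 12`, but the GIF format bounds the LZW minimum code size to 2..8 — the 12-bit ceiling applies to the working code size after the dictionary grows, not to the initial value read here — so 9..12 still pass and at 12 the clear code `1 << code_size` reaches 4096, the usual LZW table size; whether gif_read_lzw guards its table indexing for that case is not visible in this hunk. Tightening the check to `if (code_size < 2 || code_size > 8)` matches the specification and keeps the existing error message; if compatibility with malformed 1-bit GIFs that carry a code size of 1 matters, use 1 as the lower bound. The enclosing function starts and ends outside this hunk.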
diff -Nru htmldoc-1.9.3/debian/patches/series htmldoc-1.9.3/debian/patches/series
--- htmldoc-1.9.3/debian/patches/series 2021-06-07 16:25:54.000000000 +0200
+++ htmldoc-1.9.3/debian/patches/series 2022-02-25 22:03:02.000000000 +0100
@@ -12,3 +12,9 @@
CVE-2021-23206.patch
CVE-2021-26259.patch
CVE-2021-26948.patch
+
+CVE-2021-40985.patch
+CVE-2021-43579.patch
+CVE-2022-0534-1.patch
+CVE-2022-0534-2.patch
+