
Bug#1006494: buster-pu: htmldoc/1.9.3-1+deb10u3



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for htmldoc fixes CVE-2022-0534, CVE-2021-43579 and CVE-2021-40985 in Buster. These CVEs are marked as unimportant by the security team, yet they are genuine bugs worth fixing. CVE-2021-43579 even has the possibility of remote code execution.

  Thorsten

diff -Nru htmldoc-1.9.3/debian/changelog htmldoc-1.9.3/debian/changelog
--- htmldoc-1.9.3/debian/changelog	2021-06-07 16:25:54.000000000 +0200
+++ htmldoc-1.9.3/debian/changelog	2022-02-25 22:03:02.000000000 +0100
@@ -1,3 +1,19 @@
+htmldoc (1.9.3-1+deb10u3) buster; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-0534
+    A crafted GIF file could lead to a stack out-of-bounds read,
+    which could result in a crash (segmentation fault).
+  * CVE-2021-43579
+    Converting an HTML document, which links to a crafted BMP file,
+    could lead to a stack-based buffer overflow, which could result
+    in remote code execution.
+  * CVE-2021-40985
+    A crafted BMP image could lead to a buffer overflow, which could
+    cause a denial of service.
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Fri, 25 Feb 2022 22:03:02 +0100
+
 htmldoc (1.9.3-1+deb10u2) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch
--- htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2021-40985.patch	2022-02-25 22:03:02.000000000 +0100
@@ -0,0 +1,38 @@
+commit f12b9666e582a8e7b70f11b28e5ffc49ad625d43
+Author: Michael R Sweet <michael.r.sweet@gmail.com>
+Date:   Sat Sep 11 18:12:33 2021 -0400
+
+    Fix BMP crash bug (Issue #444)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===================================================================
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx	2022-02-26 01:01:53.117543638 +0100
++++ htmldoc-1.9.3/htmldoc/image.cxx	2022-02-26 01:01:53.117543638 +0100
+@@ -900,6 +900,9 @@
+   colors_used      = (int)read_dword(fp);
+   read_dword(fp);
+ 
++  if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192)
++    return (-1);
++
+   if (info_size > 40)
+     for (info_size -= 40; info_size > 0; info_size --)
+       getc(fp);
+@@ -911,7 +914,7 @@
+   fread(colormap, (size_t)colors_used, 4, fp);
+ 
+   // Setup image and buffers...
+-  img->depth  = gray ? 1 : 3;
++  img->depth = gray ? 1 : 3;
+ 
+   // If this image is indexed and we are writing an encrypted PDF file, bump the use count so
+   // we create an image object (Acrobat 6 bug workaround)
+@@ -1061,7 +1064,7 @@
+             if (bit == 0xf0)
+ 	    {
+               if (color < 0)
+-		temp = getc(fp);
++		temp = getc(fp) & 255;
+ 	      else
+ 		temp = color;
+ 
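Review bot: `temp = getc(fp) & 255;` turns an EOF return (-1) into the pixel value 255 rather than reporting a truncated file, so the RLE decoder keeps consuming fabricated data; if this loop is still inside the loader that returns -1 on a bad header earlier in the same file, an explicit check such as `if ((temp = getc(fp)) == EOF) return (-1);` would stop the read instead of masking it. The mask does remove the negative value that presumably caused the reported crash, so it is acceptable as a minimal backport, but the intent deserves a comment, e.g. `// getc() can return EOF (-1); clamp to a byte so it can never index out of range`. Note also that the new `img->width`/`img->height` guard caps BMP input at 8192 pixels per side, which rejects legitimate larger images — a user-visible behaviour change for a stable update that the changelog entry should mention. The enclosing function begins and ends outside this hunk.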
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch
--- htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2021-43579.patch	2022-02-25 22:03:02.000000000 +0100
@@ -0,0 +1,27 @@
+commit 27d08989a5a567155d506ac870ae7d8cc88fa58b
+Author: Michael R Sweet <msweet@msweet.org>
+Date:   Fri Nov 5 09:35:10 2021 -0400
+
+    Fix potential BMP stack overflow (Issue #453)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===================================================================
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx	2022-02-26 01:02:38.045520508 +0100
++++ htmldoc-1.9.3/htmldoc/image.cxx	2022-02-26 01:02:38.045520508 +0100
+@@ -904,12 +904,16 @@
+     return (-1);
+ 
+   if (info_size > 40)
++  {
+     for (info_size -= 40; info_size > 0; info_size --)
+       getc(fp);
++  }
+ 
+   // Get colormap...
+   if (colors_used == 0 && depth <= 8)
+     colors_used = 1 << depth;
++  else if (colors_used > 256)
++    return (-1);
+ 
+   fread(colormap, (size_t)colors_used, 4, fp);
+ 
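Review bot: The new `else if (colors_used > 256)` guard rejects only large positive counts, but `colors_used` is an `int` assigned from `(int)read_dword(fp)` earlier in this file, so a dword with the top bit set becomes negative, passes the comparison, and the `(size_t)colors_used` cast in the following `fread(colormap, ...)` turns it into a huge element count that can read far past `colormap` (whose declaration is outside the hunk). Unless read_dword is guaranteed never to return values at or above INT_MAX, which nothing visible here establishes, the guard should be `else if (colors_used < 0 || colors_used > 256)`. The enclosing function starts and ends outside this hunk.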
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch
--- htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2022-0534-1.patch	2022-02-25 22:03:02.000000000 +0100
@@ -0,0 +1,38 @@
+commit 776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50
+Author: Michael R Sweet <michael.r.sweet@gmail.com>
+Date:   Fri Jan 7 10:21:58 2022 -0500
+
+    Fix potential stack overflow with GIF images (Issue #463)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===================================================================
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx	2022-02-26 01:03:05.161506575 +0100
++++ htmldoc-1.9.3/htmldoc/image.cxx	2022-02-26 01:03:05.161506575 +0100
+@@ -213,8 +213,7 @@
+ 
+     if (done)
+     {
+-      progress_error(HD_ERROR_READ_ERROR,
+-                     "Not enough data left to read GIF compression code.");
++      progress_error(HD_ERROR_READ_ERROR, "Not enough data left to read GIF compression code.");
+       return (-1);	/* Sorry, no more... */
+     }
+ 
+@@ -238,7 +237,7 @@
+     * Read in another buffer...
+     */
+ 
+-    if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
++    if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
+     {
+      /*
+       * Whoops, no more data!
+@@ -252,7 +251,7 @@
+     * Update buffer state...
+     */
+ 
+-    curbit    = (curbit - lastbit) + 8 * last_byte;
++    curbit    = curbit + 8 * last_byte - lastbit;
+     last_byte += (unsigned)count;
+     lastbit   = last_byte * 8;
+   }
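Review bot: The only non-cosmetic line here, `curbit = curbit + 8 * last_byte - lastbit;`, computes the same value as the old `(curbit - lastbit) + 8 * last_byte` — identical under modular unsigned arithmetic and, absent overflow, under signed as well — so this hunk does not by itself close the out-of-bounds read; the guard that does is the `code_size > 12` rejection carried in CVE-2022-0534-2.patch. If the reorder was taken only to avoid a transient wrap of the `curbit - lastbit` intermediate, a DEP-3 `Comment:` header in the patch saying so, and noting that it is a companion to the -2 patch, would spare the next backporter from hunting for a fix that isn't here. The remaining changes are whitespace and line-joining, which add review noise to a stable update without changing behaviour. The enclosing function starts and ends outside this hunk.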
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2022-0534-2.patch htmldoc-1.9.3/debian/patches/CVE-2022-0534-2.patch
--- htmldoc-1.9.3/debian/patches/CVE-2022-0534-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2022-0534-2.patch	2022-02-25 22:03:02.000000000 +0100
@@ -0,0 +1,32 @@
+commit 312f0f9c12f26fbe015cd0e6cefa40e4b99017d9
+Author: Michael R Sweet <michael.r.sweet@gmail.com>
+Date:   Fri Jan 7 18:21:53 2022 -0500
+
+    Block GIF images with a code size > 12 (Issue #463)
+
+Index: htmldoc-1.9.3/htmldoc/image.cxx
+===================================================================
+--- htmldoc-1.9.3.orig/htmldoc/image.cxx	2022-02-26 01:03:09.413504393 +0100
++++ htmldoc-1.9.3/htmldoc/image.cxx	2022-02-26 01:03:09.409504395 +0100
+@@ -293,6 +293,12 @@
+   pass      = 0;
+   code_size = (uchar)getc(fp);
+ 
++  if (code_size > 12)
++  {
++    progress_error(HD_ERROR_READ_ERROR, "Bad GIF file \"%s\" - invalid code size %d.", img->filename, code_size);
++    return (-1);
++  }
++
+   if (gif_read_lzw(fp, 1, code_size) < 0)
+     return (-1);
+ 
+@@ -420,7 +426,7 @@
+   if (sp > stack)
+     return (*--sp);
+ 
+-  while ((code = gif_get_code (fp, code_size, 0)) >= 0)
++  while ((code = gif_get_code(fp, code_size, 0)) >= 0)
+   {
+     if (code == clear_code)
+     {
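Review bot: The new `code_size > 12` check bounds the LZW table from above, but nothing rejects a minimum code size of 0 or 1, which as far as I recall the GIF specification never uses (valid images carry 2..8), so those values still reach `gif_read_lzw`; if its table sizing assumes at least 2, the guard should be `if (code_size < 2 || code_size > 12)`. Because `code_size` is assigned from `(uchar)getc(fp)`, an EOF (-1) becomes 255 and is correctly refused by the upper bound, which is worth a one-line comment such as `// EOF from getc() becomes 255 here and is rejected below` so nobody later "fixes" the cast. The enclosing function starts and ends outside this hunk.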
diff -Nru htmldoc-1.9.3/debian/patches/series htmldoc-1.9.3/debian/patches/series
--- htmldoc-1.9.3/debian/patches/series	2021-06-07 16:25:54.000000000 +0200
+++ htmldoc-1.9.3/debian/patches/series	2022-02-25 22:03:02.000000000 +0100
@@ -12,3 +12,9 @@
 CVE-2021-23206.patch
 CVE-2021-26259.patch
 CVE-2021-26948.patch
+
+CVE-2021-40985.patch
+CVE-2021-43579.patch
+CVE-2022-0534-1.patch
+CVE-2022-0534-2.patch
+
