
Bug#1011030: buster-pu: package htmldoc/1.9.3-1+deb10u4



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: havard.f.aasen@pfft.no

Fixes three CVEs: CVE-2022-24191, CVE-2022-27114 and CVE-2022-28085.

[ Reason ]
One minor issue, two unimportant ones; still nice to have them all fixed at
the same time.

[ Impact ]
Images are now limited to 4GiB of memory usage (37837x37837 pixels).
Shouldn't really be any issue.

[ Tests ]
All CVEs come with a PoC; I have tested before and after, and can confirm
that the provided patches actually fix the CVEs.

[ Risks ]
Most of the patches are more comparison and size checking.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Three patches, all taken from upstream.


Regards,
Håvard
diff -Nru htmldoc-1.9.3/debian/changelog htmldoc-1.9.3/debian/changelog
--- htmldoc-1.9.3/debian/changelog	2022-02-25 22:03:02.000000000 +0100
+++ htmldoc-1.9.3/debian/changelog	2022-05-15 20:00:35.000000000 +0200
@@ -1,3 +1,22 @@
+htmldoc (1.9.3-1+deb10u4) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2022-24191
+    Infinite loop in the gif_read_lzw function can lead to a
+    pointer arbitrarily pointing to heap memory and resulting
+    in a buffer overflow.
+  * CVE-2022-27114
+    Integer Overflow bugs in image.cxx, malloc function may
+    return a heap block smaller than the expected size, and
+    it will cause a buffer overflow/Address boundary error in
+    the jpeg_read_scanlines function.
+  * CVE-2022-28085
+    A heap buffer overflow in the function pdf_write_names
+    in ps-pdf.cxx may lead to arbitrary code execution and
+    Denial of Service (DoS).
+
+ -- Håvard F. Aasen <havard.f.aasen@pfft.no>  Sun, 15 May 2022 20:00:35 +0200
+
 htmldoc (1.9.3-1+deb10u3) buster; urgency=high
 
   * Non-maintainer upload by the LTS Team.
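Review bot: the CVE-2022-24191 entry talks about a pointer into heap memory, while the patch it ships (debian/patches/CVE-2022-24191.patch) is titled "Fix a potential stack overflow bug with GIF images" and bounds-checks `sp` against the local `stack` array in gif_read_lzw; aligning the wording (e.g. "out-of-bounds write past the LZW decode stack in gif_read_lzw") would make the changelog match the fix. The CVE-2022-27114 entry would also benefit from stating the limit the patch introduces (IMAGE_MAX_DIM 37837, previously 8192 for BMP and 32767 for GIF), since that is the user-visible behaviour change of this upload.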
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2022-24191.patch htmldoc-1.9.3/debian/patches/CVE-2022-24191.patch
--- htmldoc-1.9.3/debian/patches/CVE-2022-24191.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2022-24191.patch	2022-05-15 20:00:35.000000000 +0200
@@ -0,0 +1,49 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Tue, 25 Jan 2022 18:11:34 -0500
+Subject: CVE-2022-24191
+
+Fix a potential stack overflow bug with GIF images (Issue #470)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/fb0334a51300988e9b83b9870d4063e86002b077
+---
+ htmldoc/image.cxx | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 5db4734..82d6eef 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -453,7 +453,6 @@ gif_read_lzw(FILE *fp,			/* I - File to read from */
+     {
+       uchar	buf[260];
+ 
+-
+       if (!gif_eof)
+         while (gif_get_block(fp, buf) > 0);
+ 
+@@ -470,17 +469,23 @@ gif_read_lzw(FILE *fp,			/* I - File to read from */
+ 
+     while (code >= clear_code)
+     {
++      if (sp >= (stack + sizeof(stack)))
++        return (255);
++
+       *sp++ = table[1][code];
++
+       if (code == table[0][code])
+ 	return (255);
+ 
+       code = table[0][code];
+     }
+ 
++    if (sp >= (stack + sizeof(stack)))
++      return (255);
++
+     *sp++ = firstcode = table[1][code];
+-    code  = max_code;
+ 
+-    if (code < 4096)
++    if ((code = max_code) < 4096)
+     {
+       table[0][code] = oldcode;
+       table[1][code] = firstcode;
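Review bot: both new guards return 255, the same value the existing `if (code == table[0][code]) return (255);` uses, so the caller cannot tell the stack-exhaustion error from a legitimately decoded pixel value of 255; that follows the function's existing convention, but a distinct negative return would let image_load_gif abort the decode instead of continuing with a truncated image. Also note that `sp >= (stack + sizeof(stack))` is only a correct bound if `stack` is an array of single-byte elements (sizeof counts bytes, not elements); if it is declared with a wider type the comparison should use `stack + (sizeof(stack) / sizeof(stack[0]))`. Minor: folding the assignment into `if ((code = max_code) < 4096)` saves a line but reads worse than the original two statements.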
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2022-27114.patch htmldoc-1.9.3/debian/patches/CVE-2022-27114.patch
--- htmldoc-1.9.3/debian/patches/CVE-2022-27114.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2022-27114.patch	2022-05-15 20:00:35.000000000 +0200
@@ -0,0 +1,89 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 10 Mar 2022 15:29:36 -0500
+Subject: CVE-2022-27114
+
+Fix a potential integer overflow bug in the JPEG and PNG loaders (Issue #471)
+
+All images are now limited to 4GiB of memory usage (37837x37837 pixels).
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/31f780487e5ddc426888638786cdc47631687275
+---
+ htmldoc/image.cxx | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 82d6eef..ef66566 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -21,6 +21,13 @@ extern "C" {		/* Workaround for JPEG header problems... */
+ #include <png.h>	/* Portable Network Graphics (PNG) definitions */
+ 
+ 
++/*
++ * Limits...
++ */
++
++#define IMAGE_MAX_DIM	37837		// Maximum dimension - sqrt(4GiB / 3)
++
++
+ /*
+  * GIF definitions...
+  */
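Review bot: the comment derives 37837 as sqrt(4GiB / 3), i.e. the cap assumes three bytes per pixel, but 37837 * 37837 * 3 = 4294915707 does not fit in a 32-bit `int`, so this limit only keeps the malloc size from wrapping if the `width * height * depth` products at the allocation sites are computed in `size_t` (and even then only on 64-bit builds; on buster's i386, armhf and armel `size_t` is 32 bits and a depth of 4 wraps). Please confirm the operands are cast before the multiplication, otherwise the limit needs to be lower or an explicit overflow check is needed at the malloc call.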
+@@ -910,7 +917,7 @@ image_load_bmp(image_t *img,	/* I - Image to load into */
+   colors_used      = (int)read_dword(fp);
+   read_dword(fp);
+ 
+-  if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192)
++  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+     return (-1);
+ 
+   if (info_size > 40)
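Review bot: this raises the BMP dimension cap from 8192 to 37837, which widens accepted input rather than tightening it: a small crafted BMP header can now make htmldoc allocate up to ~4GiB instead of ~200MiB before any pixel data is read. Using IMAGE_MAX_DIM in every loader is consistent, but the old 8192 was already safe from the overflow this CVE fixes, so keeping the stricter per-format limit (`img->width > 8192`) would be the conservative choice for a stable update.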
+@@ -1262,7 +1269,7 @@ image_load_gif(image_t *img,	/* I - Image pointer */
+   img->height = (buf[9] << 8) | buf[8];
+   ncolors     = 2 << (buf[10] & 0x07);
+ 
+-  if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
++  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+     return (-1);
+ 
+   // If we are writing an encrypted PDF file, bump the use count so we create
+@@ -1306,6 +1313,13 @@ image_load_gif(image_t *img,	/* I - Image pointer */
+ 	      return (-1);
+ 	  }
+ 
++          img->width  = (buf[5] << 8) | buf[4];
++          img->height = (buf[7] << 8) | buf[6];
++          img->depth  = gray ? 1 : 3;
++
++	  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
++	    return (-1);
++
+           if (transparent >= 0)
+           {
+            /*
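Review bot: this revalidation is the part that actually closes the GIF path, since the image descriptor's width/height (`buf[4..7]`) overwrite the logical-screen values checked in the previous hunk and were not checked before; one thing to tidy is the indentation, which mixes the surrounding spaces with tabs on the new `if`/`return` lines. Also, `img->depth` is now assigned before the `transparent >= 0` branch below; please confirm that branch does not itself set or depend on a different depth, as that is not visible in this hunk.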
+@@ -1422,6 +1436,12 @@ JSAMPROW			row;		/* Sample row pointer */
+   img->height = (int)cinfo.output_height;
+   img->depth  = (int)cinfo.output_components;
+ 
++  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
++  {
++    jpeg_destroy_decompress(&cinfo);
++    return (-1);
++  }
++
+   if (!load_data)
+   {
+     jpeg_destroy_decompress(&cinfo);
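Review bot: `cinfo.output_width` and `cinfo.output_height` are unsigned (JDIMENSION) and are cast to `int` before the comparison, so values at or above 2^31 wrap negative and are only caught by the `<= 0` test; that works, but comparing the unsigned values against IMAGE_MAX_DIM before the cast would make the intent explicit and not depend on signed wraparound. The cleanup ordering (jpeg_destroy_decompress before returning -1) is correct.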
+@@ -1569,6 +1589,12 @@ image_load_png(image_t *img,	/* I - Image pointer */
+   img->width  = (int)png_get_image_width(pp, info);
+   img->height = (int)png_get_image_height(pp, info);
+ 
++  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
++  {
++    png_destroy_read_struct(&pp, &info, NULL);
++    return (-1);
++  }
++
+   if (color_type & PNG_COLOR_MASK_ALPHA)
+   {
+     if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)
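Review bot: the check sits just before the `PNG_COLOR_MASK_ALPHA` handling, so for images with an alpha channel the per-pixel size is 4 bytes, not the 3 that the IMAGE_MAX_DIM derivation (sqrt(4GiB / 3)) assumes; at 37837x37837 that is about 5.7GiB, above the 4GiB the commit message promises, and it exceeds 2^32 on a 32-bit `size_t`. Either derive the limit from the maximum depth (sqrt(4GiB / 4) gives 32767) or re-check `width * height * depth` once depth is final.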
diff -Nru htmldoc-1.9.3/debian/patches/CVE-2022-28085.patch htmldoc-1.9.3/debian/patches/CVE-2022-28085.patch
--- htmldoc-1.9.3/debian/patches/CVE-2022-28085.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/CVE-2022-28085.patch	2022-05-15 20:00:35.000000000 +0200
@@ -0,0 +1,24 @@
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Thu, 24 Mar 2022 16:30:07 -0400
+Subject: CVE-2022-28085
+
+Call check_pages when writing links (Issue #480)
+
+Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/46c8ec2b9bccb8ccabff52d998c5eee77a228348
+---
+ htmldoc/ps-pdf.cxx | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
+index 1604cfb..d654155 100644
+--- a/htmldoc/ps-pdf.cxx
++++ b/htmldoc/ps-pdf.cxx
+@@ -3503,6 +3503,8 @@ pdf_write_names(FILE *out)		/* I - Output file */
+     pdf_start_object(out);
+     float x, y;
+ 
++    check_pages(link->page);
++
+     x = 0.0f;
+     y = link->top + pages[link->page].bottom;
+     pspdf_transform_coords(pages + link->page, x, y);
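Review bot: `check_pages(link->page)` is now called before `pages[link->page]` is indexed, which addresses the out-of-bounds access, but it is unconditional: if check_pages grows the page array to cover the index (as its use here implies), a link whose target page number exceeds the real page count will silently add pages to the output rather than be reported or skipped. Consider comparing `link->page` against the actual page count and skipping the named destination with a warning, or at least confirm that check_pages copes with a negative or very large `link->page` without itself allocating an oversized array.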
diff -Nru htmldoc-1.9.3/debian/patches/series htmldoc-1.9.3/debian/patches/series
--- htmldoc-1.9.3/debian/patches/series	2022-02-25 22:03:02.000000000 +0100
+++ htmldoc-1.9.3/debian/patches/series	2022-05-15 20:00:35.000000000 +0200
@@ -18,3 +18,6 @@
 CVE-2022-0534-1.patch
 CVE-2022-0534-2.patch
 
+CVE-2022-24191.patch
+CVE-2022-27114.patch
+CVE-2022-28085.patch
