
Bug#1016199: marked as done (bullseye-pu: package gif2apng/1.9+srconly-3+deb11u1)



Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id <92fe43e7805e82e43100a6471ccbf91cd9a12944.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1016199,
regarding bullseye-pu: package gif2apng/1.9+srconly-3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1016199: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016199
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: havard.f.aasen@pfft.no
Severity: normal

This upload fixes three CVEs:
* CVE-2021-45909, Closes: #1002668:
  heap based buffer overflow in the DecodeLZW
* CVE-2021-45910, Closes: #1002667:
  heap-based buffer overflow within the main function
* CVE-2021-45911, Closes: #1002687:
  heap based buffer overflow in processing of delays in the main function

In Debian, oldoldstable, oldstable and stable have the same upstream
version, so the same fix can go into every release. This is a copy of
the work Anton Gladky provided for oldoldstable (2022-03-07).

The package has been removed from both testing and unstable, so it's no
longer possible to have a 'verified fix in unstable'.

[ Reason ]
Fix three CVEs

[ Impact ]
Continued vulnerability.

[ Tests ]
Changes have been manually tested against the PoC provided in their
respective bugs.

[ Risks ]
Changes are mostly trivial, adding if statements to have more control
over the input file.

The changes were supplied along with the bug report and PoC.

Project is unmaintained upstream, so it's unlikely that alternatives
exist.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]

[ Other info ]


Regards,
Håvard
diff -Nru gif2apng-1.9+srconly/debian/changelog gif2apng-1.9+srconly/debian/changelog
--- gif2apng-1.9+srconly/debian/changelog	2019-07-19 21:33:19.000000000 +0200
+++ gif2apng-1.9+srconly/debian/changelog	2022-07-28 23:21:32.000000000 +0200
@@ -1,3 +1,15 @@
+gif2apng (1.9+srconly-3+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2021-45909, Closes: #1002668:
+    heap based buffer overflow in the DecodeLZW
+  * CVE-2021-45910, Closes: #1002667:
+    heap-based buffer overflow within the main function
+  * CVE-2021-45911, Closes: #1002687:
+    heap based buffer overflow in processing of delays in the main function
+
+ -- Håvard F. Aasen <havard.f.aasen@pfft.no>  Thu, 28 Jul 2022 23:21:32 +0200
+
 gif2apng (1.9+srconly-3) unstable; urgency=medium
 
   * QA upload.
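Review bot: the changelog entry credits nobody for the fixes, although the cover letter says this is a copy of Anton Gladky's oldoldstable work and the DEP-3 header in CVE-2021-45910.patch names Kolja Grassmann as author; add "Thanks to ..." lines (or a "Patches by ..." remark) so the provenance survives in the package. Minor: the three bullets alternate between "heap based" and "heap-based"; pick one spelling.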
diff -Nru gif2apng-1.9+srconly/debian/patches/CVE-2021-45909.patch gif2apng-1.9+srconly/debian/patches/CVE-2021-45909.patch
--- gif2apng-1.9+srconly/debian/patches/CVE-2021-45909.patch	1970-01-01 01:00:00.000000000 +0100
+++ gif2apng-1.9+srconly/debian/patches/CVE-2021-45909.patch	2022-07-28 23:21:32.000000000 +0200
@@ -0,0 +1,91 @@
+Index: gif2apng/gif2apng.cpp
+===================================================================
+--- gif2apng.orig/gif2apng.cpp
++++ gif2apng/gif2apng.cpp
+@@ -99,7 +99,7 @@ int cmp_colors( const void *arg1, const
+   return (int)(((COLORS*)arg1)->b) - (int)(((COLORS*)arg2)->b);
+ }
+ 
+-void DecodeLZW(unsigned char * img, FILE * f1)
++void DecodeLZW(unsigned char * img, unsigned int img_size, FILE * f1)
+ {
+   int i, bits, codesize, codemask, clearcode, nextcode, lastcode;
+   unsigned int   j;
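Review bot: this patch file carries no DEP-3 header (Description, Author, Origin or Bug, Last-Update), unlike CVE-2021-45910.patch in the same series; since the cover letter states the change was supplied with the bug report (#1002668) and copied from the oldoldstable upload, record that in a header above the Index: line so a later maintainer can trace it. The new img_size parameter is the right shape: the decoder cannot know the allocation size, so the caller must pass it.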
+@@ -113,6 +113,7 @@ void DecodeLZW(unsigned char * img, FILE
+   unsigned char *pstr = str;
+   unsigned char *pout = img;
+   unsigned char  mincodesize;
++  unsigned int   bytes_written = 0;
+ 
+   if (fread(&mincodesize, 1, 1, f1) != 1) return;
+ 
+@@ -156,7 +157,15 @@ void DecodeLZW(unsigned char * img, FILE
+ 
+         if (lastcode == -1)
+         {
+-          *pout++ = suffix[code];
++          if (bytes_written < img_size)
++          {
++            *pout++ = suffix[code];
++            bytes_written++;
++          } else
++          {
++             printf("Invalid image size\n");
++             exit(1);
++          }
+           firstchar = lastcode = code;
+           continue;
+         }
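Review bot: the failure path prints "Invalid image size" with printf, i.e. to stdout where the converter's normal progress output goes, and then calls exit(1) from inside the decoder, skipping any cleanup main would do. Prefer fprintf(stderr, ...) and, since the function already returns early on a short fread, a return value (for example, turn DecodeLZW into an int and have the callers check it) so main decides how to fail. The check itself (bytes_written < img_size before each store) is correct for this branch.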
+@@ -191,7 +200,14 @@ void DecodeLZW(unsigned char * img, FILE
+ 
+         do
+         {
+-          *pout++ = *--pstr;
++          if (bytes_written < img_size)
++          {
++            *pout++ = *--pstr;
++            bytes_written++;
++          } else {
++            printf("Invalid image size\n");
++            exit(1);
++          }
+         }
+         while (pstr > str);
+       }
+@@ -478,6 +494,7 @@ int main(int argc, char** argv)
+   unsigned char  * over2;
+   unsigned char  * over3;
+   unsigned short * delays;
++  unsigned int     buffer_size = 0; //  size of the buffer
+ 
+   printf("\ngif2apng 1.9");
+ 
+@@ -598,8 +615,9 @@ int main(int argc, char** argv)
+     rowbytes = w;
+     imagesize = w*h;
+     grayscale = 1;
++    buffer_size = imagesize*2; // imagesize is overwritten at some point
+ 
+-    buffer = (unsigned char *)malloc(imagesize*2);
++    buffer = (unsigned char *)malloc(buffer_size);
+     if (buffer == NULL)
+     {
+       printf("Error: not enough memory\n");
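Review bot: the comment "imagesize is overwritten at some point" should say where; the next hunk in this same patch shows it (imagesize = w0*h0; immediately before the first DecodeLZW call), so write "overwritten with w0*h0 before DecodeLZW" to make the reason for the separate variable obvious. Also, buffer_size = imagesize*2 is computed in whatever width imagesize has; if that is a 32-bit unsigned and w*h comes from two 16-bit GIF fields, the product can wrap for very large screens. Allocation and bound would still agree (both use buffer_size), so there is no overrun, but it is cleaner to reject implausible w*h before any allocation.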
+@@ -660,7 +678,7 @@ int main(int argc, char** argv)
+         }
+         imagesize = w0*h0;
+ 
+-        DecodeLZW(buffer, f1);
++        DecodeLZW(buffer, buffer_size, f1);
+ 
+         for (i=0; i<256; i++)
+           num[i] = 0;
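Review bot: the bound handed to DecodeLZW is buffer_size (2*w*h from the allocation), even though the line just above sets imagesize = w0*h0, the number of pixels this frame may legitimately produce. A stream that expands past w0*h0 but stays under 2*w*h is therefore accepted silently and the surplus sits in buffer. That is memory-safe, which is what this CVE needs, but passing the tighter of the two (w0*h0 when it does not exceed buffer_size) would also catch malformed frames and keep the later frame-compositing checks from having to reason about stale data.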
+@@ -1110,7 +1128,7 @@ int main(int argc, char** argv)
+ 
+           memcpy(rest, frame0, imagesize);
+ 
+-          DecodeLZW(buffer, f1);
++          DecodeLZW(buffer, buffer_size, f1);
+ 
+           h2 = (h0-1)/2;
+ 
diff -Nru gif2apng-1.9+srconly/debian/patches/CVE-2021-45910.patch gif2apng-1.9+srconly/debian/patches/CVE-2021-45910.patch
--- gif2apng-1.9+srconly/debian/patches/CVE-2021-45910.patch	1970-01-01 01:00:00.000000000 +0100
+++ gif2apng-1.9+srconly/debian/patches/CVE-2021-45910.patch	2022-07-28 23:21:32.000000000 +0200
@@ -0,0 +1,37 @@
+Description: fix heap based buffer overflow within the main function
+Author: Kolja Grassmann <koljagrassmann@mailbox.org>
+Debian-Bug: https://bugs.debian.org/1002667
+Last-Update: 2022-02-28
+
+Index: gif2apng/gif2apng.cpp
+===================================================================
+--- gif2apng.orig/gif2apng.cpp
++++ gif2apng/gif2apng.cpp
+@@ -1139,6 +1139,13 @@ int main(int argc, char** argv)
+               k = j; if (interlaced) k = (j>h2) ? (j-h2)*2-1 : (j>h2/2) ? (j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
+               src = buffer + j*w0;
+               dst = frame0 + ((k+y0)*w + x0)*3;
++              if (((j*w0 + w0) > buffer_size) ||
++                  (((((k+y0)*w + x0)*3) + w0 * 3 ) > imagesize) ||
++                  ((((k+y0)*w + x0)*3) < 0 ) ||
++                  ((j*w0) < 0)) {
++                    printf("Something is wrong with the size values\n");
++                    exit(1);
++                   }
+               for (i=0; i<w0; i++, src++, dst+=3)
+                 if (!has_t || *src != t)
+                   memcpy(dst, &pal_l[*src][0], 3);
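Review bot: the two "< 0" tests only do something if j, w0, k, y0, w and x0 are signed; if any of them is unsigned the comparison is always false (compilers warn about it), and if they are signed the products (k+y0)*w and j*w0 may overflow before the comparison, which is undefined behaviour rather than a detectable negative. The imagesize comparison also assumes imagesize still describes frame0 in bytes at this point, whereas CVE-2021-45909.patch reassigns it to w0*h0 before DecodeLZW; please confirm it has been restored to the frame0 size by the time this loop runs, otherwise the bound is against the wrong value. A more robust form is to validate the descriptor once after it is read: x0 + w0 <= w and y0 + h0 <= h, computed in a width that cannot wrap, and then let the loop run unguarded. Style: the closing brace of the new block is indented under printf instead of aligning with the if.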
+@@ -1151,6 +1158,13 @@ int main(int argc, char** argv)
+               k = j; if (interlaced) k = (j>h2) ? (j-h2)*2-1 : (j>h2/2) ? (j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
+               src = buffer + j*w0;
+               dst = frame0 + (k+y0)*w + x0;
++              if (((j*w0 + w0) > buffer_size) ||
++                  ((((k+y0)*w + x0) + w0 ) > imagesize) ||
++                  ((((k+y0)*w + x0)) < 0 ) ||
++                  ((j*w0) < 0)) {
++                    printf("Something is wrong with the size values\n");
++                    exit(1);
++              }
+               if (shuffle)
+               {
+                 for (i=0; i<w0; i++, src++, dst++)
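Review bot: this is the RGB guard from the previous hunk repeated with the *3 factors removed, so the two copies will drift apart the next time either is edited; a single check of the sub-image rectangle against the logical screen (x0 + w0 <= w, y0 + h0 <= h) placed where the image descriptor is parsed covers both branches and the interlaced row mapping at once. If the inline guards are kept, at least share them through a helper that takes the bytes-per-pixel factor as a parameter. Same stdout-and-exit(1) caveat as in CVE-2021-45909.patch.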
diff -Nru gif2apng-1.9+srconly/debian/patches/CVE-2021-45911.patch gif2apng-1.9+srconly/debian/patches/CVE-2021-45911.patch
--- gif2apng-1.9+srconly/debian/patches/CVE-2021-45911.patch	1970-01-01 01:00:00.000000000 +0100
+++ gif2apng-1.9+srconly/debian/patches/CVE-2021-45911.patch	2022-07-28 23:21:32.000000000 +0200
@@ -0,0 +1,15 @@
+diff --git a/gif2apng.cpp b/gif2apng.cpp
+index a7ad042..3eee394 100644
+--- a/gif2apng.cpp
++++ b/gif2apng.cpp
+@@ -1054,7 +1054,9 @@ int main(int argc, char** argv)
+             dispose_op = (flags >> 2) & 7;
+             if (dispose_op > 3) dispose_op = 3;
+             if (dispose_op == 3 && n == 0) dispose_op = 2;
+-            if (delay > 1) delays[n] = delay;
++            if (delay > 1 && n < frames) {
++              if (delay > 1) delays[n] = delay;
++            }
+           }
+           else
+           {
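Review bot: the inner "if (delay > 1)" repeats the outer condition and can be dropped: "if (delay > 1 && n < frames) delays[n] = delay;" says the same in one line. The guard relies on frames being the element count that delays was allocated with; that allocation is not in the diff, so confirm it. Unlike the other two patches this one silently ignores an out-of-range frame instead of aborting, which is fine for a delay value but should be stated in a DEP-3 Description, and this patch has none; it is also the only one in git-diff form with a/ and b/ prefixes (quilt's default -p1 handles both, but matching the Index: style of its siblings would be tidier).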
diff -Nru gif2apng-1.9+srconly/debian/patches/series gif2apng-1.9+srconly/debian/patches/series
--- gif2apng-1.9+srconly/debian/patches/series	2019-07-19 21:33:19.000000000 +0200
+++ gif2apng-1.9+srconly/debian/patches/series	2022-07-28 23:21:32.000000000 +0200
@@ -1 +1,4 @@
 10-7z.patch
+CVE-2021-45909.patch
+CVE-2021-45910.patch
+CVE-2021-45911.patch
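Review bot: the order in series is load-bearing, not just chronological: CVE-2021-45910.patch compares against buffer_size, which only exists once CVE-2021-45909.patch has been applied, so the two must stay in this order (a short comment line in series, which quilt ignores, would make that explicit).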

--- End Message ---
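The CVE-2021-45910 hunks above bound-check a composed pixel offset inside the compositing loop. As an added example, not code from gif2apng or from the patch authors, the following C shows the alternative a reviewer would ask for: validate the GIF sub-image descriptor against the logical screen once, in 32-bit arithmetic on the 16-bit fields so nothing can wrap, and then blit a palette-indexed frame without per-row guards. The struct, the function names, the palette and the 4x4 canvas are all constructed for this example.

```c
/* Added example (not gif2apng code): reject a sub-image descriptor that
 * does not fit the logical screen before compositing, instead of checking
 * a composed index inside the blit loop. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* GIF image descriptor fields are 16-bit, so this is their natural width. */
struct gif_rect {
    uint16_t x0, y0, w0, h0;   /* sub-image position and size */
};

/* Return 1 if the sub-image lies entirely inside a w x h screen.
 * The sums are formed in uint32_t, so 16-bit inputs cannot wrap. */
int frame_fits(uint16_t w, uint16_t h, const struct gif_rect *r)
{
    if (r->w0 == 0 || r->h0 == 0)
        return 0;                      /* empty frame: nothing to paint */
    return (uint32_t)r->x0 + r->w0 <= w &&
           (uint32_t)r->y0 + r->h0 <= h;
}

/* Composite a palette-indexed sub-image (w0*h0 bytes in src) onto an
 * RGB canvas of w*h*3 bytes. transparent < 0 means "no transparent index".
 * Returns 0 on success, -1 if the descriptor or the pixel count is bad. */
int blit_frame(uint8_t *canvas, uint16_t w, uint16_t h,
               const struct gif_rect *r, const uint8_t *src, size_t src_len,
               const uint8_t pal[256][3], int transparent)
{
    if (!frame_fits(w, h, r))
        return -1;
    if (src_len < (size_t)r->w0 * r->h0)   /* decoder produced too few pixels */
        return -1;
    for (uint32_t j = 0; j < r->h0; j++) {
        const uint8_t *s = src + (size_t)j * r->w0;
        uint8_t *d = canvas + ((size_t)(r->y0 + j) * w + r->x0) * 3;
        for (uint32_t i = 0; i < r->w0; i++, s++, d += 3)
            if (transparent < 0 || *s != transparent)
                memcpy(d, pal[*s], 3);
    }
    return 0;
}

/* Constructed demo: on a 4x4 screen a 2x2 frame at (3,3) overruns the right
 * and bottom edges and must be rejected, while the same frame at (2,2) must
 * be painted. Returns the number of checks that passed (4 when all behave). */
int demo(void)
{
    static const uint8_t pal[256][3] = { {0, 0, 0}, {0xff, 0, 0} }; /* index 1: red */
    uint8_t canvas[4 * 4 * 3] = {0};
    uint8_t px[4] = {1, 1, 1, 1};            /* 2x2 frame, all palette index 1 */
    struct gif_rect bad  = {3, 3, 2, 2};
    struct gif_rect good = {2, 2, 2, 2};
    int ok = 0;

    ok += blit_frame(canvas, 4, 4, &bad,  px, sizeof px, pal, -1) == -1;
    ok += blit_frame(canvas, 4, 4, &good, px, sizeof px, pal, -1) == 0;
    ok += canvas[((3 * 4) + 3) * 3] == 0xff;  /* bottom-right pixel painted red */
    ok += canvas[0] == 0;                     /* top-left pixel untouched */
    return ok;
}

int main(void)
{
    int passed = demo();
    printf("checks passed: %d of 4\n", passed);
    return passed == 4 ? 0 : 1;
}
```

The point of doing the check on the descriptor rather than on the composed offset is that the rejected condition is expressed in the same terms the file format defines (position plus size against screen size), so it holds for the interlaced and non-interlaced, RGB and grayscale paths alike, and no per-row arithmetic can go negative or wrap before it is compared.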
--- Begin Message ---
Package: release.debian.org
Version: 11.5

Hi,

The updates referred to in each of these bugs were included in today's
11.5 point release.

Regards,

Adam

--- End Message ---
