--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package tinyexr/1.0.1+dfsg-1+deb11u1
- From: Timo Röhling <roehling@debian.org>
- Date: Sun, 02 Oct 2022 19:38:11 +0200
- Message-id: <166473229121.76870.7625158437602863429.reportbug@roehling2.fkie.fraunhofer.de>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dear release team,
I'd like to update tinyexr in bullseye.
[ Reason ]
The update fixes two vulnerabilities with low priority, i.e.
the security team has decided not to issue a DSA.
[ Impact ]
CVE-2022-34300: Heap overflow in DecodePixelData
CVE-2022-38529: Heap overflow in rleUncompress
[ Tests ]
I have verified that the changes fix the aforementioned vulnerabilities
and do not cause regressions in the package test suite.
[ Risks ]
tinyexr is a low popcon package with two reverse dependencies
(both of which I maintain).
Both code fixes are localized and unlikely to cause further issues.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The update patches two statements in two functions.
Cheers
Timo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff -Nru tinyexr-1.0.1+dfsg/debian/changelog tinyexr-1.0.1+dfsg/debian/changelog
--- tinyexr-1.0.1+dfsg/debian/changelog 2021-08-29 20:43:34.000000000 +0200
+++ tinyexr-1.0.1+dfsg/debian/changelog 2022-10-01 23:13:34.000000000 +0200
@@ -1,3 +1,11 @@
+tinyexr (1.0.1+dfsg-1+deb11u1) bullseye; urgency=medium
+
+ * Fix low-priority vulnerabilities
+ - CVE-2022-34300: Heap overflow in DecodePixelData
+ - CVE-2022-38529: Heap overflow in rleUncompress
+
+ -- Timo Röhling <roehling@debian.org> Sat, 01 Oct 2022 23:13:34 +0200
+
tinyexr (1.0.1+dfsg-1) unstable; urgency=medium
* New upstream version 1.0.1+dfsg
diff -Nru tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch
--- tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch 1970-01-01 01:00:00.000000000 +0100
+++ tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch 2022-10-01 23:13:34.000000000 +0200
@@ -0,0 +1,25 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?= <roehling@debian.org>
+Date: Thu, 8 Sep 2022 19:31:26 +0200
+Subject: CVE-2022-38529
+
+Fix heap buffer overflow in rleUncompress.
+Backported from upstream commit cc1b199dd17b700c3130a53866ea462ab88e7f82
+
+Forwarded: not-needed
+---
+ tinyexr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tinyexr.h b/tinyexr.h
+index eb5e5c0..ba05fdf 100644
+--- a/tinyexr.h
++++ b/tinyexr.h
+@@ -1480,7 +1480,7 @@ static int rleUncompress(int inLength, int maxLength, const signed char in[],
+ int count = *in++;
+ inLength -= 2;
+
+- if (0 > (maxLength -= count + 1)) return 0;
++ if (0 > (maxLength -= count + 1) || inLength < 0) return 0;
+
+ memset(out, *reinterpret_cast<const char *>(in), count + 1);
+ out += count + 1;
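Review bot: the added `|| inLength < 0` test is evaluated after `inLength -= 2`, so an input that ends right after the count byte is rejected before `memset` dereferences `*in` for the fill value, and the short-circuit order leaves the `maxLength` accounting exactly as before; that part of the change looks right. What this hunk does not show is the rest of the `rleUncompress` loop, so please confirm two things before upload: that the backported upstream commit named in the patch header (cc1b199dd17b700c3130a53866ea462ab88e7f82) consists of only this one-line change and nothing was dropped, and that any other path in the loop that also decrements `inLength` before copying from `in` either already checks for a negative remainder or gets the same guard, since a truncated stream could otherwise still be read past its end there.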
diff -Nru tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch
--- tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch 1970-01-01 01:00:00.000000000 +0100
+++ tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch 2022-10-01 23:13:34.000000000 +0200
@@ -0,0 +1,26 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?= <roehling@debian.org>
+Date: Thu, 8 Sep 2022 20:38:54 +0200
+Subject: CVE-2022-34300
+
+Fix heap buffer overflow in DecodePixelData.
+
+Forwarded: https://github.com/syoyo/tinyexr/pull/175
+---
+ tinyexr.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tinyexr.h b/tinyexr.h
+index ba05fdf..c36e6ec 100644
+--- a/tinyexr.h
++++ b/tinyexr.h
+@@ -3568,8 +3568,8 @@ static bool DecodePixelData(/* out */ unsigned char **out_images,
+ assert(requested_pixel_types[c] == TINYEXR_PIXELTYPE_FLOAT);
+ for (size_t v = 0; v < static_cast<size_t>(num_lines); v++) {
+ const float *line_ptr = reinterpret_cast<float *>(&outBuf.at(
+- v * pixel_data_size * static_cast<size_t>(x_stride) +
+- channel_offset_list[c] * static_cast<size_t>(x_stride)));
++ v * pixel_data_size * static_cast<size_t>(width) +
++ channel_offset_list[c] * static_cast<size_t>(width)));
+ for (size_t u = 0; u < static_cast<size_t>(width); u++) {
+ float val;
+ // val = line_ptr[u];
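Review bot: the offset into `outBuf` now scales by `width` instead of `x_stride`, which makes it consistent with the inner loop bound `u < width` on the line just below it; but note that `outBuf.at()` only bounds-checks the first element of the row, and `line_ptr[u]` is then read without further checks, so the row stride used here must match how `outBuf` was allocated. That allocation is outside the hunk; please confirm it is sized per `width` so that the last row cannot overrun. Also, the `assert(requested_pixel_types[c] == TINYEXR_PIXELTYPE_FLOAT)` at the top of the context shows this is one per-pixel-type branch of `DecodePixelData`; the patch changes only this branch, so it is worth checking against the forwarded upstream PR (https://github.com/syoyo/tinyexr/pull/175) whether the sibling branches compute `line_ptr` from `x_stride` in the same way and need the identical two-line change.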
diff -Nru tinyexr-1.0.1+dfsg/debian/patches/series tinyexr-1.0.1+dfsg/debian/patches/series
--- tinyexr-1.0.1+dfsg/debian/patches/series 2021-08-29 20:43:34.000000000 +0200
+++ tinyexr-1.0.1+dfsg/debian/patches/series 2022-10-01 23:13:34.000000000 +0200
@@ -2,3 +2,5 @@
0002-Explicitly-export-required-symbols.patch
0003-Fix-CMake-build-system.patch
0004-Add-test-executable-for-CTest.patch
+0005-CVE-2022-38529.patch
+0006-CVE-2022-34300.patch
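Review bot: the series order is consistent with the patches themselves: 0005-CVE-2022-38529.patch carries `index eb5e5c0..ba05fdf` and 0006-CVE-2022-34300.patch starts from `index ba05fdf..c36e6ec`, so 0006 was generated on top of 0005 and must stay after it; nothing to change here.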
--- End Message ---