Bug#1006493: bullseye-pu: htmldoc/1.9.11-4+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for htmldoc fixes CVE-2022-0534 in Bullseye. This
CVE has been marked as unimportant by the security team, yet it is a bug.

  Thorsten
diff -Nru htmldoc-1.9.11/debian/changelog htmldoc-1.9.11/debian/changelog
--- htmldoc-1.9.11/debian/changelog	2021-11-15 17:13:36.000000000 +0100
+++ htmldoc-1.9.11/debian/changelog	2022-02-25 22:03:02.000000000 +0100
@@ -1,3 +1,12 @@
+htmldoc (1.9.11-4+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-0534
+    A crafted GIF file could lead to a stack out-of-bounds read,
+    which could result in a crash (segmentation fault).
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Fri, 25 Feb 2022 22:03:02 +0100
+
 htmldoc (1.9.11-4+deb11u1) bullseye; urgency=medium
 
   * Add patch from upstream to fix CVEs:
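Review bot: the changelog entry does not say what the two new patches actually change, and the second one is a behaviour change (GIF files declaring an LZW code size above 12 are now rejected with a read error instead of being rendered), so spell that out, e.g. `    Fix buffer bookkeeping in gif_get_code() and reject GIF images with a code size > 12 (upstream Issue #463).` The entry is also attributed to the LTS Team while the target suite is bullseye, which was stable at the time; confirm that attribution is intended, and add a `Closes:` reference if a Debian bug exists for this CVE.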
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2022-0534-1.patch htmldoc-1.9.11/debian/patches/CVE-2022-0534-1.patch
--- htmldoc-1.9.11/debian/patches/CVE-2022-0534-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2022-0534-1.patch	2022-02-25 22:03:02.000000000 +0100
@@ -0,0 +1,38 @@
+commit 776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50
+Author: Michael R Sweet <michael.r.sweet@gmail.com>
+Date:   Fri Jan 7 10:21:58 2022 -0500
+
+    Fix potential stack overflow with GIF images (Issue #463)
+
+Index: htmldoc-1.9.11/htmldoc/image.cxx
+===================================================================
+--- htmldoc-1.9.11.orig/htmldoc/image.cxx	2022-02-26 01:11:08.773261658 +0100
++++ htmldoc-1.9.11/htmldoc/image.cxx	2022-02-26 01:11:08.773261658 +0100
+@@ -213,8 +213,7 @@
+ 
+     if (done)
+     {
+-      progress_error(HD_ERROR_READ_ERROR,
+-                     "Not enough data left to read GIF compression code.");
++      progress_error(HD_ERROR_READ_ERROR, "Not enough data left to read GIF compression code.");
+       return (-1);	/* Sorry, no more... */
+     }
+ 
+@@ -238,7 +237,7 @@
+     * Read in another buffer...
+     */
+ 
+-    if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
++    if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
+     {
+      /*
+       * Whoops, no more data!
+@@ -252,7 +251,7 @@
+     * Update buffer state...
+     */
+ 
+-    curbit    = (curbit - lastbit) + 8 * last_byte;
++    curbit    = curbit + 8 * last_byte - lastbit;
+     last_byte += (unsigned)count;
+     lastbit   = last_byte * 8;
+   }
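Review bot: the only non-whitespace change in this patch is the reordering at `@@ -252,7 +251,7 @@`, and `(curbit - lastbit) + 8 * last_byte` is algebraically identical to `curbit + 8 * last_byte - lastbit`; the two differ only if the intermediate `curbit - lastbit` can wrap for an unsigned type, which the hunk does not show. A one-line comment stating why the reordering matters would help the next maintainer, and the backport should be checked against the declarations of `curbit`/`lastbit` in the 1.9.11 sources since they are outside the hunk. The file also carries only the upstream commit header and no DEP-3 fields; add `Origin:` and `Bug:` lines pointing at the upstream commit and Issue #463 quoted above so the provenance survives without the commit text.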
diff -Nru htmldoc-1.9.11/debian/patches/CVE-2022-0534-2.patch htmldoc-1.9.11/debian/patches/CVE-2022-0534-2.patch
--- htmldoc-1.9.11/debian/patches/CVE-2022-0534-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/CVE-2022-0534-2.patch	2022-02-25 22:03:02.000000000 +0100
@@ -0,0 +1,32 @@
+commit 312f0f9c12f26fbe015cd0e6cefa40e4b99017d9
+Author: Michael R Sweet <michael.r.sweet@gmail.com>
+Date:   Fri Jan 7 18:21:53 2022 -0500
+
+    Block GIF images with a code size > 12 (Issue #463)
+
+Index: htmldoc-1.9.11/htmldoc/image.cxx
+===================================================================
+--- htmldoc-1.9.11.orig/htmldoc/image.cxx	2022-02-26 01:11:13.177259451 +0100
++++ htmldoc-1.9.11/htmldoc/image.cxx	2022-02-26 01:11:13.173259454 +0100
+@@ -293,6 +293,12 @@
+   pass      = 0;
+   code_size = (uchar)getc(fp);
+ 
++  if (code_size > 12)
++  {
++    progress_error(HD_ERROR_READ_ERROR, "Bad GIF file \"%s\" - invalid code size %d.", img->filename, code_size);
++    return (-1);
++  }
++
+   if (gif_read_lzw(fp, 1, code_size) < 0)
+     return (-1);
+ 
+@@ -420,7 +426,7 @@
+   if (sp > stack)
+     return (*--sp);
+ 
+-  while ((code = gif_get_code (fp, code_size, 0)) >= 0)
++  while ((code = gif_get_code(fp, code_size, 0)) >= 0)
+   {
+     if (code == clear_code)
+     {
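Review bot: the check added at `@@ -293,6 +293,12 @@` bounds `code_size` only from above; the hunk does not show how `gif_read_lzw()` handles a code size of 0 or 1, so confirm a lower bound is not also needed before shipping. The second hunk at `@@ -420,7 +426,7 @@` is whitespace-only and could be dropped to keep the stable backport minimal. As with the first patch, DEP-3 `Origin:`/`Bug:` headers are missing; add them, since the embedded commit header is not machine-readable.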
diff -Nru htmldoc-1.9.11/debian/patches/series htmldoc-1.9.11/debian/patches/series
--- htmldoc-1.9.11/debian/patches/series	2021-11-15 17:13:36.000000000 +0100
+++ htmldoc-1.9.11/debian/patches/series	2022-02-25 22:03:02.000000000 +0100
@@ -14,3 +14,7 @@
 CVE-2021-26948.patch
 CVE-2021-40985.patch
 CVE-2021-43579.patch
+
+CVE-2022-0534-1.patch
+CVE-2022-0534-2.patch
+
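Review bot: the two added blank lines (one before `CVE-2022-0534-1.patch` and one at end of file) break the one-entry-per-line layout of the rest of `series`; quilt tolerates blank lines, but drop them so the file stays consistent with the existing entries.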