
Bug#1016198: buster-pu: package gif2apng/1.9+srconly-2+deb10u1



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
X-Debbugs-Cc: havard.f.aasen@pfft.no
Severity: normal

This upload fixes three CVEs:
* CVE-2021-45909, Closes: #1002668:
  heap based buffer overflow in the DecodeLZW
* CVE-2021-45910, Closes: #1002667:
  heap-based buffer overflow within the main function
* CVE-2021-45911, Closes: #1002687:
  heap based buffer overflow in processing of delays in the main function

In Debian, oldoldstable, oldstable and stable have the same upstream
version, so the same fix can go into every release. This is a copy of
the work Anton Gladky provided for oldoldstable (2022-03-07).

The package has been removed from both testing and unstable, so it is no
longer possible to have a 'verified fix in unstable'.

[ Reason ]
Fix three CVEs.

[ Impact ]
Continued vulnerability.

[ Tests ]
The changes have been manually tested against the PoC provided in their
respective bugs.

[ Risks ]
The changes are mostly trivial, adding if statements (bounds checks) on
values read from the input file.

The changes were supplied along with the bug report and PoC.

The project is unmaintained upstream, so it is unlikely that alternative
fixes exist.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]

[ Other info ]
Without an upload to oldstable, upgrading from oldoldstable to oldstable
will be a problem: the package in stretch-security is considered newer
than the one in buster.


Regards,
Håvard
diff -Nru gif2apng-1.9+srconly/debian/changelog gif2apng-1.9+srconly/debian/changelog
--- gif2apng-1.9+srconly/debian/changelog	2016-11-11 06:49:20.000000000 +0100
+++ gif2apng-1.9+srconly/debian/changelog	2022-07-28 23:56:21.000000000 +0200
@@ -1,3 +1,15 @@
+gif2apng (1.9+srconly-2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2021-45909, Closes: #1002668:
+    heap based buffer overflow in the DecodeLZW
+  * CVE-2021-45910, Closes: #1002667:
+    heap-based buffer overflow within the main function
+  * CVE-2021-45911, Closes: #1002687:
+    heap based buffer overflow in processing of delays in the main function
+
+ -- Håvard F. Aasen <havard.f.aasen@pfft.no>  Thu, 28 Jul 2022 23:56:21 +0200
+
 gif2apng (1.9+srconly-2) unstable; urgency=medium
 
   * debian/copyright
diff -Nru gif2apng-1.9+srconly/debian/patches/CVE-2021-45909.patch gif2apng-1.9+srconly/debian/patches/CVE-2021-45909.patch
--- gif2apng-1.9+srconly/debian/patches/CVE-2021-45909.patch	1970-01-01 01:00:00.000000000 +0100
+++ gif2apng-1.9+srconly/debian/patches/CVE-2021-45909.patch	2022-07-28 23:56:21.000000000 +0200
@@ -0,0 +1,91 @@
+Index: gif2apng/gif2apng.cpp
+===================================================================
+--- gif2apng.orig/gif2apng.cpp
++++ gif2apng/gif2apng.cpp
+@@ -99,7 +99,7 @@ int cmp_colors( const void *arg1, const
+   return (int)(((COLORS*)arg1)->b) - (int)(((COLORS*)arg2)->b);
+ }
+ 
+-void DecodeLZW(unsigned char * img, FILE * f1)
++void DecodeLZW(unsigned char * img, unsigned int img_size, FILE * f1)
+ {
+   int i, bits, codesize, codemask, clearcode, nextcode, lastcode;
+   unsigned int   j;
+@@ -113,6 +113,7 @@ void DecodeLZW(unsigned char * img, FILE
+   unsigned char *pstr = str;
+   unsigned char *pout = img;
+   unsigned char  mincodesize;
++  unsigned int   bytes_written = 0;
+ 
+   if (fread(&mincodesize, 1, 1, f1) != 1) return;
+ 
+@@ -156,7 +157,15 @@ void DecodeLZW(unsigned char * img, FILE
+ 
+         if (lastcode == -1)
+         {
+-          *pout++ = suffix[code];
++          if (bytes_written < img_size)
++          {
++            *pout++ = suffix[code];
++            bytes_written++;
++          } else
++          {
++             printf("Invalid image size\n");
++             exit(1);
++          }
+           firstchar = lastcode = code;
+           continue;
+         }
+@@ -191,7 +200,14 @@ void DecodeLZW(unsigned char * img, FILE
+ 
+         do
+         {
+-          *pout++ = *--pstr;
++          if (bytes_written < img_size)
++          {
++            *pout++ = *--pstr;
++            bytes_written++;
++          } else {
++            printf("Invalid image size\n");
++            exit(1);
++          }
+         }
+         while (pstr > str);
+       }
+@@ -478,6 +494,7 @@ int main(int argc, char** argv)
+   unsigned char  * over2;
+   unsigned char  * over3;
+   unsigned short * delays;
++  unsigned int     buffer_size = 0; //  size of the buffer
+ 
+   printf("\ngif2apng 1.9");
+ 
+@@ -598,8 +615,9 @@ int main(int argc, char** argv)
+     rowbytes = w;
+     imagesize = w*h;
+     grayscale = 1;
++    buffer_size = imagesize*2; // imagesize is overwritten at some point
+ 
+-    buffer = (unsigned char *)malloc(imagesize*2);
++    buffer = (unsigned char *)malloc(buffer_size);
+     if (buffer == NULL)
+     {
+       printf("Error: not enough memory\n");
+@@ -660,7 +678,7 @@ int main(int argc, char** argv)
+         }
+         imagesize = w0*h0;
+ 
+-        DecodeLZW(buffer, f1);
++        DecodeLZW(buffer, buffer_size, f1);
+ 
+         for (i=0; i<256; i++)
+           num[i] = 0;
+@@ -1110,7 +1128,7 @@ int main(int argc, char** argv)
+ 
+           memcpy(rest, frame0, imagesize);
+ 
+-          DecodeLZW(buffer, f1);
++          DecodeLZW(buffer, buffer_size, f1);
+ 
+           h2 = (h0-1)/2;
+ 
diff -Nru gif2apng-1.9+srconly/debian/patches/CVE-2021-45910.patch gif2apng-1.9+srconly/debian/patches/CVE-2021-45910.patch
--- gif2apng-1.9+srconly/debian/patches/CVE-2021-45910.patch	1970-01-01 01:00:00.000000000 +0100
+++ gif2apng-1.9+srconly/debian/patches/CVE-2021-45910.patch	2022-07-28 23:56:21.000000000 +0200
@@ -0,0 +1,37 @@
+Description: fix heap based buffer overflow within the main function
+Author: Kolja Grassmann <koljagrassmann@mailbox.org>
+Debian-Bug: https://bugs.debian.org/1002667
+Last-Update: 2022-02-28
+
+Index: gif2apng/gif2apng.cpp
+===================================================================
+--- gif2apng.orig/gif2apng.cpp
++++ gif2apng/gif2apng.cpp
+@@ -1139,6 +1139,13 @@ int main(int argc, char** argv)
+               k = j; if (interlaced) k = (j>h2) ? (j-h2)*2-1 : (j>h2/2) ? (j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
+               src = buffer + j*w0;
+               dst = frame0 + ((k+y0)*w + x0)*3;
++              if (((j*w0 + w0) > buffer_size) ||
++                  (((((k+y0)*w + x0)*3) + w0 * 3 ) > imagesize) ||
++                  ((((k+y0)*w + x0)*3) < 0 ) ||
++                  ((j*w0) < 0)) {
++                    printf("Something is wrong with the size values\n");
++                    exit(1);
++                   }
+               for (i=0; i<w0; i++, src++, dst+=3)
+                 if (!has_t || *src != t)
+                   memcpy(dst, &pal_l[*src][0], 3);
+@@ -1151,6 +1158,13 @@ int main(int argc, char** argv)
+               k = j; if (interlaced) k = (j>h2) ? (j-h2)*2-1 : (j>h2/2) ? (j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
+               src = buffer + j*w0;
+               dst = frame0 + (k+y0)*w + x0;
++              if (((j*w0 + w0) > buffer_size) ||
++                  ((((k+y0)*w + x0) + w0 ) > imagesize) ||
++                  ((((k+y0)*w + x0)) < 0 ) ||
++                  ((j*w0) < 0)) {
++                    printf("Something is wrong with the size values\n");
++                    exit(1);
++              }
+               if (shuffle)
+               {
+                 for (i=0; i<w0; i++, src++, dst++)
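Review bot: In both added blocks the bounds check runs after `src = buffer + j*w0;` and `dst = frame0 + ...;` have already been computed, so an out-of-range frame still forms an out-of-bounds pointer before the check rejects it; moving the `if (...) { ... exit(1); }` block above the two pointer assignments keeps the pointer arithmetic inside the allocation. The frame0 bound is `imagesize`, which the CVE-2021-45909 patch shows being reassigned to `w0*h0` per sub-image; it is worth confirming that at this point it still holds frame0's allocation size rather than the sub-frame size, since a smaller value would reject valid frames and a larger one would not protect `dst`. The `< 0` tests are evaluated on the products `j*w0` and `(k+y0)*w`, which presumably are `int` (their declarations are outside the hunk), so they rely on an overflow having already happened; guarding the operands, e.g. `j >= 0 && w0 >= 0`, would be cleaner. The closing brace of the first block is indented differently from the second. main continues outside the hunk.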
diff -Nru gif2apng-1.9+srconly/debian/patches/CVE-2021-45911.patch gif2apng-1.9+srconly/debian/patches/CVE-2021-45911.patch
--- gif2apng-1.9+srconly/debian/patches/CVE-2021-45911.patch	1970-01-01 01:00:00.000000000 +0100
+++ gif2apng-1.9+srconly/debian/patches/CVE-2021-45911.patch	2022-07-28 23:56:21.000000000 +0200
@@ -0,0 +1,15 @@
+diff --git a/gif2apng.cpp b/gif2apng.cpp
+index a7ad042..3eee394 100644
+--- a/gif2apng.cpp
++++ b/gif2apng.cpp
+@@ -1054,7 +1054,9 @@ int main(int argc, char** argv)
+             dispose_op = (flags >> 2) & 7;
+             if (dispose_op > 3) dispose_op = 3;
+             if (dispose_op == 3 && n == 0) dispose_op = 2;
+-            if (delay > 1) delays[n] = delay;
++            if (delay > 1 && n < frames) {
++              if (delay > 1) delays[n] = delay;
++            }
+           }
+           else
+           {
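Review bot: The inner `if (delay > 1)` on the new line is redundant, since the enclosing condition already tests `delay > 1`; the three added lines collapse to `if (delay > 1 && n < frames) delays[n] = delay;`. The guard presumably assumes `delays` was allocated with `frames` entries and that `n` is non-negative; neither declaration is in the hunk, so that is worth confirming. A delay dropped because `n >= frames` is also silent, unlike the `exit(1)` paths in the sibling patches, so a diagnostic in that case would make the behaviour consistent. main continues outside the hunk.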
diff -Nru gif2apng-1.9+srconly/debian/patches/series gif2apng-1.9+srconly/debian/patches/series
--- gif2apng-1.9+srconly/debian/patches/series	2016-11-11 06:49:20.000000000 +0100
+++ gif2apng-1.9+srconly/debian/patches/series	2022-07-28 23:56:21.000000000 +0200
@@ -1 +1,4 @@
 10-7z.patch
+CVE-2021-45909.patch
+CVE-2021-45910.patch
+CVE-2021-45911.patch
