--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package timg/1.4.5-1+deb12u1
- From: Tobias Frost <tobi@debian.org>
- Date: Sat, 09 Sep 2023 19:20:18 +0200
- Message-id: <169428001843.96313.14777229218719804280.reportbug@isildor2.loewenhoehle.ip>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: timg@packages.debian.org
Control: affects -1 + src:timg
[ Reason ]
Fixing CVE-2023-40968 (buffer overflow vulnerability)
[ Risks ]
Patch is trivial, taken from upstream; local testing done.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
diff -Nru timg-1.4.5/debian/changelog timg-1.4.5/debian/changelog
--- timg-1.4.5/debian/changelog 2022-11-30 20:09:18.000000000 +0100
+++ timg-1.4.5/debian/changelog 2023-09-09 19:07:01.000000000 +0200
@@ -1,3 +1,9 @@
+timg (1.4.5-1+deb12u1) bookworm; urgency=medium
+
+ * Cherry-pick upstream fix for CVE-2023-40968 (Closes: #1051231)
+
+ -- Tobias Frost <tobi@debian.org> Sat, 09 Sep 2023 19:07:01 +0200
+
timg (1.4.5-1) unstable; urgency=medium
[ Tobias Frost ]
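Review bot: The new changelog entry at the "Cherry-pick upstream fix" line does not name the file it adds. Naming debian/patches/CVE-2023-40968.patch there, with a few words saying it is a buffer overflow in src/unicode-block-canvas.cc, would let the entry be matched against debian/patches/series without opening the debdiff.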
diff -Nru timg-1.4.5/debian/patches/CVE-2023-40968.patch timg-1.4.5/debian/patches/CVE-2023-40968.patch
--- timg-1.4.5/debian/patches/CVE-2023-40968.patch 1970-01-01 01:00:00.000000000 +0100
+++ timg-1.4.5/debian/patches/CVE-2023-40968.patch 2023-09-09 19:07:01.000000000 +0200
@@ -0,0 +1,23 @@
+Description: CVE-2023-40968 buffer overflow vulnerability
+Origin: https://github.com/hzeller/timg/commit/2e9414e668144bbe0afc074dac17b74ef4acfdcf
+Bug: https://github.com/hzeller/timg/issues/115
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051231
+--- a/src/unicode-block-canvas.cc
++++ b/src/unicode-block-canvas.cc
+@@ -417,13 +417,14 @@
+ + SCREEN_END_OF_LINE_LEN); // Finishing a line.
+
+ // Depending on even/odd situation, we might need one extra row.
+- const size_t new_backing = width * (height + 1) * sizeof(rgba_t);
++ // For quarter, we have one extra possible pixel wider.
++ const size_t new_backing = (width + 1) * (height + 1) * sizeof(rgba_t);
+ if (new_backing > backing_buffer_size_) {
+ backing_buffer_ = (rgba_t *)realloc(backing_buffer_, new_backing);
+ backing_buffer_size_ = new_backing;
+ }
+
+- const size_t new_empty = width * sizeof(rgba_t);
++ const size_t new_empty = (width + 1) * sizeof(rgba_t);
+ if (new_empty > empty_line_size_) {
+ empty_line_ = (rgba_t *)realloc(empty_line_, new_empty);
+ empty_line_size_ = new_empty;
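Review bot: At the two realloc calls that follow the changed size computations, the result is assigned straight back to backing_buffer_ and empty_line_ with no NULL check in the lines shown, and backing_buffer_size_ is then set to new_backing regardless. A failed allocation would lose the old pointer and leave the recorded size larger than what is actually allocated. These are unchanged context lines, so that is better raised upstream as a follow-up than folded into this stable update. Within the patch itself, the new_empty line gets the same (width + 1) change but no comment; a short note there, matching the one added above new_backing, would say why the empty line needs the extra pixel too. The types of width and height are not visible in this hunk: if they are int, (width + 1) * (height + 1) is evaluated in int before being multiplied by sizeof(rgba_t), which is worth checking against their declaration.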
diff -Nru timg-1.4.5/debian/patches/series timg-1.4.5/debian/patches/series
--- timg-1.4.5/debian/patches/series 2022-11-30 19:52:10.000000000 +0100
+++ timg-1.4.5/debian/patches/series 2023-09-09 19:07:01.000000000 +0200
@@ -1 +1,2 @@
use-system-qui.patch
+CVE-2023-40968.patch
--- End Message ---