Bug#1113882: trixie-pu: package sail/0.9.8-1+deb13u1 (fix multiple CVEs)
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: sudipm.mukherjee@gmail.com
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
[ Reason ]
A few security vulnerabilities have been reported for this package
via https://bugs.debian.org/1112346.
CVE-2025-32468
CVE-2025-35984
CVE-2025-46407
CVE-2025-50129
CVE-2025-52456
CVE-2025-52930
CVE-2025-53085
CVE-2025-53510
[ Impact ]
It is a security hole and is a risk if the package is not updated.
[ Tests ]
1. The upstream test-suite has been run to ensure there is no regression.
2. The sample apps have been built and executed to make sure they work.
[ Risks ]
All the patches are very simple and just introduce boundary checking before
using the buffer.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Please allow me to upload sail/0.9.8-1+deb13u1 as per attached debdiff.
--
Regards
Sudip
diff -Nru sail-0.9.8/debian/changelog sail-0.9.8/debian/changelog
--- sail-0.9.8/debian/changelog 2025-04-06 12:41:53.000000000 +0100
+++ sail-0.9.8/debian/changelog 2025-09-03 18:48:04.000000000 +0100
@@ -1,3 +1,17 @@
+sail (0.9.8-1+deb13u1) trixie; urgency=medium
+
+ * Fix security vulnerabilities. (Closes: #1112346)
+ - CVE-2025-32468
+ - CVE-2025-35984
+ - CVE-2025-46407
+ - CVE-2025-50129
+ - CVE-2025-52456
+ - CVE-2025-52930
+ - CVE-2025-53085
+ - CVE-2025-53510
+
+ -- Sudip Mukherjee <sudipm.mukherjee@gmail.com> Wed, 03 Sep 2025 18:48:04 +0100
+
sail (0.9.8-1) unstable; urgency=medium
* New upstream version 0.9.8
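Review bot: CVE-2025-52456 is listed in the changelog entry but none of the eight patch files in this debdiff names it in its Description: header (the Description lines cover CVE-2025-46407, 52930, 53510, 35984, 53085, 32468 and 50129, and 0001-SAIL-Fix-memory-leak-on-error.patch carries no CVE at all). Please add the CVE id to the Description of whichever patch addresses it, so the changelog claim can be traced to a concrete change, or drop it from the changelog if it is fixed by one of the existing patches under a different id.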
diff -Nru sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch
--- sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch 1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch 2025-09-03 18:47:26.000000000 +0100
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2025-46407
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/d46b6ca190938fc3bb6f216a888467c7808f3cf5
+Bug: https://github.com/HappySeaFox/sail/issues/223
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/common/bmp/bmp.c b/src/sail-codecs/common/bmp/bmp.c
+index 90b43f8c..a2144b8a 100644
+--- a/src/sail-codecs/common/bmp/bmp.c
++++ b/src/sail-codecs/common/bmp/bmp.c
+@@ -284,6 +284,14 @@ sail_status_t bmp_private_read_init(struct sail_io *io, const struct sail_load_o
+ SAIL_LOG_AND_RETURN(SAIL_ERROR_MISSING_PALETTE);
+ }
+
++ /* Validate and allocate palette. */
++ size_t max_palette_count = SIZE_MAX / sizeof(sail_rgba32_t);
++
++ if (bmp_state->palette_count > max_palette_count) {
++ SAIL_LOG_ERROR("BMP: Indexed image has too large palette");
++ SAIL_LOG_AND_RETURN(SAIL_ERROR_BROKEN_IMAGE);
++ }
++
+ void *ptr;
+ SAIL_TRY(sail_malloc(sizeof(sail_rgba32_t) * bmp_state->palette_count, &ptr));
+ bmp_state->palette = ptr;
+--
+2.39.5
+
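Review bot: the new bound in this hunk only rules out size_t overflow in `sizeof(sail_rgba32_t) * bmp_state->palette_count`; a palette_count just below `SIZE_MAX / sizeof(sail_rgba32_t)` still passes and reaches sail_malloc with a request of several gigabytes, which on a memory-limited host turns a crafted header into a resource-exhaustion failure. An indexed BMP palette has at most 2^bits_per_pixel entries (256 for 8-bit images), so checking against that format-defined limit, or at least including the rejected value in the "Indexed image has too large palette" log line, would make the rejection both tighter and easier to diagnose.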
diff -Nru sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch
--- sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch 1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch 2025-09-03 18:47:53.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-52930
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/1b7dfa9f4b7364d496015808cac76457e5ddcf0c
+Bug: https://github.com/HappySeaFox/sail/issues/229
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/common/bmp/bmp.c b/src/sail-codecs/common/bmp/bmp.c
+index c67c86b2..ed05d162 100644
+--- a/src/sail-codecs/common/bmp/bmp.c
++++ b/src/sail-codecs/common/bmp/bmp.c
+@@ -516,6 +516,9 @@ sail_status_t bmp_private_read_frame(void *state, struct sail_io *io, struct sai
+ uint8_t index;
+ SAIL_TRY(io->strict_read(io->stream, &index, sizeof(index)));
+
++ /* Round to the buffer size. */
++ marker = (pixel_index + marker) <= image->width ? marker : (image->width - pixel_index);
++
+ for (uint8_t k = 0; k < marker; k++) {
+ *scan++ = index;
+ }
+--
+2.39.5
+
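Review bot: the clamp `marker = (pixel_index + marker) <= image->width ? marker : (image->width - pixel_index);` only bounds the write if `pixel_index <= image->width` already holds on entry; if pixel_index can exceed the width here, `image->width - pixel_index` wraps as unsigned arithmetic and the truncated result assigned to marker is unpredictable. An explicit `if (pixel_index >= image->width)` guard before the clamp (breaking out of the run or returning SAIL_ERROR_BROKEN_IMAGE) would remove the reliance on that invariant. The comment "Round to the buffer size." also reads as rounding rather than clamping; "Clamp the run to the remaining width." describes what the line does.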
diff -Nru sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch
--- sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch 1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch 2025-09-03 18:47:44.000000000 +0100
@@ -0,0 +1,33 @@
+Description: Fix for CVE-2025-53510
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/9d17b8f36e74a33247a0ccae4b81dddcba57ca5a
+Bug: https://github.com/HappySeaFox/sail/issues/226
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-common/utils.c b/src/sail-common/utils.c
+index 0f519ba4..4a00a67e 100644
+--- a/src/sail-common/utils.c
++++ b/src/sail-common/utils.c
+@@ -25,6 +25,7 @@
+
+ #include <ctype.h>
+ #include <errno.h>
++#include <limits.h> /* UINT_MAX */
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -412,7 +413,8 @@ bool sail_greater_bits_per_pixel(enum SailPixelFormat pixel_format1, enum SailPi
+ unsigned sail_bytes_per_line(unsigned width, enum SailPixelFormat pixel_format) {
+
+ const unsigned bits_per_pixel = sail_bits_per_pixel(pixel_format);
+- return (unsigned)(((double)width * bits_per_pixel + 7) / 8);
++ const double bytes_per_line = ((double)width * bits_per_pixel + 7) / 8;
++ return (bytes_per_line < UINT_MAX) ? (unsigned)bytes_per_line : 0;
+ }
+
+ bool sail_is_indexed(enum SailPixelFormat pixel_format) {
+--
+2.39.5
+
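Review bot: returning 0 from sail_bytes_per_line as the overflow sentinel is ambiguous with a genuine zero-width line, and every caller that uses the result as a divisor or as an allocation size must now check for it; the matching hunk in 0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch computes `SIZE_MAX / image_local->bytes_per_line`, which faults on that sentinel unless an earlier validation rejects a zero. Please document the sentinel in the function's comment (and the header declaration) and audit callers for the 0 case. The condition `bytes_per_line < UINT_MAX` is also sound only because the expression is evaluated in double; a short comment saying so would keep a future "optimisation" back to integer arithmetic from reintroducing the overflow.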
diff -Nru sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch
--- sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch 1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch 2025-09-03 18:47:34.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-35984
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/246fdcdaecae39f1258e58507048cafab6f8905a
+Bug: https://github.com/HappySeaFox/sail/issues/225
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/pcx/pcx.c b/src/sail-codecs/pcx/pcx.c
+index 62207e10..503d2c36 100644
+--- a/src/sail-codecs/pcx/pcx.c
++++ b/src/sail-codecs/pcx/pcx.c
+@@ -203,6 +203,9 @@ SAIL_EXPORT sail_status_t sail_codec_load_frame_v8_pcx(void *state, struct sail_
+ value = marker;
+ }
+
++ /* Round to the buffer size. */
++ count = (bytes + count) < image->bytes_per_line ? count : (image->bytes_per_line - bytes);
++
+ bytes += count;
+
+ memset(pcx_state->scanline_buffer + buffer_offset, value, count);
+--
+2.39.5
+
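Review bot: the clamp is computed against `bytes`, but the memset writes at `pcx_state->scanline_buffer + buffer_offset`, so the write stays inside the scanline buffer only if buffer_offset advances in step with bytes; please confirm that relation or clamp against the actual destination offset. Two smaller points: this hunk uses `<` where the BMP, PSD and TGA hunks use `<=` (harmless here, since the equal case yields the same count, but inconsistent), and as in the other clamps `image->bytes_per_line - bytes` wraps if bytes already exceeds bytes_per_line on entry.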
diff -Nru sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch
--- sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch 1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch 2025-09-03 18:47:47.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-53085
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/4e94da2a191a89c788f0f14af258e49cacc7764f
+Bug: https://github.com/HappySeaFox/sail/issues/227
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/psd/psd.c b/src/sail-codecs/psd/psd.c
+index af0ee4d6..4e95990a 100644
+--- a/src/sail-codecs/psd/psd.c
++++ b/src/sail-codecs/psd/psd.c
+@@ -261,6 +261,9 @@ SAIL_EXPORT sail_status_t sail_codec_load_frame_v8_psd(void *state, struct sail_
+ unsigned char value;
+ SAIL_TRY(psd_state->io->strict_read(psd_state->io->stream, &value, sizeof(value)));
+
++ /* Round to the buffer size. */
++ c = (count + c) <= image->width ? c : (image->width - count);
++
+ for (unsigned i = count; i < count + c; i++) {
+ unsigned char *scan = (unsigned char *)sail_scan_line(image, row) + i * bpp;
+ *(scan + channel) = value;
+--
+2.39.5
+
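Review bot: the clamp bounds the column index `i` to the image width, but the `row` argument to `sail_scan_line(image, row)` is not validated in this hunk, and a row at or beyond image->height moves the write outside the pixel buffer regardless of how small c is; please confirm that the loop advancing row checks `row < image->height` before reaching this point, or add that check here. Also note that the truncation is silent: an RLE run that crosses the end of the line means the file is malformed, and a SAIL_LOG_ERROR (or SAIL_ERROR_BROKEN_IMAGE) would make such inputs visible instead of decoding them partially.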
diff -Nru sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch
--- sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch 1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch 2025-09-03 18:47:39.000000000 +0100
@@ -0,0 +1,24 @@
+Description: Fix a memory leak
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/38834fe0e484563df31362ecd90b78197d6133ca
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail/sail_advanced.c b/src/sail/sail_advanced.c
+index f2979534..b28d8da6 100644
+--- a/src/sail/sail_advanced.c
++++ b/src/sail/sail_advanced.c
+@@ -106,7 +106,8 @@ sail_status_t sail_load_next_frame(void *state, struct sail_image **image) {
+ struct sail_image *image_local;
+ SAIL_TRY(state_of_mind->codec->v8->load_seek_next_frame(state_of_mind->state, &image_local));
+
+- SAIL_TRY(sail_check_image_skeleton_valid(image_local));
++ SAIL_TRY_OR_CLEANUP(sail_check_image_skeleton_valid(image_local),
++ /* cleanup */ sail_destroy_image(image_local));
+
+ if (image_local->pixels != NULL) {
+ SAIL_LOG_ERROR("Internal error in %s codec: codecs must not allocate pixels", state_of_mind->codec_info->name);
+--
+2.39.5
+
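Review bot: this hunk replaces the `SAIL_TRY(sail_check_image_skeleton_valid(image_local));` line that is itself introduced by 0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch, so it only applies after that patch; the series file orders them correctly, but the Description: "Fix a memory leak" should say that the leak is in the validation added for CVE-2025-32468 (image_local is not destroyed when the skeleton check fails) so a future rebase does not reorder or drop one of the pair.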
diff -Nru sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch
--- sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch 1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch 2025-09-03 18:47:31.000000000 +0100
@@ -0,0 +1,48 @@
+Description: Fix for CVE-2025-32468
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/efc1cd8f38e7ba3401698ecb2ad9b25d6f886596
+Bug: https://github.com/HappySeaFox/sail/issues/224
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail/sail_advanced.c b/src/sail/sail_advanced.c
+index dba064e7..9d9949f4 100644
+--- a/src/sail/sail_advanced.c
++++ b/src/sail/sail_advanced.c
+@@ -24,6 +24,7 @@
+ */
+
+ #include <stddef.h>
++#include <stdint.h> /* SIZE_MAX */
+ #include <stdlib.h>
+
+ #include <sail/sail.h>
+@@ -105,13 +106,23 @@ sail_status_t sail_load_next_frame(void *state, struct sail_image **image) {
+ struct sail_image *image_local;
+ SAIL_TRY(state_of_mind->codec->v8->load_seek_next_frame(state_of_mind->state, &image_local));
+
++ SAIL_TRY(sail_check_image_skeleton_valid(image_local));
++
+ if (image_local->pixels != NULL) {
+ SAIL_LOG_ERROR("Internal error in %s codec: codecs must not allocate pixels", state_of_mind->codec_info->name);
+ sail_destroy_image(image_local);
+ SAIL_LOG_AND_RETURN(SAIL_ERROR_CONFLICTING_OPERATION);
+ }
+
+- /* Allocate pixels. */
++ /* Validate and allocate pixels. */
++ const size_t max_height = SIZE_MAX / image_local->bytes_per_line;
++
++ if (image_local->height > max_height) {
++ SAIL_LOG_ERROR("Image height is too long");
++ sail_destroy_image(image_local);
++ SAIL_LOG_AND_RETURN(SAIL_ERROR_INCORRECT_IMAGE_DIMENSIONS);
++ }
++
+ const size_t pixels_size = (size_t)image_local->height * image_local->bytes_per_line;
+ SAIL_TRY_OR_CLEANUP(sail_malloc(pixels_size, &image_local->pixels),
+ /* cleanup */ sail_destroy_image(image_local));
+--
+2.39.5
+
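Review bot: `const size_t max_height = SIZE_MAX / image_local->bytes_per_line;` divides by zero when bytes_per_line is 0, and 0 is exactly the value sail_bytes_per_line now returns on overflow in 0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch (it is also the value for a zero-width image). Unless sail_check_image_skeleton_valid, called a few lines above, is known to reject bytes_per_line == 0, add an explicit `if (image_local->bytes_per_line == 0)` rejection before the division. Minor: "Image height is too long" would read better as "Image height is too large for the given bytes per line".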
diff -Nru sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch
--- sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch 1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch 2025-09-03 18:47:50.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-50129
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/4879e0df0bc9e99873e70d65be31b94f47b7d41d
+Bug: https://github.com/HappySeaFox/sail/issues/228
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/tga/tga.c b/src/sail-codecs/tga/tga.c
+index afc04288..cc7f471a 100644
+--- a/src/sail-codecs/tga/tga.c
++++ b/src/sail-codecs/tga/tga.c
+@@ -223,6 +223,9 @@ SAIL_EXPORT sail_status_t sail_codec_load_frame_v8_tga(void *state, struct sail_
+
+ SAIL_TRY(tga_state->io->strict_read(tga_state->io->stream, pixel, pixel_size));
+
++ /* Round to the buffer size. */
++ count = (i + count) <= pixels_num ? count : (pixels_num - i);
++
+ for (unsigned j = 0; j < count; j++, i++) {
+ memcpy(pixels, pixel, pixel_size);
+ pixels += pixel_size;
+--
+2.39.5
+
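Review bot: the clamp keeps the memcpy loop inside the pixel buffer, but a run-length packet that extends past pixels_num is a malformed file, and the code now silently decodes a truncated image; logging the condition with SAIL_LOG_ERROR, or returning SAIL_ERROR_BROKEN_IMAGE as the palette check in the BMP patch does, would surface such inputs to callers and to fuzzing harnesses instead of hiding them. Note also that this hunk bounds only the pixel count; `pixel_size` is read elsewhere and is assumed here to match the buffer's stride.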
diff -Nru sail-0.9.8/debian/patches/series sail-0.9.8/debian/patches/series
--- sail-0.9.8/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/series 2025-09-03 18:39:17.000000000 +0100
@@ -0,0 +1,8 @@
+0001-BMP-Fix-possible-buffer-overflow-closes-223.patch
+0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch
+0001-PCX-Fix-possible-buffer-overflow-closes-225.patch
+0001-SAIL-Fix-memory-leak-on-error.patch
+0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch
+0001-PSD-Fix-possible-buffer-overflow-closes-227.patch
+0001-TGA-Fix-possible-buffer-overflow-closes-228.patch
+0001-BMP-Fix-possible-buffer-overflow-closes-229.patch
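Review bot: the order in this series carries a hidden dependency: 0001-SAIL-Fix-memory-leak-on-error.patch modifies a line added by 0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch and must stay after it. The current order satisfies that, but since all eight files share the 0001- prefix and nothing else expresses the constraint, a `#` comment line in the series file (quilt ignores lines starting with `#`) noting that the memory-leak patch depends on the validation patch would protect the next person who re-sorts the list.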