
Bug#1113882: marked as done (trixie-pu: package sail/0.9.8-1+deb13u1 (fix multiple CVEs))



Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1113882,
regarding trixie-pu: package sail/0.9.8-1+deb13u1 (fix multiple CVEs)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1113882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113882
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: sudipm.mukherjee@gmail.com
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]

A few security vulnerabilities have been reported for this package,
via https://bugs.debian.org/1112346.

CVE-2025-32468
CVE-2025-35984
CVE-2025-46407
CVE-2025-50129
CVE-2025-52456
CVE-2025-52930
CVE-2025-53085
CVE-2025-53510

[ Impact ]

It is a security hole and is a risk if the package is not updated.

[ Tests ]

1. The upstream test-suite has been run to ensure there is no regression.
2. The sample apps have been built and executed to make sure they work.

[ Risks ]

All the patches are very simple and just introduce boundary checking before
using the buffer.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Please allow me to upload sail/0.9.8-1+deb13u1 as per attached debdiff.

-- 
Regards
Sudip
diff -Nru sail-0.9.8/debian/changelog sail-0.9.8/debian/changelog
--- sail-0.9.8/debian/changelog	2025-04-06 12:41:53.000000000 +0100
+++ sail-0.9.8/debian/changelog	2025-09-03 18:48:04.000000000 +0100
@@ -1,3 +1,17 @@
+sail (0.9.8-1+deb13u1) trixie; urgency=medium
+
+  * Fix security vulnerabilities. (Closes: #1112346)
+    - CVE-2025-32468
+    - CVE-2025-35984
+    - CVE-2025-46407
+    - CVE-2025-50129
+    - CVE-2025-52456
+    - CVE-2025-52930
+    - CVE-2025-53085
+    - CVE-2025-53510
+
+ -- Sudip Mukherjee <sudipm.mukherjee@gmail.com>  Wed, 03 Sep 2025 18:48:04 +0100
+
 sail (0.9.8-1) unstable; urgency=medium
 
   * New upstream version 0.9.8
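Review bot: CVE-2025-52456 is listed in this changelog entry, but none of the patch headers in the debdiff carries "Fix for CVE-2025-52456"; the only patch without a CVE in its Description is 0001-SAIL-Fix-memory-leak-on-error.patch, which the entry does not mention at all. Please state which patch addresses CVE-2025-52456 and list each patch next to the CVE it fixes, so the entry matches the "all changes are documented in the d/changelog" item in the checklist.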
diff -Nru sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch
--- sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch	1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch	2025-09-03 18:47:26.000000000 +0100
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2025-46407
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/d46b6ca190938fc3bb6f216a888467c7808f3cf5
+Bug: https://github.com/HappySeaFox/sail/issues/223
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/common/bmp/bmp.c b/src/sail-codecs/common/bmp/bmp.c
+index 90b43f8c..a2144b8a 100644
+--- a/src/sail-codecs/common/bmp/bmp.c
++++ b/src/sail-codecs/common/bmp/bmp.c
+@@ -284,6 +284,14 @@ sail_status_t bmp_private_read_init(struct sail_io *io, const struct sail_load_o
+             SAIL_LOG_AND_RETURN(SAIL_ERROR_MISSING_PALETTE);
+         }
+ 
++        /* Validate and allocate palette. */
++        size_t max_palette_count = SIZE_MAX / sizeof(sail_rgba32_t);
++
++        if (bmp_state->palette_count > max_palette_count) {
++            SAIL_LOG_ERROR("BMP: Indexed image has too large palette");
++            SAIL_LOG_AND_RETURN(SAIL_ERROR_BROKEN_IMAGE);
++        }
++
+         void *ptr;
+         SAIL_TRY(sail_malloc(sizeof(sail_rgba32_t) * bmp_state->palette_count, &ptr));
+         bmp_state->palette = ptr;
+-- 
+2.39.5
+
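Review bot: The new check on bmp_state->palette_count only rules out wrap-around of sizeof(sail_rgba32_t) * palette_count, so a very large count still passes and requests an allocation of up to nearly SIZE_MAX bytes. Consider also rejecting a palette_count larger than the number of entries the image's bit depth can index, and confirm that bmp.c already includes <stdint.h> for SIZE_MAX, since this hunk adds no include while the sail_advanced.c patch adds one for the same macro.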
diff -Nru sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch
--- sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch	1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch	2025-09-03 18:47:53.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-52930
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/1b7dfa9f4b7364d496015808cac76457e5ddcf0c
+Bug: https://github.com/HappySeaFox/sail/issues/229
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/common/bmp/bmp.c b/src/sail-codecs/common/bmp/bmp.c
+index c67c86b2..ed05d162 100644
+--- a/src/sail-codecs/common/bmp/bmp.c
++++ b/src/sail-codecs/common/bmp/bmp.c
+@@ -516,6 +516,9 @@ sail_status_t bmp_private_read_frame(void *state, struct sail_io *io, struct sai
+                     uint8_t index;
+                     SAIL_TRY(io->strict_read(io->stream, &index, sizeof(index)));
+ 
++                    /* Round to the buffer size. */
++                    marker = (pixel_index + marker) <= image->width ? marker : (image->width - pixel_index);
++
+                     for (uint8_t k = 0; k < marker; k++) {
+                         *scan++ = index;
+                     }
+-- 
+2.39.5
+
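Review bot: The clamp on marker assumes pixel_index <= image->width; if pixel_index has already passed the width, image->width - pixel_index wraps for unsigned operands, and the result is then narrowed into marker, which the following loop compares against a uint8_t counter. Suggest checking pixel_index against image->width first and returning SAIL_ERROR_BROKEN_IMAGE for a run that overshoots the scan line instead of silently truncating it. The comment "Round to the buffer size" should also say that the run is clamped to the pixels remaining in the row.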
diff -Nru sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch
--- sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch	1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch	2025-09-03 18:47:44.000000000 +0100
@@ -0,0 +1,33 @@
+Description: Fix for CVE-2025-53510
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/9d17b8f36e74a33247a0ccae4b81dddcba57ca5a
+Bug: https://github.com/HappySeaFox/sail/issues/226
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-common/utils.c b/src/sail-common/utils.c
+index 0f519ba4..4a00a67e 100644
+--- a/src/sail-common/utils.c
++++ b/src/sail-common/utils.c
+@@ -25,6 +25,7 @@
+ 
+ #include <ctype.h>
+ #include <errno.h>
++#include <limits.h> /* UINT_MAX */
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -412,7 +413,8 @@ bool sail_greater_bits_per_pixel(enum SailPixelFormat pixel_format1, enum SailPi
+ unsigned sail_bytes_per_line(unsigned width, enum SailPixelFormat pixel_format) {
+ 
+     const unsigned bits_per_pixel = sail_bits_per_pixel(pixel_format);
+-    return (unsigned)(((double)width * bits_per_pixel + 7) / 8);
++    const double bytes_per_line = ((double)width * bits_per_pixel + 7) / 8;
++    return (bytes_per_line < UINT_MAX) ? (unsigned)bytes_per_line : 0;
+ }
+ 
+ bool sail_is_indexed(enum SailPixelFormat pixel_format) {
+-- 
+2.39.5
+
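Review bot: sail_bytes_per_line() now returns 0 when the result does not fit in unsigned, but nothing in the hunk documents 0 as an error value, and every caller that multiplies by, divides by or allocates from the result has to handle it. Please add the new return convention to the function's comment and audit the callers for a zero bytes_per_line.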
diff -Nru sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch
--- sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch	1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch	2025-09-03 18:47:34.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-35984
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/246fdcdaecae39f1258e58507048cafab6f8905a
+Bug: https://github.com/HappySeaFox/sail/issues/225
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/pcx/pcx.c b/src/sail-codecs/pcx/pcx.c
+index 62207e10..503d2c36 100644
+--- a/src/sail-codecs/pcx/pcx.c
++++ b/src/sail-codecs/pcx/pcx.c
+@@ -203,6 +203,9 @@ SAIL_EXPORT sail_status_t sail_codec_load_frame_v8_pcx(void *state, struct sail_
+                     value = marker;
+                 }
+ 
++                /* Round to the buffer size. */
++                count = (bytes + count) < image->bytes_per_line ? count : (image->bytes_per_line - bytes);
++
+                 bytes += count;
+ 
+                 memset(pcx_state->scanline_buffer + buffer_offset, value, count);
+-- 
+2.39.5
+
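Review bot: The clamp bounds bytes + count by image->bytes_per_line, but the memset that follows writes at pcx_state->scanline_buffer + buffer_offset, so the fix is only complete if buffer_offset + count stays inside scanline_buffer whenever bytes + count stays inside bytes_per_line. That relation is not visible in this hunk and deserves a comment or an explicit check. The condition also uses < where the BMP, PSD and TGA clamps use <=; both yield the same count, but one form across the codecs would be easier to audit.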
diff -Nru sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch
--- sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch	1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch	2025-09-03 18:47:47.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-53085
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/4e94da2a191a89c788f0f14af258e49cacc7764f
+Bug: https://github.com/HappySeaFox/sail/issues/227
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/psd/psd.c b/src/sail-codecs/psd/psd.c
+index af0ee4d6..4e95990a 100644
+--- a/src/sail-codecs/psd/psd.c
++++ b/src/sail-codecs/psd/psd.c
+@@ -261,6 +261,9 @@ SAIL_EXPORT sail_status_t sail_codec_load_frame_v8_psd(void *state, struct sail_
+                         unsigned char value;
+                         SAIL_TRY(psd_state->io->strict_read(psd_state->io->stream, &value, sizeof(value)));
+ 
++                        /* Round to the buffer size. */
++                        c = (count + c) <= image->width ? c : (image->width - count);
++                        
+                         for (unsigned i = count; i < count + c; i++) {
+                             unsigned char *scan = (unsigned char *)sail_scan_line(image, row) + i * bpp;
+                             *(scan + channel) = value;
+-- 
+2.39.5
+
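Review bot: The clamp on c relies on count <= image->width holding before this line; otherwise image->width - count wraps for unsigned operands and the loop bound count + c is no tighter than before. An explicit check with an error return for that case would close the gap, and if truncating an overshooting run is the intended handling of malformed RLE data, the comment should say so. The added blank line after the clamp also carries trailing whitespace.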
diff -Nru sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch
--- sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch	1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch	2025-09-03 18:47:39.000000000 +0100
@@ -0,0 +1,24 @@
+Description: Fix a memory leak
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/38834fe0e484563df31362ecd90b78197d6133ca
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail/sail_advanced.c b/src/sail/sail_advanced.c
+index f2979534..b28d8da6 100644
+--- a/src/sail/sail_advanced.c
++++ b/src/sail/sail_advanced.c
+@@ -106,7 +106,8 @@ sail_status_t sail_load_next_frame(void *state, struct sail_image **image) {
+     struct sail_image *image_local;
+     SAIL_TRY(state_of_mind->codec->v8->load_seek_next_frame(state_of_mind->state, &image_local));
+ 
+-    SAIL_TRY(sail_check_image_skeleton_valid(image_local));
++    SAIL_TRY_OR_CLEANUP(sail_check_image_skeleton_valid(image_local),
++                        /* cleanup */ sail_destroy_image(image_local));
+ 
+     if (image_local->pixels != NULL) {
+         SAIL_LOG_ERROR("Internal error in %s codec: codecs must not allocate pixels", state_of_mind->codec_info->name);
+-- 
+2.39.5
+
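Review bot: The header gives no CVE or upstream issue for this patch, and the line it changes, SAIL_TRY(sail_check_image_skeleton_valid(image_local)), is the one added by 0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch, so it only applies after that patch. debian/patches/series has them in that order; a sentence in the Description naming the dependency and the issue being fixed would make that explicit.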
diff -Nru sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch
--- sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch	1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch	2025-09-03 18:47:31.000000000 +0100
@@ -0,0 +1,48 @@
+Description: Fix for CVE-2025-32468
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/efc1cd8f38e7ba3401698ecb2ad9b25d6f886596
+Bug: https://github.com/HappySeaFox/sail/issues/224
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail/sail_advanced.c b/src/sail/sail_advanced.c
+index dba064e7..9d9949f4 100644
+--- a/src/sail/sail_advanced.c
++++ b/src/sail/sail_advanced.c
+@@ -24,6 +24,7 @@
+ */
+ 
+ #include <stddef.h>
++#include <stdint.h> /* SIZE_MAX */
+ #include <stdlib.h>
+ 
+ #include <sail/sail.h>
+@@ -105,13 +106,23 @@ sail_status_t sail_load_next_frame(void *state, struct sail_image **image) {
+     struct sail_image *image_local;
+     SAIL_TRY(state_of_mind->codec->v8->load_seek_next_frame(state_of_mind->state, &image_local));
+ 
++    SAIL_TRY(sail_check_image_skeleton_valid(image_local));
++
+     if (image_local->pixels != NULL) {
+         SAIL_LOG_ERROR("Internal error in %s codec: codecs must not allocate pixels", state_of_mind->codec_info->name);
+         sail_destroy_image(image_local);
+         SAIL_LOG_AND_RETURN(SAIL_ERROR_CONFLICTING_OPERATION);
+     }
+ 
+-    /* Allocate pixels. */
++    /* Validate and allocate pixels. */
++    const size_t max_height = SIZE_MAX / image_local->bytes_per_line;
++
++    if (image_local->height > max_height) {
++        SAIL_LOG_ERROR("Image height is too long");
++        sail_destroy_image(image_local);
++        SAIL_LOG_AND_RETURN(SAIL_ERROR_INCORRECT_IMAGE_DIMENSIONS);
++    }
++
+     const size_t pixels_size = (size_t)image_local->height * image_local->bytes_per_line;
+     SAIL_TRY_OR_CLEANUP(sail_malloc(pixels_size, &image_local->pixels),
+                         /* cleanup */ sail_destroy_image(image_local));
+-- 
+2.39.5
+
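Review bot: SIZE_MAX / image_local->bytes_per_line divides by zero if bytes_per_line is 0, and the COMMON patch in this same upload makes sail_bytes_per_line() return 0 on overflow. The hunk relies on the sail_check_image_skeleton_valid() call it adds above to reject that case; please confirm it does, or test bytes_per_line == 0 here before dividing. The log text "Image height is too long" would read better as "Image height is too large".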
diff -Nru sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch
--- sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch	1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch	2025-09-03 18:47:50.000000000 +0100
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-50129
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/4879e0df0bc9e99873e70d65be31b94f47b7d41d
+Bug: https://github.com/HappySeaFox/sail/issues/228
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/tga/tga.c b/src/sail-codecs/tga/tga.c
+index afc04288..cc7f471a 100644
+--- a/src/sail-codecs/tga/tga.c
++++ b/src/sail-codecs/tga/tga.c
+@@ -223,6 +223,9 @@ SAIL_EXPORT sail_status_t sail_codec_load_frame_v8_tga(void *state, struct sail_
+ 
+                     SAIL_TRY(tga_state->io->strict_read(tga_state->io->stream, pixel, pixel_size));
+ 
++                    /* Round to the buffer size. */
++                    count = (i + count) <= pixels_num ? count : (pixels_num - i);
++
+                     for (unsigned j = 0; j < count; j++, i++) {
+                         memcpy(pixels, pixel, pixel_size);
+                         pixels += pixel_size;
+-- 
+2.39.5
+
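Review bot: The clamp is written as (i + count) <= pixels_num, which computes the sum before comparing; the equivalent count <= pixels_num - i cannot overflow and makes the precondition i <= pixels_num visible. An overshooting packet is also truncated without any log message, so a SAIL_LOG_ERROR or a returned error would help anyone diagnosing a malformed file.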
diff -Nru sail-0.9.8/debian/patches/series sail-0.9.8/debian/patches/series
--- sail-0.9.8/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ sail-0.9.8/debian/patches/series	2025-09-03 18:39:17.000000000 +0100
@@ -0,0 +1,8 @@
+0001-BMP-Fix-possible-buffer-overflow-closes-223.patch
+0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch
+0001-PCX-Fix-possible-buffer-overflow-closes-225.patch
+0001-SAIL-Fix-memory-leak-on-error.patch
+0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch
+0001-PSD-Fix-possible-buffer-overflow-closes-227.patch
+0001-TGA-Fix-possible-buffer-overflow-closes-228.patch
+0001-BMP-Fix-possible-buffer-overflow-closes-229.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's
13.2 trixie point release.

Regards,

Adam

--- End Message ---
