Dear maintainer,

I've prepared an NMU for giflib (versioned as 5.1.2-0.4) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.
Regards.
diff -Nru giflib-5.1.2/debian/changelog giflib-5.1.2/debian/changelog
--- giflib-5.1.2/debian/changelog       2016-04-15 19:12:41.000000000 +0200
+++ giflib-5.1.2/debian/changelog       2016-04-15 23:26:43.000000000 +0200
@@ -1,3 +1,14 @@
+giflib (5.1.2-0.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch:
+    - fix CVE-2016-3977 (Closes: #820526)
+  * debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch:
+    - fix upstream bug #82 (out of bounds read and write issues)
+      (Closes: #820594)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Fri, 15 Apr 2016 
23:23:36 +0200
+
giflib (5.1.2-0.3) unstable; urgency=medium

* Non-maintainer upload.

diff -Nru 
giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch 
giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch
--- giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch  
1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch  
2016-04-15 23:33:54.000000000 +0200
@@ -0,0 +1,14 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -376,6 +376,11 @@
+           PrintGifError(Error);
+           exit(EXIT_FAILURE);
+       }
++    }
++
++    if (GifFile->SHeight == 0) {
++      fprintf(stderr, "Image of height 0\n");
++      exit(EXIT_FAILURE);
+     }
+
+     /*
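Review bot: This patch file has no header, and the 5.1.2-0.4 changelog entry does not list it, although debian/patches/series adds it and 4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch only applies on top of it (that patch rewrites the `SHeight == 0` test introduced here). A DEP-3 style header, for example `Description: gif2rgb: reject images with zero height` with an `Origin:` line naming the upstream commit, plus a changelog line for this file, would make the `Closes: #820594` claim traceable. The same applies to the 4cc68b31 patch, which is also header-less. Both checks sit in util/gif2rgb.c, so as far as this debdiff shows they guard the gif2rgb tool only, not other programs that read `SWidth`/`SHeight` from the library. The enclosing function starts and ends outside the hunk, and the attached copy of the debdiff further down repeats these hunks unchanged.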
diff -Nru 
giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch 
giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
--- giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch  
1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch  
2016-04-15 23:27:09.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -378,8 +378,8 @@
+       }
+     }
+
+-    if (GifFile->SHeight == 0) {
+-      fprintf(stderr, "Image of height 0\n");
++    if (GifFile->SHeight == 0 || GifFile->SWidth == 0) {
++      fprintf(stderr, "Image of width or height 0\n");
+       exit(EXIT_FAILURE);
+     }
+
diff -Nru 
giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch 
giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
--- giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch  
1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch  
2016-04-15 23:34:14.000000000 +0200
@@ -0,0 +1,69 @@
+Index: giflib-5.1.2/NEWS
+===================================================================
+--- giflib-5.1.2.orig/NEWS
++++ giflib-5.1.2/NEWS
+@@ -1,5 +1,13 @@
+                       GIFLIB NEWS
+
++Repository head
++===============
++
++Code Fixes
++----------
++
++* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).

++
+ Version 5.1.2
+ =============
+
+Index: giflib-5.1.2/lib/dgif_lib.c
+===================================================================
+--- giflib-5.1.2.orig/lib/dgif_lib.c
++++ giflib-5.1.2/lib/dgif_lib.c
+@@ -288,6 +288,11 @@
+         GifFile->SColorMap = NULL;
+     }
+
++    /*
++     * No check here for whether the background color is in range for the
++     * screen color map.  Possibly there should be.
++     */
++
+     return GIF_OK;
+ }
+
+Index: giflib-5.1.2/util/gif2rgb.c
+===================================================================
+--- giflib-5.1.2.orig/util/gif2rgb.c
++++ giflib-5.1.2/util/gif2rgb.c
+@@ -15,7 +15,7 @@
+
+ I (ESR) took this off the main to-do list in 2012 because I don't think
+ the GIFLIB project actually needs to be in the converters-and-tools business.
+-Plenty of hackers do that; our jub is to supply stable library capability
++Plenty of hackers do that; our job is to supply stable library capability
+ with our utilities mainly interesting as test tools.
+
+ ***************************************************************************/
+@@ -467,7 +467,7 @@
+               break;
+       }
+     } while (RecordType != TERMINATE_RECORD_TYPE);
+-
++
+     /* Lets dump it - set the global variables required and do it: */
+     ColorMap = (GifFile->Image.ColorMap
+               ? GifFile->Image.ColorMap
+@@ -477,6 +477,12 @@
+         exit(EXIT_FAILURE);
+     }
+
++    /* check that the background color isn't garbage (SF bug #87) */
++    if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >= 
ColorMap->ColorCount) {
++        fprintf(stderr, "Background color out of range for colormap\n");
++        exit(EXIT_FAILURE);
++    }
++
+     DumpScreen2RGB(OutFileName, OneFileFlag,

+                  ColorMap,
+                  ScreenBuffer,
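Review bot: The range check on `SBackGroundColor` is added only in util/gif2rgb.c, while the comment this same patch adds to lib/dgif_lib.c says the library still does not validate the value. As far as the debdiff shows, other packages that link libgif and index a colormap with the background color are therefore not covered by this upload. State that scope in a patch header and in the changelog, e.g. `Description: gif2rgb: reject out-of-range background color (CVE-2016-3977); libgif itself does not validate SBackGroundColor`. The patch also carries unrelated changes (the NEWS entry, the `jub`/`job` comment typo, and a whitespace-only line at -467 that introduces trailing spaces) which could be dropped to keep the NMU minimal. The enclosing functions start and end outside the hunks.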
diff -Nru giflib-5.1.2/debian/patches/series giflib-5.1.2/debian/patches/series
--- giflib-5.1.2/debian/patches/series  2016-04-15 19:09:44.000000000 +0200
+++ giflib-5.1.2/debian/patches/series  2016-04-15 23:33:08.000000000 +0200
@@ -2,3 +2,6 @@
#04-fprintf_format_error.patch
issue81.diff
ef0cb9b4be572262b49fbc26fb2348683f44a517.patch
+ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
+259ba23dfaf5e55db5c64cc07849905757519e36.patch
+4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch



G.
diff -Nru giflib-5.1.2/debian/changelog giflib-5.1.2/debian/changelog
--- giflib-5.1.2/debian/changelog	2016-04-15 19:12:41.000000000 +0200
+++ giflib-5.1.2/debian/changelog	2016-04-15 23:26:43.000000000 +0200
@@ -1,3 +1,14 @@
+giflib (5.1.2-0.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch:
+    - fix CVE-2016-3977 (Closes: #820526)
+  * debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch:
+    - fix upstream bug #82 (out of bounds read and write issues)
+      (Closes: #820594)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Fri, 15 Apr 2016 23:23:36 +0200
+
 giflib (5.1.2-0.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch
--- giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch	1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/259ba23dfaf5e55db5c64cc07849905757519e36.patch	2016-04-15 23:33:54.000000000 +0200
@@ -0,0 +1,14 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -376,6 +376,11 @@
+ 	    PrintGifError(Error);
+ 	    exit(EXIT_FAILURE);
+ 	}
++    }
++
++    if (GifFile->SHeight == 0) {
++	fprintf(stderr, "Image of height 0\n");
++	exit(EXIT_FAILURE);
+     }
+ 
+     /* 
diff -Nru giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
--- giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch	1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch	2016-04-15 23:27:09.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/util/gif2rgb.c
++++ b/util/gif2rgb.c
+@@ -378,8 +378,8 @@
+ 	}
+     }
+ 
+-    if (GifFile->SHeight == 0) {
+-	fprintf(stderr, "Image of height 0\n");
++    if (GifFile->SHeight == 0 || GifFile->SWidth == 0) {
++	fprintf(stderr, "Image of width or height 0\n");
+ 	exit(EXIT_FAILURE);
+     }
+ 
diff -Nru giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
--- giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch	1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.1.2/debian/patches/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch	2016-04-15 23:34:14.000000000 +0200
@@ -0,0 +1,69 @@
+Index: giflib-5.1.2/NEWS
+===================================================================
+--- giflib-5.1.2.orig/NEWS
++++ giflib-5.1.2/NEWS
+@@ -1,5 +1,13 @@
+ 			GIFLIB NEWS
+ 
++Repository head
++===============
++
++Code Fixes
++----------
++
++* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).
++
+ Version 5.1.2
+ =============
+ 
+Index: giflib-5.1.2/lib/dgif_lib.c
+===================================================================
+--- giflib-5.1.2.orig/lib/dgif_lib.c
++++ giflib-5.1.2/lib/dgif_lib.c
+@@ -288,6 +288,11 @@
+         GifFile->SColorMap = NULL;
+     }
+ 
++    /*
++     * No check here for whether the background color is in range for the
++     * screen color map.  Possibly there should be.
++     */
++    
+     return GIF_OK;
+ }
+ 
+Index: giflib-5.1.2/util/gif2rgb.c
+===================================================================
+--- giflib-5.1.2.orig/util/gif2rgb.c
++++ giflib-5.1.2/util/gif2rgb.c
+@@ -15,7 +15,7 @@
+ 
+ I (ESR) took this off the main to-do list in 2012 because I don't think
+ the GIFLIB project actually needs to be in the converters-and-tools business.
+-Plenty of hackers do that; our jub is to supply stable library capability
++Plenty of hackers do that; our job is to supply stable library capability
+ with our utilities mainly interesting as test tools.
+ 
+ ***************************************************************************/
+@@ -467,7 +467,7 @@
+ 		break;
+ 	}
+     } while (RecordType != TERMINATE_RECORD_TYPE);
+-
++    
+     /* Lets dump it - set the global variables required and do it: */
+     ColorMap = (GifFile->Image.ColorMap
+ 		? GifFile->Image.ColorMap
+@@ -477,6 +477,12 @@
+         exit(EXIT_FAILURE);
+     }
+ 
++    /* check that the background color isn't garbage (SF bug #87) */
++    if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >= ColorMap->ColorCount) {
++        fprintf(stderr, "Background color out of range for colormap\n");
++        exit(EXIT_FAILURE);
++    }
++
+     DumpScreen2RGB(OutFileName, OneFileFlag,
+ 		   ColorMap,
+ 		   ScreenBuffer, 
diff -Nru giflib-5.1.2/debian/patches/series giflib-5.1.2/debian/patches/series
--- giflib-5.1.2/debian/patches/series	2016-04-15 19:09:44.000000000 +0200
+++ giflib-5.1.2/debian/patches/series	2016-04-15 23:33:08.000000000 +0200
@@ -2,3 +2,6 @@
 #04-fprintf_format_error.patch
 issue81.diff
 ef0cb9b4be572262b49fbc26fb2348683f44a517.patch
+ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88.patch
+259ba23dfaf5e55db5c64cc07849905757519e36.patch
+4cc68b315ff9a378aef6664e1be6b2144ad4a5e6.patch
