Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695, CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699, CVE-2016-8700, CVE-2016-8701, CVE-2016-8702, CVE-2016-8703. Please find the attached debdiff. - -- Cheers, Andrew -----BEGIN PGP SIGNATURE----- iQExBAEBCAAbBQJYDyGDFBxhbmRyZXdzaEBkZWJpYW4ub3JnAAoJEJ1bI/kYT6UU dKUH/iQWfyPMdenlZQriv65nCzANS7qmg7Yav+06HuLIbH1MDxiQ5ZNVWuiYOjG2 ZYI90szkknb6936nx2QbMelC8oYZSbOTnMsxauR/3wTXjd71XhU4uPnNtsVgYglu ZlJ0tn3aWC2PW/ZxC6rHnsP5BOcin5PynMLLPxI/yZ36855gmedJuJxI27sEeXWx 6NU8wiEVuSnieBipy1Lim9G7TLPfe9GugabtYRLJAgDsbTQ8lxZFQWXe9loVZjB/ meZ1fB96f748KbBPCZW3W3CWDVHaavwCfpsh0XpiSb4B3uKc0q0UxVR21ZcG0/iR K66NT4jeZMM9thHDHXJVaZfIlS4= =y46j -----END PGP SIGNATURE-----
diff -Nru potrace-1.12/debian/changelog potrace-1.12/debian/changelog
--- potrace-1.12/debian/changelog 2015-04-12 14:15:25.000000000 +0200
+++ potrace-1.12/debian/changelog 2016-10-25 11:04:34.000000000 +0200
@@ -1,3 +1,13 @@
+potrace (1.12-1+deb8u1) jessie; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2016-8694, CVE-2016-8695, CVE-2016-8696,
+ CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
+ CVE-2016-8700, CVE-2016-8701, CVE-2016-8702,
+ CVE-2016-8703.
+
+ -- Andrew Shadura <andre...@debian.org> Tue, 25 Oct 2016 11:04:34 +0200
+
 potrace (1.12-1) unstable; urgency=high
 
 * New upstream version.
diff -Nru potrace-1.12/debian/patches/CVE-2016-8694.patch potrace-1.12/debian/patches/CVE-2016-8694.patch
--- potrace-1.12/debian/patches/CVE-2016-8694.patch 1970-01-01 01:00:00.000000000 +0100
+++ potrace-1.12/debian/patches/CVE-2016-8694.patch 2016-10-25 11:04:08.000000000 +0200
@@ -0,0 +1,206 @@
+Author: Peter Selinger <selin...@mathstat.dal.ca>
+Description: Fix CVE-2016-8694.
+Origin: upstream
+
+--- a/src/bitmap.h
++++ b/src/bitmap.h
+@@ -8,6 +8,7 @@
+ #include <string.h>
+ #include <stdlib.h>
+ #include <errno.h>
++#include <stddef.h>
+
+ /* The bitmap type is defined in potracelib.h */
+ #include "potracelib.h"
+@@ -28,7 +29,7 @@
+ /* macros for accessing pixel at index (x,y). U* macros omit the
+ bounds check. */
+
+-#define bm_scanline(bm, y) ((bm)->map + (ssize_t)(y)*(ssize_t)(bm)->dy)
++#define bm_scanline(bm, y) ((bm)->map + (ptrdiff_t)(y)*(ptrdiff_t)(bm)->dy)
+ #define bm_index(bm, x, y) (&bm_scanline(bm, y)[(x)/BM_WORDBITS])
+ #define bm_mask(x) (BM_HIBIT >> ((x) & (BM_WORDBITS-1)))
+ #define bm_range(x, a) ((int)(x) >= 0 && (int)(x) < (a))
+@@ -57,10 +58,10 @@
+ static inline potrace_bitmap_t *bm_new(int w, int h) {
+ potrace_bitmap_t *bm;
+ int dy = w == 0 ? 0 : (w - 1) / BM_WORDBITS + 1;
+- ssize_t size = (ssize_t)dy * (ssize_t)h * (ssize_t)BM_WORDSIZE;
++ ptrdiff_t size = (ptrdiff_t)dy * (ptrdiff_t)h * (ptrdiff_t)BM_WORDSIZE;
+
+ /* check for overflow error */
+- if (size < 0 || size / h / dy != BM_WORDSIZE) {
++ if (size < 0 || (h != 0 && dy != 0 && size / h / dy != BM_WORDSIZE)) {
+ errno = ENOMEM;
+ return NULL;
+ }
+@@ -83,15 +84,15 @@
+ /* clear the given bitmap. Set all bits to c. */
+ static inline void bm_clear(potrace_bitmap_t *bm, int c) {
+ /* Note: if the bitmap was created with bm_new, then it is
+- guaranteed that size will fit into the ssize_t type. */
+- ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h * (ssize_t)BM_WORDSIZE;
++ guaranteed that size will fit into the ptrdiff_t type. */
++ ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h * (ptrdiff_t)BM_WORDSIZE;
+ memset(bm->map, c ? -1 : 0, size);
+ }
+
+ /* duplicate the given bitmap. Return NULL on error with errno set. */
+ static inline potrace_bitmap_t *bm_dup(const potrace_bitmap_t *bm) {
+ potrace_bitmap_t *bm1 = bm_new(bm->w, bm->h);
+- ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h * (ssize_t)BM_WORDSIZE;
++ ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h * (ptrdiff_t)BM_WORDSIZE;
+ if (!bm1) {
+ return NULL;
+ }
+@@ -101,8 +102,8 @@
+
+ /* invert the given bitmap. */
+ static inline void bm_invert(potrace_bitmap_t *bm) {
+- ssize_t i;
+- ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h;
++ ptrdiff_t i;
++ ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h;
+
+ for (i = 0; i < size; i++) {
+ bm->map[i] ^= BM_ALLBITS;
+--- a/src/bitmap_io.c
++++ b/src/bitmap_io.c
+@@ -4,7 +4,6 @@
+
+
+ /* Routines for manipulating bitmaps, including reading pbm files. */
+-
+ #include <stdio.h>
+
+ #include "bitmap.h"
+@@ -424,6 +423,9 @@
+ /* correct y-coordinate for top-down format */
+ #define ycorr(y) (bmpinfo.topdown ? bmpinfo.h-1-y : y)
+
++/* safe colortable access */
++#define COLTABLE(c) ((c) < bmpinfo.ncolors ? coltable[(c)] : 0)
++
+ /* read BMP stream after magic number. Return values as for bm_read.
+ We choose to be as permissive as possible, since there are many
+ programs out there which produce BMP. For instance, ppmtobmp can
+@@ -509,6 +511,10 @@
+ goto format_error;
+ }
+
++ if (bmpinfo.comp > 3 || bmpinfo.bits > 32) {
++ goto format_error;
++ }
++
+ /* forward to color table (e.g., if bmpinfo.InfoSize == 64) */
+ TRY(bmp_forward(f, 14+bmpinfo.InfoSize));
+
+@@ -598,7 +604,7 @@
+ b = bitbuf >> (INTBITS - bmpinfo.bits);
+ bitbuf <<= bmpinfo.bits;
+ n -= bmpinfo.bits;
+- BM_UPUT(bm, x, ycorr(y), coltable[b]);
++ BM_UPUT(bm, x, ycorr(y), COLTABLE(b));
+ }
+ TRY(bmp_pad(f));
+ }
+@@ -643,13 +649,14 @@
+ case 0x204: /* 4-bit runlength compressed encoding (RLE4) */
+ x = 0;
+ y = 0;
++
+ while (1) {
+ TRY_EOF(bmp_readint(f, 1, &b)); /* opcode */
+ TRY_EOF(bmp_readint(f, 1, &c)); /* argument */
+ if (b>0) {
+ /* repeat count */
+- col[0] = coltable[(c>>4) & 0xf];
+- col[1] = coltable[c & 0xf];
++ col[0] = COLTABLE((c>>4) & 0xf);
++ col[1] = COLTABLE(c & 0xf);
+ for (i=0; i<b && x<bmpinfo.w; i++) {
+ if (x>=bmpinfo.w) {
+ x=0;
+@@ -687,7 +694,7 @@
+ if (y>=bmpinfo.h) {
+ break;
+ }
+- BM_PUT(bm, x, ycorr(y), coltable[(b>>(4-4*(i&1))) & 0xf]);
++ BM_PUT(bm, x, ycorr(y), COLTABLE((b>>(4-4*(i&1))) & 0xf));
+ x++;
+ }
+ if ((c+1) & 2) {
+@@ -714,7 +721,7 @@
+ if (y>=bmpinfo.h) {
+ break;
+ }
+- BM_UPUT(bm, x, ycorr(y), coltable[c]);
++ BM_UPUT(bm, x, ycorr(y), COLTABLE(c));
+ x++;
+ }
+ } else if (c == 0) {
+@@ -741,7 +748,7 @@
+ if (y>=bmpinfo.h) {
+ break;
+ }
+- BM_PUT(bm, x, ycorr(y), coltable[b]);
++ BM_PUT(bm, x, ycorr(y), COLTABLE(b));
+ x++;
+ }
+ if (c & 1) {
+@@ -770,7 +777,7 @@
+ format_error:
+ try_error:
+ free(coltable);
+- free(bm);
++ bm_free(bm);
+ if (!bm_read_error) {
+ bm_read_error = "invalid bmp file";
+ }
+@@ -778,7 +785,7 @@
+
+ std_error:
+ free(coltable);
+- free(bm);
++ bm_free(bm);
+ return -1;
+ }
+
+--- a/src/greymap.c
++++ b/src/greymap.c
+@@ -10,6 +10,7 @@
+ #include <string.h>
+ #include <math.h>
+ #include <errno.h>
++#include <stddef.h>
+
+ #include "greymap.h"
+ #include "bitops.h"
+@@ -28,7 +29,7 @@
+ Assumes w, h >= 0. */
+ greymap_t *gm_new(int w, int h) {
+ greymap_t *gm;
+- ssize_t size = (ssize_t)w * (ssize_t)h * (ssize_t)sizeof(signed short int);
++ ptrdiff_t size = (ptrdiff_t)w * (ptrdiff_t)h * (ptrdiff_t)sizeof(signed short int);
+
+ /* check for overflow error */
+ if (size < 0 || size / w / h != sizeof(signed short int)) {
+--- a/src/greymap.h
++++ b/src/greymap.h
+@@ -8,6 +8,7 @@
+
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stddef.h>
+
+ /* internal format for greymaps. Note: in this format, rows are
+ ordered from bottom to top. The pixels in each row are given from
+@@ -23,7 +24,7 @@
+ /* macros for accessing pixel at index (x,y). Note that the origin is
+ in the *lower* left corner. U* macros omit the bounds check. */
+
+-#define gm_index(gm, x, y) (&(gm)->map[(x)+(y)*(ssize_t)(gm)->w])
++#define gm_index(gm, x, y) (&(gm)->map[(x)+(y)*(ptrdiff_t)(gm)->w])
+ #define gm_safe(gm, x, y) ((int)(x)>=0 && (int)(x)<(gm)->w && (int)(y)>=0 && (int)(y)<(gm)->h)
+ #define gm_bound(x, m) ((x)<0 ? 0 : (x)>=(m) ? (m)-1 : (x))
+ #define GM_UGET(gm, x, y) (*gm_index(gm, x, y))
diff -Nru potrace-1.12/debian/patches/series potrace-1.12/debian/patches/series
--- potrace-1.12/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ potrace-1.12/debian/patches/series 2016-10-25 11:03:56.000000000 +0200
@@ -0,0 +1 @@
+CVE-2016-8694.patch
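Review bot: `gm_new` in src/greymap.c still divides by `w` and `h` in its overflow check (`size / w / h != sizeof(signed short int)`), which the patch leaves as an unchanged context line even though the function's own comment allows `w, h >= 0`, so a zero-width or zero-height image would divide by zero there. The same patch already guards the equivalent check in `bm_new`, and the greymap check should get the matching guard: `if (size < 0 || (w != 0 && h != 0 && size / w / h != sizeof(signed short int))) {`. The body of `gm_new` continues past the end of the hunk, so what follows the check is not visible here. Separately, the patch header's `Description:` names only CVE-2016-8694 while the changelog attributes ten CVEs to this single patch; listing all of them in the header would keep the patch traceable to each advisory.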