Control: tags -1 patch pending

Dear maintainer,

I've prepared an NMU for xcftools versioned as 1.0.7-6.1 and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,

Markus
diff -Nru xcftools-1.0.7/debian/changelog xcftools-1.0.7/debian/changelog
--- xcftools-1.0.7/debian/changelog	2016-05-18 12:34:05.000000000 +0200
+++ xcftools-1.0.7/debian/changelog	2021-02-09 23:15:22.000000000 +0100
@@ -1,3 +1,16 @@
+xcftools (1.0.7-6.1) unstable; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2019-5086 and CVE-2019-5087:
+    An exploitable integer overflow vulnerability exists in the
+    flattenIncrementally function in the xcf2png and xcf2pnm binaries of
+    xcftools. An integer overflow can occur while walking through tiles that
+    could be exploited to corrupt memory and execute arbitrary code. In order
+    to trigger this vulnerability, a victim would need to open a specially
+    crafted XCF file.
+
+ -- Markus Koschany <a...@debian.org>  Tue, 9 Feb 2021 23:15:22 +0100
+
 xcftools (1.0.7-6) unstable; urgency=medium
 
   * Team upload (collab-maint)
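Review bot: The new 1.0.7-6.1 changelog entry does not close the bug that the patch header lists as Bug-Debian (https://bugs.debian.org/945317). If this upload is meant to resolve that report, add "(Closes: #945317)" to the "Fix CVE-2019-5086 and CVE-2019-5087" item so the BTS records the fixed version.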
diff -Nru xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch
--- xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch	1970-01-01 01:00:00.000000000 +0100
+++ xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch	2021-02-09 23:15:22.000000000 +0100
@@ -0,0 +1,60 @@
+From: Markus Koschany <a...@debian.org>
+Date: Mon, 8 Feb 2021 17:57:56 +0100
+Subject: CVE-2019-5086 and CVE-2019-5087
+
+Patch by Anton Gladky.
+
+Bug-Debian: https://bugs.debian.org/945317
+Origin: https://github.com/j-jorge/xcftools/pull/15
+---
+ xcf-general.c | 16 ++++++++++++++++
+ xcftools.h    |  2 +-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/xcf-general.c b/xcf-general.c
+index 9d0b4dc..50be927 100644
+--- a/xcf-general.c
++++ b/xcf-general.c
+@@ -19,6 +19,7 @@
+ #include "xcftools.h"
+ #include <string.h>
+ #include <errno.h>
++#include <limits.h>
+ #ifdef HAVE_ICONV
+ # include <iconv.h>
+ #elif !defined(ICONV_CONST)
+@@ -182,6 +183,21 @@ xcfString(uint32_t ptr,uint32_t *after)
+ void
+ computeDimensions(struct tileDimensions *d)
+ {
++  // [ CVE-2019-5086 and CVE-2019-5087 ]
++  // This part of code is the check to prevent integer overflow, see CVE-2019-5086 and CVE-2019-5087
++
++  if ((d->c.l + d->width)*4 > INT_MAX) {
++    fprintf(stderr,("Width is too large (%d)! Stopping execution...\n"), (d->c.l + d->width));
++    exit(0);
++  }
++
++  if ((d->c.t + d->height)*4 > INT_MAX) {
++    fprintf(stderr,("Height is too large (%d)! Stopping execution...\n"), (d->c.t + d->height));
++    exit(0);
++  }
++
++  // [ CVE-2019-5086 and CVE-2019-5087 ]
++
+   d->c.r = d->c.l + d->width ;
+   d->c.b = d->c.t + d->height ;
+   d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ;
+diff --git a/xcftools.h b/xcftools.h
+index e05637a..26d1a23 100644
+--- a/xcftools.h
++++ b/xcftools.h
+@@ -121,7 +121,7 @@ FILE* openout(const char*);
+ void closeout(FILE *,const char*);
+ 
+ struct rect {
+-  int t, b, l, r ;
++  int64_t t, b, l, r ;
+ };
+ 
+ #define isSubrect(A,B) \
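Review bot: In computeDimensions, both new guards call exit(0) after printing the error, so a rejected XCF file still reports success to the calling shell or script; exit with a non-zero status instead. In the same guards, the fprintf arguments (d->c.l + d->width) and (d->c.t + d->height) become int64_t once struct rect is widened in xcftools.h, yet the format strings use %d; use PRId64 from <inttypes.h> or cast the argument to match. The comparison against INT_MAX is only overflow-free because of that widening, so a comment next to the check should say so and also explain what the factor 4 stands for. Neither guard rejects a negative sum, which is worth confirming as intended.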
diff -Nru xcftools-1.0.7/debian/patches/series xcftools-1.0.7/debian/patches/series
--- xcftools-1.0.7/debian/patches/series	2016-05-18 12:27:32.000000000 +0200
+++ xcftools-1.0.7/debian/patches/series	2021-02-09 23:15:22.000000000 +0100
@@ -4,3 +4,4 @@
 fix-as-needed-linking
 libpng16.patch
 fix-test-UTF8.patch
+CVE-2019-5086-and-CVE-2019-5087.patch
