Hi Markus,

On Wed, Feb 10, 2021 at 12:27:38AM +0100, Markus Koschany wrote:
> Control: tags -1 patch pending
>
> Dear maintainer,
>
> I've prepared an NMU for xcftools versioned as 1.0.7-6.1 and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.
>
> Regards,
>
> Markus
> diff -Nru xcftools-1.0.7/debian/changelog xcftools-1.0.7/debian/changelog > --- xcftools-1.0.7/debian/changelog 2016-05-18 12:34:05.000000000 +0200 > +++ xcftools-1.0.7/debian/changelog 2021-02-09 23:15:22.000000000 +0100 > @@ -1,3 +1,16 @@ > +xcftools (1.0.7-6.1) unstable; urgency=high > + > + * Non-maintainer upload by the LTS team. > + * Fix CVE-2019-5086 and CVE-2019-5087: > + An exploitable integer overflow vulnerability exists in the > + flattenIncrementally function in the xcf2png and xcf2pnm binaries of > + xcftools. An integer overflow can occur while walking through tiles that > + could be exploited to corrupt memory and execute arbitrary code. In order > + to trigger this vulnerability, a victim would need to open a specially > + crafted XCF file. > + > + -- Markus Koschany <a...@debian.org> Tue, 9 Feb 2021 23:15:22 +0100 > + > xcftools (1.0.7-6) unstable; urgency=medium > > * Team upload (collab-maint) > diff -Nru xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch > xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch > --- xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch > 2021-02-09 23:15:22.000000000 +0100 
> @@ -0,0 +1,60 @@ > +From: Markus Koschany <a...@debian.org> > +Date: Mon, 8 Feb 2021 17:57:56 +0100 > +Subject: CVE-2019-5086 and CVE-2019-5087 > + > +Patch by Anton Gladky. > + > +Bug-Debian: https://bugs.debian.org/945317 > +Origin: https://github.com/j-jorge/xcftools/pull/15 > +--- > + xcf-general.c | 16 ++++++++++++++++ > + xcftools.h | 2 +- > + 2 files changed, 17 insertions(+), 1 deletion(-) > + > +diff --git a/xcf-general.c b/xcf-general.c > +index 9d0b4dc..50be927 100644 > +--- a/xcf-general.c > ++++ b/xcf-general.c > +@@ -19,6 +19,7 @@ > + #include "xcftools.h" > + #include <string.h> > + #include <errno.h> > ++#include <limits.h> > + #ifdef HAVE_ICONV > + # include <iconv.h> > + #elif !defined(ICONV_CONST) > +@@ -182,6 +183,21 @@ xcfString(uint32_t ptr,uint32_t *after) > + void > + computeDimensions(struct tileDimensions *d) > + { > ++ // [ CVE-2019-5086 and CVE-2019-5087 ] > ++ // This part of code is the check to prevent integer overflow, see > CVE-2019-5086 and CVE-2019-5087 > ++ > ++ if ((d->c.l + d->width)*4 > INT_MAX) { > ++ fprintf(stderr,("Width is too large (%d)! Stopping execution...\n"), > (d->c.l + d->width)); > ++ exit(0); > ++ } > ++ > ++ if ((d->c.t + d->height)*4 > INT_MAX) { > ++ fprintf(stderr,("Height is too large (%d)! 
Stopping execution...\n"), > (d->c.t + d->height)); > ++ exit(0); > ++ } > ++ > ++ // [ CVE-2019-5086 and CVE-2019-5087 ] > ++ > + d->c.r = d->c.l + d->width ; > + d->c.b = d->c.t + d->height ; > + d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ; > +diff --git a/xcftools.h b/xcftools.h > +index e05637a..26d1a23 100644 > +--- a/xcftools.h > ++++ b/xcftools.h > +@@ -121,7 +121,7 @@ FILE* openout(const char*); > + void closeout(FILE *,const char*); > + > + struct rect { > +- int t, b, l, r ; > ++ int64_t t, b, l, r ; > + }; > + > + #define isSubrect(A,B) \ > diff -Nru xcftools-1.0.7/debian/patches/series > xcftools-1.0.7/debian/patches/series > --- xcftools-1.0.7/debian/patches/series 2016-05-18 12:27:32.000000000 > +0200 > +++ xcftools-1.0.7/debian/patches/series 2021-02-09 23:15:22.000000000 > +0100 > @@ -4,3 +4,4 @@ > fix-as-needed-linking > libpng16.patch > fix-test-UTF8.patch > +CVE-2019-5086-and-CVE-2019-5087.patch

Question back on this. Is it confirmed that it fixes both CVE-2019-5086 (TALOS-2019-0878, https://github.com/j-jorge/xcftools/issues/12) and CVE-2019-5087 (TALOS-2019-0879, https://github.com/j-jorge/xcftools/issues/13), which were slightly different issues? Unfortunately upstream itself is at best dormant. There was a lot of discussion back then, basically just around CVE-2019-5086 but not covering CVE-2019-5087, involving Brian May and a patch from Anton. Hugo, Brian, Anton: does the final patch you were aiming for and posted address both issues? Did any of you get some feedback from Talos because of TALOS-2019-0878 and TALOS-2019-0879?

Regards,
Salvatore
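Review bot: In the computeDimensions hunk of xcf-general.c, both fprintf calls print `(d->c.l + d->width)` and `(d->c.t + d->height)` with `%d`, but once the xcftools.h hunk widens `struct rect` to `int64_t` those expressions are 64-bit values, so format and argument no longer match (undefined behaviour, and a meaningless number in the diagnostic on targets where int is 32-bit); use `%" PRId64 "` from <inttypes.h> or cast to an explicitly wide type. Second, `exit(0)` on the rejected-file path reports success to the caller, so a script driving xcf2png/xcf2pnm cannot tell a refused crafted file from a converted one; a malformed-input bail-out should exit non-zero. Third, the two checks bound the sums only from above: because the rect fields are signed, a large negative `c.l` or `c.t` passes `> INT_MAX` untouched and reaches `d->c.r = d->c.l + d->width ;` below, so the patch description should say whether that case is handled elsewhere or add the lower bound here. Style nit: the redundant parentheses around the format strings (`("Width is too large ...")`) look like a leftover from a removed wrapper and can go.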
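Review bot: The xcftools.h hunk that changes `struct rect` from `int` to `int64_t` is what makes the new `(d->c.l + d->width)*4 > INT_MAX` comparison meaningful (with 32-bit fields the product could wrap before the comparison ran), so the two hunks must ship together; the patch header should say so rather than presenting the header change as incidental. It also changes the type of every `t`/`b`/`l`/`r` use in the tree, not just the one in computeDimensions: any other site that stores a rect member into an `int` or formats it with `%d` now truncates silently, and the upload should note that those call sites were checked (the `isSubrect` macro visible at the end of the hunk is one consumer).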