Hi,

On Sat, Mar 22, 2025 at 11:08:18AM -0300, Carlos Henrique Lima Melara wrote:
> I'm planning to fix [CVE-2025-27795] and [CVE-2025-27796] for Debian LTS
> (disclaimer: it's a pro-bono upload as part of onboarding in Freexian's
> LTS team) and I saw they also affect bookworm. Therefore I'd be more
> than happy to help fix them in our current stable release.
Turns out CVE-2025-27795 and CVE-2025-27796 don't affect bullseye. CVE-2025-27796 also doesn't affect bookworm, but CVE-2025-27795 does, so I prepared the fix and attached the debdiff against the current version in bookworm. I didn't know whether it's going to go via the security team or proposed-updates, so I picked one, but I can change it on request.

I also tested it in bookworm to see if it fixed the vulnerability, and it indeed refuses to allocate resources for a very big JPEG XL file (attached an example from upstream).

Cheers,
Charles
diff -Nru graphicsmagick-1.4+really1.3.40/debian/changelog graphicsmagick-1.4+really1.3.40/debian/changelog --- graphicsmagick-1.4+really1.3.40/debian/changelog 2023-04-17 14:17:10.000000000 -0300 +++ graphicsmagick-1.4+really1.3.40/debian/changelog 2025-03-31 21:25:25.000000000 -0300 @@ -1,3 +1,11 @@ +graphicsmagick (1.4+really1.3.40-4+deb12u1) bookworm-security; urgency=medium + + * Non-maintainer upload by the Security Team. + * d/p/CVE-2025-27795.patch: fix CVE-2025-27795 by adding image dimension + resource limits. (Closes: #1099955) + + -- Carlos Henrique Lima Melara <charlesmel...@riseup.net> Mon, 31 Mar 2025 21:25:25 -0300 + graphicsmagick (1.4+really1.3.40-4) unstable; urgency=medium * Remove development ifdef from memory leak fix. diff -Nru graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-27795.patch graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-27795.patch --- graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-27795.patch 1969-12-31 21:00:00.000000000 -0300 +++ graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-27795.patch 2025-03-31 21:25:25.000000000 -0300 
@@ -0,0 +1,38 @@ +From: Bob Friesenhahn <bfrie...@graphicsmagick.org> +Date: Mon, 9 Sep 2024 08:01:43 -0500 +Subject: ReadJXLImage(): Apply image dimension resource limits. Addresses + oss-fuzz Issue 69728 + +Backported to Debian by Carlos Henrique Lima Melara <char...@debian.org> + +Changes: + - Drop changes to changelog and version files. +Origin: upstream, https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/9bbae7314e3c3b19b830591010ed90bb136b9c42 +Bug-Debian: https://bugs.debian.org/1099955 +Last-Update: 2025-03-31 +--- + coders/jxl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/coders/jxl.c b/coders/jxl.c +index b8a85fd..8a370fe 100644 +--- a/coders/jxl.c ++++ b/coders/jxl.c +@@ -531,6 +531,7 @@ static Image *ReadJXLImage(const ImageInfo *image_info, + basic_info.alpha_bits, basic_info.num_color_channels, + basic_info.have_animation == JXL_FALSE ? "False" : "True"); + } ++ + if (basic_info.num_extra_channels) + { + size_t index; +@@ -579,6 +580,9 @@ static Image *ReadJXLImage(const ImageInfo *image_info, + + image->orientation=convert_orientation(basic_info.orientation); + ++ if (CheckImagePixelLimits(image, exception) != MagickPass) ++ ThrowJXLReaderException(ResourceLimitError,ImagePixelLimitExceeded,image); ++ + pixel_format.endianness=JXL_NATIVE_ENDIAN; + pixel_format.align=0; + if (basic_info.num_color_channels == 1) diff -Nru graphicsmagick-1.4+really1.3.40/debian/patches/series graphicsmagick-1.4+really1.3.40/debian/patches/series --- graphicsmagick-1.4+really1.3.40/debian/patches/series 2023-04-17 14:17:10.000000000 -0300 +++ graphicsmagick-1.4+really1.3.40/debian/patches/series 2025-03-31 21:25:25.000000000 -0300 @@ -2,3 +2,4 @@ semaphore_O0_ppc64el.patch fix_bounds_issue_when_concatenating_string.patch eliminate_memory_leak_when_handling_EXIFOrientation.patch +CVE-2025-27795.patch
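Review bot: the debian/changelog hunk hard-codes `bookworm-security` and `* Non-maintainer upload by the Security Team.` while the cover mail says the upload route (security team vs. proposed-updates) is still undecided; if it goes through proposed-updates the distribution field must be `bookworm` and the NMU line should not claim a Security Team upload. Settle the route before upload so the entry matches the queue it lands in; the `1.4+really1.3.40-4+deb12u1` version works for either.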
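Review bot: the first coders/jxl.c hunk (`@@ -531,6 +531,7 @@`) adds only a blank line after the `basic_info.have_animation` debug output and is unrelated to the fix; dropping it keeps the backport to the single functional change and is worth a line under `Changes:` in the DEP-3 header, which currently lists only the dropped changelog and version-file edits.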
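Review bot: the `CheckImagePixelLimits(image, exception)` call in the second coders/jxl.c hunk (`@@ -579,6 +580,9 @@`) only protects anything if `image->columns` and `image->rows` have already been filled in from `basic_info` at that point; the context shows `image->orientation=convert_orientation(basic_info.orientation);` but not the dimension assignment, and the patch keeps the upstream `index b8a85fd..8a370fe` line rather than one refreshed against 1.3.40, so please confirm in the bookworm source that the columns/rows assignment sits above this line and that the three-argument `ThrowJXLReaderException(ResourceLimitError,ImagePixelLimitExceeded,image)` form exists there and releases the decoder state, since it now fires after the JxlDecoder has been created.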