Hi,

Attached is a debdiff of the changes I made for 1.6.1-4.1 0-day NMU.

Cheers,
Giuseppe
diff -u openexr-1.6.1/debian/changelog openexr-1.6.1/debian/changelog
--- openexr-1.6.1/debian/changelog
+++ openexr-1.6.1/debian/changelog
@@ -1,3 +1,14 @@
+openexr (1.6.1-4.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fixed CVE-2009-1720: Integer overflows in Imf::PreviewImage::PreviewImage
+    and integer overflows in compressor constructors
+  * Fixed CVE-2009-1721: uninitialized pointers in Imf::hufUncompress
+  * Patch stolen from stable-security, thanks to Cyril Brulebois
+    (Closes: #550424)
+
+ -- Giuseppe Iuculano <iucul...@debian.org>  Wed, 21 Oct 2009 23:54:35 +0200
+
 openexr (1.6.1-4) unstable; urgency=low
 
   * Adopt the package within pkg-phototools (Closes: #494877):
diff -u openexr-1.6.1/debian/patches/series openexr-1.6.1/debian/patches/series
--- openexr-1.6.1/debian/patches/series
+++ openexr-1.6.1/debian/patches/series
@@ -1,0 +2,3 @@
+CVE-2009-1720-1.diff
+CVE-2009-1720-2.diff
+CVE-2009-1721.diff
only in patch2:
unchanged:
--- openexr-1.6.1.orig/debian/patches/CVE-2009-1720-1.diff
+++ openexr-1.6.1/debian/patches/CVE-2009-1720-1.diff
@@ -0,0 +1,22 @@
+Fix integer overflow in Imf::PreviewImage::PreviewImage, CVE-2009-1720 [1/2].
+--- a/IlmImf/ImfPreviewImage.cpp
++++ b/IlmImf/ImfPreviewImage.cpp
+@@ -40,6 +40,7 @@
+ 
//-----------------------------------------------------------------------------
+ 
+ #include <ImfPreviewImage.h>
++#include <climits>
+ #include "Iex.h"
+ 
+ namespace Imf {
+@@ -51,6 +52,10 @@ PreviewImage::PreviewImage (unsigned int
+ {
+     _width = width;
+     _height = height;
++
++    if ((_height && (_width > UINT_MAX / _height)) || (_width * _height > 
UINT_MAX / sizeof(PreviewRgba)))
++        throw Iex::ArgExc ("Invalid height and width.");
++
+     _pixels = new PreviewRgba [_width * _height];
+ 
+     if (pixels)
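Review bot: The added guard in PreviewImage::PreviewImage packs two separate limits into one condition and relies on short-circuit evaluation: `_width * _height` in the second clause is only meaningful because the first clause has already shown the product cannot wrap. That ordering dependency deserves a comment above the `if`, for example `// Reject sizes whose pixel count, or byte count in PreviewRgba units, would wrap before the new[] below.` The message "Invalid height and width." also gives no hint that the rejection is a size limit. The constructor body continues past the end of the hunk, so later uses of the same product are not visible here.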
only in patch2:
unchanged:
--- openexr-1.6.1.orig/debian/patches/CVE-2009-1721.diff
+++ openexr-1.6.1/debian/patches/CVE-2009-1721.diff
@@ -0,0 +1,12 @@
+Fix freeing uninitialized pointers in Imf::hufUncompress, CVE-2009-1721.
+--- a/IlmImf/ImfAutoArray.h
++++ b/IlmImf/ImfAutoArray.h
+@@ -57,7 +57,7 @@ namespace Imf {
+     {
+       public:
+ 
+-       AutoArray (): _data (new T [size]) {}
++       AutoArray (): _data (new T [size]) {memset(_data, 0, size * 
sizeof(T));}
+       ~AutoArray () {delete [] _data;}
+ 
+       operator T * ()                 {return _data;}
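Review bot: `memset` on `_data` in the AutoArray constructor is only well-defined when T is trivially copyable, and AutoArray is a template, so a non-trivial T would have its freshly constructed elements overwritten with zero bytes. No include of `<string.h>` is added in this hunk either, so the header appears to depend on the including file having declared memset first (the header's include section is outside the hunk). Value-initialising the array gives the same zeroed pointers for the hufUncompress case without either dependency: `AutoArray (): _data (new T [size] ()) {}`.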
only in patch2:
unchanged:
--- openexr-1.6.1.orig/debian/patches/CVE-2009-1720-2.diff
+++ openexr-1.6.1/debian/patches/CVE-2009-1720-2.diff
@@ -0,0 +1,81 @@
+Fix integer overflows in compressor constructors, CVE-2009-1720 [2/2].
+--- a/IlmImf/ImfPizCompressor.cpp
++++ b/IlmImf/ImfPizCompressor.cpp
+@@ -53,6 +53,7 @@
+ #include <ImfAutoArray.h>
+ #include <string.h>
+ #include <assert.h>
++#include <climits>
+ 
+ namespace Imf {
+ 
+@@ -181,6 +182,9 @@ PizCompressor::PizCompressor
+     _channels (hdr.channels()),
+     _channelData (0)
+ {
++    if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) 
numScanLines)
++        throw InputExc ("Error: maxScanLineSize * numScanLines would 
overflow.");
++
+     _tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
+     _outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
+ 
+--- a/IlmImf/ImfPxr24Compressor.cpp
++++ b/IlmImf/ImfPxr24Compressor.cpp
+@@ -73,6 +73,7 @@
+ #include <zlib.h>
+ #include <assert.h>
+ #include <algorithm>
++#include <climits>
+ 
+ using namespace std;
+ using namespace Imath;
+@@ -187,6 +188,9 @@ Pxr24Compressor::Pxr24Compressor (const 
+ {
+     int maxInBytes = maxScanLineSize * numScanLines;
+ 
++    if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines)
++        throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would 
overflow.");
++
+     _tmpBuffer = new unsigned char [maxInBytes];
+     _outBuffer = new char [int (ceil (maxInBytes * 1.01)) + 100];
+ 
+--- a/IlmImf/ImfRleCompressor.cpp
++++ b/IlmImf/ImfRleCompressor.cpp
+@@ -41,6 +41,7 @@
+ 
//-----------------------------------------------------------------------------
+ 
+ #include <ImfRleCompressor.h>
++#include <climits>
+ #include "Iex.h"
+ 
+ namespace Imf {
+@@ -164,6 +165,9 @@ RleCompressor::RleCompressor (const Head
+     _tmpBuffer (0),
+     _outBuffer (0)
+ {
++    if ((unsigned) maxScanLineSize > INT_MAX / 3)
++        throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow");
++
+     _tmpBuffer = new char [maxScanLineSize];
+     _outBuffer = new char [maxScanLineSize * 3 / 2];
+ }
+--- a/IlmImf/ImfZipCompressor.cpp
++++ b/IlmImf/ImfZipCompressor.cpp
+@@ -43,6 +43,7 @@
+ #include <ImfZipCompressor.h>
+ #include "Iex.h"
+ #include <zlib.h>
++#include <climits>
+ 
+ namespace Imf {
+ 
+@@ -58,6 +59,9 @@ ZipCompressor::ZipCompressor
+     _tmpBuffer (0),
+     _outBuffer (0)
+ {
++    if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines)
++        throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would 
overflow.");
++
+     _tmpBuffer =
+       new char [maxScanLineSize * numScanLines];
+ 
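Review bot: In the ImfPxr24Compressor.cpp hunk the new check runs after `int maxInBytes = maxScanLineSize * numScanLines;`, so the signed multiplication it is meant to guard has already overflowed by the time the test is evaluated; the `if` should sit above that line. The bound there is also too loose for the next allocation: with maxInBytes allowed up to INT_MAX, `int (ceil (maxInBytes * 1.01)) + 100` no longer fits in an int, so the limit should leave that headroom the way the Piz check subtracts `65536 + 8192`. Separately, the Piz, Pxr24 and Zip checks divide by `(unsigned) numScanLines` with no zero guard, unlike the `_height &&` test in the PreviewImage patch; if a caller can ever pass 0, put `numScanLines <= 0 ||` in front of the comparison. The Piz, Pxr24 and Zip constructor bodies continue outside their hunks.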

Attachment: signature.asc
Description: OpenPGP digital signature
