Hi Salvatore and Boyuan,

I saw libavif is marked in dsa-needed and Salvatore is working on it.
I'm also working on it (started today) as part of (E)LTS work sponsored
by Freexian and would like to offer help here.

The upload to unstable was on the 17th and there wasn't a DSA so far, so I'm
assuming other stuff got in the way and/or it's not an easy backport.
I'll work more on it tomorrow but I'd like to provide what I've
accomplished so far in case any of you wants to start before me
(timezone differences are hard!).

CVE-2025-48174 was easier to fix, though the proper apparatus to handle
AVIF_RESULT_INVALID_ARGUMENT was introduced later and is a big change,
so I've decided to not backport and just exit on overflow.

CVE-2025-48175 is a bit more tricky because the code is different.
[1b4ce5ca24a] introduces the local variables to make the code easier to
read and the CVE was identified on them. Changing some of them to size_t
is the fix so multiplication is conducted in size_t. On bookworm, the
variable used for calculations is also uint32_t, but it is encapsulated in
avifRGBImage, which is a publicly exposed struct. So changing it can break
the ABI and I assume that is a no-go for a stable update. This is the point
where I stopped today (need to sleep now!). I was thinking about either
cherry-picking [1b4ce5ca24a] or trying to cast the size_t in the
multiplication to avoid the overflow. Will think harder about it
tomorrow.

Anyway, I'll send what I have now in the hope it can be helpful to you.

Cheers,
Charles

[1b4ce5ca24a]: https://github.com/AOMediaCodec/libavif/commit/1b4ce5ca24a
diff -Nru libavif-0.11.1/debian/changelog libavif-0.11.1/debian/changelog
--- libavif-0.11.1/debian/changelog	2022-10-25 12:39:25.000000000 -0300
+++ libavif-0.11.1/debian/changelog	2025-05-23 23:37:21.000000000 -0300
@@ -1,3 +1,12 @@
+libavif (0.11.1-1+deb12u1) bookworm-security; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * d/p/CVE-2025-48174.patch: backport patch to fix CVE-2025-48174.
+    (Closes: #1105885)
+      - Integer overflow resulting in buffer overflow.
+
+ -- Carlos Henrique Lima Melara <charlesmel...@riseup.net>  Fri, 23 May 2025 23:37:21 -0300
+
 libavif (0.11.1-1) unstable; urgency=medium
 
   * New upstream version 0.11.1.
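Review bot: The entry at the `d/p/CVE-2025-48174.patch` bullet names only CVE-2025-48174, while the mail above says CVE-2025-48175 is still being worked on for the same package; either add a line stating that CVE-2025-48175 is not addressed by this upload or hold it until the second patch is ready, so the changelog does not read as if the dsa-needed item were fully resolved. The `Non-maintainer upload by the Security Team.` line also assumes the Security Team performs the upload; if it goes out through the (E)LTS workflow mentioned in the mail, adjust the attribution accordingly.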
diff -Nru libavif-0.11.1/debian/patches/CVE-2025-48174.patch libavif-0.11.1/debian/patches/CVE-2025-48174.patch
--- libavif-0.11.1/debian/patches/CVE-2025-48174.patch	1969-12-31 21:00:00.000000000 -0300
+++ libavif-0.11.1/debian/patches/CVE-2025-48174.patch	2025-05-23 23:37:21.000000000 -0300
@@ -0,0 +1,39 @@
+From 50a743062938a3828581d725facc9c2b92a1d109 Mon Sep 17 00:00:00 2001
+From: DanisJiang <43723722+danisji...@users.noreply.github.com>
+Date: Mon, 21 Apr 2025 10:45:59 +0800
+Subject: [PATCH] Add integer overflow check to makeRoom.
+
+Backport changes:
+  - exit() on overflow since this version doesn't have AVIF_CHECKRES and
+    makeRoom returns void;
+  - Add stdlib.h so we can call exit().
+
+Origin: upstream, https://github.com/AOMediaCodec/libavif/commit/50a743062938a3828581d725facc9c2b92a1d109
+Forwarded: not-needed
+Last-Update: 2025-05-23
+---
+ src/stream.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/stream.c b/src/stream.c
+index a5935b4..a5c529f 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -6,6 +6,7 @@
+ #include <assert.h>
+ #include <inttypes.h>
+ #include <stdint.h>
++#include <stdlib.h>
+ #include <string.h>
+ 
+ // ---------------------------------------------------------------------------
+@@ -234,6 +235,9 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static void makeRoom(avifRWStream * stream, size_t size)
+ {
++    if (size > SIZE_MAX - stream->offset) {
++        exit(1);
++    }
+     size_t neededSize = stream->offset + size;
+     size_t newSize = stream->raw->size;
+     while (newSize < neededSize) {
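Review bot: The new check at the top of makeRoom() calls exit(1) from library code, so any application that passes an oversized size through avifRWStream is terminated instead of receiving an error; the backport notes explain why (no AVIF_CHECKRES, void return), but that behaviour change belongs in the changelog too, and abort() would at least leave a core dump for the crashing application where exit(1) leaves no trace. The growth loop starting at `while (newSize < neededSize) {` has its body outside the hunk; please confirm that growing newSize there cannot itself wrap once neededSize is close to SIZE_MAX, since the new check only protects the initial addition. Finally, the DEP-3 header carries Origin, Forwarded and Last-Update but no `Bug-Debian: https://bugs.debian.org/1105885`, which would tie the patch to the bug the changelog closes.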
diff -Nru libavif-0.11.1/debian/patches/series libavif-0.11.1/debian/patches/series
--- libavif-0.11.1/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ libavif-0.11.1/debian/patches/series	2025-05-23 23:37:21.000000000 -0300
@@ -0,0 +1 @@
+CVE-2025-48174.patch