Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Hi Please unblock package libcroco The upload addresses two CVEs, CVE-2017-7960 and the disputed (if it security relevant) CVE-2017-7961, both covered via #860961. The changelog reads as: >libcroco (0.6.11-3) unstable; urgency=medium > > * CVE-2017-7960-heap-buffer-overflow.patch: > - CVE-2017-7960: check end of input before reading from buffer. > * CVE-2017-7961-double-to-long-check.patch: > - CVE-2017-7961: check color value before converting to long. > * The above closes: #860961. > > -- Emilio Pozuelo Monfort <[email protected]> Sun, 23 Apr 2017 13:17:31 +0200 and attached is the full debdiff. unblock libcroco/0.6.11-3 Regards, Salvatore
diff -Nru libcroco-0.6.11/debian/changelog libcroco-0.6.11/debian/changelog --- libcroco-0.6.11/debian/changelog 2016-09-21 04:15:28.000000000 +0200 +++ libcroco-0.6.11/debian/changelog 2017-04-23 13:17:31.000000000 +0200 @@ -1,3 +1,13 @@ +libcroco (0.6.11-3) unstable; urgency=medium + + * CVE-2017-7960-heap-buffer-overflow.patch: + - CVE-2017-7960: check end of input before reading from buffer. + * CVE-2017-7961-double-to-long-check.patch: + - CVE-2017-7961: check color value before converting to long. + * The above closes: #860961. + + -- Emilio Pozuelo Monfort <[email protected]> Sun, 23 Apr 2017 13:17:31 +0200 + libcroco (0.6.11-2) unstable; urgency=medium * Convert from cdbs to dh. diff -Nru libcroco-0.6.11/debian/control libcroco-0.6.11/debian/control --- libcroco-0.6.11/debian/control 2016-09-21 04:15:28.000000000 +0200 +++ libcroco-0.6.11/debian/control 2017-04-23 13:17:31.000000000 +0200 @@ -6,7 +6,7 @@ Section: libs Priority: optional Maintainer: Debian GNOME Maintainers <[email protected]> -Uploaders: Andreas Henriksson <[email protected]>, Josselin Mouette <[email protected]>, Martin Pitt <[email protected]>, Michael Biebl <[email protected]> +Uploaders: Andreas Henriksson <[email protected]>, Emilio Pozuelo Monfort <[email protected]>, Josselin Mouette <[email protected]>, Michael Biebl <[email protected]> Build-Depends: debhelper (>= 10), gtk-doc-tools, gnome-pkg-tools (>= 0.7), diff -Nru libcroco-0.6.11/debian/patches/CVE-2017-7960-heap-buffer-overflow.patch libcroco-0.6.11/debian/patches/CVE-2017-7960-heap-buffer-overflow.patch --- libcroco-0.6.11/debian/patches/CVE-2017-7960-heap-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ libcroco-0.6.11/debian/patches/CVE-2017-7960-heap-buffer-overflow.patch 2017-04-23 13:16:44.000000000 +0200 @@ -0,0 +1,58 @@ +From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro <[email protected]> +Date: Sun, 16 Apr 2017 13:13:43 +0200 +Subject: input: check end of input before reading a byte + +When reading bytes we weren't check that the index wasn't +out of bound and this could produce an invalid read which +could deal to a security bug. +--- + src/cr-input.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/cr-input.c b/src/cr-input.c +index 49000b1..3b63a88 100644 +--- a/src/cr-input.c ++++ b/src/cr-input.c +@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc) + *we should free buf here because it's own by CRInput. + *(see the last parameter of cr_input_new_from_buf(). + */ +- buf = NULL ; ++ buf = NULL; + } + + cleanup: +@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this) + enum CRStatus + cr_input_read_byte (CRInput * a_this, guchar * a_byte) + { ++ gulong nb_bytes_left = 0; ++ + g_return_val_if_fail (a_this && PRIVATE (a_this) + && a_byte, CR_BAD_PARAM_ERROR); + +@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte) + if (PRIVATE (a_this)->end_of_input == TRUE) + return CR_END_OF_INPUT_ERROR; + ++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this); ++ ++ if (nb_bytes_left < 1) { ++ return CR_END_OF_INPUT_ERROR; ++ } ++ + *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index]; + + if (PRIVATE (a_this)->nb_bytes - +@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char) + if (*a_char == '\n') { + PRIVATE (a_this)->end_of_line = TRUE; + } +- + } + + return status; +-- +cgit v0.12 + diff -Nru libcroco-0.6.11/debian/patches/CVE-2017-7961-double-to-long-check.patch libcroco-0.6.11/debian/patches/CVE-2017-7961-double-to-long-check.patch --- libcroco-0.6.11/debian/patches/CVE-2017-7961-double-to-long-check.patch 1970-01-01 01:00:00.000000000 +0100 +++ libcroco-0.6.11/debian/patches/CVE-2017-7961-double-to-long-check.patch 2017-04-23 13:16:44.000000000 +0200 @@ -0,0 +1,42 @@ +From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro <[email protected]> +Date: Sun, 16 Apr 2017 13:56:09 +0200 +Subject: tknzr: support only max long rgb values + +This fixes a possible out of bound when reading rgbs which +are longer than the support MAXLONG +--- + src/cr-tknzr.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c +index 1a7cfeb..1548c35 100644 +--- a/src/cr-tknzr.c ++++ b/src/cr-tknzr.c +@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb) + status = cr_tknzr_parse_num (a_this, &num); + ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL)); + ++ if (num->val > G_MAXLONG) { ++ status = CR_PARSING_ERROR; ++ goto error; ++ } ++ + red = num->val; + cr_num_destroy (num); + num = NULL; +@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb) + status = cr_tknzr_parse_num (a_this, &num); + ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL)); + ++ if (num->val > G_MAXLONG) { ++ status = CR_PARSING_ERROR; ++ goto error; ++ } ++ + PEEK_BYTE (a_this, 1, &next_bytes[0]); + if (next_bytes[0] == '%') { + SKIP_CHARS (a_this, 1); +-- +cgit v0.12 + diff -Nru libcroco-0.6.11/debian/patches/series libcroco-0.6.11/debian/patches/series --- libcroco-0.6.11/debian/patches/series 2012-02-10 07:11:51.000000000 +0100 +++ libcroco-0.6.11/debian/patches/series 2017-04-23 13:16:44.000000000 +0200 @@ -0,0 +1,2 @@ +CVE-2017-7960-heap-buffer-overflow.patch +CVE-2017-7961-double-to-long-check.patch

