Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hello, I would like to update sam2p in Jessie. This package is currently affected by several security vulnerabilities. Please find attached the debdiff. Regards, Markus
diff -Nru sam2p-0.49.2/debian/changelog sam2p-0.49.2/debian/changelog
--- sam2p-0.49.2/debian/changelog 2017-11-22 21:39:20.000000000 +0100
+++ sam2p-0.49.2/debian/changelog 2018-04-07 17:48:42.000000000 +0200
@@ -1,3 +1,13 @@
+sam2p (0.49.2-3+deb8u2) jessie; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2018-7487, CVE-2018-7551, CVE-2018-7552, CVE-2018-7553 and
+ CVE-2018-7554. Multiple invalid frees and buffer-overflow vulnerabilities
+ were discovered in sam2p that may lead to a denial-of-service (application
+ crash) or unspecified other impact.
+
+ -- Markus Koschany <a...@debian.org> Sat, 07 Apr 2018 17:48:42 +0200
+
 sam2p (0.49.2-3+deb8u1) jessie; urgency=high

 * Non-maintainer upload.
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7487.patch sam2p-0.49.2/debian/patches/CVE-2018-7487.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7487.patch 1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7487.patch 2018-04-07 17:48:42.000000000 +0200
@@ -0,0 +1,22 @@
+From: Markus Koschany <a...@debian.org>
+Date: Wed, 4 Apr 2018 22:58:32 +0200
+Subject: CVE-2018-7487
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/18
+---
+ in_pcx.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/in_pcx.cpp b/in_pcx.cpp
+index f04e4c1..e8e1ce1 100644
+--- a/in_pcx.cpp
++++ b/in_pcx.cpp
+@@ -239,7 +239,7 @@ static Image::Sampled *LoadPCX
+ if (fread(pinfo->pal, 1, colors*3, fp) != colors * 3 + 0U ||
+ ferror(fp) || feof(fp)) {
+ pcxError(bname,"Error reading PCX colormap. Using grayscale.");
+- for (i=0; i<256; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;
++ for (i=0; i<colors; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;
+ }
+ }
+ else if (colors<=16) { /* internal colormap */
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7551.patch sam2p-0.49.2/debian/patches/CVE-2018-7551.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7551.patch 1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7551.patch 2018-04-07 17:48:42.000000000 +0200
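Review bot: The retained fallback `for (i=0; i<colors; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;` now stops at `colors`, which removes the write past the palette, but the ramp value `i` then only spans 0..colors-1, so a 16-colour image ends up with a near-black palette although pcxError promises "Using grayscale". If a usable fallback is intended, `PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = colors > 1 ? i * 255 / (colors - 1) : 0;` spreads it across the full range; otherwise a comment saying the entries are only placeholders would stop the next reader from "fixing" it. The new bound is only safe if `pinfo->pal` holds at least `colors` entries, which depends on the allocation outside this hunk. LoadPCX continues outside the hunk.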
@@ -0,0 +1,75 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 5 Apr 2018 11:02:16 +0200
+Subject: CVE-2018-7551
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/28
+Origin: https://github.com/pts/sam2p/commit/a6621e996f976912252018be8a8836ee6a966ee3
+---
+ input-pnm.ci | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/input-pnm.ci b/input-pnm.ci
+index 1645071..033a8ca 100644
+--- a/input-pnm.ci
++++ b/input-pnm.ci
+@@ -177,6 +177,18 @@ static struct struct_pnm_types
+ { 0 , 0, 0, 0, NULL}
+ };
+
++static slen_t multiply_check(slen_t a, slen_t b) {
++ slen_t result;
++ if (a == 0) return 0;
++ /* Check for overflow. Works only if everything is unsigned. */
++ if ((result = a * b) / a != b) FATALP("PNM: can't open file\n");
++ return result;
++}
++
++static slen_t multiply_check(slen_t a, slen_t b, slen_t c) {
++ return multiply_check(multiply_check(a, b), c);
++}
++
+ #if PTS_SAM2P
+ bitmap_type pnm_load_image (FILEE* filename)
+ #else
+@@ -265,8 +277,8 @@ bitmap_type pnm_load_image (at_string filename)
+ BITMAP_HEIGHT (bitmap) = (at_dimen_t) pnminfo->yres;
+
+ BITMAP_PLANES (bitmap) = (pnminfo->np)?(pnminfo->np):1;
+- /* BITMAP_BITS (bitmap) = (unsigned char *) malloc (pnminfo->yres * pnminfo->xres * BITMAP_PLANES (bitmap)); */
+- XMALLOCT(BITMAP_BITS (bitmap), unsigned char *, pnminfo->yres * pnminfo->xres * BITMAP_PLANES (bitmap));
++ /* BITMAP_BITS (bitmap) = (unsigned char *) malloc ((slen_t)pnminfo->yres * pnminfo->xres * BITMAP_PLANES (bitmap)); */
++ XMALLOCT(BITMAP_BITS (bitmap), unsigned char *, multiply_check(pnminfo->yres, pnminfo->xres, BITMAP_PLANES (bitmap)));
+ pnminfo->loader (scan, pnminfo, BITMAP_BITS (bitmap));
+ /* vvv Dat: We detect truncation late truncated files will just have garbage :-( */
+ if (pnmscanner_eof(scan))
+@@ -299,7 +311,7 @@ pnm_load_ascii (PNMScanner *scan,
+ #endif
+ d = data;
+ if (info->np==0) { /* PBM */
+- dend=d+info->xres*info->yres;
++
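Review bot: The overflow path in the new `multiply_check` aborts with `FATALP("PNM: can't open file\n")`, a message that misattributes the failure; `FATALP("PNM: image dimensions too large\n")` names what was actually detected and helps anyone triaging a rejected file. The division test `(result = a * b) / a != b` is sound for an unsigned `slen_t`, as the comment says, and the `a == 0` early return avoids the division by zero; it does mean a zero `xres` or `yres` still reaches XMALLOCT with a zero-byte request that the loaders then receive as an empty buffer, which is pre-existing but worth a one-line comment. Defining two `multiply_check` overloads in a `.ci` file only compiles as C++, which presumably matches how sam2p builds these includes.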
dend=d+(slen_t)info->xres*info->yres;
+ while (d!=dend) {
+ /* pnmscanner_getsmalltoken(scan, (unsigned char *)buf); */
+ pnmscanner_eatwhitespace(scan);
+@@ -307,7 +319,7 @@ pnm_load_ascii (PNMScanner *scan,
+ pnmscanner_getchar(scan);
+ }
+ } else { /* PGM or PPM */ /**** pts ****/
+- dend=d+info->xres*info->yres*info->np;
++ dend=d+(slen_t)info->xres*info->yres*info->np;
+ switch (s=info->maxval) {
+ case 255:
+ while (d!=dend) {
+@@ -350,10 +362,10 @@ pnm_load_raw (PNMScanner *scan,
+
+ scanlines = info->yres;
+ d = data;
+- delta=info->xres * info->np;
++ delta=(slen_t)info->xres * info->np;
+ dend=d+delta*scanlines;
+ while (d!=dend) {
+- if (info->xres*info->np != fread_FILEE((char*)d, delta, fd)) return;
++ if (delta != fread_FILEE((char*)d, delta, fd)) return;
+ d+=delta;
+ }
+ d=data;
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7553.patch sam2p-0.49.2/debian/patches/CVE-2018-7553.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7553.patch 1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7553.patch 2018-04-07 17:48:42.000000000 +0200
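Review bot: In pnm_load_raw the rewritten short-read check `if (delta != fread_FILEE((char*)d, delta, fd)) return;` abandons the rest of the bitmap without initialising it, and XMALLOCT (presumably a malloc wrapper rather than calloc) does not zero it, so a truncated raw PNM leaves stale heap bytes in the image that later stages presumably encode into the output. Zeroing the tail first, `memset(d, 0, (size_t)(dend - d)); return;`, closes that leak for the price of one call; the BMP loader in the same upload does the equivalent with a `memset` right after its allocation. The "truncated files will just have garbage" comment in the pnm_load_image hunk describes this behaviour but should not be read as accepting leaked memory. pnm_load_raw continues outside the hunk.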
@@ -0,0 +1,67 @@
+From: Markus Koschany <a...@debian.org>
+Date: Wed, 4 Apr 2018 23:01:09 +0200
+Subject: CVE-2018-7553
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/32
+Origin: https://github.com/pts/sam2p/commit/2ca32ec848fd97074367bc26b239fa25bbf0e720
+---
+ in_pcx.cpp | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/in_pcx.cpp b/in_pcx.cpp
+index e8e1ce1..456c150 100644
+--- a/in_pcx.cpp
++++ b/in_pcx.cpp
+@@ -109,6 +109,12 @@ static void pcxLoadRaster PARM((FILE *, byte *, int, byte *, dimen, dimen));
+ static int pcxError PARM((char *, char *));
+ #endif
+
++static slen_t add_check(PCX_SIZE_T a, PCX_SIZE_T b) {
++ /* Check for overflow. Works only if everything is unsigned. */
++ if (b > (PCX_SIZE_T)-1 - a) FatalError("Image too large.");
++ return a + b;
++}
++
+ static PCX_SIZE_T multiply_check(PCX_SIZE_T a, PCX_SIZE_T b) {
+ const PCX_SIZE_T result = a * b;
+ /* Check for overflow. Works only if everything is unsigned. */
+@@ -327,7 +333,8 @@ static int pcxLoadImage8 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr),
+
+ byte *image;
+
+- image = (byte *) malloc_byte(multiply_check(pinfo->h, pinfo->w));
++ /* Adding 7 bytes as a sentinel for depth == 1 in pcxLoadRaster. */
++ image = (byte *) malloc_byte(add_check(multiply_check(pinfo->h, pinfo->w), 7));
+ if (!image) FatalError("Can't alloc 'image' in pcxLoadImage8()");
+
+ xvbzero((char *) image, multiply_check(pinfo->h, pinfo->w));
+@@ -449,14 +456,17 @@ static void pcxLoadRaster ___((FILE *fp, byte *image, int depth, byte *hdr, dime
+ {
+ /* was supported: 8 bits per pixel, 1 plane, or 1 bit per pixel, 1-8 planes */
+
+- unsigned row, bcnt, bperlin, pad, cnt, pmask, i, pleft;
++ unsigned row, cnt, pmask, pleft;
++ PCX_SIZE_T bperlin, pad, bcnt;
+ int b;
+ byte *oldimage;
+
+ bperlin = hdr[PCX_BPRL] + ((dimen) hdr[PCX_BPRH]<<8);
+- pad = (depth == 1) ?
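Review bot: `add_check` is declared to return `slen_t` although its parameters and its overflow test are `PCX_SIZE_T`, and the neighbouring `multiply_check` returns `PCX_SIZE_T`; if the two typedefs differ in width, the sum that was just verified is narrowed on return and the protection is lost at the pcxLoadImage8 call site. Declare it `static PCX_SIZE_T add_check(PCX_SIZE_T a, PCX_SIZE_T b) {` so the whole size computation stays in one type. The test `b > (PCX_SIZE_T)-1 - a` itself is correct for an unsigned type, as the comment states.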
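Review bot: The allocation grows by the 7 sentinel bytes, but `xvbzero((char *) image, multiply_check(pinfo->h, pinfo->w));` two lines below still clears only `h*w` of them, so the sentinel stays uninitialised while the depth==1 path in pcxLoadRaster reads it through `*image++|=...`; OR-ing into indeterminate memory is undefined behaviour even when those bytes are never emitted. Clear the full buffer with `xvbzero((char *) image, add_check(multiply_check(pinfo->h, pinfo->w), 7));`, or better compute the size once into a local used by both the allocation and the clear. pcxLoadImage8 continues outside the hunk.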
bperlin * 8 : bperlin;
+- if (pad < w) FatalError("pad too small");
++ pad = multiply_check(bperlin, 8 / depth);
++ if (pad < w) FatalError("bperlin too small");
+ pad -= w;
++ /* image (including sentinel) isn't large enough for bperlin. */
++ if (pad > 7) FatalError("bperlin too large");
+
+ row = bcnt = 0;
+
+@@ -471,7 +481,7 @@ static void pcxLoadRaster ___((FILE *fp, byte *image, int depth, byte *hdr, dime
+ }
+ else cnt = 1;
+
+- for (i=0; i<cnt; i++) {
++ while (cnt-- > 0) {
+ switch (depth) {
+ case 1:
+ *image++|=(b&0x80)?pmask:0;
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7554.patch sam2p-0.49.2/debian/patches/CVE-2018-7554.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7554.patch 1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7554.patch 2018-04-07 17:48:42.000000000 +0200
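Review bot: `pad = multiply_check(bperlin, 8 / depth);` divides by `depth`, and nothing in this hunk restricts it to the 1 and 8 the comment above lists: a zero `depth` is a division by zero, and 2 or 4 silently yields a different `pad` than the old `bperlin` fallback did. If `depth` is header-derived and the caller does not already reject other values (not visible here), add `if (depth != 1 && depth != 8) FatalError("unsupported PCX depth");` before the multiply. The new `if (pad > 7)` limit mirrors the 7-byte sentinel allocated in pcxLoadImage8, so the two constants would be safer as one shared `#define`. pcxLoadRaster continues outside the hunk.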
@@ -0,0 +1,193 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 5 Apr 2018 11:25:44 +0200
+Subject: CVE-2018-7554
+
+This is also the fix for CVE-2018-7552. Verified by testing the patch against
+the reproducer.
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/29
+Origin: https://github.com/pts/sam2p/commit/118cb8102b767df4100d8a14184e44b33a822861
+Origin: https://github.com/pts/sam2p/commit/1e43ec5fe34b009cb43f90a9d562442ca347cd75
+Origin: https://github.com/pts/sam2p/commit/beea3bd8dd05a731fddfa447ff0bad19fe32c973
+Origin: https://github.com/pts/sam2p/commit/47378716ab03d6b39ee959c949df551c643942f1
+---
+ input-bmp.ci | 57 ++++++++++++++++++++++++++++++++++++---------------------
+ input-pnm.ci | 4 +++-
+ 2 files changed, 39 insertions(+), 22 deletions(-)
+
+diff --git a/input-bmp.ci b/input-bmp.ci
+index 8aadcfc..64f7947 100644
+--- a/input-bmp.ci
++++ b/input-bmp.ci
+@@ -81,7 +81,7 @@ bitmap_type bmp_load_image (at_string filename)
+ FILE *fd;
+ unsigned char buffer[64];
+ int ColormapSize, Maps=0, Grey;
+- at_dimen_t rowbytes;
++ at_dimen_t rowbytes, wd_bpp;
+ unsigned char ColorMap[256][3];
+ bitmap_type image;
+
+@@ -167,6 +167,14 @@ bitmap_type bmp_load_image (at_string filename)
+ else
+ FATALP ("BMP: Error reading BMP file header #4");
+
++ switch (Bitmap_Head.biBitCnt) {
++ case 32: case 24: case 16: case 8: case 4: case 2: case 1: break;
++ default:
++ FATALP ("BMP: Invalid bpp.");
++ }
++
++ if (Maps != 3 && Maps != 4) FATALP("BMP: Bad color_size.");
++
+ /* Valid options 1, 4, 8, 16, 24, 32 */
+ /* 16 is awful, we should probably shoot whoever invented it */
+
+@@ -191,8 +199,8 @@ bitmap_type bmp_load_image (at_string filename)
+ /* Windows and OS/2 declare filler so that rows are a multiple of
+ * word length (32 bits == 4 bytes)
+ */
+-
+- rowbytes = ((multiply_check(Bitmap_Head.biWidth, Bitmap_Head.biBitCnt) >> 3) + 3) & ~3;
++ wd_bpp = multiply_check(Bitmap_Head.biWidth, Bitmap_Head.biBitCnt);
++ rowbytes = ((wd_bpp >> 5) + (wd_bpp & 31
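Review bot: The new `switch (Bitmap_Head.biBitCnt)` admits `case 2:` while the comment kept two lines below still reads `/* Valid options 1, 4, 8, 16, 24, 32 */`, so the code and its documentation now disagree about 2-bpp files; either drop `case 2:` or amend the comment to `/* Valid options 1, 2, 4, 8, 16, 24, 32 */`. The `Maps` check rejects palette entry sizes other than 3 or 4 but reports `"BMP: Bad color_size."`, a name only meaningful to a reader who knows ReadColorMap's parameter; `"BMP: Bad colormap entry size."` stands on its own. bmp_load_image continues outside the hunk.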
? 1 : 0)) << 2;
+
+ #ifdef DEBUG
+ printf("\nSize: %u, Colors: %u, Bits: %u, Width: %u, Height: %u, Comp: %u, Zeile: %u\n",
+@@ -227,27 +235,31 @@ bitmap_type bmp_load_image (at_string filename)
+
+ static int
+ ReadColorMap (FILE *fd,
+- unsigned char buffer[256][3],
+- int number,
+- int size,
++ unsigned char cmap[256][3],
++ int color_count,
++ int color_size, /* 3 or 4. */
+ int *grey)
+ {
+ int i;
+ unsigned char rgb[4];
+
+- *grey=(number>2);
+- for (i = 0; i < number ; i++)
++#ifdef DEBUG
++ fprintf(stderr, "color_size=%d\n", color_size);
++#endif
++ *grey=(color_count>2);
++ for (i = 0; i < color_count ; i++)
+ {
+- if (!ReadOK (fd, rgb, size))
++ if (!ReadOK (fd, rgb, color_size))
+ FATALP ("BMP: Bad colormap");
+
+ /* Bitmap save the colors in another order! But change only once! */
+
+- buffer[i][0] = rgb[2];
+- buffer[i][1] = rgb[1];
+- buffer[i][2] = rgb[0];
++ cmap[i][0] = rgb[2];
++ cmap[i][1] = rgb[1];
++ cmap[i][2] = rgb[0];
+ *grey = ((*grey) && (rgb[0]==rgb[1]) && (rgb[1]==rgb[2]));
+ }
++ memset(&cmap[i], 0, (256 - i) * 3);
+ return 0;
+ }
+
+@@ -285,6 +297,7 @@ ReadImage (FILE *fd,
+ }
+
+ XMALLOCT (image, unsigned char*, multiply_check(wdht, channels));
++ memset(image, 0, wdht * channels);
+ XMALLOCT (buffer, unsigned char*, rowbytes);
+ rowstride = multiply_check(width, channels);
+
+@@ -303,7 +316,7 @@ ReadImage (FILE *fd,
+ *(temp++)= buffer[xpos * 4 + 1];
+ *(temp++)= buffer[xpos * 4];
+ }
+- --ypos; /* next line */
++ if (ypos-- == 0) break; /* next line */
+ }
+ }
+ break;
+@@ -319,7 +332,7 @@ ReadImage (FILE *fd,
+ *(temp++)= buffer[xpos * 3 + 1];
+ *(temp++)= buffer[xpos * 3];
+ }
+- --ypos; /* next line */
++ if (ypos-- == 0) break; /* next line */
+ }
+ }
+ break;
+@@ -336,7 +349,7 @@ ReadImage (FILE *fd,
+ *(temp++)= (unsigned char)(((rgb >> 5) & 0x1f) * 8);
+ *(temp++)= (unsigned char)(((rgb) & 0x1f) * 8);
+ }
+- --ypos; /* next line */
++ if (ypos-- == 0) break; /* next line */
+ }
+ }
+ break;
+@@ -347,23 +360,25 @@ ReadImage
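Review bot: The new `memset(&cmap[i], 0, (256 - i) * 3);` assumes `color_count <= 256`, but ReadColorMap never checks its own argument: a larger `color_count` first writes past `cmap[256][3]` inside the loop and then makes `256 - i` negative, which converts to a huge memset length. Unless the caller clamps ColormapSize (not visible in this hunk), guard at the top with `if (color_count < 0 || color_count > 256) FATALP ("BMP: Bad colormap size");`. The zero-fill itself is welcome, since entries beyond the file's count were otherwise left as whatever the caller's `ColorMap[256][3]` already held.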
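Review bot: `memset(image, 0, wdht * channels);` repeats the product that `multiply_check(wdht, channels)` on the line above has just validated; the two agree only because the check already aborted on overflow, and a later edit to either line can silently break that coupling. Compute the size once — `const at_dimen_t imglen = multiply_check(wdht, channels);` (at_dimen_t being what `wd_bpp` receives from the same helper in bmp_load_image) — and pass `imglen` to both XMALLOCT and memset. ReadImage continues outside the hunk.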
(FILE *fd,
+ {
+ if (compression == 0)
+ {
++ const int bpp8 = 8 / bpp;
++ const at_dimen_t rowpad = rowbytes - (width * bpp + 7) / 8;
++#ifdef DEBUG
++ fprintf(stderr, "BMP bpp=%d width=%d height=%d channels=%d malloced=%d rowbytes=%d\n", bpp, width, height, channls, width * height * channels, rowbytes);
++#endif
+ while (ReadOK (fd, &v, 1))
+ {
+- for (i = 1; (i <= (8 / bpp)) && (xpos < width); i++, xpos++)
++ for (i = 1; i <= bpp8 && xpos < width; i++, xpos++)
+ {
+ temp = (unsigned char*) (image + (ypos * rowstride) + (xpos * channels));
+ *temp= (unsigned char)(( v & ( ((1<<bpp)-1) << (8-(i*bpp)) ) ) >> (8-(i*bpp)));
+ }
+ if (xpos == width)
+ {
+- (void) ReadOK (fd, buffer, rowbytes - 1 -
+- (width * bpp - 1) / 8);
+- ypos--;
++ if (!ReadOK (fd, buffer, rowpad)) break;
++ if (ypos-- == 0) break; /* next line */
+ xpos = 0;
+
+ }
+- if ((int)ypos < 0)
+- break;
+ }
+ break;
+ }
+diff --git a/input-pnm.ci b/input-pnm.ci
+index 23de594..2c07b00 100644
+--- a/input-pnm.ci
++++ b/input-pnm.ci
+@@ -236,6 +236,7 @@ bitmap_type pnm_load_image (at_string filename)
+ FATALP ("PNM: is not a valid file");
+
+ /* Look up magic number to see what type of PNM this is */
++ pnminfo->loader = NULL;
+ for (ctr=0; pnm_types[ctr].name; ctr++)
+ if (buf[1] == pnm_types[ctr].name)
+ {
+@@ -243,6 +244,7 @@ bitmap_type pnm_load_image (at_string filename)
+ pnminfo->asciibody = pnm_types[ctr].asciibody;
+ pnminfo->maxval = pnm_types[ctr].maxval;
+ pnminfo->loader = pnm_types[ctr].loader;
++ break;
+ }
+ if (!pnminfo->loader)
+ FATALP ("PNM: file not in a supported format");
+@@ -402,7 +404,7 @@ pnm_load_rawpbm (PNMScanner *scan,
+
+ fd = pnmscanner_fd(scan);
+ /****pts****/ /* rowlen = (unsigned int)ceil((double)(info->xres)/8.0);*/
+- rowlen=(info->xres+7)>>3;
++ rowlen = (info->xres >> 3) + (info->xres & 3 ?
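Review bot: The new `#ifdef DEBUG` fprintf spells the variable `channls`, which does not exist in ReadImage (the rest of the hunk uses `channels`), so a DEBUG build of input-bmp.ci now fails to compile; correct the typo, and note that the same call prints `at_dimen_t` values with `%d`, which is only right if that typedef is `int`. `if (!ReadOK (fd, buffer, rowpad)) break;` is a clear improvement over the discarded `(void) ReadOK` result, and `rowpad` cannot underflow because `rowbytes` is now rounded up to a 4-byte multiple in bmp_load_image, which always covers `(width * bpp + 7) / 8` when `width` is `biWidth`; that invariant deserves a comment next to the `rowpad` declaration. ReadImage continues outside the hunk.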
1 : 0);
+ /* buf = (unsigned char *)malloc(rowlen*sizeof(unsigned char)); */
+ XMALLOCT(buf, unsigned char*, rowlen*sizeof(unsigned char));
+
diff -Nru sam2p-0.49.2/debian/patches/series sam2p-0.49.2/debian/patches/series
--- sam2p-0.49.2/debian/patches/series 2017-11-22 21:39:20.000000000 +0100
+++ sam2p-0.49.2/debian/patches/series 2018-04-07 17:48:42.000000000 +0200
@@ -8,3 +8,7 @@
 CVE-2017-14631.patch
 CVE-2017-14629.patch
 CVE-2017-16663.patch
+CVE-2018-7551.patch
+CVE-2018-7554.patch
+CVE-2018-7487.patch
+CVE-2018-7553.patch
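Review bot: The replacement `rowlen = (info->xres >> 3) + (info->xres & 3 ? 1 : 0);` (split across two lines here) rounds up on the wrong bits: eight pixels share a byte, so the test must be `info->xres & 7`. As written, any width that is a multiple of 4 but not of 8 comes out one byte short — `xres == 12` gives `rowlen == 1` for a two-byte row and `xres == 4` gives `rowlen == 0` — so the row buffer allocated by the XMALLOCT on the next line is undersized for exactly the raw PBM files this loader handles. Use `rowlen = (info->xres >> 3) + ((info->xres & 7) ? 1 : 0);`; the removed `(info->xres+7)>>3` was correct except for the wrap-around at the top of the range that this form avoids. pnm_load_rawpbm continues outside the hunk.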