Hello security team, hello Hugo,

I hope you are doing well! I have just uploaded an NMU for xcftools fixing CVE-2019-5086 and CVE-2019-5087. The new patch also addresses the 32-bit portability issues.

The basic idea behind it is to limit possible values of width and height (which can only be positive) and the offset (which can be positive and negative) to one quarter of INT_MAX/INT_MIN. This works for reasonably large images but will of course fail for some extreme corner cases now. Since the computeDimensions function is responsible for determining these values, you can find the guards there.

I have attached the POC from Anton Gladky (a manipulated xcf file) which simulates extremely large values for height and width. To check that the guard is working:

    xcfinfo small_manipulated.xcf
    xcf2png -o test.png small_manipulated.xcf -C

I propose to use this patch also for Buster, either for a point update or a security release. Feedback always welcome.

Regards,
Markus
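The bounding idea described in the message above, sketched as an added C example; this is not the xcftools patch and not code from the original message. The function names, macros and sample values are hypothetical, and "positive" is taken to mean strictly greater than zero.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical names; the bounds follow the message: one quarter of the
 * int range for sizes (positive only) and offsets (either sign). */
#define DIM_MAX (INT_MAX / 4)
#define OFF_MIN (INT_MIN / 4)
#define OFF_MAX (INT_MAX / 4)

/* Returns 1 when every value read from the file is inside the bounds. */
int dims_in_bounds(int width, int height, int offx, int offy)
{
    if (width <= 0 || width > DIM_MAX) return 0;
    if (height <= 0 || height > DIM_MAX) return 0;
    if (offx < OFF_MIN || offx > OFF_MAX) return 0;
    if (offy < OFF_MIN || offy > OFF_MAX) return 0;
    return 1;
}

/* Derives the right and bottom edges only after the guard has passed.
 * With both operands within a quarter of the int range, offset + size
 * stays within half the int range, so the additions cannot overflow. */
int compute_edges(int width, int height, int offx, int offy,
                  int *right, int *bottom)
{
    if (!dims_in_bounds(width, height, offx, offy))
        return -1;              /* reject the file instead of computing */
    *right = offx + width;
    *bottom = offy + height;
    return 0;
}

int main(void)
{
    int r, b;
    /* Constructed inputs: a normal layer and one with extreme values. */
    printf("normal:  %d\n", compute_edges(640, 480, -10, 20, &r, &b));
    printf("extreme: %d\n", compute_edges(INT_MAX, INT_MAX, 0, 0, &r, &b));
    return 0;
}
```

The guard runs before any arithmetic on the untrusted values, which is why the later additions need no overflow checks of their own.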