Your message dated Mon, 15 May 2023 20:32:08 +0000
with message-id <e1pyery-009nql...@fasolo.debian.org>
and subject line Bug#1028986: fixed in sgt-puzzles 20191231.79a5378-3+deb11u1
has caused the Debian Bug report #1028986,
regarding Multiple integer overflow and buffer overflow issues in game loading
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1028986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028986
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sgt-puzzles
Version: 20220801.89391ba-1
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Ben Harris found multiple issues in sgt-puzzles where a malformed game
description or save file can lead to integer overflow or buffer
overflow. These were fixed upstream today, and I'll upload the
changes to unstable shortly.
The Debian package doesn't register any media type handler for save
files, so I think this can only be exploited by social-engineering a
user into loading such a file or description.
Ben.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.0.0-6-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sgt-puzzles depends on:
ii libc6 2.36-6
ii libcairo2 1.16.0-7
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1
ii libglib2.0-0 2.74.3-1
ii libgtk-3-0 3.24.35-3
ii libpango-1.0-0 1.50.12+ds-1
ii libpangocairo-1.0-0 1.50.12+ds-1
Versions of packages sgt-puzzles recommends:
ii chromium [www-browser] 108.0.5359.124-1
ii firefox [www-browser] 108.0-2
ii lynx [www-browser] 2.9.0dev.10-1+b1
ii xdg-utils 1.1.3-4.1
sgt-puzzles suggests no packages.
-- debconf-show failed
--- End Message ---
--- Begin Message ---
Source: sgt-puzzles
Source-Version: 20191231.79a5378-3+deb11u1
Done: Ben Hutchings <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
sgt-puzzles, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1028...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <b...@debian.org> (supplier of updated sgt-puzzles package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 30 Apr 2023 17:35:04 +0200
Source: sgt-puzzles
Architecture: source
Version: 20191231.79a5378-3+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Ben Hutchings <b...@decadent.org.uk>
Changed-By: Ben Hutchings <b...@debian.org>
Closes: 905852 1028986 1034190
Changes:
sgt-puzzles (20191231.79a5378-3+deb11u1) bullseye; urgency=medium
.
* Fix various security issues in game loading (Closes: #1028986, #1034190):
- Mines: add validation for negative mine count.
- Galaxies: fix assertion failure when adding out-of-bounds association.
- Filling: fix assertion failure in 3x1 game generation.
- Map: add missing sresize in new_game_desc().
- Add more validation to midend deserialisation routine
- Correct and enable the range check on statepos when loading
- Add an assertion to check the format of encoded parameters
- Add assertions that game descriptions consist only of printable ASCII.
- Hex-encode non-ASCII random seeds in save files
- Assert that everything written to a save file is printable ASCII
- Build fix: take declarations out of for loops.
- galaxies: Use the same code for handling all dropped arrows
- magnets: Area constraints; fix message.
- lightup: Ban 2x2 with either 4-way type
- Remove _() introduced from Android port.
- Solo: Set max difficulty for small jigsaw puzzles
- Add a macro of an upper bound on the formatted length of an integer
- Guess: Don't allow any moves once the game is solved (CVE-2023-24283)
- Guess: validate peg colours in decode_ui() (CVE-2023-24284)
- Netslide: Reject moves wider than the grid (CVE-2023-24285)
- Sixteen: limit length of moves
- Undead: check for valid commands in execute_move()
- Undead: fix buffer overrun in "M" command (CVE-2023-24287)
- Correct RANGECHECK macro in Black Box
- Range-check normal moves in Undead
- Range-check record lengths when deserialising games (CVE-2023-24291)
- Don't load too many states just because there's no STATEPOS (CVE-2023-24288)
- Palisade: forbid moves that remove grid edges
- Last-ditch maximum size limit for Bridges
- Last-ditch grid-size limit for Dominosa
- Last-ditch grid-size limit for Galaxies
- Last-ditch grid-size limit for Fifteen
- Last-ditch maximum size limit for Flip
- Last-ditch grid-size limit for Flood
- Insist that Flood grids must have non-zero size
- Last-ditch grid-size limit for Inertia
- Last-ditch maximum size limit for Light Up
- Limit maximum grid size in Loopy
- Last-ditch maximum size limit for Magnets
- Last-ditch maximum size limit for Map
- Last-ditch maximum size limit for Mines
- Also check for tiny grids in Mines
- Last-ditch maximum size limit for Net
- Last-ditch maximum size limit for Netslide
- Integer overflow protection in Pattern
- Last-ditch maximum size limit for Palisade
- Last-ditch maximum size limit for Pearl
- Last-ditch maximum size limit for Pegs
- Also limit Pegs to at least 1x1 even when not doing full validation
- Last-ditch maximum size limit for Same Game
- Last-ditch maximum size limit for Signpost
- Last-ditch maximum size limit for Sixteen
- Limit size of puzzle in Tents to avoid integer overflow
- Last-ditch maximum size limit for Tracks
- Last-ditch maximum size limit for Twiddle
- Adjust Undead upper grid-size limit to avoid overflow
- Last-ditch point-count limit for Untangle
- Black Box: correct order of validation checks for "F" commands
- Palisade: don't leak memory on a bad move
- Don't allow negative clues in Pattern
- When loading, don't decode_ui unless we have a UI
- Palisade: remove assertion from decode_ui()
- Same Game: reject moves with unexpected characters in
- Filling: validate length of auto-solve move strings
- Tighten Bridges' validate_desc()
- Untangle: forbid descriptions that connect a node to itself
- Mines: No moving once you're dead!
- Towers: reject descriptions with odd characters at the end
- Tracks: make sure moves are valid in execute_move()
- Tracks: let solve make illegal moves
- Tracks: tighten up the 'illegal solve submoves' fix.
- Allow repeated "solve" operations in Guess
- Black Box: reject negative ball counts in game_params.
- Add validate_params bounds checks in a few more games.
- Don't allow Bridges games with < 2 islands
- Forbid moves that fill with the current colour in Flood
- Cleanly reject ill-formed solve moves in Flood
- Don't segfault on premature solve moves in Mines
- Limit number of mines in Mines game description
- Validate the number of pegs and holes in a Pegs game ID
- Mines: forbid moves that flag or unflag an exposed square
- Mines: Don't check if the player has won if they've already lost
- Avoid invalid moves when solving Tracks
- Fix move validation in Netslide
- Tighten validation of Tents game descriptions
- Dominosa: require the two halves of a domino to be adjacent
- Forbid lines off the grid in Pearl
- Tolerate incorrect solutions in Inertia
- Palisade: replace dfs_dsf() with a simple iteration.
- latin_solver_alloc: handle clashing numbers in input grid.
- Pearl: fix assertion failure on bad puzzle.
- Pearl: fix bounds check in previous commit.
- Unequal: Don't insist that solve moves must actually solve
- Range: Don't fail an assertion on an all-black board
- Limit width and height to SHRT_MAX in Mines
- Mines: Add assertions to range-check conversions to short
- Unequal: fix sense error in latin_solver_alloc fix.
- Forbid impossible moves in Bridges
- Forbid game descriptions with joined islands in Bridges
- Check state is valid at the end of a move in Pearl
- Cleanly reject more ill-formed solve moves in Flood
- Don't allow moves that change the constraints in Unequal
- Fix memory leaks in Keen's validate_desc()
- Don't leak grids in Loopy's validate_desc()
- Remember to free the to_draw member from Net's drawstate
- Undead: check the return value of sscanf() in execute_move()
- Don't leak duplicate edges in Untangle
- Remember to free the numcolours array from Pattern's drawstate
- Twiddle: don't read off the end of parameter strings ending 'm'
- Loopy: free the grid description string if it's invalid
- Avoid division by zero in Cube grid-size checks
- Validate that save file values are ASCII (mostly)
- More validation of solve moves in Flood
- Make sure that moves in Flood use only valid colours
- Tighten grid-size limit in Mines
- Tracks: set drag_s{x,y} even if starting off-grid
- Undead: be a bit more careful about sprintf buffer sizes
- Fix memory leak in midend_game_id_int()
- Flood: don't read off the end of some parameter strings
- Be more careful with type of left operand of <<
- Map: reduce maximum size
- Correctly handle some short save files
- Inertia: insist that solutions must be non-empty
- Galaxies: fix recursion depth limit in solver.
- Correct a range check in Magnets' layout verification
- Magnets: add a check that magnets don't wrap between lines
- Net: assert that cx and cy are in range in compute_active()
- Don't allow zero clues in Pattern
* Solo: cope with pencil marks when tilesize == 1 (Closes: #905852)
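As an added illustration (not code from sgt-puzzles or the Debian package), here are the two kinds of check the changelog entries above describe only by title: an overflow-safe grid-size validation of the "last-ditch maximum size limit" / "limit width and height to avoid integer overflow" kind, and a length-checked record reader of the "range-check record lengths when deserialising" / "correctly handle some short save files" kind. The KEY:LEN:VALUE record form, the max_dim argument and the function names are assumptions for this example, not the project's real save format or API.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Validate puzzle dimensions before anything allocates w*h cells.
 * max_dim is a caller-supplied cap (hypothetical; the real games use
 * their own constants, e.g. SHRT_MAX in Mines). The division form of
 * the product check is what a bare "w*h > limit" test gets wrong: the
 * multiplication itself would already have overflowed. */
bool grid_params_ok(int w, int h, int max_dim) {
    if (w < 1 || h < 1) return false;           /* tiny/negative grids */
    if (w > max_dim || h > max_dim) return false; /* last-ditch cap */
    if (w > INT_MAX / h) return false;          /* w*h would overflow */
    return true;
}

/* Read one record of the constructed form "KEY:LEN:VALUE" from a
 * NUL-terminated save buffer. Returns a malloc'd copy of VALUE, or NULL
 * when LEN is missing, negative, absurdly large, or larger than the
 * data actually present, so a hostile LEN can never drive a read past
 * the end of a short file. Caller frees the result. */
char *read_record(const char *buf, const char *key) {
    size_t klen = strlen(key);
    if (strncmp(buf, key, klen) != 0 || buf[klen] != ':') return NULL;
    const char *p = buf + klen + 1;
    char *end;
    long len = strtol(p, &end, 10);
    if (end == p || *end != ':' || len < 0 || len > 65536) return NULL;
    const char *val = end + 1;
    if ((size_t)len > strlen(val)) return NULL; /* record claims more than exists */
    char *out = malloc((size_t)len + 1);
    if (out == NULL) return NULL;
    memcpy(out, val, (size_t)len);
    out[len] = '\0';
    return out;
}

/* Convenience for checks: does the record parse to exactly `expect`? */
bool record_value_is(const char *buf, const char *key, const char *expect) {
    char *v = read_record(buf, key);
    bool ok = (v != NULL && strcmp(v, expect) == 0);
    free(v);
    return ok;
}
```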
--- End Message ---