Hi,

Please find attached the debdiffs that fix CVE-2015-7557 in wheezy and jessie. Since this is a no-dsa issue, it could address a next point release.

Cheers,
Santiago
diff -Nru librsvg-2.36.1/debian/changelog librsvg-2.36.1/debian/changelog --- librsvg-2.36.1/debian/changelog 2013-12-04 21:16:12.000000000 +0100 +++ librsvg-2.36.1/debian/changelog 2016-03-24 10:53:07.000000000 +0100 @@ -1,3 +1,10 @@ +librsvg (2.36.1-2+deb7u1) wheezy; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file. + + -- Santiago Ruano Rincón <santiag...@riseup.net> Thu, 24 Mar 2016 09:18:51 +0100 + librsvg (2.36.1-2) stable; urgency=low [ Raphaël Geissert ] diff -Nru librsvg-2.36.1/debian/patches/CVE-2015-7557.patch librsvg-2.36.1/debian/patches/CVE-2015-7557.patch --- librsvg-2.36.1/debian/patches/CVE-2015-7557.patch 1970-01-01 01:00:00.000000000 +0100 +++ librsvg-2.36.1/debian/patches/CVE-2015-7557.patch 2016-03-24 09:18:37.000000000 +0100 
@@ -0,0 +1,50 @@ +From 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df Mon Sep 17 00:00:00 2001 +From: Federico Mena Quintero <feder...@gnome.org> +Date: Thu, 5 Feb 2015 18:08:25 -0600 +Subject: bgo#738050 - Handle the case where a list of coordinate pairs has an + odd number of elements + +Lists of points come in coordinate pairs, but we didn't have any checking for that. +It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate +of an x,y pair, that was in fact missing, leading to an out-of-bounds array read. + +In that case, we now reuse the last-known y coordinate. + +Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050 + +Signed-off-by: Federico Mena Quintero <feder...@gnome.org> +--- + rsvg-shapes.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/rsvg-shapes.c b/rsvg-shapes.c +index c13b90c..e4a705d 100644 +--- a/rsvg-shapes.c ++++ b/rsvg-shapes.c +@@ -169,10 +169,22 @@ _rsvg_node_poly_build_path (const char *value, + + /* "L %f %f " */ + for (i = 2; i < pointlist_len; i += 2) { ++ double p; ++ + g_string_append (d, " L "); + g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i])); + g_string_append_c (d, ' '); +- g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i + 1])); ++ ++ /* We expect points to come in coordinate pairs. But if there is a ++ * missing part of one pair in a corrupt SVG, we'll have an incomplete ++ * list. In that case, we reuse the last-known Y coordinate. ++ */ ++ if (i + 1 < pointlist_len) ++ p = pointlist[i + 1]; ++ else ++ p = pointlist[i - 1]; ++ ++ g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), p)); + } + + if (close_path) +-- +cgit v0.11.2 + diff -Nru librsvg-2.36.1/debian/patches/series librsvg-2.36.1/debian/patches/series --- librsvg-2.36.1/debian/patches/series 2013-12-04 15:09:40.000000000 +0100 +++ librsvg-2.36.1/debian/patches/series 2016-03-24 09:18:37.000000000 +0100 
@@ -3,3 +3,4 @@ 10_rsvg-gz.patch 20_rsvg_compat.patch 99_ltmain_as-needed.patch +CVE-2015-7557.patch
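Review bot: In the rsvg-shapes.c hunk of the embedded upstream patch, the new `i + 1 < pointlist_len` check only guards the Y read inside the loop that starts at `i = 2`, and nothing in the visible lines bounds the reads of the first coordinate pair. Please confirm that `_rsvg_node_poly_build_path` already rejects a point list with fewer than two values before it reaches this loop. The fallback `p = pointlist[i - 1]` is in bounds here because `i` is at least 2. Note also that an odd-length list is rendered with a reused Y coordinate rather than rejected, so a regression test that feeds an odd number of coordinates would document the intended behaviour alongside the fix.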
diff -Nru librsvg-2.40.5/debian/changelog librsvg-2.40.5/debian/changelog --- librsvg-2.40.5/debian/changelog 2014-10-14 16:48:24.000000000 +0200 +++ librsvg-2.40.5/debian/changelog 2016-03-24 11:04:24.000000000 +0100 @@ -1,3 +1,10 @@ +librsvg (2.40.5-1+deb8u1) jessie; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file. + + -- Santiago Ruano Rincón <santiag...@riseup.net> Thu, 24 Mar 2016 11:02:20 +0100 + librsvg (2.40.5-1) unstable; urgency=medium * New upstream release. diff -Nru librsvg-2.40.5/debian/patches/CVE-2015-7557.patch librsvg-2.40.5/debian/patches/CVE-2015-7557.patch --- librsvg-2.40.5/debian/patches/CVE-2015-7557.patch 1970-01-01 01:00:00.000000000 +0100 +++ librsvg-2.40.5/debian/patches/CVE-2015-7557.patch 2016-03-24 11:05:21.000000000 +0100 
@@ -0,0 +1,50 @@ +From 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df Mon Sep 17 00:00:00 2001 +From: Federico Mena Quintero <feder...@gnome.org> +Date: Thu, 5 Feb 2015 18:08:25 -0600 +Subject: bgo#738050 - Handle the case where a list of coordinate pairs has an + odd number of elements + +Lists of points come in coordinate pairs, but we didn't have any checking for that. +It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate +of an x,y pair, that was in fact missing, leading to an out-of-bounds array read. + +In that case, we now reuse the last-known y coordinate. + +Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050 + +Signed-off-by: Federico Mena Quintero <feder...@gnome.org> +--- + rsvg-shapes.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/rsvg-shapes.c b/rsvg-shapes.c +index c13b90c..e4a705d 100644 +--- a/rsvg-shapes.c ++++ b/rsvg-shapes.c +@@ -169,10 +169,22 @@ _rsvg_node_poly_build_path (const char *value, + + /* "L %f %f " */ + for (i = 2; i < pointlist_len; i += 2) { ++ double p; ++ + g_string_append (d, " L "); + g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i])); + g_string_append_c (d, ' '); +- g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i + 1])); ++ ++ /* We expect points to come in coordinate pairs. But if there is a ++ * missing part of one pair in a corrupt SVG, we'll have an incomplete ++ * list. In that case, we reuse the last-known Y coordinate. ++ */ ++ if (i + 1 < pointlist_len) ++ p = pointlist[i + 1]; ++ else ++ p = pointlist[i - 1]; ++ ++ g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), p)); + } + + if (close_path) +-- +cgit v0.11.2 + diff -Nru librsvg-2.40.5/debian/patches/series librsvg-2.40.5/debian/patches/series --- librsvg-2.40.5/debian/patches/series 2014-09-15 00:58:58.000000000 +0200 +++ librsvg-2.40.5/debian/patches/series 2016-03-24 11:05:21.000000000 +0100 
@@ -1,2 +1,3 @@ 10_rsvg-gz.patch 20_rsvg_compat.patch +CVE-2015-7557.patch
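Review bot: The CVE-2015-7557.patch added for jessie is byte-for-byte the same as the wheezy one, including the `index c13b90c..e4a705d` line and the `@@ -169,10 +169,22 @@` offsets, although the two uploads are based on different upstream versions (2.36.1 and 2.40.5). Please confirm that it applies to both trees without offset or fuzz, and refresh the patch per release if it does not. The changelog entries could also name the patch file and the upstream bug (bgo#738050) so the origin of the fix is visible without opening the patch.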