Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libe...@packages.debian.org
Control: affects -1 + src:libebml
User: release.debian....@packages.debian.org
Usertags: pu

Fixes a minor security issue, tested with mkvtoolnix.

Cheers,
        Moritz

diff -Nru libebml-1.4.4/debian/changelog libebml-1.4.4/debian/changelog
--- libebml-1.4.4/debian/changelog      2022-10-09 16:22:47.000000000 +0200
+++ libebml-1.4.4/debian/changelog      2025-01-03 17:00:30.000000000 +0100
@@ -1,3 +1,9 @@
+libebml (1.4.4-1+deb12u1) bookworm; urgency=medium
+
+  * CVE-2023-52339 (Integer overflow in MemIOCallback::read)
+
+ -- Moritz Mühlenhoff <j...@debian.org>  Fri, 03 Jan 2025 17:00:30 +0100
+
 libebml (1.4.4-1) unstable; urgency=medium
 
   * Team upload
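
Review bot: The new changelog entry names only the CVE and does not mention the files this upload adds, debian/patches/CVE-2023-52339.patch and a newly created debian/patches/series. A line such as "Add CVE-2023-52339.patch, cherry-picked from upstream" would let the release team match the entry to the debdiff at a glance. The entry also says "Integer overflow" while the patch subject says "buffer overflow"; using one description in both places would avoid confusion.
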
diff -Nru libebml-1.4.4/debian/patches/CVE-2023-52339.patch 
libebml-1.4.4/debian/patches/CVE-2023-52339.patch
--- libebml-1.4.4/debian/patches/CVE-2023-52339.patch   1970-01-01 
01:00:00.000000000 +0100
+++ libebml-1.4.4/debian/patches/CVE-2023-52339.patch   2025-01-03 
16:59:37.000000000 +0100
@@ -0,0 +1,29 @@
+From 4c0d757d6de529e8dda6bb6ca08369d5f9bffdb3 Mon Sep 17 00:00:00 2001
+From: Steve Lhomme <slho...@matroska.org>
+Date: Wed, 1 Nov 2023 09:02:36 +0100
+Subject: [PATCH] MemIOCallback: fix buffer overflow when reading too much data
+
+If the addition of 2 positive values is smaller than one of the values then we
+have an overflowing addition.
+
+In this case that means we are trying to read more data that is actually in
+our buffer. So we can use the same mechanism as reading too much data.
+
+(cherry picked from commit 4d577f5c3e267b2988d56dafebc82dedb4c45506)
+Signed-off-by: Steve Lhomme <slho...@matroska.org>
+---
+ src/MemIOCallback.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- libebml-1.4.4.orig/src/MemIOCallback.cpp
++++ libebml-1.4.4/src/MemIOCallback.cpp
+@@ -68,7 +68,8 @@ uint32 MemIOCallback::read(void *Buffer,
+   if (Buffer == nullptr || Size < 1)
+     return 0;
+   //If the size is larger than than the amount left in the buffer
+-  if (Size + dataBufferPos > dataBufferTotalSize) {
++  if (Size + dataBufferPos < Size || // overflow, reading too much
++      Size + dataBufferPos > dataBufferTotalSize) {
+     //We will only return the remaining data
+     memcpy(Buffer, dataBuffer + dataBufferPos, dataBufferTotalSize - 
dataBufferPos);
+     uint64 oldDataPos = dataBufferPos;
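
Review bot: The branch taken when the new `Size + dataBufferPos < Size` test fires still passes `dataBufferTotalSize - dataBufferPos` to memcpy, and nothing in this hunk checks that dataBufferPos <= dataBufferTotalSize first. If the position can ever sit past the end of the buffer, that subtraction wraps and the copy length becomes very large, which is the same class of bug the added test is meant to close. Consider bounding the position first and comparing in subtraction form, e.g. `if (dataBufferPos > dataBufferTotalSize) return 0;` followed by `if (Size > dataBufferTotalSize - dataBufferPos)`, which cannot wrap and makes the separate overflow test unnecessary. Whether the position is already bounded elsewhere in the class is not visible in this hunk, so that is worth confirming before the upload.
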
diff -Nru libebml-1.4.4/debian/patches/series 
libebml-1.4.4/debian/patches/series
--- libebml-1.4.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libebml-1.4.4/debian/patches/series 2025-01-03 16:59:17.000000000 +0100
@@ -0,0 +1 @@
+CVE-2023-52339.patch
