Your message dated Sun, 17 Jun 2018 19:11:47 +0100
with message-id <[email protected]>
and subject line Re: Bug#892032: jessie-pu: package wayland/1.6.0-2
has caused the Debian Bug report #892032,
regarding jessie-pu: package wayland/1.6.0-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
892032: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892032
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hello,
I would like to apply the oldstable fix for #889681 in oldstable.
I am attaching the patch I plan to upload to oldstable.
Note, I have asked the security team whether they want to handle it via
the security queue or a stable update instead.
Regards
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf
Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From 5df34123d130816a1acf506d8e9f1a1c3e3efcc8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <[email protected]>
Date: Sun, 4 Mar 2018 12:29:17 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Héctor Orón Martínez <[email protected]>
---
debian/changelog | 11 +++++++++
debian/patches/CVE-2017-16612.patch | 47 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 59 insertions(+)
create mode 100644 debian/patches/CVE-2017-16612.patch
create mode 100644 debian/patches/series
diff --git a/debian/changelog b/debian/changelog
index 645a4bc..b6409a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.6.0-2+deb8u1) stretch; urgency=medium
+
+ * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+ - libXcursor before 1.1.15 has various integer overflows that could lead
+ to heap buffer overflows when processing malicious cursors, e.g., with
+ programs like GIMP. It is also possible that an attack vector exists
+ against the related code in cursor/xcursor.c in Wayland through
+ 1.14.0.
+
+ -- Héctor Orón Martínez <[email protected]> Sun, 04 Mar 2018 12:27:36 +0100
+
wayland (1.6.0-2) unstable; urgency=medium
* Switch back to use upstream tarball.
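Review bot: The first line of the new changelog entry targets "stretch", but the version suffix is +deb8u1 and this request is a jessie-pu, so the distribution field should read "jessie", i.e. "wayland (1.6.0-2+deb8u1) jessie; urgency=medium". The entry body also repeats the CVE description for libXcursor instead of saying what changes in this package; one line stating that cursor/xcursor.c now rejects negative and oversized image dimensions would serve changelog readers better.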
diff --git a/debian/patches/CVE-2017-16612.patch
b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 0000000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann <[email protected]>
+Date: Tue Nov 28 21:38:07 2017 +0100
+
+ cursor: Fix heap overflows when parsing malicious files.
+
+ It is possible to trigger heap overflows due to an integer overflow
+ while parsing images.
+
+ The integer overflow occurs because the chosen limit 0x10000 for
+ dimensions is too large for 32 bit systems, because each pixel takes
+ 4 bytes. Properly chosen values allow an overflow which in turn will
+ lead to less allocated memory than needed for subsequent reads.
+
+ See also:
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+ Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+
+ Signed-off-by: Tobias Stoeckmann <[email protected]>
+ [Pekka: add link to the corresponding libXcursor commit]
+ Signed-off-by: Pekka Paalanen <[email protected]>
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
++++ b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+ XcursorImage *image;
+
++ if (width < 0 || height < 0)
++ return NULL;
++ if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++ return NULL;
++
+ image = malloc (sizeof (XcursorImage) +
+ width * height * sizeof (XcursorPixel));
+ if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file,
+ if (!_XcursorReadUInt (file, &head.delay))
+ return NULL;
+ /* sanity check data */
+- if (head.width >= 0x10000 || head.height > 0x10000)
++ if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
++ head.height > XCURSOR_IMAGE_MAX_SIZE)
+ return NULL;
+ if (head.width == 0 || head.height == 0)
+ return NULL;
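Review bot: In the XcursorImageCreate hunk the size is still computed as "width * height * sizeof (XcursorPixel)" with no overflow check of its own, so the fix holds only if XCURSOR_IMAGE_MAX_SIZE is small enough that this product plus sizeof (XcursorImage) fits in a 32-bit size_t. The macro's definition is not part of this diff; please confirm it is present in the 1.6.0 cursor/xcursor.c and state its value in the patch header. Separately, the URL line after "See also:" has no leading "+", so as quoted here the hunk does not carry the 47 added lines its header declares; make sure the uploaded file comes from git or the attachment rather than from this wrapped text.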
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
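Review bot: debian/patches/series is created by this change (new file mode 100644), so 1.6.0-2 carried no patch series; please confirm that the package's source format or debian/rules actually applies the series at build time, otherwise CVE-2017-16612.patch ships in the source while the built library stays unfixed. A test build that checks cursor/xcursor.c for the new bounds test after unpacking would settle it.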
--
2.16.2
--- End Message ---
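The arithmetic behind the upstream commit message quoted in the patch above (a 0x10000 dimension limit with 4 bytes per pixel on a 32-bit system), as an added example that is not part of the original mail or of the Wayland source. ASSUMED_MAX_SIZE stands in for XCURSOR_IMAGE_MAX_SIZE, whose value does not appear in the mail, HEADER_BYTES is a constructed placeholder for sizeof (XcursorImage), and uint32_t models a 32-bit size_t.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define OLD_LIMIT        0x10000u /* bound removed by the patch */
#define ASSUMED_MAX_SIZE 0x7fffu  /* assumption: stand-in for XCURSOR_IMAGE_MAX_SIZE */
#define PIXEL_BYTES      4u       /* "each pixel takes 4 bytes" */
#define HEADER_BYTES     36u      /* constructed placeholder for sizeof (XcursorImage) */

/* Sanity check as on the '-' line of the _XcursorReadImage hunk. */
bool old_check_accepts(uint32_t w, uint32_t h) {
    return !(w >= OLD_LIMIT || h > OLD_LIMIT) && w != 0 && h != 0;
}

/* Sanity check as on the '+' lines, using the assumed maximum. */
bool new_check_accepts(uint32_t w, uint32_t h) {
    return !(w > ASSUMED_MAX_SIZE || h > ASSUMED_MAX_SIZE) && w != 0 && h != 0;
}

/* Allocation size as a 32-bit size_t computes it: wraps modulo 2^32. */
uint32_t alloc_size_32(uint32_t w, uint32_t h) {
    return HEADER_BYTES + w * h * PIXEL_BYTES;
}

/* Bytes that the pixel reads following the allocation actually need. */
uint64_t needed_size(uint32_t w, uint32_t h) {
    return (uint64_t)HEADER_BYTES + (uint64_t)w * h * PIXEL_BYTES;
}

/* Size computation that refuses to wrap, independent of any dimension cap. */
bool checked_alloc_size(uint32_t w, uint32_t h, uint32_t *out) {
    if (h != 0 && w > UINT32_MAX / h)
        return false;
    uint32_t pixels = w * h;
    if (pixels > (UINT32_MAX - HEADER_BYTES) / PIXEL_BYTES)
        return false;
    *out = HEADER_BYTES + pixels * PIXEL_BYTES;
    return true;
}

int main(void) {
    uint32_t w = 0x4000, h = 0x10000; /* constructed dimensions */
    printf("old check accepts: %d, new check accepts: %d\n",
           old_check_accepts(w, h), new_check_accepts(w, h));
    printf("allocated %u bytes, needed %llu bytes\n",
           (unsigned)alloc_size_32(w, h), (unsigned long long)needed_size(w, h));
    return 0;
}
```

The checked variant shows the belt-and-braces form of the same fix: it rejects any size that would wrap even if the dimension cap were later raised.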
--- Begin Message ---
Control: tag -1 wontfix
Hi,
This request was approved and tagged 'confirmed', but no upload was
subsequently made. With the final point release for Jessie now being
prepared, it's unfortunately too late for this package to be updated.
Thanks,
--
Jonathan Wiltshire [email protected]
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
--- End Message ---