Your message dated Sat, 09 Mar 2019 16:30:29 +0000
with message-id <[email protected]>
and subject line Re: Bug#892031: marked as done (stretch-pu: package wayland/1.12.0-1)
has caused the Debian Bug report #892031,
regarding stretch-pu: package wayland/1.12.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
892031: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892031
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu

Hello,

  I would like to apply a fix in stable for #889681.
  I have asked the security team if they want the fix via the security queue or a stable
  update; however, I have gotten no reply yet. I am attaching the patch I intend
  to upload to stable if you acknowledge it.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From 2471b0463e9395bd981f8b875e3280f1fc6b995f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <[email protected]>
Date: Sun, 4 Mar 2018 11:54:40 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
 overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Héctor Orón Martínez <[email protected]>
---
 debian/changelog                    | 11 +++++++++
 debian/patches/CVE-2017-16612.patch | 47 +++++++++++++++++++++++++++++++++++++
 debian/patches/series               |  1 +
 3 files changed, 59 insertions(+)
 create mode 100644 debian/patches/CVE-2017-16612.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 2f84b50..7495ef3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.12.0-1+deb9u1) stretch; urgency=medium
+
+  * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+    - libXcursor before 1.1.15 has various integer overflows that could lead
+      to heap buffer overflows when processing malicious cursors, e.g., with
+      programs like GIMP. It is also possible that an attack vector exists
+      against the related code in cursor/xcursor.c in Wayland through
+      1.14.0.
+
+ -- Héctor Orón Martínez <[email protected]>  Sun, 04 Mar 2018 11:43:29 +0100
+
 wayland (1.12.0-1) unstable; urgency=medium
 
   * New upstream release. Closes: #840752.
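Review bot: the changelog entry repeats the CVE description (libXcursor, GIMP) instead of saying what changed in this package; consider stating the fix concretely, e.g. `cursor/xcursor.c: reject cursor dimensions larger than XCURSOR_IMAGE_MAX_SIZE in XcursorImageCreate and _XcursorReadImage so the allocation size cannot overflow (CVE-2017-16612)`, and naming the upstream commit being backported (5d201df72f3d4f4cb8b8f75f980169b03507da38, visible only inside the patch file) so the origin of the change is clear from the changelog alone.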
diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 0000000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann <[email protected]>
+Date:   Tue Nov 28 21:38:07 2017 +0100
+
+    cursor: Fix heap overflows when parsing malicious files.
+    
+    It is possible to trigger heap overflows due to an integer overflow
+    while parsing images.
+    
+    The integer overflow occurs because the chosen limit 0x10000 for
+    dimensions is too large for 32 bit systems, because each pixel takes
+    4 bytes. Properly chosen values allow an overflow which in turn will
+    lead to less allocated memory than needed for subsequent reads.
+    
+    See also: 
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+    
+    Signed-off-by: Tobias Stoeckmann <[email protected]>
+    [Pekka: add link to the corresponding libXcursor commit]
+    Signed-off-by: Pekka Paalanen <[email protected]>
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
++++ b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+     XcursorImage    *image;
+ 
++    if (width < 0 || height < 0)
++       return NULL;
++    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++       return NULL;
++
+     image = malloc (sizeof (XcursorImage) +
+                   width * height * sizeof (XcursorPixel));
+     if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile             *file,
+     if (!_XcursorReadUInt (file, &head.delay))
+       return NULL;
+     /* sanity check data */
+-    if (head.width >= 0x10000 || head.height > 0x10000)
++    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++      head.height > XCURSOR_IMAGE_MAX_SIZE)
+       return NULL;
+     if (head.width == 0 || head.height == 0)
+       return NULL;
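Review bot: both new checks in the nested diff compare against XCURSOR_IMAGE_MAX_SIZE, but nothing in this 47-line patch defines that macro, so the build depends on it already existing in the 1.12.0 tree's cursor headers; confirm that before upload, since a missing definition fails compilation rather than silently dropping the check. Two details worth keeping in mind when reviewing the backport: the hunk at `@@ -482` replaces the asymmetric `head.width >= 0x10000 || head.height > 0x10000` test with a symmetric `>` comparison against the smaller limit, and the hunk at `@@ -202` adds a separate `width < 0 || height < 0` guard because XcursorImageCreate takes signed `int` parameters while the fields checked in _XcursorReadImage are unsigned, so neither check makes the other redundant.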
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
-- 
2.16.2


--- End Message ---
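To make the arithmetic described in the commit message concrete, here is an added example (not part of the patch, of wayland, or of the Debian package) that models the 32-bit allocation-size computation from cursor/xcursor.c next to the pre-patch and post-patch dimension checks. The 16-byte stand-in header size, the 32768 x 32768 sample header and the 0x7fff value of XCURSOR_IMAGE_MAX_SIZE are assumptions, since the patch does not show the macro's definition.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the size arithmetic in cursor/xcursor.c: a stand-in
 * header size is used instead of the real XcursorImage struct. */
typedef uint32_t XcursorPixel;           /* each pixel takes 4 bytes */
#define HEADER_BYTES 16u                  /* stand-in for sizeof (XcursorImage) */
#define XCURSOR_IMAGE_MAX_SIZE 0x7fff     /* assumed value; the patch does not show it */

/* The malloc() size as a 32-bit size_t computes it: uint32_t wraps modulo 2^32. */
static uint32_t alloc_size_32(uint32_t width, uint32_t height)
{
    return HEADER_BYTES + width * height * (uint32_t)sizeof(XcursorPixel);
}

/* The size the subsequent pixel reads really need, computed without wrap-around. */
static uint64_t needed_size(uint32_t width, uint32_t height)
{
    return HEADER_BYTES + (uint64_t)width * height * sizeof(XcursorPixel);
}

/* _XcursorReadImage sanity check before the patch; head.width/height are unsigned. */
static int old_check_accepts(uint32_t width, uint32_t height)
{
    if (width >= 0x10000 || height > 0x10000) return 0;
    return width != 0 && height != 0;
}

/* Checks after the patch: the signed guard added to XcursorImageCreate (its
 * parameters are int) followed by the symmetric limit test from both hunks. */
static int new_check_accepts(int width, int height)
{
    if (width < 0 || height < 0) return 0;
    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) return 0;
    return width != 0 && height != 0;
}

int main(void)
{
    /* Constructed header: 32768 x 32768 passes the old check, but 32768*32768*4
     * equals 2^32, so a 32-bit size_t wraps to 0 and only the header is allocated. */
    uint32_t w = 0x8000, h = 0x8000;
    printf("old check %d: allocates %u of %llu bytes needed on 32-bit; new check %d\n",
           old_check_accepts(w, h), alloc_size_32(w, h),
           (unsigned long long)needed_size(w, h), new_check_accepts((int)w, (int)h));
    return 0;
}
```

With the assumed limit, even the largest accepted image (0x7fff x 0x7fff) keeps the 32-bit size below 2^32, which is why the smaller bound removes the wrap-around rather than merely shrinking it.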
--- Begin Message ---
Version: 9.8

On Tue, 2018-12-18 at 21:59 +0000, Adam D. Barratt wrote:
> Control: reopen -1
> 
> On Tue, 2018-12-18 at 20:42 +0000, Debian Bug Tracking System wrote:
> > Your message dated Tue, 18 Dec 2018 20:41:35 +0000
> > with message-id <[email protected]>
> > and subject line Bug#892031: fixed in wayland 1.12.0-1+deb9u1
> > has caused the Debian Bug report #892031,
> > regarding stretch-pu: package wayland/1.12.0-1
> > to be marked as done.
> 
>    * debian/patches/CVE-2017-16612.patch: (Closes: #889681, #892031)
> 
> Please don't do that. The release.d.o bug will be closed once the
> updated package is in stable, not before - and certainly not simply
> because the upload reached p-u.

This fix was actually included in 9.8, but we missed closing the bug
because the above removed the "pending" tag...

Regards,

Adam

--- End Message ---