Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi SRMs, There are two security issues in VIPS, which don't warrant a DSA. I would like to update it via PU. Debdiff is attached. Thanks in advance, Laszlo/GCS
diff -Nru vips-8.4.5/debian/changelog vips-8.4.5/debian/changelog
--- vips-8.4.5/debian/changelog 2016-12-21 19:04:52.000000000 +0100
+++ vips-8.4.5/debian/changelog 2019-01-18 19:15:36.000000000 +0100
@@ -1,3 +1,12 @@
+vips (8.4.5-1+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2018-7998: NULL function pointer dereference vulnerability in the
+ vips_region_generate() function.
+ * Fix CVE-2019-6976: zero memory on malloc to prevent write of uninit
+ memory under some error conditions.
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org> Fri, 18 Jan 2019 18:15:36 +0000
+
 vips (8.4.5-1) unstable; urgency=low
 
 * New upstream release.
diff -Nru vips-8.4.5/debian/patches/fix_a_crash_with_delayed_load.patch vips-8.4.5/debian/patches/fix_a_crash_with_delayed_load.patch
--- vips-8.4.5/debian/patches/fix_a_crash_with_delayed_load.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.4.5/debian/patches/fix_a_crash_with_delayed_load.patch 2019-01-18 19:15:36.000000000 +0100
@@ -0,0 +1,101 @@
+From 20d840e6da15c1574b3ed998bc92f91d1e36c2a5 Mon Sep 17 00:00:00 2001
+From: John Cupitt <jcup...@gmail.com>
+Date: Mon, 5 Mar 2018 14:42:09 +0000
+Subject: [PATCH] fix a crash with delayed load
+
+If a delayed load failed, it could leave the pipeline only half-set up.
+Sebsequent threads could then segv.
+
+Set a load-has-failed flag and test before generate.
+
+See https://github.com/jcupitt/libvips/issues/893
+---
+ ChangeLog | 1 +
+ libvips/foreign/foreign.c | 25 +++++++++++++++++++------
+ libvips/include/vips/foreign.h | 5 +++++
+ 3 files changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 68f646540..08aaab8c2 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,6 @@
++12/2/18 started 8.6.3
++- fix a crash if a delayed load failed [gsharpsh00ter]
++
+ 8/12/16 started 8.4.5
+ - allow libgsf-1.14.26 to help centos, thanks tdiprima
+
+diff --git a/libvips/foreign/foreign.c b/libvips/foreign/foreign.c
+index 35ad2be52..fb03fd746 100644
+--- a/libvips/foreign/foreign.c
++++ b/libvips/foreign/foreign.c
+@@ -14,6 +14,8 @@
+ * - forward progress signals from load
+ * 23/5/16
+ * - remove max-alpha stuff, this is now automatic
++ * 5/3/18
++ * - block _start if one start fails, see #893
+ */
+
+ /*
+@@ -761,6 +763,11 @@ vips_foreign_load_start( VipsImage *out, void *a, void *b )
+ VipsForeignLoad *load = VIPS_FOREIGN_LOAD( b );
+ VipsForeignLoadClass *class = VIPS_FOREIGN_LOAD_GET_CLASS( load );
+
++ /* If this start has failed before in another thread, we can fail now.
++ */
++ if( load->error )
++ return( NULL );
++
+ if( !load->real ) {
+ if( !(load->real = vips_foreign_load_temp( load )) )
+ return( NULL );
+@@ -777,19 +784,25 @@ vips_foreign_load_start( VipsImage *out,
+ */
+ load->real->progress_signal = load->out;
+
+- if( class->load( load ) ||
+- vips_image_pio_input( load->real ) )
+- return( NULL );
+-
+- /* ->header() read the header into @out, load has read the
++ /* Load the image and check the result.
++ *
++ * ->header() read the header into @out, load has read the
+ * image into @real. They must match exactly in size, bands,
+ * format and coding for the copy to work.
+ *
+ * Some versions of ImageMagick give different results between
+ * Ping and Load for some formats, for example.
++ *
++ * If the load fails, we need to stop
+ */
+- if( !vips_foreign_load_iscompat( load->real, out ) )
++ if( class->load( load ) ||
++ vips_image_pio_input( load->real ) ||
++ !vips_foreign_load_iscompat( load->real, out ) ) {
++ vips_operation_invalidate( VIPS_OPERATION( load ) );
++ load->error = TRUE;
++
+ return( NULL );
++ }
+
+ /* We have to tell vips that out depends on real. We've set
+ * the demand hint below, but not given an input there.
+diff --git a/libvips/include/vips/foreign.h b/libvips/include/vips/foreign.h
+index 47e285e37..dcbf21c82 100644
+--- a/libvips/include/vips/foreign.h
++++ b/libvips/include/vips/foreign.h
+@@ -149,6 +149,11 @@ typedef struct _VipsForeignLoad {
+ /* Set this to tag the operation as nocache.
+ */
+ gboolean nocache;
++
++ /* Set if a start function fails. We want to prevent the other starts
++ * from also triggering the load.
++ */
++ gboolean error;
+ } VipsForeignLoad;
+
+ typedef struct _VipsForeignLoadClass {
diff -Nru vips-8.4.5/debian/patches/series vips-8.4.5/debian/patches/series
--- vips-8.4.5/debian/patches/series 2016-08-18 21:23:54.000000000 +0200
+++ vips-8.4.5/debian/patches/series 2019-01-18 19:15:36.000000000 +0100
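Review bot: The new `gboolean error` field is written at the end of vips_foreign_load_start() and read at its top with no synchronisation visible in this hunk, so the early `if( load->error ) return( NULL );` is only race-free if the caller serialises start functions (the patch description suggests concurrent threads are exactly the scenario, but the lock, if any, is not shown here). A comment on the field in foreign.h stating which lock or calling discipline protects it would make that invariant checkable, e.g. `/* Written and read only from _start(), which the caller must serialise per image. */`. Separately, the flag is set after vips_operation_invalidate() runs; if the two calls are independent, writing `load->error = TRUE;` first narrows the window in which another start can still enter the load. vips_foreign_load_start() both begins and ends outside the hunk.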
@@ -1 +1,3 @@
 reproducible-build.patch
+fix_a_crash_with_delayed_load.patch
+zero_memory_on_malloc.patch
diff -Nru vips-8.4.5/debian/patches/zero_memory_on_malloc.patch vips-8.4.5/debian/patches/zero_memory_on_malloc.patch
--- vips-8.4.5/debian/patches/zero_memory_on_malloc.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.4.5/debian/patches/zero_memory_on_malloc.patch 2019-01-18 19:15:36.000000000 +0100
@@ -0,0 +1,49 @@
+From 00622428bda8d7521db8d74260b519fa41d69d0a Mon Sep 17 00:00:00 2001
+From: John Cupitt <jcup...@gmail.com>
+Date: Fri, 18 Jan 2019 10:10:43 +0000
+Subject: [PATCH] zero memory on malloc
+
+to prevent write of uninit memory under some error conditions
+
+thanks Balint
+---
+ ChangeLog | 5 ++++-
+ libvips/iofuncs/memory.c | 4 ++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index e80313a8d..057adf95d 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,9 @@
++4/1/19 started 8.7.4
++- magicksave with magick6 API did not chain exceptions correctly causing a
++ memory leak under some conditions [kleisauke]
++- zero memory on allocate to prevent write of uninitialized memory under some
++ error conditions [Balint Varga-Perke]
++
+ 12/2/18 started 8.6.3
+ - fix a crash if a delayed load failed [gsharpsh00ter]
+
+diff --git a/libvips/iofuncs/memory.c b/libvips/iofuncs/memory.c
+index d877e2e0f..9f9b55f83 100644
+--- a/libvips/iofuncs/memory.c
++++ b/libvips/iofuncs/memory.c
+@@ -164,7 +164,7 @@ vips_malloc( VipsObject *object, size_t size )
+ {
+ void *buf;
+
+- buf = g_malloc( size );
++ buf = g_malloc0( size );
+
+ if( object ) {
+ g_signal_connect( object, "postclose",
+@@ -302,7 +302,7 @@ vips_tracked_malloc( size_t size )
+ */
+ size += 16;
+
+- if( !(buf = g_try_malloc( size )) ) {
++ if( !(buf = g_try_malloc0( size )) ) {
+ #ifdef DEBUG
+ g_assert_not_reached();
+ #endif /*DEBUG*/
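Review bot: The switch to g_malloc0() in vips_malloc() and g_try_malloc0() in vips_tracked_malloc() carries no comment explaining that zero-fill is a hardening measure for callers that write or free buffers they never fully initialised on some error paths (the reason given only in the patch header), so a later maintainer trimming allocation cost could revert it without realising what it guards; add `/* Zero-fill: some error paths touch buffers that were never fully initialised, see CVE-2019-6976. */` above the g_malloc0() call and the same note above the g_try_malloc0() call. The unchecked `size += 16;` on the context line above the second change is also worth a bounds note, since a size within 16 of SIZE_MAX would wrap before the allocation; whether callers can reach that depends on input validation not visible here. Both vips_malloc() and vips_tracked_malloc() end outside their hunks.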