Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@packages.debian.org
Control: affects -1 + src:timg

[ Reason ]
Fixing CVE-2023-40968 (buffer overflow vulnerability)

[ Risks ]
Patch is trivial, taken from upstream; local testing done.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

diff -Nru timg-1.4.5/debian/changelog timg-1.4.5/debian/changelog --- timg-1.4.5/debian/changelog 2022-11-30 20:09:18.000000000 +0100 +++ timg-1.4.5/debian/changelog 2023-09-09 19:07:01.000000000 +0200 @@ -1,3 +1,9 @@ +timg (1.4.5-1+deb12u1) bookworm; urgency=medium + + * Cherry-pick upstream fix for CVE-2023-40968 (Closes: #1051231) + + -- Tobias Frost <t...@debian.org> Sat, 09 Sep 2023 19:07:01 +0200 + timg (1.4.5-1) unstable; urgency=medium [ Tobias Frost ] diff -Nru timg-1.4.5/debian/patches/CVE-2023-40968.patch timg-1.4.5/debian/patches/CVE-2023-40968.patch --- timg-1.4.5/debian/patches/CVE-2023-40968.patch 1970-01-01 01:00:00.000000000 +0100 +++ timg-1.4.5/debian/patches/CVE-2023-40968.patch 2023-09-09 19:07:01.000000000 +0200 
@@ -0,0 +1,23 @@ +Description: CVE-2023-40968 buffer overflow vulnerability +Origin: https://github.com/hzeller/timg/commit/2e9414e668144bbe0afc074dac17b74ef4acfdcf +Bug: https://github.com/hzeller/timg/issues/115 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051231 +--- a/src/unicode-block-canvas.cc ++++ b/src/unicode-block-canvas.cc +@@ -417,13 +417,14 @@ + + SCREEN_END_OF_LINE_LEN); // Finishing a line. + + // Depending on even/odd situation, we might need one extra row. +- const size_t new_backing = width * (height + 1) * sizeof(rgba_t); ++ // For quarter, we have one extra possible pixel wider. ++ const size_t new_backing = (width + 1) * (height + 1) * sizeof(rgba_t); + if (new_backing > backing_buffer_size_) { + backing_buffer_ = (rgba_t *)realloc(backing_buffer_, new_backing); + backing_buffer_size_ = new_backing; + } + +- const size_t new_empty = width * sizeof(rgba_t); ++ const size_t new_empty = (width + 1) * sizeof(rgba_t); + if (new_empty > empty_line_size_) { + empty_line_ = (rgba_t *)realloc(empty_line_, new_empty); + empty_line_size_ = new_empty; diff -Nru timg-1.4.5/debian/patches/series timg-1.4.5/debian/patches/series --- timg-1.4.5/debian/patches/series 2022-11-30 19:52:10.000000000 +0100 +++ timg-1.4.5/debian/patches/series 2023-09-09 19:07:01.000000000 +0200 @@ -1 +1,2 @@ use-system-qui.patch +CVE-2023-40968.patch
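
Review bot: In the src/unicode-block-canvas.cc hunk of CVE-2023-40968.patch, both realloc() results are still assigned directly to backing_buffer_ and empty_line_ without a NULL check, and backing_buffer_size_ / empty_line_size_ are then set to the new size regardless. If the allocation fails, the old block is leaked, the pointer becomes NULL, and the recorded size claims capacity that does not exist, so the next write goes through a null pointer. Since the fix enlarges both requests, it would be worth assigning the result to a temporary, checking it, and only then updating the pointer and the size field. A smaller point on the same lines: the new comment says the extra column is needed for quarter blocks, yet `(width + 1)` is applied unconditionally; that is safe, but the comment could say the extra column is always reserved so a later reader does not "optimize" it back to `width` for the non-quarter case. For the Debian side, the DEP-3 header carries Origin, Bug and Bug-Debian; adding an `Applied-Upstream:` field with the commit from the Origin line would make the cherry-pick status explicit.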