Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
Control: affects -1 + src:vips
Hi RMs,

[ Reason ]
A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. It is considered a security issue and has the CVE-2023-40032 identifier.

[ Impact ]
It is an application crash and can't be used for more. Hence the Security Team decided it doesn't get a DSA. But it would be nice to get the package updated.

[ Tests ]
Upstream testsuite and Sid update don't report any regressions.

[ Risks ]
The proposed change has very little risk of side-effects.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in bookworm
[x] the issue is verified as fixed in unstable

Thanks for considering,
Laszlo/GCS
diff -Nru vips-8.14.1/debian/changelog vips-8.14.1/debian/changelog --- vips-8.14.1/debian/changelog 2023-02-13 10:48:58.000000000 +0100 +++ vips-8.14.1/debian/changelog 2023-11-14 16:05:39.000000000 +0100 @@ -1,3 +1,10 @@ +vips (8.14.1-3+deb12u1) bookworm; urgency=medium + + * Backport upstream security fix for CVE-2023-40032: svgload: fix + null-pointer dereference. + + -- Laszlo Boszormenyi (GCS) <g...@debian.org> Tue, 14 Nov 2023 16:05:39 +0100 + vips (8.14.1-3) unstable; urgency=medium * Double self-testing timeout on mips64el and mipsel architectures. diff -Nru vips-8.14.1/debian/patches/CVE-2023-40032.patch vips-8.14.1/debian/patches/CVE-2023-40032.patch --- vips-8.14.1/debian/patches/CVE-2023-40032.patch 1970-01-01 01:00:00.000000000 +0100 +++ vips-8.14.1/debian/patches/CVE-2023-40032.patch 2023-11-14 16:05:39.000000000 +0100 
@@ -0,0 +1,71 @@ +From e091d65835966ef56d53a4105a7362cafdb1582b Mon Sep 17 00:00:00 2001 +From: Kleis Auke Wolthuizen <git...@kleisauke.nl> +Date: Sun, 13 Aug 2023 15:48:54 +0200 +Subject: [PATCH] svgload: fix null-pointer dereference (#3604) + +`g_utf8_find_next_char()` might return NULL when called with a +non-NULL second argument, indicating that the end of the string +has been reached. +--- + ChangeLog | 4 ++++ + libvips/foreign/svgload.c | 18 +++++++++++++++--- + 2 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index e47ee86bb4..b7544219e5 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,7 @@ ++TBD 8.14.4 ++ ++- fix null-pointer dereference during svgload [kleisauke] ++ + TBD 8.14.2 + + - dedupe FITS header write [ewelot] +diff --git a/libvips/foreign/svgload.c b/libvips/foreign/svgload.c +index 94072581d4..aefd412ed2 100644 +--- a/libvips/foreign/svgload.c ++++ b/libvips/foreign/svgload.c +@@ -145,7 +145,7 @@ vips_foreign_load_svg_zfree( void *opaque, void *ptr ) + /* Find a utf-8 substring within the first len_bytes (not characters). + * + * - case-insensitive +- * - needle must be zero-terminated, but hackstack need not be ++ * - needle must be zero-terminated, but haystack need not be + * - haystack can be null-terminated + * - if haystack is shorter than len bytes, that'll end the search + * - if we hit invalid utf-8, we return NULL +@@ -191,11 +191,14 @@ vips_utf8_strcasestr( const char *haystack_start, const char *needle_start, + b == (gunichar) -2 ) + return( NULL ); + +- /* End of haystack. There can't be a complete needle +- * anywhere. ++ /* Disallow codepoint U+0000 as it's a nul byte. ++ * This is redundant with GLib >= 2.63.0, see: ++ * https://gitlab.gnome.org/GNOME/glib/-/merge_requests/967 + */ ++#if !GLIB_CHECK_VERSION( 2, 63, 0 ) + if( a == (gunichar) 0 ) + return( NULL ); ++#endif + + /* Mismatch. 
+ */ +@@ -205,6 +208,15 @@ vips_utf8_strcasestr( const char *haystack_start, const char *needle_start, + haystack_char = + g_utf8_find_next_char( haystack_char, + haystack_start + len_bytes ); ++ ++ /* End of haystack. There can't be a complete needle ++ * anywhere. ++ */ ++ if( haystack_char == NULL ) ++ return( NULL ); ++ ++ /* needle_char will never be NULL. ++ */ + needle_char = + g_utf8_find_next_char( needle_char, NULL ); + } diff -Nru vips-8.14.1/debian/patches/series vips-8.14.1/debian/patches/series --- vips-8.14.1/debian/patches/series 2023-02-12 08:52:21.000000000 +0100 +++ vips-8.14.1/debian/patches/series 2023-11-14 16:05:39.000000000 +0100 @@ -1,2 +1,3 @@ dedupe_fits_header.patch fix_target_pnm_write.patch +CVE-2023-40032.patch
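Review bot: The debian/changelog entry names the CVE but not the upstream commit being backported, although the patch header carries it (commit e091d65835966ef56d53a4105a7362cafdb1582b, upstream #3604); citing it in the entry, e.g. "Backport upstream commit e091d658 (#3604) for CVE-2023-40032", lets the release team match the backport against upstream without opening the patch file.

Review bot: The CVE-2023-40032.patch hunk bundles a second behavioural change alongside the NULL check it is named for: the new `#if !GLIB_CHECK_VERSION( 2, 63, 0 )` guard around `if( a == (gunichar) 0 ) return( NULL );` compiles the explicit U+0000 rejection out on newer GLib and relies on `g_utf8_get_char_validated()` rejecting it there instead, as the added comment and the linked GLib merge request explain. For a stable update it is worth recording (in d/changelog or the patch header) that bookworm's GLib is newer than 2.63, so the guarded branch is dropped and the observable behaviour is unchanged. The NULL check itself is placed correctly, right after the bounded `g_utf8_find_next_char( haystack_char, haystack_start + len_bytes )` call and before `haystack_char` is dereferenced again, and the "needle_char will never be NULL" comment holds because that call passes a NULL end. Separately, the upstream ChangeLog hunk ("TBD 8.14.4 ... fix null-pointer dereference during svgload") is housekeeping with no effect on the build and its context line "TBD 8.14.2" has to match the tree after the earlier dedupe_fits_header.patch; dropping that hunk from the Debian patch removes one way for quilt to fail to apply.

As an added illustration of the end-of-buffer handling the fix is about (example code written for this note, not libvips or GLib code): a small C model of the contract the patch description relies on, that `g_utf8_find_next_char()` returns NULL once a non-NULL end is reached and never returns NULL when the end is NULL, and a bounded, case-insensitive UTF-8 substring search built on it that checks for NULL after every advance of the haystack cursor. The decoder, the helper names and the ASCII-only case folding are simplifications assumed here, not the library's implementation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode the code point at p without reading at or past end.
 * Returns -1 for an invalid or truncated sequence, the same signal
 * GLib's g_utf8_get_char_validated() gives with -1/-2 (modelled here). */
static long utf8_get_char_validated(const char *p, const char *end)
{
	const unsigned char *s = (const unsigned char *) p;
	size_t n;
	long cp;

	if (p >= end)
		return -1;
	if (s[0] < 0x80) {
		n = 1; cp = s[0];
	} else if ((s[0] & 0xE0) == 0xC0) {
		n = 2; cp = s[0] & 0x1F;
	} else if ((s[0] & 0xF0) == 0xE0) {
		n = 3; cp = s[0] & 0x0F;
	} else if ((s[0] & 0xF8) == 0xF0) {
		n = 4; cp = s[0] & 0x07;
	} else {
		return -1;                /* stray continuation or invalid lead byte */
	}
	if ((size_t) (end - p) < n)
		return -1;                /* sequence truncated at the bound */
	for (size_t i = 1; i < n; i++) {
		if ((s[i] & 0xC0) != 0x80)
			return -1;
		cp = (cp << 6) | (s[i] & 0x3F);
	}
	return cp;
}

/* Step to the next character start (model of g_utf8_find_next_char()).
 * With a non-NULL end this returns NULL once the end is reached, which is
 * exactly the case the libvips fix guards; with a NULL end it stops at the
 * terminating NUL and never returns NULL. */
static const char *utf8_find_next_char(const char *p, const char *end)
{
	if (end == NULL) {
		if (*p == '\0')
			return p;
		for (++p; (*(const unsigned char *) p & 0xC0) == 0x80; ++p)
			;
		return p;
	}
	for (++p; p < end && (*(const unsigned char *) p & 0xC0) == 0x80; ++p)
		;
	return p < end ? p : NULL;
}

/* Assumed simplification: only ASCII letters are case-folded. */
static long fold(long cp)
{
	return (cp >= 'A' && cp <= 'Z') ? cp + 32 : cp;
}

/* Case-insensitive search for the NUL-terminated needle within the first
 * len_bytes of haystack, which need not be NUL-terminated. Returns a
 * pointer to the match, or NULL on no match, a NUL inside the bound, or
 * invalid/truncated UTF-8 in either string. */
const char *utf8_strcasestr(const char *haystack_start,
	const char *needle_start, size_t len_bytes)
{
	const char *end = haystack_start + len_bytes;
	const char *needle_end = needle_start + strlen(needle_start) + 1;
	const char *haystack;

	if (*needle_start == '\0')
		return haystack_start;    /* empty needle matches at the start */

	for (haystack = haystack_start; haystack != NULL;
		haystack = utf8_find_next_char(haystack, end)) {
		const char *h = haystack;
		const char *n = needle_start;

		for (;;) {
			long a = utf8_get_char_validated(h, end);
			long b = utf8_get_char_validated(n, needle_end);

			if (a < 0 || b < 0)
				return NULL;      /* invalid UTF-8 ends the search */
			if (a == 0)
				return NULL;      /* NUL inside the bound: end of haystack */
			if (fold(a) != fold(b))
				break;            /* mismatch: retry from the next haystack char */
			n = utf8_find_next_char(n, NULL);
			if (*n == '\0')
				return haystack;  /* whole needle matched */
			h = utf8_find_next_char(h, end);
			if (h == NULL)
				return NULL;      /* the check the fix adds: bound reached mid-needle */
		}
	}
	return NULL;
}

int main(void)
{
	/* Constructed inputs: a buffer without a terminating NUL, and a
	 * haystack that runs out while the needle still has characters. */
	static const char raw[] = { '<', 'S', 'V', 'G', '>' };
	const char *hit = utf8_strcasestr(raw, "svg", sizeof raw);
	printf("match at offset %ld\n", hit ? (long) (hit - raw) : -1L);
	printf("%s\n", utf8_strcasestr("ab", "abc", 2) ? "match" : "no match");
	return 0;
}
```

The "ab" / "abc" case is the one that mattered for the CVE: the haystack cursor reaches the bound after the second character, the bounded advance returns NULL, and without the check the next decode would read through that NULL pointer.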