
Bug#1055944: marked as done (bookworm-pu: package vips/8.14.1-3+deb12u1)



Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055944,
regarding bookworm-pu: package vips/8.14.1-3+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1055944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055944
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
Control: affects -1 + src:vips

Hi RMs,

[ Reason ]
A specially crafted SVG input can cause libvips versions 8.14.3 or
earlier to segfault when attempting to parse a malformed UTF-8
character. It is considered a security issue and has the
CVE-2023-40032 identifier.

[ Impact ]
It is an application crash and can't be used for more. Hence the
Security Team decided it doesn't get a DSA. But it would be nice to
get the package updated.

[ Tests ]
Upstream testsuite and Sid update don't report any regressions.

[ Risks ]
The proposed change has very little risk of side-effects.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bookworm
  [x] the issue is verified as fixed in unstable

Thanks for considering,
Laszlo/GCS
diff -Nru vips-8.14.1/debian/changelog vips-8.14.1/debian/changelog
--- vips-8.14.1/debian/changelog	2023-02-13 10:48:58.000000000 +0100
+++ vips-8.14.1/debian/changelog	2023-11-14 16:05:39.000000000 +0100
@@ -1,3 +1,10 @@
+vips (8.14.1-3+deb12u1) bookworm; urgency=medium
+
+  * Backport upstream security fix for CVE-2023-40032: svgload: fix
+    null-pointer dereference.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 14 Nov 2023 16:05:39 +0100
+
 vips (8.14.1-3) unstable; urgency=medium
 
   * Double self-testing timeout on mips64el and mipsel architectures.
diff -Nru vips-8.14.1/debian/patches/CVE-2023-40032.patch vips-8.14.1/debian/patches/CVE-2023-40032.patch
--- vips-8.14.1/debian/patches/CVE-2023-40032.patch	1970-01-01 01:00:00.000000000 +0100
+++ vips-8.14.1/debian/patches/CVE-2023-40032.patch	2023-11-14 16:05:39.000000000 +0100
@@ -0,0 +1,71 @@
+From e091d65835966ef56d53a4105a7362cafdb1582b Mon Sep 17 00:00:00 2001
+From: Kleis Auke Wolthuizen <github@kleisauke.nl>
+Date: Sun, 13 Aug 2023 15:48:54 +0200
+Subject: [PATCH] svgload: fix null-pointer dereference (#3604)
+
+`g_utf8_find_next_char()` might return NULL when called with a
+non-NULL second argument, indicating that the end of the string
+has been reached.
+---
+ ChangeLog                 |  4 ++++
+ libvips/foreign/svgload.c | 18 +++++++++++++++---
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index e47ee86bb4..b7544219e5 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,7 @@
++TBD 8.14.4
++
++- fix null-pointer dereference during svgload [kleisauke]
++
+ TBD 8.14.2
+ 
+ - dedupe FITS header write [ewelot]
+diff --git a/libvips/foreign/svgload.c b/libvips/foreign/svgload.c
+index 94072581d4..aefd412ed2 100644
+--- a/libvips/foreign/svgload.c
++++ b/libvips/foreign/svgload.c
+@@ -145,7 +145,7 @@ vips_foreign_load_svg_zfree( void *opaque, void *ptr )
+ /* Find a utf-8 substring within the first len_bytes (not characters). 
+  *
+  *   - case-insensitive
+- *   - needle must be zero-terminated, but hackstack need not be
++ *   - needle must be zero-terminated, but haystack need not be
+  *   - haystack can be null-terminated
+  *   - if haystack is shorter than len bytes, that'll end the search 
+  *   - if we hit invalid utf-8, we return NULL
+@@ -191,11 +191,14 @@ vips_utf8_strcasestr( const char *haystack_start, const char *needle_start,
+ 				b == (gunichar) -2 )
+                                 return( NULL );
+ 
+-                        /* End of haystack. There can't be a complete needle
+-                         * anywhere.
++                        /* Disallow codepoint U+0000 as it's a nul byte.
++                         * This is redundant with GLib >= 2.63.0, see:
++                         * https://gitlab.gnome.org/GNOME/glib/-/merge_requests/967
+                          */
++#if !GLIB_CHECK_VERSION( 2, 63, 0 )
+                         if( a == (gunichar) 0 )
+                                 return( NULL );
++#endif
+ 
+                         /* Mismatch.
+                          */
+@@ -205,6 +208,15 @@ vips_utf8_strcasestr( const char *haystack_start, const char *needle_start,
+                         haystack_char = 
+ 				g_utf8_find_next_char( haystack_char, 
+ 					haystack_start + len_bytes );
++
++                        /* End of haystack. There can't be a complete needle
++                         * anywhere.
++                         */
++                        if( haystack_char == NULL )
++                                return( NULL );
++
++                        /* needle_char will never be NULL.
++                         */
+                         needle_char = 
+ 				g_utf8_find_next_char( needle_char, NULL );
+                 }
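Review bot: The new `haystack_char == NULL` return in vips_utf8_strcasestr (the embedded `@@ -205` region) ships without a test: the upstream diffstat lists only ChangeLog and libvips/foreign/svgload.c, so nothing exercises the end-of-haystack path. A regression case that loads an SVG with a malformed UTF-8 character, as described in the request, would keep this from coming back. In the same region, the comment "needle_char will never be NULL" should say why: that call passes NULL as the end argument, and the commit message ties a NULL return to a non-NULL second argument. In the `@@ -191` region the `a == (gunichar) 0` return is now compiled only for GLib older than 2.63.0, so the comment should name the earlier check that stops the scan at a nul byte on newer GLib.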
diff -Nru vips-8.14.1/debian/patches/series vips-8.14.1/debian/patches/series
--- vips-8.14.1/debian/patches/series	2023-02-12 08:52:21.000000000 +0100
+++ vips-8.14.1/debian/patches/series	2023-11-14 16:05:39.000000000 +0100
@@ -1,2 +1,3 @@
 dedupe_fits_header.patch
 fix_target_pnm_write.patch
+CVE-2023-40032.patch

--- End Message ---
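
The failure mode named in the upstream commit message, as an added example (not libvips code and not part of this mail). `next_char` is a hypothetical stand-in for the bounded form of `g_utf8_find_next_char()`, and `match_at` / `find_bounded` are simplified, ASCII-needle helpers written for illustration; the NULL check in `match_at` plays the role of the check the patch adds.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for g_utf8_find_next_char(p, end) with a non-NULL
 * end: step to the next UTF-8 lead byte, or return NULL once end is reached. */
static const char *next_char(const char *p, const char *end)
{
    for (++p; p < end && ((unsigned char)*p & 0xc0) == 0x80; ++p)
        ;
    return p >= end ? NULL : p;
}

/* Case-insensitive match of a zero-terminated ASCII needle at pos, reading
 * only bytes before end. The haystack need not be zero-terminated. */
static int match_at(const char *pos, const char *end, const char *needle)
{
    const char *h = pos;
    for (const char *n = needle; *n != '\0'; ++n) {
        /* Haystack ended before the needle did. Without this check the
         * next line dereferences NULL, which is the crash being fixed. */
        if (h == NULL)
            return 0;
        if (tolower((unsigned char)*h) != tolower((unsigned char)*n))
            return 0;
        h = next_char(h, end);
    }
    return 1;
}

/* Search the first len_bytes of hay; return the match offset or -1. */
long find_bounded(const char *hay, size_t len_bytes, const char *needle)
{
    const char *end = hay + len_bytes;
    for (const char *p = len_bytes ? hay : NULL; p != NULL;
         p = next_char(p, end))
        if (match_at(p, end, needle))
            return (long)(p - hay);
    return -1;
}

int main(void)
{
    /* Constructed input: no terminator, needle cut off by the bound. */
    const char cut[] = { 'a', '<', 's', 'v' };
    printf("%ld\n", find_bounded(cut, sizeof cut, "<svg"));
    printf("%ld\n", find_bounded("xx<SVG>", 7, "<svg"));
    return 0;
}
```
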
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam

--- End Message ---
