Bug#996695: buster-pu: package plib/plib_1.8.5-8+deb10u1

2021-11-01 Thread Salvatore Bonaccorso
Hi Anton,

On Mon, Nov 01, 2021 at 10:19:03PM +0100, Salvatore Bonaccorso wrote:
> Hi Anton,
> 
> On Sun, Oct 17, 2021 at 03:20:41PM +0200, Anton Gladky wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > Dear release team,
> > 
> > the plib versioned 1.8.5-8+deb10u1 is prepared for the bullseye next
> > stable release.
> 
> Did you mean to file this for bullseye-pu (with a +deb11u1 suffix)?
> I see that both versions are uploaded:
> 
> plib   | 1.8.5-8+deb10u1 | oldstable-new   | source
> plib   | 1.8.5-8+deb11u1 | stable-new  | source
> 
> Both buster and bullseye have the same version, but two separate bugs
> for the update in buster-pu and bullseye-pu would be needed.

Scratch that last part, while searching I missed #996694 and got
confused by the text in the report :).

Regards,
Salvatore



Bug#996695: buster-pu: package plib/plib_1.8.5-8+deb10u1

2021-11-01 Thread Salvatore Bonaccorso
Hi Anton,

On Sun, Oct 17, 2021 at 03:20:41PM +0200, Anton Gladky wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Dear release team,
> 
> the plib versioned 1.8.5-8+deb10u1 is prepared for the bullseye next
> stable release.

Did you mean to file this for bullseye-pu (with a +deb11u1 suffix)?
I see that both versions are uploaded:

plib   | 1.8.5-8+deb10u1 | oldstable-new   | source
plib   | 1.8.5-8+deb11u1 | stable-new  | source

Both buster and bullseye have the same version, but two separate bugs
for the update in buster-pu and bullseye-pu would be needed.

Regards,
Salvatore



Bug#996695: buster-pu: package plib/plib_1.8.5-8+deb10u1

2021-10-17 Thread Anton Gladky
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

the plib versioned 1.8.5-8+deb10u1 is prepared for the bullseye next
stable release.

[ Reason ]
This upload fixes a security issue CVE-2021-38714.

[ Impact ]
It should not have any impact on end users.

[ Tests ]
Salsa-ci is employed to check main package characteristics
https://salsa.debian.org/debian/plib/-/pipelines/303704

[ Risks ]
No risks are known.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
See attached diff. Sanitized values check is implemented.

Best regards

Anton
diff -Nru plib-1.8.5/debian/changelog plib-1.8.5/debian/changelog
--- plib-1.8.5/debian/changelog 2017-07-24 21:24:48.0 +0200
+++ plib-1.8.5/debian/changelog 2021-10-17 14:56:13.0 +0200
@@ -1,3 +1,10 @@
+plib (1.8.5-8+deb10u1) buster; urgency=medium
+
+  * Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
+(Closes: #992973)
+
+ -- Anton Gladky   Sun, 17 Oct 2021 14:56:13 +0200
+
 plib (1.8.5-8) unstable; urgency=medium
 
   * QA upload.
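
Review bot: the new 1.8.5-8+deb10u1 entry documents only the ssgLoadTGA() fix, while this debdiff also adds debian/.gitlab-ci.yml. Add a changelog line for the CI file so the entry matches the "*all* changes are documented in the d/changelog" item ticked in the request.
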
diff -Nru plib-1.8.5/debian/.gitlab-ci.yml plib-1.8.5/debian/.gitlab-ci.yml
--- plib-1.8.5/debian/.gitlab-ci.yml1970-01-01 01:00:00.0 +0100
+++ plib-1.8.5/debian/.gitlab-ci.yml2021-10-17 14:56:13.0 +0200
@@ -0,0 +1,7 @@
+include:
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'buster'
+  SALSA_CI_COMPONENTS: 'main contrib non-free'
+  SALSA_CI_DISABLE_REPROTEST: 1
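
Review bot: SALSA_CI_DISABLE_REPROTEST: 1 switches the reproducibility job off with no comment saying why; add a one-line comment with the reason, or drop the variable if the job passes on buster. The include also follows the recipe on the master branch rather than a fixed revision, so the pipeline cited under [ Tests ] can behave differently later without any change in this package.
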
diff -Nru plib-1.8.5/debian/patches/08_CVE-2021-38714.patch 
plib-1.8.5/debian/patches/08_CVE-2021-38714.patch
--- plib-1.8.5/debian/patches/08_CVE-2021-38714.patch   1970-01-01 
01:00:00.0 +0100
+++ plib-1.8.5/debian/patches/08_CVE-2021-38714.patch   2021-10-10 
15:14:22.0 +0200
@@ -0,0 +1,64 @@
+Description: Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
+Author: Anton Gladky 
+Bug-Debian: https://bugs.debian.org/992973
+Last-Update: 2021-10-02
+
+Index: plib/src/ssg/ssgLoadTGA.cxx
+===
+--- plib.orig/src/ssg/ssgLoadTGA.cxx
 plib/src/ssg/ssgLoadTGA.cxx
+@@ -23,6 +23,7 @@
+ 
+ 
+ #include "ssgLocal.h"
++#include 
+ 
+ #ifdef SSG_LOAD_TGA_SUPPORTED
+ 
+@@ -103,9 +104,9 @@ bool ssgLoadTGA ( const char *fname, ssg
+ 
+ // image info
+ int type = header[2];
+-int xsize = get16u(header + 12);
+-int ysize = get16u(header + 14);
+-int bits  = header[16];
++unsigned int xsize = get16u(header + 12);
++unsigned int ysize = get16u(header + 14);
++unsigned int bits  = header[16];
+ 
+ /* image types:
+  *
+@@ -169,9 +170,32 @@ bool ssgLoadTGA ( const char *fname, ssg
+ }
+ 
+ 
++const auto bytes_to_allocate = (bits / 8) * xsize * ysize;
++
++ulSetError( UL_DEBUG, "bytes_to_allocate=%ld xsize = %ld, ysize = %ld, 
%ld == %ld ", bytes_to_allocate, xsize, ysize, bytes_to_allocate / xsize, 
(ysize * (bits / 8)));
++
++if (xsize != 0 && ((ysize * (bits / 8)) != bytes_to_allocate / xsize))
++{
++  ulSetError( UL_WARNING, "Integer overflow in image size: xsize = %d, 
ysize = %d", xsize, ysize);
++  return false;
++}
++else
++{
++ulSetError( UL_DEBUG, "ssgLoadTGA: Allocating %ld bytes for the size 
%d x %d", bytes_to_allocate, xsize, ysize );
++}
++
+ // read image data
+ 
+-GLubyte *image = new GLubyte [ (bits / 8) * xsize * ysize ];
++GLubyte *image;
++try
++{
++image = new GLubyte [ bytes_to_allocate ];
++}
++catch (const std::bad_alloc&)
++{
++ulSetError( UL_WARNING, "ssgLoadTGA:  Allocation of %d bytes 
failed!", bytes_to_allocate);
++  return false;
++}
+ 
+ if ((type & 8) != 0) 
+ {
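
Review bot: in the last hunk of 08_CVE-2021-38714.patch, the UL_DEBUG ulSetError() call passes bytes_to_allocate / xsize as an argument, and that division sits ahead of the xsize != 0 guard in the following if, so a TGA header with a width of 0 divides by zero before the check is reached. Move the debug call into the guarded branch or drop the quotient from it. The format strings also do not match their arguments: xsize, ysize and bytes_to_allocate are unsigned int (the product has only unsigned int operands), yet they are passed to %ld and %d; use %u for all of them. The #include added in the first hunk shows no header name in this copy; the catch of std::bad_alloc needs <new>.
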
diff -Nru plib-1.8.5/debian/patches/series plib-1.8.5/debian/patches/series
--- plib-1.8.5/debian/patches/series2017-07-24 20:11:17.0 +0200
+++ plib-1.8.5/debian/patches/series2021-10-02 13:24:19.0 +0200
@@ -6,3 +6,4 @@
 06_spelling_errors.diff
 05_CVE-2012-4552.diff
 07_dont_break_joystick_system_calibration.diff
+08_CVE-2021-38714.patch