Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package chafa for openSUSE:Factory checked 
in at 2022-04-25 23:35:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/chafa (Old)
 and      /work/SRC/openSUSE:Factory/.chafa.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "chafa"

Mon Apr 25 23:35:26 2022 rev:12 rq:972507 version:1.10.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/chafa/chafa.changes      2022-04-04 
19:27:20.851880232 +0200
+++ /work/SRC/openSUSE:Factory/.chafa.new.1538/chafa.changes    2022-04-25 
23:35:36.650423475 +0200
@@ -1,0 +2,10 @@
+Mon Apr 25 08:21:26 UTC 2022 - Michael Vetter <mvet...@suse.com>
+
+- Update to 1.10.2:
+  * Added disclosure guidelines in SECURITY.md
+  * Fix huntr.dev: Null pointer dereference in libnsgif with crafted GIF file
+  * [unfiled] File magic would not effectively rule out internal loaders.
+  * [unfiled] Very big images could cause absurd allocation requests
+    triggering an abort in the loader.
+
+-------------------------------------------------------------------

Old:
----
  chafa-1.10.1.tar.xz

New:
----
  chafa-1.10.2.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ chafa.spec ++++++
--- /var/tmp/diff_new_pack.GvamiE/_old  2022-04-25 23:35:37.134424153 +0200
+++ /var/tmp/diff_new_pack.GvamiE/_new  2022-04-25 23:35:37.138424159 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           chafa
-Version:        1.10.1
+Version:        1.10.2
 Release:        0
 Summary:        Image-to-text converter for terminal
 License:        LGPL-3.0-or-later

++++++ chafa-1.10.1.tar.xz -> chafa-1.10.2.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/Makefile.am new/chafa-1.10.2/Makefile.am
--- old/chafa-1.10.1/Makefile.am        2022-02-17 18:54:27.000000000 +0100
+++ new/chafa-1.10.2/Makefile.am        2022-04-25 00:31:49.000000000 +0200
@@ -3,6 +3,7 @@
 EXTRA_DIST = \
        HACKING \
        README.md \
+       SECURITY.md \
        autogen.sh \
        chafa.pc.in
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/Makefile.in new/chafa-1.10.2/Makefile.in
--- old/chafa-1.10.1/Makefile.in        2022-04-04 00:13:19.000000000 +0200
+++ new/chafa-1.10.2/Makefile.in        2022-04-25 00:39:22.000000000 +0200
@@ -387,6 +387,7 @@
 EXTRA_DIST = \
        HACKING \
        README.md \
+       SECURITY.md \
        autogen.sh \
        chafa.pc.in
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/NEWS new/chafa-1.10.2/NEWS
--- old/chafa-1.10.1/NEWS       2022-04-04 00:11:55.000000000 +0200
+++ new/chafa-1.10.2/NEWS       2022-04-25 00:31:49.000000000 +0200
@@ -1,6 +1,21 @@
 Chafa releases
 ==============
 
+1.10.2 (2022-04-25)
+-------------------
+
+This release adds security/responsible disclosure guidelines and fixes a few
+issues with input validation in the 'chafa' command-line tool.
+
+* Added disclosure guidelines in SECURITY.md (suggested by Jamie Slome).
+
+* Bug fixes:
+  huntr.dev  Null pointer dereference in libnsgif with crafted GIF file
+             (reported by @JieyongMa).
+  [unfiled]  File magic would not effectively rule out internal loaders.
+  [unfiled]  Very big images could cause absurd allocation requests triggering
+             an abort in the loader.
+
 1.10.1 (2022-04-04)
 -------------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/SECURITY.md new/chafa-1.10.2/SECURITY.md
--- old/chafa-1.10.1/SECURITY.md        1970-01-01 01:00:00.000000000 +0100
+++ new/chafa-1.10.2/SECURITY.md        2022-04-25 00:31:49.000000000 +0200
@@ -0,0 +1,38 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for Chafa.
+
+## Reporting a Bug
+
+We are grateful for the testing and analysis carried out by the community. All
+bug reports are taken seriously.
+
+Normally, bugs can be filed directly in the public GitHub issue tracker, but if
+you believe there is a security impact, please contact the lead maintainer at
+his e-mail address <h...@hpjansson.org> instead.
+
+We will most likely respond within 48 hours, but since Chafa is a volunteer
+project, please allow up to a week for those rare times we're away from the
+keyboard or general connectivity.
+
+When a fix is published, you will receive credit under your real name or bug
+tracker handle in the NEWS document and possibly elsewhere (GitHub, blog post,
+etc). If you prefer to remain anonymous or pseudonymous, you should mention
+this in your e-mail.
+
+## Disclosure Policy
+
+The maintainer will coordinate the fix and release process, involving the
+following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+You may be asked to provide further information in pursuit of a fix.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved, please submit an
+issue or pull request.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/configure new/chafa-1.10.2/configure
--- old/chafa-1.10.1/configure  2022-04-04 00:13:20.000000000 +0200
+++ new/chafa-1.10.2/configure  2022-04-25 00:39:23.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for chafa 1.10.1.
+# Generated by GNU Autoconf 2.69 for chafa 1.10.2.
 #
 # Report bugs to <h...@hpjansson.org>.
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='chafa'
 PACKAGE_TARNAME='chafa'
-PACKAGE_VERSION='1.10.1'
-PACKAGE_STRING='chafa 1.10.1'
+PACKAGE_VERSION='1.10.2'
+PACKAGE_STRING='chafa 1.10.2'
 PACKAGE_BUGREPORT='h...@hpjansson.org'
 PACKAGE_URL=''
 
@@ -1392,7 +1392,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures chafa 1.10.1 to adapt to many kinds of systems.
+\`configure' configures chafa 1.10.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1462,7 +1462,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of chafa 1.10.1:";;
+     short | recursive ) echo "Configuration of chafa 1.10.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1604,7 +1604,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-chafa configure 1.10.1
+chafa configure 1.10.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1973,7 +1973,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by chafa $as_me 1.10.1, which was
+It was created by chafa $as_me 1.10.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2831,7 +2831,7 @@
 
 # Define the identity of the package.
  PACKAGE='chafa'
- VERSION='1.10.1'
+ VERSION='1.10.2'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -2933,8 +2933,8 @@
 
 CHAFA_MAJOR_VERSION=1
 CHAFA_MINOR_VERSION=10
-CHAFA_MICRO_VERSION=1
-CHAFA_VERSION=1.10.1
+CHAFA_MICRO_VERSION=2
+CHAFA_VERSION=1.10.2
 
 
 
@@ -2948,7 +2948,7 @@
 $as_echo "#define CHAFA_MINOR_VERSION 10" >>confdefs.h
 
 
-$as_echo "#define CHAFA_MICRO_VERSION 1" >>confdefs.h
+$as_echo "#define CHAFA_MICRO_VERSION 2" >>confdefs.h
 
 
 cat >>confdefs.h <<_ACEOF
@@ -15463,7 +15463,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by chafa $as_me 1.10.1, which was
+This file was extended by chafa $as_me 1.10.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -15529,7 +15529,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-chafa config.status 1.10.1
+chafa config.status 1.10.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/configure.ac 
new/chafa-1.10.2/configure.ac
--- old/chafa-1.10.1/configure.ac       2022-04-04 00:12:06.000000000 +0200
+++ new/chafa-1.10.2/configure.ac       2022-04-25 00:32:46.000000000 +0200
@@ -6,7 +6,7 @@
 
 m4_define([chafa_major_version], [1])
 m4_define([chafa_minor_version], [10])
-m4_define([chafa_micro_version], [1])
+m4_define([chafa_micro_version], [2])
 
 m4_define([chafa_version], 
[chafa_major_version.chafa_minor_version.chafa_micro_version])
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/docs/chafa.1 
new/chafa-1.10.2/docs/chafa.1
--- old/chafa-1.10.1/docs/chafa.1       2022-04-04 00:13:33.000000000 +0200
+++ new/chafa-1.10.2/docs/chafa.1       2022-04-25 00:39:40.000000000 +0200
@@ -2,7 +2,7 @@
 .\"     Title: chafa
 .\"    Author: Hans Petter Jansson
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 04/04/2022
+.\"      Date: 04/25/2022
 .\"    Manual: User Commands
 .\"    Source: chafa
 .\"  Language: English
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/docs/html/index.html 
new/chafa-1.10.2/docs/html/index.html
--- old/chafa-1.10.1/docs/html/index.html       2022-04-04 00:13:52.000000000 
+0200
+++ new/chafa-1.10.2/docs/html/index.html       2022-04-25 00:39:53.000000000 
+0200
@@ -15,7 +15,7 @@
 <div>
 <div><table class="navigation" id="top" width="100%" cellpadding="2" 
cellspacing="0"><tr><th valign="middle"><p class="title">Chafa Reference 
Manual</p></th></tr></table></div>
 <div><p class="releaseinfo">
-      For Chafa version 1.10.1
+      For Chafa version 1.10.2
 .
       The latest version of this documentation can be found online at
       <a class="ulink" href="https://hpjansson.org/chafa/ref/index.html"; 
target="_top">https://hpjansson.org/chafa/ref/</a>.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/libnsgif/libnsgif.c 
new/chafa-1.10.2/libnsgif/libnsgif.c
--- old/chafa-1.10.1/libnsgif/libnsgif.c        2021-02-20 13:13:26.000000000 
+0100
+++ new/chafa-1.10.2/libnsgif/libnsgif.c        2022-04-25 00:31:49.000000000 
+0200
@@ -595,6 +595,12 @@
         unsigned int x, y, decode_y, burst_bytes;
         register unsigned char colour;
 
+        /* If the GIF has no frame data, frame holders will not be allocated in
+         * gif_initialise() */
+        if (gif->frames == NULL) {
+                return GIF_INSUFFICIENT_DATA;
+        }
+
         /* Ensure this frame is supposed to be decoded */
         if (gif->frames[frame].display == false) {
                 return GIF_OK;
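Review bot: `gif->frames[frame]` is still indexed immediately after the new NULL check, with no bound on `frame` visible in this hunk; the guard only covers the case where no frame holders were allocated at all. The function body starts and ends outside the hunk, so it is worth confirming that `frame` is compared against the number of allocated frames before this access rather than after it. If that range check sits further down, it should move up next to the NULL test. The new comment could also state that a frameless file is reported as `GIF_INSUFFICIENT_DATA`, so callers know it is not treated as a decode error.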
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/tools/chafa/file-mapping.c 
new/chafa-1.10.2/tools/chafa/file-mapping.c
--- old/chafa-1.10.1/tools/chafa/file-mapping.c 2022-04-02 02:38:27.000000000 
+0200
+++ new/chafa-1.10.2/tools/chafa/file-mapping.c 2022-04-25 00:31:49.000000000 
+0200
@@ -280,7 +280,7 @@
     if (file_mapping->data)
     {
         if (ofs + length <= file_mapping->length
-            && !memcmp ((const guint8 *) data + ofs, data, length))
+            && !memcmp ((const guint8 *) file_mapping->data + ofs, data, 
length))
             return TRUE;
 
         return FALSE;
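Review bot: The bounds test `ofs + length <= file_mapping->length` in front of the corrected `memcmp` can wrap around if a caller ever passes a large offset or length, and the compare would then read outside the mapping. The declarations of `ofs` and `length` are outside the hunk, so this is hedged on their types, but the subtraction form removes the doubt: `if (ofs <= file_mapping->length && length <= file_mapping->length - ofs && !memcmp (...))`. A one-line comment such as `/* Compare the mapped file bytes, not the caller's magic, against data */` would also help keep the self-comparison from slipping back in.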
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/tools/chafa/im-loader.c 
new/chafa-1.10.2/tools/chafa/im-loader.c
--- old/chafa-1.10.1/tools/chafa/im-loader.c    2022-02-17 18:54:27.000000000 
+0100
+++ new/chafa-1.10.2/tools/chafa/im-loader.c    2022-04-25 00:31:49.000000000 
+0200
@@ -228,27 +228,42 @@
 im_loader_get_frame_data (ImLoader *loader, ChafaPixelType *pixel_type_out,
                           gint *width_out, gint *height_out, gint 
*rowstride_out)
 {
+    gint width, height, rowstride;
+
     g_return_val_if_fail (loader != NULL, NULL);
 
     auto_orient_image (loader->wand);
 
-    *width_out = MagickGetImageWidth (loader->wand);
-    *height_out = MagickGetImageHeight (loader->wand);
-    *rowstride_out = *width_out * 4;
+    width = MagickGetImageWidth (loader->wand);
+    height = MagickGetImageHeight (loader->wand);
+    rowstride = width * 4;
+
+    if (width < 1 || width >= (1 << 28)
+        || height < 1 || height >= (1 << 28)
+        || (width * (guint64) height >= (1 << 29)))
+        goto out;
 
     if (!loader->current_frame_data)
     {
-        loader->current_frame_data = g_malloc (*height_out * *rowstride_out);
+        loader->current_frame_data = g_malloc (height * (guint64) rowstride);
         MagickExportImagePixels (loader->wand,
                                  0, 0,
-                                 *width_out, *height_out,
+                                 width, height,
                                  "RGBA",
                                  CharPixel,
                                  (void *) loader->current_frame_data);
     }
 
-    *pixel_type_out = CHAFA_PIXEL_RGBA8_UNASSOCIATED;
+    if (pixel_type_out)
+        *pixel_type_out = CHAFA_PIXEL_RGBA8_UNASSOCIATED;
+    if (width_out)
+        *width_out = width;
+    if (height_out)
+        *height_out = height;
+    if (rowstride_out)
+        *rowstride_out = rowstride;
 
+out:
     return loader->current_frame_data;
 }
 
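Review bot: The new limits still admit a request of just under 2 GiB (fewer than `1 << 29` pixels at 4 bytes each), and `g_malloc` aborts the process when it cannot satisfy a request, so the loader abort named in the changelog remains reachable on memory-constrained hosts. The return value of `MagickExportImagePixels` is also ignored, so a failed export hands the caller a buffer of uninitialised heap memory. I would allocate with `g_try_malloc`, check the export result, and store the buffer in `loader->current_frame_data` only once both succeed, as sketched below. Separately, `rowstride = width * 4` is computed before the range check and can overflow `gint` for exactly the widths the check then rejects, so it should move below the check. The function's doc comment should also say that the `*_out` values are left unwritten when NULL is returned.

```c
    /* … unchanged: width/height/rowstride setup and dimension checks … */

    if (!loader->current_frame_data)
    {
        gpointer pixels = g_try_malloc (height * (gsize) rowstride);

        /* Allocation failure is reported to the caller instead of aborting */
        if (!pixels)
            goto out;

        if (MagickExportImagePixels (loader->wand,
                                     0, 0,
                                     width, height,
                                     "RGBA",
                                     CharPixel,
                                     pixels) == MagickFalse)
        {
            /* Never publish a buffer the export did not fill */
            g_free (pixels);
            goto out;
        }

        loader->current_frame_data = pixels;
    }

    /* … unchanged: out-parameter stores, out: label, return … */
```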
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/tools/chafa/png-loader.c 
new/chafa-1.10.2/tools/chafa/png-loader.c
--- old/chafa-1.10.1/tools/chafa/png-loader.c   2022-03-16 23:08:03.000000000 
+0100
+++ new/chafa-1.10.2/tools/chafa/png-loader.c   2022-04-25 00:31:49.000000000 
+0200
@@ -55,7 +55,7 @@
     PngLoader *loader = NULL;
     gboolean success = FALSE;
     guint width, height;
-    unsigned char *frame_data;
+    unsigned char *frame_data = NULL;
     gint lode_error;
 
     g_return_val_if_fail (mapping != NULL, NULL);
@@ -75,7 +75,8 @@
                                         loader->file_data, 
loader->file_data_len)) != 0)
         goto out;
 
-    if (width > (1 << 30) || height > (1 << 30))
+    if (width < 1 || width >= (1 << 28)
+        || height < 1 || height >= (1 << 28))
         goto out;
 
     loader->frame_data = frame_data;
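Review bot: The tightened width/height test runs only after the decode call just above it has already allocated and filled `frame_data`, so it limits what later stages see but not the size of the decoder's own allocation. If the goal is to cap memory use for oversized PNGs, the dimensions would have to be read from the image header and checked before the full decode; whether the decoder offers a header-only entry point is not visible in this hunk. Unlike the checks added in im-loader.c and xwd-loader.c, this one also has no total-pixel term such as `|| (width * (guint64) height >= (1 << 29))`, so the three loaders accept different maxima.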
@@ -92,6 +93,9 @@
             g_free (loader);
             loader = NULL;
         }
+
+        if (frame_data)
+            free (frame_data);
     }
 
     return loader;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/chafa-1.10.1/tools/chafa/xwd-loader.c 
new/chafa-1.10.2/tools/chafa/xwd-loader.c
--- old/chafa-1.10.1/tools/chafa/xwd-loader.c   2022-02-17 18:54:27.000000000 
+0100
+++ new/chafa-1.10.2/tools/chafa/xwd-loader.c   2022-04-25 00:31:49.000000000 
+0200
@@ -239,7 +239,8 @@
 XwdLoader *
 xwd_loader_new_from_mapping (FileMapping *mapping)
 {
-    XwdLoader *loader;
+    XwdLoader *loader = NULL;
+    gboolean success = FALSE;
 
     g_return_val_if_fail (mapping != NULL, NULL);
 
@@ -254,6 +255,20 @@
 
     DEBUG (dump_header (&loader->header));
 
+    if (loader->header.pixmap_width < 1 || loader->header.pixmap_width >= (1 
<< 28)
+        || loader->header.pixmap_height < 1 || loader->header.pixmap_height >= 
(1 << 28)
+        || (loader->header.pixmap_width * (guint64) 
loader->header.pixmap_height >= (1 << 29)))
+        goto out;
+
+    success = TRUE;
+
+out:
+    if (!success)
+    {
+        g_free (loader);
+        loader = NULL;
+    }
+
     return loader;
 }
 
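Review bot: The limits `1 << 28` and `1 << 29` are bare literals here and are repeated in the im-loader.c and png-loader.c hunks of the same update, with nothing recording how they were chosen. A comment such as `/* Keep each dimension below 2^28 and the pixel count below 2^29 so frame buffer size computations stay in range */` (wording to be confirmed against the real rationale), ideally attached to a pair of shared named constants in a common header, would stop the loaders drifting apart. The function body starts outside the hunk, so whether `g_free (loader)` alone is enough cleanup on the new failure path depends on what was attached to the loader before this point.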
