Package: release.debian.org
Severity: important
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

A global buffer overflow vulnerability was found by Red Hat on pngcheck-2.4.0 [1]. It was found and reported by the Debian Security Team that the vulnerability also affects the versions found on the Debian archive [2]. The bug was already fixed on unstable [2].

I have prepared a revision for buster-security for pngcheck/2.3.0-7 with the backported changes from unstable. The proposed update builds correctly on a minimal up-to-date buster chroot.

I didn't coordinate with the security team, as the vulnerability is marked "no-dsa" in the Debian Security Tracker [3].

If the update is deemed correct, I can make it available on mentors, and open an RFS as I don't have uploading rights.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1902011
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976350
[3] https://security-tracker.debian.org/tracker/CVE-2020-27818

Regards,
Polverari
diff -Nru pngcheck-2.3.0/debian/changelog pngcheck-2.3.0/debian/changelog --- pngcheck-2.3.0/debian/changelog 2013-06-26 09:28:27.000000000 +0000 +++ pngcheck-2.3.0/debian/changelog 2020-12-04 21:22:18.000000000 +0000 @@ -1,3 +1,10 @@ +pngcheck (2.3.0-7+deb10u1) buster-security; urgency=high + + * debian/patches/60-fix-buffer-overflow.patch: added to fix CVE-2020-27818. + Thanks to Salvatore Bonaccorso <car...@debian.org>. (Closes: #976350) + + -- David da Silva Polverari <david.polver...@gmail.com> Fri, 04 Dec 2020 21:22:18 +0000 + pngcheck (2.3.0-7) unstable; urgency=low * debian/control diff -Nru pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch --- pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch 1970-01-01 00:00:00.000000000 +0000 +++ pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch 2020-12-04 21:22:18.000000000 +0000 
@@ -0,0 +1,26 @@ +Description: Fix buffer overflow reported in RHBZ #1897485. + When char is signed, casting to a (signed) int directly could produce a + negative offset into the ASCII lookup table; adding an intermediate cast to + uch (a typedef for unsigned char) ensures a nonnegative offset no greater than + 255, which always corresponds to a valid table index. +Origin: vendor, https://src.fedoraproject.org/rpms/pngcheck/blob/cc48791e34201caf7b686084b735d06cef66c974/f/pngcheck-2.4.0-overflow-bz1897485.patch +Bug-Debian: https://bugs.debian.org/976350 +Forwarded: no +Reviewed-By: David da Silva Polverari <david.polver...@gmail.com> +Last-Update: 2020-12-04 + +--- a/pngcheck.c ++++ b/pngcheck.c +@@ -4895,8 +4895,10 @@ + /* GRR 20061203: now EBCDIC-safe */ + int check_chunk_name(char *chunk_name, char *fname) + { +- if (isASCIIalpha((int)chunk_name[0]) && isASCIIalpha((int)chunk_name[1]) && +- isASCIIalpha((int)chunk_name[2]) && isASCIIalpha((int)chunk_name[3])) ++ if (isASCIIalpha((int)(uch)chunk_name[0]) && ++ isASCIIalpha((int)(uch)chunk_name[1]) && ++ isASCIIalpha((int)(uch)chunk_name[2]) && ++ isASCIIalpha((int)(uch)chunk_name[3])) + return 0; + + printf("%s%s invalid chunk name \"%.*s\" (%02x %02x %02x %02x)\n", diff -Nru pngcheck-2.3.0/debian/patches/series pngcheck-2.3.0/debian/patches/series --- pngcheck-2.3.0/debian/patches/series 2013-06-26 09:28:27.000000000 +0000 +++ pngcheck-2.3.0/debian/patches/series 2020-12-04 21:22:18.000000000 +0000 @@ -1,2 +1,3 @@ 10-pngsplit-format-strings.patch 20-pngsplit-long-options.patch +60-fix-buffer-overflow.patch
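Review bot: the changelog hunk targets "buster-security; urgency=high", but the report itself is tagged "buster" with Usertags "pu" and the cover letter says the issue is marked no-dsa, so this should go through stable proposed-updates; for that route the distribution field must read "buster" (a no-dsa fix is not uploaded to buster-security), and the +deb10u1 version suffix is already the right one for that path. Consider also aligning urgency with the no-dsa classification, since proposed-updates does not act on urgency.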
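Review bot: in the 60-fix-buffer-overflow.patch hunk the Description names only RHBZ #1897485 while the changelog and the cover letter cite CVE-2020-27818 and RHBZ 1902011; add the CVE id to the Description (or a Bug: field pointing at the tracker URL) so the patch file is self-describing for anyone auditing the security update. The code change itself is the right one for the defect described: with a signed char, a chunk-name byte >= 0x80 becomes a negative int and a negative index into the table behind isASCIIalpha, and casting through uch first bounds the index to 0..255. Since this is backported from 2.4.0, please confirm that the uch typedef exists in pngcheck.c at 2.3.0 (the successful chroot build suggests it does) and, if isASCIIalpha is called with a plain char argument anywhere else in the 2.3.0 source, apply the same intermediate cast there, as this hunk only touches check_chunk_name.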