Hi,

I have prepared the potrace update fixing CVE-2016-8685 and would like to upload it. However, I had to modify debian/rules slightly more than expected because in its current state, the CFLAGS variable defined by debian/rules isn't passed properly to the configure script. Actually CFLAGS is neither exported, nor passed to ./configure as argument...

I don't understand that such a mistake is present in this rules file. Could somebody take a look at the debdiff and confirm to me that these changes to debian/rules are pertinent?

Cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

diff -Nru potrace-1.10/debian/changelog potrace-1.10/debian/changelog --- potrace-1.10/debian/changelog 2016-10-25 10:52:48.000000000 +0200 +++ potrace-1.10/debian/changelog 2017-04-08 23:10:22.000000000 +0200 @@ -1,3 +1,14 @@ +potrace (1.10-1+deb7u2) wheezy-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * Fix CVE-2016-8685 (Closes: #843861). + * Add -fwrapv to build flags in debian/rules to avoid + segfaults caused by optimization of code relying on + two's-complement wrapping behaviour on signed arithmetic. + * export CFLAGS variable in debian/rules. + + -- Hugo Lefeuvre <h...@debian.org> Sat, 08 Apr 2017 23:10:22 +0200 + potrace (1.10-1+deb7u1) wheezy-security; urgency=medium * Non-maintainer upload by the LTS Team. diff -Nru potrace-1.10/debian/patches/CVE-2016-8685.patch potrace-1.10/debian/patches/CVE-2016-8685.patch --- potrace-1.10/debian/patches/CVE-2016-8685.patch 1970-01-01 01:00:00.000000000 +0100 +++ potrace-1.10/debian/patches/CVE-2016-8685.patch 2017-04-08 23:10:22.000000000 +0200 
@@ -0,0 +1,23 @@ +From: Hugo Lefeuvre <h...@debian.org> +Subject: Fix integer overflow causing segfault in findnext + For large enough bm->w in findnext, x+=BM_WORDBITS can result in + an integer overflow causing a segmentation fault when executing + *bm_index(bm, x, y). + . + We add a check that avoids entering into the loop if passed bm->w + is too large. +Bug-Debian: http://bugs.debian.org/843861 +--- a/src/decompose.c 2017-04-04 10:58:37.436084109 +0200 ++++ b/src/decompose.c 2017-04-04 11:22:02.957825883 +0200 +@@ -428,6 +428,11 @@ + + x0 = (*xp) & ~(BM_WORDBITS-1); + ++ /* check value of bm->w to avoid integer overflow of x in the loop. */ ++ if( bm->w >= INT_MAX - BM_WORDBITS ) { ++ return 1; ++ } ++ + for (y=*yp; y>=0; y--) { + for (x=x0; x<bm->w; x+=BM_WORDBITS) { + if (*bm_index(bm, x, y)) { diff -Nru potrace-1.10/debian/patches/series potrace-1.10/debian/patches/series --- potrace-1.10/debian/patches/series 2016-10-25 10:46:55.000000000 +0200 +++ potrace-1.10/debian/patches/series 2017-04-08 23:09:16.000000000 +0200 @@ -1,2 +1,3 @@ CVE-2013-7437.patch CVE-2016-8694.patch +CVE-2016-8685.patch diff -Nru potrace-1.10/debian/rules potrace-1.10/debian/rules --- potrace-1.10/debian/rules 2011-03-29 11:08:52.000000000 +0200 +++ potrace-1.10/debian/rules 2017-04-08 23:10:22.000000000 +0200 @@ -10,7 +10,7 @@ DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) -CFLAGS = -Wall -g +CFLAGS = -Wall -g -fwrapv ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) CFLAGS += -O0 @@ -21,6 +21,8 @@ INSTALL_PROGRAM += -s endif +export CFLAGS + config.status: configure ${QUILT_STAMPFN} dh_testdir ifneq "$(wildcard /usr/share/misc/config.sub)" ""
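
Review bot: In the debian/changelog hunk, the last item ("export CFLAGS variable in debian/rules.") gives no reason, although it is the change that makes the -fwrapv item above it take effect. Suggest capitalising it like the other items and saying that CFLAGS was previously not reaching ./configure, so a later reader of the changelog understands why a security upload touches the build flags.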
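
Review bot: In the src/decompose.c hunk of CVE-2016-8685.patch, the new check uses INT_MAX but the patch has only this one hunk at line 428 and adds no #include <limits.h>; please confirm the file already pulls it in, or add the include in the same patch. The comment should also say what "return 1" tells the caller in this case, since an over-wide bitmap is being rejected silently. Minor style point: "if( bm->w >= INT_MAX - BM_WORDBITS ) {" does not match the spacing of the surrounding "for (y=*yp; y>=0; y--) {" lines.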
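
Review bot: In the first debian/rules hunk, -fwrapv is appended to the CFLAGS line with no comment in the file itself; the rationale exists only in the changelog. A one-line comment above "CFLAGS = -Wall -g -fwrapv" would help. Note also that with wrapping semantics the x+=BM_WORDBITS step in findnext would go negative rather than stop the loop, so the bound check in CVE-2016-8685.patch is what actually prevents the bad *bm_index(bm, x, y) access; the flag should be described as hardening for other code, not as part of that fix.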
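
Review bot: In the second debian/rules hunk, "export CFLAGS" puts the variable into the environment of every command the rules file runs, not only the configure call in the config.status target. That is acceptable, but passing CFLAGS="$(CFLAGS)" on the ./configure line would be the narrower change. Either way, since the flags were not reaching the build before, check the build log to confirm -fwrapv now appears on the compile lines and test the rebuilt binary, because the effective compiler flags for the whole package change with this upload.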