Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

The attached debdiff for leptonlib fixes five CVEs in Buster:
 - CVE-2020-36277
 - CVE-2020-36278
 - CVE-2020-36279
 - CVE-2020-36280
 - CVE-2020-36281

According to Moritz, they should have been marked as no-dsa by the security team.

The fix was uploaded to Jessie a long time ago and nobody has complained so
far. It has already made it to unstable and will soon migrate to testing. So Buster is the only release that is missing the patches.

  Thorsten
diff -Nru leptonlib-1.76.0/debian/changelog leptonlib-1.76.0/debian/changelog
--- leptonlib-1.76.0/debian/changelog   2018-05-10 21:47:10.000000000 +0200
+++ leptonlib-1.76.0/debian/changelog   2021-04-18 10:03:02.000000000 +0200
@@ -1,3 +1,24 @@
+leptonlib (1.76.0-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+    (Closes: #985089)
+  * CVE-2020-36277
+    denial of service (application crash) via an incorrect left
+    shift in pixConvert2To8 in pixconv.c
+  * CVE-2020-36278
+    heap-based buffer over-read in findNextBorderPixel in ccbord.c
+  * CVE-2020-36279
+    heap-based buffer over-read in rasteropGeneralLow, related to
+    adaptmap_reg.c and adaptmap.c
+  * CVE-2020-36280
+    heap-based buffer over-read in pixReadFromTiffStream, related
+    to tiffio.c.
+  * CVE-2020-36281
+    heap-based buffer over-read in pixFewColorsOctcubeQuantMixed
+    in colorquant1.c
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Sun, 18 Apr 2021 10:03:02 +0200
+
 leptonlib (1.76.0-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru leptonlib-1.76.0/debian/patches/CVE-2020-36277.patch 
leptonlib-1.76.0/debian/patches/CVE-2020-36277.patch
--- leptonlib-1.76.0/debian/patches/CVE-2020-36277.patch        1970-01-01 
01:00:00.000000000 +0100
+++ leptonlib-1.76.0/debian/patches/CVE-2020-36277.patch        2021-04-18 
10:03:02.000000000 +0200
@@ -0,0 +1,39 @@
+Index: leptonlib-1.76.0/src/sel1.c
+===================================================================
+--- leptonlib-1.76.0.orig/src/sel1.c   2021-03-30 18:09:15.527294113 +0200
++++ leptonlib-1.76.0/src/sel1.c        2021-03-30 18:10:04.324105823 +0200
+@@ -1408,7 +1408,7 @@
+ SEL  *
+ selReadStream(FILE  *fp)
+ {
+-char    *selname;
++char     selname[256];
+ char     linebuf[L_BUFSIZE];
+ l_int32  sy, sx, cy, cx, i, j, version, ignore;
+ SEL     *sel;
+@@ -1425,17 +1425,14 @@
+ 
+     if (fgets(linebuf, L_BUFSIZE, fp) == NULL)
+         return (SEL *)ERROR_PTR("error reading into linebuf", procName, NULL);
+-    selname = stringNew(linebuf);
+     sscanf(linebuf, "  ------  %200s  ------", selname);
+ 
+     if (fscanf(fp, "  sy = %d, sx = %d, cy = %d, cx = %d\n",
+             &sy, &sx, &cy, &cx) != 4) {
+-        LEPT_FREE(selname);
+         return (SEL *)ERROR_PTR("dimensions not read", procName, NULL);
+     }
+ 
+     if ((sel = selCreate(sy, sx, selname)) == NULL) {
+-        LEPT_FREE(selname);
+         return (SEL *)ERROR_PTR("sel not made", procName, NULL);
+     }
+     selSetOrigin(sel, cy, cx);
+@@ -1448,7 +1445,6 @@
+     }
+     ignore = fscanf(fp, "\n");
+ 
+-    LEPT_FREE(selname);
+     return sel;
+ }
+ 
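Review bot: With `selname` now an uninitialized stack array, the unchecked `sscanf(linebuf, "  ------  %200s  ------", selname)` can leave it unwritten when the line does not match, and that buffer is then handed to `selCreate`; before this change it always held a copy of `linebuf`. Either initialise it with `char selname[256] = "";` or reject the input with `if (sscanf(linebuf, "  ------  %200s  ------", selname) != 1) return (SEL *)ERROR_PTR("selname not read", procName, NULL);`. Separately, the changelog describes CVE-2020-36277 as a left shift in pixConvert2To8 in pixconv.c, while this patch only touches selReadStream in sel1.c, so the mapping to the upstream fix is worth confirming. The body of selReadStream continues outside both inner hunks.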
diff -Nru leptonlib-1.76.0/debian/patches/CVE-2020-36278.patch 
leptonlib-1.76.0/debian/patches/CVE-2020-36278.patch
--- leptonlib-1.76.0/debian/patches/CVE-2020-36278.patch        1970-01-01 
01:00:00.000000000 +0100
+++ leptonlib-1.76.0/debian/patches/CVE-2020-36278.patch        2021-04-18 
10:03:02.000000000 +0200
@@ -0,0 +1,13 @@
+Index: leptonlib-1.76.0/src/ccbord.c
+===================================================================
+--- leptonlib-1.76.0.orig/src/ccbord.c 2021-03-30 18:10:14.856275465 +0200
++++ leptonlib-1.76.0/src/ccbord.c      2021-03-30 18:10:14.848275336 +0200
+@@ -1077,6 +1077,8 @@
+         pos = (qpos + i) % 8;
+         npx = px + xpostab[pos];
+         npy = py + ypostab[pos];
++        if (npx < 0 || npx >= w || npy < 0 || npy >= h)
++            continue;
+         line = data + npy * wpl;
+         val = GET_DATA_BIT(line, npx);
+         if (val) {
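Review bot: The new bounds test in the neighbour loop has no comment saying why a neighbour can fall outside the image, and `w` and `h` are set outside this hunk, so a reader cannot confirm from here that they are the pixel dimensions `npx` and `npy` index into. I would add `/* neighbour may lie outside the image (presumably when (px, py) is on the edge); skip it */` above the `if`. The enclosing function starts and ends outside the hunk.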
diff -Nru leptonlib-1.76.0/debian/patches/CVE-2020-36279.patch 
leptonlib-1.76.0/debian/patches/CVE-2020-36279.patch
--- leptonlib-1.76.0/debian/patches/CVE-2020-36279.patch        1970-01-01 
01:00:00.000000000 +0100
+++ leptonlib-1.76.0/debian/patches/CVE-2020-36279.patch        2021-04-18 
10:03:02.000000000 +0200
@@ -0,0 +1,90 @@
+Index: leptonlib-1.76.0/prog/adaptmap_reg.c
+===================================================================
+--- leptonlib-1.76.0.orig/prog/adaptmap_reg.c  2021-03-30 18:10:19.724353961 
+0200
++++ leptonlib-1.76.0/prog/adaptmap_reg.c       2021-03-30 18:10:19.716353832 
+0200
+@@ -53,7 +53,7 @@
+ l_int32       w, h;
+ PIX          *pixs, *pixg, *pixim, *pixgm, *pixmi, *pix1, *pix2;
+ PIX          *pixmr, *pixmg, *pixmb, *pixmri, *pixmgi, *pixmbi;
+-PIXA         *pixa;
++PIXA         *pixa, *pixa2;
+ L_REGPARAMS  *rp;
+ 
+     if (regTestSetup(argc, argv, &rp))
+@@ -155,10 +155,31 @@
+     pixaAddPix(pixa, pix2, L_INSERT);
+     pixDestroy(&pixim);
+ 
++        /* Check pixFillMapHoles() */
++    pixa2 = pixaCreate(3);
++    pix1 = pixRead("weasel8.png");  /* use this as the map */
++    pixGammaTRC(pix1, pix1, 1.0, 0, 270);  /* darken white pixels */
++    pixaAddPix(pixa2, pix1, L_COPY);
++    pixGetDimensions(pix1, &w, &h, NULL);
++    pixRasterop(pix1, 0, 0, 5, h, PIX_SET, NULL, 0, 0);  /* add white holes */
++    pixRasterop(pix1, 20, 0, 2, h, PIX_SET, NULL, 0, 0);
++    pixRasterop(pix1, 40, 0, 3, h, PIX_SET, NULL, 0, 0);
++    pixRasterop(pix1, 0, 0, w, 3, PIX_SET, NULL, 0, 0);
++    pixRasterop(pix1, 0, 15, w, 3, PIX_SET, NULL, 0, 0);
++    pixRasterop(pix1, 0, 35, w, 2, PIX_SET, NULL, 0, 0);
++    pixaAddPix(pixa2, pix1, L_COPY);
++    pixFillMapHoles(pix1, w, h, L_FILL_WHITE);
++    pixaAddPix(pixa2, pix1, L_INSERT);
++    pix2 = pixaDisplayTiledInColumns(pixa2, 3, 1.0, 20, 1);
++    regTestWritePixAndCheck(rp, pix2, IFF_PNG);  /* 14 */
++    pixDisplayWithTitle(pix2, 50, 850, NULL, rp->display);
++    pixaDestroy(&pixa2);
++    pixDestroy(&pix2);
++    
+         /* Display results */
+     pix1 = pixaDisplayTiledAndScaled(pixa, 32, 400, 4, 0, 20, 2);
+     pixWrite("/tmp/lept/adapt/results.jpg", pix1, IFF_JFIF_JPEG);
+-    pixDisplayWithTitle(pix1, 100, 0, NULL, rp->display);
++    pixDisplayWithTitle(pix1, 50, 0, NULL, rp->display);
+     pixDestroy(&pix1);
+     pixaDestroy(&pixa);
+ 
+Index: leptonlib-1.76.0/src/adaptmap.c
+===================================================================
+--- leptonlib-1.76.0.orig/src/adaptmap.c       2021-03-30 18:10:19.724353961 
+0200
++++ leptonlib-1.76.0/src/adaptmap.c    2021-03-30 18:10:19.716353832 +0200
+@@ -1458,7 +1458,6 @@
+ l_int32   w, h, y, nmiss, goodcol, i, j, found, ival, valtest;
+ l_uint32  val, lastval;
+ NUMA     *na;  /* indicates if there is any data in the column */
+-PIX      *pixt;
+ 
+     PROCNAME("pixFillMapHoles");
+ 
+@@ -1510,7 +1509,6 @@
+ 
+     /* ---------- Fill in missing columns by replication ----------- */
+     if (nmiss > 0) {  /* replicate columns */
+-        pixt = pixCopy(NULL, pix);
+             /* Find the first good column */
+         goodcol = 0;
+         for (j = 0; j < w; j++) {
+@@ -1521,20 +1519,16 @@
+             }
+         }
+         if (goodcol > 0) {  /* copy cols backward */
+-            for (j = goodcol - 1; j >= 0; j--) {
+-                pixRasterop(pix, j, 0, 1, h, PIX_SRC, pixt, j + 1, 0);
+-                pixRasterop(pixt, j, 0, 1, h, PIX_SRC, pix, j, 0);
+-            }
++            for (j = goodcol - 1; j >= 0; j--)
++                pixRasterop(pix, j, 0, 1, h, PIX_SRC, pix, j + 1, 0);
+         }
+         for (j = goodcol + 1; j < w; j++) {   /* copy cols forward */
+             numaGetIValue(na, j, &ival);
+             if (ival == 0) {
+                     /* Copy the column to the left of j */
+-                pixRasterop(pix, j, 0, 1, h, PIX_SRC, pixt, j - 1, 0);
+-                pixRasterop(pixt, j, 0, 1, h, PIX_SRC, pix, j, 0);
++                pixRasterop(pix, j, 0, 1, h, PIX_SRC, pix, j - 1, 0);
+             }
+         }
+-        pixDestroy(&pixt);
+     }
+     if (w > nx) {  /* replicate the last column */
+         for (i = 0; i < h; i++) {
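Review bot: The column copies in pixFillMapHoles now pass `pix` as both destination and source to `pixRasterop`, and nothing in the code says why that is safe. A short comment such as `/* in-place: source column j+1 (or j-1) and dest column j are 1 px wide and never overlap */` would record the assumption the fix depends on. In the forward loop the return value of `numaGetIValue(na, j, &ival)` is still ignored while `j` runs to `w`, and the following `if (w > nx)` suggests `w` can exceed the map width, so it is worth confirming what `ival` holds for those indices (the size of `na` is not visible here). In the new regression block in adaptmap_reg.c the result of `pixRead("weasel8.png")` is used without a NULL check. Both functions continue outside the hunks.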
diff -Nru leptonlib-1.76.0/debian/patches/CVE-2020-36280.patch 
leptonlib-1.76.0/debian/patches/CVE-2020-36280.patch
--- leptonlib-1.76.0/debian/patches/CVE-2020-36280.patch        1970-01-01 
01:00:00.000000000 +0100
+++ leptonlib-1.76.0/debian/patches/CVE-2020-36280.patch        2021-04-18 
10:03:02.000000000 +0200
@@ -0,0 +1,22 @@
+Index: leptonlib-1.76.0/prog/dewarptest1.c
+===================================================================
+--- leptonlib-1.76.0.orig/prog/dewarptest1.c   2021-03-30 18:10:48.612820876 
+0200
++++ leptonlib-1.76.0/prog/dewarptest1.c        2021-03-30 18:10:48.604820746 
+0200
+@@ -48,6 +48,8 @@
+ 
+     setLeptDebugOK(1);
+     lept_mkdir("lept/model");
++    lept_rmdir("lept/dewmod");
++    lept_mkdir("lept/dewmod");
+ 
+ /*    pixs = pixRead("1555.007.jpg"); */
+     pixs = pixRead("cat.035.jpg");
+@@ -156,8 +158,6 @@
+                       "/tmp/lept/dewarptest1.pdf");
+     fprintf(stderr, "pdf file made: /tmp/lept/model/dewarptest1.pdf\n");
+ 
+-    lept_rmdir("lept/dewmod");
+-    lept_rmdir("lept/dewtest");
+     pixDestroy(&pixs);
+     pixDestroy(&pixn);
+     pixDestroy(&pixg);
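Review bot: This patch changes only the test program prog/dewarptest1.c (it moves `lept_rmdir("lept/dewmod")` ahead of the run, adds `lept_mkdir("lept/dewmod")` and drops the `lept/dewtest` cleanup), whereas the changelog describes CVE-2020-36280 as a heap-based over-read in pixReadFromTiffStream related to tiffio.c. No library source is touched in the 22 lines shown, so unless a tiffio.c hunk was dropped from the patch, the over-read in the TIFF reader looks unaddressed for Buster. Please check the upstream change for this CVE and include its src/ part, or state in the patch header why the test-only change is sufficient.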
diff -Nru leptonlib-1.76.0/debian/patches/CVE-2020-36281.patch 
leptonlib-1.76.0/debian/patches/CVE-2020-36281.patch
--- leptonlib-1.76.0/debian/patches/CVE-2020-36281.patch        1970-01-01 
01:00:00.000000000 +0100
+++ leptonlib-1.76.0/debian/patches/CVE-2020-36281.patch        2021-04-18 
10:03:02.000000000 +0200
@@ -0,0 +1,25 @@
+Index: leptonlib-1.76.0/src/colorquant1.c
+===================================================================
+--- leptonlib-1.76.0.orig/src/colorquant1.c    2021-03-30 18:13:27.799426670 
+0200
++++ leptonlib-1.76.0/src/colorquant1.c 2021-03-30 18:13:27.795426605 +0200
+@@ -3308,7 +3308,7 @@
+ l_int32    rval, gval, bval, val, minval, maxval;
+ l_int32   *lut;
+ l_uint32  *datac, *datam, *datad, *linec, *linem, *lined;
+-PIX       *pixc, *pixm, *pixg, *pixd;
++PIX       *pix1, *pixc, *pixm, *pixg, *pixd;
+ PIXCMAP   *cmap, *cmapd;
+ 
+     PROCNAME("pixFewColorsOctcubeQuantMixed");
+@@ -3325,8 +3325,10 @@
+     if (maxspan <= 2) maxspan = 15;
+ 
+         /* Start with a simple fixed octcube quantizer. */
+-    if ((pixc = pixFewColorsOctcubeQuant1(pixs, level)) == NULL)
++    if ((pix1 = pixFewColorsOctcubeQuant1(pixs, level)) == NULL)
+         return (PIX *)ERROR_PTR("too many colors", procName, NULL);
++    pixc = pixConvertTo8(pix1, 1);  /* must be 8 bpp */
++    pixDestroy(&pix1);
+ 
+         /* Identify and save color entries in the colormap.  Set up a LUT
+          * that returns -1 for any gray pixel. */
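Review bot: The result of `pixConvertTo8(pix1, 1)` is not checked before `pixc` is used by the code that follows. Add `if (!pixc) return (PIX *)ERROR_PTR("pixc not made", procName, NULL);` after `pixDestroy(&pix1);` so a failed conversion does not flow into the colormap and raster accesses below. The rest of pixFewColorsOctcubeQuantMixed lies outside the hunk, so whether later code tolerates a NULL `pixc` cannot be seen from here.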
diff -Nru leptonlib-1.76.0/debian/patches/series 
leptonlib-1.76.0/debian/patches/series
--- leptonlib-1.76.0/debian/patches/series      2018-05-10 21:47:10.000000000 
+0200
+++ leptonlib-1.76.0/debian/patches/series      2021-04-18 10:03:02.000000000 
+0200
@@ -1 +1,5 @@
-
+CVE-2020-36277.patch
+CVE-2020-36278.patch
+CVE-2020-36279.patch
+CVE-2020-36281.patch
+CVE-2020-36280.patch
