Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dear release team, I'd like to update tinyexr in bullseye [ Reason ] The update fixes two vulnerabilities with low priority, i.e. the security team has decided not to issue a DSA. [ Impact ] CVE-2022-34300: Heap overflow in DecodePixelData CVE-2022-38529: Heap overflow in rleUncompress [ Tests ] I have verified that the changes fix the aforementioned vulnerabilities and do not cause regressions in the package test suite. [ Risks ] tinyexr is a low popcon package with two reverse dependencies (both of which I maintain). Both code fixes are localized and unlikely to cause further issues. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] The update patches two statements in two functions Cheers Timo -----BEGIN PGP SIGNATURE----- iQGzBAEBCgAdFiEEJvtDgpxjkjCIVtam+C8H+466LVkFAmM5zIAACgkQ+C8H+466 LVnfmAv7BCTx2RPhA8gGGRGpHjQGY9o8gwWoTfKocWmPfJgEz3KLt3HntP7jo3fn x6QooHIYCJ8iveUPD1J0zK5wgr//22Z9iER1Uuk/48SVAVKXDbuvak3wJer5ssDl pAwluYXdMNREfOcu49sJ0cs5WmaPFsv7Kt1LLWfsTBRru3ekLwYI4AkHrCFpSfy0 SVEm4zF/99athm4Pd/teV1znvXcmhAW64UxoypsSJpdJm46kyZ2fHZPxMOVkaQGe Vz4mROOoAMA60stDL0ot/iFjiUCen/dUlR/K8VP3h3l3NI6/hgLiGW7QvrVom07j J0knQxnnMn+RVJGQRxaWFm/Qculk9xvY8H/uekvgZglWMxoW2FmJCvTnlizETCB6 MxIf0aHQRDgY+0g1VbAGsOZ12xjkTV5BhsKADN+eOHI0hfwiNJEkjMLVOnUNdnhC qHYZILTfH4sTXs/xNlGJ49KJlFYmizsNwEIL0CTi6eVf062whzUFiRmDN/JYMvax +/SrWuWb =WbEi -----END PGP SIGNATURE-----
diff -Nru tinyexr-1.0.1+dfsg/debian/changelog tinyexr-1.0.1+dfsg/debian/changelog
--- tinyexr-1.0.1+dfsg/debian/changelog 2021-08-29 20:43:34.000000000 +0200
+++ tinyexr-1.0.1+dfsg/debian/changelog 2022-10-01 23:13:34.000000000 +0200
@@ -1,3 +1,11 @@
+tinyexr (1.0.1+dfsg-1+deb11u1) bullseye; urgency=medium
+
+ * Fix low-priority vulnerabilities
+ - CVE-2022-34300: Heap overflow in DecodePixelData
+ - CVE-2022-38529: Heap overflow in rleUncompress
+
+ -- Timo Röhling <roehl...@debian.org> Sat, 01 Oct 2022 23:13:34 +0200
+
 tinyexr (1.0.1+dfsg-1) unstable; urgency=medium
 
 * New upstream version 1.0.1+dfsg
diff -Nru tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch
--- tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch 1970-01-01 01:00:00.000000000 +0100
+++ tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch 2022-10-01 23:13:34.000000000 +0200
@@ -0,0 +1,25 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?= <roehl...@debian.org>
+Date: Thu, 8 Sep 2022 19:31:26 +0200
+Subject: CVE-2022-38529
+
+Fix heap buffer overflow in rleUncompress.
+Backported from upstream commit cc1b199dd17b700c3130a53866ea462ab88e7f82
+
+Forwarded: not-needed
+---
+ tinyexr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tinyexr.h b/tinyexr.h
+index eb5e5c0..ba05fdf 100644
+--- a/tinyexr.h
++++ b/tinyexr.h
+@@ -1480,7 +1480,7 @@ static int rleUncompress(int inLength, int maxLength, const signed char in[],
+ int count = *in++;
+ inLength -= 2;
+
+- if (0 > (maxLength -= count + 1)) return 0;
++ if (0 > (maxLength -= count + 1) || inLength < 0) return 0;
+
+ memset(out, *reinterpret_cast<const char *>(in), count + 1);
+ out += count + 1;
diff -Nru tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch
--- tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch 1970-01-01 01:00:00.000000000 +0100
+++ tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch 2022-10-01 23:13:34.000000000 +0200
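Review bot: On the new `++ if` line the input-length test runs only after `maxLength -= count + 1` has already been applied, so the output budget is mutated even when the input is being rejected; the function returns 0 either way, so this is not a defect, but `if (inLength < 0 || 0 > (maxLength -= count + 1)) return 0;` puts the cheap pure check first and avoids the side effect on the reject path. The reason for the new term deserves a comment, since `inLength -= 2` two lines above is what makes it meaningful, e.g. `// inLength went negative: the count or run byte lies past the end of the input`. The body of rleUncompress starts and ends outside this hunk; if its other branch likewise advances `in` by a count taken from the input, it presumably needs an equivalent `inLength` guard — not visible here, so worth confirming against the backported upstream commit cc1b199dd17b700c3130a53866ea462ab88e7f82 named in the patch header.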
@@ -0,0 +1,26 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?= <roehl...@debian.org>
+Date: Thu, 8 Sep 2022 20:38:54 +0200
+Subject: CVE-2022-34300
+
+Fix heap buffer overflow in DecodePixelData.
+
+Forwarded: https://github.com/syoyo/tinyexr/pull/175
+---
+ tinyexr.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tinyexr.h b/tinyexr.h
+index ba05fdf..c36e6ec 100644
+--- a/tinyexr.h
++++ b/tinyexr.h
+@@ -3568,8 +3568,8 @@ static bool DecodePixelData(/* out */ unsigned char **out_images,
+ assert(requested_pixel_types[c] == TINYEXR_PIXELTYPE_FLOAT);
+ for (size_t v = 0; v < static_cast<size_t>(num_lines); v++) {
+ const float *line_ptr = reinterpret_cast<float *>(&outBuf.at(
+- v * pixel_data_size * static_cast<size_t>(x_stride) +
+- channel_offset_list[c] * static_cast<size_t>(x_stride)));
++ v * pixel_data_size * static_cast<size_t>(width) +
++ channel_offset_list[c] * static_cast<size_t>(width)));
+ for (size_t u = 0; u < static_cast<size_t>(width); u++) {
+ float val;
+ // val = line_ptr[u];
diff -Nru tinyexr-1.0.1+dfsg/debian/patches/series tinyexr-1.0.1+dfsg/debian/patches/series
--- tinyexr-1.0.1+dfsg/debian/patches/series 2021-08-29 20:43:34.000000000 +0200
+++ tinyexr-1.0.1+dfsg/debian/patches/series 2022-10-01 23:13:34.000000000 +0200
@@ -2,3 +2,5 @@
 0002-Explicitly-export-required-symbols.patch
 0003-Fix-CMake-build-system.patch
 0004-Add-test-executable-for-CTest.patch
+0005-CVE-2022-38529.patch
+0006-CVE-2022-34300.patch
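Review bot: The corrected offset passed to `outBuf.at()` on the two `++` lines is bounds-checked only for the first byte of the row, while the `for (size_t u ...)` loop below reads `width` floats from `line_ptr`; the remaining elements are therefore still bounded only by how `outBuf` was sized, which is outside this hunk, so a one-line guard such as `if (row_off + static_cast<size_t>(width) * sizeof(float) > outBuf.size()) return false;` (with `row_off` holding the byte offset now computed inline) would make the check independent of the allocation. The change itself deserves a comment at the `line_ptr` line so the next reader does not "fix" it back, e.g. `// outBuf rows are pitched at pixel_data_size * width bytes, not x_stride`. DecodePixelData begins and ends outside this hunk; this is the FLOAT branch only (see the assert on the first context line), and if the other pixel-type branches compute the same `x_stride`-based offset they presumably need the same correction — worth checking against the upstream PR 175 referenced in the patch header.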