Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu


The attached debdiff for zvbi fixes CVE-2025-2173, CVE-2025-2174, CVE-2025-2175, CVE-2025-2176 and CVE-2025-2177. Although all of these CVEs are marked no-dsa by the security team, all but one received a high CVSS score from one evaluator or another.

   Thorsten
diff -Nru zvbi-0.2.41/debian/changelog zvbi-0.2.41/debian/changelog
--- zvbi-0.2.41/debian/changelog        2023-02-13 14:32:40.000000000 +0100
+++ zvbi-0.2.41/debian/changelog        2026-01-10 10:03:02.000000000 +0100
@@ -1,3 +1,13 @@
+zvbi (0.2.41-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2025-2173
+    fix uninitialized pointer in src/conv.c:: vbi_strndup_iconv_ucs2()
+  * CVE-2025-2174, CVE-2025-2175, CVE-2025-2176, CVE-2025-2177
+    fix integer overflows in several functions
+
+ -- Thorsten Alteholz <[email protected]>  Sat, 10 Jan 2026 10:03:02 +0100
+
 zvbi (0.2.41-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru zvbi-0.2.41/debian/patches/CVE-2025-2173.patch 
zvbi-0.2.41/debian/patches/CVE-2025-2173.patch
--- zvbi-0.2.41/debian/patches/CVE-2025-2173.patch      1970-01-01 
01:00:00.000000000 +0100
+++ zvbi-0.2.41/debian/patches/CVE-2025-2173.patch      2026-01-10 
10:03:02.000000000 +0100
@@ -0,0 +1,31 @@
+commit 8def647eea27f7fd7ad33ff79c2d6d3e39948dce
+Author: Ileana Dumitrescu <[email protected]>
+Date:   Mon Mar 10 20:36:05 2025 +0200
+
+    src/conv.c: Check src_length to avoid an unitinialized heap read
+
+Index: zvbi-0.2.41/src/conv.c
+===================================================================
+--- zvbi-0.2.41.orig/src/conv.c        2026-01-10 13:44:06.799252632 +0100
++++ zvbi-0.2.41/src/conv.c     2026-01-10 13:44:06.795252605 +0100
+@@ -583,8 +583,8 @@
+  * @returns
+  * A pointer to the allocated buffer. You must free() the buffer
+  * when it is no longer needed. The function returns @c NULL when
+- * the conversion fails, when it runs out of memory or when @a src
+- * is @c NULL.
++ * the conversion fails, when it runs out of memory, src_length is
++ * set to zero, or when @a src is @c NULL.
+  *
+  * @since 0.2.23
+  */
+@@ -598,6 +598,9 @@
+       char *result;
+       unsigned long size;
+ 
++      if (0 == src_length)
++              return NULL;
++
+       buffer = strndup_iconv_from_ucs2 (&size,
+                                         dst_codeset,
+                                         src, src_length,
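Review bot: The added `if (0 == src_length) return NULL;` rejects empty input at this one caller instead of initialising the buffer that `strndup_iconv_from_ucs2` leaves unset, so any other caller of that helper (its name suggests a shared static routine, but that is not visible here) would still reach the uninitialised read. If `src_length` follows the convention used by the sibling function in the companion patch, where a negative value means "compute the length from `src`", a string whose computed length is zero would also bypass this guard, since the check runs before that substitution; confirm the parameter's type and contract against the function header, which lies above the hunk. A short comment on the guard would help the next reader, e.g. `/* CVE-2025-2173: a zero-length conversion leaves the result buffer unset; refuse it here */`. The enclosing function `vbi_strndup_iconv_ucs2` starts and ends outside the hunk.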
diff -Nru zvbi-0.2.41/debian/patches/CVE-2025-2177+2176+2175+2174.patch 
zvbi-0.2.41/debian/patches/CVE-2025-2177+2176+2175+2174.patch
--- zvbi-0.2.41/debian/patches/CVE-2025-2177+2176+2175+2174.patch       
1970-01-01 01:00:00.000000000 +0100
+++ zvbi-0.2.41/debian/patches/CVE-2025-2177+2176+2175+2174.patch       
2026-01-10 10:03:02.000000000 +0100
@@ -0,0 +1,110 @@
+commit ca1672134b3e2962cd392212c73f44f8f4cb489f
+Author: Ileana Dumitrescu <[email protected]>
+Date:   Mon Mar 10 20:36:32 2025 +0200
+
+    src/conv.c, src/io-sim.c, src/search.c: Avoid integer overflow leading to 
heap overflow
+
+Index: zvbi-0.2.41/src/conv.c
+===================================================================
+--- zvbi-0.2.41.orig/src/conv.c        2026-01-10 13:42:21.298548676 +0100
++++ zvbi-0.2.41/src/conv.c     2026-01-10 13:42:21.294548648 +0100
+@@ -333,7 +333,8 @@
+  * @returns
+  * A pointer to the allocated buffer. You must free() the buffer
+  * when it is no longer needed. The function returns @c NULL when
+- * it runs out of memory, or when @a src is @c NULL.
++ * it runs out of memory, src_size is too large, or when @a src
++ * is @c NULL.
+  *
+  * @since 0.2.23
+  */
+@@ -344,7 +345,11 @@
+ {
+       char *buffer;
+ 
+-      buffer = vbi_malloc (src_size + 4);
++      unsigned long check_buffer_size = (src_size + 4);
++      if (src_size > check_buffer_size)
++              return NULL;
++
++      buffer = vbi_malloc (check_buffer_size);
+       if (NULL == buffer) {
+               if (NULL != out_size)
+                       *out_size = 0;
+@@ -376,7 +381,8 @@
+  * @returns
+  * A pointer to the allocated buffer. You must free() the buffer
+  * when it is no longer needed. The function returns @c NULL when
+- * it runs out of memory, or when @a src is @c NULL.
++ * it runs out of memory, src_length is too large, or when @a src
++ * is @c NULL.
+  *
+  * @since 0.2.23
+  */
+@@ -398,7 +404,11 @@
+       if (src_length < 0)
+               src_length = vbi_strlen_ucs2 (src);
+ 
+-      buffer = vbi_malloc (src_length * 3 + 1);
++      unsigned long check_buffer_size = (src_length * 3 + 1);
++      if (src_length > check_buffer_size)
++              return NULL;
++
++      buffer = vbi_malloc (check_buffer_size);
+       if (NULL == buffer)
+               return NULL;
+ 
+Index: zvbi-0.2.41/src/io-sim.c
+===================================================================
+--- zvbi-0.2.41.orig/src/io-sim.c      2026-01-10 13:42:21.298548676 +0100
++++ zvbi-0.2.41/src/io-sim.c   2026-01-10 13:42:21.294548648 +0100
+@@ -1898,7 +1898,10 @@
+               }
+ 
+               if (b->size >= b->capacity) {
+-                      if (!extend_buffer (b, b->capacity + 256))
++                      unsigned int check_buffer_size = (b->capacity + 256);
++                      if (b->capacity > check_buffer_size)
++                              return FALSE;
++                      if (!extend_buffer (b, check_buffer_size))
+                               return FALSE;
+               }
+ 
+Index: zvbi-0.2.41/src/search.c
+===================================================================
+--- zvbi-0.2.41.orig/src/search.c      2026-01-10 13:42:21.298548676 +0100
++++ zvbi-0.2.41/src/search.c   2026-01-10 13:42:21.294548648 +0100
+@@ -2,7 +2,7 @@
+  *  libzvbi -- Teletext page cache search functions
+  *
+  *  Copyright (C) 2000, 2001, 2002 Michael H. Schimek
+- *  Copyright (C) 2000, 2001 I�aki G. Etxebarria
++ *  Copyright (C) 2000, 2001 I�aki G. Etxebarria
+  *
+  *  Originally based on AleVT 1.5.1 by Edgar Toernig
+  *
+@@ -470,7 +470,8 @@
+  * All this has yet to be addressed.
+  *
+  * @return
+- * A vbi_search context or @c NULL on error.
++ * A vbi_search context or @c NULL on error or pattern string length
++ * is too large.
+  */
+ vbi_search *
+ vbi_search_new(vbi_decoder *vbi,
+@@ -490,7 +491,13 @@
+               return NULL;
+ 
+       if (!regexp) {
+-              if (!(esc_pat = malloc(sizeof(ucs2_t) * pat_len * 2))) {
++              unsigned int check_size = (sizeof(ucs2_t) * pat_len * 2);
++              if (pat_len > check_size) {
++                      free(s);
++                      return NULL;
++              }
++
++              if (!(esc_pat = malloc(check_size))) {
+                       free(s);
+                       return NULL;
+               }
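Review bot: The overflow guards in conv.c around line 404 and in search.c around line 491 compute the possibly-overflowing size first and compare afterwards, which is not a reliable check for multiplication: in conv.c `src_length` is signed (the hunk tests `src_length < 0` just above), so `src_length * 3 + 1` is a signed overflow, i.e. undefined behaviour, before `check_buffer_size` is ever compared, and a compiler may drop the comparison on that basis; in search.c the `size_t` product `sizeof(ucs2_t) * pat_len * 2` is truncated into an `unsigned int`, so a wrapped-and-truncated value can still exceed `pat_len` and let a too-small `malloc` through. The defended idiom is a division-based precheck against the operand before multiplying, e.g. in conv.c `if ((unsigned long) src_length > (ULONG_MAX - 1) / 3) return NULL;` and in search.c `if (pat_len > SIZE_MAX / (sizeof(ucs2_t) * 2)) { free(s); return NULL; }` with `check_size` declared as `size_t`. The additive guards in conv.c around line 345 and io-sim.c around line 1898 are sound only if `src_size` and `b->capacity` are unsigned and at least as wide as the temporaries they are compared with; their declarations are outside the hunk and should be confirmed. All four enclosing functions start and end outside the hunk.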
diff -Nru zvbi-0.2.41/debian/patches/series zvbi-0.2.41/debian/patches/series
--- zvbi-0.2.41/debian/patches/series   1970-01-01 01:00:00.000000000 +0100
+++ zvbi-0.2.41/debian/patches/series   2026-01-10 10:03:02.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2025-2177+2176+2175+2174.patch
+CVE-2025-2173.patch
