CVE-2015-7557/librsvg packages for wheezy and jessie (was: squeeze update of librsvg?)
Hi, Please, find attached the debdiffs that fix CVE-2015-7557 in wheezy and jessie. Since this is a no-dsa issue, it could address a next point release. Cheers, Santiago diff -Nru librsvg-2.36.1/debian/changelog librsvg-2.36.1/debian/changelog --- librsvg-2.36.1/debian/changelog 2013-12-04 21:16:12.0 +0100 +++ librsvg-2.36.1/debian/changelog 2016-03-24 10:53:07.0 +0100 @@ -1,3 +1,10 @@ +librsvg (2.36.1-2+deb7u1) wheezy; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file. + + -- Santiago Ruano RincónThu, 24 Mar 2016 09:18:51 +0100 + librsvg (2.36.1-2) stable; urgency=low [ Raphaël Geissert ] diff -Nru librsvg-2.36.1/debian/patches/CVE-2015-7557.patch librsvg-2.36.1/debian/patches/CVE-2015-7557.patch --- librsvg-2.36.1/debian/patches/CVE-2015-7557.patch 1970-01-01 01:00:00.0 +0100 +++ librsvg-2.36.1/debian/patches/CVE-2015-7557.patch 2016-03-24 09:18:37.0 +0100 
@@ -0,0 +1,50 @@ +From 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df Mon Sep 17 00:00:00 2001 +From: Federico Mena Quintero +Date: Thu, 5 Feb 2015 18:08:25 -0600 +Subject: bgo#738050 - Handle the case where a list of coordinate pairs has an + odd number of elements + +Lists of points come in coordinate pairs, but we didn't have any checking for that. +It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate +of an x,y pair, that was in fact missing, leading to an out-of-bounds array read. + +In that case, we now reuse the last-known y coordinate. + +Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050 + +Signed-off-by: Federico Mena Quintero +--- + rsvg-shapes.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/rsvg-shapes.c b/rsvg-shapes.c +index c13b90c..e4a705d 100644 +--- a/rsvg-shapes.c b/rsvg-shapes.c +@@ -169,10 +169,22 @@ _rsvg_node_poly_build_path (const char *value, + + /* "L %f %f " */ + for (i = 2; i < pointlist_len; i += 2) { ++double p; ++ + g_string_append (d, " L "); + g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i])); + g_string_append_c (d, ' '); +-g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i + 1])); ++ ++/* We expect points to come in coordinate pairs. But if there is a ++ * missing part of one pair in a corrupt SVG, we'll have an incomplete ++ * list. In that case, we reuse the last-known Y coordinate. ++ */ ++if (i + 1 < pointlist_len) ++p = pointlist[i + 1]; ++else ++p = pointlist[i - 1]; ++ ++g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), p)); + } + + if (close_path) +-- +cgit v0.11.2 + diff -Nru librsvg-2.36.1/debian/patches/series librsvg-2.36.1/debian/patches/series --- librsvg-2.36.1/debian/patches/series2013-12-04 15:09:40.0 +0100 +++ librsvg-2.36.1/debian/patches/series2016-03-24 09:18:37.0 +0100 
@@ -3,3 +3,4 @@ 10_rsvg-gz.patch 20_rsvg_compat.patch 99_ltmain_as-needed.patch +CVE-2015-7557.patch diff -Nru librsvg-2.40.5/debian/changelog librsvg-2.40.5/debian/changelog --- librsvg-2.40.5/debian/changelog 2014-10-14 16:48:24.0 +0200 +++ librsvg-2.40.5/debian/changelog 2016-03-24 11:04:24.0 +0100 @@ -1,3 +1,10 @@ +librsvg (2.40.5-1+deb8u1) jessie; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file. + + -- Santiago Ruano Rincón Thu, 24 Mar 2016 11:02:20 +0100 + librsvg (2.40.5-1) unstable; urgency=medium * New upstream release. diff -Nru librsvg-2.40.5/debian/patches/CVE-2015-7557.patch librsvg-2.40.5/debian/patches/CVE-2015-7557.patch --- librsvg-2.40.5/debian/patches/CVE-2015-7557.patch 1970-01-01 01:00:00.0 +0100 +++ librsvg-2.40.5/debian/patches/CVE-2015-7557.patch 2016-03-24 11:05:21.0 +0100 @@ -0,0 +1,50 @@ +From 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df Mon Sep 17 00:00:00 2001 +From: Federico Mena Quintero +Date: Thu, 5 Feb 2015 18:08:25 -0600 +Subject: bgo#738050 - Handle the case where a list of coordinate pairs has an + odd number of elements + +Lists of points come in coordinate pairs, but we didn't have any checking for that. +It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate +of an x,y pair, that was in fact missing, leading to an out-of-bounds array read. + +In that case, we now reuse the last-known y coordinate. + +Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050 + +Signed-off-by: Federico Mena Quintero +--- + rsvg-shapes.c | 14 +- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/rsvg-shapes.c b/rsvg-shapes.c +index c13b90c..e4a705d 100644 +--- a/rsvg-shapes.c
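Review bot: In the CVE-2015-7557.patch hunk for `_rsvg_node_poly_build_path`, the new guard `if (i + 1 < pointlist_len) p = pointlist[i + 1]; else p = pointlist[i - 1];` only protects the `" L "` loop, which starts at `i = 2`; whatever consumes `pointlist[0]` and `pointlist[1]` before this loop is outside the visible context, so please confirm that the code above line 169 already rejects or handles a list with fewer than two elements, otherwise a one-element list can still be read past its end before the loop is ever reached. Within the loop the fallback is sound: `i >= 2` guarantees `i - 1` is a valid, already-consumed index, and a one-element list never enters the loop since `2 < 1` is false. Since the upstream commit (index c13b90c..e4a705d) was produced against a tree newer than 2.36.1, it would also help to state in the changelog or the patch header that the hunk applies to 2.36.1 without fuzz or offset.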
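Review bot: In the wheezy debian/changelog hunk the trailer line reads `-- Santiago Ruano RincónThu, 24 Mar 2016 09:18:51 +0100`, with no email address and no double space between the maintainer field and the date; dpkg-parsechangelog requires the form ` -- Name <email>  Date`, so please check that the real file carries the address and the separator and that only this copy of the debdiff lost them (the jessie entry shows the same gap before `Thu, 24 Mar 2016 11:02:20 +0100`). The patch file itself is the verbatim upstream commit with its git `From:`/`Subject:`/`Date:` headers, which DEP-3 accepts, but adding `Origin: upstream` with the commit URL and `Bug: https://bugzilla.gnome.org/show_bug.cgi?id=738050` would make its provenance visible to the patch tracker without reading the body.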
Re: squeeze update of librsvg?
Hi Salvatore,

On 18/01/16 at 08:57, Salvatore Bonaccorso wrote:
> Hi Santiago,
>
> Sorry for the late reply.

No worries!

> On Sat, Jan 09, 2016 at 07:06:35PM +0100, Santiago Ruano Rincón wrote:
> > Hi,
> >
> > On 30/12/15 at 01:49, Ben Hutchings wrote:
> > > Hello dear maintainer(s),
> > >
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of librsvg:
> > > https://security-tracker.debian.org/tracker/CVE-2015-7557
> > > https://security-tracker.debian.org/tracker/CVE-2015-7558
> >
> > Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple,
> > CVE-2015-7558 is not trivial. It has been fixed by many changes in the
> > checks of cyclic references, using the new rsvg_acquire_node function
> > (i.e.
> > https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).
> >
> > I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
> > that is no-dsa. What do you think? What's the security team position
> > about it?
>
> I have marked one issue as no-dsa for wheezy and jessie
> (CVE-2015-7557).

I had prepared a squeeze package to fix it, and even if it isn't a critical issue, I prefer to upload it given that the work is done.

> Regarding CVE-2015-7558, not sure here. But if the
> fix is too intrusive to backport we can mark it as (Too
> intrusive to backport).

At least for Squeeze, it's indeed too intrusive. I haven't taken a look yet at Wheezy or Jessie.

Cheers,
Santiago
Re: squeeze update of librsvg?
Hi Santiago,

Sorry for the late reply.

On Sat, Jan 09, 2016 at 07:06:35PM +0100, Santiago Ruano Rincón wrote:
> Hi,
>
> On 30/12/15 at 01:49, Ben Hutchings wrote:
> > Hello dear maintainer(s),
> >
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of librsvg:
> > https://security-tracker.debian.org/tracker/CVE-2015-7557
> > https://security-tracker.debian.org/tracker/CVE-2015-7558
>
> Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple,
> CVE-2015-7558 is not trivial. It has been fixed by many changes in the
> checks of cyclic references, using the new rsvg_acquire_node function
> (i.e.
> https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).
>
> I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
> that is no-dsa. What do you think? What's the security team position
> about it?

I have marked one issue as no-dsa for wheezy and jessie
(CVE-2015-7557).

Regarding CVE-2015-7558, not sure here. But if the
fix is too intrusive to backport we can mark it as (Too
intrusive to backport).

Regards,
Salvatore
Re: squeeze update of librsvg?
Hi,

On 30/12/15 at 01:49, Ben Hutchings wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of librsvg:
> https://security-tracker.debian.org/tracker/CVE-2015-7557
> https://security-tracker.debian.org/tracker/CVE-2015-7558

Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple, CVE-2015-7558 is not trivial. It has been fixed by many changes in the checks of cyclic references, using the new rsvg_acquire_node function (i.e. https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).

I cannot find info about how CVE-2015-7558 is exploitable, but I'd say that is no-dsa. What do you think? What's the security team position about it?

Cheers,
Santiago
squeeze update of librsvg?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of librsvg:
https://security-tracker.debian.org/tracker/CVE-2015-7557
https://security-tracker.debian.org/tracker/CVE-2015-7558

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

Thank you very much.

Ben Hutchings, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

--
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams