CVE-2015-7557/librsvg packages for wheezy and jessie (was: squeeze update of librsvg?)

2016-03-24 Thread Santiago Ruano Rincón
Hi,

Please find attached the debdiffs that fix CVE-2015-7557 in wheezy and
jessie. Since this is a no-dsa issue, it could be addressed in a next point
release.

Cheers,

Santiago
diff -Nru librsvg-2.36.1/debian/changelog librsvg-2.36.1/debian/changelog
--- librsvg-2.36.1/debian/changelog 2013-12-04 21:16:12.0 +0100
+++ librsvg-2.36.1/debian/changelog 2016-03-24 10:53:07.0 +0100
@@ -1,3 +1,10 @@
+librsvg (2.36.1-2+deb7u1) wheezy; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file.
+
+ -- Santiago Ruano Rincón   Thu, 24 Mar 2016 09:18:51 
+0100
+
 librsvg (2.36.1-2) stable; urgency=low
 
   [ Raphaël Geissert ]
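Review bot: the entry names the CVE but nothing in it ties the change to the upstream fix it carries; since the added patch file is a verbatim upstream commit (40af93e6, bgo#738050), mentioning that bug in the entry, e.g. `* Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file (bgo#738050).`, makes the security tracker entry and later rebases easier to audit.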
diff -Nru librsvg-2.36.1/debian/patches/CVE-2015-7557.patch 
librsvg-2.36.1/debian/patches/CVE-2015-7557.patch
--- librsvg-2.36.1/debian/patches/CVE-2015-7557.patch   1970-01-01 
01:00:00.0 +0100
+++ librsvg-2.36.1/debian/patches/CVE-2015-7557.patch   2016-03-24 
09:18:37.0 +0100
@@ -0,0 +1,50 @@
+From 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df Mon Sep 17 00:00:00 2001
+From: Federico Mena Quintero 
+Date: Thu, 5 Feb 2015 18:08:25 -0600
+Subject: bgo#738050 - Handle the case where a list of coordinate pairs has an
+ odd number of elements
+
+Lists of points come in coordinate pairs, but we didn't have any checking for 
that.
+It was possible to try to fetch the 'last' coordinate in a list, i.e. the y 
coordinate
+of an x,y pair, that was in fact missing, leading to an out-of-bounds array 
read.
+
+In that case, we now reuse the last-known y coordinate.
+
+Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050
+
+Signed-off-by: Federico Mena Quintero 
+---
+ rsvg-shapes.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/rsvg-shapes.c b/rsvg-shapes.c
+index c13b90c..e4a705d 100644
+--- a/rsvg-shapes.c
 b/rsvg-shapes.c
+@@ -169,10 +169,22 @@ _rsvg_node_poly_build_path (const char *value,
+ 
+ /* "L %f %f " */
+ for (i = 2; i < pointlist_len; i += 2) {
++double p;
++
+ g_string_append (d, " L ");
+ g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i]));
+ g_string_append_c (d, ' ');
+-g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i + 
1]));
++
++/* We expect points to come in coordinate pairs.  But if there is a
++ * missing part of one pair in a corrupt SVG, we'll have an incomplete
++ * list.  In that case, we reuse the last-known Y coordinate.
++ */
++if (i + 1 < pointlist_len)
++p = pointlist[i + 1];
++else
++p = pointlist[i - 1];
++
++g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), p));
+ }
+ 
+ if (close_path)
+-- 
+cgit v0.11.2
+
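Review bot: the guard `if (i + 1 < pointlist_len)` closes the read in the loop, and `pointlist[i - 1]` is always in range because `i` starts at 2; the first pair (indices 0 and 1, emitted by the "M" before this hunk) is outside the change, so please confirm the caller already rejects a list with a single value before entering this function. On the packaging side, the header has the git From/Date/Subject fields DEP-3 accepts, but an `Origin: upstream` line naming the commit id from the From line and a `Bug:` line with the bugzilla URL would let the tracker scripts pick the provenance up without reading the body.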
diff -Nru librsvg-2.36.1/debian/patches/series 
librsvg-2.36.1/debian/patches/series
--- librsvg-2.36.1/debian/patches/series2013-12-04 15:09:40.0 
+0100
+++ librsvg-2.36.1/debian/patches/series2016-03-24 09:18:37.0 
+0100
@@ -3,3 +3,4 @@
 10_rsvg-gz.patch
 20_rsvg_compat.patch
 99_ltmain_as-needed.patch
+CVE-2015-7557.patch
diff -Nru librsvg-2.40.5/debian/changelog librsvg-2.40.5/debian/changelog
--- librsvg-2.40.5/debian/changelog 2014-10-14 16:48:24.0 +0200
+++ librsvg-2.40.5/debian/changelog 2016-03-24 11:04:24.0 +0100
@@ -1,3 +1,10 @@
+librsvg (2.40.5-1+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file.
+
+ -- Santiago Ruano Rincón   Thu, 24 Mar 2016 11:02:20 
+0100
+
 librsvg (2.40.5-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru librsvg-2.40.5/debian/patches/CVE-2015-7557.patch 
librsvg-2.40.5/debian/patches/CVE-2015-7557.patch
--- librsvg-2.40.5/debian/patches/CVE-2015-7557.patch   1970-01-01 
01:00:00.0 +0100
+++ librsvg-2.40.5/debian/patches/CVE-2015-7557.patch   2016-03-24 
11:05:21.0 +0100
@@ -0,0 +1,50 @@
+From 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df Mon Sep 17 00:00:00 2001
+From: Federico Mena Quintero 
+Date: Thu, 5 Feb 2015 18:08:25 -0600
+Subject: bgo#738050 - Handle the case where a list of coordinate pairs has an
+ odd number of elements
+
+Lists of points come in coordinate pairs, but we didn't have any checking for 
that.
+It was possible to try to fetch the 'last' coordinate in a list, i.e. the y 
coordinate
+of an x,y pair, that was in fact missing, leading to an out-of-bounds array 
read.
+
+In that case, we now reuse the last-known y coordinate.
+
+Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050
+
+Signed-off-by: Federico Mena Quintero 
+---
+ rsvg-shapes.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/rsvg-shapes.c b/rsvg-shapes.c
+index c13b90c..e4a705d 100644
+--- a/rsvg-shapes.c
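Review bot: the jessie copy of CVE-2015-7557.patch stops at `+--- a/rsvg-shapes.c` in this debdiff although its header announces `@@ -0,0 +1,50 @@`; the wheezy copy above carries the same commit id and is 50 lines, so the remainder is presumably identical, but please confirm the complete file is in the upload and that the hunk applies to 2.40.5 without fuzz, since the `index c13b90c..e4a705d` line refers to the upstream tree the commit was made against rather than to either Debian source.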
 

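The defect the attached patch guards against, written out as an added example in C that is not code from librsvg or from the debdiff: a flat list of coordinate values is turned into an SVG path string, and a corrupt polyline with an odd number of values leaves the y of the last pair missing. The names `poly_build_path`, `count_oob_reads_unfixed` and `demo_odd_list` are hypothetical stand-ins for the upstream routine, snprintf replaces GString/g_ascii_dtostr so it runs stand-alone, and the input list is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for librsvg's _rsvg_node_poly_build_path: turns a
 * flat x,y,x,y,... list into "M x y L x y ... [Z]". Returns the number of
 * characters written, or -1 if the list has no complete first pair or the
 * output buffer is too small. */
static int poly_build_path(const double *pointlist, size_t pointlist_len,
                           int close_path, char *out, size_t outlen)
{
    size_t i, used;
    int n;

    /* The initial "M" consumes indices 0 and 1, so refuse shorter lists. */
    if (pointlist_len < 2 || outlen == 0)
        return -1;

    n = snprintf(out, outlen, "M %g %g", pointlist[0], pointlist[1]);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    used = (size_t)n;

    /* "L %f %f " */
    for (i = 2; i < pointlist_len; i += 2) {
        double p;

        /* Same guard as the upstream fix: a corrupt SVG may leave an odd
         * number of values, so the y of the last pair can be missing.
         * Reuse the last-known y instead of reading pointlist[i + 1]. */
        if (i + 1 < pointlist_len)
            p = pointlist[i + 1];
        else
            p = pointlist[i - 1];

        n = snprintf(out + used, outlen - used, " L %g %g", pointlist[i], p);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }

    if (close_path) {
        n = snprintf(out + used, outlen - used, " Z");
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

/* Counts, without performing any read, how often the pre-fix loop (which
 * read pointlist[i + 1] unconditionally) would have indexed past the end
 * of a list of the given length. Any nonzero result marks an input that
 * triggered the CVE-2015-7557 read; useful as a check over a test corpus. */
static size_t count_oob_reads_unfixed(size_t pointlist_len)
{
    size_t i, oob = 0;

    for (i = 2; i < pointlist_len; i += 2)
        if (i + 1 >= pointlist_len)
            oob++;
    return oob;
}

/* Runs the builder over a constructed odd-length list (three x values but
 * only two y values) and returns the resulting path text in static storage. */
static const char *demo_odd_list(void)
{
    static char buf[64];
    static const double pts[] = { 0, 0, 10, 0, 10 };  /* constructed input */

    if (poly_build_path(pts, 5, 0, buf, sizeof buf) < 0)
        return NULL;
    return buf;
}

int main(void)
{
    printf("odd list -> \"%s\"\n", demo_odd_list());
    printf("unguarded loop over 5 values would read past the end %zu time(s)\n",
           count_oob_reads_unfixed(5));
    return 0;
}
```

The hardened loop never touches an index at or beyond `pointlist_len`, and the counting helper gives a way to flag, over a corpus of parsed point lists, exactly which inputs the unpatched build would have mishandled.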
Re: squeeze update of librsvg?

2016-01-19 Thread Santiago Ruano Rincón
Hi Salvatore,

On 18/01/16 at 08:57, Salvatore Bonaccorso wrote:
> Hi Santiago,
> 
> Sorry for the late reply.
>

No worries!

> On Sat, Jan 09, 2016 at 07:06:35PM +0100, Santiago Ruano Rincón wrote:
> > Hi,
> > 
> > On 30/12/15 at 01:49, Ben Hutchings wrote:
> > > Hello dear maintainer(s),
> > > 
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of librsvg:
> > > https://security-tracker.debian.org/tracker/CVE-2015-7557
> > > https://security-tracker.debian.org/tracker/CVE-2015-7558
> > 
> > Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple,
> > the CVE-2015-7558 is not trivial. It has been fixed by many changes in the
> > checks of cyclic references, using the new rsvg_acquire_node function
> > (i.e. 
> > https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).
> > 
> > I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
> > that is no-dsa. What do you think? What's the security team position
> > about it?
> 
> I have marked one issue as no-dsa for wheezy and jessie
> (CVE-2015-7557). 

I had prepared a squeeze package to fix it, and even if it isn't a
critical issue, I prefer to upload it given that the work is done.

> Regarding CVE-2015-7558, not sure here. But if the
> fix is too intrusive to backport we can mark it as  (Too
> intrusive to backport).

At least for Squeeze, it's indeed too intrusive. I haven't taken a look
yet into Wheezy or Jessie.

Cheers,

Santiago




Re: squeeze update of librsvg?

2016-01-17 Thread Salvatore Bonaccorso
Hi Santiago,

Sorry for the late reply.

On Sat, Jan 09, 2016 at 07:06:35PM +0100, Santiago Ruano Rincón wrote:
> Hi,
> 
> On 30/12/15 at 01:49, Ben Hutchings wrote:
> > Hello dear maintainer(s),
> > 
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of librsvg:
> > https://security-tracker.debian.org/tracker/CVE-2015-7557
> > https://security-tracker.debian.org/tracker/CVE-2015-7558
> 
> Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple,
> the CVE-2015-7558 is not trivial. It has been fixed by many changes in the
> checks of cyclic references, using the new rsvg_acquire_node function
> (i.e. 
> https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).
> 
> I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
> that is no-dsa. What do you think? What's the security team position
> about it?

I have marked one issue as no-dsa for wheezy and jessie
(CVE-2015-7557). Regarding CVE-2015-7558, not sure here. But if the
fix is too intrusive to backport we can mark it as  (Too
intrusive to backport).

Regards,
Salvatore



Re: squeeze update of librsvg?

2016-01-09 Thread Santiago Ruano Rincón
Hi,

On 30/12/15 at 01:49, Ben Hutchings wrote:
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of librsvg:
> https://security-tracker.debian.org/tracker/CVE-2015-7557
> https://security-tracker.debian.org/tracker/CVE-2015-7558

Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple,
the CVE-2015-7558 is not trivial. It has been fixed by many changes in the
checks of cyclic references, using the new rsvg_acquire_node function
(i.e. 
https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).

I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
that is no-dsa. What do you think? What's the security team position
about it?

Cheers,

Santiago




squeeze update of librsvg?

2015-12-29 Thread Ben Hutchings
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of librsvg:
https://security-tracker.debian.org/tracker/CVE-2015-7557
https://security-tracker.debian.org/tracker/CVE-2015-7558

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Ben Hutchings,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

-- 
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams


