Bug#911220: stretch-pu: package jhead/1:3.00-4
On 17/10/2018 at 11:15, Salvatore Bonaccorso wrote:
> Hi
>
> [Disclaimer: not a SRM but looking at the proposed update]
>
> On Wed, Oct 17, 2018 at 10:28:15AM +0200, Ludovic Rousseau wrote:
>> +jhead (1:3.00-4.1) stable; urgency=high
>
> Please use 1:3.00-4+deb9u1 as version. Using the codename instead of
> 'stable' would be preferred, but both work.
>
> Thanks a lot for preparing the update!

New patch version with the package version fixed.

Bye

-- 
Dr. Ludovic Rousseau

diff -Nru jhead-3.00/debian/changelog jhead-3.00/debian/changelog --- jhead-3.00/debian/changelog 2017-03-20 20:26:16.0 +0100 +++ jhead-3.00/debian/changelog 2018-10-16 10:38:19.0 +0200 @@ -1,3 +1,11 @@ +jhead (1:3.00-4+deb9u1) stretch; urgency=high + + * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088 + * d/p/33_fix_908176: Fix CVE-2018-16554 + * d/p/34_buffer_overflow: Fix heap buffer overflow + + -- Ludovic Rousseau Tue, 16 Oct 2018 10:38:19 +0200 + jhead (1:3.00-4) unstable; urgency=medium * Fix "CVE-2016-3822" Apply patch from Google (Closes: #858213) diff -Nru jhead-3.00/debian/patches/32_crash_in_gpsinfo jhead-3.00/debian/patches/32_crash_in_gpsinfo --- jhead-3.00/debian/patches/32_crash_in_gpsinfo 1970-01-01 01:00:00.0 +0100 +++ jhead-3.00/debian/patches/32_crash_in_gpsinfo 2018-10-16 10:33:06.0 +0200 
@@ -0,0 +1,26 @@ +From: Ludovic Rousseau +Date: Wed Sep 5 15:32:00 CEST 2018 +Subject: Fix heap buffer overflow + +Bug-Debian: http://bugs.debian.org/907925 +Description: Fix CVE-2018-17088 + +--- a/gpsinfo.c b/gpsinfo.c +@@ -4,6 +4,7 @@ + // Matthias Wandel, Dec 1999 - Dec 2002 + //-- + #include "jhead.h" ++#include + + #define MAX_GPS_TAG 0x1e + +@@ -101,7 +102,7 @@ + unsigned OffsetVal; + OffsetVal = Get32u(DirEntry+8); + // If its bigger than 4 bytes, the dir entry contains an offset. +-if (OffsetVal+ByteCount > ExifLength){ ++if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ + // Bogus pointer offset and / or bytecount value + ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0); + continue; diff -Nru jhead-3.00/debian/patches/33_fix_908176 jhead-3.00/debian/patches/33_fix_908176 --- jhead-3.00/debian/patches/33_fix_908176 1970-01-01 01:00:00.0 +0100 +++ jhead-3.00/debian/patches/33_fix_908176 2018-10-16 10:35:19.0 +0200 @@ -0,0 +1,19 @@ +From: Ludovic Rousseau +Date: Sat Sep 8 16:19:07 CEST 2018 +Subject: fix heap buffer overflow + +Bug-Debian: https://bugs.debian.org/908176 +Description: Fix CVE-2018-16554 + +--- a/gpsinfo.c b/gpsinfo.c +@@ -162,7 +162,8 @@ + break; + + case TAG_GPS_ALT: +-sprintf(ImageInfo.GpsAlt + 1, "%.2fm", ++snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1, ++"%.2fm", + ConvertAnyFormat(ValuePtr, Format)); + break; + } diff -Nru jhead-3.00/debian/patches/34_buffer_overflow jhead-3.00/debian/patches/34_buffer_overflow --- jhead-3.00/debian/patches/34_buffer_overflow1970-01-01 01:00:00.0 +0100 +++ jhead-3.00/debian/patches/34_buffer_overflow2018-10-16 10:36:45.0 +0200 
@@ -0,0 +1,15 @@ +From: Ludovic Rousseau +Date: Sat Sep 8 16:02:23 CEST 2018 +Subject: Fix heap buffer overflow + +--- a/jhead.c b/jhead.c +@@ -670,7 +670,7 @@ + NameExtra[0] = 0; + } + +-sprintf(NewName, "%s%s.jpg", NewBaseName, NameExtra); ++snprintf(NewName, sizeof(NewName), "%s%s.jpg", NewBaseName, NameExtra); + + if (!strcmp(FileName, NewName)) break; // Skip if its already this name. + diff -Nru jhead-3.00/debian/patches/series jhead-3.00/debian/patches/series --- jhead-3.00/debian/patches/series2017-03-20 20:26:16.0 +0100 +++ jhead-3.00/debian/patches/series2018-10-16 10:37:07.0 +0200 @@ -5,3 +5,6 @@ 25_makefile 27_documentation 31_CVE-2016-3822 +32_crash_in_gpsinfo +33_fix_908176 +34_buffer_overflow
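
Review bot: in the gpsinfo.c hunk at @@ -101,7 of 32_crash_in_gpsinfo, the new wraparound guard compares against UINT32_MAX although OffsetVal is declared as plain unsigned, so UINT_MAX would match the declared type. The addition can also be avoided altogether with a subtraction-form check such as `ByteCount > ExifLength || OffsetVal > ExifLength - ByteCount`, which is valid if ByteCount and ExifLength are unsigned (their declarations are outside the hunk). The added #include line in the @@ -4,6 hunk shows no header name in this copy of the patch; UINT32_MAX is defined in stdint.h, so confirm the uploaded file includes it.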
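
Review bot: in the TAG_GPS_ALT case of 33_fix_908176, the snprintf() return value is discarded, so an altitude string that does not fit is now truncated without any diagnostic. The size argument `sizeof(ImageInfo.GpsAlt) -1` correctly accounts for writing from `ImageInfo.GpsAlt + 1`, assuming GpsAlt is an array member (its declaration is not in the hunk). Consider comparing the return value against that size and reporting through ErrNonfatal() when the value did not fit. Style: write `- 1` with a space.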
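
Review bot: in the jhead.c hunk of 34_buffer_overflow, a truncated NewName still reaches the `strcmp(FileName, NewName)` line and the code after it, so an over-long NewBaseName now produces a name that may have lost its .jpg suffix instead of overflowing the buffer. Check the snprintf() return value (a result `>= sizeof(NewName)` means truncation) and skip the file with an error in that case. Note also that `sizeof(NewName)` is the buffer size only if NewName is an array in this scope, which the hunk does not show.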
Bug#903656: publicsuffix 20180523.2326-0+deb9u1 flagged for acceptance
On Tue 2018-10-09 19:15:09 +, Adam D Barratt wrote:
> The upload referenced by this bug report has been flagged for acceptance into
> the proposed-updates queue for Debian stretch.
>
> Thanks for your contribution!
>
> Upload details
> ==
>
> Package: publicsuffix
> Version: 20180523.2326-0+deb9u1

thanks! since this process started, there have been more updates to the publicsuffix list. I've opened #911244 to track that request.

Regards,

--dkg
Bug#911244: stretch-pu: package publicsuffix/20181003.1334-0+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 publicsuffix

Please consider an update to publicsuffix in debian stretch.

This package reflects the state of the network, and keeping it current is useful for all the packages that depend on it.

The debdiff from the version currently in stretch-proposed-updates is attached.

This proposed release is also available at the "publicsuffix_debian/20181003.1334-0+deb9u1" tag on the "debian/stretch" branch at the git repo for publicsuffix packaging:

https://salsa.debian.org/debian/publicsuffix

Please follow up on this ticket to confirm whether I should upload this revision to stretch.

publicsuffix_20180523.2326-0+deb9u1_20181003.1334-0+deb9u1.debdiff.gz
Description: application/gzip
Processed: stretch-pu: package publicsuffix/20181003.1334-0+deb9u1
Processing control commands:

> affects -1 publicsuffix
Bug #911244 [release.debian.org] stretch-pu: package publicsuffix/20181003.1334-0+deb9u1
Added indication that 911244 affects publicsuffix

-- 
911244: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911244
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#911220: stretch-pu: package jhead/1:3.00-4
Hi

[Disclaimer: not a SRM but looking at the proposed update]

On Wed, Oct 17, 2018 at 10:28:15AM +0200, Ludovic Rousseau wrote:
> +jhead (1:3.00-4.1) stable; urgency=high

Please use 1:3.00-4+deb9u1 as version. Using the codename instead of 'stable' would be preferred, but both work.

Thanks a lot for preparing the update!

Regards,
Salvatore
Bug#911220: stretch-pu: package jhead/1:3.00-4
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

Some CVEs were reported for jhead. I talked to Debian security team. The security issues are not critical and Salvatore Bonaccorso proposed to update the package in stable using stretch-pu instead of the security team.

The issues are already fixed in Debian unstable. I just reused the patches (from debian/patches/) for stretch-pu.

changes:
 * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088
 * d/p/33_fix_908176: Fix CVE-2018-16554
 * d/p/34_buffer_overflow: Fix heap buffer overflow

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru jhead-3.00/debian/changelog jhead-3.00/debian/changelog --- jhead-3.00/debian/changelog 2017-03-20 19:26:16.0 + +++ jhead-3.00/debian/changelog 2018-10-16 08:38:19.0 + @@ -1,3 +1,11 @@ +jhead (1:3.00-4.1) stable; urgency=high + + * d/p/32_crash_in_gpsinfo: Fix CVE-2018-17088 + * d/p/33_fix_908176: Fix CVE-2018-16554 + * d/p/34_buffer_overflow: Fix heap buffer overflow + + -- Ludovic Rousseau Tue, 16 Oct 2018 10:38:19 +0200 + jhead (1:3.00-4) unstable; urgency=medium * Fix "CVE-2016-3822" Apply patch from Google (Closes: #858213) diff -Nru jhead-3.00/debian/patches/32_crash_in_gpsinfo jhead-3.00/debian/patches/32_crash_in_gpsinfo --- jhead-3.00/debian/patches/32_crash_in_gpsinfo 1970-01-01 00:00:00.0 + +++ jhead-3.00/debian/patches/32_crash_in_gpsinfo 2018-10-16 08:33:06.0 + 
@@ -0,0 +1,26 @@ +From: Ludovic Rousseau +Date: Wed Sep 5 15:32:00 CEST 2018 +Subject: Fix heap buffer overflow + +Bug-Debian: http://bugs.debian.org/907925 +Description: Fix CVE-2018-17088 + +--- a/gpsinfo.c b/gpsinfo.c +@@ -4,6 +4,7 @@ + // Matthias Wandel, Dec 1999 - Dec 2002 + //-- + #include "jhead.h" ++#include + + #define MAX_GPS_TAG 0x1e + +@@ -101,7 +102,7 @@ + unsigned OffsetVal; + OffsetVal = Get32u(DirEntry+8); + // If its bigger than 4 bytes, the dir entry contains an offset. +-if (OffsetVal+ByteCount > ExifLength){ ++if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ + // Bogus pointer offset and / or bytecount value + ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0); + continue; diff -Nru jhead-3.00/debian/patches/33_fix_908176 jhead-3.00/debian/patches/33_fix_908176 --- jhead-3.00/debian/patches/33_fix_908176 1970-01-01 00:00:00.0 + +++ jhead-3.00/debian/patches/33_fix_908176 2018-10-16 08:35:19.0 + @@ -0,0 +1,19 @@ +From: Ludovic Rousseau +Date: Sat Sep 8 16:19:07 CEST 2018 +Subject: fix heap buffer overflow + +Bug-Debian: https://bugs.debian.org/908176 +Description: Fix CVE-2018-16554 + +--- a/gpsinfo.c b/gpsinfo.c +@@ -162,7 +162,8 @@ + break; + + case TAG_GPS_ALT: +-sprintf(ImageInfo.GpsAlt + 1, "%.2fm", ++snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1, ++"%.2fm", + ConvertAnyFormat(ValuePtr, Format)); + break; + } diff -Nru jhead-3.00/debian/patches/34_buffer_overflow jhead-3.00/debian/patches/34_buffer_overflow --- jhead-3.00/debian/patches/34_buffer_overflow1970-01-01 00:00:00.0 + +++ jhead-3.00/debian/patches/34_buffer_overflow2018-10-16 08:36:45.0 + 
@@ -0,0 +1,15 @@ +From: Ludovic Rousseau +Date: Sat Sep 8 16:02:23 CEST 2018 +Subject: Fix heap buffer overflow + +--- a/jhead.c b/jhead.c +@@ -670,7 +670,7 @@ + NameExtra[0] = 0; + } + +-sprintf(NewName, "%s%s.jpg", NewBaseName, NameExtra); ++snprintf(NewName, sizeof(NewName), "%s%s.jpg", NewBaseName, NameExtra); + + if (!strcmp(FileName, NewName)) break; // Skip if its already this name. + diff -Nru jhead-3.00/debian/patches/series jhead-3.00/debian/patches/series --- jhead-3.00/debian/patches/series2017-03-20 19:26:16.0 + +++ jhead-3.00/debian/patches/series2018-10-16 08:37:07.0 + @@ -5,3 +5,6 @@ 25_makefile 27_documentation 31_CVE-2016-3822 +32_crash_in_gpsinfo +33_fix_908176 +34_buffer_overflow
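
Review bot: 34_buffer_overflow carries no Bug-Debian: or Description: header, unlike 32_crash_in_gpsinfo and 33_fix_908176, and its debian/changelog line "Fix heap buffer overflow" names neither a bug nor the affected code. Add a Description: stating which buffer is protected (NewName in jhead.c) and, if a bug report exists, a Bug-Debian: reference, so the entry in the stable changelog can be traced like the other two.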