Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package libheif to address CVE-2019-11471, aka #928210 in Debian/buster. unblock libheif/1.3.2-2 debdiff follows: diff --git a/debian/changelog b/debian/changelog index 9452979..23246df 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +libheif (1.3.2-2) unstable; urgency=medium + + * Team Upload + + [ Dylan Aïssi ] + * Add patch to fix CVE-2019-11471, Closes: #928210 + + -- Reinhard Tartler <siret...@tauware.de> Sat, 01 Jun 2019 17:56:05 -0400 + libheif (1.3.2-1) unstable; urgency=medium * Imported Upstream version 1.3.2 diff --git a/debian/patches/CVE-2019-11471.patch b/debian/patches/CVE-2019-11471.patch new file mode 100644 index 0000000..767bb45 --- /dev/null +++ b/debian/patches/CVE-2019-11471.patch @@ -0,0 +1,60 @@ +Author: Joachim Bauch <bauch at struktur.de> +Description: Fix CVE-2019-11471 + Detect and handle recursive image references. + Detect non-existing referenced alpha images. + Detect non-existing referenced depth images. +Origin: upstream, https://github.com/strukturag/libheif/commit/e89fbbe0705a4b8e755f148fd4c4c84007295d16 + https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014 + https://github.com/strukturag/libheif/commit/5a9b7f7564e158c6339f6d78a77de23720b15afd +Bug: https://github.com/strukturag/libheif/issues/123 + https://github.com/strukturag/libheif/issues/125 +Bug-Debian: https://bugs.debian.org/928210 + +--- a/libheif/heif_context.cc ++++ b/libheif/heif_context.cc +@@ -520,6 +520,11 @@ + "Thumbnail references another thumbnail"); + } + ++ if (image.get() == master_iter->second.get()) { ++ return Error(heif_error_Invalid_input, ++ heif_suberror_Nonexisting_item_referenced, ++ "Recursive thumbnail image detected"); ++ } + master_iter->second->add_thumbnail(image); + + remove_top_level_image(image); +@@ -566,6 +571,16 @@ + image->set_is_alpha_channel_of(refs[0]); + + auto master_iter = m_all_images.find(refs[0]); ++ if (master_iter == m_all_images.end()) { ++ return Error(heif_error_Invalid_input, ++ heif_suberror_Nonexisting_item_referenced, ++ "Non-existing alpha image referenced"); ++ } ++ if (image.get() == master_iter->second.get()) { ++ return Error(heif_error_Invalid_input, ++ heif_suberror_Nonexisting_item_referenced, ++ "Recursive alpha image detected"); ++ } + master_iter->second->set_alpha_channel(image); + } + +@@ -576,6 +591,16 @@ + image->set_is_depth_channel_of(refs[0]); + + auto master_iter = m_all_images.find(refs[0]); ++ if (master_iter == m_all_images.end()) { ++ return Error(heif_error_Invalid_input, ++ heif_suberror_Nonexisting_item_referenced, ++ "Non-existing depth image referenced"); ++ } ++ if (image.get() == master_iter->second.get()) { ++ return Error(heif_error_Invalid_input, ++ heif_suberror_Nonexisting_item_referenced, ++ "Recursive depth image detected"); ++ } + master_iter->second->set_depth_channel(image); + + auto subtypes = auxC_property->get_subtypes(); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..acd8abf --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2019-11471.patch -- System Information: Debian Release: 10.0 APT prefers testing APT policy: (500, 'testing'), (50, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled