Version in base suite: 2.20-8 Version in overlay suite: (not present) Base version: camlimages_2.20-8 Target version: camlimages_2.20-8+etch1 Base file: /org/ftp.debian.org/ftp/pool/main/c/camlimages/camlimages_2.20-8.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/camlimages_2.20-8+etch1.dsc camlimages-2.20/debian/changelog | 7 ++ camlimages-2.20/debian/patches/00list | 1 debian/patches/fix_integer_overflows.dpatch | 89 ++++++++++++++++++++++++++++ 3 files changed, 97 insertions(+)
diff -u camlimages-2.20/debian/patches/00list camlimages-2.20/debian/patches/00list
--- camlimages-2.20/debian/patches/00list
+++ camlimages-2.20/debian/patches/00list
@@ -2,0 +3 @@
+fix_integer_overflows
diff -u camlimages-2.20/debian/changelog camlimages-2.20/debian/changelog
--- camlimages-2.20/debian/changelog
+++ camlimages-2.20/debian/changelog
@@ -1,3 +1,10 @@
+camlimages (2.20-8+etch1) oldstable-security; urgency=low
+
+ * Add patch fix_integer_overflows to fix integer overflow with PNG
+ images boundaries (CVE-2009-2295) (Closes: #535909)
+
+ -- Stefano Zacchiroli Tue, 07 Jul 2009 13:51:06 +0200
+
 camlimages (2.20-8) unstable; urgency=low
 * Change my email address to gildor@debian.org,
only in patch2: unchanged:
--- camlimages-2.20.orig/debian/patches/fix_integer_overflows.dpatch
+++ camlimages-2.20/debian/patches/fix_integer_overflows.dpatch
@@ -0,0 +1,89 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix_integer_overflows.dpatch by Mehdi Dogguy
+##
+## DP: Fix multiple integer overflows.
+## DP: http://www.ocert.org/advisories/ocert-2009-009.html
+
+@DPATCH@
+diff -urNad camlimages-2.20~/png/pngread.c camlimages-2.20/png/pngread.c
+--- camlimages-2.20~/png/pngread.c 2002-03-26 14:15:10.000000000 +0100
++++ camlimages-2.20/png/pngread.c 2009-07-07 13:58:45.639592173 +0200
+@@ -13,6 +13,8 @@
+ /***********************************************************************/
+ #include
+
++#include
++
+ #if HAVE_PNG
+ #include
+ #endif
+@@ -33,6 +35,12 @@
+ #define PNG_TAG_INDEX16 2
+ #define PNG_TAG_INDEX4 3
+
++/* Test if x or y are negative, or if multiplying x * y would cause an
++ * arithmetic overflow.
++ */
++#define oversized(x, y) \
++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
++
+ value read_png_file_as_rgb24( name )
+ value name;
+ {
+@@ -88,6 +96,9 @@
+ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
+
++ if (oversized (width, height))
++ failwith ("png error: image contains oversized or bogus width and height");
++
+ if ( color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
+ png_set_gray_to_rgb(png_ptr);
+@@ -109,10 +120,16 @@
+
+ rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+
++ if (oversized (rowbytes, height))
++ failwith ("png error: image contains oversized or bogus rowbytes and height");
++
+ {
+ int i;
+ png_bytep *row_pointers;
+
++ if (oversized (sizeof (png_bytep), height))
++ failwith ("png error: image contains oversized or bogus height");
++
+ row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
+
+ res = alloc_tuple(3);
+@@ -242,6 +259,9 @@
+ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
+
++ if (oversized (width, height))
++ failwith ("png error: image contains oversized or bogus width and height");
++
+ if ( color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
+ png_set_gray_to_rgb(png_ptr);
+@@ -258,6 +278,9 @@
+
+ rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+
++ if (oversized (rowbytes, height))
++ failwith ("png error: image contains oversized or bogus rowbytes and height");
++
+ /*
+ fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
+ */
+@@ -266,6 +289,9 @@
+ png_bytep *row_pointers;
+ char mesg[256];
+
++ if (oversized (sizeof (png_bytep), height))
++ failwith ("png error: image contains oversized or bogus height");
++
+ row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
+ res = alloc_tuple(3);
+
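Review bot: The new `failwith` exits inserted after `png_get_IHDR` and `png_get_rowbytes` in both readers raise an OCaml exception and unwind straight out of the C frame, so the libpng read/info structs already created at that point (and whatever input stream was opened before them) are released only if the surrounding code, which lies outside these nested hunks, does that on its own; otherwise every rejected header leaks them, which turns a crash fix into a resource-exhaustion problem under repeated bogus input. If the existing error paths in `read_png_file_as_rgb24` and the second reader (its signature is not visible here) do not already tear down before `failwith`, each new check should first call `png_destroy_read_struct(&png_ptr, &info_ptr, NULL)` and close the input file, or branch to a shared cleanup label that does so. Separately, `oversized` expands `y` three times and `x` twice; the call sites pass plain variables and `sizeof`, so this is harmless today, but a `static int oversized(long x, long y)` helper would remove the multiple-evaluation hazard and document the shared check used by both readers. Note also that if `width`, `height` and `rowbytes` are the unsigned `png_uint_32` that libpng's accessors use, the `(x) < 0` clauses are dead code (compilers warn) and the guard bounds the products by `INT_MAX` rather than by what `stat_alloc` can actually take — conservative on every platform and therefore acceptable, but the macro's comment should say that the `INT_MAX` bound is a deliberate safe limit, not the allocator's real maximum.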