Version in base suite: 2.20-8 Version in overlay suite: 2.20-8+etch2 Base version: camlimages_2.20-8 Target version: camlimages_2.20-8+etch3 Base file: /org/ftp.debian.org/ftp/pool/main/c/camlimages/camlimages_2.20-8.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/camlimages_2.20-8+etch3.dsc camlimages-2.20/debian/changelog | 26 +++ camlimages-2.20/debian/patches/00list | 1 camlimages-2.20/debian/patches/05_tiffread.dpatch | 37 ++++ debian/patches/fix_integer_overflows.dpatch | 163 ++++++++++++++++++++++ 4 files changed, 224 insertions(+), 3 deletions(-) diff -u camlimages-2.20/debian/patches/05_tiffread.dpatch camlimages-2.20/debian/patches/05_tiffread.dpatch --- camlimages-2.20/debian/patches/05_tiffread.dpatch +++ camlimages-2.20/debian/patches/05_tiffread.dpatch @@ -7,8 +7,18 @@ @DPATCH@ diff -urNad camlimages-2.20~/tiff/tiffread.c camlimages-2.20/tiff/tiffread.c --- camlimages-2.20~/tiff/tiffread.c 2004-09-21 23:56:44.000000000 +0200 -+++ camlimages-2.20/tiff/tiffread.c 2005-12-02 01:25:31.000000000 +0100 -@@ -21,15 +21,11 @@ ++++ camlimages-2.20/tiff/tiffread.c 2009-10-12 21:35:08.000000000 +0200 +@@ -18,18 +18,21 @@ + #include + #include + ++#include ++#define oversized(x, y) \ ++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) ++ ++#define failwith_oversized(lib) \ ++ failwith("#lib error: image contains oversized or bogus width and height"); ++ #if HAVE_TIFF /* These are defined in caml/config.h */ 
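Review bot: The `#lib` in the new `failwith_oversized` macro sits inside a string literal, where the preprocessor performs no stringification, so every caller raises the literal message `#lib error: image contains oversized or bogus width and height` rather than naming the library. Both visible call sites pass a string literal (`failwith_oversized("tiff")`), so adjacent-literal concatenation gives the intended text: `failwith(lib " error: image contains oversized or bogus width and height")`. The macro body also ends in a semicolon, so each `failwith_oversized("tiff");` expands to an extra empty statement; dropping it from the macro keeps the call sites conventional. The header names of the added `#include` lines are not visible in this rendering; presumably the stripped line is `#include <limits.h>`, which `INT_MAX` requires.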
@@ -26,0 +37,23 @@ +@@ -68,6 +71,10 @@ + TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres); + TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric); + ++ if (oversized (imagewidth, imagelength)) { ++ failwith_oversized("tiff"); ++ } ++ + if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){ + if( imagebits != 8 ){ + failwith("Sorry, tiff rgb file must be 24bit-color"); +@@ -156,6 +163,11 @@ + TIFFGetField(tif, TIFFTAG_RESOLUTIONUNIT, &runit); + TIFFGetField(tif, TIFFTAG_XRESOLUTION, &xres); + TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres); ++ ++ if (oversized (imagewidth, imagelength)) { ++ failwith_oversized("tiff"); ++ } ++ + if( imagesample != 3 || imagebits != 8 ) { + failwith("tiff file is not in the 24 bit RGB format"); + } diff -u camlimages-2.20/debian/patches/00list camlimages-2.20/debian/patches/00list --- camlimages-2.20/debian/patches/00list +++ camlimages-2.20/debian/patches/00list @@ -2,0 +3 @@ +fix_integer_overflows diff -u camlimages-2.20/debian/changelog camlimages-2.20/debian/changelog --- camlimages-2.20/debian/changelog +++ camlimages-2.20/debian/changelog 
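Review bot: Both new `oversized` checks in tiffread.c call `failwith_oversized("tiff")` while the `tif` handle that `TIFFGetField` is reading from is still open, so a rejected image leaks the libtiff handle; the jpeg checks in fix_integer_overflows.dpatch release their decoder state before raising, and these should do the same with `TIFFClose(tif);` on the line before each `failwith_oversized`. The check bounds only `imagewidth * imagelength`; if the buffer later sized from these fields also multiplies by `imagesample` or a bytes-per-pixel factor (that code is outside the hunk), the product can still exceed `INT_MAX`, so it is worth confirming against the allocation sites. The enclosing functions start and end outside the hunk, and the types of `imagewidth`/`imagelength` are not visible here; if they are unsigned, the `(x) < 0` leg of `oversized` is dead, which is harmless but may warn under `-Wtype-limits`.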
@@ -1,3 +1,28 @@
+camlimages (2.20-8+etch3) oldstable-security; urgency=low
+
+ * Non-maintainer upload to fix a security bug.
+ * Expand patch to also cover integer overflows in tiffread.c and
+ update last security patch.
+ Fixes: CVE-2009-3296
+
+ -- Mehdi Dogguy Mon, 12 Oct 2009 20:58:51 +0200
+
+camlimages (2.20-8+etch2) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Expand patch to also cover integer overflows in jpegread.c and
+ gifread.c (Closes: #540146)
+ Fixes: CVE-2009-2660
+
+ -- Steffen Joeris Sat, 08 Aug 2009 09:54:48 +0200
+
+camlimages (2.20-8+etch1) oldstable-security; urgency=low
+
+ * Add patch fix_integer_overflows to fix integer overflow with PNG
+ images boundaries (CVE-2009-2295) (Closes: #535909)
+
+ -- Stefano Zacchiroli Tue, 07 Jul 2009 13:51:06 +0200
+
 camlimages (2.20-8) unstable; urgency=low
 
 * Change my email address to gildor@debian.org,
@@ -268 +292,0 @@
-
only in patch2:
unchanged:
--- camlimages-2.20.orig/debian/patches/fix_integer_overflows.dpatch
+++ camlimages-2.20/debian/patches/fix_integer_overflows.dpatch
@@ -0,0 +1,163 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## fix_integer_overflows.dpatch by Mehdi Dogguy +## +## DP: Fix multiple integer overflows. +## DP: http://www.ocert.org/advisories/ocert-2009-009.html + +@DPATCH@ +diff -urNad camlimages-2.20~/gif/gifread.c camlimages-2.20/gif/gifread.c +--- camlimages-2.20~/gif/gifread.c 2004-09-21 23:56:41.000000000 +0200 ++++ camlimages-2.20/gif/gifread.c 2009-10-12 21:25:53.000000000 +0200 +@@ -20,6 +20,15 @@ + #include + #include + ++#include ++ ++/* Test if x or y are negative, or if multiplying x * y would cause an ++ * arithmetic overflow. ++ */ ++#define oversized(x, y) \ ++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) ++ ++ + #define gif_not_supported() \ + failwith( "gif is not supported" ); \ + return(Val_unit) +@@ -193,6 +202,10 @@ + CAMLlocal1(buf); + + GifFileType *GifFile = (GifFileType*) hdl; ++ ++ if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){ ++ failwith ("gif error: image contains oversized or bogus width and height"); ++ } + + buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) ); + +diff -urNad camlimages-2.20~/jpeg/jpegread.c camlimages-2.20/jpeg/jpegread.c +--- camlimages-2.20~/jpeg/jpegread.c 2002-04-09 13:00:11.000000000 +0200 ++++ camlimages-2.20/jpeg/jpegread.c 2009-10-12 21:25:53.000000000 +0200 +@@ -26,6 +26,14 @@ + #include + #include + ++#include ++ ++/* Test if x or y are negative, or if multiplying x * y would cause an ++ * arithmetic overflow. ++ */ ++#define oversized(x, y) \ ++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) ++ + /* + * Include file for users of JPEG library. 
+ * You will need to have included system headers that define at least +@@ -159,6 +167,12 @@ + */ + /* JSAMPLEs per row in output buffer */ + ++ if( oversized(cinfo.output_width, cinfo.output_components) ){ ++ jpeg_destroy_decompress(&cinfo); ++ fclose(infile); ++ failwith ("jpeg error: image contains oversized or bogus width and height"); ++ } ++ + row_stride = cinfo.output_width * cinfo.output_components; + + /* Make a one-row-high sample array that will go away when done with image */ +@@ -180,6 +194,12 @@ + jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1); + } + ++ if( oversized(row_stride, cinfo.output_height) ){ ++ jpeg_destroy_decompress(&cinfo); ++ fclose(infile); ++ failwith ("jpeg error: image contains oversized or bogus width and height"); ++ } ++ + { + CAMLlocalN(r,3); + r[0] = Val_int(cinfo.output_width); +diff -urNad camlimages-2.20~/png/pngread.c camlimages-2.20/png/pngread.c +--- camlimages-2.20~/png/pngread.c 2002-03-26 14:15:10.000000000 +0100 ++++ camlimages-2.20/png/pngread.c 2009-10-12 21:25:53.000000000 +0200 +@@ -13,6 +13,8 @@ + /***********************************************************************/ + #include + ++#include ++ + #if HAVE_PNG + #include + #endif +@@ -33,6 +35,12 @@ + #define PNG_TAG_INDEX16 2 + #define PNG_TAG_INDEX4 3 + ++/* Test if x or y are negative, or if multiplying x * y would cause an ++ * arithmetic overflow. 
++ */ ++#define oversized(x, y) \ ++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) ++ + value read_png_file_as_rgb24( name ) + value name; + { +@@ -88,6 +96,9 @@ + png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, + &interlace_type, NULL, NULL); + ++ if (oversized (width, height)) ++ failwith ("png error: image contains oversized or bogus width and height"); ++ + if ( color_type == PNG_COLOR_TYPE_GRAY || + color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { + png_set_gray_to_rgb(png_ptr); +@@ -109,10 +120,16 @@ + + rowbytes = png_get_rowbytes(png_ptr, info_ptr); + ++ if (oversized (rowbytes, height)) ++ failwith ("png error: image contains oversized or bogus rowbytes and height"); ++ + { + int i; + png_bytep *row_pointers; + ++ if (oversized (sizeof (png_bytep), height)) ++ failwith ("png error: image contains oversized or bogus height"); ++ + row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height); + + res = alloc_tuple(3); +@@ -242,6 +259,9 @@ + png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, + &interlace_type, NULL, NULL); + ++ if (oversized (width, height)) ++ failwith ("png error: image contains oversized or bogus width and height"); ++ + if ( color_type == PNG_COLOR_TYPE_GRAY || + color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { + png_set_gray_to_rgb(png_ptr); +@@ -258,6 +278,9 @@ + + rowbytes = png_get_rowbytes(png_ptr, info_ptr); + ++ if (oversized (rowbytes, height)) ++ failwith ("png error: image contains oversized or bogus rowbytes and height"); ++ + /* + fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr); + */ +@@ -266,6 +289,9 @@ + png_bytep *row_pointers; + char mesg[256]; + ++ if (oversized (sizeof (png_bytep), height)) ++ failwith ("png error: image contains oversized or bogus height"); ++ + row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height); + res = alloc_tuple(3); +
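Review bot: The png checks added in this file raise with a bare `failwith(...)` without releasing libpng state, whereas the jpeg checks in the same patch call `jpeg_destroy_decompress(&cinfo);` and `fclose(infile);` first; each rejected PNG therefore leaks `png_ptr`/`info_ptr` (and presumably the input file, which is opened outside the hunk). Adding `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);` plus the file close before each png `failwith` — six sites across the pngread.c hunks — would make the cleanup consistent with the jpeg path. The `oversized` macro is now copied verbatim into gifread.c, jpegread.c, pngread.c and tiffread.c; a single shared header would keep the four definitions from drifting. The png `if (oversized (...)) failwith (...)` statements are unbraced, unlike the gif and jpeg checks; bracing them matches the rest of the patch. The gif check covers only the per-row buffer `Image.Width * sizeof(GifPixelType)`; whether a height-dependent allocation exists elsewhere in gifread.c cannot be seen from this hunk.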