Version in base suite: 2.2.0-4+lenny2 Version in overlay suite: (not present) Base version: camlimages_2.2.0-4+lenny2 Target version: camlimages_2.2.0-4+lenny3 Base file: /org/ftp.debian.org/ftp/pool/main/c/camlimages/camlimages_2.2.0-4+lenny2.dsc Target file: /org/ftp.debian.org/queue/p-u-new/camlimages_2.2.0-4+lenny3.dsc changelog | 10 ++ patches/05_tiffread.dpatch | 41 +++++++++- patches/fix_integer_overflows.dpatch | 139 +++++++++++++++++++---------------- 3 files changed, 123 insertions(+), 67 deletions(-) diff -u camlimages-2.2.0/debian/changelog camlimages-2.2.0/debian/changelog --- camlimages-2.2.0/debian/changelog +++ camlimages-2.2.0/debian/changelog @@ -1,3 +1,12 @@ +camlimages (1:2.2.0-4+lenny3) stable-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Expand patch to also cover integer overflows in tiffread.c and + update last security patch + Fixes: CVE-2009-3296 + + -- Mehdi Dogguy Mon, 12 Oct 2009 21:40:10 +0200 + camlimages (1:2.2.0-4+lenny2) stable-security; urgency=high * Non-maintainer upload by the security team @@ -341 +349,0 @@ - diff -u camlimages-2.2.0/debian/patches/fix_integer_overflows.dpatch camlimages-2.2.0/debian/patches/fix_integer_overflows.dpatch --- camlimages-2.2.0/debian/patches/fix_integer_overflows.dpatch +++ camlimages-2.2.0/debian/patches/fix_integer_overflows.dpatch 
@@ -5,9 +5,83 @@ ## DP: http://www.ocert.org/advisories/ocert-2009-009.html @DPATCH@ -diff -urNad camlimages-2.20~/png/pngread.c camlimages-2.20/png/pngread.c ---- camlimages-2.20~/png/pngread.c 2002-03-26 14:15:10.000000000 +0100 -+++ camlimages-2.20/png/pngread.c 2009-07-07 13:58:45.639592173 +0200 +diff -urNad camlimages-2.2.0~/gif/gifread.c camlimages-2.2.0/gif/gifread.c +--- camlimages-2.2.0~/gif/gifread.c 2004-09-21 23:56:41.000000000 +0200 ++++ camlimages-2.2.0/gif/gifread.c 2009-10-12 21:47:22.000000000 +0200 +@@ -20,6 +20,15 @@ + #include + #include + ++#include ++ ++/* Test if x or y are negative, or if multiplying x * y would cause an ++ * arithmetic overflow. ++ */ ++#define oversized(x, y) \ ++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) ++ ++ + #define gif_not_supported() \ + failwith( "gif is not supported" ); \ + return(Val_unit) +@@ -193,6 +202,10 @@ + CAMLlocal1(buf); + + GifFileType *GifFile = (GifFileType*) hdl; ++ ++ if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){ ++ failwith ("gif error: image contains oversized or bogus width and height"); ++ } + + buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) ); + +diff -urNad camlimages-2.2.0~/jpeg/jpegread.c camlimages-2.2.0/jpeg/jpegread.c +--- camlimages-2.2.0~/jpeg/jpegread.c 2002-04-09 13:00:11.000000000 +0200 ++++ camlimages-2.2.0/jpeg/jpegread.c 2009-10-12 21:47:22.000000000 +0200 +@@ -26,6 +26,14 @@ + #include + #include + ++#include ++ ++/* Test if x or y are negative, or if multiplying x * y would cause an ++ * arithmetic overflow. ++ */ ++#define oversized(x, y) \ ++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) ++ + /* + * Include file for users of JPEG library. 
+ * You will need to have included system headers that define at least +@@ -159,6 +167,12 @@ + */ + /* JSAMPLEs per row in output buffer */ + ++ if( oversized(cinfo.output_width, cinfo.output_components) ){ ++ jpeg_destroy_decompress(&cinfo); ++ fclose(infile); ++ failwith ("jpeg error: image contains oversized or bogus width and height"); ++ } ++ + row_stride = cinfo.output_width * cinfo.output_components; + + /* Make a one-row-high sample array that will go away when done with image */ +@@ -180,6 +194,12 @@ + jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1); + } + ++ if( oversized(row_stride, cinfo.output_height) ){ ++ jpeg_destroy_decompress(&cinfo); ++ fclose(infile); ++ failwith ("jpeg error: image contains oversized or bogus width and height"); ++ } ++ + { + CAMLlocalN(r,3); + r[0] = Val_int(cinfo.output_width); +diff -urNad camlimages-2.2.0~/png/pngread.c camlimages-2.2.0/png/pngread.c +--- camlimages-2.2.0~/png/pngread.c 2002-03-26 14:15:10.000000000 +0100 ++++ camlimages-2.2.0/png/pngread.c 2009-10-12 21:47:22.000000000 +0200 @@ -13,6 +13,8 @@ /***********************************************************************/ #include 
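Review bot: In jpegread.c the second guard, `oversized(row_stride, cinfo.output_height)` in the `@@ -180,6 +194,12 @@` hunk, runs only after the `jpeg_read_scanlines` loop has already filled `buffer + cinfo.output_scanline`, so it protects whatever is allocated after it but not `buffer` itself; unless `buffer`'s allocation (outside this hunk) is bounded by libjpeg's own allocator, the check belongs next to the first one, before `row_stride` is used, e.g. `if( oversized(row_stride, cinfo.output_height) ){ jpeg_destroy_decompress(&cinfo); fclose(infile); failwith ("jpeg error: image contains oversized or bogus width and height"); }` right after the `row_stride = ...` line. The same `oversized` macro is pasted verbatim into gifread.c and jpegread.c (and tiffread.c in the other patch); a shared header would keep the next overflow fix in one place. The enclosing read functions start and end outside this hunk.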
@@ -90,59 +163,0 @@
---- ../old/camlimages-2.2.0/gif/gifread.c 2004-09-21 23:56:41.000000000 +0200
-+++ camlimages-2.2.0/gif/gifread.c 2009-08-08 09:30:48.000000000 +0200
-@@ -20,6 +20,15 @@
- #include
- #include
-
-+#include
-+
-+/* Test if x or y are negative, or if multiplying x * y would cause an
-+ * arithmetic overflow.
-+ */
-+#define oversized(x, y) \
-+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
-+
-+
- #define gif_not_supported() \
- failwith( "gif is not supported" ); \
- return(Val_unit)
-@@ -193,6 +202,10 @@
- CAMLlocal1(buf);
-
- GifFileType *GifFile = (GifFileType*) hdl;
-+
-+ if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){
-+ failwith ("gif error: image contains oversized or bogus width and height");
-+ }
-
- buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) );
-
---- ../old/camlimages-2.2.0/jpeg/jpegread.c 2002-04-09 13:00:11.000000000 +0200
-+++ camlimages-2.2.0/jpeg/jpegread.c 2009-08-08 09:34:26.000000000 +0200
-@@ -26,6 +26,14 @@
- #include
- #include
-
-+#include
-+
-+/* Test if x or y are negative, or if multiplying x * y would cause an
-+ * arithmetic overflow.
-+ */
-+#define oversized(x, y) \
-+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
-+
- /*
- * Include file for users of JPEG library.
- * You will need to have included system headers that define at least -@@ -159,6 +167,12 @@ - */ - /* JSAMPLEs per row in output buffer */ - -+ if( oversized(cinfo.output_width, cinfo.output_components) ){ -+ jpeg_destroy_decompress(&cinfo); -+ fclose(infile); -+ failwith ("jpeg error: image contains oversized or bogus width and height"); -+ } -+ - row_stride = cinfo.output_width * cinfo.output_components; - - /* Make a one-row-high sample array that will go away when done with image */ diff -u camlimages-2.2.0/debian/patches/05_tiffread.dpatch camlimages-2.2.0/debian/patches/05_tiffread.dpatch --- camlimages-2.2.0/debian/patches/05_tiffread.dpatch +++ camlimages-2.2.0/debian/patches/05_tiffread.dpatch @@ -5,10 +5,20 @@ ## DP: No description. @DPATCH@ -diff -urNad camlimages-2.20~/tiff/tiffread.c camlimages-2.20/tiff/tiffread.c ---- camlimages-2.20~/tiff/tiffread.c 2004-09-21 23:56:44.000000000 +0200 -+++ camlimages-2.20/tiff/tiffread.c 2005-12-02 01:25:31.000000000 +0100 -@@ -21,15 +21,11 @@ +diff -urNad camlimages-2.2.0~/tiff/tiffread.c camlimages-2.2.0/tiff/tiffread.c +--- camlimages-2.2.0~/tiff/tiffread.c 2004-09-21 23:56:44.000000000 +0200 ++++ camlimages-2.2.0/tiff/tiffread.c 2009-10-12 21:47:13.000000000 +0200 +@@ -18,18 +18,21 @@ + #include + #include + ++#include ++#define oversized(x, y) \ ++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) ++ ++#define failwith_oversized(lib) \ ++ failwith("#lib error: image contains oversized or bogus width and height"); ++ #if HAVE_TIFF /* These are defined in caml/config.h */ 
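Review bot: The new `failwith_oversized(lib)` macro in tiffread.c never substitutes its argument: `#lib` inside a string literal is not the stringizing operator, so every caller reports the literal text `#lib error: image contains oversized or bogus width and height` instead of `tiff error: ...`. Since the callers pass a quoted `"tiff"`, the fix is adjacent-literal concatenation and dropping the trailing semicolon, which currently yields a double `;;` at each call site: `#define failwith_oversized(lib) failwith(lib " error: image contains oversized or bogus width and height")`. The `oversized` macro is also defined here without the explanatory comment it carries in gifread.c and jpegread.c; copying that comment over would keep the three definitions identical.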
@@ -26,0 +37,23 @@
+@@ -68,6 +71,10 @@
+ TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
+ TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+
++ if (oversized (imagewidth, imagelength)) {
++ failwith_oversized("tiff");
++ }
++
+ if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
+ if( imagebits != 8 ){
+ failwith("Sorry, tiff rgb file must be 24bit-color");
+@@ -151,6 +158,11 @@
+
+ TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &imagelength);
+ TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &imagewidth);
++
++ if (oversized (imagewidth, imagelength)) {
++ failwith_oversized("tiff");
++ }
++
+ TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &imagebits);
+ TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &imagesample);
+ TIFFGetField(tif, TIFFTAG_RESOLUTIONUNIT, &runit);
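Review bot: Both added checks bound only `imagewidth * imagelength`, while `imagesample` and `imagebits`, read on the very next lines, are presumably what the scanline and pixel-buffer sizes are multiplied by; if either function later computes something like `imagewidth * imagesample` or width × length × samples for an `alloc_string`/`malloc` (not visible in this hunk), that product is still unchecked and can wrap. A guard next to the existing one, e.g. `if (oversized(imagewidth, imagesample) || oversized(imagewidth * imagesample, imagelength)) failwith_oversized("tiff");`, placed after `imagesample` has been read, would close that. If `imagewidth`/`imagelength` are `uint32` as libtiff's `TIFFTAG_IMAGEWIDTH` expects, the `(x) < 0` arms of `oversized` are dead but harmless, and the `INT_MAX / (y)` arm still limits the product. Both enclosing functions start and end outside this hunk.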