Version in base suite: 2.8.7.1-1.1 Version in overlay suite: (not present) Base version: wxwidgets2.8_2.8.7.1-1.1 Target version: wxwidgets2.8_2.8.7.1-1.1+lenny1 Base file: /org/ftp.debian.org/ftp/pool/main/w/wxwidgets2.8/wxwidgets2.8_2.8.7.1-1.1.dsc Target file: /org/ftp.debian.org/queue/p-u-new/wxwidgets2.8_2.8.7.1-1.1+lenny1.dsc debian/patches/CVE-2009-2369.dpatch | 66 +++++++++++++++++++++++++++++ wxwidgets2.8-2.8.7.1/debian/changelog | 8 +++ wxwidgets2.8-2.8.7.1/debian/patches/00list | 1 3 files changed, 75 insertions(+)
diff -u wxwidgets2.8-2.8.7.1/debian/changelog wxwidgets2.8-2.8.7.1/debian/changelog
--- wxwidgets2.8-2.8.7.1/debian/changelog
+++ wxwidgets2.8-2.8.7.1/debian/changelog
@@ -1,3 +1,11 @@
+wxwidgets2.8 (2.8.7.1-1.1+lenny1) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * debian/patches/CVE-2009-2369.dpatch: Fixed Integer overflow in the
+ wxImage::Create function (CVE-2009-2369) (Closes: #537174)
+
+ -- Giuseppe Iuculano Thu, 17 Sep 2009 12:00:32 +0200
+
 wxwidgets2.8 (2.8.7.1-1.1) unstable; urgency=low
 
 * Non-maintainer upload.
diff -u wxwidgets2.8-2.8.7.1/debian/patches/00list wxwidgets2.8-2.8.7.1/debian/patches/00list
--- wxwidgets2.8-2.8.7.1/debian/patches/00list
+++ wxwidgets2.8-2.8.7.1/debian/patches/00list
@@ -1,0 +2 @@
+CVE-2009-2369.dpatch
only in patch2: unchanged:
--- wxwidgets2.8-2.8.7.1.orig/debian/patches/CVE-2009-2369.dpatch
+++ wxwidgets2.8-2.8.7.1/debian/patches/CVE-2009-2369.dpatch
@@ -0,0 +1,66 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2009-2369.dpatch by Giuseppe Iuculano
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixed Integer overflow in the wxImage::Create function (CVE-2009-2369) (#537175)
+
+@DPATCH@
+diff -urNad wxwidgets2.8-2.8.7.1~/src/common/imagpng.cpp wxwidgets2.8-2.8.7.1/src/common/imagpng.cpp
+--- wxwidgets2.8-2.8.7.1~/src/common/imagpng.cpp 2007-07-04 21:25:04.000000000 +0200
++++ wxwidgets2.8-2.8.7.1/src/common/imagpng.cpp 2009-07-29 23:04:20.000000000 +0200
+@@ -566,18 +566,16 @@
+ if (!image->Ok())
+ goto error;
+
+- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
++ // initialize all line pointers to NULL to ensure that they can be safely
++ // free()d if an error occurs before all of them could be allocated
++ lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
+ if ( !lines )
+ goto error;
+
+ for (i = 0; i < height; i++)
+ {
+ if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
+- {
+- for ( unsigned int n = 0; n < i; n++ )
+- free( lines[n] );
+ goto error;
+- }
+ }
+
+ png_read_image( png_ptr, lines );
+diff -urNad wxwidgets2.8-2.8.7.1~/src/common/imagtiff.cpp wxwidgets2.8-2.8.7.1/src/common/imagtiff.cpp
+--- wxwidgets2.8-2.8.7.1~/src/common/imagtiff.cpp 2007-09-21 22:27:05.000000000 +0200
++++ wxwidgets2.8-2.8.7.1/src/common/imagtiff.cpp 2009-07-29 23:04:20.000000000 +0200
+@@ -261,7 +261,6 @@
+ }
+
+ uint32 w, h;
+- uint32 npixels;
+ uint32 *raster;
+
+ TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
+@@ -275,9 +274,20 @@
+ (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
+ samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
+
+- npixels = w * h;
++ // guard against integer overflow during multiplication which could result
++ // in allocating a too small buffer and then overflowing it
++ const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
++ if ( bytesNeeded >= 4294967295U /*
UINT32_MAX */ )
++ {
++ if ( verbose )
++ wxLogError( _("TIFF: Image size is abnormally big.") );
+
+- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
++ TIFFClose(tif);
++
++ return false;
++ }
++
++ raster = (uint32*) _TIFFmalloc( bytesNeeded );
+
+ if (!raster)
+ {
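Review bot: In the imagtiff.cpp hunk the new guard bounds `bytesNeeded` by UINT32_MAX, but the value is then passed to `_TIFFmalloc()` as a `double` and converted implicitly to that function's size type. If that type is a signed 32-bit `tsize_t` (as in libtiff 3.x; confirm for the targeted build), sizes from 2^31 upward pass the check, and the out-of-range conversion is undefined. The bound should follow the allocator's parameter type and the conversion should be explicit, for example `if ( bytesNeeded >= 2147483647.0 /* max of a signed 32-bit size */ )` and `raster = (uint32*) _TIFFmalloc( (tsize_t)bytesNeeded );`. The visible `TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w )` call ignores its return value, so `w` may be uninitialised when the guard runs on a file lacking that tag. In the imagpng.cpp hunk the per-row `malloc( (size_t)(width * (sizeof(unsigned char) * 4)))` is left unchecked and can presumably still wrap where `size_t` is 32 bits wide; both functions start and end outside their hunks, so the `error:` cleanup that the new `calloc` comment relies on cannot be verified from here.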