Version in base suite: 0.11.1-1
Base version: libavif_0.11.1-1
Target version: libavif_0.11.1-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/liba/libavif/libavif_0.11.1-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/liba/libavif/libavif_0.11.1-1+deb12u1.dsc
changelog | 10 +
patches/Add-integer-overflow-checks-to-makeRoom.patch | 53 ++++++++++
patches/Avoid-integer-overflow-in-32-bit-int-or-unsigned-int.patch | 44 ++++++++
patches/series | 2
4 files changed, 109 insertions(+)
diff -Nru libavif-0.11.1/debian/changelog libavif-0.11.1/debian/changelog
--- libavif-0.11.1/debian/changelog 2022-10-25 15:39:25.000000000 +0000
+++ libavif-0.11.1/debian/changelog 2025-05-25 15:51:18.000000000 +0000
@@ -1,3 +1,13 @@
+libavif (0.11.1-1+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Add integer overflow checks to makeRoom (CVE-2025-48174)
+ (Closes: #1105885)
+ * Avoid integer overflow in (32-bit) int or unsigned int arithmetic
+ operations (CVE-2025-48175) (Closes: #1105883)
+
+ -- Salvatore Bonaccorso Sun, 25 May 2025 17:51:18 +0200
+
+ libavif (0.11.1-1) unstable; urgency=medium
 * New upstream version 0.11.1.
diff -Nru libavif-0.11.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch libavif-0.11.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch
--- libavif-0.11.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch 1970-01-01 00:00:00.000000000 +0000
+++ libavif-0.11.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch 2025-05-25 15:51:18.000000000 +0000
@@ -0,0 +1,53 @@
+From: DanisJiang <43723722+DanisJiang@users.noreply.github.com>
+Subject: Add integer overflow checks to makeRoom (CVE-2025-48174)
+Origin: backport, https://github.com/AOMediaCodec/libavif/commit/e5fdefe7d1776e6c4cf1703c163a8c053559902,
+ https://github.com/AOMediaCodec/libavif/commit/50a743062938a3828581d725facc9c2b92a1d109,
+ https://github.com/AOMediaCodec/libavif/commit/c9f1bea437f21cb78f9919c332922a3b0ba65e11
+Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug-Debian: https://bugs.debian.org/1105885
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48174
+
+Instead of backporting requsites for the patches from
+https://github.com/AOMediaCodec/libavif/pull/2768 make the overflow check and
+abort() instead. Use abort() to be consistent with avifAlloc() in libavif
+v0.11.1 (in src/mem.c):
+
+ void * avifAlloc(size_t size)
+ {
+ void * out = malloc(size);
+ if (out == NULL) {
+ abort();
+ }
+ return out;
+ }
+
+Include for abort().
+
+Thanks: Wan-Teh Chang
+---
+ src/stream.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -6,6 +6,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ // ---------------------------------------------------------------------------
+@@ -234,6 +235,9 @@ avifBool avifROStreamReadAndEnforceVersi
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static void makeRoom(avifRWStream * stream, size_t size)
+ {
++ if (size > SIZE_MAX - stream->offset) {
++ abort();
++ }
+ size_t neededSize = stream->offset + size;
+ size_t newSize = stream->raw->size;
+ while (newSize < neededSize) {
+--
+2.49.0
+
diff -Nru libavif-0.11.1/debian/patches/Avoid-integer-overflow-in-32-bit-int-or-unsigned-int.patch libavif-0.11.1/debian/patches/Avoid-integer-overflow-in-32-bit-int-or-unsigned-int.patch
--- libavif-0.11.1/debian/patches/Avoid-integer-overflow-in-32-bit-int-or-unsigned-int.patch 1970-01-01 00:00:00.000000000 +0000
+++
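Review bot: The new guard covers only the first addition in makeRoom, `stream->offset + size`, while the growth loop `while (newSize < neededSize)` continues outside the hunk; if that loop grows `newSize` by AVIF_STREAM_BUFFER_INCREMENT each pass, as the define just above suggests, `newSize` can itself wrap once `neededSize` lies within one increment of SIZE_MAX, and the upstream commits named in the Origin header appear to guard that second addition separately. A matching check inside the loop keeps the backport equivalent, e.g. `if (newSize > SIZE_MAX - AVIF_STREAM_BUFFER_INCREMENT) { abort(); }` placed before the increment. The added include line's header name is not visible in this rendering; the description says it is for abort(), but SIZE_MAX also needs <stdint.h> in scope, so confirm stream.c already pulls that in. The check itself deserves a why-comment, e.g. `// Abort on size_t wrap instead of allocating too little; matches avifAlloc()'s abort-on-OOM policy.`. makeRoom's body continues past the hunk.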
libavif-0.11.1/debian/patches/Avoid-integer-overflow-in-32-bit-int-or-unsigned-int.patch 2025-05-25 15:51:18.000000000 +0000 
@@ -0,0 +1,44 @@
+From: Wan-Teh Chang
+Subject: Avoid integer overflow in (32-bit) int or unsigned int arithmetic
+ operations
+Origin: https://github.com/AOMediaCodec/libavif/pull/2769#issuecomment-2907860473
+Bug: https://github.com/AOMediaCodec/libavif/pull/2769
+Bug-Debian: https://bugs.debian.org/1105883
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48175
+
+The idea of this patch is to assume the existence of integer overflow in
+the code in avifImageRGBToYUV() and only enter the function when the
+image width and height are not too big. We have a similar protection in
+avifDecoder. Since avifImageRGBToYUV() is typically used to prepare the
+input to avifEncoder, I didn't add this protection to
+avifImageRGBToYUV().
+
+2ded15b09 has some context for the image size (area) and dimension
+limits. For this avifImageRGBToYUV() issue, the image size (area) limit
+is sufficient. The image dimension limit is intended to avoid spending a
+very long time decoding an image.
+
+Link: https://github.com/AOMediaCodec/libavif/pull/2769#issuecomment-2907860473
+---
+ src/reformat.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/reformat.c b/src/reformat.c
+index 951c46b56ffb..9f760396da5a 100644
+--- a/src/reformat.c
++++ b/src/reformat.c
+@@ -196,6 +196,11 @@ static int avifReformatStateUVToUNorm(avifReformatState * state, float v)
+
+ avifResult avifImageRGBToYUV(avifImage * image, const avifRGBImage * rgb)
+ {
++ // Avoid integer overflow in (32-bit) int or unsigned int arithmetic operations.
++ if ((uint64_t)rgb->width * rgb->height > AVIF_DEFAULT_IMAGE_SIZE_LIMIT) {
++ return AVIF_RESULT_REFORMAT_FAILED;
++ }
++
+ if (!rgb->pixels || rgb->format == AVIF_RGB_FORMAT_RGB_565) {
+ return AVIF_RESULT_REFORMAT_FAILED;
+ }
+--
+2.49.0
+
diff -Nru libavif-0.11.1/debian/patches/series libavif-0.11.1/debian/patches/series
--- libavif-0.11.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libavif-0.11.1/debian/patches/series 2025-05-25 15:51:18.000000000 +0000
@@ -0,0 +1,2 @@
+Add-integer-overflow-checks-to-makeRoom.patch
+Avoid-integer-overflow-in-32-bit-int-or-unsigned-int.patch
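Review bot: The new area check compares against the compile-time AVIF_DEFAULT_IMAGE_SIZE_LIMIT, so if the decoder-side protection the description refers to is a per-instance, user-raisable limit, an application that raised it for large images will now have avifImageRGBToYUV() refuse them with a generic AVIF_RESULT_REFORMAT_FAILED; that is a defensible trade-off for a security backport, but it should be stated next to the check, e.g. `// Hard cap on rgb->width * rgb->height, independent of any configurable imageSizeLimit; keeps the per-row/per-plane byte arithmetic below inside 32 bits.`. The guard only looks at `rgb`'s dimensions, and whether `image->width`/`image->height` are still validated against them happens further down, outside the hunk, so confirm the existing dimension comparison precedes the arithmetic the CVE concerns. The description's sentence "I didn't add this protection to avifImageRGBToYUV()" contradicts the code, which does add it there; presumably the other direction, avifImageYUVToRGB(), was meant, and a future upload could correct the wording. avifImageRGBToYUV()'s body continues past the hunk.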