Version in base suite: 1.8.5-8 Base version: plib_1.8.5-8 Target version: plib_1.8.5-8+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/plib/plib_1.8.5-8.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/plib/plib_1.8.5-8+deb11u1.dsc .gitlab-ci.yml | 7 ++++ changelog | 7 ++++ patches/08_CVE-2021-38714.patch | 64 ++++++++++++++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 79 insertions(+)
diff -Nru plib-1.8.5/debian/.gitlab-ci.yml plib-1.8.5/debian/.gitlab-ci.yml
--- plib-1.8.5/debian/.gitlab-ci.yml 1970-01-01 00:00:00.000000000 +0000
+++ plib-1.8.5/debian/.gitlab-ci.yml 2021-10-17 12:56:13.000000000 +0000
@@ -0,0 +1,7 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bullseye'
+ SALSA_CI_COMPONENTS: 'main contrib non-free'
+ SALSA_CI_DISABLE_REPROTEST: 1
diff -Nru plib-1.8.5/debian/changelog plib-1.8.5/debian/changelog
--- plib-1.8.5/debian/changelog 2017-07-24 19:24:48.000000000 +0000
+++ plib-1.8.5/debian/changelog 2021-10-17 12:56:13.000000000 +0000
@@ -1,3 +1,10 @@
+plib (1.8.5-8+deb11u1) bullseye; urgency=medium
+
+ * Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
+ (Closes: #992973)
+
+ -- Anton Gladky Sun, 17 Oct 2021 14:56:13 +0200
+
 plib (1.8.5-8) unstable; urgency=medium
 
 * QA upload.
diff -Nru plib-1.8.5/debian/patches/08_CVE-2021-38714.patch plib-1.8.5/debian/patches/08_CVE-2021-38714.patch
--- plib-1.8.5/debian/patches/08_CVE-2021-38714.patch 1970-01-01 00:00:00.000000000 +0000
+++ plib-1.8.5/debian/patches/08_CVE-2021-38714.patch 2021-10-10 13:14:22.000000000 +0000
@@ -0,0 +1,64 @@
+Description: Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
+Author: Anton Gladky
+Bug-Debian: https://bugs.debian.org/992973
+Last-Update: 2021-10-02
+
+Index: plib/src/ssg/ssgLoadTGA.cxx
+===================================================================
+--- plib.orig/src/ssg/ssgLoadTGA.cxx
++++ plib/src/ssg/ssgLoadTGA.cxx
+@@ -23,6 +23,7 @@
+
+
+ #include "ssgLocal.h"
++#include
+
+ #ifdef SSG_LOAD_TGA_SUPPORTED
+
+@@ -103,9 +104,9 @@ bool ssgLoadTGA ( const char *fname, ssg
+
+ // image info
+ int type = header[2];
+- int xsize = get16u(header + 12);
+- int ysize = get16u(header + 14);
+- int bits = header[16];
++ unsigned int xsize = get16u(header + 12);
++ unsigned int ysize = get16u(header + 14);
++ unsigned int bits = header[16];
+
+ /* image types:
+ *
+@@ -169,9 +170,32 @@ bool ssgLoadTGA ( const char *fname, ssg
+ }
+
+
++ const auto bytes_to_allocate = (bits / 8) * xsize * ysize;
++
++ ulSetError( UL_DEBUG, "bytes_to_allocate=%ld xsize = %ld, ysize = %ld, %ld == %ld ", bytes_to_allocate, xsize, ysize, bytes_to_allocate / xsize, (ysize * (bits / 8)));
++
++ if (xsize != 0 && ((ysize * (bits / 8)) != bytes_to_allocate / xsize))
++ {
++ ulSetError( UL_WARNING, "Integer overflow in image size: xsize = %d, ysize = %d", xsize, ysize);
++ return false;
++ }
++ else
++ {
++ ulSetError( UL_DEBUG, "ssgLoadTGA: Allocating %ld bytes for the size %d x %d", bytes_to_allocate, xsize, ysize );
++ }
++
+ // read image data
+
+- GLubyte *image = new GLubyte [ (bits / 8) * xsize * ysize ];
++ GLubyte *image;
++ try
++ {
++ image = new GLubyte [ bytes_to_allocate ];
++ }
++ catch (const std::bad_alloc&)
++ {
++ ulSetError( UL_WARNING, "ssgLoadTGA: Allocation of %d bytes failed!", bytes_to_allocate);
++ return false;
++ }
+
+ if ((type & 8) != 0)
+ {
diff -Nru plib-1.8.5/debian/patches/series plib-1.8.5/debian/patches/series
--- plib-1.8.5/debian/patches/series 2017-07-24 18:11:17.000000000 +0000
+++ plib-1.8.5/debian/patches/series
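Review bot: The first `ulSetError( UL_DEBUG, ... )` added in the `@@ -169,9 +170,32 @@` hunk of ssgLoadTGA.cxx passes `bytes_to_allocate / xsize` as an argument, so the division runs before the `xsize != 0` guard in the `if` below it; unless code outside the hunk already rejects a zero width, a header with width 0 becomes a division by zero instead of a clean `return false`. The same calls print `unsigned int` values with `%ld` and `%d`, which no longer matches the argument types now that `xsize`, `ysize` and `bits` are unsigned. I would drop the first debug call and keep the one in the `else` branch as `ulSetError( UL_DEBUG, "ssgLoadTGA: Allocating %u bytes for the size %u x %u", bytes_to_allocate, xsize, ysize );`, with `%u` in the two warning messages as well. The body of ssgLoadTGA() starts and ends outside the hunk, so any earlier validation of the header fields is not visible here.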
2021-10-02 11:24:19.000000000 +0000
@@ -6,3 +6,4 @@
 06_spelling_errors.diff
 05_CVE-2012-4552.diff
 07_dont_break_joystick_system_calibration.diff
+08_CVE-2021-38714.patch