Version in base suite: 0.9.8-1
Base version: sail_0.9.8-1
Target version: sail_0.9.8-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/sail/sail_0.9.8-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/sail/sail_0.9.8-1+deb13u1.dsc
changelog | 14 ++
patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch | 30 ++++++
patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch | 25 +++++
patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch | 33 ++++++
patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch | 25 +++++
patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch | 25 +++++
patches/0001-SAIL-Fix-memory-leak-on-error.patch | 24 +++++
patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch | 48 ++++++++++
patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch | 25 +++++
patches/series | 8 +
10 files changed, 257 insertions(+)
diff -Nru sail-0.9.8/debian/changelog sail-0.9.8/debian/changelog
--- sail-0.9.8/debian/changelog 2025-04-06 11:41:53.000000000 +0000
+++ sail-0.9.8/debian/changelog 2025-11-02 21:13:55.000000000 +0000
@@ -1,3 +1,17 @@
+sail (0.9.8-1+deb13u1) trixie; urgency=medium
+
+ * Add upstream patches to fix security vulnerabilities. (Closes: #1112346)
+ - CVE-2025-32468
+ - CVE-2025-35984
+ - CVE-2025-46407
+ - CVE-2025-50129
+ - CVE-2025-52456
+ - CVE-2025-52930
+ - CVE-2025-53085
+ - CVE-2025-53510
+
+ -- Sudip Mukherjee Sun, 02 Nov 2025 21:13:55 +0000
+
 sail (0.9.8-1) unstable; urgency=medium
 * New upstream version 0.9.8
diff -Nru sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch
--- sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch 1970-01-01 00:00:00.000000000 +0000
+++ sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-223.patch 2025-09-03 17:47:26.000000000 +0000
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2025-46407
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/d46b6ca190938fc3bb6f216a888467c7808f3cf5
+Bug: https://github.com/HappySeaFox/sail/issues/223
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/common/bmp/bmp.c b/src/sail-codecs/common/bmp/bmp.c
+index 90b43f8c..a2144b8a 100644
+--- a/src/sail-codecs/common/bmp/bmp.c
++++ b/src/sail-codecs/common/bmp/bmp.c
+@@ -284,6 +284,14 @@ sail_status_t bmp_private_read_init(struct sail_io *io, const struct sail_load_o
+ SAIL_LOG_AND_RETURN(SAIL_ERROR_MISSING_PALETTE);
+ }
+
++ /* Validate and allocate palette. */
++ size_t max_palette_count = SIZE_MAX / sizeof(sail_rgba32_t);
++
++ if (bmp_state->palette_count > max_palette_count) {
++ SAIL_LOG_ERROR("BMP: Indexed image has too large palette");
++ SAIL_LOG_AND_RETURN(SAIL_ERROR_BROKEN_IMAGE);
++ }
++
+ void *ptr;
+ SAIL_TRY(sail_malloc(sizeof(sail_rgba32_t) * bmp_state->palette_count, &ptr));
+ bmp_state->palette = ptr;
+--
+2.39.5
+
diff -Nru sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch
--- sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch 1970-01-01 00:00:00.000000000 +0000
+++ sail-0.9.8/debian/patches/0001-BMP-Fix-possible-buffer-overflow-closes-229.patch 2025-09-03 17:47:53.000000000 +0000
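Review bot: The new `SIZE_MAX / sizeof(sail_rgba32_t)` bound in bmp_private_read_init only rules out the multiplication wrapping; a palette_count just below that bound still passes and hands sail_malloc a request of nearly SIZE_MAX bytes, so correctness then rests on sail_malloc failing cleanly under SAIL_TRY. An indexed BMP cannot legitimately carry more than 2^bpp palette entries (256 for 8 bits per pixel), so a bound derived from the header's bit depth would reject a malformed header before any allocation; whether the state already records that depth is not visible in the hunk. The hunk also uses SIZE_MAX without adding `#include <stdint.h>` to bmp.c, unlike the utils.c and sail_advanced.c patches in this upload, so it relies on the header arriving transitively, which is worth confirming. bmp_private_read_init continues outside the hunk.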
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-52930
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/1b7dfa9f4b7364d496015808cac76457e5ddcf0c
+Bug: https://github.com/HappySeaFox/sail/issues/229
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/common/bmp/bmp.c b/src/sail-codecs/common/bmp/bmp.c
+index c67c86b2..ed05d162 100644
+--- a/src/sail-codecs/common/bmp/bmp.c
++++ b/src/sail-codecs/common/bmp/bmp.c
+@@ -516,6 +516,9 @@ sail_status_t bmp_private_read_frame(void *state, struct sail_io *io, struct sai
+ uint8_t index;
+ SAIL_TRY(io->strict_read(io->stream, &index, sizeof(index)));
+
++ /* Round to the buffer size. */
++ marker = (pixel_index + marker) <= image->width ? marker : (image->width - pixel_index);
++
+ for (uint8_t k = 0; k < marker; k++) {
+ *scan++ = index;
+ }
+--
+2.39.5
+
diff -Nru sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch
--- sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch 1970-01-01 00:00:00.000000000 +0000
+++ sail-0.9.8/debian/patches/0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch 2025-09-03 17:47:44.000000000 +0000
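Review bot: The clamp `marker = (pixel_index + marker) <= image->width ? marker : (image->width - pixel_index);` is only a bound while pixel_index <= image->width; if the enclosing decode loop can leave pixel_index past the end of the row, the subtraction wraps to a large unsigned value and `for (uint8_t k = 0; k < marker; k++)` still writes past the scan line (the exact outcome depends on marker's declared type, which is outside the hunk). The same construction appears in the PCX patch (`count = (bytes + count) < image->bytes_per_line ? ...`), the PSD patch (`c = (count + c) <= image->width ? ...`) and the TGA patch (`count = (i + count) <= pixels_num ? ...`), and the same caveat applies to each. A guard before the clamp such as `if (pixel_index >= image->width) { SAIL_LOG_AND_RETURN(SAIL_ERROR_BROKEN_IMAGE); }` makes the bound unconditional, and since silently shortening a run hides a malformed file, a SAIL_LOG_* message at the clamp would also help triage. bmp_private_read_frame starts and ends outside the hunk.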
@@ -0,0 +1,33 @@
+Description: Fix for CVE-2025-53510
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/9d17b8f36e74a33247a0ccae4b81dddcba57ca5a
+Bug: https://github.com/HappySeaFox/sail/issues/226
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-common/utils.c b/src/sail-common/utils.c
+index 0f519ba4..4a00a67e 100644
+--- a/src/sail-common/utils.c
++++ b/src/sail-common/utils.c
+@@ -25,6 +25,7 @@
+
+ #include
+ #include
++#include /* UINT_MAX */
+ #include
+ #include
+ #include
+@@ -412,7 +413,8 @@ bool sail_greater_bits_per_pixel(enum SailPixelFormat pixel_format1, enum SailPi
+ unsigned sail_bytes_per_line(unsigned width, enum SailPixelFormat pixel_format) {
+
+ const unsigned bits_per_pixel = sail_bits_per_pixel(pixel_format);
+- return (unsigned)(((double)width * bits_per_pixel + 7) / 8);
++ const double bytes_per_line = ((double)width * bits_per_pixel + 7) / 8;
++ return (bytes_per_line < UINT_MAX) ? (unsigned)bytes_per_line : 0;
+ }
+
+ bool sail_is_indexed(enum SailPixelFormat pixel_format) {
+--
+2.39.5
+
diff -Nru sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch
--- sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch 1970-01-01 00:00:00.000000000 +0000
+++ sail-0.9.8/debian/patches/0001-PCX-Fix-possible-buffer-overflow-closes-225.patch 2025-09-03 17:47:34.000000000 +0000
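Review bot: The new `return (bytes_per_line < UINT_MAX) ? (unsigned)bytes_per_line : 0;` turns an overflowing width into an in-band 0 that is indistinguishable from a valid result, and nothing in the hunk tells callers that 0 means failure; a caller that multiplies height by this value gets a zero-byte allocation followed by pixel writes, and a caller that divides by it divides by zero. Add a comment on sail_bytes_per_line such as `/* Returns 0 when the byte count does not fit an unsigned; callers must reject a 0 result. */` and audit the callers in this upload, since sail_load_next_frame in the dimension-validation patch uses image_local->bytes_per_line as a divisor. The enclosing function is fully visible; whether image_local->bytes_per_line is derived from it is not shown here.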
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-35984
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/246fdcdaecae39f1258e58507048cafab6f8905a
+Bug: https://github.com/HappySeaFox/sail/issues/225
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/pcx/pcx.c b/src/sail-codecs/pcx/pcx.c
+index 62207e10..503d2c36 100644
+--- a/src/sail-codecs/pcx/pcx.c
++++ b/src/sail-codecs/pcx/pcx.c
+@@ -203,6 +203,9 @@ SAIL_EXPORT sail_status_t sail_codec_load_frame_v8_pcx(void *state, struct sail_
+ value = marker;
+ }
+
++ /* Round to the buffer size. */
++ count = (bytes + count) < image->bytes_per_line ? count : (image->bytes_per_line - bytes);
++
+ bytes += count;
+ memset(pcx_state->scanline_buffer + buffer_offset, value, count);
+--
+2.39.5
+
diff -Nru sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch
--- sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch 1970-01-01 00:00:00.000000000 +0000
+++ sail-0.9.8/debian/patches/0001-PSD-Fix-possible-buffer-overflow-closes-227.patch 2025-09-03 17:47:47.000000000 +0000
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-53085
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/4e94da2a191a89c788f0f14af258e49cacc7764f
+Bug: https://github.com/HappySeaFox/sail/issues/227
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/psd/psd.c b/src/sail-codecs/psd/psd.c
+index af0ee4d6..4e95990a 100644
+--- a/src/sail-codecs/psd/psd.c
++++ b/src/sail-codecs/psd/psd.c
+@@ -261,6 +261,9 @@ SAIL_EXPORT sail_status_t sail_codec_load_frame_v8_psd(void *state, struct sail_
+ unsigned char value;
+ SAIL_TRY(psd_state->io->strict_read(psd_state->io->stream, &value, sizeof(value)));
+
++ /* Round to the buffer size. */
++ c = (count + c) <= image->width ? c : (image->width - count);
++
+ for (unsigned i = count; i < count + c; i++) {
+ unsigned char *scan = (unsigned char *)sail_scan_line(image, row) + i * bpp;
+ *(scan + channel) = value;
+--
+2.39.5
+
diff -Nru sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch
--- sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch 1970-01-01 00:00:00.000000000 +0000
+++ sail-0.9.8/debian/patches/0001-SAIL-Fix-memory-leak-on-error.patch 2025-09-03 17:47:39.000000000 +0000
@@ -0,0 +1,24 @@
+Description: Fix a memory leak
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/38834fe0e484563df31362ecd90b78197d6133ca
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail/sail_advanced.c b/src/sail/sail_advanced.c
+index f2979534..b28d8da6 100644
+--- a/src/sail/sail_advanced.c
++++ b/src/sail/sail_advanced.c
+@@ -106,7 +107,8 @@ sail_status_t sail_load_next_frame(void *state, struct sail_image **image) {
+ struct sail_image *image_local;
+ SAIL_TRY(state_of_mind->codec->v8->load_seek_next_frame(state_of_mind->state, &image_local));
+
+- SAIL_TRY(sail_check_image_skeleton_valid(image_local));
++ SAIL_TRY_OR_CLEANUP(sail_check_image_skeleton_valid(image_local),
++ /* cleanup */ sail_destroy_image(image_local));
+
+ if (image_local->pixels != NULL) {
+ SAIL_LOG_ERROR("Internal error in %s codec: codecs must not allocate pixels", state_of_mind->codec_info->name);
+--
+2.39.5
+
diff -Nru sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch
--- sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch 1970-01-01 00:00:00.000000000 +0000
+++ sail-0.9.8/debian/patches/0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch 2025-09-03 17:47:31.000000000 +0000
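Review bot: This patch rewrites a line (`SAIL_TRY(sail_check_image_skeleton_valid(image_local));`) that is itself added by 0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch, so it only applies after that patch and the order in debian/patches/series is load-bearing, yet the DEP-3 header records neither this dependency nor a `Bug:` reference as the other patches in the upload do. A Description line such as `Description: Fix a memory leak on the error path; follow-up to 0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch` would document it for the next maintainer. The fix itself reads correctly: a failed skeleton check now destroys image_local instead of leaking it, consistent with the cleanup the `pixels != NULL` branch below already performs. sail_load_next_frame continues outside the hunk.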
@@ -0,0 +1,48 @@
+Description: Fix for CVE-2025-32468
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/efc1cd8f38e7ba3401698ecb2ad9b25d6f886596
+Bug: https://github.com/HappySeaFox/sail/issues/224
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail/sail_advanced.c b/src/sail/sail_advanced.c
+index dba064e7..9d9949f4 100644
+--- a/src/sail/sail_advanced.c
++++ b/src/sail/sail_advanced.c
+@@ -24,6 +24,7 @@
+ */
+
+ #include
++#include /* SIZE_MAX */
+ #include
+
+ #include
+@@ -105,13 +106,23 @@ sail_status_t sail_load_next_frame(void *state, struct sail_image **image) {
+ struct sail_image *image_local;
+ SAIL_TRY(state_of_mind->codec->v8->load_seek_next_frame(state_of_mind->state, &image_local));
+
++ SAIL_TRY(sail_check_image_skeleton_valid(image_local));
++
+ if (image_local->pixels != NULL) {
+ SAIL_LOG_ERROR("Internal error in %s codec: codecs must not allocate pixels", state_of_mind->codec_info->name);
+ sail_destroy_image(image_local);
+ SAIL_LOG_AND_RETURN(SAIL_ERROR_CONFLICTING_OPERATION);
+ }
+
+- /* Allocate pixels. */
++ /* Validate and allocate pixels. */
++ const size_t max_height = SIZE_MAX / image_local->bytes_per_line;
++
++ if (image_local->height > max_height) {
++ SAIL_LOG_ERROR("Image height is too long");
++ sail_destroy_image(image_local);
++ SAIL_LOG_AND_RETURN(SAIL_ERROR_INCORRECT_IMAGE_DIMENSIONS);
++ }
++
+ const size_t pixels_size = (size_t)image_local->height * image_local->bytes_per_line;
+ SAIL_TRY_OR_CLEANUP(sail_malloc(pixels_size, &image_local->pixels),
+ /* cleanup */ sail_destroy_image(image_local));
+--
+2.39.5
+
diff -Nru sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch
--- sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch 1970-01-01 00:00:00.000000000 +0000
+++ sail-0.9.8/debian/patches/0001-TGA-Fix-possible-buffer-overflow-closes-228.patch 2025-09-03 17:47:50.000000000 +0000
@@ -0,0 +1,25 @@
+Description: Fix for CVE-2025-50129
+
+Origin: upstream, https://github.com/HappySeaFox/sail/commit/4879e0df0bc9e99873e70d65be31b94f47b7d41d
+Bug: https://github.com/HappySeaFox/sail/issues/228
+Bug-Debian: https://bugs.debian.org/1112346
+Last-Update: 2025-09-03
+---
+
+diff --git a/src/sail-codecs/tga/tga.c b/src/sail-codecs/tga/tga.c
+index afc04288..cc7f471a 100644
+--- a/src/sail-codecs/tga/tga.c
++++ b/src/sail-codecs/tga/tga.c
+@@ -223,6 +223,9 @@ SAIL_EXPORT sail_status_t sail_codec_load_frame_v8_tga(void *state, struct sail_
+
+ SAIL_TRY(tga_state->io->strict_read(tga_state->io->stream, pixel, pixel_size));
+
++ /* Round to the buffer size. */
++ count = (i + count) <= pixels_num ? count : (pixels_num - i);
++
+ for (unsigned j = 0; j < count; j++, i++) {
+ memcpy(pixels, pixel, pixel_size);
+ pixels += pixel_size;
+--
+2.39.5
+
diff -Nru sail-0.9.8/debian/patches/series sail-0.9.8/debian/patches/series
--- sail-0.9.8/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ sail-0.9.8/debian/patches/series 2025-09-03 17:39:17.000000000 +0000
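Review bot: `const size_t max_height = SIZE_MAX / image_local->bytes_per_line;` divides by a value the codec supplied; if bytes_per_line is 0 (the utils.c patch in this same upload makes sail_bytes_per_line return 0 on overflow) this is a division by zero and undefined behaviour, unless sail_check_image_skeleton_valid on the line added just above already rejects a zero bytes_per_line, which cannot be confirmed from here. Making the guard explicit removes the dependency: `if (image_local->bytes_per_line == 0 || image_local->height > SIZE_MAX / image_local->bytes_per_line) {` followed by the same destroy-and-return handling the hunk already uses. The check also only prevents size_t wrap, so a product just under SIZE_MAX still reaches sail_malloc; an explicit upper bound on accepted pixel count is the usual additional defence in image decoders. The TGA hunk on this line shares the clamp caveat raised on the BMP RLE patch above. sail_load_next_frame continues outside the hunk.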
@@ -0,0 +1,8 @@
+0001-BMP-Fix-possible-buffer-overflow-closes-223.patch
+0001-SAIL-Validate-image-dimensions-before-allocating-clo.patch
+0001-PCX-Fix-possible-buffer-overflow-closes-225.patch
+0001-SAIL-Fix-memory-leak-on-error.patch
+0001-COMMON-Fix-possible-unsigned-overflow-closes-226.patch
+0001-PSD-Fix-possible-buffer-overflow-closes-227.patch
+0001-TGA-Fix-possible-buffer-overflow-closes-228.patch
+0001-BMP-Fix-possible-buffer-overflow-closes-229.patch