--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu, wheezy-pu: package librsvg/2.40.5-1 and librsvg/2.36.1-2
- From: Santiago Ruano Rincón <santiagorr@riseup.net>
- Date: Fri, 25 Mar 2016 14:49:20 +0100
- Message-id: <145891376032.22153.4847989447226956392.reportbug@riseup.net>
Package: release.debian.org
Severity: normal
Tags: jessie, wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,

Please consider the following debdiffs to fix librsvg's CVE-2015-7557
for Jessie and Wheezy. This is a no-dsa bug that could fit a point
release. It applies the following simple patch, which upstream proposed
against 2.40.6:

https://git.gnome.org/browse/librsvg/commit/rsvg-shapes.c?id=40af93e6eb1c94b90c3b9a0b87e0840e126bb8df

The patch was also applied in squeeze-lts.

Thanks,

Santiago
diff -Nru librsvg-2.40.5/debian/changelog librsvg-2.40.5/debian/changelog
--- librsvg-2.40.5/debian/changelog 2014-10-14 16:48:24.000000000 +0200
+++ librsvg-2.40.5/debian/changelog 2016-03-24 11:04:24.000000000 +0100
@@ -1,3 +1,10 @@
+librsvg (2.40.5-1+deb8u1) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file.
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net> Thu, 24 Mar 2016 11:02:20 +0100
+
librsvg (2.40.5-1) unstable; urgency=medium
* New upstream release.
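Review bot: The "Fix CVE-2015-7557" bullet in the new entry does not say where the fix comes from or which file carries it. Suggest naming debian/patches/CVE-2015-7557.patch and the upstream commit 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df (bgo#738050) in that bullet, so the changelog alone is enough to trace the change.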
diff -Nru librsvg-2.40.5/debian/patches/CVE-2015-7557.patch librsvg-2.40.5/debian/patches/CVE-2015-7557.patch
--- librsvg-2.40.5/debian/patches/CVE-2015-7557.patch 1970-01-01 01:00:00.000000000 +0100
+++ librsvg-2.40.5/debian/patches/CVE-2015-7557.patch 2016-03-24 11:05:21.000000000 +0100
@@ -0,0 +1,50 @@
+From 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df Mon Sep 17 00:00:00 2001
+From: Federico Mena Quintero <federico@gnome.org>
+Date: Thu, 5 Feb 2015 18:08:25 -0600
+Subject: bgo#738050 - Handle the case where a list of coordinate pairs has an
+ odd number of elements
+
+Lists of points come in coordinate pairs, but we didn't have any checking for that.
+It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate
+of an x,y pair, that was in fact missing, leading to an out-of-bounds array read.
+
+In that case, we now reuse the last-known y coordinate.
+
+Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050
+
+Signed-off-by: Federico Mena Quintero <federico@gnome.org>
+---
+ rsvg-shapes.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/rsvg-shapes.c b/rsvg-shapes.c
+index c13b90c..e4a705d 100644
+--- a/rsvg-shapes.c
++++ b/rsvg-shapes.c
+@@ -169,10 +169,22 @@ _rsvg_node_poly_build_path (const char *value,
+
+ /* "L %f %f " */
+ for (i = 2; i < pointlist_len; i += 2) {
++ double p;
++
+ g_string_append (d, " L ");
+ g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i]));
+ g_string_append_c (d, ' ');
+- g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i + 1]));
++
++ /* We expect points to come in coordinate pairs. But if there is a
++ * missing part of one pair in a corrupt SVG, we'll have an incomplete
++ * list. In that case, we reuse the last-known Y coordinate.
++ */
++ if (i + 1 < pointlist_len)
++ p = pointlist[i + 1];
++ else
++ p = pointlist[i - 1];
++
++ g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), p));
+ }
+
+ if (close_path)
+--
+cgit v0.11.2
+
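Review bot: The new bounds check covers only the second coordinate read inside the `for (i = 2; i < pointlist_len; i += 2)` loop; the code before the loop is not part of this hunk and is left as it was. Please confirm in the full rsvg-shapes.c that the first point (pointlist[0], pointlist[1]) is read only when pointlist_len is at least 2, because if it is read unconditionally a one-element list would still index past the array. Inside the loop the fallback `p = pointlist[i - 1];` stays in bounds, since i starts at 2 and the branch is reached only when i < pointlist_len. As a style point, the patch header would benefit from an Origin: field pointing at the upstream commit, and the trailing "cgit v0.11.2" footer can be dropped.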
diff -Nru librsvg-2.40.5/debian/patches/series librsvg-2.40.5/debian/patches/series
--- librsvg-2.40.5/debian/patches/series 2014-09-15 00:58:58.000000000 +0200
+++ librsvg-2.40.5/debian/patches/series 2016-03-24 11:05:21.000000000 +0100
@@ -1,2 +1,3 @@
10_rsvg-gz.patch
20_rsvg_compat.patch
+CVE-2015-7557.patch
diff -Nru librsvg-2.36.1/debian/changelog librsvg-2.36.1/debian/changelog
--- librsvg-2.36.1/debian/changelog 2013-12-04 21:16:12.000000000 +0100
+++ librsvg-2.36.1/debian/changelog 2016-03-24 10:53:07.000000000 +0100
@@ -1,3 +1,10 @@
+librsvg (2.36.1-2+deb7u1) wheezy; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file.
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net> Thu, 24 Mar 2016 09:18:51 +0100
+
librsvg (2.36.1-2) stable; urgency=low
[ Raphaël Geissert ]
diff -Nru librsvg-2.36.1/debian/patches/CVE-2015-7557.patch librsvg-2.36.1/debian/patches/CVE-2015-7557.patch
--- librsvg-2.36.1/debian/patches/CVE-2015-7557.patch 1970-01-01 01:00:00.000000000 +0100
+++ librsvg-2.36.1/debian/patches/CVE-2015-7557.patch 2016-03-24 09:18:37.000000000 +0100
@@ -0,0 +1,50 @@
+From 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df Mon Sep 17 00:00:00 2001
+From: Federico Mena Quintero <federico@gnome.org>
+Date: Thu, 5 Feb 2015 18:08:25 -0600
+Subject: bgo#738050 - Handle the case where a list of coordinate pairs has an
+ odd number of elements
+
+Lists of points come in coordinate pairs, but we didn't have any checking for that.
+It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate
+of an x,y pair, that was in fact missing, leading to an out-of-bounds array read.
+
+In that case, we now reuse the last-known y coordinate.
+
+Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050
+
+Signed-off-by: Federico Mena Quintero <federico@gnome.org>
+---
+ rsvg-shapes.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/rsvg-shapes.c b/rsvg-shapes.c
+index c13b90c..e4a705d 100644
+--- a/rsvg-shapes.c
++++ b/rsvg-shapes.c
+@@ -169,10 +169,22 @@ _rsvg_node_poly_build_path (const char *value,
+
+ /* "L %f %f " */
+ for (i = 2; i < pointlist_len; i += 2) {
++ double p;
++
+ g_string_append (d, " L ");
+ g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i]));
+ g_string_append_c (d, ' ');
+- g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i + 1]));
++
++ /* We expect points to come in coordinate pairs. But if there is a
++ * missing part of one pair in a corrupt SVG, we'll have an incomplete
++ * list. In that case, we reuse the last-known Y coordinate.
++ */
++ if (i + 1 < pointlist_len)
++ p = pointlist[i + 1];
++ else
++ p = pointlist[i - 1];
++
++ g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), p));
+ }
+
+ if (close_path)
+--
+cgit v0.11.2
+
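Review bot: The `index c13b90c..e4a705d` line and the `@@ -169,10 +169,22 @@` position are the same as in the 2.40.5 copy, so against the 2.36.1 tree this patch may apply only with an offset or fuzz. Please confirm that the context lines around the loop in `_rsvg_node_poly_build_path` match the 2.36.1 source, and refresh the patch against that tree so the hunk header reflects where it actually lands.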
diff -Nru librsvg-2.36.1/debian/patches/series librsvg-2.36.1/debian/patches/series
--- librsvg-2.36.1/debian/patches/series 2013-12-04 15:09:40.000000000 +0100
+++ librsvg-2.36.1/debian/patches/series 2016-03-24 09:18:37.000000000 +0100
@@ -3,3 +3,4 @@
10_rsvg-gz.patch
20_rsvg_compat.patch
99_ltmain_as-needed.patch
+CVE-2015-7557.patch
--- End Message ---