
Bug#976423: buster-pu: package pngcheck/2.3.0-7



Package: release.debian.org
Severity: important
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

A global buffer overflow vulnerability was found by Red Hat in
pngcheck-2.4.0 [1]. It was found and reported by the Debian Security
Team that the vulnerability also affects the versions found in the
Debian archive [2].

The bug was already fixed in unstable [2]. I have prepared a revision
for buster-security for pngcheck/2.3.0-7 with the backported changes
from unstable. The proposed update builds correctly on a minimal
up-to-date buster chroot.

I didn't coordinate with the security team, as the vulnerability is
marked "no-dsa" in the Debian Security Tracker [3].

If the update is deemed correct, I can make it available on mentors, and
open an RFS as I don't have uploading rights.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1902011
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976350
[3] https://security-tracker.debian.org/tracker/CVE-2020-27818

Regards,
Polverari

diff -Nru pngcheck-2.3.0/debian/changelog pngcheck-2.3.0/debian/changelog
--- pngcheck-2.3.0/debian/changelog	2013-06-26 09:28:27.000000000 +0000
+++ pngcheck-2.3.0/debian/changelog	2020-12-04 21:22:18.000000000 +0000
@@ -1,3 +1,10 @@
+pngcheck (2.3.0-7+deb10u1) buster-security; urgency=high
+
+  * debian/patches/60-fix-buffer-overflow.patch: added to fix CVE-2020-27818.
+    Thanks to Salvatore Bonaccorso <carnil@debian.org>. (Closes: #976350)
+
+ -- David da Silva Polverari <david.polverari@gmail.com>  Fri, 04 Dec 2020 21:22:18 +0000
+
 pngcheck (2.3.0-7) unstable; urgency=low
 
   * debian/control
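Review bot: the changelog header targets `buster-security` with `urgency=high`, but this request is filed as a buster-pu (Usertags: pu) and the cover mail states the issue is marked no-dsa and was not coordinated with the security team; a proposed update is uploaded to the `buster` distribution, so the header should read `pngcheck (2.3.0-7+deb10u1) buster; urgency=medium` (the distribution must match the queue it is uploaded to; medium is the usual urgency for a pu). The version string `2.3.0-7+deb10u1`, the CVE reference and the `Closes: #976350` are fine.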
diff -Nru pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch
--- pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch	1970-01-01 00:00:00.000000000 +0000
+++ pngcheck-2.3.0/debian/patches/60-fix-buffer-overflow.patch	2020-12-04 21:22:18.000000000 +0000
@@ -0,0 +1,26 @@
+Description: Fix buffer overflow reported in RHBZ #1897485.
+ When char is signed, casting to a (signed) int directly could produce a
+ negative offset into the ASCII lookup table; adding an intermediate cast to
+ uch (a typedef for unsigned char) ensures a nonnegative offset no greater than
+ 255, which always corresponds to a valid table index.
+Origin: vendor, https://src.fedoraproject.org/rpms/pngcheck/blob/cc48791e34201caf7b686084b735d06cef66c974/f/pngcheck-2.4.0-overflow-bz1897485.patch
+Bug-Debian: https://bugs.debian.org/976350
+Forwarded: no
+Reviewed-By: David da Silva Polverari <david.polverari@gmail.com>
+Last-Update: 2020-12-04
+
+--- a/pngcheck.c
++++ b/pngcheck.c
+@@ -4895,8 +4895,10 @@
+ /* GRR 20061203:  now EBCDIC-safe */
+ int check_chunk_name(char *chunk_name, char *fname)
+ {
+-  if (isASCIIalpha((int)chunk_name[0]) && isASCIIalpha((int)chunk_name[1]) &&
+-      isASCIIalpha((int)chunk_name[2]) && isASCIIalpha((int)chunk_name[3]))
++  if (isASCIIalpha((int)(uch)chunk_name[0]) &&
++      isASCIIalpha((int)(uch)chunk_name[1]) &&
++      isASCIIalpha((int)(uch)chunk_name[2]) &&
++      isASCIIalpha((int)(uch)chunk_name[3]))
+     return 0;
+ 
+   printf("%s%s  invalid chunk name \"%.*s\" (%02x %02x %02x %02x)\n",
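Review bot: the patch header cites only RHBZ #1897485 and the Fedora origin, while the cover mail points at Red Hat bug 1902011 and the changelog names CVE-2020-27818; add the CVE identifier (and the security-tracker link) to the Description so the patch is self-describing when read apart from the changelog. The code change itself is sound: where `char` is signed, a chunk-name byte of 0x80 or above becomes a negative `int` and indexes before the start of the lookup table behind `isASCIIalpha`, and casting through `(uch)` first confines the index to 0..255. Also reconsider `Forwarded: no`, since the mail says the same code is present in upstream 2.4.0 and the Fedora patch is named for that version; either forward it or mark it `not-needed` with a reason.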
diff -Nru pngcheck-2.3.0/debian/patches/series pngcheck-2.3.0/debian/patches/series
--- pngcheck-2.3.0/debian/patches/series	2013-06-26 09:28:27.000000000 +0000
+++ pngcheck-2.3.0/debian/patches/series	2020-12-04 21:22:18.000000000 +0000
@@ -1,2 +1,3 @@
 10-pngsplit-format-strings.patch
 20-pngsplit-long-options.patch
+60-fix-buffer-overflow.patch