Bug#929855: unblock: libheif/1.3.2-2

Reinhard Tartler-2
Package: release.debian.org
Severity: normal
User: [hidden email]
Usertags: unblock

Please unblock package libheif to address CVE-2019-11471, aka #928210 in Debian/buster.

unblock libheif/1.3.2-2


debdiff follows:


diff --git a/debian/changelog b/debian/changelog
index 9452979..23246df 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libheif (1.3.2-2) unstable; urgency=medium
+
+  * Team Upload
+  
+  [ Dylan A├»ssi ]
+  * Add patch to fix CVE-2019-11471, Closes: #928210
+
+ -- Reinhard Tartler <[hidden email]>  Sat, 01 Jun 2019 17:56:05 -0400
+
 libheif (1.3.2-1) unstable; urgency=medium
 
   * Imported Upstream version 1.3.2
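Review bot: The entry "* Add patch to fix CVE-2019-11471, Closes: #928210" does not say what the patch changes. The patch header later in this debdiff lists three separate checks (recursive image references, non-existing alpha images, non-existing depth images), so naming them in the entry would let a release-team reader match the changelog to the diff. The otherwise empty line after "* Team Upload" also appears to carry trailing whitespace.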
diff --git a/debian/patches/CVE-2019-11471.patch b/debian/patches/CVE-2019-11471.patch
new file mode 100644
index 0000000..767bb45
--- /dev/null
+++ b/debian/patches/CVE-2019-11471.patch
@@ -0,0 +1,60 @@
+Author: Joachim Bauch <bauch at struktur.de>
+Description: Fix CVE-2019-11471
+ Detect and handle recursive image references.
+ Detect non-existing referenced alpha images.
+ Detect non-existing referenced depth images.
+Origin: upstream, https://github.com/strukturag/libheif/commit/e89fbbe0705a4b8e755f148fd4c4c84007295d16
+                  https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014
+                  https://github.com/strukturag/libheif/commit/5a9b7f7564e158c6339f6d78a77de23720b15afd
+Bug: https://github.com/strukturag/libheif/issues/123
+     https://github.com/strukturag/libheif/issues/125
+Bug-Debian: https://bugs.debian.org/928210
+
+--- a/libheif/heif_context.cc
++++ b/libheif/heif_context.cc
+@@ -520,6 +520,11 @@
+                        "Thumbnail references another thumbnail");
+         }
+
++        if (image.get() == master_iter->second.get()) {
++          return Error(heif_error_Invalid_input,
++                       heif_suberror_Nonexisting_item_referenced,
++                       "Recursive thumbnail image detected");
++        }
+         master_iter->second->add_thumbnail(image);
+
+         remove_top_level_image(image);
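Review bot: The new comparison "if (image.get() == master_iter->second.get())" dereferences master_iter, but this hunk adds no "master_iter == m_all_images.end()" guard, while the alpha and depth hunks below add one before the same comparison. The visible context does not show whether the lookup is already validated above this point; if it is not, the same end() check belongs here before the dereference.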
+@@ -566,6 +571,16 @@
+           image->set_is_alpha_channel_of(refs[0]);
+
+           auto master_iter = m_all_images.find(refs[0]);
++            if (master_iter == m_all_images.end()) {
++              return Error(heif_error_Invalid_input,
++                           heif_suberror_Nonexisting_item_referenced,
++                           "Non-existing alpha image referenced");
++            }
++            if (image.get() == master_iter->second.get()) {
++              return Error(heif_error_Invalid_input,
++                           heif_suberror_Nonexisting_item_referenced,
++                           "Recursive alpha image detected");
++            }
+           master_iter->second->set_alpha_channel(image);
+         }
+
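Review bot: The recursion check "image.get() == master_iter->second.get()" only rejects an item that names itself as its own alpha master; two items that reference each other would each pass it and then be linked to one another through set_alpha_channel(). If the parser can reach this code with such a pair, tracking visited items or bounding the reference depth would cover it; otherwise a comment explaining why only direct self-reference can occur would help. Also, set_is_alpha_channel_of(refs[0]) runs before the lookup is validated, so moving both checks above it would leave the image unmodified on the error path.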
+@@ -576,6 +591,16 @@
+           image->set_is_depth_channel_of(refs[0]);
+
+           auto master_iter = m_all_images.find(refs[0]);
++            if (master_iter == m_all_images.end()) {
++              return Error(heif_error_Invalid_input,
++                           heif_suberror_Nonexisting_item_referenced,
++                           "Non-existing depth image referenced");
++            }
++            if (image.get() == master_iter->second.get()) {
++              return Error(heif_error_Invalid_input,
++                           heif_suberror_Nonexisting_item_referenced,
++                           "Recursive depth image detected");
++            }
+           master_iter->second->set_depth_channel(image);
+
+           auto subtypes = auxC_property->get_subtypes();
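Review bot: Both new error returns use heif_suberror_Nonexisting_item_referenced, including the "Recursive depth image detected" case where the referenced item does exist, so a caller that inspects the suberror cannot tell a missing reference from a self-reference. A dedicated suberror would separate the two; if the backport has to stay within the existing enum, the patch Description should say so. This block is also a copy of the alpha one with only the message strings changed, and as rendered here the added lines are indented deeper than the "auto master_iter" line they follow; a shared helper and matching indentation would keep the three checks in step.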
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..acd8abf
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-11471.patch

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#929855: marked as done (unblock: libheif/1.3.2-2)

Salvatore Bonaccorso-4
Hi Paul,

On Sun, Jun 02, 2019 at 07:39:04AM +0000, Debian Bug Tracking System wrote:
> On 02-06-2019 00:07, Reinhard Tartler wrote:
> > Please unblock package libheif to address CVE-2019-11471, aka #928210 in Debian/buster.
> >
> > unblock libheif/1.3.2-2
>
> Unblocked, thanks.

Looks like libheif (similarly to qemu) cannot move to testing/buster:

libheif (1.3.2-1 to 1.3.2-2)
    Maintainer: Debian Multimedia Maintainers
    5 days old (needed 5 days)
    Depends: libheif gcc-8 (not considered)
    Updating libheif fixes old bugs: #928210
    Piuparts tested OK - https://piuparts.debian.org/sid/source/libh/libheif.html
    Ignoring block request by freeze, due to unblock request by elbrus
    Invalidated by dependency

should an upload be done via tpu here or is an unblock for the gcc-8
bug still under possible consideration?

Regards,
Salvatore


Bug#929855: marked as done (unblock: libheif/1.3.2-2)

Paul Gevers-4
Hi Salvatore,

On 07-06-2019 08:37, Salvatore Bonaccorso wrote:

> On Sun, Jun 02, 2019 at 07:39:04AM +0000, Debian Bug Tracking System wrote:
>> On 02-06-2019 00:07, Reinhard Tartler wrote:
>>> Please unblock package libheif to address CVE-2019-11471, aka #928210 in Debian/buster.
>>>
>>> unblock libheif/1.3.2-2
>>
>> Unblocked, thanks.
>
> Looks like libheif (similarly to qemu) cannot move to testing/buster:
>
> libheif (1.3.2-1 to 1.3.2-2)
>     Maintainer: Debian Multimedia Maintainers
>     5 days old (needed 5 days)
>     Depends: libheif gcc-8 (not considered)
>     Updating libheif fixes old bugs: #928210
>     Piuparts tested OK - https://piuparts.debian.org/sid/source/libh/libheif.html
>     Ignoring block request by freeze, due to unblock request by elbrus
>     Invalidated by dependency
>
> should an upload be done via tpu here or is an unblock for the gcc-8
> bug still under possible consideration?

I believe that Ivo told you in real life that rebuilds
* that target tpu
* that are unblocked by the release team in unstable
* that are blocked by gcc-8 and
* have security issues
are acceptable and will be unblocked when you ping us.

The gcc-8 bug is waiting for moreinfo.

Paul



Bug#929855: marked as done (unblock: libheif/1.3.2-2)

Salvatore Bonaccorso-4
Hi Paul,

On Fri, Jun 07, 2019 at 08:08:07PM +0200, Paul Gevers wrote:

> Hi Salvatore,
>
> On 07-06-2019 08:37, Salvatore Bonaccorso wrote:
> > On Sun, Jun 02, 2019 at 07:39:04AM +0000, Debian Bug Tracking System wrote:
> >> On 02-06-2019 00:07, Reinhard Tartler wrote:
> >>> Please unblock package libheif to address CVE-2019-11471, aka #928210 in Debian/buster.
> >>>
> >>> unblock libheif/1.3.2-2
> >>
> >> Unblocked, thanks.
> >
> > Looks like libheif (similarly to qemu) cannot move to testing/buster:
> >
> > libheif (1.3.2-1 to 1.3.2-2)
> >     Maintainer: Debian Multimedia Maintainers
> >     5 days old (needed 5 days)
> >     Depends: libheif gcc-8 (not considered)
> >     Updating libheif fixes old bugs: #928210
> >     Piuparts tested OK - https://piuparts.debian.org/sid/source/libh/libheif.html
> >     Ignoring block request by freeze, due to unblock request by elbrus
> >     Invalidated by dependency
> >
> > should an upload be done via tpu here or is an unblock for the gcc-8
> > bug still under possible consideration?
>
> I believe that Ivo told you in real life that rebuilds
> * that target tpu
> * that are unblocked by the release team in unstable
> * that are blocked by gcc-8 and
> * have security issues
> are acceptable and will be unblocked when you ping us.
>
> The gcc-8 bug is waiting for moreinfo.

I have just made a source-only upload for buster with
the attached debdiff. So this will be just a rebuild of the unstable
version for buster with a lower version.

Thanks to all the release team for your work!

Regards,
Salvatore

Attachment: libheif_1.3.2-2~deb10u1.debdiff (496 bytes)