Accepting request 1134050 from home:jubalh:branches:Application:Geo

- security update: * CVE-2023-40889 [bsc#1214770] Fix heap based buffer overflow in qr_reader_match_centers() + zbar-CVE-2023-40889.patch * CVE-2023-40890 [bsc#1214771] Fix stack based buffer overflow in lookup_sequence() + zbar-CVE-2023-40890.patch OBS-URL: https://build.opensuse.org/request/show/1134050 OBS-URL: https://build.opensuse.org/package/show/Application:Geo/zbar?expand=0&rev=57
2023-12-20 09:31:40 +00:00 · 2023-12-20 09:31:40 +00:00 · 74eeb89137
commit 74eeb89137
parent de4a119d29
4 changed files with 99 additions and 0 deletions
--- a/zbar-CVE-2023-40889.patch
+++ b/zbar-CVE-2023-40889.patch
@ -0,0 +1,16 @@
+https://salsa.debian.org/debian/zbar/-/commit/1c3ddc8d7d828d68688c7f4f2ea35a2eee18594c
+Index: zbar-0.23.1/zbar/qrcode/qrdec.c
+===================================================================
+--- zbar-0.23.1.orig/zbar/qrcode/qrdec.c
+++ zbar-0.23.1/zbar/qrcode/qrdec.c
+@@ -3900,8 +3900,8 @@ void qr_reader_match_centers(qr_reader *
+     /*TODO: We might be able to accelerate this step significantly by
+        considering the remaining finder centers in a more intelligent order,
+        based on the first finder center we just chose.*/
+-    for(j=i+1;!mark[i]&&j<_ncenters;j++){
+-      for(k=j+1;!mark[j]&&k<_ncenters;k++)if(!mark[k]){
+	  for (j=i+1;i<_ncenters&&!mark[i]&&j<_ncenters;j++) {
+		  for (k=j+1;j<_ncenters&&!mark[j]&&k<_ncenters;k++)if(!mark[k]) {
+         qr_finder_center *c[3];
+         qr_code_data      qrdata;
+         int               version;
--- a/zbar-CVE-2023-40890.patch
+++ b/zbar-CVE-2023-40890.patch
@ -0,0 +1,68 @@
+https://salsa.debian.org/debian/zbar/-/blob/master/debian/patches/0004-Add-bounds-check-for-CVE-2023-40890.patch
+Index: zbar-0.23.1/zbar/decoder/databar.c
+===================================================================
+--- zbar-0.23.1.orig/zbar/decoder/databar.c
+++ zbar-0.23.1/zbar/decoder/databar.c
+@@ -23,6 +23,8 @@
+ 
+ #include <config.h>
+ #include <zbar.h>
+#include <stdlib.h>
+#include <stdio.h>
+ 
+ #ifdef DEBUG_DATABAR
+ # define DEBUG_LEVEL (DEBUG_DATABAR)
+@@ -663,10 +665,11 @@ match_segment (zbar_decoder_t *dcode,
+     return(ZBAR_DATABAR);
+ }
+ 
+-static inline unsigned
+static inline signed
+ lookup_sequence (databar_segment_t *seg,
+                  int fixed,
+-                 int seq[22])
+                 int seq[22],
+                 const size_t maxsize)
+ {
+     unsigned n = seg->data / 211, i;
+     const unsigned char *p;
+@@ -676,6 +679,13 @@ lookup_sequence (databar_segment_t *seg,
+     dbprintf(2, " {%d,%d:", i, n);
+     p = exp_sequences + i;
+ 
+    if (n >= maxsize-1) {
+	// The loop below checks i<n and increments i by one within the loop
+	// when accessing seq[22]. For this to be safe, n needs to be < 21.
+	// See CVE-2023-40890.
+	return -1;
+    }
+
+     fixed >>= 1;
+     seq[0] = 0;
+     seq[1] = 1;
+@@ -755,10 +765,15 @@ match_segment_exp (zbar_decoder_t *dcode
+             }
+ 
+             if(!i) {
+-                if(!lookup_sequence(seg, fixed, seq)) {
+                signed int lu = lookup_sequence(seg, fixed, seq, sizeof(seq)/sizeof(seq[0]));
+                if(!lu) {
+                     dbprintf(2, "[nf]");
+                     continue;
+                 }
+                if(lu < 0) {
+                    dbprintf(1, " [aborted]\n");
+                    goto abort;
+                }
+                 width = seg->width;
+                 dbprintf(2, " A00@%d", j);
+             }
+@@ -829,6 +844,8 @@ match_segment_exp (zbar_decoder_t *dcode
+     dcode->direction = (1 - 2 * (seg->side ^ seg->color)) * dir;
+     dcode->modifiers = MOD(ZBAR_MOD_GS1);
+     return(ZBAR_DATABAR_EXP);
+abort:
+    return (ZBAR_NONE);
+ }
+ #undef IDX
+ 
--- a/zbar.changes
+++ b/zbar.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Dec 13 18:36:21 UTC 2023 - Michael Vetter <mvetter@suse.com>
+
+- security update:
+  * CVE-2023-40889 [bsc#1214770]
+    Fix heap based buffer overflow in qr_reader_match_centers()
+    + zbar-CVE-2023-40889.patch
+  * CVE-2023-40890 [bsc#1214771]
+    Fix stack based buffer overflow in lookup_sequence()
+    + zbar-CVE-2023-40890.patch
+
 -------------------------------------------------------------------
 Tue Jun 20 11:21:51 UTC 2023 - Martin Pluskal <mpluskal@suse.com>

--- a/zbar.spec
+++ b/zbar.spec
@ -29,6 +29,10 @@ Source0:        https://linuxtv.org/downloads/%{name}/%{name}-%{version}.tar.bz2
 Source98:       baselibs.conf
 # PATCH-FIX-UPSTREAM: fix build against python 3.11 - https://github.com/mchehab/zbar/commit/9bb0cc43f7f9e9c676e07b2e511f03bfa1c491cb
 Patch1:         py311.patch
+# PATCH-FIX-UPSTREAM -- mvetter@suse.com -- bsc#1214770
+Patch2:         zbar-CVE-2023-40889.patch
+# PATCH-FIX-UPSTREAM -- mvetter@suse.com -- bsc#1214771
+Patch3:         zbar-CVE-2023-40890.patch
 BuildRequires:  libjpeg-devel
 BuildRequires:  pkgconfig >= 0.9.0
 BuildRequires:  xmlto