debian/0000775000000000000000000000000013061530761007172 5ustar debian/docs0000664000000000000000000000002113036353537010044 0ustar NEWS README TODO debian/control0000664000000000000000000000202213036353537010577 0ustar Source: icoutils Section: graphics Priority: optional Maintainer: Colin Watson Standards-Version: 3.9.5 Build-Depends: debhelper (>= 9~), libpng-dev, dh-autoreconf Homepage: http://www.nongnu.org/icoutils/ Vcs-Git: git://anonscm.debian.org/users/cjwatson/icoutils.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=users/cjwatson/icoutils.git Package: icoutils Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}, libwww-perl Suggests: libterm-readline-gnu-perl | libterm-readline-perl-perl Multi-Arch: foreign Description: Create and extract MS Windows icons and cursors Icoutils is a set of programs that deal with MS Windows icons and cursors. Resources such as icons and cursors can be extracted from MS Windows executable and library files with "wrestool". Conversion of these files to and from PNG images is done with "icotool". "extresso" automates these tasks with the help of special resource scripts. . This package can be used to create "favicon.ico" files for web sites. debian/patches/0000775000000000000000000000000013060530361010614 5ustar debian/patches/wrestool-Make-check_offset-more-stringent.patch0000664000000000000000000000211013036353537021767 0ustar From 4fbe9222fd79ee31b7ec031b0be070a9a400d1d3 Mon Sep 17 00:00:00 2001 From: Frank Richter Date: Sun, 8 Jan 2017 15:13:46 +0100 Subject: [PATCH] wrestool: Make check_offset more stringent --- wrestool/fileread.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/wrestool/fileread.c b/wrestool/fileread.c index 3f24278..d3a7e62 100644 --- a/wrestool/fileread.c +++ b/wrestool/fileread.c 
@@ -35,12 +35,15 @@ bool check_offset(char *memory, int total_size, char *name, void *offset, int size) { - ptrdiff_t need_size = (char *) offset - memory + size; + char* memory_end = memory + total_size; + char* block = (char*)offset; + char* block_end = offset + size; /*debug("check_offset: size=%x vs %x offset=%x size=%x\n", need_size, total_size, (char *) offset - memory, size);*/ - if (need_size < 0 || need_size > total_size) { + if (((memory <= memory_end) && (block <= block_end)) + && ((block < memory) || (block >= memory_end) || (block_end > memory_end))) { warn(_("%s: premature end"), name); return false; } -- 2.11.0 debian/patches/wrestool-Fix-an-index-additional-check.patch0000664000000000000000000000221013036353537021127 0ustar From 1a108713ac26215c7568353f6e02e727e6d4b24a Mon Sep 17 00:00:00 2001 From: Frank Richter Date: Sun, 8 Jan 2017 15:36:34 +0100 Subject: [PATCH] wrestool: Fix an index, additional check --- wrestool/extract.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wrestool/extract.c b/wrestool/extract.c index 8192a1f..a0c516c 100644 --- a/wrestool/extract.c +++ b/wrestool/extract.c 
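Review bot: A negative `size` now bypasses the bounds check entirely: with `size < 0`, `block <= block_end` is false, the whole `if` condition is false, and the function falls through without the warning; a negative `total_size` skips it the same way via `memory <= memory_end`, and the earlier check-offset-overflow.patch hunk (the `need_size` form) has the same gap, since `need_size` can land inside `[0, total_size]` while `size` is negative. The guard should fail closed on bad inputs rather than pass them, e.g. `if (size < 0 || total_size < 0 || block < memory || block > memory_end || memory_end - block < size) {`, which compares distances instead of pointers formed past the end of the buffer. Using `block <= block_end` to detect wrap-around is fragile because forming a pointer outside the object is undefined and the compiler may treat that comparison as always true. `char* block_end = offset + size;` also does arithmetic on a `void *`, a GCC extension — write `block + size`. The function's success return lies outside the hunk.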
@@ -237,11 +237,11 @@ extract_group_icon_cursor_resource(WinLibrary *fi, WinResource *wr, char *lang, fileicondir->entries[c-skipped].dib_offset = offset; /* transfer resource into file memory */ - if (size > icondir->entries[c].bytes_in_res) - size = icondir->entries[c].bytes_in_res; + if (size > icondir->entries[c-skipped].bytes_in_res) + size = icondir->entries[c-skipped].bytes_in_res; if (is_icon) { memcpy(&memory[offset], data, size); - } else { + } else if (size >= sizeof(uint16_t)*2) { fileicondir->entries[c-skipped].hotspot_x = ((uint16_t *) data)[0]; fileicondir->entries[c-skipped].hotspot_y = ((uint16_t *) data)[1]; memcpy(&memory[offset], data+sizeof(uint16_t)*2, -- 2.1.4 debian/patches/series0000664000000000000000000000034413060527423012037 0ustar check-offset-overflow.patch wrestool-Make-check_offset-more-stringent.patch prevent-access-to-unallocated-memory-in-wrestool-BZ-.patch wrestool-Fix-an-index-additional-check.patch CVE-2017-6009_CVE-2017-6010_CVE-2017-6011.patch debian/patches/prevent-access-to-unallocated-memory-in-wrestool-BZ-.patch0000664000000000000000000000232713036353537023663 0ustar From 1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a Mon Sep 17 00:00:00 2001 From: Martin Gieseking Date: Sun, 8 Jan 2017 15:32:47 +0100 Subject: [PATCH] prevent access to unallocated memory in wrestool (BZ #1249276) --- wrestool/extract.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/wrestool/extract.c b/wrestool/extract.c index a203d04..8192a1f 100644 --- a/wrestool/extract.c +++ b/wrestool/extract.c 
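Review bot: When a cursor resource is shorter than the two hotspot words, the new `else if (size >= sizeof(uint16_t)*2)` silently skips both the hotspot assignment and the `memcpy`, yet `fileicondir->entries[c-skipped].dib_offset` was already set to `offset` a few lines above, so the output still references a slot whose bytes were never written; the remainder of that branch (including any adjustment of `offset`) is outside the hunk, so I cannot tell whether the gap is accounted for. A truncated cursor resource should be reported and handled like the function's other malformed-input cases rather than dropped without a message — add an `else` arm that calls `warn(...)` with a "cursor resource too small" message and takes the same failure path the function uses for other truncated data. A one-line comment on the `else if`, such as `/* need at least the two hotspot words before the DIB */`, would also make the constant's meaning clear.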
@@ -237,13 +237,15 @@ extract_group_icon_cursor_resource(WinLibrary *fi, WinResource *wr, char *lang, fileicondir->entries[c-skipped].dib_offset = offset; /* transfer resource into file memory */ + if (size > icondir->entries[c].bytes_in_res) + size = icondir->entries[c].bytes_in_res; if (is_icon) { - memcpy(&memory[offset], data, icondir->entries[c].bytes_in_res); + memcpy(&memory[offset], data, size); } else { fileicondir->entries[c-skipped].hotspot_x = ((uint16_t *) data)[0]; fileicondir->entries[c-skipped].hotspot_y = ((uint16_t *) data)[1]; memcpy(&memory[offset], data+sizeof(uint16_t)*2, - icondir->entries[c].bytes_in_res-sizeof(uint16_t)*2); + size-sizeof(uint16_t)*2); offset -= sizeof(uint16_t)*2; } -- 2.1.4 debian/patches/CVE-2017-6009_CVE-2017-6010_CVE-2017-6011.patch0000664000000000000000000000453313060527476016400 0ustar Backport of these upstream fixes: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=bf97b99109607d4367a4e57df9a37cbcac02e220 http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=45a0207225df4cd4b82f41eee636e21f11a7db74 http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=f148ae5af1c9eeb85610a5653a7f625dd6c3ac2e --- icoutils-0.31.0.orig/icotool/extract.c +++ icoutils-0.31.0/icotool/extract.c @@ -138,7 +138,8 @@ extract_icons(FILE *in, char *inname, bo Win32RGBQuad *palette = NULL; uint32_t palette_count = 0; uint32_t image_size, mask_size; - uint32_t width, height, bit_count; + int32_t width, height; + uint32_t bit_count; uint8_t *image_data = NULL, *mask_data = NULL; png_structp png_ptr = NULL; png_infop info_ptr = NULL; 
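Review bot: After the clamp, when `size` is smaller than `icondir->entries[c].bytes_in_res`, only `size` bytes are written at `memory[offset]`, but the directory entry prepared above the hunk may still advertise the full `bytes_in_res`; if `memory` is not zero-filled, the unwritten tail of that slot ends up in the output file as whatever the allocator left there. Neither the allocation of `memory` nor where the entry's size field is filled in is visible from this hunk, so please confirm that the recorded size is the clamped `size` or that `memory` comes from a zeroing allocator, and add a comment on the clamp saying which. In the cursor branch, `((uint16_t *) data)[0]` and `size-sizeof(uint16_t)*2` are still evaluated when `size` is below four bytes, which underflows the copy length; the later wrestool-Fix-an-index-additional-check.patch in this series adds that guard.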
@@ -154,16 +155,19 @@ extract_icons(FILE *in, char *inname, bo /* Vista icon: it's just a raw PNG */ if (bitmap.size == ICO_PNG_MAGIC) { + uint32_t unsigned_width, unsigned_height; fseek(in, offset, SEEK_SET); image_size = entries[c].dib_size; image_data = xmalloc(image_size); if (!xfread(image_data, image_size, in)) goto done; - - if (!read_png (image_data, image_size, &bit_count, &width, &height)) + + if (!read_png (image_data, image_size, &bit_count, &unsigned_width, &unsigned_height)) goto done; - + + width = (int32_t)unsigned_width; + height = (int32_t)unsigned_height; completed++; if (!filter(completed, width, height, bitmap.bit_count, palette_count, dir.type == 1, @@ -234,6 +238,10 @@ extract_icons(FILE *in, char *inname, bo goto done; offset += sizeof(Win32RGBQuad) * palette_count; } + if (abs(bitmap.width) > INT32_MAX/max(4, bitmap.bit_count)) { + warn(_("bitmap width too large")); + goto done; + } width = bitmap.width; height = abs(bitmap.height)/2; --- icoutils-0.31.0.orig/wrestool/restable.c +++ icoutils-0.31.0/wrestool/restable.c @@ -223,7 +223,7 @@ decode_ne_resource_id (WinLibrary *fi, W /* translate id into a string */ snprintf(wr->id, WINRES_ID_MAXLEN, "%d", value & ~NE_RESOURCE_NAME_IS_NUMERIC); } else { /* ASCII string id */ - int len; + unsigned char len; char *mem = (char *) NE_HEADER(fi->memory) + NE_HEADER(fi->memory)->rsrctab + value; debian/patches/check-offset-overflow.patch0000664000000000000000000000213513036353537016053 0ustar From ba9bc7b452e300c0567f28449ba3edfc50a41ff5 Mon Sep 17 00:00:00 2001 
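Review bot: `width = (int32_t)unsigned_width;` and the matching height cast turn any value above `INT32_MAX` into a negative number (an implementation-defined conversion) that is then handed to `filter(completed, width, height, ...)` with no range check, whereas the BMP path in the following hunk gets an explicit size bound. Whether `read_png` already rejects such values is not visible here, so guard before casting: `if (unsigned_width > INT32_MAX || unsigned_height > INT32_MAX) {` / `warn(_("PNG dimensions too large")); goto done;` / `}`. What `filter` and the code after the hunk do with a negative width is outside this view.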
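Review bot: In the `@@ -234,6 +238,10 @@` hunk, `abs(bitmap.width)` is undefined when `bitmap.width` is the minimum value of its type (presumably a signed 32-bit field, given the `INT32_MAX` bound), and the check still accepts a negative width; `height = abs(bitmap.height)/2` on the next line has the same `abs` hazard. As I understand the header format a negative width is never valid, so a tighter guard is `if (bitmap.width <= 0 || bitmap.width > INT32_MAX/max(4, bitmap.bit_count)) {`, with a separate rejection of `bitmap.height == INT32_MIN` before the `abs`. The `max` used here is not defined in the hunk; if it is a macro that evaluates its arguments more than once that is harmless for these operands, but a short comment naming where it comes from would help the next reader.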
From: Colin Watson Date: Sat, 7 Jan 2017 15:35:23 +0000 Subject: Fix check_offset overflow on 64-bit systems On 64-bit systems, the result of subtracting two pointers exceeds the size of int, so casting to int before checking offsets allows defeating the check using a large positive offset (greater than or equal to 2^32-size). Using ptrdiff_t instead of the cast avoids this problem. Bug-Debian: https://bugs.debian.org/850017 Forwarded: yes Last-Update: 2017-01-07 Patch-Name: check-offset-overflow.patch --- wrestool/fileread.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- icoutils-0.31.0.orig/wrestool/fileread.c +++ icoutils-0.31.0/wrestool/fileread.c 
@@ -35,7 +35,7 @@ bool check_offset(char *memory, int total_size, char *name, void *offset, int size) { - int need_size = (int) ((char *) offset - memory + size); + ptrdiff_t need_size = (char *) offset - memory + size; /*debug("check_offset: size=%x vs %x offset=%x size=%x\n", need_size, total_size, (char *) offset - memory, size);*/ debian/.git-dpm0000664000000000000000000000042713036353537010545 0ustar # see git-dpm(1) from git-dpm package 72f7d8b73a1210038fd79e443fdea74aa4f520a6 72f7d8b73a1210038fd79e443fdea74aa4f520a6 72f7d8b73a1210038fd79e443fdea74aa4f520a6 72f7d8b73a1210038fd79e443fdea74aa4f520a6 icoutils_0.31.0.orig.tar.bz2 2712acd33c611588793562310077efd2ff35dca5 559836 debian/compat0000664000000000000000000000000213036353537010376 0ustar 9 debian/changelog0000664000000000000000000002460313061530741011047 0ustar icoutils (0.31.0-2+deb8u3build0.14.04.1) trusty-security; urgency=medium * fake sync from Debian -- Tyler Hicks Mon, 13 Mar 2017 14:51:13 +0000 icoutils (0.31.0-2+deb8u3) jessie-security; urgency=medium * CVE-2017-6009 CVE-2017-6010 CVE-2017-6011 -- Moritz Mühlenhoff Fri, 10 Mar 2017 00:11:04 +0100 icoutils (0.31.0-2+deb8u2) jessie-security; urgency=high * Non-maintainer upload by the Security Team. * wrestool: Make check_offset more stringent (CVE-2017-5331) * prevent access to unallocated memory in wrestool (CVE-2017-5332) * wrestool: Fix an index, additional check (CVE-2017-5332 CVE-2017-5333) -- Salvatore Bonaccorso Sat, 14 Jan 2017 08:46:39 +0100 icoutils (0.31.0-2+deb8u1) jessie-security; urgency=medium * Fix security issue in wrestool, patch by Colin Watson -- Moritz Muehlenhoff Sun, 08 Jan 2017 11:02:07 +0100 icoutils (0.31.0-2) unstable; urgency=low * Support parallel builds. * Switch to git; add Vcs-* fields. * Policy version 3.9.5: no changes required. -- Colin Watson Tue, 18 Feb 2014 10:28:22 +0000 icoutils (0.31.0-1) unstable; urgency=low * New upstream release. 
-- Colin Watson Fri, 24 May 2013 18:07:09 +0100 icoutils (0.30.0-2) unstable; urgency=low * Use dh-autoreconf. -- Colin Watson Sat, 09 Feb 2013 19:05:33 +0000 icoutils (0.30.0-1) unstable; urgency=low * New upstream release. - Limit size of extracted icon to size of resource (LP: #872739, #956065, #976092). -- Colin Watson Fri, 07 Sep 2012 01:29:54 +0100 icoutils (0.29.1-5) unstable; urgency=low * Drop manual and not-very-useful 'debian/rules configure' target. * Upgrade to debhelper 9, mainly for hardening build flags support. -- Colin Watson Fri, 22 Jun 2012 12:55:18 +0100 icoutils (0.29.1-4) unstable; urgency=low * Rebuild in a clean unstable chroot to avoid pulling in experimental's libpng15-15. -- Colin Watson Wed, 07 Mar 2012 09:57:01 +0000 icoutils (0.29.1-3) unstable; urgency=low * Build-depend on libpng-dev rather than libpng12-dev (closes: #662375). -- Colin Watson Mon, 05 Mar 2012 09:38:54 +0000 icoutils (0.29.1-2) unstable; urgency=low * Mark icoutils Multi-Arch: foreign. -- Colin Watson Wed, 09 Nov 2011 01:52:17 +0000 icoutils (0.29.1-1) unstable; urgency=low [ Colin Watson ] * New upstream release (closes: #589377). Thanks to Markus Schölzel, Scott Ritchie, and others. - Supports Vista icons (closes: #511944). * Update watch file: upstream releases are now .bz2. * Convert to source format 3.0 (quilt). [ Markus Schölzel ] * Update copyright file (new author, GPLv3). * Add a Homepage field. * Fix typo in icotool(1) (thanks, Alessio Treglia; closes: #516170). * Fix various other manual page typos and hyphens used as minus signs. * Policy version 3.9.1. -- Colin Watson Sat, 23 Apr 2011 16:48:03 +0100 icoutils (0.26.0-4) unstable; urgency=low * Convert to debhelper 7. * Policy version 3.8.2: no changes required. -- Colin Watson Tue, 28 Jul 2009 10:39:56 +0100 icoutils (0.26.0-3) unstable; urgency=low * Update DEB_BUILD_OPTIONS parsing code from policy 3.8.0. * Update config.guess and config.sub from autotools-dev 20090427.1 (closes: #533684). 
-- Colin Watson Sat, 20 Jun 2009 00:10:36 +0100 icoutils (0.26.0-2) unstable; urgency=low * Use autotools-dev's recommended ./configure --build and --host options. -- Colin Watson Sun, 18 Nov 2007 14:39:14 +0000 icoutils (0.26.0-1) unstable; urgency=low * New upstream release. * Update URLs in copyright and watch files (closes: #354612, #449796). * Don't ignore errors from 'make distclean' other than the Makefile not existing. * Use debhelper v4. * Update licence text in debian/copyright, including new FSF address. * Policy version 3.7.2: no changes required. -- Colin Watson Mon, 12 Nov 2007 12:29:57 +0000 icoutils (0.25.0-1) unstable; urgency=low * New upstream release. - 'make distclean' fixed; revert workarounds. -- Colin Watson Thu, 26 May 2005 15:15:36 +0100 icoutils (0.22.0-2) unstable; urgency=low * Really ignore errors from 'make distclean' in subdirectories. -- Colin Watson Sat, 14 Feb 2004 02:45:19 +0000 icoutils (0.22.0-1) unstable; urgency=low * New upstream release. * Fiddle clean rule a bit to cope with distclean suddenly being too enthusiastic. * Build-depend on libpng12-dev rather than the compatibility library libpng3-dev. * Add text to package description containing "favicon.ico" for the benefit of searches (closes: #231975). * Upgrade debian/watch to format version 2. * Policy version 3.6.1: no changes required. -- Colin Watson Tue, 10 Feb 2004 21:58:09 +0000 icoutils (0.20.0-2) unstable; urgency=low * Update description to reflect that icotool can create icon files now, and that it uses PNG rather than XPM. -- Colin Watson Wed, 9 Jul 2003 09:18:44 +0100 icoutils (0.20.0-1) unstable; urgency=low * New upstream release (closes: #197407). * Remove bogus debian/rules build-stamp target. * Remove ia64 compiler workaround from version 0.16.0-2, since the default compiler there is no longer gcc 2.96. * Use debian/compat rather than DH_COMPAT. Increase debhelper build-dependency to 3.4.4 for this. * Remove Emacs local variables from this changelog. 
* Policy version 3.5.10: no changes required. -- Colin Watson Wed, 18 Jun 2003 01:09:48 +0100 icoutils (0.17.0-2) unstable; urgency=low * Fix boilerplate in debian/copyright, pedantically complained about by lintian. * Apply upstream patch for wrestool(1)'s NAME section (closes: #174231). -- Colin Watson Sun, 5 Jan 2003 14:16:42 +0000 icoutils (0.17.0-1) unstable; urgency=low * New upstream release. - Fixes big-endian problems with --create (closes: #171098). -- Colin Watson Sun, 1 Dec 2002 18:16:16 +0000 icoutils (0.16.0-2) unstable; urgency=low * Don't build getline.c if getline() is available in the C library (patch from upstream, closes: #161145). * Implement DEB_BUILD_OPTIONS=noopt. Force noopt on for ia64 until their internal compiler error on common/error.c is fixed. -- Colin Watson Tue, 24 Sep 2002 23:57:51 +0100 icoutils (0.16.0-1) unstable; urgency=low * New upstream release (closes: #160506). - 'icotool --create' is now implemented! It can create icon or cursor files from PNG images (closes: #130484). - Text and HTML documentation gone, replaced by manual pages imported from this packaging. * Accordingly, remove doc-base file and local versions of man pages, and generally update the packaging. * Build-depend on libpng3-dev for 'icotool --create'. * Policy version 3.5.7: - Add build-arch and build-indep targets. - Drop DEB_BUILD_OPTIONS=debug support. Build with -g unconditionally. -- Colin Watson Sat, 14 Sep 2002 00:22:13 +0100 icoutils (0.13.0-2) unstable; urgency=low * Don't refer to non-existent PostScript files (closes: #149646). -- Colin Watson Tue, 11 Jun 2002 23:04:26 +0000 icoutils (0.13.0-1) unstable; urgency=low * New upstream release. - Handles 24-bit color bitmaps (closes: #129656). * debian/copyright, debian/doc-base: New address for upstream author. * debian/rules: Adjust to cope with extresso and genresscript being generated files. * Policy version 3.5.6. 
-- Colin Watson Tue, 22 Jan 2002 02:36:01 +0000 icoutils (0.12.0-3) unstable; urgency=low * Make doc-base entry refer to icoutils.html rather than index.html (closes: #106835). -- Colin Watson Fri, 27 Jul 2001 23:47:43 +0100 icoutils (0.12.0-2) unstable; urgency=low * Perl policy version 1.19: tighten debhelper build-dep to >= 3.0.18. * Remove build-dependency on autoconf, since configure.in isn't modified. -- Colin Watson Fri, 25 May 2001 22:10:22 +0100 icoutils (0.12.0-1) unstable; urgency=low * New upstream release. - This fixes big-endian compilation errors (closes: #90210). * Note that wrestool won't generate the correct output on big-endian machines yet. That's waiting for another upstream release ... -- Colin Watson Mon, 19 Mar 2001 20:14:13 +0000 icoutils (0.11.0-1) unstable; urgency=low * New upstream release. There is untested preliminary support for big-endian machines now. * debian/copyright: Updated. * Oops. genresscript had the wrong path to wrestool. Fixed. -- Colin Watson Sun, 18 Mar 2001 13:26:59 +0000 icoutils (0.10.0-1) unstable; urgency=low * New upstream release. * The Wine headers were removed upstream for licensing reasons, allowing this to be uploaded to main (closes: #85643). Updated the copyright file. * Updated policy version to 3.5.2: no changes required. * Updates for new Perl policy. * Man page tweaks (including s|GNU/Linux|GNU|). * Add more documentation and examples. * Suggest a real Term::ReadLine library. -- Colin Watson Thu, 8 Mar 2001 20:16:24 +0000 icoutils (0.9.0-3) unstable; urgency=low * New maintainer address. * Policy version 3.5.0: support DEB_BUILD_OPTIONS. * Use debhelper v3. * Minor tweaks to copyright file. * Don't install the documentation in SGML format. -- Colin Watson Sun, 11 Feb 2001 20:22:33 +0000 icoutils (0.9.0-2) unstable; urgency=low * New maintainer address. * debian/control: Standards-Version: 3.1.1, and build dependencies. * debian/doc-base: Section: Graphics, not Section: graphics. 
* debian/doc-base: Use /usr/share/doc as the canonical location, not /usr/doc. * debian/rules: Add configure target, tracking dh-make version 0.22. * Don't include the INSTALL file. * Other minor cleanups. -- Colin Watson Sat, 1 Jul 2000 02:10:16 +0100 icoutils (0.9.0-1) unstable; urgency=low * Initial Release. -- Colin Watson Thu, 24 Feb 2000 18:19:01 +0000 debian/copyright0000664000000000000000000000171613036353537011140 0ustar This package was debianized by Colin Watson on Thu, 24 Feb 2000 18:19:01 +0000. It was downloaded from http://www.nongnu.org/icoutils/ Upstream Authors: Frank Richter Oskar Liljeblad Copyright: The icoutils are copyright (C) 1998 Oskar Liljeblad. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. On Debian systems a copy of the GNU General Public License version 3 is available in /usr/share/common-licenses/GPL-3, which is part of the base-files package. debian/manpages0000664000000000000000000000012213036353537010711 0ustar extresso/extresso.1 extresso/genresscript.1 icotool/icotool.1 wrestool/wrestool.1 debian/install0000664000000000000000000000006013036353537010565 0ustar extresso/extresso extresso/genresscript usr/bin debian/watch0000664000000000000000000000014413036353537010230 0ustar version=2 http://download.savannah.gnu.org/releases/icoutils/icoutils-(.*)\.tar\.bz2 debian uupdate debian/source/0000775000000000000000000000000013036353537010500 5ustar debian/source/format0000664000000000000000000000001413036353537011706 0ustar 3.0 (quilt) debian/rules0000775000000000000000000000007313036353537010260 0ustar #! 
/usr/bin/make -f %: dh $@ --with autoreconf --parallel