mchehab / zbar

ZBar is an open source software suite for reading bar codes from various sources, including webcams. As its development stopped in 2012, I took the task of keeping it updated with the V4L2 API. This is the main repository for it. There's a clone at LinuxTV.org, and another one at gitlab.
https://linuxtv.org/downloads/zbar/
GNU Lesser General Public License v2.1

Fix CVE-2023-40890 and CVE-2023-40889 #276

Closed: jubalh closed this 10 months ago

jubalh commented 10 months ago

To the best of my knowledge all the work was done by @bastien-roucaries / Remi Meier. I just took the patches from https://salsa.debian.org/debian/zbar/-/tree/master/debian/patches and made them apply.

I hope this helps upstream to review the changes as requested in #263 (comment).

Fix #263

jubalh commented 10 months ago

I hope I didn't introduce any mistakes :)

jubalh commented 10 months ago

Tested against the two POCs mentioned in https://github.com/mchehab/zbar/issues/263#issuecomment-1881235966.

mchehab commented 10 months ago

Merged, thanks!