-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 30 Apr 2023 17:35:04 +0200 Source: sgt-puzzles Architecture: source Version: 20191231.79a5378-3+deb11u1 Distribution: bullseye Urgency: medium Maintainer: Ben Hutchings <ben@decadent.org.uk> Changed-By: Ben Hutchings <benh@debian.org> Closes: 905852 1028986 1034190 Changes: sgt-puzzles (20191231.79a5378-3+deb11u1) bullseye; urgency=medium . * Fix various security issues in game loading (Closes: #1028986, #1034190): - Mines: add validation for negative mine count. - Galaxies: fix assertion failure when adding out-of-bounds association. - Filling: fix assertion failure in 3x1 game generation. - Map: add missing sresize in new_game_desc(). - Add more validation to midend deserialisation routine - Correct and enable the range check on statepos when loading - Add an assertion to check the format of encoded parameters - Add assertions that game descriptions consist only of printable ASCII. - Hex-encode non-ASCII random seeds in save files - Assert that everything written to a save file is printable ASCII - Build fix: take declarations out of for loops. - galaxies: Use the same code for handling all dropped arrows - magnets: Area constraints; fix message. - lightup: Ban 2x2 with either 4-way type - Remove _() introduced from Android port. - Solo: Set max difficulty for small jigsaw puzzles - Add a macro of an upper bound on the formatted length of an integer - Guess: Don't allow any moves once the game is solved (CVE-2023-24283) - Guess: validate peg colours in decode_ui() (CVE-2023-24284) - Netslide: Reject moves wider than the grid (CVE-2023-24285) - Sixteen: limit length of moves - Undead: check for valid commands in execute_move() - Undead: fix buffer overrun in "M" command (CVE-2023-24287) - Correct RANGECHECK macro in Black Box - Range-check normal moves in Undead - Range-check record lengths when deserialising games (CVE-2023-24291) - Don't load too many states just because there's no STATEPOS (CVE-2023-24288) - Palisade: forbid moves that remove grid edges - Last-ditch maximum size limit for Bridges - Last-ditch grid-size limit for Dominosa - Last-ditch grid-size limit for Galaxies - Last-ditch grid-size limit for Fifteen - Last-ditch maximum size limit for Flip - Last-ditch grid-size limit for Flood - Insist that Flood grids must have non-zero size - Last-ditch grid-size limit for Inertia - Last-ditch maximum size limit for Light Up - Limit maximum grid size in Loopy - Last-ditch maximum size limit for Magnets - Last-ditch maximum size limit for Map - Last-ditch maximum size limit for Mines - Also check for tiny grids in Mines - Last-ditch maximum size limit for Net - Last-ditch maximum size limit for Netslide - Integer overflow protection in Pattern - Last-ditch maximum size limit for Palisade - Last-ditch maximum size limit for Pearl - Last-ditch maximum size limit for Pegs - Also limit Pegs to at least 1x1 even when not doing full validation - Last-ditch maximum size limit for Same Game - Last-ditch maximum size limit for Signpost - Last-ditch maximum size limit for Sixteen - Limit size of puzzle in Tents to avoid integer overflow - Last-ditch maximum size limit for Tracks - Last-ditch maximum size limit for Twiddle - Adjust Undead upper grid-size limit to avoid overflow - Last-ditch point-count limit for Untangle - Black Box: correct order of validation checks for "F" commands - Palisade: don't leak memory on a bad move - Don't allow negative clues in Pattern - When loading, don't decode_ui unless we have a UI - Palisade: remove assertion from decode_ui() - Same Game: reject moves with unexpected characters in - Filling: validate length of auto-solve move strings - Tighten Bridges' validate_desc() - Untangle: forbid descriptions that connect a node to itself - Mines: No moving once you're dead! - Towers: reject descriptions with odd characters at the end - Tracks: make sure moves are valid in execute_move() - Tracks: let solve make illegal moves - Tracks: tighten up the 'illegal solve submoves' fix. - Allow repeated "solve" operations in Guess - Black Box: reject negative ball counts in game_params. - Add validate_params bounds checks in a few more games. - Don't allow Bridges games with < 2 islands - Forbid moves that fill with the current colour in Flood - Cleanly reject ill-formed solve moves in Flood - Don't segfault on premature solve moves in Mines - Limit number of mines in Mines game description - Validate the number of pegs and holes in a Pegs game ID - Mines: forbid moves that flag or unflag an exposed square - Mines: Don't check if the player has won if they've already lost - Avoid invalid moves when solving Tracks - Fix move validation in Netslide - Tighten validation of Tents game descriptions - Dominosa: require the two halves of a domino to be adjacent - Forbid lines off the grid in Pearl - Tolerate incorrect solutions in Inertia - Palisade: replace dfs_dsf() with a simple iteration. - latin_solver_alloc: handle clashing numbers in input grid. - Pearl: fix assertion failure on bad puzzle. - Pearl: fix bounds check in previous commit. - Unequal: Don't insist that solve moves must actually solve - Range: Don't fail an assertion on an all-black board - Limit width and height to SHRT_MAX in Mines - Mines: Add assertions to range-check conversions to short - Unequal: fix sense error in latin_solver_alloc fix. - Forbid impossible moves in Bridges - Forbid game descriptions with joined islands in Bridges - Check state is valid at the end of a move in Pearl - Cleanly reject more ill-formed solve moves in Flood - Don't allow moves that change the constraints in Unequal - Fix memory leaks in Keen's validate_desc() - Don't leak grids in Loopy's validate_desc() - Remember to free the to_draw member from Net's drawstate - Undead: check the return value of sscanf() in execute_move() - Don't leak duplicate edges in Untangle - Remember to free the numcolours array from Pattern's drawstate - Twiddle: don't read off the end of parameter strings ending 'm' - Loopy: free the grid description string if it's invalid - Avoid division by zero in Cube grid-size checks - Validate that save file values are ASCII (mostly) - More validation of solve moves in Flood - Make sure that moves in Flood use only valid colours - Tighten grid-size limit in Mines - Tracks: set drag_s{x,y} even if starting off-grid - Undead: be a bit more careful about sprintf buffer sizes - Fix memory leak in midend_game_id_int() - Flood: don't read off the end of some parameter strings - Be more careful with type of left operand of << - Map: reduce maximum size - Correctly handle some short save files - Inertia: insist that solutions must be non-empty - Galaxies: fix recursion depth limit in solver. - Correct a range check in Magnets' layout verification - Magnets: add a check that magnets don't wrap between lines - Net: assert that cx and cy are in range in compute_active() - Don't allow zero clues in Pattern * Solo: cope with pencil marks when tilesize == 1 (Closes: #905852) Checksums-Sha1: 7f996f5dc1bca17b0e28dd0600a6c5f8f84fdb2d 2067 sgt-puzzles_20191231.79a5378-3+deb11u1.dsc 1ac3e583d5e42d22d46ed8b7ca44e080f3b689e2 167904 sgt-puzzles_20191231.79a5378-3+deb11u1.debian.tar.xz 88b456057fd10c4145fb21464af49b9b07f8ed5d 14750 sgt-puzzles_20191231.79a5378-3+deb11u1_source.buildinfo Checksums-Sha256: f5b69b6253056a53e3c53429094708e27d0c07e47f69fad27ef4806e1d82164a 2067 sgt-puzzles_20191231.79a5378-3+deb11u1.dsc a27f1ec910b314468fe5b1c9c0ba25d3c9fc94865024beebe284356b7d6f5bd9 167904 sgt-puzzles_20191231.79a5378-3+deb11u1.debian.tar.xz b94b8010c061db3848f1c1c9a01151de64671afa288ebfe268a51545aaa40a76 14750 sgt-puzzles_20191231.79a5378-3+deb11u1_source.buildinfo Files: a111034e756c54f52ef76eed32a8a558 2067 games optional sgt-puzzles_20191231.79a5378-3+deb11u1.dsc 320ce6fb19359cb4623b660b3f7a622e 167904 games optional sgt-puzzles_20191231.79a5378-3+deb11u1.debian.tar.xz 5aa094930916f060f955965730c939c3 14750 games optional sgt-puzzles_20191231.79a5378-3+deb11u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmROm1MACgkQ57/I7JWG EQmDqw/+NEVX3kR7E1ecsreeTIN+XvslXZTBixZUJV9lV+VFzy3TtAhFsKLUG5MP 4F06xLylAt73a6Z7F4qaaiObPJOxwzNaLn9JDl0Lp0nji5N3RW+eOpDAhXtZ1JHi K33EF06wJIZU/qsv2Q+HyDrp8peSGDc+1wGCBBW6mTYPlvjtEh2f6Jwq6A1zjg/9 /4FWvKhR9kcOuGFktMM2PUtqM5Pur7N2Y66VdYenzc+fQrZDJ1oik5SFB+G3ZAI3 nwrcZUUKMD786ToC+mC7sM0ePC7N7m3aGpLWaXYmEcm9ca2FRkgFydTO9mKLTkrv qRmVyKtKnjwjFPVklF4CXJnhqWimAYADYLoOSTY3wNolssNi4/UXmjLLHbN5OIEy YZM2Gt/xdFhQN4vnRo8KBhvHmiYLi0GiMdIHeIpbivQNgPX04P+Tqv1DOKCrPe6K HLYFfaqQLe86qkASliRhSlNtR39Yvt5goJ2OTTy5gfnd3l2nL0vitzHc1zSU5d1W RJIl6h1ja5ulpW2lpA8+0nM763xFA3zJy9AuyQAroIitlPi2roxwte9LYXu+FdfY MxMnwDn4934a54kfUTN2x+NlFHJubktZQiJMEONCaukSibEqI+JvWK7y0525NELS PuGg3TyYCUcKkSBXu7jYU+0u4wpYXs3NFKbUgv7ftWfhvt+oOY8= =wPAx -----END PGP SIGNATURE-----