control: tag -1 patch, pending Hi,
I've uploaded an nmu to delayed/5 fixing these issues. Please see attached. Best wishes, Mike
diff -Nru jasper-1.900.1-debian1/debian/changelog jasper-1.900.1-debian1/debian/changelog --- jasper-1.900.1-debian1/debian/changelog 2014-12-05 07:59:32.000000000 +0000 +++ jasper-1.900.1-debian1/debian/changelog 2014-12-21 01:55:43.000000000 +0000 @@ -1,3 +1,12 @@ +jasper (1.900.1-debian1-2.3) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix two security issues (Closes: #773463): + - CVE-2014-8137: double-free in jas_iccattrval_destroy. + - CVE-2014-8138: heap overflow in jp2_decode. + + -- Michael Gilbert <[email protected]> Sun, 21 Dec 2014 01:47:07 +0000 + jasper (1.900.1-debian1-2.2) unstable; urgency=high * Non-maintainer upload. diff -Nru jasper-1.900.1-debian1/debian/patches/05-CVE-2014-8137.patch jasper-1.900.1-debian1/debian/patches/05-CVE-2014-8137.patch --- jasper-1.900.1-debian1/debian/patches/05-CVE-2014-8137.patch 1970-01-01 00:00:00.000000000 +0000 +++ jasper-1.900.1-debian1/debian/patches/05-CVE-2014-8137.patch 2014-12-21 01:49:29.000000000 +0000 @@ -0,0 +1,66 @@ +Description: CVE-2014-8137: double-free in in jas_iccattrval_destroy() +Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967283, + https://bugzilla.redhat.com/attachment.cgi?id=967284 +Bug-Debian: https://bugs.debian.org/773463 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173157 +Forwarded: no +Author: Tomas Hoger <[email protected]> +Last-Update: 2014-12-20 + +--- a/src/libjasper/base/jas_icc.c ++++ b/src/libjasper/base/jas_icc.c +@@ -1010,7 +1010,6 @@ static int jas_icccurv_input(jas_iccattr + return 0; + + error: +- jas_icccurv_destroy(attrval); + return -1; + } + +@@ -1128,7 +1127,6 @@ static int jas_icctxtdesc_input(jas_icca + #endif + return 0; + error: +- jas_icctxtdesc_destroy(attrval); + return -1; + } + +@@ -1207,8 +1205,6 @@ static int jas_icctxt_input(jas_iccattrv + goto error; + return 0; + error: +- if (txt->string) +- jas_free(txt->string); + return -1; + } + +@@ -1329,7 +1325,6 @@ static int jas_icclut8_input(jas_iccattr + goto error; + return 0; + error: +- jas_icclut8_destroy(attrval); + return -1; + } + +@@ -1498,7 +1493,6 @@ static int jas_icclut16_input(jas_iccatt + goto error; + return 0; + error: +- jas_icclut16_destroy(attrval); + return -1; + } + +--- a/src/libjasper/jp2/jp2_dec.c ++++ b/src/libjasper/jp2/jp2_dec.c +@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in + case JP2_COLR_ICC: + iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, + dec->colr->data.colr.iccplen); +- assert(iccprof); ++ if (!iccprof) { ++ jas_eprintf("error: failed to parse ICC profile\n"); ++ goto error; ++ } + jas_iccprof_gethdr(iccprof, &icchdr); + jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); + jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); diff -Nru jasper-1.900.1-debian1/debian/patches/06-CVE-2014-8138.patch jasper-1.900.1-debian1/debian/patches/06-CVE-2014-8138.patch --- jasper-1.900.1-debian1/debian/patches/06-CVE-2014-8138.patch 1970-01-01 00:00:00.000000000 +0000 +++ jasper-1.900.1-debian1/debian/patches/06-CVE-2014-8138.patch 2014-12-21 01:49:29.000000000 +0000 @@ -0,0 +1,22 @@ +Description: CVE-2014-8138: heap overflow in jp2_decode() +Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967280 +Bug-Debian: https://bugs.debian.org/773463 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173162 +Forwarded: no +Author: Tomas Hoger <[email protected]> +Last-Update: 2014-12-20 + +--- a/src/libjasper/jp2/jp2_dec.c ++++ b/src/libjasper/jp2/jp2_dec.c +@@ -389,6 +389,11 @@ jas_image_t *jp2_decode(jas_stream_t *in + /* Determine the type of each component. */ + if (dec->cdef) { + for (i = 0; i < dec->numchans; ++i) { ++ /* Is the channel number reasonable? */ ++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { ++ jas_eprintf("error: invalid channel number in CDEF box\n"); ++ goto error; ++ } + jas_image_setcmpttype(dec->image, + dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], + jp2_getct(jas_image_clrspc(dec->image), diff -Nru jasper-1.900.1-debian1/debian/patches/series jasper-1.900.1-debian1/debian/patches/series --- jasper-1.900.1-debian1/debian/patches/series 2014-12-05 07:59:32.000000000 +0000 +++ jasper-1.900.1-debian1/debian/patches/series 2014-12-21 01:49:29.000000000 +0000 @@ -2,3 +2,5 @@ 02-fix-filename-buffer-overflow.patch 03-CVE-2011-4516-and-CVE-2011-4517.patch 04-CVE-2014-9029.patch +05-CVE-2014-8137.patch +06-CVE-2014-8138.patch
