Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

I've prepared a tpu security upload for openjpeg (attached). Ok to upload?

Cheers,
Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Naur openjpeg-1.3+dfsg.orig/debian/changelog openjpeg-1.3+dfsg/debian/changelog --- openjpeg-1.3+dfsg.orig/debian/changelog 2012-09-23 08:01:25.000000000 +0200 +++ openjpeg-1.3+dfsg/debian/changelog 2012-09-23 08:04:39.697773699 +0200 @@ -1,3 +1,10 @@ +openjpeg (1.3+dfsg-4.1+deb7u1) testing-proposed-updates; urgency=medium + + * Fix CVE-2012-3358 (Closes: #681075) + * Fix CVE-2012-3535 (Closes: #685970) + + -- Moritz Mühlenhoff <j...@debian.org> Mon, 24 Sep 2012 23:02:44 +0200 + openjpeg (1.3+dfsg-4.1) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/00list openjpeg-1.3+dfsg/debian/patches/00list --- openjpeg-1.3+dfsg.orig/debian/patches/00list 2012-09-23 08:01:25.000000000 +0200 +++ openjpeg-1.3+dfsg/debian/patches/00list 2012-09-23 08:02:26.061768619 +0200 @@ -2,3 +2,5 @@ 31_use_system_tiff_headers.dpatch 32_fix_FTBFS_on_alpha.dpatch 33_avoid_memory_overrun.dpatch +CVE-2012-3358.dpatch +CVE-2012-3535.dpatch diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch --- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch 2012-09-23 08:01:59.353768078 +0200 
@@ -0,0 +1,60 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## cve-2012-3358.dpatch by Michael Gilbert <mgilb...@debian.org> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: fix buffer overflow in JPEG2000 file handling. +## DP: https://bugzilla.redhat.com/show_bug.cgi?id=835767 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' openjpeg-1.3+dfsg~/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c +--- openjpeg-1.3+dfsg~/libopenjpeg/j2k.c 2012-07-11 16:04:38.000000000 -0400 ++++ openjpeg-1.3+dfsg/libopenjpeg/j2k.c 2012-07-11 16:06:07.000000000 -0400 +@@ -1282,7 +1282,7 @@ + static int backup_tileno = 0; + + /* tileno is negative or larger than the number of tiles!!! */ +- if ((tileno < 0) || (tileno > (cp->tw * cp->th))) { ++ if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) { + opj_event_msg(j2k->cinfo, EVT_ERROR, + "JPWL: bad tile number (%d out of a maximum of %d)\n", + tileno, (cp->tw * cp->th)); +@@ -1299,8 +1299,18 @@ + + /* keep your private count of tiles */ + backup_tileno++; +- }; ++ } ++ else + #endif /* USE_JPWL */ ++ { ++ /* tileno is negative or larger than the number of tiles!!! */ ++ if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "JPWL: bad tile number (%d out of a maximum of %d)\n", ++ tileno, (cp->tw * cp->th)); ++ return; ++ } ++ } + + if (cp->tileno_size == 0) { + cp->tileno[cp->tileno_size] = tileno; +@@ -1338,8 +1348,18 @@ + totlen); + } + +- }; ++ } ++ else + #endif /* USE_JPWL */ ++ { ++ /* totlen is negative or larger than the bytes left!!! 
*/ ++ if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "JPWL: bad tile byte size (%d bytes against %d bytes left)\n", ++ totlen, cio_numbytesleft(cio) + 8); ++ return; ++ } ++ } + + if (!totlen) + totlen = cio_numbytesleft(cio) + 8; diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch --- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch 2012-09-23 08:01:59.353768078 +0200 @@ -0,0 +1,21 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2012-3535 + +@DPATCH@ +diff -Naur openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c +--- openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c 2008-03-10 09:50:35.000000000 +0100 ++++ openjpeg-1.3+dfsg/libopenjpeg/j2k.c 2012-09-23 07:57:01.381756231 +0200 +@@ -720,6 +720,13 @@ + j2k->state |= J2K_STATE_ERR; + } + ++ if( tccp->numresolutions > J2K_MAXRLVLS ) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n", ++ compno, tccp->numresolutions, J2K_MAXRLVLS); ++ j2k->state |= J2K_STATE_ERR; ++ tccp->numresolutions = J2K_MAXRLVLS; ++ } ++ + tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */ + tccp->cblkh = cio_read(cio, 1) + 2; /* SPcox (F) */ + tccp->cblksty = cio_read(cio, 1); /* SPcox (G) */
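
Review bot: In the first j2k.c hunk of CVE-2012-3358.dpatch (@@ -1282,7), the test is now `tileno >= (cp->tw * cp->th)`, but the error message still prints `cp->tw * cp->th` as the "maximum", which is one past the highest tile number the new check accepts. Suggest printing `(cp->tw * cp->th) - 1`, or rewording to "out of %d tiles", so the log line agrees with the bound being enforced.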
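
Review bot: In the @@ -1299,8 hunk of CVE-2012-3358.dpatch, the added `else` sits inside the `USE_JPWL` conditional while its body follows the `#endif`, so the same `tileno` range test now exists twice and which copy runs depends on the build option and on the JPWL condition above it. A short comment at the `else` saying that the block is the only check in non-JPWL builds would keep a later cleanup from removing it. The new path also does a bare `return` after logging; consider setting `j2k->state |= J2K_STATE_ERR;` first, as the check in CVE-2012-3535.dpatch does, and dropping the "JPWL:" prefix from the message, since this branch runs when JPWL handling is not in effect.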
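
Review bot: In the @@ -1338,8 hunk of CVE-2012-3358.dpatch, the bound `cio_numbytesleft(cio) + 8` carries an unexplained `+ 8` that now appears in the new test, in its message, and in the existing `if (!totlen)` fallback just below. Suggest a named constant or a one-line comment stating what the 8 bytes account for, so the three uses cannot drift apart. As in the previous hunk, the message keeps the "JPWL:" prefix on the non-JPWL path and the function returns without marking an error state.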
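
Review bot: The header of CVE-2012-3535.dpatch is only `## CVE-2012-3535`, with no `## DP:` description or upstream reference, unlike CVE-2012-3358.dpatch, which carries both; please add a DP line describing the fix and a pointer to its origin. In the j2k.c hunk (@@ -720,6), the new block sets `J2K_STATE_ERR` and then clamps `tccp->numresolutions` to `J2K_MAXRLVLS` and falls through to the SPcox reads, so it is worth stating in a comment whether decoding is expected to continue with the clamped value or stop on the error flag. The test is `>` only, so a value equal to `J2K_MAXRLVLS` is accepted and no lower bound is checked here; confirm both are intended.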