Your message dated Mon, 12 Nov 2012 23:56:17 +0100
with message-id <[email protected]>
and subject line Re: Bug#688881: unblock: openjpeg/1.3+dfsg-4.1+deb7u1
has caused the Debian Bug report #688881,
regarding unblock: openjpeg/1.3+dfsg-4.1+deb7u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
688881: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688881
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
I've prepared a tpu security upload for openjpeg (attached).
Ok to upload?
Cheers,
Moritz
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Naur openjpeg-1.3+dfsg.orig/debian/changelog openjpeg-1.3+dfsg/debian/changelog
--- openjpeg-1.3+dfsg.orig/debian/changelog 2012-09-23 08:01:25.000000000 +0200
+++ openjpeg-1.3+dfsg/debian/changelog 2012-09-23 08:04:39.697773699 +0200
@@ -1,3 +1,10 @@
+openjpeg (1.3+dfsg-4.1+deb7u1) testing-proposed-updates; urgency=medium
+
+ * Fix CVE-2012-3358 (Closes: #681075)
+ * Fix CVE-2012-3535 (Closes: #685970)
+
+ -- Moritz Mühlenhoff <[email protected]> Mon, 24 Sep 2012 23:02:44 +0200
+
openjpeg (1.3+dfsg-4.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
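Review bot: the two new changelog entries give only the CVE ids; add a few words to each saying what is fixed and which patch carries it (CVE-2012-3358.dpatch, CVE-2012-3535.dpatch) so the entry can be read without looking the ids up. The trailer date (Mon, 24 Sep 2012) is also a day later than the 2012-09-23 timestamps in the diff headers, so it is worth checking that this is the changelog that will actually be uploaded.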
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/00list openjpeg-1.3+dfsg/debian/patches/00list
--- openjpeg-1.3+dfsg.orig/debian/patches/00list 2012-09-23 08:01:25.000000000 +0200
+++ openjpeg-1.3+dfsg/debian/patches/00list 2012-09-23 08:02:26.061768619 +0200
@@ -2,3 +2,5 @@
31_use_system_tiff_headers.dpatch
32_fix_FTBFS_on_alpha.dpatch
33_avoid_memory_overrun.dpatch
+CVE-2012-3358.dpatch
+CVE-2012-3535.dpatch
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch
--- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch 2012-09-23 08:01:59.353768078 +0200
@@ -0,0 +1,60 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2012-3358.dpatch by Michael Gilbert <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix buffer overflow in JPEG2000 file handling.
+## DP: https://bugzilla.redhat.com/show_bug.cgi?id=835767
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' openjpeg-1.3+dfsg~/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c
+--- openjpeg-1.3+dfsg~/libopenjpeg/j2k.c 2012-07-11 16:04:38.000000000 -0400
++++ openjpeg-1.3+dfsg/libopenjpeg/j2k.c 2012-07-11 16:06:07.000000000 -0400
+@@ -1282,7 +1282,7 @@
+ static int backup_tileno = 0;
+
+ /* tileno is negative or larger than the number of tiles!!! */
+- if ((tileno < 0) || (tileno > (cp->tw * cp->th))) {
++ if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "JPWL: bad tile number (%d out of a maximum of %d)\n",
+ tileno, (cp->tw * cp->th));
+@@ -1299,8 +1299,18 @@
+
+ /* keep your private count of tiles */
+ backup_tileno++;
+- };
++ }
++ else
+ #endif /* USE_JPWL */
++ {
++ /* tileno is negative or larger than the number of tiles!!! */
++ if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
++ opj_event_msg(j2k->cinfo, EVT_ERROR,
++ "JPWL: bad tile number (%d out of a maximum of %d)\n",
++ tileno, (cp->tw * cp->th));
++ return;
++ }
++ }
+
+ if (cp->tileno_size == 0) {
+ cp->tileno[cp->tileno_size] = tileno;
+@@ -1338,8 +1348,18 @@
+ totlen);
+ }
+
+- };
++ }
++ else
+ #endif /* USE_JPWL */
++ {
++ /* totlen is negative or larger than the bytes left!!! */
++ if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) {
++ opj_event_msg(j2k->cinfo, EVT_ERROR,
++ "JPWL: bad tile byte size (%d bytes against %d bytes left)\n",
++ totlen, cio_numbytesleft(cio) + 8);
++ return;
++ }
++ }
+
+ if (!totlen)
+ totlen = cio_numbytesleft(cio) + 8;
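Review bot: both added non-JPWL `else` blocks (the tileno check and the totlen check) log the problem and then leave through a bare `return;` without recording the failure in `j2k->state`, whereas the CVE-2012-3535 patch in this same upload sets `j2k->state |= J2K_STATE_ERR` on its error path; doing the same here would let the caller tell that the tile-part was rejected. The messages in these branches keep the "JPWL:" prefix although they are reached when the JPWL branch is not taken or not compiled in, which will mislead anyone reading the log, so drop the prefix there. The `else` placed just before `#endif /* USE_JPWL */` with the block after it is easy to break in a later edit; a comment on the block saying it is the non-JPWL path would help. The `+ 8` in the totlen bound matches the default on the following context lines, but a short comment on what the 8 bytes are would make the bound reviewable.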
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch
--- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch 2012-09-23 08:01:59.353768078 +0200
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2012-3535
+
+@DPATCH@
+diff -Naur openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c
+--- openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c 2008-03-10 09:50:35.000000000 +0100
++++ openjpeg-1.3+dfsg/libopenjpeg/j2k.c 2012-09-23 07:57:01.381756231 +0200
+@@ -720,6 +720,13 @@
+ j2k->state |= J2K_STATE_ERR;
+ }
+
++ if( tccp->numresolutions > J2K_MAXRLVLS ) {
++ opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n",
++ compno, tccp->numresolutions, J2K_MAXRLVLS);
++ j2k->state |= J2K_STATE_ERR;
++ tccp->numresolutions = J2K_MAXRLVLS;
++ }
++
+ tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */
+ tccp->cblkh = cio_read(cio, 1) + 2; /* SPcox (F) */
+ tccp->cblksty = cio_read(cio, 1); /* SPcox (G) */
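Review bot: in the added `numresolutions` check the error path sets `J2K_STATE_ERR` but then clamps `tccp->numresolutions` to `J2K_MAXRLVLS` and carries on reading the SPcox fields, so it is unclear whether decoding is meant to continue after this error or stop; please say which in a comment, or return early if continuing is not intended. The test is `> J2K_MAXRLVLS`, so a value equal to the maximum is accepted; can you confirm that everything indexed by resolution level has room for `J2K_MAXRLVLS` entries? The dpatch header carries only `## CVE-2012-3535` with no `## DP:` description or upstream reference, unlike CVE-2012-3358.dpatch, and should get both.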
--- End Message ---
--- Begin Message ---
On Wed, Sep 26, 2012 at 21:09:37 +0200, Julien Cristau wrote:
> On Wed, Sep 26, 2012 at 18:11:46 +0200, Moritz Muehlenhoff wrote:
>
> > Package: release.debian.org
> > Severity: normal
> > User: [email protected]
> > Usertags: unblock
> >
> > I've prepared a tpu security upload for openjpeg (attached).
> >
> > Ok to upload?
> >
> I followed up to the unblock bug about the sid version. If we don't get
> that sorted soon then a tpu upload would be fine. Probably best to get
> the second CVE fixed in sid first in any case.
>
That should be sorted now, closing.
Cheers,
Julien
--- End Message ---