Hello community,

here is the log from the commit of package jasper for openSUSE:Factory checked 
in at 2017-07-17 09:01:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jasper (Old)
 and      /work/SRC/openSUSE:Factory/.jasper.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "jasper"

Mon Jul 17 09:01:59 2017 rev:39 rq:509748 version:1.900.14

Changes:
--------
--- /work/SRC/openSUSE:Factory/jasper/jasper.changes    2017-03-31 
15:01:20.369498459 +0200
+++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes       2017-07-17 
09:02:00.289283406 +0200
@@ -1,0 +2,50 @@
+Wed Jul 12 07:43:06 UTC 2017 - fst...@suse.com
+
+- Other bugs fixed by existing patches:
+  * jasper-CVE-2016-9395.patch
+    - bsc#1010756, CVE-2016-9394: assertion in jas_matrix_t
+      *jas_seq2d_create(int, int, int, int): Assertion
+      `xstart <= xend && ystart <= yend'
+    - bsc#1010757, CVE-2016-9392: pc_dec.c:1637: void
+      calcstepsizes(uint_fast16_t, int, uint_fast16_t *):
+      Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 -
+      ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))'
+      failed.
+    - bsc#1010766, CVE-2016-9393: jpc_t2cod.c:297: int
+      jpc_pi_nextrpcl(jpc_pi_t *): Assertion
+      `pi->prcno pirlvl->numprcs' failed.
+    - bsc#1010977, CVE-2016-9395: jas_seq.c:90: jas_matrix_t
+      *jas_seq2d_create(int, int, int, int): Assertion `xstart
+      <= xend && ystart <= yend' failed.
+- Other bugs fixed in current version:
+  * bsc#1010774, CVE-2016-9390: jas_seq.c:90: jas_matrix_t
+    *jas_seq2d_create(int, int, int, int): Assertion `xstart <=
+    xend && ystart <= yend' failed.
+  * bsc#1010782, CVE-2016-9391: jpc_bs.c:197: long
+    jpc_bitstream_getbits(jpc_bitstream_t *, int): Assertion
+    `n >= 0 && n < 32' failed.
+  * bsc#1010968, CVE-2016-9389: Assertion `((c1)->numcols_) ==
+    numcols && ((c2)->numcols_) == numcols' failed.
+  * bsc#1010975, CVE-2016-9388: ras_dec.c:330: int
+    ras_getcmap(jas_stream_t *, ras_hdr_t *, ras_cmap_t *):
+    Assertion `numcolors <= 256' failed.
+  * bsc#1010960, CVE-2016-9387: jas_seq.c:90: jas_matrix<= yend'
+    failed.
+
+-------------------------------------------------------------------
+Tue Jul 11 10:45:59 UTC 2017 - fst...@suse.com
+
+- Added patch:
+  * jasper-CVE-2016-9262.patch
+    + Fix for Multiple overflow vulnerabilities leading to use
+      after free (bsc#1009994, CVE-2016-9262)
+
+-------------------------------------------------------------------
+Tue Jul 11 09:02:39 UTC 2017 - fst...@suse.com
+
+- Added patch:
+  * jasper-CVE-2017-1000050.patch
+    + Upstream fix for NULL Pointer Dereference jp2_encode
+      (bsc#1047958, CVE-2017-1000050)
+
+-------------------------------------------------------------------

New:
----
  jasper-CVE-2016-9262.patch
  jasper-CVE-2017-1000050.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ jasper.spec ++++++
--- /var/tmp/diff_new_pack.54fZeR/_old  2017-07-17 09:02:01.021180344 +0200
+++ /var/tmp/diff_new_pack.54fZeR/_new  2017-07-17 09:02:01.021180344 +0200
@@ -36,6 +36,8 @@
 Patch8:         jasper-CVE-2016-9600.patch
 Patch9:         jasper-CVE-2016-9583.patch
 Patch10:        jasper-CVE-2017-6850.patch
+Patch11:        jasper-CVE-2017-1000050.patch
+Patch12:        jasper-CVE-2016-9262.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gcc-c++
@@ -95,6 +97,8 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
+%patch12 -p1
 
 %build
 libtoolize --force --copy --install

++++++ jasper-CVE-2016-9262.patch ++++++
diff -urEbwB jasper-1.900.14/src/libjasper/base/jas_image.c 
jasper-1.900.14.new/src/libjasper/base/jas_image.c
--- jasper-1.900.14/src/libjasper/base/jas_image.c      2017-07-11 
12:01:22.628016305 +0200
+++ jasper-1.900.14.new/src/libjasper/base/jas_image.c  2017-07-11 
12:38:10.115887712 +0200
@@ -78,6 +78,7 @@
 #include <ctype.h>
 #include <inttypes.h>
 #include <stdbool.h>
+#include <limits.h>
 
 #include "jasper/jas_math.h"
 #include "jasper/jas_image.h"
@@ -333,8 +334,8 @@
        // Compute the number of samples in the image component, while 
protecting
        // against overflow.
        // size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
-       if (!jas_safe_size_mul(cmpt->width_, cmpt->height_, &size) ||
-         !jas_safe_size_mul(size, cmpt->cps_, &size)) {
+       if (!jas_safe_size_mul3(cmpt->width_, cmpt->height_, cmpt->cps_, &size) 
||
+               size > INT_MAX) {
                goto error;
        }
        cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) :
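Review bot: The added `size > INT_MAX` bound has no comment saying what it protects, and the comment block above it still describes only the multiplication. It presumably exists because the `jas_stream_memopen(0, size)` call on the last visible line takes its length as an `int` in this release, so a larger `size_t` would be narrowed at the call even when the product itself did not overflow; confirm this against the prototype. I would add `/* size is later passed as an int; reject values that would be truncated */` directly above the condition, so the bound is not removed as redundant in a later cleanup. The enclosing function begins and ends outside the hunk, so other uses of `size` further down cannot be checked from here.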
diff -urEbwB jasper-1.900.14/src/libjasper/include/jasper/jas_math.h 
jasper-1.900.14.new/src/libjasper/include/jasper/jas_math.h
--- jasper-1.900.14/src/libjasper/include/jasper/jas_math.h     2017-07-11 
12:01:22.616016305 +0200
+++ jasper-1.900.14.new/src/libjasper/include/jasper/jas_math.h 2017-07-11 
12:42:52.798047647 +0200
@@ -181,7 +181,23 @@
                /* Overflow would occur. */
                return false;
        }
+       if (result) {
        *result = x * y;
+       }
+       return true;
+}
+
+inline static bool jas_safe_size_mul3(size_t a, size_t b, size_t c,
+  size_t *result)
+{
+       size_t tmp;
+       if (!jas_safe_size_mul(a, b, &tmp) ||
+         !jas_safe_size_mul(tmp, c, &tmp)) {
+               return false;
+       }
+       if (result) {
+               *result = tmp;
+       }
        return true;
 }
 
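Review bot: `jas_safe_size_mul3` is added without a comment stating its contract, and the same goes for the new `if (result)` guards in this hunk and in the two hunks that follow (the add and subtract helpers). From the visible lines the contract is: it returns false when either partial product would overflow, leaves `*result` untouched in that case, and accepts a null `result` when the caller only wants the overflow check. A header comment saying exactly that, e.g. `/* Compute a*b*c; return false on overflow (result unmodified). result may be null. */`, would make it clear that a caller ignoring the return value may be left with an unset size. The bodies of the neighbouring helpers start outside the hunks.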
@@ -191,7 +207,9 @@
        if (y > SIZE_MAX - x) {
                return false;
        }
+       if (result) {
        *result = x + y;
+       }
        return true;
 }
 
@@ -201,7 +219,9 @@
        if (y > x) {
                return false;
        }
+       if (result) {
        *result = x - y;
+       }
        return true;
 }
 
++++++ jasper-CVE-2017-1000050.patch ++++++
--- jasper-1.900.14/src/libjasper/jp2/jp2_enc.c 2017-07-11 10:03:41.265870827 
+0200
+++ jasper-1.900.14/src/libjasper/jp2/jp2_enc.c 2017-07-11 10:06:03.028405233 
+0200
@@ -115,6 +115,10 @@
        iccstream = 0;
        iccprof = 0;
 
+       if (jas_image_numcmpts(image) < 1) {
+               goto error;
+       }
+
        allcmptssame = 1;
        sgnd = jas_image_cmptsgnd(image, 0);
        prec = jas_image_cmptprec(image, 0);
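Review bot: The new `jas_image_numcmpts(image) < 1` guard has no comment tying it to the reads it protects, and as far as the hunk shows the failure produces no diagnostic. The lines right after it query component 0 unconditionally (`jas_image_cmptsgnd(image, 0)`, `jas_image_cmptprec(image, 0)`), which is why an image with no components is unsafe here. A comment such as `/* component 0 is read below; an image with no components cannot be encoded */` would record that. The check sits after `iccstream` and `iccprof` are zeroed, which the `error` label presumably relies on. That label and the rest of the function are outside the hunk, so confirm that nothing else it releases is still uninitialized at this point.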
