Date: Friday, December 19, 2014 @ 04:38:02 Author: eric Revision: 227774
upgpkg: jasper 1.900.1-12 Add CVE patches (close FS#43155) Added: jasper/trunk/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch jasper/trunk/jasper-1.900.1-CVE-2014-8137.patch jasper/trunk/jasper-1.900.1-CVE-2014-8138.patch jasper/trunk/jasper-1.900.1-fix-filename-buffer-overflow.patch jasper/trunk/jasper-avoid-assert-abort.diff Modified: jasper/trunk/PKGBUILD ------------------------------------------------------+ PKGBUILD | 19 ++++++- jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch | 30 +++++++++++ jasper-1.900.1-CVE-2014-8137.patch | 43 +++++++++++++++++ jasper-1.900.1-CVE-2014-8138.patch | 14 +++++ jasper-1.900.1-fix-filename-buffer-overflow.patch | 37 ++++++++++++++ jasper-avoid-assert-abort.diff | 14 +++++ 6 files changed, 154 insertions(+), 3 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2014-12-19 03:10:51 UTC (rev 227773) +++ PKGBUILD 2014-12-19 03:38:02 UTC (rev 227774) @@ -3,7 +3,7 @@ pkgname=jasper pkgver=1.900.1 -pkgrel=11 +pkgrel=12 pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard" arch=('i686' 'x86_64') url="http://www.ece.uvic.ca/~mdadams/jasper/" @@ -14,13 +14,21 @@ source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}.zip patch-libjasper-stepsizes-overflow.diff jasper-1.900.1-CVE-2008-3520.patch jpc_dec.c.patch jasper-1.900.1-CVE-2008-3522.patch - jasper-1.900.1-CVE-2014-9029.patch) + jasper-1.900.1-CVE-2014-8137.patch jasper-avoid-assert-abort.diff + jasper-1.900.1-CVE-2014-8138.patch jasper-1.900.1-CVE-2014-9029.patch + jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch + jasper-1.900.1-fix-filename-buffer-overflow.patch) sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191' 'f298566fef08c8a589d072582112cd51c72c3983' '2483dba925670bf29f531d85d73c4e5ada513b01' 'c1a0176a15210c0af14d85e55ce566921957d780' '0e7b6142cd9240ffb15a1ed7297c43c76fa09ee4' - 'f5fe80c8576379d34f372f6a7c6a76630ab9fdcd') + '437519aaaeff6076d11cdbea82125dbcac6f729b' + '98548b610a7319e569ee0425a32dc1d31a8771d2' + '6086e717af2f0a026f70e399e28fe115f08a8cc1' + 'f5fe80c8576379d34f372f6a7c6a76630ab9fdcd' + '3bfb37a4c732caa824563bad2603fcf5f2acf7f7' + '577dfce40da75818c4d32eb1c4532b1370950bee') prepare() { cd ${pkgname}-${pkgver} @@ -29,6 +37,11 @@ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3520.patch" patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3522.patch" patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-9029.patch" + patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8137.patch" + patch -p1 -i "${srcdir}/jasper-avoid-assert-abort.diff" + patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8138.patch" + patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch" + patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch" } build() { Added: jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch =================================================================== --- jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch (rev 0) +++ jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch 2014-12-19 03:38:02 UTC (rev 227774) @@ -0,0 +1,30 @@ +Description: Fix for CVE-2011-4516 and CVE-2011-4517 + This patch fixes a possible denial of service and code execution via + heap-based buffer overflows. +Author: Michael Gilbert <michael.s.gilb...@gmail.com> +Origin: Patch thanks to Red Hat + +Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +=================================================================== +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:34.186909298 -0500 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:51.198909832 -0500 +@@ -744,6 +744,10 @@ + return -1; + } + compparms->numrlvls = compparms->numdlvls + 1; ++ if (compparms->numrlvls > JPC_MAXRLVLS) { ++ jpc_cox_destroycompparms(compparms); ++ return -1; ++ } + if (prtflag) { + for (i = 0; i < compparms->numrlvls; ++i) { + if (jpc_getuint8(in, &tmp)) { +@@ -1331,7 +1335,7 @@ + jpc_crgcomp_t *comp; + uint_fast16_t compno; + crg->numcomps = cstate->numcomps; +- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { ++ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) { + return -1; + } + for (compno = 0, comp = crg->comps; compno < cstate->numcomps; Added: jasper-1.900.1-CVE-2014-8137.patch =================================================================== --- jasper-1.900.1-CVE-2014-8137.patch (rev 0) +++ jasper-1.900.1-CVE-2014-8137.patch 2014-12-19 03:38:02 UTC (rev 227774) @@ -0,0 +1,43 @@ +--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100 +@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr + return 0; + + error: +- jas_icccurv_destroy(attrval); + return -1; + } + +@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca + #endif + return 0; + error: +- jas_icctxtdesc_destroy(attrval); + return -1; + } + +@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv + goto error; + return 0; + error: +- if (txt->string) +- jas_free(txt->string); + return -1; + } + +@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr + goto error; + return 0; + error: +- jas_icclut8_destroy(attrval); + return -1; + } + +@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt + goto error; + return 0; + error: +- jas_icclut16_destroy(attrval); + return -1; + } + Added: jasper-1.900.1-CVE-2014-8138.patch =================================================================== --- jasper-1.900.1-CVE-2014-8138.patch (rev 0) +++ jasper-1.900.1-CVE-2014-8138.patch 2014-12-19 03:38:02 UTC (rev 227774) @@ -0,0 +1,14 @@ +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100 +@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in + /* Determine the type of each component. */ + if (dec->cdef) { + for (i = 0; i < dec->numchans; ++i) { ++ /* Is the channel number reasonable? */ ++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { ++ jas_eprintf("error: invalid channel number in CDEF box\n"); ++ goto error; ++ } + jas_image_setcmpttype(dec->image, + dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], + jp2_getct(jas_image_clrspc(dec->image), Added: jasper-1.900.1-fix-filename-buffer-overflow.patch =================================================================== --- jasper-1.900.1-fix-filename-buffer-overflow.patch (rev 0) +++ jasper-1.900.1-fix-filename-buffer-overflow.patch 2014-12-19 03:38:02 UTC (rev 227774) @@ -0,0 +1,37 @@ +Description: Filename buffer overflow fix + This patch fixes a security hole by a bad buffer size handling. +Author: Roland Stigge <sti...@antcom.de> +Bug-Debian: http://bugs.debian.org/645118 + +--- a/src/libjasper/include/jasper/jas_stream.h ++++ b/src/libjasper/include/jasper/jas_stream.h +@@ -77,6 +77,7 @@ + #include <jasper/jas_config.h> + + #include <stdio.h> ++#include <limits.h> + #if defined(HAVE_FCNTL_H) + #include <fcntl.h> + #endif +@@ -99,6 +100,12 @@ extern "C" { + #define O_BINARY 0 + #endif + ++#ifdef PATH_MAX ++#define JAS_PATH_MAX PATH_MAX ++#else ++#define JAS_PATH_MAX 4096 ++#endif ++ + /* + * Stream open flags. + */ +@@ -251,7 +258,7 @@ typedef struct { + typedef struct { + int fd; + int flags; +- char pathname[L_tmpnam + 1]; ++ char pathname[JAS_PATH_MAX + 1]; + } jas_stream_fileobj_t; + + #define JAS_STREAM_FILEOBJ_DELONCLOSE 0x01 Added: jasper-avoid-assert-abort.diff =================================================================== --- jasper-avoid-assert-abort.diff (rev 0) +++ jasper-avoid-assert-abort.diff 2014-12-19 03:38:02 UTC (rev 227774) @@ -0,0 +1,14 @@ +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100 +@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in + case JP2_COLR_ICC: + iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, + dec->colr->data.colr.iccplen); +- assert(iccprof); ++ if (!iccprof) { ++ jas_eprintf("error: failed to parse ICC profile\n"); ++ goto error; ++ } + jas_iccprof_gethdr(iccprof, &icchdr); + jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); + jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));