[arch-commits] Commit in jasper/trunk (6 files)

Eric Bélanger Thu, 18 Dec 2014 19:38:21 -0800

    Date: Friday, December 19, 2014 @ 04:38:02
  Author: eric
Revision: 227774


upgpkg: jasper 1.900.1-12

Add CVE patches (close FS#43155)

Added:
  jasper/trunk/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
  jasper/trunk/jasper-1.900.1-CVE-2014-8137.patch
  jasper/trunk/jasper-1.900.1-CVE-2014-8138.patch
  jasper/trunk/jasper-1.900.1-fix-filename-buffer-overflow.patch
  jasper/trunk/jasper-avoid-assert-abort.diff
Modified:
  jasper/trunk/PKGBUILD

------------------------------------------------------+
 PKGBUILD                                             |   19 ++++++-
 jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch |   30 +++++++++++
 jasper-1.900.1-CVE-2014-8137.patch                   |   43 +++++++++++++++++
 jasper-1.900.1-CVE-2014-8138.patch                   |   14 +++++
 jasper-1.900.1-fix-filename-buffer-overflow.patch    |   37 ++++++++++++++
 jasper-avoid-assert-abort.diff                       |   14 +++++
 6 files changed, 154 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2014-12-19 03:10:51 UTC (rev 227773)
+++ PKGBUILD    2014-12-19 03:38:02 UTC (rev 227774)
@@ -3,7 +3,7 @@
 
 pkgname=jasper
 pkgver=1.900.1
-pkgrel=11
+pkgrel=12
 pkgdesc="A software-based implementation of the codec specified in the 
emerging JPEG-2000 Part-1 standard"
 arch=('i686' 'x86_64')
 url="http://www.ece.uvic.ca/~mdadams/jasper/";
@@ -14,13 +14,21 @@
 
source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}.zip
         patch-libjasper-stepsizes-overflow.diff 
jasper-1.900.1-CVE-2008-3520.patch
         jpc_dec.c.patch jasper-1.900.1-CVE-2008-3522.patch
-       jasper-1.900.1-CVE-2014-9029.patch)
+        jasper-1.900.1-CVE-2014-8137.patch jasper-avoid-assert-abort.diff
+        jasper-1.900.1-CVE-2014-8138.patch jasper-1.900.1-CVE-2014-9029.patch
+       jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
+        jasper-1.900.1-fix-filename-buffer-overflow.patch)
 sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191'
           'f298566fef08c8a589d072582112cd51c72c3983'
           '2483dba925670bf29f531d85d73c4e5ada513b01'
           'c1a0176a15210c0af14d85e55ce566921957d780'
           '0e7b6142cd9240ffb15a1ed7297c43c76fa09ee4'
-          'f5fe80c8576379d34f372f6a7c6a76630ab9fdcd')
+          '437519aaaeff6076d11cdbea82125dbcac6f729b'
+          '98548b610a7319e569ee0425a32dc1d31a8771d2'
+          '6086e717af2f0a026f70e399e28fe115f08a8cc1'
+          'f5fe80c8576379d34f372f6a7c6a76630ab9fdcd'
+          '3bfb37a4c732caa824563bad2603fcf5f2acf7f7'
+          '577dfce40da75818c4d32eb1c4532b1370950bee')
 
 prepare() {
   cd ${pkgname}-${pkgver}
@@ -29,6 +37,11 @@
   patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3520.patch"
   patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3522.patch"
   patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-9029.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8137.patch"
+  patch -p1 -i "${srcdir}/jasper-avoid-assert-abort.diff"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8138.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch"
 }
 
 build() {

Added: jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
===================================================================
--- jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch                        
        (rev 0)
+++ jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch        2014-12-19 
03:38:02 UTC (rev 227774)
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2011-4516 and CVE-2011-4517
+ This patch fixes a possible denial of service and code execution via
+ heap-based buffer overflows.
+Author: Michael Gilbert <michael.s.gilb...@gmail.com>
+Origin: Patch thanks to Red Hat
+
+Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+===================================================================
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c     2011-12-19 
09:35:34.186909298 -0500
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c  2011-12-19 09:35:51.198909832 
-0500
+@@ -744,6 +744,10 @@
+               return -1;
+       }
+       compparms->numrlvls = compparms->numdlvls + 1;
++      if (compparms->numrlvls > JPC_MAXRLVLS) {
++              jpc_cox_destroycompparms(compparms);
++              return -1;
++      }
+       if (prtflag) {
+               for (i = 0; i < compparms->numrlvls; ++i) {
+                       if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@
+       jpc_crgcomp_t *comp;
+       uint_fast16_t compno;
+       crg->numcomps = cstate->numcomps;
+-      if (!(crg->comps = jas_alloc2(cstate->numcomps, 
sizeof(uint_fast16_t)))) {
++      if (!(crg->comps = jas_alloc2(cstate->numcomps, 
sizeof(jpc_crgcomp_t)))) {
+               return -1;
+       }
+       for (compno = 0, comp = crg->comps; compno < cstate->numcomps;

Added: jasper-1.900.1-CVE-2014-8137.patch
===================================================================
--- jasper-1.900.1-CVE-2014-8137.patch                          (rev 0)
+++ jasper-1.900.1-CVE-2014-8137.patch  2014-12-19 03:38:02 UTC (rev 227774)
@@ -0,0 +1,43 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c   2014-12-11 
14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c        2014-12-11 
15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+       return 0;
+ 
+ error:
+-      jas_icccurv_destroy(attrval);
+       return -1;
+ }
+ 
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+       return 0;
+ error:
+-      jas_icctxtdesc_destroy(attrval);
+       return -1;
+ }
+ 
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+               goto error;
+       return 0;
+ error:
+-      if (txt->string)
+-              jas_free(txt->string);
+       return -1;
+ }
+ 
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+               goto error;
+       return 0;
+ error:
+-      jas_icclut8_destroy(attrval);
+       return -1;
+ }
+ 
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+               goto error;
+       return 0;
+ error:
+-      jas_icclut16_destroy(attrval);
+       return -1;
+ }
+ 

Added: jasper-1.900.1-CVE-2014-8138.patch
===================================================================
--- jasper-1.900.1-CVE-2014-8138.patch                          (rev 0)
+++ jasper-1.900.1-CVE-2014-8138.patch  2014-12-19 03:38:02 UTC (rev 227774)
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c    2014-12-11 
14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 
+0100
+@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+       /* Determine the type of each component. */
+       if (dec->cdef) {
+               for (i = 0; i < dec->numchans; ++i) {
++                      /* Is the channel number reasonable? */
++                      if (dec->cdef->data.cdef.ents[i].channo >= 
dec->numchans) {
++                              jas_eprintf("error: invalid channel number in 
CDEF box\n");
++                              goto error;
++                      }
+                       jas_image_setcmpttype(dec->image,
+                         
dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+                         jp2_getct(jas_image_clrspc(dec->image),

Added: jasper-1.900.1-fix-filename-buffer-overflow.patch
===================================================================
--- jasper-1.900.1-fix-filename-buffer-overflow.patch                           
(rev 0)
+++ jasper-1.900.1-fix-filename-buffer-overflow.patch   2014-12-19 03:38:02 UTC 
(rev 227774)
@@ -0,0 +1,37 @@
+Description: Filename buffer overflow fix
+ This patch fixes a security hole by a bad buffer size handling.
+Author: Roland Stigge <sti...@antcom.de>
+Bug-Debian: http://bugs.debian.org/645118
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -77,6 +77,7 @@
+ #include <jasper/jas_config.h>
+ 
+ #include <stdio.h>
++#include <limits.h>
+ #if defined(HAVE_FCNTL_H)
+ #include <fcntl.h>
+ #endif
+@@ -99,6 +100,12 @@ extern "C" {
+ #define O_BINARY      0
+ #endif
+ 
++#ifdef PATH_MAX
++#define JAS_PATH_MAX PATH_MAX
++#else
++#define JAS_PATH_MAX 4096
++#endif
++
+ /*
+  * Stream open flags.
+  */
+@@ -251,7 +258,7 @@ typedef struct {
+ typedef struct {
+       int fd;
+       int flags;
+-      char pathname[L_tmpnam + 1];
++      char pathname[JAS_PATH_MAX + 1];
+ } jas_stream_fileobj_t;
+ 
+ #define       JAS_STREAM_FILEOBJ_DELONCLOSE   0x01

Added: jasper-avoid-assert-abort.diff
===================================================================
--- jasper-avoid-assert-abort.diff                              (rev 0)
+++ jasper-avoid-assert-abort.diff      2014-12-19 03:38:02 UTC (rev 227774)
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c    2014-12-11 
14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 
+0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+       case JP2_COLR_ICC:
+               iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+                 dec->colr->data.colr.iccplen);
+-              assert(iccprof);
++              if (!iccprof) {
++                      jas_eprintf("error: failed to parse ICC profile\n");
++                      goto error;
++              }
+               jas_iccprof_gethdr(iccprof, &icchdr);
+               jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+               jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));

[arch-commits] Commit in jasper/trunk (6 files)

Reply via email to