Bug#688881: unblock: openjpeg/1.3+dfsg-4.1+deb7u1

2012-09-26 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

I've prepared a testing-proposed-updates (tpu) security upload for openjpeg (attached).

Ok to upload?

Cheers,
Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Naur openjpeg-1.3+dfsg.orig/debian/changelog openjpeg-1.3+dfsg/debian/changelog
--- openjpeg-1.3+dfsg.orig/debian/changelog	2012-09-23 08:01:25.0 +0200
+++ openjpeg-1.3+dfsg/debian/changelog	2012-09-23 08:04:39.697773699 +0200
@@ -1,3 +1,10 @@
+openjpeg (1.3+dfsg-4.1+deb7u1) testing-proposed-updates; urgency=medium
+
+  * Fix CVE-2012-3358 (Closes: #681075)
+  * Fix CVE-2012-3535 (Closes: #685970)	
+
+ -- Moritz Mühlenhoff j...@debian.org  Mon, 24 Sep 2012 23:02:44 +0200
+
 openjpeg (1.3+dfsg-4.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/00list openjpeg-1.3+dfsg/debian/patches/00list
--- openjpeg-1.3+dfsg.orig/debian/patches/00list	2012-09-23 08:01:25.0 +0200
+++ openjpeg-1.3+dfsg/debian/patches/00list	2012-09-23 08:02:26.061768619 +0200
@@ -2,3 +2,5 @@
 31_use_system_tiff_headers.dpatch
 32_fix_FTBFS_on_alpha.dpatch
 33_avoid_memory_overrun.dpatch
+CVE-2012-3358.dpatch
+CVE-2012-3535.dpatch
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch
--- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch	1970-01-01 01:00:00.0 +0100
+++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch	2012-09-23 08:01:59.353768078 +0200
@@ -0,0 +1,60 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2012-3358.dpatch by Michael Gilbert mgilb...@debian.org
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix buffer overflow in JPEG2000 file handling.
+## DP: https://bugzilla.redhat.com/show_bug.cgi?id=835767
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' openjpeg-1.3+dfsg~/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c
+--- openjpeg-1.3+dfsg~/libopenjpeg/j2k.c	2012-07-11 16:04:38.0 -0400
 openjpeg-1.3+dfsg/libopenjpeg/j2k.c	2012-07-11 16:06:07.0 -0400
+@@ -1282,7 +1282,7 @@
+ 		static int backup_tileno = 0;
+ 
+ 		/* tileno is negative or larger than the number of tiles!!! */
+-		if ((tileno  0) || (tileno  (cp-tw * cp-th))) {
++		if ((tileno  0) || (tileno = (cp-tw * cp-th))) {
+ 			opj_event_msg(j2k-cinfo, EVT_ERROR,
+ JPWL: bad tile number (%d out of a maximum of %d)\n,
+ tileno, (cp-tw * cp-th));
+@@ -1299,8 +1299,18 @@
+ 
+ 		/* keep your private count of tiles */
+ 		backup_tileno++;
+-	};
++	}
++	else
+ #endif /* USE_JPWL */
++	{
++		/* tileno is negative or larger than the number of tiles!!! */
++		if ((tileno  0) || (tileno = (cp-tw * cp-th))) {
++			opj_event_msg(j2k-cinfo, EVT_ERROR,
++JPWL: bad tile number (%d out of a maximum of %d)\n,
++tileno, (cp-tw * cp-th));
++			return;
++		}
++	}
+ 	
+ 	if (cp-tileno_size == 0) {
+ 		cp-tileno[cp-tileno_size] = tileno;
+@@ -1338,8 +1348,18 @@
+ totlen);
+ 		}
+ 
+-	};
++	}
++	else
+ #endif /* USE_JPWL */
++	{
++		/* totlen is negative or larger than the bytes left!!! */
++		if ((totlen  0) || (totlen  (cio_numbytesleft(cio) + 8))) {
++			opj_event_msg(j2k-cinfo, EVT_ERROR,
++JPWL: bad tile byte size (%d bytes against %d bytes left)\n,
++totlen, cio_numbytesleft(cio) + 8);
++			return;
++		}
++	}
+ 
+ 	if (!totlen)
+ 		totlen = cio_numbytesleft(cio) + 8;
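Review bot: The two new non-JPWL early returns in the j2k.c patch (bad tile number, bad tile byte size) log EVT_ERROR and `return;` without marking the decoder state, whereas the CVE-2012-3535 patch in this same upload sets `j2k->state |= J2K_STATE_ERR;` on its error path. Whether the caller stops on the event message alone is not visible here, so setting the error state before each `return;` looks like the safer choice and should be confirmed against the marker-dispatch loop. Both added messages keep the `JPWL:` prefix although this block runs when JPWL is compiled out or, presumably, not in use, which will misdirect anyone triaging decoder logs; dropping the prefix would fix that. The archive has stripped operators and quotes from the embedded C, so the exact comparisons (in particular the upper bound on tileno) should be checked against the attached debdiff rather than this rendering. The enclosing function starts and ends outside the nested hunks.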
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch
--- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch	1970-01-01 01:00:00.0 +0100
+++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch	2012-09-23 08:01:59.353768078 +0200
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2012-3535
+
+@DPATCH@
+diff -Naur openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c
+--- openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c	2008-03-10 09:50:35.0 +0100
 openjpeg-1.3+dfsg/libopenjpeg/j2k.c	2012-09-23 07:57:01.381756231 +0200
+@@ -720,6 +720,13 @@
+ 		j2k-state |= J2K_STATE_ERR;
+ 	}
+ 
++	if( tccp-numresolutions  J2K_MAXRLVLS ) {
++		opj_event_msg(j2k-cinfo, EVT_ERROR, Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n,
++		  compno, tccp-numresolutions, J2K_MAXRLVLS);
++		j2k-state |= J2K_STATE_ERR;
++		tccp-numresolutions = J2K_MAXRLVLS;
++	}
++
+ 	tccp-cblkw = cio_read(cio, 1) + 2;	/* SPcox (E) */
+ 	tccp-cblkh = cio_read(cio, 1) + 2;	/* SPcox (F) */
+ 	
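Review bot: The dpatch header carries only `## CVE-2012-3535`, with no `## DP:` description, author or reference, unlike CVE-2012-3358.dpatch in the same upload; a line such as `## DP: clamp numresolutions to J2K_MAXRLVLS when the codestream declares more (Closes: #685970)` would make the patch self-describing. The added check would also benefit from a one-line comment naming the fixed-size per-resolution data that the J2K_MAXRLVLS bound protects, since that is not visible in this hunk. The block both sets J2K_STATE_ERR and truncates the value; presumably the truncation only keeps the remaining reads of this marker in bounds until the caller sees the error state, and saying so would avoid the impression that decoding carries on with a truncated count. The enclosing function starts and ends outside the hunk.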

Bug#688881: unblock: openjpeg/1.3+dfsg-4.1+deb7u1

2012-09-26 Thread Julien Cristau
On Wed, Sep 26, 2012 at 18:11:46 +0200, Moritz Muehlenhoff wrote:

 Package: release.debian.org
 Severity: normal
 User: release.debian@packages.debian.org
 Usertags: unblock
 
 I've prepared a tpu security upload for openjpeg (attached).
 
 Ok to upload?
 
I followed up to the unblock bug about the sid version.  If we don't get
that sorted soon then a tpu upload would be fine.  Probably best to get
the second CVE fixed in sid first in any case.

Cheers,
Julien

