Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
I've prepared a tpu security upload for openjpeg (attached).
Ok to upload?
Cheers,
Moritz
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Naur openjpeg-1.3+dfsg.orig/debian/changelog openjpeg-1.3+dfsg/debian/changelog
--- openjpeg-1.3+dfsg.orig/debian/changelog 2012-09-23 08:01:25.0 +0200
+++ openjpeg-1.3+dfsg/debian/changelog 2012-09-23 08:04:39.697773699 +0200
@@ -1,3 +1,10 @@
+openjpeg (1.3+dfsg-4.1+deb7u1) testing-proposed-updates; urgency=medium
+
+ * Fix CVE-2012-3358 (Closes: #681075)
+ * Fix CVE-2012-3535 (Closes: #685970)
+
+ -- Moritz Mühlenhoff j...@debian.org Mon, 24 Sep 2012 23:02:44 +0200
+
openjpeg (1.3+dfsg-4.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/00list openjpeg-1.3+dfsg/debian/patches/00list
--- openjpeg-1.3+dfsg.orig/debian/patches/00list 2012-09-23 08:01:25.0 +0200
+++ openjpeg-1.3+dfsg/debian/patches/00list 2012-09-23 08:02:26.061768619 +0200
@@ -2,3 +2,5 @@
31_use_system_tiff_headers.dpatch
32_fix_FTBFS_on_alpha.dpatch
33_avoid_memory_overrun.dpatch
+CVE-2012-3358.dpatch
+CVE-2012-3535.dpatch
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch
--- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch 1970-01-01 01:00:00.0 +0100
+++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch 2012-09-23 08:01:59.353768078 +0200
@@ -0,0 +1,60 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2012-3358.dpatch by Michael Gilbert mgilb...@debian.org
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix buffer overflow in JPEG2000 file handling.
+## DP: https://bugzilla.redhat.com/show_bug.cgi?id=835767
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' openjpeg-1.3+dfsg~/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c
+--- openjpeg-1.3+dfsg~/libopenjpeg/j2k.c 2012-07-11 16:04:38.0 -0400
openjpeg-1.3+dfsg/libopenjpeg/j2k.c 2012-07-11 16:06:07.0 -0400
+@@ -1282,7 +1282,7 @@
+ static int backup_tileno = 0;
+
+ /* tileno is negative or larger than the number of tiles!!! */
+- if ((tileno 0) || (tileno (cp-tw * cp-th))) {
++ if ((tileno 0) || (tileno = (cp-tw * cp-th))) {
+ opj_event_msg(j2k-cinfo, EVT_ERROR,
+ JPWL: bad tile number (%d out of a maximum of %d)\n,
+ tileno, (cp-tw * cp-th));
+@@ -1299,8 +1299,18 @@
+
+ /* keep your private count of tiles */
+ backup_tileno++;
+- };
++ }
++ else
+ #endif /* USE_JPWL */
++ {
++ /* tileno is negative or larger than the number of tiles!!! */
++ if ((tileno 0) || (tileno = (cp-tw * cp-th))) {
++ opj_event_msg(j2k-cinfo, EVT_ERROR,
++JPWL: bad tile number (%d out of a maximum of %d)\n,
++tileno, (cp-tw * cp-th));
++ return;
++ }
++ }
+
+ if (cp-tileno_size == 0) {
+ cp-tileno[cp-tileno_size] = tileno;
+@@ -1338,8 +1348,18 @@
+ totlen);
+ }
+
+- };
++ }
++ else
+ #endif /* USE_JPWL */
++ {
++ /* totlen is negative or larger than the bytes left!!! */
++ if ((totlen 0) || (totlen (cio_numbytesleft(cio) + 8))) {
++ opj_event_msg(j2k-cinfo, EVT_ERROR,
++JPWL: bad tile byte size (%d bytes against %d bytes left)\n,
++totlen, cio_numbytesleft(cio) + 8);
++ return;
++ }
++ }
+
+ if (!totlen)
+ totlen = cio_numbytesleft(cio) + 8;
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch
--- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch 1970-01-01 01:00:00.0 +0100
+++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch 2012-09-23 08:01:59.353768078 +0200
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2012-3535
+
+@DPATCH@
+diff -Naur openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c
+--- openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c 2008-03-10 09:50:35.0 +0100
openjpeg-1.3+dfsg/libopenjpeg/j2k.c 2012-09-23 07:57:01.381756231 +0200
+@@ -720,6 +720,13 @@
+ j2k-state |= J2K_STATE_ERR;
+ }
+
++ if( tccp-numresolutions J2K_MAXRLVLS ) {
++ opj_event_msg(j2k-cinfo, EVT_ERROR, Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n,
++ compno, tccp-numresolutions, J2K_MAXRLVLS);
++ j2k-state |= J2K_STATE_ERR;
++ tccp-numresolutions = J2K_MAXRLVLS;
++ }
++
+ tccp-cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */
+ tccp-cblkh = cio_read(cio, 1) + 2; /* SPcox (F) */
+