Hi, I intend to NMU ghostview. Attached is a patch to fix this issue in the embedded copy of jasper. It will also be archived at: http://people.debian.org/~nion/nmu-diff/ghostscript-8.61.dfsg.1~svn8187-1_8.61.dfsg.1~svn8187-1.1.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ghostscript-8.61.dfsg.1~svn8187/debian/patches/00list ghostscript-8.61.dfsg.1~svn8187/debian/patches/00list
--- ghostscript-8.61.dfsg.1~svn8187/debian/patches/00list
+++ ghostscript-8.61.dfsg.1~svn8187/debian/patches/00list
@@ -13,0 +14 @@
+31-CVE-2007-2721
diff -u ghostscript-8.61.dfsg.1~svn8187/debian/changelog ghostscript-8.61.dfsg.1~svn8187/debian/changelog
--- ghostscript-8.61.dfsg.1~svn8187/debian/changelog
+++ ghostscript-8.61.dfsg.1~svn8187/debian/changelog
@@ -1,3 +1,12 @@
+ghostscript (8.61.dfsg.1~svn8187-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by testing security team.
+ * Included 31-CVE-2007-2721.dpatch to fix remote
+ user-assisted denial of service via malformed image
+ files in embedded copy of jasper (Closes: #447188)
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sat, 20 Oct 2007 12:46:44 +0200
+
 ghostscript (8.61.dfsg.1~svn8187-1) unstable; urgency=low
 * New upstream release - closes: #437848, #291452
only in patch2:
unchanged:
--- ghostscript-8.61.dfsg.1~svn8187.orig/debian/patches/31-CVE-2007-2721.dpatch
+++ ghostscript-8.61.dfsg.1~svn8187/debian/patches/31-CVE-2007-2721.dpatch
@@ -0,0 +1,48 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 31-CVE-2007-2721.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+ [EMAIL PROTECTED]@
+diff -urNad ghostscript-8.61.dfsg.1~svn8187~/jasper/src/libjasper/jpc/jpc_cs.c ghostscript-8.61.dfsg.1~svn8187/jasper/src/libjasper/jpc/jpc_cs.c
+--- ghostscript-8.61.dfsg.1~svn8187~/jasper/src/libjasper/jpc/jpc_cs.c 2007-08-13 20:07:23.000000000 +0200
++++ ghostscript-8.61.dfsg.1~svn8187/jasper/src/libjasper/jpc/jpc_cs.c 2007-10-20 12:46:21.000000000 +0200
+@@ -991,21 +991,24 @@
+ compparms->numstepsizes = (len - n) / 2;
+ break;
+ }
+-if (compparms->numstepsizes > 0) {
+- compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+- sizeof(uint_fast32_t));
+- assert(compparms->stepsizes);
+- for (i = 0; i < compparms->numstepsizes; ++i) {
+- if (compparms->qntsty == JPC_QCX_NOQNT) {
+- jpc_getuint8(in, &tmp);
+- compparms->stepsizes[i] = JPC_QCX_EXPN(tmp >> 3);
+- } else {
+- jpc_getuint16(in, &compparms->stepsizes[i]);
++ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++ jpc_qcx_destroycompparms(compparms);
++ return -1;
++ } else if (compparms->numstepsizes > 0) {
++ compparms->stepsizes = jas_malloc(compparms->numstepsizes *
++ sizeof(uint_fast32_t));
++ assert(compparms->stepsizes);
++ for (i = 0; i < compparms->numstepsizes; ++i) {
++ if (compparms->qntsty == JPC_QCX_NOQNT) {
++ jpc_getuint8(in, &tmp);
++ compparms->stepsizes[i] = JPC_QCX_EXPN(tmp >> 3);
++ } else {
++ jpc_getuint16(in, &compparms->stepsizes[i]);
++ }
+ }
++ } else {
++ compparms->stepsizes = 0;
+ }
+-} else {
+- compparms->stepsizes = 0;
+-}
+ if (jas_stream_error(in) || jas_stream_eof(in)) {
+ jpc_qcx_destroycompparms(compparms);
+ return -1;
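Review bot: The `assert(compparms->stepsizes);` carried over into the new `else if` branch is still the only handling of a failed `jas_malloc()` on a path that parses quantization data from the image file. With NDEBUG defined the check is compiled out and the loop stores through a null pointer, and without it the process aborts, so a failed allocation ends in a crash instead of a parse error. Replacing it with `if (!compparms->stepsizes) { return -1; }` would give the same failure mode as the new bounds check. Separately, the new early-return branch calls `jpc_qcx_destroycompparms(compparms)` before this code has assigned `compparms->stepsizes`; that is safe only if the field is initialised earlier, which is not visible in the hunk and should be confirmed. The enclosing function begins before the hunk and continues after it.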