Control: tags -1 + patch Hi Roland,
On Sat, Dec 20, 2014 at 06:08:54AM +0100, Salvatore Bonaccorso wrote: > I will try to work again (as for the previous update) on the > wheezy-security update. As the patches will be mostly the same I could > also do again the unstable upload too. Just let me know! Here the actual patches plus debdiff used for wheezy-security. Regards, Salvatore
diff -Nru jasper-1.900.1/debian/changelog jasper-1.900.1/debian/changelog --- jasper-1.900.1/debian/changelog 2014-11-28 23:12:21.000000000 +0100 +++ jasper-1.900.1/debian/changelog 2014-12-20 08:46:40.000000000 +0100 @@ -1,3 +1,13 @@ +jasper (1.900.1-13+deb7u2) wheezy-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Add 05-CVE-2014-8137.patch patch. + CVE-2014-8137: double-free in in jas_iccattrval_destroy(). (Closes: #773463) + * Add 06-CVE-2014-8138.patch patch. + CVE-2014-8138: heap overflow in jp2_decode(). (Closes: #773463) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 20 Dec 2014 08:42:19 +0100 + jasper (1.900.1-13+deb7u1) wheezy-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru jasper-1.900.1/debian/patches/05-CVE-2014-8137.patch jasper-1.900.1/debian/patches/05-CVE-2014-8137.patch --- jasper-1.900.1/debian/patches/05-CVE-2014-8137.patch 1970-01-01 01:00:00.000000000 +0100 +++ jasper-1.900.1/debian/patches/05-CVE-2014-8137.patch 2014-12-20 08:46:40.000000000 +0100 @@ -0,0 +1,66 @@ +Description: CVE-2014-8137: double-free in in jas_iccattrval_destroy() +Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967283, + https://bugzilla.redhat.com/attachment.cgi?id=967284 +Bug-Debian: https://bugs.debian.org/773463 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173157 +Forwarded: no +Author: Tomas Hoger <tho...@redhat.com> +Last-Update: 2014-12-20 + +--- a/src/libjasper/base/jas_icc.c ++++ b/src/libjasper/base/jas_icc.c +@@ -1010,7 +1010,6 @@ static int jas_icccurv_input(jas_iccattr + return 0; + + error: +- jas_icccurv_destroy(attrval); + return -1; + } + +@@ -1128,7 +1127,6 @@ static int jas_icctxtdesc_input(jas_icca + #endif + return 0; + error: +- jas_icctxtdesc_destroy(attrval); + return -1; + } + +@@ -1207,8 +1205,6 @@ static int jas_icctxt_input(jas_iccattrv + goto error; + return 0; + error: +- if (txt->string) +- jas_free(txt->string); + return -1; + } + +@@ -1329,7 +1325,6 @@ static int jas_icclut8_input(jas_iccattr + goto error; + return 0; + error: +- jas_icclut8_destroy(attrval); + return -1; + } + +@@ -1498,7 +1493,6 @@ static int jas_icclut16_input(jas_iccatt + goto error; + return 0; + error: +- jas_icclut16_destroy(attrval); + return -1; + } + +--- a/src/libjasper/jp2/jp2_dec.c ++++ b/src/libjasper/jp2/jp2_dec.c +@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in + case JP2_COLR_ICC: + iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, + dec->colr->data.colr.iccplen); +- assert(iccprof); ++ if (!iccprof) { ++ jas_eprintf("error: failed to parse ICC profile\n"); ++ goto error; ++ } + jas_iccprof_gethdr(iccprof, &icchdr); + jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); + jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); diff -Nru jasper-1.900.1/debian/patches/06-CVE-2014-8138.patch jasper-1.900.1/debian/patches/06-CVE-2014-8138.patch --- jasper-1.900.1/debian/patches/06-CVE-2014-8138.patch 1970-01-01 01:00:00.000000000 +0100 +++ jasper-1.900.1/debian/patches/06-CVE-2014-8138.patch 2014-12-20 08:46:40.000000000 +0100 @@ -0,0 +1,22 @@ +Description: CVE-2014-8138: heap overflow in jp2_decode() +Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967280 +Bug-Debian: https://bugs.debian.org/773463 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173162 +Forwarded: no +Author: Tomas Hoger <tho...@redhat.com> +Last-Update: 2014-12-20 + +--- a/src/libjasper/jp2/jp2_dec.c ++++ b/src/libjasper/jp2/jp2_dec.c +@@ -389,6 +389,11 @@ jas_image_t *jp2_decode(jas_stream_t *in + /* Determine the type of each component. */ + if (dec->cdef) { + for (i = 0; i < dec->numchans; ++i) { ++ /* Is the channel number reasonable? */ ++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { ++ jas_eprintf("error: invalid channel number in CDEF box\n"); ++ goto error; ++ } + jas_image_setcmpttype(dec->image, + dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], + jp2_getct(jas_image_clrspc(dec->image), diff -Nru jasper-1.900.1/debian/patches/series jasper-1.900.1/debian/patches/series --- jasper-1.900.1/debian/patches/series 2014-11-28 23:12:21.000000000 +0100 +++ jasper-1.900.1/debian/patches/series 2014-12-20 08:46:40.000000000 +0100 @@ -2,3 +2,5 @@ 02-fix-filename-buffer-overflow.patch 03-CVE-2011-4516-and-CVE-2011-4517.patch 04-CVE-2014-9029.patch +05-CVE-2014-8137.patch +06-CVE-2014-8138.patch
Description: CVE-2014-8137: double-free in in jas_iccattrval_destroy() Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967283, https://bugzilla.redhat.com/attachment.cgi?id=967284 Bug-Debian: https://bugs.debian.org/773463 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173157 Forwarded: no Author: Tomas Hoger <tho...@redhat.com> Last-Update: 2014-12-20 --- a/src/libjasper/base/jas_icc.c +++ b/src/libjasper/base/jas_icc.c @@ -1010,7 +1010,6 @@ static int jas_icccurv_input(jas_iccattr return 0; error: - jas_icccurv_destroy(attrval); return -1; } @@ -1128,7 +1127,6 @@ static int jas_icctxtdesc_input(jas_icca #endif return 0; error: - jas_icctxtdesc_destroy(attrval); return -1; } @@ -1207,8 +1205,6 @@ static int jas_icctxt_input(jas_iccattrv goto error; return 0; error: - if (txt->string) - jas_free(txt->string); return -1; } @@ -1329,7 +1325,6 @@ static int jas_icclut8_input(jas_iccattr goto error; return 0; error: - jas_icclut8_destroy(attrval); return -1; } @@ -1498,7 +1493,6 @@ static int jas_icclut16_input(jas_iccatt goto error; return 0; error: - jas_icclut16_destroy(attrval); return -1; } --- a/src/libjasper/jp2/jp2_dec.c +++ b/src/libjasper/jp2/jp2_dec.c @@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in case JP2_COLR_ICC: iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, dec->colr->data.colr.iccplen); - assert(iccprof); + if (!iccprof) { + jas_eprintf("error: failed to parse ICC profile\n"); + goto error; + } jas_iccprof_gethdr(iccprof, &icchdr); jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
Description: CVE-2014-8138: heap overflow in jp2_decode() Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=967280 Bug-Debian: https://bugs.debian.org/773463 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1173162 Forwarded: no Author: Tomas Hoger <tho...@redhat.com> Last-Update: 2014-12-20 --- a/src/libjasper/jp2/jp2_dec.c +++ b/src/libjasper/jp2/jp2_dec.c @@ -389,6 +389,11 @@ jas_image_t *jp2_decode(jas_stream_t *in /* Determine the type of each component. */ if (dec->cdef) { for (i = 0; i < dec->numchans; ++i) { + /* Is the channel number reasonable? */ + if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { + jas_eprintf("error: invalid channel number in CDEF box\n"); + goto error; + } jas_image_setcmpttype(dec->image, dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], jp2_getct(jas_image_clrspc(dec->image),
