Package: release.debian.org Severity: normal Tags: squeeze User: release.debian....@packages.debian.org Usertags: pu
Dear release team, please accept an upload of lcms2 2.2+git20110628-2.2+deb7u1 to wheezy-proposed-updates. The update fixes a minor security issue in stable (#714529, CVE-2013-4160). DSA considers the issue to be not worth a security update: https://security-tracker.debian.org/tracker/CVE-2013-4160 Debdiff attached. Thanks Thomas -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru lcms2-2.2+git20110628/debian/changelog lcms2-2.2+git20110628/debian/changelog
--- lcms2-2.2+git20110628/debian/changelog 2014-03-17 23:41:12.000000000 +0100
+++ lcms2-2.2+git20110628/debian/changelog 2014-03-21 11:29:26.000000000 +0100
@@ -1,3 +1,9 @@
+lcms2 (2.2+git20110628-2.2+deb7u1) stable; urgency=medium
+
+ * Fix security bugs in stable (Closes: #714529), CVE-2013-4160
+
+ -- Thomas Weber <twe...@debian.org> Thu, 20 Mar 2014 00:17:31 +0100
+
 lcms2 (2.2+git20110628-2.2) unstable; urgency=low
 
 * Non-maintainer upload.
diff -Nru lcms2-2.2+git20110628/debian/control lcms2-2.2+git20110628/debian/control
--- lcms2-2.2+git20110628/debian/control 2014-03-17 23:41:12.000000000 +0100
+++ lcms2-2.2+git20110628/debian/control 2014-03-21 11:29:26.000000000 +0100
@@ -2,6 +2,7 @@
 Section: libs
 Priority: optional
 Maintainer: Oleksandr Moskalenko <ma...@debian.org>
+Uploaders: Thomas Weber <twe...@debian.org>
 Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.0), autotools-dev, libjpeg-dev, libtiff4-dev, zlib1g-dev, quilt
 Standards-Version: 3.9.2
 Homepage: http://www.littlecms.com/
diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch
--- lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch 1970-01-01 01:00:00.000000000 +0100
+++ lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch 2014-03-21 11:29:26.000000000 +0100
@@ -0,0 +1,28 @@
+# HG changeset patch
+# Date 1364497268 -14400
+# Node ID 56f01b89d8b8f7e2cbc651dccbd904b45698be24
+# Parent 09c14ca57ff092cd304a4e29f9398176255a72ab
+8007925: Improve cmsStageAllocLabV2ToV4curves
+8007926: Improve cmsPipelineDup
+
+Index: lcms2-2.2+git20110628/src/cmslut.c
+===================================================================
+--- lcms2-2.2+git20110628.orig/src/cmslut.c 2011-06-27 23:20:02.000000000 -0500
++++ lcms2-2.2+git20110628/src/cmslut.c 2013-07-01 10:51:20.000000000 -0500
+@@ -980,6 +980,7 @@
+ mpe = cmsStageAllocToneCurves(ContextID, 3, LabTable);
+ cmsFreeToneCurveTriple(LabTable);
+
++ if (mpe == NULL) return mpe;
+ mpe ->Implements = cmsSigLabV2toV4;
+ return mpe;
+ }
+@@ -1291,6 +1292,8 @@
+ if (lut == NULL) return NULL;
+
+ NewLUT = cmsPipelineAlloc(lut ->ContextID, lut ->InputChannels, lut ->OutputChannels);
++ if (NewLUT == NULL) return NULL;
++
+ for (mpe = lut ->Elements;
+ mpe != NULL;
+ mpe = mpe ->Next) {
diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch
--- lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch 1970-01-01 01:00:00.000000000 +0100
+++ lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch 2014-03-21 11:29:26.000000000 +0100
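Review bot: In ojdk-8007925+8007926.patch the first cmslut.c hunk guards only the result of cmsStageAllocToneCurves; the three LabTable curves handed to it are built above the hunk, and if that code writes into them without a NULL test the same allocation-failure dereference remains one step earlier, so this should be confirmed against the full function, which starts outside the hunk. As a smaller style point, `if (mpe == NULL) return mpe;` reads more clearly as `if (mpe == NULL) return NULL;`, matching the check added in the second hunk. In that second hunk the stage-copy loop runs past the end of the hunk, so whether a failed per-stage duplication is handled cannot be judged from here.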
@@ -0,0 +1,22 @@
+# HG changeset patch
+# User bae
+# Date 1363852330 -14400
+# Node ID 4047e9efcbd0966d8cc15d51f9b25ae5b141e239
+# Parent a7299af2af32c38eef541180e26f4aac7d79bff8
+8007927: Improve cmsAllocProfileSequenceDescription
+
+Index: lcms2-2.2+git20110628/src/cmsnamed.c
+===================================================================
+--- lcms2-2.2+git20110628.orig/src/cmsnamed.c 2013-07-01 11:02:26.000000000 -0500
++++ lcms2-2.2+git20110628/src/cmsnamed.c 2013-07-01 11:03:56.000000000 -0500
+@@ -698,6 +702,10 @@
+ Seq -> seq = (cmsPSEQDESC*) _cmsCalloc(ContextID, n, sizeof(cmsPSEQDESC));
+ Seq -> n = n;
+
++ if (Seq -> seq == NULL) {
++ _cmsFree(ContextID, Seq);
++ return NULL;
++ }
+
+ for (i=0; i < n; i++) {
+ Seq -> seq[i].Manufacturer = NULL;
diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch
--- lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch 1970-01-01 01:00:00.000000000 +0100
+++ lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch 2014-03-21 11:29:26.000000000 +0100
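Review bot: The header of ojdk-8007927.patch still presents the file as an unmodified HG changeset, yet its only cmsnamed.c hunk is numbered `@@ -698,6 +702,10 @@`, a four-line offset that a first hunk cannot have on its own, which suggests the changeset was re-cut or had earlier hunks dropped for this backport. The patch header should say so, so that a later auditor can compare it with the upstream change: add DEP-3 style fields such as `Origin: backport, <upstream changeset URL>` and `Bug-Debian: https://bugs.debian.org/714529`, plus a one-line description tying the patch to CVE-2013-4160 if it is indeed part of that fix. The other three ojdk-*.patch files added in this debdiff carry the same bare HG header and would benefit from the same fields.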
@@ -0,0 +1,27 @@
+# HG changeset patch
+# User bae
+# Date 1363852924 -14400
+# Node ID 2c71b4f2104b4951376604d50d5ecd176cd5acc7
+# Parent 4047e9efcbd0966d8cc15d51f9b25ae5b141e239
+8007929: Improve CurvesAlloc
+
+Index: lcms2-2.2+git20110628/src/cmsopt.c
+===================================================================
+--- lcms2-2.2+git20110628.orig/src/cmsopt.c 2013-07-01 10:54:09.000000000 -0500
++++ lcms2-2.2+git20110628/src/cmsopt.c 2013-07-01 10:54:09.000000000 -0500
+@@ -1135,6 +1135,15 @@
+ for (i=0; i < nCurves; i++) {
+
+ c16->Curves[i] = _cmsCalloc(ContextID, nElements, sizeof(cmsUInt16Number));
++ if (c16->Curves[i] == NULL) {
++ for (j=0; j < i; j++) {
++ _cmsFree(ContextID, c16->Curves[j]);
++ }
++ _cmsFree(ContextID, c16->Curves);
++ _cmsFree(ContextID, c16);
++
++ return NULL;
++ }
+
+ if (nElements == 256) {
+
diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8009654.patch lcms2-2.2+git20110628/debian/patches/ojdk-8009654.patch
--- lcms2-2.2+git20110628/debian/patches/ojdk-8009654.patch 1970-01-01 01:00:00.000000000 +0100
+++ lcms2-2.2+git20110628/debian/patches/ojdk-8009654.patch 2014-03-21 11:29:26.000000000 +0100
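Review bot: The new failure branch in the cmsopt.c hunk makes the enclosing allocator return NULL, but its call sites are outside this hunk, so it is not visible whether they test the result before storing or dereferencing it; if they do not, the crash only moves from this loop to the place where the curve data is later used. The cleanup itself releases exactly the entries allocated so far (`j < i`), then the pointer array and the struct, which looks right, provided `j` is declared in the part of the function above the hunk. A short comment on the branch would help the next reader, for example `/* allocation failed: free curves 0..i-1, the table and c16, then report failure */`.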
@@ -0,0 +1,40 @@
+# HG changeset patch
+# User bae
+# Date 1364538631 -14400
+# Node ID 8718da8c36f3c265f4ee3a3410ed7e9b116283a7
+# Parent cc656d61e7135d43cd8908a8ef8ceae66ca0d462
+8009654: Improve stability of cmsnamed
+
+Index: lcms2-2.2+git20110628/src/cmsnamed.c
+===================================================================
+--- lcms2-2.2+git20110628.orig/src/cmsnamed.c 2013-07-01 11:43:05.000000000 -0500
++++ lcms2-2.2+git20110628/src/cmsnamed.c 2013-07-01 11:44:10.000000000 -0500
+@@ -488,8 +488,10 @@
+ while (v -> Allocated < n)
+ GrowNamedColorList(v);
+
+- strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix));
+- strncpy(v ->Suffix, Suffix, sizeof(v ->Suffix));
++ strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix) - 1);
++ strncpy(v ->Suffix, Suffix, sizeof(v ->Suffix) - 1);
++ v->Prefix[sizeof(v ->Prefix) - 1] = v->Suffix[sizeof(v ->Suffix) - 1] = 0;
++
+ v -> ColorantCount = ColorantCount;
+
+ return v;
+@@ -543,10 +545,12 @@
+ for (i=0; i < 3; i++)
+ NamedColorList ->List[NamedColorList ->nColors].PCS[i] = PCS == NULL ? 0 : PCS[i];
+
+- if (Name != NULL)
++ if (Name != NULL) {
+ strncpy(NamedColorList ->List[NamedColorList ->nColors].Name, Name,
+- sizeof(NamedColorList ->List[NamedColorList ->nColors].Name));
+- else
++ sizeof(NamedColorList ->List[NamedColorList ->nColors].Name) - 1);
++ NamedColorList ->List[NamedColorList ->nColors].
++ Name[sizeof(NamedColorList ->List[NamedColorList ->nColors].Name) - 1] = 0;
++ } else
+ NamedColorList ->List[NamedColorList ->nColors].Name[0] = 0;
+
+
diff -Nru lcms2-2.2+git20110628/debian/patches/series lcms2-2.2+git20110628/debian/patches/series
--- lcms2-2.2+git20110628/debian/patches/series 2014-03-17 23:41:12.000000000 +0100
+++ lcms2-2.2+git20110628/debian/patches/series 2014-03-21 11:29:26.000000000 +0100
@@ -1,2 +1,6 @@
 tificc.1
 jpgicc.1
+ojdk-8007925+8007926.patch
+ojdk-8007927.patch
+ojdk-8007929.patch
+ojdk-8009654.patch
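Review bot: In the first cmsnamed.c hunk of ojdk-8009654.patch the two strncpy calls still read `Prefix` and `Suffix` unconditionally, while the second hunk treats a NULL `Name` as valid input; unless a check sits above the hunk, a NULL prefix or suffix remains undefined behaviour. A guard such as `if (Prefix != NULL) strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix) - 1);`, with the same for `Suffix`, would make the two sites consistent, assuming the buffers in `v` start out zeroed, which is not visible here. The size-minus-one copy followed by an explicit terminator is the right repair for the unterminated-buffer case. The chained assignment `v->Prefix[...] = v->Suffix[...] = 0;` would be easier to audit as two separate statements.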