Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu
Dear Release team,
I have been requested by the security team to update libjpeg8 and libjpeg6b1
in stable to fix CVE-2013-6629 and CVE-2013-6630. (see #729867).
The fix is available in version 8d-2 and 6b1-4 in testing which are
otherwise identical to version 8d-1 and 6b1-3 in stable.
I join the debdiff.
Please advise to proper procedure for upload.
Cheers,
--
Bill. <ballo...@debian.org>
Imagine a large red swirl here.
diff -Nru libjpeg8-8d/debian/changelog libjpeg8-8d/debian/changelog
--- libjpeg8-8d/debian/changelog 2012-01-29 19:51:42.000000000 +0100
+++ libjpeg8-8d/debian/changelog 2013-12-03 23:07:33.000000000 +0100
@@ -1,3 +1,10 @@
+libjpeg8 (8d-2) unstable; urgency=high
+
+ * Apply upstream patch to fix CVE-2013-6629 and CVE-2013-6630.
+ closes: #729867.
+
+ -- Bill Allombert <ballo...@debian.org> Mon, 02 Dec 2013 23:11:23 +0100
+
libjpeg8 (8d-1) unstable; urgency=low
* The "Lucas" release
diff -Nru libjpeg8-8d/debian/patches/fix-CVE-2013-6629_6630 libjpeg8-8d/debian/patches/fix-CVE-2013-6629_6630
--- libjpeg8-8d/debian/patches/fix-CVE-2013-6629_6630 1970-01-01 01:00:00.000000000 +0100
+++ libjpeg8-8d/debian/patches/fix-CVE-2013-6629_6630 2013-12-02 23:07:35.000000000 +0100
@@ -0,0 +1,108 @@
+Index: libjpeg8-8d/jdmarker.c
+===================================================================
+--- libjpeg8-8d.orig/jdmarker.c 2013-12-02 22:27:12.205907726 +0100
++++ libjpeg8-8d/jdmarker.c 2013-12-02 23:07:21.300024752 +0100
+@@ -240,7 +240,7 @@
+ /* Process a SOFn marker */
+ {
+ INT32 length;
+- int c, ci;
++ int c, ci, i;
+ jpeg_component_info * compptr;
+ INPUT_VARS(cinfo);
+
+@@ -278,11 +278,27 @@
+ cinfo->comp_info = (jpeg_component_info *) (*cinfo->mem->alloc_small)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
+ cinfo->num_components * SIZEOF(jpeg_component_info));
+-
+- for (ci = 0, compptr = cinfo->comp_info; ci < cinfo->num_components;
+- ci++, compptr++) {
++
++ for (ci = 0; ci < cinfo->num_components; ci++) {
++ INPUT_BYTE(cinfo, c, return FALSE);
++ /* Check to see whether component id has already been seen */
++ /* (in violation of the spec, but unfortunately seen in some */
++ /* files). If so, create "fake" component id equal to the */
++ /* max id seen so far + 1. */
++ for (i = 0, compptr = cinfo->comp_info; i < ci; i++, compptr++) {
++ if (c == compptr->component_id) {
++ compptr = cinfo->comp_info;
++ c = compptr->component_id;
++ compptr++;
++ for (i = 1; i < ci; i++, compptr++) {
++ if (compptr->component_id > c) c = compptr->component_id;
++ }
++ c++;
++ break;
++ }
++ }
++ compptr->component_id = c;
+ compptr->component_index = ci;
+- INPUT_BYTE(cinfo, compptr->component_id, return FALSE);
+ INPUT_BYTE(cinfo, c, return FALSE);
+ compptr->h_samp_factor = (c >> 4) & 15;
+ compptr->v_samp_factor = (c ) & 15;
+@@ -305,7 +321,7 @@
+ /* Process a SOS marker */
+ {
+ INT32 length;
+- int i, ci, n, c, cc;
++ int c, ci, i, n;
+ jpeg_component_info * compptr;
+ INPUT_VARS(cinfo);
+
+@@ -328,24 +344,38 @@
+ /* Collect the component-spec parameters */
+
+ for (i = 0; i < n; i++) {
+- INPUT_BYTE(cinfo, cc, return FALSE);
+ INPUT_BYTE(cinfo, c, return FALSE);
+-
++
++ /* Detect the case where component id's are not unique, and, if so, */
++ /* create a fake component id using the same logic as in get_sof. */
++ for (ci = 0; ci < i; ci++) {
++ if (c == cinfo->cur_comp_info[ci]->component_id) {
++ c = cinfo->cur_comp_info[0]->component_id;
++ for (ci = 1; ci < i; ci++) {
++ compptr = cinfo->cur_comp_info[ci];
++ if (compptr->component_id > c) c = compptr->component_id;
++ }
++ c++;
++ break;
++ }
++ }
++
+ for (ci = 0, compptr = cinfo->comp_info; ci < cinfo->num_components;
+ ci++, compptr++) {
+- if (cc == compptr->component_id)
++ if (c == compptr->component_id)
+ goto id_found;
+ }
+
+- ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
++ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, c);
+
+ id_found:
+
+ cinfo->cur_comp_info[i] = compptr;
++ INPUT_BYTE(cinfo, c, return FALSE);
+ compptr->dc_tbl_no = (c >> 4) & 15;
+ compptr->ac_tbl_no = (c ) & 15;
+-
+- TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc,
++
++ TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, compptr->component_id,
+ compptr->dc_tbl_no, compptr->ac_tbl_no);
+ }
+
+@@ -461,6 +491,8 @@
+ if (count > 256 || ((INT32) count) > length)
+ ERREXIT(cinfo, JERR_BAD_HUFF_TABLE);
+
++ MEMZERO(huffval, SIZEOF(huffval)); /* pre-zero array for later copy */
++
+ for (i = 0; i < count; i++)
+ INPUT_BYTE(cinfo, huffval[i], return FALSE);
+
diff -Nru libjpeg8-8d/debian/patches/series libjpeg8-8d/debian/patches/series
--- libjpeg8-8d/debian/patches/series 2011-07-08 23:06:32.000000000 +0200
+++ libjpeg8-8d/debian/patches/series 2013-12-02 23:21:46.000000000 +0100
@@ -1,2 +1,3 @@
use-autotools-dev
GIF-patent-expired
+fix-CVE-2013-6629_6630
diff -Nru libjpeg6b-6b1/debian/changelog libjpeg6b-6b1/debian/changelog
--- libjpeg6b-6b1/debian/changelog 2012-06-03 13:42:22.000000000 +0200
+++ libjpeg6b-6b1/debian/changelog 2013-12-05 23:43:54.000000000 +0100
@@ -1,3 +1,11 @@
+libjpeg6b (6b1-4) unstable; urgency=high
+
+ * Apply upstream patch to fix CVE-2013-6629 and CVE-2013-6630.
+ * debian/rules clean: remove stamp-h1
+ * debian/copyright: fix download URL
+
+ -- Bill Allombert <ballo...@debian.org> Thu, 05 Dec 2013 23:43:52 +0100
+
libjpeg6b (6b1-3) unstable; urgency=low
* Add multiarch support (similar to libjpeg8). closes: #642079
diff -Nru libjpeg6b-6b1/debian/copyright libjpeg6b-6b1/debian/copyright
--- libjpeg6b-6b1/debian/copyright 2010-06-04 16:25:52.000000000 +0200
+++ libjpeg6b-6b1/debian/copyright 2013-12-05 11:26:03.000000000 +0100
@@ -2,7 +2,7 @@
JPEG Group.
This package was created by Bill Allombert <ballo...@debian.org> from sources
-which can be found at http://www.ijg.org/jpegsrc.v6b1.tar.gz.
+which can be found at http://www.ijg.org/files/jpegsrc.v6b1.tar.gz.
Package for version 6b was created by Mark Mickan <mmic...@debian.org> from
sources which can be found at ftp://ftp.uu.net/graphics/jpeg/jpegsrc.v6b.tar.gz
diff -Nru libjpeg6b-6b1/debian/patches/debian-changes-6b1-1 libjpeg6b-6b1/debian/patches/debian-changes-6b1-1
--- libjpeg6b-6b1/debian/patches/debian-changes-6b1-1 2010-06-30 15:08:54.000000000 +0200
+++ libjpeg6b-6b1/debian/patches/debian-changes-6b1-1 1970-01-01 01:00:00.000000000 +0100
@@ -1,47 +0,0 @@
-Description: Upstream changes introduced in version 6b1-1
- This patch has been created by dpkg-source during the package build.
- Here's the last changelog entry, hopefully it gives details on why
- those changes were made:
- .
- libjpeg6b (6b1-1) unstable; urgency=low
- .
- * New upstream release
- - libjpeg62 has now versionned symbols.
- - Updated build system that use current libtool.
- - Full source code for the build system.
- * debian/copyright: add 6b1 upstream download URL.
- * debian/control:
- - libjpeg62-dev: Provides libjpeg-dev since the transition has been
- postponed.
- - Remove now useless dependency on libtool and sharutils
- - Bump Standards-Version to 3.9.0.
- * Get rid of dpatch system. Patches were only relevant to libjpeg-progs
- which is not build from this package anymore.
- * Move to new source format 3.0 (quilt). Patches applied:
- - use-autotools-dev: Use autotools-dev version of config.sub/.guess.
- - extern_C-jpeglib.h: Wrap jpeglib.h with extern "C" {} if __cplusplus
- is defined.
- * debian/rules:
- - Adjust for new build system and new patch system.
- * debian/shlibs: add (>=6b1) to avoid linker warnings with libjpeg6b.
- .
- The person named in the Author field signed this changelog entry.
-Author: Bill Allombert <ballo...@debian.org>
-
----
-The information above should follow the Patch Tagging Guidelines, please
-checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
-are templates for supplementary fields that you might want to add:
-
-Origin: <vendor|upstream|other>, <url of original patch>
-Bug: <url in upstream bugtracker>
-Bug-Debian: http://bugs.debian.org/<bugnumber>
-Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
-Forwarded: <no|not-needed|url proving that it has been forwarded>
-Reviewed-By: <name and email of someone who approved the patch>
-Last-Update: <YYYY-MM-DD>
-
---- /dev/null
-+++ libjpeg6b-6b1/stamp-h1
-@@ -0,0 +1 @@
-+timestamp for jconfig.h
diff -Nru libjpeg6b-6b1/debian/patches/fix-CVE-2013-6629_6630 libjpeg6b-6b1/debian/patches/fix-CVE-2013-6629_6630
--- libjpeg6b-6b1/debian/patches/fix-CVE-2013-6629_6630 1970-01-01 01:00:00.000000000 +0100
+++ libjpeg6b-6b1/debian/patches/fix-CVE-2013-6629_6630 2013-12-03 22:53:33.000000000 +0100
@@ -0,0 +1,108 @@
+Index: libjpeg6b-6b1/jdmarker.c
+===================================================================
+--- libjpeg6b-6b1.orig/jdmarker.c 1998-02-21 21:24:50.000000000 +0100
++++ libjpeg6b-6b1/jdmarker.c 2013-12-03 22:53:28.393111296 +0100
+@@ -238,7 +238,7 @@
+ /* Process a SOFn marker */
+ {
+ INT32 length;
+- int c, ci;
++ int c, ci, i;
+ jpeg_component_info * compptr;
+ INPUT_VARS(cinfo);
+
+@@ -275,11 +275,27 @@
+ cinfo->comp_info = (jpeg_component_info *) (*cinfo->mem->alloc_small)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
+ cinfo->num_components * SIZEOF(jpeg_component_info));
+-
+- for (ci = 0, compptr = cinfo->comp_info; ci < cinfo->num_components;
+- ci++, compptr++) {
++
++ for (ci = 0; ci < cinfo->num_components; ci++) {
++ INPUT_BYTE(cinfo, c, return FALSE);
++ /* Check to see whether component id has already been seen */
++ /* (in violation of the spec, but unfortunately seen in some */
++ /* files). If so, create "fake" component id equal to the */
++ /* max id seen so far + 1. */
++ for (i = 0, compptr = cinfo->comp_info; i < ci; i++, compptr++) {
++ if (c == compptr->component_id) {
++ compptr = cinfo->comp_info;
++ c = compptr->component_id;
++ compptr++;
++ for (i = 1; i < ci; i++, compptr++) {
++ if (compptr->component_id > c) c = compptr->component_id;
++ }
++ c++;
++ break;
++ }
++ }
++ compptr->component_id = c;
+ compptr->component_index = ci;
+- INPUT_BYTE(cinfo, compptr->component_id, return FALSE);
+ INPUT_BYTE(cinfo, c, return FALSE);
+ compptr->h_samp_factor = (c >> 4) & 15;
+ compptr->v_samp_factor = (c ) & 15;
+@@ -302,7 +318,7 @@
+ /* Process a SOS marker */
+ {
+ INT32 length;
+- int i, ci, n, c, cc;
++ int c, ci, i, n;
+ jpeg_component_info * compptr;
+ INPUT_VARS(cinfo);
+
+@@ -323,24 +339,38 @@
+ /* Collect the component-spec parameters */
+
+ for (i = 0; i < n; i++) {
+- INPUT_BYTE(cinfo, cc, return FALSE);
+ INPUT_BYTE(cinfo, c, return FALSE);
+-
++
++ /* Detect the case where component id's are not unique, and, if so, */
++ /* create a fake component id using the same logic as in get_sof. */
++ for (ci = 0; ci < i; ci++) {
++ if (c == cinfo->cur_comp_info[ci]->component_id) {
++ c = cinfo->cur_comp_info[0]->component_id;
++ for (ci = 1; ci < i; ci++) {
++ compptr = cinfo->cur_comp_info[ci];
++ if (compptr->component_id > c) c = compptr->component_id;
++ }
++ c++;
++ break;
++ }
++ }
++
+ for (ci = 0, compptr = cinfo->comp_info; ci < cinfo->num_components;
+ ci++, compptr++) {
+- if (cc == compptr->component_id)
++ if (c == compptr->component_id)
+ goto id_found;
+ }
+
+- ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
++ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, c);
+
+ id_found:
+
+ cinfo->cur_comp_info[i] = compptr;
++ INPUT_BYTE(cinfo, c, return FALSE);
+ compptr->dc_tbl_no = (c >> 4) & 15;
+ compptr->ac_tbl_no = (c ) & 15;
+-
+- TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc,
++
++ TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, compptr->component_id,
+ compptr->dc_tbl_no, compptr->ac_tbl_no);
+ }
+
+@@ -456,6 +486,8 @@
+ if (count > 256 || ((INT32) count) > length)
+ ERREXIT(cinfo, JERR_BAD_HUFF_TABLE);
+
++ MEMZERO(huffval, SIZEOF(huffval)); /* pre-zero array for later copy */
++
+ for (i = 0; i < count; i++)
+ INPUT_BYTE(cinfo, huffval[i], return FALSE);
+
diff -Nru libjpeg6b-6b1/debian/patches/series libjpeg6b-6b1/debian/patches/series
--- libjpeg6b-6b1/debian/patches/series 2010-06-03 19:27:18.000000000 +0200
+++ libjpeg6b-6b1/debian/patches/series 2013-12-03 22:54:02.000000000 +0100
@@ -1,3 +1,3 @@
extern_C-jpeglib.h
use-autotools-dev
-debian-changes-6b1-1
+fix-CVE-2013-6629_6630
diff -Nru libjpeg6b-6b1/debian/rules libjpeg6b-6b1/debian/rules
--- libjpeg6b-6b1/debian/rules 2012-06-03 13:53:15.000000000 +0200
+++ libjpeg6b-6b1/debian/rules 2013-12-05 11:24:59.000000000 +0100
@@ -33,7 +33,7 @@
clean:
dh_testdir
dh_testroot
- -rm -f build-stamp
+ -rm -f build-stamp stamp-h1
if [ -f Makefile ]; then $(MAKE) clean; fi
-rm -f Makefile jconfig.h config.log config.status libtool
dh_clean
