[arch-commits] Commit in jasper/trunk (6 files)
Eric Bélanger
eric at archlinux.org
Fri Dec 19 03:38:03 UTC 2014
Date: Friday, December 19, 2014 @ 04:38:02
Author: eric
Revision: 227774
upgpkg: jasper 1.900.1-12
Add CVE patches (close FS#43155)
Added:
jasper/trunk/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
jasper/trunk/jasper-1.900.1-CVE-2014-8137.patch
jasper/trunk/jasper-1.900.1-CVE-2014-8138.patch
jasper/trunk/jasper-1.900.1-fix-filename-buffer-overflow.patch
jasper/trunk/jasper-avoid-assert-abort.diff
Modified:
jasper/trunk/PKGBUILD
------------------------------------------------------+
PKGBUILD | 19 ++++++-
jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch | 30 +++++++++++
jasper-1.900.1-CVE-2014-8137.patch | 43 +++++++++++++++++
jasper-1.900.1-CVE-2014-8138.patch | 14 +++++
jasper-1.900.1-fix-filename-buffer-overflow.patch | 37 ++++++++++++++
jasper-avoid-assert-abort.diff | 14 +++++
6 files changed, 154 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-12-19 03:10:51 UTC (rev 227773)
+++ PKGBUILD 2014-12-19 03:38:02 UTC (rev 227774)
@@ -3,7 +3,7 @@
pkgname=jasper
pkgver=1.900.1
-pkgrel=11
+pkgrel=12
pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
arch=('i686' 'x86_64')
url="http://www.ece.uvic.ca/~mdadams/jasper/"
@@ -14,13 +14,21 @@
source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}.zip
patch-libjasper-stepsizes-overflow.diff jasper-1.900.1-CVE-2008-3520.patch
jpc_dec.c.patch jasper-1.900.1-CVE-2008-3522.patch
- jasper-1.900.1-CVE-2014-9029.patch)
+ jasper-1.900.1-CVE-2014-8137.patch jasper-avoid-assert-abort.diff
+ jasper-1.900.1-CVE-2014-8138.patch jasper-1.900.1-CVE-2014-9029.patch
+ jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
+ jasper-1.900.1-fix-filename-buffer-overflow.patch)
sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191'
'f298566fef08c8a589d072582112cd51c72c3983'
'2483dba925670bf29f531d85d73c4e5ada513b01'
'c1a0176a15210c0af14d85e55ce566921957d780'
'0e7b6142cd9240ffb15a1ed7297c43c76fa09ee4'
- 'f5fe80c8576379d34f372f6a7c6a76630ab9fdcd')
+ '437519aaaeff6076d11cdbea82125dbcac6f729b'
+ '98548b610a7319e569ee0425a32dc1d31a8771d2'
+ '6086e717af2f0a026f70e399e28fe115f08a8cc1'
+ 'f5fe80c8576379d34f372f6a7c6a76630ab9fdcd'
+ '3bfb37a4c732caa824563bad2603fcf5f2acf7f7'
+ '577dfce40da75818c4d32eb1c4532b1370950bee')
prepare() {
cd ${pkgname}-${pkgver}
@@ -29,6 +37,11 @@
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3520.patch"
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3522.patch"
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-9029.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8137.patch"
+ patch -p1 -i "${srcdir}/jasper-avoid-assert-abort.diff"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8138.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch"
}
build() {
Added: jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
===================================================================
--- jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch (rev 0)
+++ jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch 2014-12-19 03:38:02 UTC (rev 227774)
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2011-4516 and CVE-2011-4517
+ This patch fixes a possible denial of service and code execution via
+ heap-based buffer overflows.
+Author: Michael Gilbert <michael.s.gilbert at gmail.com>
+Origin: Patch thanks to Red Hat
+
+Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+===================================================================
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:34.186909298 -0500
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:51.198909832 -0500
+@@ -744,6 +744,10 @@
+ return -1;
+ }
+ compparms->numrlvls = compparms->numdlvls + 1;
++ if (compparms->numrlvls > JPC_MAXRLVLS) {
++ jpc_cox_destroycompparms(compparms);
++ return -1;
++ }
+ if (prtflag) {
+ for (i = 0; i < compparms->numrlvls; ++i) {
+ if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@
+ jpc_crgcomp_t *comp;
+ uint_fast16_t compno;
+ crg->numcomps = cstate->numcomps;
+- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
+ return -1;
+ }
+ for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
Added: jasper-1.900.1-CVE-2014-8137.patch
===================================================================
--- jasper-1.900.1-CVE-2014-8137.patch (rev 0)
+++ jasper-1.900.1-CVE-2014-8137.patch 2014-12-19 03:38:02 UTC (rev 227774)
@@ -0,0 +1,43 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ return 0;
+
+ error:
+- jas_icccurv_destroy(attrval);
+ return -1;
+ }
+
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ return 0;
+ error:
+- jas_icctxtdesc_destroy(attrval);
+ return -1;
+ }
+
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ goto error;
+ return 0;
+ error:
+- if (txt->string)
+- jas_free(txt->string);
+ return -1;
+ }
+
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ goto error;
+ return 0;
+ error:
+- jas_icclut8_destroy(attrval);
+ return -1;
+ }
+
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ goto error;
+ return 0;
+ error:
+- jas_icclut16_destroy(attrval);
+ return -1;
+ }
+
Added: jasper-1.900.1-CVE-2014-8138.patch
===================================================================
--- jasper-1.900.1-CVE-2014-8138.patch (rev 0)
+++ jasper-1.900.1-CVE-2014-8138.patch 2014-12-19 03:38:02 UTC (rev 227774)
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100
+@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ /* Determine the type of each component. */
+ if (dec->cdef) {
+ for (i = 0; i < dec->numchans; ++i) {
++ /* Is the channel number reasonable? */
++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++ jas_eprintf("error: invalid channel number in CDEF box\n");
++ goto error;
++ }
+ jas_image_setcmpttype(dec->image,
+ dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ jp2_getct(jas_image_clrspc(dec->image),
Added: jasper-1.900.1-fix-filename-buffer-overflow.patch
===================================================================
--- jasper-1.900.1-fix-filename-buffer-overflow.patch (rev 0)
+++ jasper-1.900.1-fix-filename-buffer-overflow.patch 2014-12-19 03:38:02 UTC (rev 227774)
@@ -0,0 +1,37 @@
+Description: Filename buffer overflow fix
+ This patch fixes a security hole by a bad buffer size handling.
+Author: Roland Stigge <stigge at antcom.de>
+Bug-Debian: http://bugs.debian.org/645118
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -77,6 +77,7 @@
+ #include <jasper/jas_config.h>
+
+ #include <stdio.h>
++#include <limits.h>
+ #if defined(HAVE_FCNTL_H)
+ #include <fcntl.h>
+ #endif
+@@ -99,6 +100,12 @@ extern "C" {
+ #define O_BINARY 0
+ #endif
+
++#ifdef PATH_MAX
++#define JAS_PATH_MAX PATH_MAX
++#else
++#define JAS_PATH_MAX 4096
++#endif
++
+ /*
+ * Stream open flags.
+ */
+@@ -251,7 +258,7 @@ typedef struct {
+ typedef struct {
+ int fd;
+ int flags;
+- char pathname[L_tmpnam + 1];
++ char pathname[JAS_PATH_MAX + 1];
+ } jas_stream_fileobj_t;
+
+ #define JAS_STREAM_FILEOBJ_DELONCLOSE 0x01
Added: jasper-avoid-assert-abort.diff
===================================================================
--- jasper-avoid-assert-abort.diff (rev 0)
+++ jasper-avoid-assert-abort.diff 2014-12-19 03:38:02 UTC (rev 227774)
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ case JP2_COLR_ICC:
+ iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ dec->colr->data.colr.iccplen);
+- assert(iccprof);
++ if (!iccprof) {
++ jas_eprintf("error: failed to parse ICC profile\n");
++ goto error;
++ }
+ jas_iccprof_gethdr(iccprof, &icchdr);
+ jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
More information about the arch-commits
mailing list