summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorjgc2016-05-04 10:10:43 +0000
committerJakob Gahde2016-09-26 11:27:20 +0200
commit198b0603b6791c74ee89b17204a3d8bc6e2122d4 (patch)
treea7ac21127ca2e3d0e29634d0f44893618cd532c9
parent3a799ecbaafcc24000b1770cc9078c829a850b43 (diff)
downloadaur-198b0603b6791c74ee89b17204a3d8bc6e2122d4.tar.gz
upgpkg: jasper 1.900.1-15
Revert FS#46056, fixes FS#46161. Apply security fixes from FS48511 git-svn-id: file:///srv/repos/svn-packages/svn@266864 eb2447ed-0c53-47e4-bac8-5bc4a241df78
-rw-r--r--.SRCINFO10
-rw-r--r--PKGBUILD20
-rw-r--r--jasper-1.900.1-CVE-2015-5203.patch197
-rw-r--r--jasper-1.900.1-CVE-2016-1577.patch14
-rw-r--r--jasper-1.900.1-CVE-2016-2089.patch90
-rw-r--r--jasper-1.900.1-CVE-2016-2116.patch14
6 files changed, 138 insertions, 207 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 759af04c49a..13e971e2bfb 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -3,7 +3,7 @@
pkgbase = jasper
pkgdesc = A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard
pkgver = 1.900.1
- pkgrel = 14
+ pkgrel = 15
url = http://www.ece.uvic.ca/~mdadams/jasper/
arch = i686
arch = x86_64
@@ -27,7 +27,9 @@ pkgbase = jasper
source = jasper-1.900.1-fix-filename-buffer-overflow.patch
source = jasper-1.900.1-CVE-2014-8157.patch
source = jasper-1.900.1-CVE-2014-8158.patch
- source = jasper-1.900.1-CVE-2015-5203.patch
+ source = jasper-1.900.1-CVE-2016-1577.patch
+ source = jasper-1.900.1-CVE-2016-2089.patch
+ source = jasper-1.900.1-CVE-2016-2116.patch
sha1sums = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
sha1sums = f298566fef08c8a589d072582112cd51c72c3983
sha1sums = 2483dba925670bf29f531d85d73c4e5ada513b01
@@ -41,7 +43,9 @@ pkgbase = jasper
sha1sums = 577dfce40da75818c4d32eb1c4532b1370950bee
sha1sums = aaf96946073d2ece35f3695e8cc7956b5cad9a1d
sha1sums = e69b339de43d1dc2fbb98368cee3d20f76d35941
- sha1sums = b28a15079e6c5dd4cde8d63c21763c8abb9d187c
+ sha1sums = 70dafcbcf76e32d8601e2ed11712d018d38d7f56
+ sha1sums = 06f89116508b1498e97a41ae07e15a4f049e671d
+ sha1sums = 101de5e73ebd690c08a7c1d7639fb35ede41faa3
pkgname = jasper
diff --git a/PKGBUILD b/PKGBUILD
index c085594bae1..4730571eb41 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@
pkgname=jasper
pkgver=1.900.1
-pkgrel=14
+pkgrel=15
pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
arch=('i686' 'x86_64')
url="http://www.ece.uvic.ca/~mdadams/jasper/"
@@ -16,11 +16,13 @@ source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}
jpc_dec.c.patch jasper-1.900.1-CVE-2008-3522.patch
jasper-1.900.1-CVE-2014-8137.patch jasper-avoid-assert-abort.diff
jasper-1.900.1-CVE-2014-8138.patch jasper-1.900.1-CVE-2014-9029.patch
- jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
+ jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
jasper-1.900.1-fix-filename-buffer-overflow.patch
- jasper-1.900.1-CVE-2014-8157.patch
- jasper-1.900.1-CVE-2014-8158.patch
- jasper-1.900.1-CVE-2015-5203.patch)
+ jasper-1.900.1-CVE-2014-8157.patch
+ jasper-1.900.1-CVE-2014-8158.patch
+ jasper-1.900.1-CVE-2016-1577.patch
+ jasper-1.900.1-CVE-2016-2089.patch
+ jasper-1.900.1-CVE-2016-2116.patch)
sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191'
'f298566fef08c8a589d072582112cd51c72c3983'
'2483dba925670bf29f531d85d73c4e5ada513b01'
@@ -34,7 +36,9 @@ sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191'
'577dfce40da75818c4d32eb1c4532b1370950bee'
'aaf96946073d2ece35f3695e8cc7956b5cad9a1d'
'e69b339de43d1dc2fbb98368cee3d20f76d35941'
- 'b28a15079e6c5dd4cde8d63c21763c8abb9d187c')
+ '70dafcbcf76e32d8601e2ed11712d018d38d7f56'
+ '06f89116508b1498e97a41ae07e15a4f049e671d'
+ '101de5e73ebd690c08a7c1d7639fb35ede41faa3')
prepare() {
cd ${pkgname}-${pkgver}
@@ -50,7 +54,9 @@ prepare() {
patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch"
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8157.patch"
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8158.patch"
- patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2015-5203.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2016-1577.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2016-2089.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2016-2116.patch"
}
build() {
diff --git a/jasper-1.900.1-CVE-2015-5203.patch b/jasper-1.900.1-CVE-2015-5203.patch
deleted file mode 100644
index c4b9b649c4e..00000000000
--- a/jasper-1.900.1-CVE-2015-5203.patch
+++ /dev/null
@@ -1,197 +0,0 @@
-From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001
-From: mancha <mancha1 AT zoho DOT com>
-Date: Mon, 17 Aug 2015
-Subject: CVE-2015-5203
-
-Prevent integer conversion errors.
-
-jasper is vulnerable to integer conversion errors that can be leveraged,
-via crafted input, to trigger faults such as double free's. This patch
-addresses that by using size_t for buffer sizes.
-
----
- src/libjasper/base/jas_stream.c | 10 +++++-----
- src/libjasper/include/jasper/jas_stream.h | 8 ++++----
- src/libjasper/jpc/jpc_qmfb.c | 16 ++++++++--------
- src/libjasper/mif/mif_cod.c | 4 ++--
- 4 files changed, 19 insertions(+), 19 deletions(-)
-
---- a/src/libjasper/include/jasper/jas_stream.h
-+++ b/src/libjasper/include/jasper/jas_stream.h
-@@ -215,7 +215,7 @@ typedef struct {
- uchar *bufstart_;
-
- /* The buffer size. */
-- int bufsize_;
-+ size_t bufsize_;
-
- /* The current position in the buffer. */
- uchar *ptr_;
-@@ -267,7 +267,7 @@ typedef struct {
- uchar *buf_;
-
- /* The allocated size of the buffer for holding file data. */
-- int bufsize_;
-+ size_t bufsize_;
-
- /* The length of the file. */
- int_fast32_t len_;
-@@ -291,7 +291,7 @@ typedef struct {
- jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
-
- /* Open a memory buffer as a stream. */
--jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
-+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
-
- /* Open a file descriptor as a stream. */
- jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
-@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
- int jas_stream_puts(jas_stream_t *stream, const char *s);
-
- /* Read a line of input from a stream. */
--char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
-+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
-
- /* Look at the next character to be read from a stream without actually
- removing it from the stream. */
---- a/src/libjasper/base/jas_stream.c
-+++ b/src/libjasper/base/jas_stream.c
-@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
- static void jas_stream_destroy(jas_stream_t *stream);
- static jas_stream_t *jas_stream_create(void);
- static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
-- int bufsize);
-+ size_t bufsize);
-
- static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
- static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
-@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
- return stream;
- }
-
--jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
-+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
- {
- jas_stream_t *stream;
- jas_stream_memobj_t *obj;
-@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
- return 0;
- }
-
--char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
-+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
- {
- int c;
- char *bufptr;
-@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
- \******************************************************************************/
-
- static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
-- int bufsize)
-+ size_t bufsize)
- {
- /* If this function is being called, the buffer should not have been
- initialized yet. */
-@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
- return cnt;
- }
-
--static int mem_resize(jas_stream_memobj_t *m, int bufsize)
-+static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
- {
- unsigned char *buf;
-
---- a/src/libjasper/jpc/jpc_qmfb.c
-+++ b/src/libjasper/jpc/jpc_qmfb.c
-@@ -305,7 +305,7 @@ jpc_qmfb2d_t jpc_ns_qmfb2d = {
- void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
- {
-
-- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
-+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
- jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
- jpc_fix_t *buf = splitbuf;
- register jpc_fix_t *srcptr;#if !defined(HAVE_VLA)
-@@ -373,7 +373,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
- int parity)
- {
-
-- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
- jpc_fix_t *buf = splitbuf;
- register jpc_fix_t *srcptr;
-@@ -441,7 +441,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
- int parity)
- {
-
-- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
- jpc_fix_t *buf = splitbuf;
- jpc_fix_t *srcptr;
-@@ -530,7 +530,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
- int stride, int parity)
- {
-
-- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
- jpc_fix_t *buf = splitbuf;
- jpc_fix_t *srcptr;
-@@ -618,7 +618,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
- void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
- {
-
-- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
-+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
- jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
- jpc_fix_t *buf = joinbuf;
- register jpc_fix_t *srcptr;
-@@ -683,7 +683,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
- int parity)
- {
-
-- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
- jpc_fix_t *buf = joinbuf;
- register jpc_fix_t *srcptr;
-@@ -748,7 +748,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
- int parity)
- {
-
-- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
- jpc_fix_t *buf = joinbuf;
- jpc_fix_t *srcptr;
-@@ -834,7 +834,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
- int stride, int parity)
- {
-
-- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
-+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
- jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
- jpc_fix_t *buf = joinbuf;
- jpc_fix_t *srcptr;
---- a/src/libjasper/mif/mif_cod.c
-+++ b/src/libjasper/mif/mif_cod.c
-@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
- static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
- static mif_cmpt_t *mif_cmpt_create(void);
- static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
--static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
-+static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
- static int mif_getc(jas_stream_t *in);
- static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
-
-@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
- * MIF parsing code.
- \******************************************************************************/
-
--static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
-+static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
- {
- int c;
- char *bufptr;
diff --git a/jasper-1.900.1-CVE-2016-1577.patch b/jasper-1.900.1-CVE-2016-1577.patch
new file mode 100644
index 00000000000..ff2f1d61a1b
--- /dev/null
+++ b/jasper-1.900.1-CVE-2016-1577.patch
@@ -0,0 +1,14 @@
+Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
+Author: Tyler Hicks <tyhicks@canonical.com>
+Bug-Ubuntu: https://launchpad.net/bugs/1547865
+
+--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c
++++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c
+@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
+ goto error;
+ jas_iccattrval_destroy(attrval);
++ attrval = 0;
+ } else {
+ #if 0
+ jas_eprintf("warning: skipping unknown tag type\n");
diff --git a/jasper-1.900.1-CVE-2016-2089.patch b/jasper-1.900.1-CVE-2016-2089.patch
new file mode 100644
index 00000000000..95d4b611114
--- /dev/null
+++ b/jasper-1.900.1-CVE-2016-2089.patch
@@ -0,0 +1,90 @@
+Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
+Origin: vendor
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636
+Bug-Debian: https://bugs.debian.org/812978
+Forwarded: not-needed
+Author: Tomas Hoger <thoger@redhat.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-03-05
+
+--- a/src/libjasper/base/jas_image.c
++++ b/src/libjasper/base/jas_image.c
+@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag
+ return -1;
+ }
+
++ if (!data->rows_) {
++ return -1;
++ }
++
+ if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ if (jas_matrix_resize(data, height, width)) {
+ return -1;
+@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima
+ return -1;
+ }
+
++ if (!data->rows_) {
++ return -1;
++ }
++
+ if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ return -1;
+ }
+--- a/src/libjasper/base/jas_seq.c
++++ b/src/libjasper/base/jas_seq.c
+@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+ jas_seqent_t *data;
+ int rowstep;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ assert(n >= 0);
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
diff --git a/jasper-1.900.1-CVE-2016-2116.patch b/jasper-1.900.1-CVE-2016-2116.patch
new file mode 100644
index 00000000000..ee3f41bfa73
--- /dev/null
+++ b/jasper-1.900.1-CVE-2016-2116.patch
@@ -0,0 +1,14 @@
+Description: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf()
+Author: Tyler Hicks <tyhicks@canonical.com>
+
+--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c
++++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c
+@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
+ jas_stream_close(in);
+ return prof;
+ error:
++ if (in)
++ jas_stream_close(in);
+ return 0;
+ }
+