summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authoreric2015-08-22 00:15:49 +0000
committerJakob Gahde2016-09-26 11:27:19 +0200
commit3a799ecbaafcc24000b1770cc9078c829a850b43 (patch)
tree709d60ca3ab57ada11eb55b9c88f0c41b5938325
parente82fd4e233b4c52fbefdf00ce48b16306790e2d3 (diff)
downloadaur-3a799ecbaafcc24000b1770cc9078c829a850b43.tar.gz
upgpkg: jasper 1.900.1-14
Add security fix for CVE-2015-5203 git-svn-id: file:///srv/repos/svn-packages/svn@244482 eb2447ed-0c53-47e4-bac8-5bc4a241df78
-rw-r--r--.SRCINFO6
-rw-r--r--PKGBUILD9
-rw-r--r--jasper-1.900.1-CVE-2015-5203.patch197
3 files changed, 207 insertions, 5 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 00c1ef5b664..759af04c49a 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,9 +1,9 @@
# Generated by mksrcinfo v8
-# Mon Sep 26 04:26:51 UTC 2016
+# Mon Sep 26 04:26:52 UTC 2016
pkgbase = jasper
pkgdesc = A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard
pkgver = 1.900.1
- pkgrel = 13
+ pkgrel = 14
url = http://www.ece.uvic.ca/~mdadams/jasper/
arch = i686
arch = x86_64
@@ -27,6 +27,7 @@ pkgbase = jasper
source = jasper-1.900.1-fix-filename-buffer-overflow.patch
source = jasper-1.900.1-CVE-2014-8157.patch
source = jasper-1.900.1-CVE-2014-8158.patch
+ source = jasper-1.900.1-CVE-2015-5203.patch
sha1sums = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
sha1sums = f298566fef08c8a589d072582112cd51c72c3983
sha1sums = 2483dba925670bf29f531d85d73c4e5ada513b01
@@ -40,6 +41,7 @@ pkgbase = jasper
sha1sums = 577dfce40da75818c4d32eb1c4532b1370950bee
sha1sums = aaf96946073d2ece35f3695e8cc7956b5cad9a1d
sha1sums = e69b339de43d1dc2fbb98368cee3d20f76d35941
+ sha1sums = b28a15079e6c5dd4cde8d63c21763c8abb9d187c
pkgname = jasper
diff --git a/PKGBUILD b/PKGBUILD
index f165e1e5ec9..c085594bae1 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@
pkgname=jasper
pkgver=1.900.1
-pkgrel=13
+pkgrel=14
pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
arch=('i686' 'x86_64')
url="http://www.ece.uvic.ca/~mdadams/jasper/"
@@ -19,7 +19,8 @@ source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}
jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
jasper-1.900.1-fix-filename-buffer-overflow.patch
jasper-1.900.1-CVE-2014-8157.patch
- jasper-1.900.1-CVE-2014-8158.patch)
+ jasper-1.900.1-CVE-2014-8158.patch
+ jasper-1.900.1-CVE-2015-5203.patch)
sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191'
'f298566fef08c8a589d072582112cd51c72c3983'
'2483dba925670bf29f531d85d73c4e5ada513b01'
@@ -32,7 +33,8 @@ sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191'
'3bfb37a4c732caa824563bad2603fcf5f2acf7f7'
'577dfce40da75818c4d32eb1c4532b1370950bee'
'aaf96946073d2ece35f3695e8cc7956b5cad9a1d'
- 'e69b339de43d1dc2fbb98368cee3d20f76d35941')
+ 'e69b339de43d1dc2fbb98368cee3d20f76d35941'
+ 'b28a15079e6c5dd4cde8d63c21763c8abb9d187c')
prepare() {
cd ${pkgname}-${pkgver}
@@ -48,6 +50,7 @@ prepare() {
patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch"
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8157.patch"
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8158.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2015-5203.patch"
}
build() {
diff --git a/jasper-1.900.1-CVE-2015-5203.patch b/jasper-1.900.1-CVE-2015-5203.patch
new file mode 100644
index 00000000000..c4b9b649c4e
--- /dev/null
+++ b/jasper-1.900.1-CVE-2015-5203.patch
@@ -0,0 +1,197 @@
+From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 17 Aug 2015
+Subject: CVE-2015-5203
+
+Prevent integer conversion errors.
+
+jasper is vulnerable to integer conversion errors that can be leveraged,
+via crafted input, to trigger faults such as double free's. This patch
+addresses that by using size_t for buffer sizes.
+
+---
+ src/libjasper/base/jas_stream.c | 10 +++++-----
+ src/libjasper/include/jasper/jas_stream.h | 8 ++++----
+ src/libjasper/jpc/jpc_qmfb.c | 16 ++++++++--------
+ src/libjasper/mif/mif_cod.c | 4 ++--
+ 4 files changed, 19 insertions(+), 19 deletions(-)
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -215,7 +215,7 @@ typedef struct {
+ uchar *bufstart_;
+
+ /* The buffer size. */
+- int bufsize_;
++ size_t bufsize_;
+
+ /* The current position in the buffer. */
+ uchar *ptr_;
+@@ -267,7 +267,7 @@ typedef struct {
+ uchar *buf_;
+
+ /* The allocated size of the buffer for holding file data. */
+- int bufsize_;
++ size_t bufsize_;
+
+ /* The length of the file. */
+ int_fast32_t len_;
+@@ -291,7 +291,7 @@ typedef struct {
+ jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
+
+ /* Open a memory buffer as a stream. */
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
+
+ /* Open a file descriptor as a stream. */
+ jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
+@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
+ int jas_stream_puts(jas_stream_t *stream, const char *s);
+
+ /* Read a line of input from a stream. */
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
+
+ /* Look at the next character to be read from a stream without actually
+ removing it from the stream. */
+--- a/src/libjasper/base/jas_stream.c
++++ b/src/libjasper/base/jas_stream.c
+@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
+ static void jas_stream_destroy(jas_stream_t *stream);
+ static jas_stream_t *jas_stream_create(void);
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize);
++ size_t bufsize);
+
+ static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
+ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
+@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
+ return stream;
+ }
+
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
+ {
+ jas_stream_t *stream;
+ jas_stream_memobj_t *obj;
+@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
+ return 0;
+ }
+
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ int c;
+ char *bufptr;
+@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
+ \******************************************************************************/
+
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize)
++ size_t bufsize)
+ {
+ /* If this function is being called, the buffer should not have been
+ initialized yet. */
+@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
+ return cnt;
+ }
+
+-static int mem_resize(jas_stream_memobj_t *m, int bufsize)
++static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
+ {
+ unsigned char *buf;
+
+--- a/src/libjasper/jpc/jpc_qmfb.c
++++ b/src/libjasper/jpc/jpc_qmfb.c
+@@ -305,7 +305,7 @@ jpc_qmfb2d_t jpc_ns_qmfb2d = {
+ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;#if !defined(HAVE_VLA)
+@@ -373,7 +373,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ jpc_fix_t *buf = splitbuf;
+ register jpc_fix_t *srcptr;
+@@ -441,7 +441,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+@@ -530,7 +530,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ int stride, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = splitbuf;
+ jpc_fix_t *srcptr;
+@@ -618,7 +618,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+@@ -683,7 +683,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ jpc_fix_t *buf = joinbuf;
+ register jpc_fix_t *srcptr;
+@@ -748,7 +748,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+@@ -834,7 +834,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ int stride, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ jpc_fix_t *buf = joinbuf;
+ jpc_fix_t *srcptr;
+--- a/src/libjasper/mif/mif_cod.c
++++ b/src/libjasper/mif/mif_cod.c
+@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
+ static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
+ static mif_cmpt_t *mif_cmpt_create(void);
+ static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
+-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
++static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
+ static int mif_getc(jas_stream_t *in);
+ static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
+
+@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
+ * MIF parsing code.
+ \******************************************************************************/
+
+-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
++static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ int c;
+ char *bufptr;