-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | PKGBUILD | 20 | ||||
-rw-r--r-- | jasper-1.900.1-CVE-2015-5203.patch | 197 | ||||
-rw-r--r-- | jasper-1.900.1-CVE-2016-1577.patch | 14 | ||||
-rw-r--r-- | jasper-1.900.1-CVE-2016-2089.patch | 90 | ||||
-rw-r--r-- | jasper-1.900.1-CVE-2016-2116.patch | 14 |
6 files changed, 138 insertions, 207 deletions
@@ -3,7 +3,7 @@ pkgbase = jasper pkgdesc = A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard pkgver = 1.900.1 - pkgrel = 14 + pkgrel = 15 url = http://www.ece.uvic.ca/~mdadams/jasper/ arch = i686 arch = x86_64 @@ -27,7 +27,9 @@ pkgbase = jasper source = jasper-1.900.1-fix-filename-buffer-overflow.patch source = jasper-1.900.1-CVE-2014-8157.patch source = jasper-1.900.1-CVE-2014-8158.patch - source = jasper-1.900.1-CVE-2015-5203.patch + source = jasper-1.900.1-CVE-2016-1577.patch + source = jasper-1.900.1-CVE-2016-2089.patch + source = jasper-1.900.1-CVE-2016-2116.patch sha1sums = 9c5735f773922e580bf98c7c7dfda9bbed4c5191 sha1sums = f298566fef08c8a589d072582112cd51c72c3983 sha1sums = 2483dba925670bf29f531d85d73c4e5ada513b01 @@ -41,7 +43,9 @@ pkgbase = jasper sha1sums = 577dfce40da75818c4d32eb1c4532b1370950bee sha1sums = aaf96946073d2ece35f3695e8cc7956b5cad9a1d sha1sums = e69b339de43d1dc2fbb98368cee3d20f76d35941 - sha1sums = b28a15079e6c5dd4cde8d63c21763c8abb9d187c + sha1sums = 70dafcbcf76e32d8601e2ed11712d018d38d7f56 + sha1sums = 06f89116508b1498e97a41ae07e15a4f049e671d + sha1sums = 101de5e73ebd690c08a7c1d7639fb35ede41faa3 pkgname = jasper @@ -3,7 +3,7 @@ pkgname=jasper pkgver=1.900.1 -pkgrel=14 +pkgrel=15 pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard" arch=('i686' 'x86_64') url="http://www.ece.uvic.ca/~mdadams/jasper/" 
@@ -16,11 +16,13 @@ source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver} jpc_dec.c.patch jasper-1.900.1-CVE-2008-3522.patch jasper-1.900.1-CVE-2014-8137.patch jasper-avoid-assert-abort.diff jasper-1.900.1-CVE-2014-8138.patch jasper-1.900.1-CVE-2014-9029.patch - jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch + jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch jasper-1.900.1-fix-filename-buffer-overflow.patch - jasper-1.900.1-CVE-2014-8157.patch - jasper-1.900.1-CVE-2014-8158.patch - jasper-1.900.1-CVE-2015-5203.patch) + jasper-1.900.1-CVE-2014-8157.patch + jasper-1.900.1-CVE-2014-8158.patch + jasper-1.900.1-CVE-2016-1577.patch + jasper-1.900.1-CVE-2016-2089.patch + jasper-1.900.1-CVE-2016-2116.patch) sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191' 'f298566fef08c8a589d072582112cd51c72c3983' '2483dba925670bf29f531d85d73c4e5ada513b01' @@ -34,7 +36,9 @@ sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191' '577dfce40da75818c4d32eb1c4532b1370950bee' 'aaf96946073d2ece35f3695e8cc7956b5cad9a1d' 'e69b339de43d1dc2fbb98368cee3d20f76d35941' - 'b28a15079e6c5dd4cde8d63c21763c8abb9d187c') + '70dafcbcf76e32d8601e2ed11712d018d38d7f56' + '06f89116508b1498e97a41ae07e15a4f049e671d' + '101de5e73ebd690c08a7c1d7639fb35ede41faa3') prepare() { cd ${pkgname}-${pkgver} @@ -50,7 +54,9 @@ prepare() { patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch" patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8157.patch" patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8158.patch" - patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2015-5203.patch" + patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2016-1577.patch" + patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2016-2089.patch" + patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2016-2116.patch" } build() { diff --git a/jasper-1.900.1-CVE-2015-5203.patch b/jasper-1.900.1-CVE-2015-5203.patch deleted file mode 100644 index c4b9b649c4e3..000000000000 --- a/jasper-1.900.1-CVE-2015-5203.patch +++ /dev/null 
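Review bot: The CVE-2015-5203 patch is dropped from `source=()` here and from `prepare()` in the last PKGBUILD hunk, and none of the three patches added in its place touches the files it changed (jas_stream.c, jas_stream.h, jpc_qmfb.c, mif_cod.c). The added patches modify only jas_icc.c, jas_image.c and jas_seq.c, so after this release the `int` to `size_t` buffer-size change is no longer applied to the build. If the removal is deliberate, for example because the patch caused regressions, a comment next to the patch list should say so and name what now covers CVE-2015-5203; otherwise keep `jasper-1.900.1-CVE-2015-5203.patch` in both lists.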
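Review bot: The three new entries are pinned with `sha1sums` only, and the upstream tarball at the top of `source=()` is fetched over plain `http://`, so this array is the only integrity check on what gets built. SHA-1 is no longer collision-resistant; the whole array should be converted to `sha256sums=(...)`, regenerated with `updpkgsums` (or `makepkg -g`), with the matching change in .SRCINFO.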
@@ -1,197 +0,0 @@ -From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001 -From: mancha <mancha1 AT zoho DOT com> -Date: Mon, 17 Aug 2015 -Subject: CVE-2015-5203 - -Prevent integer conversion errors. - -jasper is vulnerable to integer conversion errors that can be leveraged, -via crafted input, to trigger faults such as double free's. This patch -addresses that by using size_t for buffer sizes. - ---- - src/libjasper/base/jas_stream.c | 10 +++++----- - src/libjasper/include/jasper/jas_stream.h | 8 ++++---- - src/libjasper/jpc/jpc_qmfb.c | 16 ++++++++-------- - src/libjasper/mif/mif_cod.c | 4 ++-- - 4 files changed, 19 insertions(+), 19 deletions(-) - ---- a/src/libjasper/include/jasper/jas_stream.h -+++ b/src/libjasper/include/jasper/jas_stream.h -@@ -215,7 +215,7 @@ typedef struct { - uchar *bufstart_; - - /* The buffer size. */ -- int bufsize_; -+ size_t bufsize_; - - /* The current position in the buffer. */ - uchar *ptr_; -@@ -267,7 +267,7 @@ typedef struct { - uchar *buf_; - - /* The allocated size of the buffer for holding file data. */ -- int bufsize_; -+ size_t bufsize_; - - /* The length of the file. */ - int_fast32_t len_; -@@ -291,7 +291,7 @@ typedef struct { - jas_stream_t *jas_stream_fopen(const char *filename, const char *mode); - - /* Open a memory buffer as a stream. */ --jas_stream_t *jas_stream_memopen(char *buf, int bufsize); -+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize); - - /* Open a file descriptor as a stream. */ - jas_stream_t *jas_stream_fdopen(int fd, const char *mode); -@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre - int jas_stream_puts(jas_stream_t *stream, const char *s); - - /* Read a line of input from a stream. */ --char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize); -+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize); - - /* Look at the next character to be read from a stream without actually - removing it from the stream. 
*/ ---- a/src/libjasper/base/jas_stream.c -+++ b/src/libjasper/base/jas_stream.c -@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char - static void jas_stream_destroy(jas_stream_t *stream); - static jas_stream_t *jas_stream_create(void); - static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf, -- int bufsize); -+ size_t bufsize); - - static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt); - static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt); -@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create() - return stream; - } - --jas_stream_t *jas_stream_memopen(char *buf, int bufsize) -+jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize) - { - jas_stream_t *stream; - jas_stream_memobj_t *obj; -@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream - return 0; - } - --char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize) -+char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize) - { - int c; - char *bufptr; -@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea - \******************************************************************************/ - - static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf, -- int bufsize) -+ size_t bufsize) - { - /* If this function is being called, the buffer should not have been - initialized yet. 
*/ -@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob - return cnt; - } - --static int mem_resize(jas_stream_memobj_t *m, int bufsize) -+static int mem_resize(jas_stream_memobj_t *m, size_t bufsize) - { - unsigned char *buf; - ---- a/src/libjasper/jpc/jpc_qmfb.c -+++ b/src/libjasper/jpc/jpc_qmfb.c -@@ -305,7 +305,7 @@ jpc_qmfb2d_t jpc_ns_qmfb2d = { - void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numcols, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1); - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr;#if !defined(HAVE_VLA) -@@ -373,7 +373,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in - int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; - jpc_fix_t *buf = splitbuf; - register jpc_fix_t *srcptr; -@@ -441,7 +441,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a, - int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; -@@ -530,7 +530,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - int stride, int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE]; - jpc_fix_t *buf = splitbuf; - jpc_fix_t *srcptr; -@@ -618,7 +618,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a, - void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numcols, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1); - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; -@@ -683,7 +683,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int - int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = 
JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE]; - jpc_fix_t *buf = joinbuf; - register jpc_fix_t *srcptr; -@@ -748,7 +748,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a, - int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; -@@ -834,7 +834,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a, - int stride, int parity) - { - -- int bufsize = JPC_CEILDIVPOW2(numrows, 1); -+ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1); - jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE]; - jpc_fix_t *buf = joinbuf; - jpc_fix_t *srcptr; ---- a/src/libjasper/mif/mif_cod.c -+++ b/src/libjasper/mif/mif_cod.c -@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j - static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt); - static mif_cmpt_t *mif_cmpt_create(void); - static void mif_cmpt_destroy(mif_cmpt_t *cmpt); --static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize); -+static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize); - static int mif_getc(jas_stream_t *in); - static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image); - -@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t - * MIF parsing code. - \******************************************************************************/ - --static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize) -+static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize) - { - int c; - char *bufptr; diff --git a/jasper-1.900.1-CVE-2016-1577.patch b/jasper-1.900.1-CVE-2016-1577.patch new file mode 100644 index 000000000000..ff2f1d61a1b5 --- /dev/null +++ b/jasper-1.900.1-CVE-2016-1577.patch 
@@ -0,0 +1,14 @@
+Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
+Author: Tyler Hicks <tyhicks@canonical.com>
+Bug-Ubuntu: https://launchpad.net/bugs/1547865
+
+--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c
++++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c
+@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
+ goto error;
+ jas_iccattrval_destroy(attrval);
++ attrval = 0;
+ } else {
+ #if 0
+ jas_eprintf("warning: skipping unknown tag type\n");
diff --git a/jasper-1.900.1-CVE-2016-2089.patch b/jasper-1.900.1-CVE-2016-2089.patch
new file mode 100644
index 000000000000..95d4b6111144
--- /dev/null
+++ b/jasper-1.900.1-CVE-2016-2089.patch
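Review bot: The added `attrval = 0;` in jasper-1.900.1-CVE-2016-1577.patch reads like a dead store unless the reader knows that the `error:` path, which is outside this hunk, presumably destroys a non-null `attrval`. A short comment on that line would keep it from being removed in a later cleanup, for example `/* already destroyed above; clear so the error path does not free it again */`. The patch header also has no `Origin:` or `Forwarded:` field, unlike the CVE-2016-2089 patch, so it is not clear from the file whether upstream carries the fix.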
@@ -0,0 +1,90 @@
+Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
+Origin: vendor
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636
+Bug-Debian: https://bugs.debian.org/812978
+Forwarded: not-needed
+Author: Tomas Hoger <thoger@redhat.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-03-05
+
+--- a/src/libjasper/base/jas_image.c
++++ b/src/libjasper/base/jas_image.c
+@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag
+ return -1;
+ }
+
++ if (!data->rows_) {
++ return -1;
++ }
++
+ if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ if (jas_matrix_resize(data, height, width)) {
+ return -1;
+@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima
+ return -1;
+ }
+
++ if (!data->rows_) {
++ return -1;
++ }
++
+ if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ return -1;
+ }
+--- a/src/libjasper/base/jas_seq.c
++++ b/src/libjasper/base/jas_seq.c
+@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+ jas_seqent_t *data;
+ int rowstep;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ assert(n >= 0);
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
+@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+ int rowstep;
+ jas_seqent_t *data;
+
++ if (!matrix->rows_) {
++ return;
++ }
++
+ rowstep = jas_matrix_rowstep(matrix);
+ for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ rowstart += rowstep) {
diff --git a/jasper-1.900.1-CVE-2016-2116.patch b/jasper-1.900.1-CVE-2016-2116.patch
new file mode 100644
index 000000000000..ee3f41bfa734
--- /dev/null
+++ b/jasper-1.900.1-CVE-2016-2116.patch
@@ -0,0 +1,14 @@
+Description: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf()
+Author: Tyler Hicks <tyhicks@canonical.com>
+
+--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c
++++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c
+@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
+ jas_stream_close(in);
+ return prof;
+ error:
++ if (in)
++ jas_stream_close(in);
+ return 0;
+ }
+
|
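Review bot: The guards added to the `void` routines in jas_seq.c (`jas_matrix_divpow2`, `jas_matrix_clip`, `jas_matrix_asr`, `jas_matrix_asl`, `jas_matrix_setall`) return silently when `matrix->rows_` is null, so the caller carries on as if the operation had been applied. That removes the null dereference in the `rowstart = matrix->rows_[0]` loop initialiser, but nothing in these hunks rejects the input that produced such a matrix; the callers are outside the patch, so whether they detect it is not visible here. Each guard should carry a comment such as `/* rows_ is null (presumably an empty matrix): nothing to process */`, and any other jas_seq.c routine that indexes `rows_[0]` should be checked for the same pattern. In `jas_image_readcmpt` the new check sits before the `jas_matrix_resize` call, so a matrix passed in with null `rows_` is now refused with -1 instead of being resized; confirm no caller relies on that.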
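Review bot: The new `if (in)` test under `error:` in jasper-1.900.1-CVE-2016-2116.patch is only safe if `in` is either null or a live stream on every path that reaches the label. The declaration and the earlier `goto error` sites of `jas_iccprof_createfrombuf` are outside this hunk. If `in` is declared without an initialiser and any jump to `error:` precedes its assignment, the test reads an indeterminate pointer; declaring it as `jas_stream_t *in = 0;` removes that dependency. The unbraced two-line `if` is also easy to break when the cleanup grows, so braces are worth adding: `if (in) { jas_stream_close(in); }`.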