diff options
-rw-r--r-- | .SRCINFO | 12 | ||||
-rw-r--r-- | PKGBUILD | 19 | ||||
-rw-r--r-- | jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch | 30 | ||||
-rw-r--r-- | jasper-1.900.1-CVE-2014-8137.patch | 43 | ||||
-rw-r--r-- | jasper-1.900.1-CVE-2014-8138.patch | 14 | ||||
-rw-r--r-- | jasper-1.900.1-fix-filename-buffer-overflow.patch | 37 | ||||
-rw-r--r-- | jasper-avoid-assert-abort.diff | 14 |
7 files changed, 165 insertions, 4 deletions
@@ -3,7 +3,7 @@ pkgbase = jasper pkgdesc = A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard pkgver = 1.900.1 - pkgrel = 11 + pkgrel = 12 url = http://www.ece.uvic.ca/~mdadams/jasper/ arch = i686 arch = x86_64 @@ -19,13 +19,23 @@ pkgbase = jasper source = jasper-1.900.1-CVE-2008-3520.patch source = jpc_dec.c.patch source = jasper-1.900.1-CVE-2008-3522.patch + source = jasper-1.900.1-CVE-2014-8137.patch + source = jasper-avoid-assert-abort.diff + source = jasper-1.900.1-CVE-2014-8138.patch source = jasper-1.900.1-CVE-2014-9029.patch + source = jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch + source = jasper-1.900.1-fix-filename-buffer-overflow.patch sha1sums = 9c5735f773922e580bf98c7c7dfda9bbed4c5191 sha1sums = f298566fef08c8a589d072582112cd51c72c3983 sha1sums = 2483dba925670bf29f531d85d73c4e5ada513b01 sha1sums = c1a0176a15210c0af14d85e55ce566921957d780 sha1sums = 0e7b6142cd9240ffb15a1ed7297c43c76fa09ee4 + sha1sums = 437519aaaeff6076d11cdbea82125dbcac6f729b + sha1sums = 98548b610a7319e569ee0425a32dc1d31a8771d2 + sha1sums = 6086e717af2f0a026f70e399e28fe115f08a8cc1 sha1sums = f5fe80c8576379d34f372f6a7c6a76630ab9fdcd + sha1sums = 3bfb37a4c732caa824563bad2603fcf5f2acf7f7 + sha1sums = 577dfce40da75818c4d32eb1c4532b1370950bee pkgname = jasper @@ -3,7 +3,7 @@ pkgname=jasper pkgver=1.900.1 -pkgrel=11 +pkgrel=12 pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard" arch=('i686' 'x86_64') url="http://www.ece.uvic.ca/~mdadams/jasper/" @@ -14,13 +14,21 @@ optdepends=('freeglut: for jiv support' 'glu: for jiv support') source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}.zip patch-libjasper-stepsizes-overflow.diff jasper-1.900.1-CVE-2008-3520.patch jpc_dec.c.patch jasper-1.900.1-CVE-2008-3522.patch - jasper-1.900.1-CVE-2014-9029.patch) + jasper-1.900.1-CVE-2014-8137.patch jasper-avoid-assert-abort.diff + jasper-1.900.1-CVE-2014-8138.patch jasper-1.900.1-CVE-2014-9029.patch + jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch + jasper-1.900.1-fix-filename-buffer-overflow.patch) sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191' 'f298566fef08c8a589d072582112cd51c72c3983' '2483dba925670bf29f531d85d73c4e5ada513b01' 'c1a0176a15210c0af14d85e55ce566921957d780' '0e7b6142cd9240ffb15a1ed7297c43c76fa09ee4' - 'f5fe80c8576379d34f372f6a7c6a76630ab9fdcd') + '437519aaaeff6076d11cdbea82125dbcac6f729b' + '98548b610a7319e569ee0425a32dc1d31a8771d2' + '6086e717af2f0a026f70e399e28fe115f08a8cc1' + 'f5fe80c8576379d34f372f6a7c6a76630ab9fdcd' + '3bfb37a4c732caa824563bad2603fcf5f2acf7f7' + '577dfce40da75818c4d32eb1c4532b1370950bee') prepare() { cd ${pkgname}-${pkgver} @@ -29,6 +37,11 @@ prepare() { patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3520.patch" patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3522.patch" patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-9029.patch" + patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8137.patch" + patch -p1 -i "${srcdir}/jasper-avoid-assert-abort.diff" + patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8138.patch" + patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch" + patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch" } build() { diff --git a/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch b/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch new file mode 100644 index 000000000000..974b0bae47b1 --- /dev/null +++ b/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch @@ -0,0 +1,30 @@ +Description: Fix for CVE-2011-4516 and CVE-2011-4517 + This patch fixes a possible denial of service and code execution via + heap-based buffer overflows. +Author: Michael Gilbert <michael.s.gilbert@gmail.com> +Origin: Patch thanks to Red Hat + +Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +=================================================================== +--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:34.186909298 -0500 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:51.198909832 -0500 +@@ -744,6 +744,10 @@ + return -1; + } + compparms->numrlvls = compparms->numdlvls + 1; ++ if (compparms->numrlvls > JPC_MAXRLVLS) { ++ jpc_cox_destroycompparms(compparms); ++ return -1; ++ } + if (prtflag) { + for (i = 0; i < compparms->numrlvls; ++i) { + if (jpc_getuint8(in, &tmp)) { +@@ -1331,7 +1335,7 @@ + jpc_crgcomp_t *comp; + uint_fast16_t compno; + crg->numcomps = cstate->numcomps; +- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) { ++ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) { + return -1; + } + for (compno = 0, comp = crg->comps; compno < cstate->numcomps; diff --git a/jasper-1.900.1-CVE-2014-8137.patch b/jasper-1.900.1-CVE-2014-8137.patch new file mode 100644 index 000000000000..0397a24c5c4d --- /dev/null +++ b/jasper-1.900.1-CVE-2014-8137.patch @@ -0,0 +1,43 @@ +--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100 +@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr + return 0; + + error: +- jas_icccurv_destroy(attrval); + return -1; + } + +@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca + #endif + return 0; + error: +- jas_icctxtdesc_destroy(attrval); + return -1; + } + +@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv + goto error; + return 0; + error: +- if (txt->string) +- jas_free(txt->string); + return -1; + } + +@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr + goto error; + return 0; + error: +- jas_icclut8_destroy(attrval); + return -1; + } + +@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt + goto error; + return 0; + error: +- jas_icclut16_destroy(attrval); + return -1; + } + diff --git a/jasper-1.900.1-CVE-2014-8138.patch b/jasper-1.900.1-CVE-2014-8138.patch new file mode 100644 index 000000000000..5aaf8abb1d5e --- /dev/null +++ b/jasper-1.900.1-CVE-2014-8138.patch @@ -0,0 +1,14 @@ +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100 +@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in + /* Determine the type of each component. */ + if (dec->cdef) { + for (i = 0; i < dec->numchans; ++i) { ++ /* Is the channel number reasonable? */ ++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { ++ jas_eprintf("error: invalid channel number in CDEF box\n"); ++ goto error; ++ } + jas_image_setcmpttype(dec->image, + dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], + jp2_getct(jas_image_clrspc(dec->image), diff --git a/jasper-1.900.1-fix-filename-buffer-overflow.patch b/jasper-1.900.1-fix-filename-buffer-overflow.patch new file mode 100644 index 000000000000..eba6cbe49a8b --- /dev/null +++ b/jasper-1.900.1-fix-filename-buffer-overflow.patch @@ -0,0 +1,37 @@ +Description: Filename buffer overflow fix + This patch fixes a security hole by a bad buffer size handling. +Author: Roland Stigge <stigge@antcom.de> +Bug-Debian: http://bugs.debian.org/645118 + +--- a/src/libjasper/include/jasper/jas_stream.h ++++ b/src/libjasper/include/jasper/jas_stream.h +@@ -77,6 +77,7 @@ + #include <jasper/jas_config.h> + + #include <stdio.h> ++#include <limits.h> + #if defined(HAVE_FCNTL_H) + #include <fcntl.h> + #endif +@@ -99,6 +100,12 @@ extern "C" { + #define O_BINARY 0 + #endif + ++#ifdef PATH_MAX ++#define JAS_PATH_MAX PATH_MAX ++#else ++#define JAS_PATH_MAX 4096 ++#endif ++ + /* + * Stream open flags. + */ +@@ -251,7 +258,7 @@ typedef struct { + typedef struct { + int fd; + int flags; +- char pathname[L_tmpnam + 1]; ++ char pathname[JAS_PATH_MAX + 1]; + } jas_stream_fileobj_t; + + #define JAS_STREAM_FILEOBJ_DELONCLOSE 0x01 diff --git a/jasper-avoid-assert-abort.diff b/jasper-avoid-assert-abort.diff new file mode 100644 index 000000000000..d3622374c36d --- /dev/null +++ b/jasper-avoid-assert-abort.diff @@ -0,0 +1,14 @@ +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100 +@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in + case JP2_COLR_ICC: + iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, + dec->colr->data.colr.iccplen); +- assert(iccprof); ++ if (!iccprof) { ++ jas_eprintf("error: failed to parse ICC profile\n"); ++ goto error; ++ } + jas_iccprof_gethdr(iccprof, &icchdr); + jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); + jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); |