summarylogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.SRCINFO12
-rw-r--r--PKGBUILD19
-rw-r--r--jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch30
-rw-r--r--jasper-1.900.1-CVE-2014-8137.patch43
-rw-r--r--jasper-1.900.1-CVE-2014-8138.patch14
-rw-r--r--jasper-1.900.1-fix-filename-buffer-overflow.patch37
-rw-r--r--jasper-avoid-assert-abort.diff14
7 files changed, 165 insertions, 4 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 4b90a836f2e9..9c238704ecab 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -3,7 +3,7 @@
pkgbase = jasper
pkgdesc = A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard
pkgver = 1.900.1
- pkgrel = 11
+ pkgrel = 12
url = http://www.ece.uvic.ca/~mdadams/jasper/
arch = i686
arch = x86_64
@@ -19,13 +19,23 @@ pkgbase = jasper
source = jasper-1.900.1-CVE-2008-3520.patch
source = jpc_dec.c.patch
source = jasper-1.900.1-CVE-2008-3522.patch
+ source = jasper-1.900.1-CVE-2014-8137.patch
+ source = jasper-avoid-assert-abort.diff
+ source = jasper-1.900.1-CVE-2014-8138.patch
source = jasper-1.900.1-CVE-2014-9029.patch
+ source = jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
+ source = jasper-1.900.1-fix-filename-buffer-overflow.patch
sha1sums = 9c5735f773922e580bf98c7c7dfda9bbed4c5191
sha1sums = f298566fef08c8a589d072582112cd51c72c3983
sha1sums = 2483dba925670bf29f531d85d73c4e5ada513b01
sha1sums = c1a0176a15210c0af14d85e55ce566921957d780
sha1sums = 0e7b6142cd9240ffb15a1ed7297c43c76fa09ee4
+ sha1sums = 437519aaaeff6076d11cdbea82125dbcac6f729b
+ sha1sums = 98548b610a7319e569ee0425a32dc1d31a8771d2
+ sha1sums = 6086e717af2f0a026f70e399e28fe115f08a8cc1
sha1sums = f5fe80c8576379d34f372f6a7c6a76630ab9fdcd
+ sha1sums = 3bfb37a4c732caa824563bad2603fcf5f2acf7f7
+ sha1sums = 577dfce40da75818c4d32eb1c4532b1370950bee
pkgname = jasper
diff --git a/PKGBUILD b/PKGBUILD
index a6846389e278..fa4d376140fc 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@
pkgname=jasper
pkgver=1.900.1
-pkgrel=11
+pkgrel=12
pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
arch=('i686' 'x86_64')
url="http://www.ece.uvic.ca/~mdadams/jasper/"
@@ -14,13 +14,21 @@ optdepends=('freeglut: for jiv support' 'glu: for jiv support')
source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}.zip
patch-libjasper-stepsizes-overflow.diff jasper-1.900.1-CVE-2008-3520.patch
jpc_dec.c.patch jasper-1.900.1-CVE-2008-3522.patch
- jasper-1.900.1-CVE-2014-9029.patch)
+ jasper-1.900.1-CVE-2014-8137.patch jasper-avoid-assert-abort.diff
+ jasper-1.900.1-CVE-2014-8138.patch jasper-1.900.1-CVE-2014-9029.patch
+ jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
+ jasper-1.900.1-fix-filename-buffer-overflow.patch)
sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191'
'f298566fef08c8a589d072582112cd51c72c3983'
'2483dba925670bf29f531d85d73c4e5ada513b01'
'c1a0176a15210c0af14d85e55ce566921957d780'
'0e7b6142cd9240ffb15a1ed7297c43c76fa09ee4'
- 'f5fe80c8576379d34f372f6a7c6a76630ab9fdcd')
+ '437519aaaeff6076d11cdbea82125dbcac6f729b'
+ '98548b610a7319e569ee0425a32dc1d31a8771d2'
+ '6086e717af2f0a026f70e399e28fe115f08a8cc1'
+ 'f5fe80c8576379d34f372f6a7c6a76630ab9fdcd'
+ '3bfb37a4c732caa824563bad2603fcf5f2acf7f7'
+ '577dfce40da75818c4d32eb1c4532b1370950bee')
prepare() {
cd ${pkgname}-${pkgver}
@@ -29,6 +37,11 @@ prepare() {
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3520.patch"
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3522.patch"
patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-9029.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8137.patch"
+ patch -p1 -i "${srcdir}/jasper-avoid-assert-abort.diff"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8138.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch"
+ patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch"
}
build() {
diff --git a/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch b/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
new file mode 100644
index 000000000000..974b0bae47b1
--- /dev/null
+++ b/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2011-4516 and CVE-2011-4517
+ This patch fixes a possible denial of service and code execution via
+ heap-based buffer overflows.
+Author: Michael Gilbert <michael.s.gilbert@gmail.com>
+Origin: Patch thanks to Red Hat
+
+Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+===================================================================
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:34.186909298 -0500
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-12-19 09:35:51.198909832 -0500
+@@ -744,6 +744,10 @@
+ return -1;
+ }
+ compparms->numrlvls = compparms->numdlvls + 1;
++ if (compparms->numrlvls > JPC_MAXRLVLS) {
++ jpc_cox_destroycompparms(compparms);
++ return -1;
++ }
+ if (prtflag) {
+ for (i = 0; i < compparms->numrlvls; ++i) {
+ if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@
+ jpc_crgcomp_t *comp;
+ uint_fast16_t compno;
+ crg->numcomps = cstate->numcomps;
+- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
+ return -1;
+ }
+ for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
diff --git a/jasper-1.900.1-CVE-2014-8137.patch b/jasper-1.900.1-CVE-2014-8137.patch
new file mode 100644
index 000000000000..0397a24c5c4d
--- /dev/null
+++ b/jasper-1.900.1-CVE-2014-8137.patch
@@ -0,0 +1,43 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ return 0;
+
+ error:
+- jas_icccurv_destroy(attrval);
+ return -1;
+ }
+
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ return 0;
+ error:
+- jas_icctxtdesc_destroy(attrval);
+ return -1;
+ }
+
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ goto error;
+ return 0;
+ error:
+- if (txt->string)
+- jas_free(txt->string);
+ return -1;
+ }
+
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ goto error;
+ return 0;
+ error:
+- jas_icclut8_destroy(attrval);
+ return -1;
+ }
+
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ goto error;
+ return 0;
+ error:
+- jas_icclut16_destroy(attrval);
+ return -1;
+ }
+
diff --git a/jasper-1.900.1-CVE-2014-8138.patch b/jasper-1.900.1-CVE-2014-8138.patch
new file mode 100644
index 000000000000..5aaf8abb1d5e
--- /dev/null
+++ b/jasper-1.900.1-CVE-2014-8138.patch
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100
+@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ /* Determine the type of each component. */
+ if (dec->cdef) {
+ for (i = 0; i < dec->numchans; ++i) {
++ /* Is the channel number reasonable? */
++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++ jas_eprintf("error: invalid channel number in CDEF box\n");
++ goto error;
++ }
+ jas_image_setcmpttype(dec->image,
+ dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ jp2_getct(jas_image_clrspc(dec->image),
diff --git a/jasper-1.900.1-fix-filename-buffer-overflow.patch b/jasper-1.900.1-fix-filename-buffer-overflow.patch
new file mode 100644
index 000000000000..eba6cbe49a8b
--- /dev/null
+++ b/jasper-1.900.1-fix-filename-buffer-overflow.patch
@@ -0,0 +1,37 @@
+Description: Filename buffer overflow fix
+ This patch fixes a security hole by a bad buffer size handling.
+Author: Roland Stigge <stigge@antcom.de>
+Bug-Debian: http://bugs.debian.org/645118
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -77,6 +77,7 @@
+ #include <jasper/jas_config.h>
+
+ #include <stdio.h>
++#include <limits.h>
+ #if defined(HAVE_FCNTL_H)
+ #include <fcntl.h>
+ #endif
+@@ -99,6 +100,12 @@ extern "C" {
+ #define O_BINARY 0
+ #endif
+
++#ifdef PATH_MAX
++#define JAS_PATH_MAX PATH_MAX
++#else
++#define JAS_PATH_MAX 4096
++#endif
++
+ /*
+ * Stream open flags.
+ */
+@@ -251,7 +258,7 @@ typedef struct {
+ typedef struct {
+ int fd;
+ int flags;
+- char pathname[L_tmpnam + 1];
++ char pathname[JAS_PATH_MAX + 1];
+ } jas_stream_fileobj_t;
+
+ #define JAS_STREAM_FILEOBJ_DELONCLOSE 0x01
diff --git a/jasper-avoid-assert-abort.diff b/jasper-avoid-assert-abort.diff
new file mode 100644
index 000000000000..d3622374c36d
--- /dev/null
+++ b/jasper-avoid-assert-abort.diff
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ case JP2_COLR_ICC:
+ iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ dec->colr->data.colr.iccplen);
+- assert(iccprof);
++ if (!iccprof) {
++ jas_eprintf("error: failed to parse ICC profile\n");
++ goto error;
++ }
+ jas_iccprof_gethdr(iccprof, &icchdr);
+ jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));