Bug#860460: jbig2dec: diff for NMU version 0.13-4.1

To: 860460@bugs.debian.org, 860787@bugs.debian.org, 860788@bugs.debian.org
Subject: Bug#860460: jbig2dec: diff for NMU version 0.13-4.1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 16 May 2017 21:37:00 +0200
Message-id: <[🔎] 20170516193700.gltkajirqoai5dah@lorien.valinor.li>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 860460@bugs.debian.org

Control: tags 860460 + patch
Control: tags 860460 + pending
Control: tags 860787 + patch
Control: tags 860787 + pending
Control: tags 860788 + patch
Control: tags 860788 + pending

Dear maintainer,

I've prepared an NMU for jbig2dec (versioned as 0.13-4.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

diff -Nru jbig2dec-0.13/debian/changelog jbig2dec-0.13/debian/changelog
--- jbig2dec-0.13/debian/changelog	2017-01-23 21:13:34.000000000 +0100
+++ jbig2dec-0.13/debian/changelog	2017-05-16 20:08:21.000000000 +0200
@@ -1,3 +1,13 @@
+jbig2dec (0.13-4.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Prevent integer overflow vulnerability (CVE-2017-7885) (Closes: #860460)
+  * Prevent SEGV due to integer overflow (CVE-2017-7975) (Closes: #860788)
+  * Bounds check before reading from image source data (CVE-2017-7976)
+    (Closes: #860787)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 16 May 2017 20:08:21 +0200
+
 jbig2dec (0.13-4) unstable; urgency=medium
 
   * Add patches cherry-picked upstream to squash signed/unsigned
diff -Nru jbig2dec-0.13/debian/patches/020170426~5e57e48.patch jbig2dec-0.13/debian/patches/020170426~5e57e48.patch
--- jbig2dec-0.13/debian/patches/020170426~5e57e48.patch	1970-01-01 01:00:00.000000000 +0100
+++ jbig2dec-0.13/debian/patches/020170426~5e57e48.patch	2017-05-16 20:08:21.000000000 +0200
@@ -0,0 +1,26 @@
+Description: Bug 697693: Prevent SEGV due to integer overflow.
+ While building a Huffman table, the start and end points were susceptible
+ to integer overflow.
+ .
+Thank you to Jiaqi for finding this issue and suggesting a patch.
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e57e483298dae8b
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697693
+Bug-Debian: https://bugs.debian.org/860788
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7975
+Forwarded: not-needed
+Author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Last-Update: 2017-05-16
+
+--- a/jbig2_huffman.c
++++ b/jbig2_huffman.c
+@@ -422,8 +422,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx,
+ 
+             if (PREFLEN == CURLEN) {
+                 int RANGELEN = lines[CURTEMP].RANGELEN;
+-                int start_j = CURCODE << shift;
+-                int end_j = (CURCODE + 1) << shift;
++                uint32_t start_j = CURCODE << shift;
++                uint32_t end_j = (CURCODE + 1) << shift;
+                 byte eflags = 0;
+ 
+                 if (end_j > max_j) {
diff -Nru jbig2dec-0.13/debian/patches/020170503~b184e78.patch jbig2dec-0.13/debian/patches/020170503~b184e78.patch
--- jbig2dec-0.13/debian/patches/020170503~b184e78.patch	1970-01-01 01:00:00.000000000 +0100
+++ jbig2dec-0.13/debian/patches/020170503~b184e78.patch	2017-05-16 20:08:21.000000000 +0200
@@ -0,0 +1,27 @@
+Description: Bug 697703: Prevent integer overflow vulnerability.
+ Add extra check for the offset being greater than the size
+ of the image and hence reading off the end of the buffer.
+ .
+ Thank you to Dai Ge for finding this issue and suggesting a patch.
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=b184e783702246e15
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697703
+Bug-Debian: https://bugs.debian.org/860460
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7885
+Forwarded: not-needed
+Author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Last-Update: 2017-05-16
+---
+ jbig2dec/jbig2_symbol_dict.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/jbig2_symbol_dict.c
++++ b/jbig2_symbol_dict.c
+@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+                 byte *dst = image->data;
+ 
+                 /* SumatraPDF: prevent read access violation */
+-                if (size - jbig2_huffman_offset(hs) < image->height * stride) {
++                if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
+                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
+                                 size - jbig2_huffman_offset(hs));
+                     jbig2_image_release(ctx, image);
diff -Nru jbig2dec-0.13/debian/patches/020170510~ed6c513.patch jbig2dec-0.13/debian/patches/020170510~ed6c513.patch
--- jbig2dec-0.13/debian/patches/020170510~ed6c513.patch	1970-01-01 01:00:00.000000000 +0100
+++ jbig2dec-0.13/debian/patches/020170510~ed6c513.patch	2017-05-16 20:08:21.000000000 +0200
@@ -0,0 +1,28 @@
+Description: Bug 697683: Bounds check before reading from image source data.
+ Add extra check to prevent reading off the end of the image source
+ data buffer.
+ .
+ Thank you to Dai Ge for finding this issue and suggesting a patch.
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ed6c5133a1004ce8d
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697683
+Bug-Debian: https://bugs.debian.org/860787
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7976
+Forwarded: not-needed
+Author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Last-Update: 2017-05-16
+---
+ jbig2dec/jbig2_image.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -256,7 +256,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2
+     /* general OR case */
+     s = ss;
+     d = dd = dst->data + y * dst->stride + leftbyte;
+-    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
++        s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
+         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+     }
+     if (leftbyte == rightbyte) {
diff -Nru jbig2dec-0.13/debian/patches/series jbig2dec-0.13/debian/patches/series
--- jbig2dec-0.13/debian/patches/series	2017-01-23 21:07:51.000000000 +0100
+++ jbig2dec-0.13/debian/patches/series	2017-05-16 20:08:21.000000000 +0200
@@ -1,6 +1,9 @@
 020160518~1369359.patch
 020161212~e698d5c.patch
 020161214~9d2c4f3.patch
+020170426~5e57e48.patch
+020170503~b184e78.patch
+020170510~ed6c513.patch
 1001_ignore_python_test.patch
 1004_extract_infile_from_autogen-sh.patch
 2001_disable_memento.patch

Reply to:

Prev by Date: cups-filters_1.14.0-1_source.changes ACCEPTED into experimental
Next by Date: Processed: jbig2dec: diff for NMU version 0.13-4.1
Previous by thread: cups-filters_1.14.0-1_source.changes ACCEPTED into experimental
Next by thread: Processed: jbig2dec: diff for NMU version 0.13-4.1
Index(es):
- Date
- Thread