Bug#688881: unblock: openjpeg/1.3+dfsg-4.1+deb7u1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
I've prepared a tpu security upload for openjpeg (attached).
Ok to upload?
Cheers,
Moritz
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Naur openjpeg-1.3+dfsg.orig/debian/changelog openjpeg-1.3+dfsg/debian/changelog
--- openjpeg-1.3+dfsg.orig/debian/changelog 2012-09-23 08:01:25.000000000 +0200
+++ openjpeg-1.3+dfsg/debian/changelog 2012-09-23 08:04:39.697773699 +0200
@@ -1,3 +1,10 @@
+openjpeg (1.3+dfsg-4.1+deb7u1) testing-proposed-updates; urgency=medium
+
+ * Fix CVE-2012-3358 (Closes: #681075)
+ * Fix CVE-2012-3535 (Closes: #685970)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Mon, 24 Sep 2012 23:02:44 +0200
+
openjpeg (1.3+dfsg-4.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/00list openjpeg-1.3+dfsg/debian/patches/00list
--- openjpeg-1.3+dfsg.orig/debian/patches/00list 2012-09-23 08:01:25.000000000 +0200
+++ openjpeg-1.3+dfsg/debian/patches/00list 2012-09-23 08:02:26.061768619 +0200
@@ -2,3 +2,5 @@
31_use_system_tiff_headers.dpatch
32_fix_FTBFS_on_alpha.dpatch
33_avoid_memory_overrun.dpatch
+CVE-2012-3358.dpatch
+CVE-2012-3535.dpatch
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch
--- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch 2012-09-23 08:01:59.353768078 +0200
@@ -0,0 +1,60 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2012-3358.dpatch by Michael Gilbert <mgilbert@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix buffer overflow in JPEG2000 file handling.
+## DP: https://bugzilla.redhat.com/show_bug.cgi?id=835767
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' openjpeg-1.3+dfsg~/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c
+--- openjpeg-1.3+dfsg~/libopenjpeg/j2k.c 2012-07-11 16:04:38.000000000 -0400
++++ openjpeg-1.3+dfsg/libopenjpeg/j2k.c 2012-07-11 16:06:07.000000000 -0400
+@@ -1282,7 +1282,7 @@
+ static int backup_tileno = 0;
+
+ /* tileno is negative or larger than the number of tiles!!! */
+- if ((tileno < 0) || (tileno > (cp->tw * cp->th))) {
++ if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "JPWL: bad tile number (%d out of a maximum of %d)\n",
+ tileno, (cp->tw * cp->th));
+@@ -1299,8 +1299,18 @@
+
+ /* keep your private count of tiles */
+ backup_tileno++;
+- };
++ }
++ else
+ #endif /* USE_JPWL */
++ {
++ /* tileno is negative or larger than the number of tiles!!! */
++ if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
++ opj_event_msg(j2k->cinfo, EVT_ERROR,
++ "JPWL: bad tile number (%d out of a maximum of %d)\n",
++ tileno, (cp->tw * cp->th));
++ return;
++ }
++ }
+
+ if (cp->tileno_size == 0) {
+ cp->tileno[cp->tileno_size] = tileno;
+@@ -1338,8 +1348,18 @@
+ totlen);
+ }
+
+- };
++ }
++ else
+ #endif /* USE_JPWL */
++ {
++ /* totlen is negative or larger than the bytes left!!! */
++ if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) {
++ opj_event_msg(j2k->cinfo, EVT_ERROR,
++ "JPWL: bad tile byte size (%d bytes against %d bytes left)\n",
++ totlen, cio_numbytesleft(cio) + 8);
++ return;
++ }
++ }
+
+ if (!totlen)
+ totlen = cio_numbytesleft(cio) + 8;
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch
--- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch 2012-09-23 08:01:59.353768078 +0200
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2012-3535
+
+@DPATCH@
+diff -Naur openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c
+--- openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c 2008-03-10 09:50:35.000000000 +0100
++++ openjpeg-1.3+dfsg/libopenjpeg/j2k.c 2012-09-23 07:57:01.381756231 +0200
+@@ -720,6 +720,13 @@
+ j2k->state |= J2K_STATE_ERR;
+ }
+
++ if( tccp->numresolutions > J2K_MAXRLVLS ) {
++ opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n",
++ compno, tccp->numresolutions, J2K_MAXRLVLS);
++ j2k->state |= J2K_STATE_ERR;
++ tccp->numresolutions = J2K_MAXRLVLS;
++ }
++
+ tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */
+ tccp->cblkh = cio_read(cio, 1) + 2; /* SPcox (F) */
+ tccp->cblksty = cio_read(cio, 1); /* SPcox (G) */
Reply to: