
Bug#688881: marked as done (unblock: openjpeg/1.3+dfsg-4.1+deb7u1)



Your message dated Mon, 12 Nov 2012 23:56:17 +0100
with message-id <20121112225617.GF17465@radis.cristau.org>
and subject line Re: Bug#688881: unblock: openjpeg/1.3+dfsg-4.1+deb7u1
has caused the Debian Bug report #688881,
regarding unblock: openjpeg/1.3+dfsg-4.1+deb7u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
688881: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688881
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

I've prepared a tpu security upload for openjpeg (attached).

Ok to upload?

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Naur openjpeg-1.3+dfsg.orig/debian/changelog openjpeg-1.3+dfsg/debian/changelog
--- openjpeg-1.3+dfsg.orig/debian/changelog	2012-09-23 08:01:25.000000000 +0200
+++ openjpeg-1.3+dfsg/debian/changelog	2012-09-23 08:04:39.697773699 +0200
@@ -1,3 +1,10 @@
+openjpeg (1.3+dfsg-4.1+deb7u1) testing-proposed-updates; urgency=medium
+
+  * Fix CVE-2012-3358 (Closes: #681075)
+  * Fix CVE-2012-3535 (Closes: #685970)	
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Mon, 24 Sep 2012 23:02:44 +0200
+
 openjpeg (1.3+dfsg-4.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
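Review bot: the two bullets in the new changelog entry name only the CVE ids, and the CVE-2012-3535 line ends in a stray tab. A few words per bullet on what is fixed would let the entry stand on its own (the CVE-2012-3358 dpatch header already has "fix buffer overflow in JPEG2000 file handling"), and the trailing whitespace should be dropped.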
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/00list openjpeg-1.3+dfsg/debian/patches/00list
--- openjpeg-1.3+dfsg.orig/debian/patches/00list	2012-09-23 08:01:25.000000000 +0200
+++ openjpeg-1.3+dfsg/debian/patches/00list	2012-09-23 08:02:26.061768619 +0200
@@ -2,3 +2,5 @@
 31_use_system_tiff_headers.dpatch
 32_fix_FTBFS_on_alpha.dpatch
 33_avoid_memory_overrun.dpatch
+CVE-2012-3358.dpatch
+CVE-2012-3535.dpatch
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch
--- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch	1970-01-01 01:00:00.000000000 +0100
+++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch	2012-09-23 08:01:59.353768078 +0200
@@ -0,0 +1,60 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2012-3358.dpatch by Michael Gilbert <mgilbert@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix buffer overflow in JPEG2000 file handling.
+## DP: https://bugzilla.redhat.com/show_bug.cgi?id=835767
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' openjpeg-1.3+dfsg~/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c
+--- openjpeg-1.3+dfsg~/libopenjpeg/j2k.c	2012-07-11 16:04:38.000000000 -0400
++++ openjpeg-1.3+dfsg/libopenjpeg/j2k.c	2012-07-11 16:06:07.000000000 -0400
+@@ -1282,7 +1282,7 @@
+ 		static int backup_tileno = 0;
+ 
+ 		/* tileno is negative or larger than the number of tiles!!! */
+-		if ((tileno < 0) || (tileno > (cp->tw * cp->th))) {
++		if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
+ 			opj_event_msg(j2k->cinfo, EVT_ERROR,
+ 				"JPWL: bad tile number (%d out of a maximum of %d)\n",
+ 				tileno, (cp->tw * cp->th));
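Review bot: with the comparison changed to `tileno >= (cp->tw * cp->th)`, the error text still prints `cp->tw * cp->th` as the "maximum", which is now one past the largest tile number the check accepts. Printing `(cp->tw * cp->th) - 1`, or rewording to "number of tiles", would make the log line match the bound.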
+@@ -1299,8 +1299,18 @@
+ 
+ 		/* keep your private count of tiles */
+ 		backup_tileno++;
+-	};
++	}
++	else
+ #endif /* USE_JPWL */
++	{
++		/* tileno is negative or larger than the number of tiles!!! */
++		if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
++			opj_event_msg(j2k->cinfo, EVT_ERROR,
++				"JPWL: bad tile number (%d out of a maximum of %d)\n",
++				tileno, (cp->tw * cp->th));
++			return;
++		}
++	}
+ 	
+ 	if (cp->tileno_size == 0) {
+ 		cp->tileno[cp->tileno_size] = tileno;
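Review bot: the check added in the new block after `#endif /* USE_JPWL */` logs with the "JPWL: bad tile number" prefix although this block runs only when the JPWL branch is not taken or not compiled in, and it leaves through a bare `return;` without recording the failure. Suggest dropping the prefix and setting `j2k->state |= J2K_STATE_ERR;` before returning, as the CVE-2012-3535 patch in this same upload does, so callers can tell the tile part was rejected. The `else` placed just before `#endif` is also easy to misread; a one-line comment that the following brace block is its body in the JPWL build would help.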
+@@ -1338,8 +1348,18 @@
+ 				totlen);
+ 		}
+ 
+-	};
++	}
++	else
+ #endif /* USE_JPWL */
++	{
++		/* totlen is negative or larger than the bytes left!!! */
++		if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) {
++			opj_event_msg(j2k->cinfo, EVT_ERROR,
++				"JPWL: bad tile byte size (%d bytes against %d bytes left)\n",
++				totlen, cio_numbytesleft(cio) + 8);
++			return;
++		}
++	}
+ 
+ 	if (!totlen)
+ 		totlen = cio_numbytesleft(cio) + 8;
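Review bot: the bound `cio_numbytesleft(cio) + 8` in the added `totlen` check repeats a constant that is never explained (it appears again in the context line `totlen = cio_numbytesleft(cio) + 8;`). A short comment stating what the 8 bytes account for, or a named constant, would let a reader verify that the limit is the right one. As in the previous hunk, the message carries the "JPWL:" prefix in the non-JPWL block and the `return;` does not set an error state.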
diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch
--- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch	1970-01-01 01:00:00.000000000 +0100
+++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch	2012-09-23 08:01:59.353768078 +0200
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2012-3535
+
+@DPATCH@
+diff -Naur openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c
+--- openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c	2008-03-10 09:50:35.000000000 +0100
++++ openjpeg-1.3+dfsg/libopenjpeg/j2k.c	2012-09-23 07:57:01.381756231 +0200
+@@ -720,6 +720,13 @@
+ 		j2k->state |= J2K_STATE_ERR;
+ 	}
+ 
++	if( tccp->numresolutions > J2K_MAXRLVLS ) {
++		opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n",
++		              compno, tccp->numresolutions, J2K_MAXRLVLS);
++		j2k->state |= J2K_STATE_ERR;
++		tccp->numresolutions = J2K_MAXRLVLS;
++	}
++
+ 	tccp->cblkw = cio_read(cio, 1) + 2;	/* SPcox (E) */
+ 	tccp->cblkh = cio_read(cio, 1) + 2;	/* SPcox (F) */
+ 	tccp->cblksty = cio_read(cio, 1);	/* SPcox (G) */
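Review bot: the added `tccp->numresolutions > J2K_MAXRLVLS` check both sets `J2K_STATE_ERR` and clamps the value to `J2K_MAXRLVLS` while the message says "Truncating", so it is unclear whether decoding is meant to stop or to continue with the clamped value. Pick one behaviour and word the message to match. The dpatch header also has no `## DP:` description, author or reference line, unlike CVE-2012-3358.dpatch; please add them.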

--- End Message ---
--- Begin Message ---
On Wed, Sep 26, 2012 at 21:09:37 +0200, Julien Cristau wrote:

> On Wed, Sep 26, 2012 at 18:11:46 +0200, Moritz Muehlenhoff wrote:
> 
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > 
> > I've prepared a tpu security upload for openjpeg (attached).
> > 
> > Ok to upload?
> > 
> I followed up to the unblock bug about the sid version.  If we don't get
> that sorted soon then a tpu upload would be fine.  Probably best to get
> the second CVE fixed in sid first in any case.
> 
That should be sorted now, closing.

Cheers,
Julien



--- End Message ---
