Your message dated Mon, 12 Nov 2012 23:56:17 +0100 with message-id <20121112225617.GF17465@radis.cristau.org> and subject line Re: Bug#688881: unblock: openjpeg/1.3+dfsg-4.1+deb7u1 has caused the Debian Bug report #688881, regarding unblock: openjpeg/1.3+dfsg-4.1+deb7u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 688881: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688881 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: openjpeg/1.3+dfsg-4.1+deb7u1
- From: Moritz Muehlenhoff <jmm@debian.org>
- Date: Wed, 26 Sep 2012 18:11:46 +0200
- Message-id: <20120926161146.5810.69782.reportbug@pisco.westfalen.local>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock I've prepared a tpu security upload for openjpeg (attached). Ok to upload? Cheers, Moritz -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dashdiff -Naur openjpeg-1.3+dfsg.orig/debian/changelog openjpeg-1.3+dfsg/debian/changelog --- openjpeg-1.3+dfsg.orig/debian/changelog 2012-09-23 08:01:25.000000000 +0200 +++ openjpeg-1.3+dfsg/debian/changelog 2012-09-23 08:04:39.697773699 +0200 @@ -1,3 +1,10 @@ +openjpeg (1.3+dfsg-4.1+deb7u1) testing-proposed-updates; urgency=medium + + * Fix CVE-2012-3358 (Closes: #681075) + * Fix CVE-2012-3535 (Closes: #685970) + + -- Moritz Mühlenhoff <jmm@debian.org> Mon, 24 Sep 2012 23:02:44 +0200 + openjpeg (1.3+dfsg-4.1) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/00list openjpeg-1.3+dfsg/debian/patches/00list --- openjpeg-1.3+dfsg.orig/debian/patches/00list 2012-09-23 08:01:25.000000000 +0200 +++ openjpeg-1.3+dfsg/debian/patches/00list 2012-09-23 08:02:26.061768619 +0200 @@ -2,3 +2,5 @@ 31_use_system_tiff_headers.dpatch 32_fix_FTBFS_on_alpha.dpatch 33_avoid_memory_overrun.dpatch +CVE-2012-3358.dpatch +CVE-2012-3535.dpatch diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch --- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3358.dpatch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3358.dpatch 2012-09-23 08:01:59.353768078 +0200 @@ -0,0 +1,60 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## cve-2012-3358.dpatch by Michael Gilbert <mgilbert@debian.org> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: fix buffer overflow in JPEG2000 file handling. +## DP: https://bugzilla.redhat.com/show_bug.cgi?id=835767 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' openjpeg-1.3+dfsg~/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c +--- openjpeg-1.3+dfsg~/libopenjpeg/j2k.c 2012-07-11 16:04:38.000000000 -0400 ++++ openjpeg-1.3+dfsg/libopenjpeg/j2k.c 2012-07-11 16:06:07.000000000 -0400 +@@ -1282,7 +1282,7 @@ + static int backup_tileno = 0; + + /* tileno is negative or larger than the number of tiles!!! */ +- if ((tileno < 0) || (tileno > (cp->tw * cp->th))) { ++ if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) { + opj_event_msg(j2k->cinfo, EVT_ERROR, + "JPWL: bad tile number (%d out of a maximum of %d)\n", + tileno, (cp->tw * cp->th)); +@@ -1299,8 +1299,18 @@ + + /* keep your private count of tiles */ + backup_tileno++; +- }; ++ } ++ else + #endif /* USE_JPWL */ ++ { ++ /* tileno is negative or larger than the number of tiles!!! */ ++ if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "JPWL: bad tile number (%d out of a maximum of %d)\n", ++ tileno, (cp->tw * cp->th)); ++ return; ++ } ++ } + + if (cp->tileno_size == 0) { + cp->tileno[cp->tileno_size] = tileno; +@@ -1338,8 +1348,18 @@ + totlen); + } + +- }; ++ } ++ else + #endif /* USE_JPWL */ ++ { ++ /* totlen is negative or larger than the bytes left!!! */ ++ if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, ++ "JPWL: bad tile byte size (%d bytes against %d bytes left)\n", ++ totlen, cio_numbytesleft(cio) + 8); ++ return; ++ } ++ } + + if (!totlen) + totlen = cio_numbytesleft(cio) + 8; diff -Naur openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch --- openjpeg-1.3+dfsg.orig/debian/patches/CVE-2012-3535.dpatch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg-1.3+dfsg/debian/patches/CVE-2012-3535.dpatch 2012-09-23 08:01:59.353768078 +0200 @@ -0,0 +1,21 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2012-3535 + +@DPATCH@ +diff -Naur openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c openjpeg-1.3+dfsg/libopenjpeg/j2k.c +--- openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c 2008-03-10 09:50:35.000000000 +0100 ++++ openjpeg-1.3+dfsg/libopenjpeg/j2k.c 2012-09-23 07:57:01.381756231 +0200 +@@ -720,6 +720,13 @@ + j2k->state |= J2K_STATE_ERR; + } + ++ if( tccp->numresolutions > J2K_MAXRLVLS ) { ++ opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n", ++ compno, tccp->numresolutions, J2K_MAXRLVLS); ++ j2k->state |= J2K_STATE_ERR; ++ tccp->numresolutions = J2K_MAXRLVLS; ++ } ++ + tccp->cblkw = cio_read(cio, 1) + 2; /* SPcox (E) */ + tccp->cblkh = cio_read(cio, 1) + 2; /* SPcox (F) */ + tccp->cblksty = cio_read(cio, 1); /* SPcox (G) */
--- End Message ---
--- Begin Message ---
- To: Moritz Muehlenhoff <jmm@debian.org>, 688881-done@bugs.debian.org
- Subject: Re: Bug#688881: unblock: openjpeg/1.3+dfsg-4.1+deb7u1
- From: Julien Cristau <jcristau@debian.org>
- Date: Mon, 12 Nov 2012 23:56:17 +0100
- Message-id: <20121112225617.GF17465@radis.cristau.org>
- In-reply-to: <20120926190937.GO6116@radis.cristau.org>
- References: <20120926161146.5810.69782.reportbug@pisco.westfalen.local> <20120926190937.GO6116@radis.cristau.org>
On Wed, Sep 26, 2012 at 21:09:37 +0200, Julien Cristau wrote: > On Wed, Sep 26, 2012 at 18:11:46 +0200, Moritz Muehlenhoff wrote: > > > Package: release.debian.org > > Severity: normal > > User: release.debian.org@packages.debian.org > > Usertags: unblock > > > > I've prepared a tpu security upload for openjpeg (attached). > > > > Ok to upload? > > > I followed up to the unblock bug about the sid version. If we don't get > that sorted soon then a tpu upload would be fine. Probably best to get > the second CVE fixed in sid first in any case. > That should be sorted now, closing. Cheers, JulienAttachment: signature.asc
Description: Digital signature
--- End Message ---