Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Please unblock package libjpeg-turbo Hi, a rare case when a Huffman local buffer can be overrun was found in libjpeg-turbo. The package pulls an upstream fix for that. changelog | 7 ++++++ control | 8 +------ patches/CVE-2014-9092.patch | 49 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 59 insertions(+), 6 deletions(-) The diff is a bigger than it could be since it also includes comments and relevant upstream changelog entries, but the only code change is just this: - -#define BUFSIZE (DCTSIZE2 * 2) +#define BUFSIZE (DCTSIZE2 * 4) Cheers, Ondrej unblock libjpeg-turbo/1:1.3.1-11 - -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (990, 'testing'), (700, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQJ8BAEBCgBmBQJUdacZXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzMEI5MzNEODBGQ0UzRDk4MUEyRDM4RkIw Qzk5QjcwRUY0RkNCQjA3AAoJEAyZtw70/LsHPGgP/AzxPjUX82Y9KEHQYrbebhIc agC0V+nM+1mDZ5Y3l8TdrWCFDBbMxsJ8HiEj0vp0Ngrxlv1/LMV5ikth3bmoL0sJ LoWeeaH7WW+OscQc2BJLWXvKq/3YUkGitryfQPxkiYdpQ1SpP5nckMPiY16CZ575 PnNiijXIVt31sotScCFVS4sufHEjVIM+II463CXsRDJt+kxm7vMUTJXHMEL+jIRU lIrzWaXnrKWEx1aNkfVa+yNn4/afcirpXdveJQkrCvYu38DLeBS4o/2EcWAZ9Up8 +nu8RzMpYlML5ekFfe9q4ydHBqaBbyo9ez+946bVmdwZoQ3uxLyBDe5Yqn5nkwat JdvSFQgAqU+kf5qyQTb8tt3we9Ym6+Lxt7i7jAnlttsiNznt+9WEqpm6diAZKqFw H4zQUwn0v4mw2OJbSEdcfiLHK6qPHJZDJq7UBGcsYTJIsdonGVrWHfiJfaWrH7Rt CXgY316ZCztxtWYq24EEpgYRLHNxkzke8affy2AlQjS4Q1z+W2H/dqoS41Yg65F1 MSW2X50V/3vDw1n0vtA4dhjmTFl89eplbAVddpD6wnb1DRVbYEfKc70RfAwmMyFV CQ6jkm0/lOl0CeQxVEeLoexYmiimESZ9U25PPHFUHtsUSu03OB080asIbhUnMfqQ +ADxHsb6Iwq02F/fpWLF =JWWy -----END PGP SIGNATURE-----
diff -Nru libjpeg-turbo-1.3.1/debian/changelog libjpeg-turbo-1.3.1/debian/changelog
--- libjpeg-turbo-1.3.1/debian/changelog 2014-10-22 15:14:05.000000000 +0200
+++ libjpeg-turbo-1.3.1/debian/changelog 2014-11-26 11:02:13.000000000 +0100
@@ -1,3 +1,10 @@
+libjpeg-turbo (1:1.3.1-11) unstable; urgency=medium
+
+ * Cleanup the list of maintainers and uploaders
+ * [CVE-2014-9092]: Fix a Huffman local buffer overrun
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 26 Nov 2014 11:00:17 +0100
+
libjpeg-turbo (1:1.3.1-10) unstable; urgency=medium
* Drop extra and conflicting Provides (Closes: #766347)
diff -Nru libjpeg-turbo-1.3.1/debian/control libjpeg-turbo-1.3.1/debian/control
--- libjpeg-turbo-1.3.1/debian/control 2014-10-22 15:14:05.000000000 +0200
+++ libjpeg-turbo-1.3.1/debian/control 2014-11-26 11:02:13.000000000 +0100
@@ -1,12 +1,8 @@
Source: libjpeg-turbo
Priority: optional
Section: graphics
-Maintainer: Debian TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>
-Uploaders: Fathi Boudra <fabo@debian.org>,
- Osamu Aoki <osamu@debian.org>,
- Tom Gall <tom.gall@linaro.org>,
- Mike Gabriel <sunweaver@debian.org>,
- Ondřej Surý <ondrej@debian.org>
+Maintainer: Ondřej Surý <ondrej@debian.org>
+Uploaders: Mike Gabriel <sunweaver@debian.org>
Build-Depends: debhelper (>= 9),
dh-autoreconf,
nasm [any-amd64 any-i386],
diff -Nru libjpeg-turbo-1.3.1/debian/patches/CVE-2014-9092.patch libjpeg-turbo-1.3.1/debian/patches/CVE-2014-9092.patch
--- libjpeg-turbo-1.3.1/debian/patches/CVE-2014-9092.patch 1970-01-01 01:00:00.000000000 +0100
+++ libjpeg-turbo-1.3.1/debian/patches/CVE-2014-9092.patch 2014-11-26 11:02:13.000000000 +0100
@@ -0,0 +1,49 @@
+--- libjpeg-turbo.orig/ChangeLog.txt
++++ libjpeg-turbo/ChangeLog.txt
+@@ -1,3 +1,26 @@
++1.3.2
++=====
++
++[5] Fixed an extremely rare bug that could cause the Huffman encoder's local
++buffer to overrun when a very high-frequency MCU is compressed using quality
++100 and no subsampling, and when the JPEG output buffer is being dynamically
++resized by the destination manager. This issue was so rare that, even with a
++test program specifically designed to make the bug occur (by injecting random
++high-frequency YUV data into the compressor), it was reproducible only once in
++about every 25 million iterations.
++
++[9] Referring to [5] above, another extremely rare circumstance was discovered
++under which the Huffman encoder's local buffer can be overrun when a buffered
++destination manager is being used and an extremely-high-frequency block
++(basically junk image data) is being encoded. Even though the Huffman local
++buffer was increased from 128 bytes to 136 bytes to address the previous
++issue, the new issue caused even the larger buffer to be overrun. Further
++analysis reveals that, in the absolute worst case (such as setting alternating
++AC coefficients to 32767 and -32768 in the JPEG scanning order), the Huffman
++encoder can produce encoded blocks that approach double the size of the
++unencoded blocks. Thus, the Huffman local buffer was increased to 256 bytes,
++which should prevent any such issue from re-occurring in the future.
++
+ 1.3.1
+ =====
+
+--- libjpeg-turbo.orig/jchuff.c
++++ libjpeg-turbo/jchuff.c
+@@ -391,7 +391,16 @@ dump_buffer (working_state * state)
+ #endif
+
+
+-#define BUFSIZE (DCTSIZE2 * 2)
++/* Although it is exceedingly rare, it is possible for a Huffman-encoded
++ * coefficient block to be larger than the 128-byte unencoded block. For each
++ * of the 64 coefficients, PUT_BITS is invoked twice, and each invocation can
++ * theoretically store 16 bits (for a maximum of 2048 bits or 256 bytes per
++ * encoded block.) If, for instance, one artificially sets the AC
++ * coefficients to alternating values of 32767 and -32768 (using the JPEG
++ * scanning order-- 1, 8, 16, etc.), then this will produce an encoded block
++ * larger than 200 bytes.
++ */
++#define BUFSIZE (DCTSIZE2 * 4)
+
+ #define LOAD_BUFFER() { \
+ if (state->free_in_buffer < BUFSIZE) { \
diff -Nru libjpeg-turbo-1.3.1/debian/patches/series libjpeg-turbo-1.3.1/debian/patches/series
--- libjpeg-turbo-1.3.1/debian/patches/series 2014-10-22 15:14:05.000000000 +0200
+++ libjpeg-turbo-1.3.1/debian/patches/series 2014-11-26 11:02:13.000000000 +0100
@@ -1 +1,2 @@
001_versioned-libjpegturbo.patch
+CVE-2014-9092.patch
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 26 Nov 2014 11:00:17 +0100 Source: libjpeg-turbo Binary: libjpeg-dev libjpeg62-turbo-dev libjpeg62-turbo libjpeg62-turbo-dbg libturbojpeg1 libturbojpeg1-dbg libturbojpeg1-dev libjpeg-turbo-progs libjpeg-turbo-progs-dbg Architecture: source all Version: 1:1.3.1-11 Distribution: unstable Urgency: medium Maintainer: Ondřej Surý <ondrej@debian.org> Changed-By: Ondřej Surý <ondrej@debian.org> Description: libjpeg-dev - Development files for the JPEG library [dummy package] libjpeg-turbo-progs - Programs for manipulating JPEG files libjpeg-turbo-progs-dbg - Programs for manipulating JPEG files (debugging symbols) libjpeg62-turbo - libjpeg-turbo JPEG runtime library libjpeg62-turbo-dbg - Debugging symbols for the libjpeg-turbo JPEG library libjpeg62-turbo-dev - Development files for the libjpeg-turbo JPEG library libturbojpeg1 - TurboJPEG runtime library - SIMD optimized libturbojpeg1-dbg - TurboJPEG runtime library - SIMD optimized (debugging symbols) libturbojpeg1-dev - Development files for the TurboJPEG library Changes: libjpeg-turbo (1:1.3.1-11) unstable; urgency=medium . * Cleanup the list of maintainers and uploaders * [CVE-2014-9092]: Fix a Huffman local buffer overrun Checksums-Sha1: 011ffbd056a0e14ac562365d99d144ed3748aa8e 2650 libjpeg-turbo_1.3.1-11.dsc b917046f02769baaed45898abf592dece88f9bd1 78564 libjpeg-turbo_1.3.1-11.debian.tar.xz 188fda08e635c02c8342518e2b8b0dc50c2f52ac 49252 libjpeg-dev_1.3.1-11_all.deb Checksums-Sha256: 2ecd68541983135312abea57c2bbfc450ab888830073ee2e19a22c548d26111d 2650 libjpeg-turbo_1.3.1-11.dsc ec23814a296bbc3a5f2b383f5526c28bfe21ce380c4a93b4205d7088bc021667 78564 libjpeg-turbo_1.3.1-11.debian.tar.xz 072ba94d3d8c536fff05a03581c184e26bc41c6a8ada917e75e26fca35985bbd 49252 libjpeg-dev_1.3.1-11_all.deb Files: 7ece68461462ccca84c59cc84425f034 2650 graphics optional libjpeg-turbo_1.3.1-11.dsc 3e311d4984d27e0ad126a22300eeeea2 78564 graphics optional libjpeg-turbo_1.3.1-11.debian.tar.xz fba750757cea3765da47c2a5ee86f1f3 49252 libdevel optional libjpeg-dev_1.3.1-11_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQJ8BAEBCgBmBQJUdaYUXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzMEI5MzNEODBGQ0UzRDk4MUEyRDM4RkIw Qzk5QjcwRUY0RkNCQjA3AAoJEAyZtw70/LsHXM0QAICyscKOTKeu/OuwI0RTnknf AFufLwjfL2LnjgH6+rGN02zedfhWxF40UMVXlCdi2dHOaffNgsumA521O5GMzYyA QmHwjZKIqbeVWg7UWMo/ZBFjzBd0N1urKmAdE4mT86o6RDE9EOeJa/RDa1AfgD6o nWFCtgNQvwo29km8T5A0aFIxbs5wSZdBH58ymzzeXnYhsGF8b+erxD/ZVZhcostt V615Zg1WhsHjAL7IxKL9btLYe59NPnCqMrcA/gRcf/GDIZAoh8BdqunU2Vd7RPoC Bj7t7jmHM9AR6kcxtWuslcpOHtPUzf0labsRSZ/eZXB9NC8kwESLJ6AOt3Gv0eJB eIEK1mn+DRbEaVylcnyt1onIVqxe9maNfxggWZ4DyEsyCfftLhVlcdElvAvg1AHQ MBMsu1lvb/+VjDzY8LSLqKrTUdGM1DS6D4OpJwS6rQqGhAi9JUZ8m5Rq0ZXEos2f 9Ih1r+ki3W0TmSk4dwMShCXMhdi9WkSZFpefJ+Avv4gfYEulSUjvOYRGQ1A+iRUv cI9oW4Rz4VzDI9qYOD1D8ND+Oh8747g0WmOHqp0hpWx7NHvZxrneYbxCRUMOj+Wo CDn1TH91NS65RzQ0dnfqh0VuYmoUoQ6yr/1eLSWm7FHGoSJVQY/l7VY3Qnl/PeJ8 rTDPdovfn65/4fldFGas =EZ7/ -----END PGP SIGNATURE-----
Attachment:
libjpeg-turbo_1.3.1-11.debian.tar.xz
Description: application/xz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 3.0 (quilt) Source: libjpeg-turbo Binary: libjpeg-dev, libjpeg62-turbo-dev, libjpeg62-turbo, libjpeg62-turbo-dbg, libturbojpeg1, libturbojpeg1-dbg, libturbojpeg1-dev, libjpeg-turbo-progs, libjpeg-turbo-progs-dbg Architecture: any all Version: 1:1.3.1-11 Maintainer: Ondřej Surý <ondrej@debian.org> Uploaders: Mike Gabriel <sunweaver@debian.org> Homepage: http://www.libjpeg-turbo.org/ Standards-Version: 3.9.6 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/libjpeg-turbo.git Vcs-Git: git://anonscm.debian.org/collab-maint/libjpeg-turbo.git Build-Depends: debhelper (>= 9), dh-autoreconf, nasm [any-amd64 any-i386] Package-List: libjpeg-dev deb libdevel optional arch=all libjpeg-turbo-progs deb graphics optional arch=any libjpeg-turbo-progs-dbg deb debug extra arch=any libjpeg62-turbo deb libs optional arch=any libjpeg62-turbo-dbg deb debug extra arch=any libjpeg62-turbo-dev deb libdevel optional arch=any libturbojpeg1 deb libs optional arch=any libturbojpeg1-dbg deb debug extra arch=any libturbojpeg1-dev deb libdevel optional arch=any Checksums-Sha1: 5fa19252e5ca992cfa40446a0210ceff55fbe468 1390282 libjpeg-turbo_1.3.1.orig.tar.gz b917046f02769baaed45898abf592dece88f9bd1 78564 libjpeg-turbo_1.3.1-11.debian.tar.xz Checksums-Sha256: c132907417ddc40ed552fe53d6b91d5fecbb14a356a60ddc7ea50d6be9666fb9 1390282 libjpeg-turbo_1.3.1.orig.tar.gz ec23814a296bbc3a5f2b383f5526c28bfe21ce380c4a93b4205d7088bc021667 78564 libjpeg-turbo_1.3.1-11.debian.tar.xz Files: 2c3a68129dac443a72815ff5bb374b05 1390282 libjpeg-turbo_1.3.1.orig.tar.gz 3e311d4984d27e0ad126a22300eeeea2 78564 libjpeg-turbo_1.3.1-11.debian.tar.xz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQJ8BAEBCgBmBQJUdaYPXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzMEI5MzNEODBGQ0UzRDk4MUEyRDM4RkIw Qzk5QjcwRUY0RkNCQjA3AAoJEAyZtw70/LsHpG4QANMdxr7tpNZQUnNG3zsPdWPw v7e+uonXgB56aisoEVAi0n7d3QeBQrkbuEwF5V35nK/H3HyS7AUtMQNQi8PkA15K t1SMcnLvBXLG3D2MTJMRwaPza8ZkDsVdlMxrl2mT0Uqo7u9MeJTwEJtRxYkDxvX2 VUIqAl8m+dA/ScRFhxw47casb7rnUvdtLsHuVmZMRNmxJ6zlqcSLUB+zqYtOni3y cOE70FsgrMSW3LaoaYs69n3qt17J6dvwD2vYDor1fxVMsNmyRcxxjaHe3b3xQnkI Q4Vr7fG5YncnI8X6h+eAnr2IUFQNfbOzm2O0Sw0wv7ukmGQSmrTB+txaq/2RuzD0 p+US2BdsP4x/dWIVg90Ymzvf1wvNFC4xpHqm2w6QyRt4KKC4OAEgK9sXMDLowOLo qQ+De6FKfNjEMruuRbrivAIDMrPW1g/nemylMkum/A81TzPmvvnC2VYQalsA7sIX QjlADWPYwwxgz79IVRkcf7vHHpdZZSW9oYWQDizcKIW2TSloGAklT7YkkqPX8Qge IzlQZsYcCxTg3EWLjfi5p1I97pGisQH21pm+V+qFFNuoh58eSMzg5yBUiNBSkauE tLvfd5MYZ6NY6if/jSVEH47YjIFwSUVXSzIS3ka02wbETMFFh1c6DuCoPrEG3B5B pS57LrX8QBFhi9bMh0zK =+EqA -----END PGP SIGNATURE-----