Bug#772168: marked as done (unblock: jasper/1.900.1-debian1-2.2)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Fri, 05 Dec 2014 19:18:11 +0000
with message-id <1417807091.10998.52.camel@adam-barratt.org.uk>
and subject line Re: Bug#772168: unblock: jasper/1.900.1-debian1-2.2
has caused the Debian Bug report #772168,
regarding unblock: jasper/1.900.1-debian1-2.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772168: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772168
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: jasper/1.900.1-debian1-2.2
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Fri, 05 Dec 2014 19:43:46 +0100
• Message-id: <[🔎] 20141205184346.30998.46319.reportbug@lorien.valinor.li>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package jasper

The jasper upload to unstable fixes CVE-2014-9029, also reported as
#772036, addressing heap-based buffer overflows in libjasper. We have
released DSA-3089-1, the same patch applied for unstable:

jasper (1.900.1-debian1-2.2) unstable; urgency=high  
  
  * Non-maintainer upload.  
  * Add 04-CVE-2014-9029.patch patch.  
    CVE-2014-9029: incorrect component number check in COC, RGN and QCC  
    marker segment decoders. (Closes: #772036)  
  
 -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 05 Dec 2014 08:39:16 +0100

Attached is also the full debdiff against the version in testing.

Could you please unblock jasper to have the fix included in jessie?

unblock jasper/1.900.1-debian1-2.2

Regards,
Salvatore

diff -Nru jasper-1.900.1-debian1/debian/changelog jasper-1.900.1-debian1/debian/changelog
--- jasper-1.900.1-debian1/debian/changelog	2014-09-30 15:54:59.000000000 +0200
+++ jasper-1.900.1-debian1/debian/changelog	2014-12-05 08:59:32.000000000 +0100
@@ -1,3 +1,12 @@
+jasper (1.900.1-debian1-2.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add 04-CVE-2014-9029.patch patch.
+    CVE-2014-9029: incorrect component number check in COC, RGN and QCC
+    marker segment decoders. (Closes: #772036)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 05 Dec 2014 08:39:16 +0100
+
 jasper (1.900.1-debian1-2.1) unstable; urgency=medium
 
   * Non-maintainer upload (acked by maintainer)
diff -Nru jasper-1.900.1-debian1/debian/patches/04-CVE-2014-9029.patch jasper-1.900.1-debian1/debian/patches/04-CVE-2014-9029.patch
--- jasper-1.900.1-debian1/debian/patches/04-CVE-2014-9029.patch	1970-01-01 01:00:00.000000000 +0100
+++ jasper-1.900.1-debian1/debian/patches/04-CVE-2014-9029.patch	2014-12-05 08:59:32.000000000 +0100
@@ -0,0 +1,38 @@
+Description: CVE-2014-9029: Heap overflows in libjasper
+Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=961994&action=diff
+Bug-Debian: https://bugs.debian.org/772036
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1167537
+Forwarded: no
+Author: Tomas Hoger <thoger@redhat.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-11-28
+
+--- a/src/libjasper/jpc/jpc_dec.c
++++ b/src/libjasper/jpc/jpc_dec.c
+@@ -1280,7 +1280,7 @@ static int jpc_dec_process_coc(jpc_dec_t
+ 	jpc_coc_t *coc = &ms->parms.coc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, coc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in COC marker segment\n");
+ 		return -1;
+ 	}
+@@ -1306,7 +1306,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
+ 	jpc_rgn_t *rgn = &ms->parms.rgn;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
++	if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in RGN marker segment\n");
+ 		return -1;
+ 	}
+@@ -1355,7 +1355,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
+ 	jpc_qcc_t *qcc = &ms->parms.qcc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in QCC marker segment\n");
+ 		return -1;
+ 	}
diff -Nru jasper-1.900.1-debian1/debian/patches/series jasper-1.900.1-debian1/debian/patches/series
--- jasper-1.900.1-debian1/debian/patches/series	2014-09-30 15:54:59.000000000 +0200
+++ jasper-1.900.1-debian1/debian/patches/series	2014-12-05 08:59:32.000000000 +0100
@@ -1,3 +1,4 @@
 01-misc-fixes.patch
 02-fix-filename-buffer-overflow.patch
 03-CVE-2011-4516-and-CVE-2011-4517.patch
+04-CVE-2014-9029.patch

--- End Message ---

--- Begin Message ---

• To: Salvatore Bonaccorso <carnil@debian.org>, 772168-done@bugs.debian.org
• Subject: Re: Bug#772168: unblock: jasper/1.900.1-debian1-2.2
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Fri, 05 Dec 2014 19:18:11 +0000
• Message-id: <1417807091.10998.52.camel@adam-barratt.org.uk>
• In-reply-to: <[🔎] 20141205184346.30998.46319.reportbug@lorien.valinor.li>
• References: <[🔎] 20141205184346.30998.46319.reportbug@lorien.valinor.li>

On Fri, 2014-12-05 at 19:43 +0100, Salvatore Bonaccorso wrote:
> The jasper upload to unstable fixes CVE-2014-9029, also reported as
> #772036, addressing heap-based buffer overflows in libjasper. We have
> released DSA-3089-1, the same patch applied for unstable:

Unblocked, thanks.

Regards,

Adam

--- End Message ---