Bug#742263: squeeze-pu: package lcms2/2.2+git20110628-2.2+deb7u1
Package: release.debian.org
Severity: normal
Tags: squeeze
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
please accept an upload of lcms2 2.2+git20110628-2.2+deb7u1 to
wheezy-proposed-updates.
The update fixes a minor security issue in stable (#714529,
CVE-2013-4160). DSA considers the issue to be not worth a security
update:
https://security-tracker.debian.org/tracker/CVE-2013-4160
Debdiff attached.
Thanks
Thomas
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru lcms2-2.2+git20110628/debian/changelog lcms2-2.2+git20110628/debian/changelog
--- lcms2-2.2+git20110628/debian/changelog 2014-03-17 23:41:12.000000000 +0100
+++ lcms2-2.2+git20110628/debian/changelog 2014-03-21 11:29:26.000000000 +0100
@@ -1,3 +1,9 @@
+lcms2 (2.2+git20110628-2.2+deb7u1) stable; urgency=medium
+
+ * Fix security bugs in stable (Closes: #714529), CVE-2013-4160
+
+ -- Thomas Weber <tweber@debian.org> Thu, 20 Mar 2014 00:17:31 +0100
+
lcms2 (2.2+git20110628-2.2) unstable; urgency=low
* Non-maintainer upload.
diff -Nru lcms2-2.2+git20110628/debian/control lcms2-2.2+git20110628/debian/control
--- lcms2-2.2+git20110628/debian/control 2014-03-17 23:41:12.000000000 +0100
+++ lcms2-2.2+git20110628/debian/control 2014-03-21 11:29:26.000000000 +0100
@@ -2,6 +2,7 @@
Section: libs
Priority: optional
Maintainer: Oleksandr Moskalenko <malex@debian.org>
+Uploaders: Thomas Weber <tweber@debian.org>
Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.0), autotools-dev, libjpeg-dev, libtiff4-dev, zlib1g-dev, quilt
Standards-Version: 3.9.2
Homepage: http://www.littlecms.com/
diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch
--- lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch 1970-01-01 01:00:00.000000000 +0100
+++ lcms2-2.2+git20110628/debian/patches/ojdk-8007925+8007926.patch 2014-03-21 11:29:26.000000000 +0100
@@ -0,0 +1,28 @@
+# HG changeset patch
+# Date 1364497268 -14400
+# Node ID 56f01b89d8b8f7e2cbc651dccbd904b45698be24
+# Parent 09c14ca57ff092cd304a4e29f9398176255a72ab
+8007925: Improve cmsStageAllocLabV2ToV4curves
+8007926: Improve cmsPipelineDup
+
+Index: lcms2-2.2+git20110628/src/cmslut.c
+===================================================================
+--- lcms2-2.2+git20110628.orig/src/cmslut.c 2011-06-27 23:20:02.000000000 -0500
++++ lcms2-2.2+git20110628/src/cmslut.c 2013-07-01 10:51:20.000000000 -0500
+@@ -980,6 +980,7 @@
+ mpe = cmsStageAllocToneCurves(ContextID, 3, LabTable);
+ cmsFreeToneCurveTriple(LabTable);
+
++ if (mpe == NULL) return mpe;
+ mpe ->Implements = cmsSigLabV2toV4;
+ return mpe;
+ }
+@@ -1291,6 +1292,8 @@
+ if (lut == NULL) return NULL;
+
+ NewLUT = cmsPipelineAlloc(lut ->ContextID, lut ->InputChannels, lut ->OutputChannels);
++ if (NewLUT == NULL) return NULL;
++
+ for (mpe = lut ->Elements;
+ mpe != NULL;
+ mpe = mpe ->Next) {
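Review bot: Both added guards turn an allocation failure into a NULL return, so the fix only holds if the callers of the two functions named in the patch header (cmsStageAllocLabV2ToV4curves and cmsPipelineDup) check the result. Those callers are not part of this debdiff and should be audited before the upload; otherwise the NULL dereference just moves one frame up. The same applies to the new `return NULL` paths in ojdk-8007927.patch and ojdk-8007929.patch. As a smaller style point, `if (mpe == NULL) return mpe;` reads more clearly as `if (mpe == NULL) return NULL;`, matching the guard added in the second hunk. Both function bodies start outside the hunks shown.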
diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch
--- lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch 1970-01-01 01:00:00.000000000 +0100
+++ lcms2-2.2+git20110628/debian/patches/ojdk-8007927.patch 2014-03-21 11:29:26.000000000 +0100
@@ -0,0 +1,22 @@
+# HG changeset patch
+# User bae
+# Date 1363852330 -14400
+# Node ID 4047e9efcbd0966d8cc15d51f9b25ae5b141e239
+# Parent a7299af2af32c38eef541180e26f4aac7d79bff8
+8007927: Improve cmsAllocProfileSequenceDescription
+
+Index: lcms2-2.2+git20110628/src/cmsnamed.c
+===================================================================
+--- lcms2-2.2+git20110628.orig/src/cmsnamed.c 2013-07-01 11:02:26.000000000 -0500
++++ lcms2-2.2+git20110628/src/cmsnamed.c 2013-07-01 11:03:56.000000000 -0500
+@@ -698,6 +702,10 @@
+ Seq -> seq = (cmsPSEQDESC*) _cmsCalloc(ContextID, n, sizeof(cmsPSEQDESC));
+ Seq -> n = n;
+
++ if (Seq -> seq == NULL) {
++ _cmsFree(ContextID, Seq);
++ return NULL;
++ }
+
+ for (i=0; i < n; i++) {
+ Seq -> seq[i].Manufacturer = NULL;
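Review bot: The embedded hunk header `@@ -698,6 +702,10 @@` starts four lines later on the new side than on the old side, yet this is the only hunk in the patch, so nothing in it accounts for that offset. That pattern often means the hunk was lifted from a larger changeset; please confirm against the upstream change (node 4047e9efcbd0966d8cc15d51f9b25ae5b141e239) that no earlier cmsnamed.c hunk was dropped from the backport. Separately, `Seq -> n = n;` is assigned before the new NULL check; placing the check directly after the `_cmsCalloc` line would keep allocation and validation together. The function body starts and ends outside the hunk.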
diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch
--- lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch 1970-01-01 01:00:00.000000000 +0100
+++ lcms2-2.2+git20110628/debian/patches/ojdk-8007929.patch 2014-03-21 11:29:26.000000000 +0100
@@ -0,0 +1,27 @@
+# HG changeset patch
+# User bae
+# Date 1363852924 -14400
+# Node ID 2c71b4f2104b4951376604d50d5ecd176cd5acc7
+# Parent 4047e9efcbd0966d8cc15d51f9b25ae5b141e239
+8007929: Improve CurvesAlloc
+
+Index: lcms2-2.2+git20110628/src/cmsopt.c
+===================================================================
+--- lcms2-2.2+git20110628.orig/src/cmsopt.c 2013-07-01 10:54:09.000000000 -0500
++++ lcms2-2.2+git20110628/src/cmsopt.c 2013-07-01 10:54:09.000000000 -0500
+@@ -1135,6 +1135,15 @@
+ for (i=0; i < nCurves; i++) {
+
+ c16->Curves[i] = _cmsCalloc(ContextID, nElements, sizeof(cmsUInt16Number));
++ if (c16->Curves[i] == NULL) {
++ for (j=0; j < i; j++) {
++ _cmsFree(ContextID, c16->Curves[j]);
++ }
++ _cmsFree(ContextID, c16->Curves);
++ _cmsFree(ContextID, c16);
++
++ return NULL;
++ }
+
+ if (nElements == 256) {
+
diff -Nru lcms2-2.2+git20110628/debian/patches/ojdk-8009654.patch lcms2-2.2+git20110628/debian/patches/ojdk-8009654.patch
--- lcms2-2.2+git20110628/debian/patches/ojdk-8009654.patch 1970-01-01 01:00:00.000000000 +0100
+++ lcms2-2.2+git20110628/debian/patches/ojdk-8009654.patch 2014-03-21 11:29:26.000000000 +0100
@@ -0,0 +1,40 @@
+# HG changeset patch
+# User bae
+# Date 1364538631 -14400
+# Node ID 8718da8c36f3c265f4ee3a3410ed7e9b116283a7
+# Parent cc656d61e7135d43cd8908a8ef8ceae66ca0d462
+8009654: Improve stability of cmsnamed
+
+Index: lcms2-2.2+git20110628/src/cmsnamed.c
+===================================================================
+--- lcms2-2.2+git20110628.orig/src/cmsnamed.c 2013-07-01 11:43:05.000000000 -0500
++++ lcms2-2.2+git20110628/src/cmsnamed.c 2013-07-01 11:44:10.000000000 -0500
+@@ -488,8 +488,10 @@
+ while (v -> Allocated < n)
+ GrowNamedColorList(v);
+
+- strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix));
+- strncpy(v ->Suffix, Suffix, sizeof(v ->Suffix));
++ strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix) - 1);
++ strncpy(v ->Suffix, Suffix, sizeof(v ->Suffix) - 1);
++ v->Prefix[sizeof(v ->Prefix) - 1] = v->Suffix[sizeof(v ->Suffix) - 1] = 0;
++
+ v -> ColorantCount = ColorantCount;
+
+ return v;
+@@ -543,10 +545,12 @@
+ for (i=0; i < 3; i++)
+ NamedColorList ->List[NamedColorList ->nColors].PCS[i] = PCS == NULL ? 0 : PCS[i];
+
+- if (Name != NULL)
++ if (Name != NULL) {
+ strncpy(NamedColorList ->List[NamedColorList ->nColors].Name, Name,
+- sizeof(NamedColorList ->List[NamedColorList ->nColors].Name));
+- else
++ sizeof(NamedColorList ->List[NamedColorList ->nColors].Name) - 1);
++ NamedColorList ->List[NamedColorList ->nColors].
++ Name[sizeof(NamedColorList ->List[NamedColorList ->nColors].Name) - 1] = 0;
++ } else
+ NamedColorList ->List[NamedColorList ->nColors].Name[0] = 0;
+
+
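Review bot: The `while (v -> Allocated < n) GrowNamedColorList(v);` loop kept as context in the first hunk still discards the result of GrowNamedColorList. Its body is not visible here, but if it can fail without increasing `Allocated`, the loop never terminates and the newly terminated copies below are never reached. Assuming it reports failure through its return value, something like `if (!GrowNamedColorList(v)) { cmsFreeNamedColorList(v); return NULL; }` inside the loop would close that path. The strncpy calls in that hunk also pass `Prefix` and `Suffix` without the NULL test that the second hunk applies to `Name`; confirm that an earlier line, outside the hunk, rules out NULL. Both function bodies extend beyond the hunks shown.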
diff -Nru lcms2-2.2+git20110628/debian/patches/series lcms2-2.2+git20110628/debian/patches/series
--- lcms2-2.2+git20110628/debian/patches/series 2014-03-17 23:41:12.000000000 +0100
+++ lcms2-2.2+git20110628/debian/patches/series 2014-03-21 11:29:26.000000000 +0100
@@ -1,2 +1,6 @@
tificc.1
jpgicc.1
+ojdk-8007925+8007926.patch
+ojdk-8007927.patch
+ojdk-8007929.patch
+ojdk-8009654.patch