Bug#776453: marked as done (unblock: jasper/1.900.1-debian1-2.4)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Wed, 28 Jan 2015 07:11:39 +0100
with message-id <54C87D9B.9020906@thykier.net>
and subject line Re: Bug#776453: unblock: jasper/1.900.1-debian1-2.4
has caused the Debian Bug report #776453,
regarding unblock: jasper/1.900.1-debian1-2.4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
776453: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776453
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: jasper/1.900.1-debian1-2.4
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Wed, 28 Jan 2015 06:46:49 +0100
• Message-id: <[🔎] 20150128054649.14402.85313.reportbug@lorien.valinor.li>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Could you please unblock the package jasper, the changelog reads as

> jasper (1.900.1-debian1-2.4) unstable; urgency=high
> 
>   * Non-maintainer upload.
>   * Add 07-CVE-2014-8157.patch patch.
>     CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot().
>     (Closes: #775970)
>   * Add 08-CVE-2014-8158.patch patch.
>     CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes: #775970)
> 
>  -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 22 Jan 2015 17:09:24 +0100

and fixes two CVEs which were already addressed in DSA-3138-1:

 https://www.debian.org/security/2015/dsa-3138

unblock jasper/1.900.1-debian1-2.4

Attached is also the full debdiff for the version in unstable.

Thanks in advance!

Regards,
Salvatore

diff -Nru jasper-1.900.1-debian1/debian/changelog jasper-1.900.1-debian1/debian/changelog
--- jasper-1.900.1-debian1/debian/changelog	2014-12-21 10:31:44.000000000 +0100
+++ jasper-1.900.1-debian1/debian/changelog	2015-01-22 18:35:26.000000000 +0100
@@ -1,3 +1,14 @@
+jasper (1.900.1-debian1-2.4) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add 07-CVE-2014-8157.patch patch.
+    CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot().
+    (Closes: #775970)
+  * Add 08-CVE-2014-8158.patch patch.
+    CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes: #775970)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 22 Jan 2015 17:09:24 +0100
+
 jasper (1.900.1-debian1-2.3) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru jasper-1.900.1-debian1/debian/patches/07-CVE-2014-8157.patch jasper-1.900.1-debian1/debian/patches/07-CVE-2014-8157.patch
--- jasper-1.900.1-debian1/debian/patches/07-CVE-2014-8157.patch	1970-01-01 01:00:00.000000000 +0100
+++ jasper-1.900.1-debian1/debian/patches/07-CVE-2014-8157.patch	2015-01-22 18:35:26.000000000 +0100
@@ -0,0 +1,19 @@
+Description: CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot()
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8157.patch
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1179282
+Bug-Debian: https://bugs.debian.org/775970
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-01-22
+
+--- a/src/libjasper/jpc/jpc_dec.c
++++ b/src/libjasper/jpc/jpc_dec.c
+@@ -489,7 +489,7 @@ static int jpc_dec_process_sot(jpc_dec_t
+ 		dec->curtileendoff = 0;
+ 	}
+ 
+-	if (JAS_CAST(int, sot->tileno) > dec->numtiles) {
++	if (JAS_CAST(int, sot->tileno) >= dec->numtiles) {
+ 		jas_eprintf("invalid tile number in SOT marker segment\n");
+ 		return -1;
+ 	}
diff -Nru jasper-1.900.1-debian1/debian/patches/08-CVE-2014-8158.patch jasper-1.900.1-debian1/debian/patches/08-CVE-2014-8158.patch
--- jasper-1.900.1-debian1/debian/patches/08-CVE-2014-8158.patch	1970-01-01 01:00:00.000000000 +0100
+++ jasper-1.900.1-debian1/debian/patches/08-CVE-2014-8158.patch	2015-01-22 18:35:26.000000000 +0100
@@ -0,0 +1,336 @@
+Description: CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/jasper.git/tree/jasper-CVE-2014-8158.patch
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1179298
+Bug-Debian: https://bugs.debian.org/775970
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2015-01-22
+
+--- a/src/libjasper/jpc/jpc_qmfb.c
++++ b/src/libjasper/jpc/jpc_qmfb.c
+@@ -306,11 +306,7 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+@@ -318,7 +314,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 	register int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -326,7 +321,6 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numcols >= 2) {
+ 		hstartcol = (numcols + 1 - parity) >> 1;
+@@ -360,12 +354,10 @@ void jpc_qmfb_split_row(jpc_fix_t *a, in
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -374,11 +366,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+@@ -386,7 +374,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 	register int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -394,7 +381,6 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -428,12 +414,10 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -442,11 +426,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -457,7 +437,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 	int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -465,7 +444,6 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -517,12 +495,10 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -531,11 +507,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t splitbuf[bufsize * numcols];
+-#endif
+ 	jpc_fix_t *buf = splitbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -546,7 +518,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 	int m;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Get a buffer. */
+ 	if (bufsize > QMFB_SPLITBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -554,7 +525,6 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	if (numrows >= 2) {
+ 		hstartcol = (numrows + 1 - parity) >> 1;
+@@ -606,12 +576,10 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ 		}
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the split buffer was allocated on the heap, free this memory. */
+ 	if (buf != splitbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -619,18 +587,13 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numcols, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -638,7 +601,6 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numcols + 1 - parity) >> 1;
+ 
+@@ -670,12 +632,10 @@ void jpc_qmfb_join_row(jpc_fix_t *a, int
+ 		++srcptr;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -684,18 +644,13 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	register jpc_fix_t *srcptr;
+ 	register jpc_fix_t *dstptr;
+ 	register int n;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t)))) {
+@@ -703,7 +658,6 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -735,12 +689,10 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ 		++srcptr;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -749,11 +701,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize * JPC_QMFB_COLGRPSIZE];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -763,7 +711,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 	register int i;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc2(bufsize, JPC_QMFB_COLGRPSIZE * sizeof(jpc_fix_t)))) {
+@@ -771,7 +718,6 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -821,12 +767,10 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ 		srcptr += JPC_QMFB_COLGRPSIZE;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
+@@ -835,11 +779,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ {
+ 
+ 	int bufsize = JPC_CEILDIVPOW2(numrows, 1);
+-#if !defined(HAVE_VLA)
+ 	jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+-#else
+-	jpc_fix_t joinbuf[bufsize * numcols];
+-#endif
+ 	jpc_fix_t *buf = joinbuf;
+ 	jpc_fix_t *srcptr;
+ 	jpc_fix_t *dstptr;
+@@ -849,7 +789,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 	register int i;
+ 	int hstartcol;
+ 
+-#if !defined(HAVE_VLA)
+ 	/* Allocate memory for the join buffer from the heap. */
+ 	if (bufsize > QMFB_JOINBUFSIZE) {
+ 		if (!(buf = jas_alloc3(bufsize, numcols, sizeof(jpc_fix_t)))) {
+@@ -857,7 +796,6 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 			abort();
+ 		}
+ 	}
+-#endif
+ 
+ 	hstartcol = (numrows + 1 - parity) >> 1;
+ 
+@@ -907,12 +845,10 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ 		srcptr += numcols;
+ 	}
+ 
+-#if !defined(HAVE_VLA)
+ 	/* If the join buffer was allocated on the heap, free this memory. */
+ 	if (buf != joinbuf) {
+ 		jas_free(buf);
+ 	}
+-#endif
+ 
+ }
+ 
diff -Nru jasper-1.900.1-debian1/debian/patches/series jasper-1.900.1-debian1/debian/patches/series
--- jasper-1.900.1-debian1/debian/patches/series	2014-12-21 10:31:44.000000000 +0100
+++ jasper-1.900.1-debian1/debian/patches/series	2015-01-22 18:35:26.000000000 +0100
@@ -4,3 +4,5 @@
 04-CVE-2014-9029.patch
 05-CVE-2014-8137.patch
 06-CVE-2014-8138.patch
+07-CVE-2014-8157.patch
+08-CVE-2014-8158.patch

--- End Message ---

--- Begin Message ---

• To: Salvatore Bonaccorso <carnil@debian.org>, 776453-done@bugs.debian.org
• Subject: Re: Bug#776453: unblock: jasper/1.900.1-debian1-2.4
• From: Niels Thykier <niels@thykier.net>
• Date: Wed, 28 Jan 2015 07:11:39 +0100
• Message-id: <54C87D9B.9020906@thykier.net>
• In-reply-to: <[🔎] 20150128054649.14402.85313.reportbug@lorien.valinor.li>
• References: <[🔎] 20150128054649.14402.85313.reportbug@lorien.valinor.li>

On 2015-01-28 06:46, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi Release Team,
> 
> Could you please unblock the package jasper, the changelog reads as
> 
>> [...]
> 
>  https://www.debian.org/security/2015/dsa-3138
> 
> unblock jasper/1.900.1-debian1-2.4
> 
> Attached is also the full debdiff for the version in unstable.
> 
> Thanks in advance!
> 
> Regards,
> Salvatore
> 

Unblocked, thanks.

~Niels

--- End Message ---