Your message dated Sat, 08 Feb 2020 14:21:36 +0000 with message-id <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk> and subject line Closing requests included in 10.3 point release has caused the Debian Bug report #942575, regarding buster-pu: package openjpeg2/2.3.0-2+deb10u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
942575: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942575
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package openjpeg2/2.3.0-2+deb10u1
- From: Hugo Lefeuvre <hle@debian.org>
- Date: Fri, 18 Oct 2019 13:23:02 +0200
- Message-id: <20191018112302.wvdvzttulvgyj6bk@behemoth.owl.eu.com.local>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release managers,

as discussed in #939553[0], no DSA will be issued by the security team for CVE-2018-21010 and this vulnerability can be fixed via -pu.

The attached debdiff addresses this issue, along with CVE-2018-20847. This is almost the same debdiff as #942024[1] (for stretch-pu).

thanks!

cheers,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942024

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru openjpeg2-2.3.0/debian/changelog openjpeg2-2.3.0/debian/changelog --- openjpeg2-2.3.0/debian/changelog 2019-03-10 18:34:51.000000000 +0100 +++ openjpeg2-2.3.0/debian/changelog 2019-10-17 14:48:09.000000000 +0200 @@ -1,3 +1,14 @@ +openjpeg2 (2.3.0-2+deb10u1) buster; urgency=high + + * Backport security fixes: + * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile + (Closes: #939553). + * CVE-2018-20847: improper computation of values in the function + opj_get_encoding_parameters, leading to an integer overflow + (Closes: #931294). + + -- Hugo Lefeuvre <hle@debian.org> Thu, 17 Oct 2019 14:48:09 +0200 + openjpeg2 (2.3.0-2) unstable; urgency=high [ Hugo Lefeuvre ] diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch --- openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 2019-10-17 14:43:51.000000000 +0200 
@@ -0,0 +1,40 @@ +Description: fix integer overflow in opj_get_encoding_parameters + This bug is known at three places in the source code: + opj_get_all_encoding_parameters() and opj_tcd_init_tile() in pi.c and tcd.c + (both fixed _before_ the release of 2.1.2), and opj_get_encoding_parameters() + in pi.c. This patch addresses the issue in opj_get_encoding_parameters(). +Author: Young_X <YangX92@hotmail.com> +Origin: upstream, https://github.com/uclouvain/openjpeg/commit/c58df149900df862 +--- a/src/lib/openjp2/pi.c 2019-10-17 14:41:15.997977749 +0200 ++++ b/src/lib/openjp2/pi.c 2019-10-17 14:43:46.276679721 +0200 +@@ -748,6 +748,9 @@ + /* position in x and y of tile */ + OPJ_UINT32 p, q; + ++ /* non-corrected (in regard to image offset) tile offset */ ++ OPJ_UINT32 l_tx0, l_ty0; ++ + /* preconditions */ + assert(p_cp != 00); + assert(p_image != 00); +@@ -763,14 +766,12 @@ + q = p_tileno / p_cp->tw; + + /* find extent of tile */ +- *p_tx0 = opj_int_max((OPJ_INT32)(p_cp->tx0 + p * p_cp->tdx), +- (OPJ_INT32)p_image->x0); +- *p_tx1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx), +- (OPJ_INT32)p_image->x1); +- *p_ty0 = opj_int_max((OPJ_INT32)(p_cp->ty0 + q * p_cp->tdy), +- (OPJ_INT32)p_image->y0); +- *p_ty1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + (q + 1) * p_cp->tdy), +- (OPJ_INT32)p_image->y1); ++ l_tx0 = p_cp->tx0 + p * p_cp->tdx; /* can't be greater than p_image->x1 so won't overflow */ ++ *p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0); ++ *p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), p_image->x1); ++ l_ty0 = p_cp->ty0 + q * p_cp->tdy; /* can't be greater than p_image->y1 so won't overflow */ ++ *p_ty0 = (OPJ_INT32)opj_uint_max(l_ty0, p_image->y0); ++ *p_ty1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, p_cp->tdy), p_image->y1); + + /* max precision is 0 (can only grow) */ + *p_max_prec = 0; diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch --- 
openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 2019-10-17 14:34:45.000000000 +0200 @@ -0,0 +1,26 @@ +Description: color_apply_icc_profile: avoid potential heap buffer overflow + This patch addresses CVE-2018-21010. It differs slightly from upstream's + patch in that we avoid whitespace refactoring and complex nested ifs. +Author: Even Rouault <even.rouault@spatialys.com>, Hugo Lefeuvre <hle@debian.org> +Origin: upstream, https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c9 +--- a/src/bin/common/color.c 2019-10-17 14:33:21.021771909 +0200 ++++ b/src/bin/common/color.c 2019-10-17 14:34:39.397137223 +0200 +@@ -597,6 +597,18 @@ + } + + if (image->numcomps > 2) { /* RGB, RGBA */ ++ ++ if (!(image->comps[0].w == image->comps[1].w && ++ image->comps[0].w == image->comps[2].w) || ++ !(image->comps[0].h == image->comps[1].h && ++ image->comps[0].h == image->comps[2].h)) ++ { ++ fprintf(stderr, ++ "[ERROR] Image components should have the same width and height\n"); ++ cmsDeleteTransform(transform); ++ return; ++ } ++ + if (prec <= 8) { + unsigned char *inbuf, *outbuf, *in, *out; + diff -Nru openjpeg2-2.3.0/debian/patches/series openjpeg2-2.3.0/debian/patches/series --- openjpeg2-2.3.0/debian/patches/series 2019-03-10 18:31:30.000000000 +0100 +++ openjpeg2-2.3.0/debian/patches/series 2019-10-17 14:41:01.000000000 +0200 @@ -5,3 +5,5 @@ CVE-2018-18088.patch CVE-2018-5785.patch CVE-2018-6616.patch +CVE-2018-21010.patch +CVE-2018-20847.patch
Attachment: signature.asc
Description: PGP signature
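Review bot: In the debian/changelog hunk, the CVE-2018-21010 item sits under "Backport security fixes" without saying that the Debian patch deviates from the upstream commit, although the header of CVE-2018-21010.patch states "It differs slightly from upstream's patch". Suggest adding a short clause to that changelog item, so that anyone auditing the point release from the changelog alone can see the fix is not a verbatim backport.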
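Review bot: In the pi.c hunk at "@@ -763,14 +766,12 @@", the lower tile bounds "l_tx0 = p_cp->tx0 + p * p_cp->tdx" and "l_ty0 = p_cp->ty0 + q * p_cp->tdy" are protected only by the comment "can't be greater than p_image->x1 so won't overflow". Nothing visible in the hunk enforces that, and the unsigned multiply wraps silently if the tile grid has not been validated against the image extent before this function runs. Only the upper bounds go through opj_uint_adds. Suggest stating in the patch description where that invariant is established, or adding an assert next to the existing preconditions. The clamped results are also still cast to OPJ_INT32 when stored through p_tx0, p_tx1, p_ty0 and p_ty1, so it is worth confirming that p_image->x1 and p_image->y1 are bounded below INT32_MAX earlier, otherwise the stored values come out negative.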
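Review bot: In the color.c hunk, the new dimension check under "if (image->numcomps > 2)" compares only comps[0], comps[1] and comps[2], while the branch comment says it also covers RGBA. If any code in this branch indexes comps[3] using sizes taken from comps[0], the fourth component needs the same width and height comparison; if it does not, a one-line comment saying so would help the next reader. The error path is a bare "return;" after fprintf, so the caller cannot tell a rejected image from a converted one; please confirm that callers cope with an image left unconverted. The condition would also read more simply as four "!=" comparisons joined with "||".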
--- End Message ---
--- Begin Message ---
- To: 939036-done@bugs.debian.org, 939802-done@bugs.debian.org, 940647-done@bugs.debian.org, 941365-done@bugs.debian.org, 941713-done@bugs.debian.org, 942575-done@bugs.debian.org, 944294-done@bugs.debian.org, 944348-done@bugs.debian.org, 944856-done@bugs.debian.org, 944865-done@bugs.debian.org, 945518-done@bugs.debian.org, 945845-done@bugs.debian.org, 945896-done@bugs.debian.org, 945925-done@bugs.debian.org, 945965-done@bugs.debian.org, 946032-done@bugs.debian.org, 946033-done@bugs.debian.org, 946083-done@bugs.debian.org, 946175-done@bugs.debian.org, 946184-done@bugs.debian.org, 946402-done@bugs.debian.org, 946557-done@bugs.debian.org, 946559-done@bugs.debian.org, 946651-done@bugs.debian.org, 946705-done@bugs.debian.org, 946819-done@bugs.debian.org, 946822-done@bugs.debian.org, 946831-done@bugs.debian.org, 946841-done@bugs.debian.org, 946864-done@bugs.debian.org, 946901-done@bugs.debian.org, 946960-done@bugs.debian.org, 947038-done@bugs.debian.org, 947125-done@bugs.debian.org, 947201-done@bugs.debian.org, 947254-done@bugs.debian.org, 947321-done@bugs.debian.org, 947331-done@bugs.debian.org, 947832-done@bugs.debian.org, 948104-done@bugs.debian.org, 948203-done@bugs.debian.org, 948205-done@bugs.debian.org, 948290-done@bugs.debian.org, 948363-done@bugs.debian.org, 948390-done@bugs.debian.org, 948400-done@bugs.debian.org, 948464-done@bugs.debian.org, 948472-done@bugs.debian.org, 948485-done@bugs.debian.org, 948544-done@bugs.debian.org, 948545-done@bugs.debian.org, 948550-done@bugs.debian.org, 948601-done@bugs.debian.org, 948609-done@bugs.debian.org, 948695-done@bugs.debian.org, 948796-done@bugs.debian.org, 948826-done@bugs.debian.org, 948850-done@bugs.debian.org, 948854-done@bugs.debian.org, 948857-done@bugs.debian.org, 948899-done@bugs.debian.org, 948904-done@bugs.debian.org, 948910-done@bugs.debian.org, 948979-done@bugs.debian.org, 948988-done@bugs.debian.org, 948991-done@bugs.debian.org, 949120-done@bugs.debian.org, 949121-done@bugs.debian.org, 
949310-done@bugs.debian.org, 949541-done@bugs.debian.org, 949704-done@bugs.debian.org, 949728-done@bugs.debian.org, 949842-done@bugs.debian.org, 949852-done@bugs.debian.org, 949895-done@bugs.debian.org, 949898-done@bugs.debian.org, 949899-done@bugs.debian.org, 949904-done@bugs.debian.org, 949906-done@bugs.debian.org, 949908-done@bugs.debian.org, 949957-done@bugs.debian.org, 950018-done@bugs.debian.org, 950139-done@bugs.debian.org, 950166-done@bugs.debian.org, 950257-done@bugs.debian.org, 950272-done@bugs.debian.org, 950280-done@bugs.debian.org, 950369-done@bugs.debian.org, 950466-done@bugs.debian.org
- Subject: Closing requests included in 10.3 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 08 Feb 2020 14:21:36 +0000
- Message-id: <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's stable point release.

Regards,

Adam
--- End Message ---