Your message dated Sat, 26 Mar 2022 12:02:22 +0000 with message-id <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk> and subject line Closing requests for updates in 10.12 has caused the Debian Bug report #998042, regarding buster-pu: package jbig2dec/0.16-1+deb10u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
998042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998042
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package jbig2dec/0.16-1+deb10u1
- From: Thorsten Alteholz <debian@alteholz.de>
- Date: Thu, 28 Oct 2021 22:35:42 +0000 (UTC)
- Message-id: <alpine.DEB.2.21.2110282227220.22048@postfach.intern.alteholz.me>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

The attached debdiff for jbig2dec fixes CVE-2020-12268 in Buster. This CVE is marked as no-dsa by the security team. The patch just adds some checks to prevent an overflow, so the risk should be small. The testsuite of the package showed no errors.

Thorsten

diff -Nru jbig2dec-0.16/debian/changelog jbig2dec-0.16/debian/changelog --- jbig2dec-0.16/debian/changelog 2019-04-07 17:52:08.000000000 +0200 +++ jbig2dec-0.16/debian/changelog 2021-10-24 19:03:02.000000000 +0200 @@ -1,3 +1,12 @@ +jbig2dec (0.16-1+deb10u1) buster; urgency=high + + * Team upload (printing and LTS) + * CVE-2020-12268 + avoid overflow with extreme values of x,y,w,h in function + jbig2_image_compose() + + -- Thorsten Alteholz <debian@alteholz.de> Sun, 24 Oct 2021 19:03:02 +0200 + jbig2dec (0.16-1) unstable; urgency=high [ upstream ] diff -Nru jbig2dec-0.16/debian/patches/CVE-2020-12268.patch jbig2dec-0.16/debian/patches/CVE-2020-12268.patch --- jbig2dec-0.16/debian/patches/CVE-2020-12268.patch 1970-01-01 01:00:00.000000000 +0100 +++ jbig2dec-0.16/debian/patches/CVE-2020-12268.patch 2021-10-24 19:03:02.000000000 +0200 
@@ -0,0 +1,41 @@ +commit 0726320a4b55078e9d8deb590e477d598b3da66e +Author: Robin Watts <Robin.Watts@artifex.com> +Date: Mon Jan 27 10:12:24 2020 -0800 + + Fix OSS-Fuzz issue 20332: buffer overflow in jbig2_image_compose. + + With extreme values of x/y/w/h we can get overflow. Test for this + and exit safely. + + Thanks for OSS-Fuzz for reporting. + +Index: jbig2dec-0.16/jbig2_image.c +=================================================================== +--- jbig2dec-0.16.orig/jbig2_image.c 2021-10-25 15:53:32.254308657 +0200 ++++ jbig2dec-0.16/jbig2_image.c 2021-10-25 16:10:42.074548650 +0200 +@@ -33,6 +33,9 @@ + #if !defined (INT32_MAX) + #define INT32_MAX 0x7fffffff + #endif ++#if !defined (UINT32_MAX) ++#define UINT32_MAX 0xffffffffu ++#endif + + /* allocate a Jbig2Image structure and its associated bitmap */ + Jbig2Image * +@@ -258,6 +261,15 @@ + if (src == NULL) + return 0; + ++ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) || ++ (UINT32_MAX - src->height < (y > 0 ? y : -y))) ++ { ++#ifdef JBIG2_DEBUG ++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image"); ++#endif ++ return 0; ++ } ++ + /* The optimized code for the OR operator below doesn't + handle the source image partially placed outside the + destination (above and/or to the left). The affected diff -Nru jbig2dec-0.16/debian/patches/series jbig2dec-0.16/debian/patches/series --- jbig2dec-0.16/debian/patches/series 2019-03-25 09:49:08.000000000 +0100 +++ jbig2dec-0.16/debian/patches/series 2021-10-24 19:03:02.000000000 +0200 @@ -1,3 +1,5 @@ 1001_ignore_python_test.patch 1004_extract_infile_from_autogen-sh.patch 2001_disable_memento.patch + +CVE-2020-12268.patch
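Review bot: In the `@@ -258,6 +261,15 @@` hunk of the embedded jbig2_image.c patch, the magnitude expression `(x > 0 ? x : -x)` (and likewise for `y`) negates a signed value, which is undefined behaviour when `x` is the most negative representable int; since the result is compared against the unsigned `UINT32_MAX - src->width` anyway, compute the magnitude in unsigned arithmetic, e.g. `x < 0 ? 0u - (uint32_t)x : (uint32_t)x`. Also, the rejection is only reported under `#ifdef JBIG2_DEBUG`, so a release build returns 0 silently on input that trips the check; calling `jbig2_error` unconditionally at a warning severity would make such files visible in logs without changing the safe early return.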
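Review bot: The `debian/patches/series` hunk adds an empty line (`+`) before `+CVE-2020-12268.patch`; the existing entries have no separators, so the blank line is unnecessary and inconsistent and should be dropped.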
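The overflow condition the attached patch guards against, written out as an added stand-alone example (not jbig2dec code): a source image of width w placed at signed offset x must satisfy |x| + w <= UINT32_MAX, and the magnitude is taken in unsigned arithmetic so the most negative offset is handled without undefined behaviour. The names offset_magnitude, offset_plus_extent_fits and compose_args_ok and the boundary values are constructed for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Magnitude of a signed offset computed in unsigned arithmetic: converting
 * first and negating modulo 2^32 yields |off| for every int, including
 * INT_MIN, where a naive "-off" would overflow. (Hypothetical helper.) */
static uint32_t offset_magnitude(int off)
{
    uint32_t u = (uint32_t)off;
    return off < 0 ? 0u - u : u;
}

/* True when placing an extent of `dim` pixels at offset `off` keeps
 * |off| + dim within uint32_t, i.e. the sum cannot wrap around. */
static bool offset_plus_extent_fits(uint32_t dim, int off)
{
    return offset_magnitude(off) <= UINT32_MAX - dim;
}

/* Hypothetical pre-check for a compose(dst, src, x, y) call: both axes must
 * pass, mirroring the width/x and height/y pairing in the patch. Returns 0
 * on overflow (the "exit safely" path) and 1 when composition may proceed. */
static int compose_args_ok(uint32_t src_w, uint32_t src_h, int x, int y)
{
    if (!offset_plus_extent_fits(src_w, x) || !offset_plus_extent_fits(src_h, y))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed boundary cases; the last two differ only in how INT_MIN
     * interacts with the width. */
    printf("%d\n", compose_args_ok(64, 64, -8, 16));               /* 1 */
    printf("%d\n", compose_args_ok(UINT32_MAX, 1, 1, 0));          /* 0 */
    printf("%d\n", compose_args_ok(0x7fffffffu, 1, INT_MIN, 0));   /* 1 */
    printf("%d\n", compose_args_ok(0x80000000u, 1, INT_MIN, 0));   /* 0 */
    return 0;
}
```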
--- End Message ---
--- Begin Message ---
- To: 959469-done@bugs.debian.org, 985063-done@bugs.debian.org, 987376-done@bugs.debian.org, 992546-done@bugs.debian.org, 992613-done@bugs.debian.org, 995748-done@bugs.debian.org, 996023-done@bugs.debian.org, 996024-done@bugs.debian.org, 996600-done@bugs.debian.org, 996624-done@bugs.debian.org, 996695-done@bugs.debian.org, 996929-done@bugs.debian.org, 996997-done@bugs.debian.org, 997079-done@bugs.debian.org, 998042-done@bugs.debian.org, 998248-done@bugs.debian.org, 998344-done@bugs.debian.org, 1000218-done@bugs.debian.org, 1000341-done@bugs.debian.org, 1000386-done@bugs.debian.org, 1000408-done@bugs.debian.org, 1000473-done@bugs.debian.org, 1000479-done@bugs.debian.org, 1000480-done@bugs.debian.org, 1000486-done@bugs.debian.org, 1000608-done@bugs.debian.org, 1001043-done@bugs.debian.org, 1001149-done@bugs.debian.org, 1001280-done@bugs.debian.org, 1001454-done@bugs.debian.org, 1001556-done@bugs.debian.org, 1001749-done@bugs.debian.org, 1001752-done@bugs.debian.org, 1002297-done@bugs.debian.org, 1002298-done@bugs.debian.org, 1002740-done@bugs.debian.org, 1002912-done@bugs.debian.org, 1003795-done@bugs.debian.org, 1003825-done@bugs.debian.org, 1003826-done@bugs.debian.org, 1003827-done@bugs.debian.org, 1003841-done@bugs.debian.org, 1003842-done@bugs.debian.org, 1004049-done@bugs.debian.org, 1004055-done@bugs.debian.org, 1004056-done@bugs.debian.org, 1004249-done@bugs.debian.org, 1004261-done@bugs.debian.org, 1004265-done@bugs.debian.org, 1004267-done@bugs.debian.org, 1004268-done@bugs.debian.org, 1005000-done@bugs.debian.org, 1005218-done@bugs.debian.org, 1005233-done@bugs.debian.org, 1005353-done@bugs.debian.org, 1005374-done@bugs.debian.org, 1006377-done@bugs.debian.org, 1006417-done@bugs.debian.org, 1006494-done@bugs.debian.org, 1006525-done@bugs.debian.org, 1007745-done@bugs.debian.org, 1007746-done@bugs.debian.org, 1007879-done@bugs.debian.org, 1007938-done@bugs.debian.org, 1007948-done@bugs.debian.org, 1007964-done@bugs.debian.org, 1008030-done@bugs.debian.org, 
1008072-done@bugs.debian.org, 1006142-done@bugs.debian.org
- Subject: Closing requests for updates in 10.12
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 26 Mar 2022 12:02:22 +0000
- Message-id: <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as part of today's 10.12 point release.

Regards,

Adam
--- End Message ---