jasper: add more security patches from jasper_1.900.1-debian1-2.4+deb8u1.

e56126a9 · Kazuhiko Shiozaki · 3f9a4968 · e56126a9 · e56126a9 · e56126a9
Commit e56126a9 authored Jun 01, 2016 by Kazuhiko Shiozaki
4 changed files
--- a/component/jasper/CVE-2016-1577.patch
+++ b/component/jasper/CVE-2016-1577.patch
+Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
+Origin: vendor, http://www.openwall.com/lists/oss-security/2016/03/03/12
+Bug-Ubuntu: https://launchpad.net/bugs/1547865
+Bug-Debian: https://bugs.debian.org/816625
+Forwarded: not-needed
+Author: Tyler Hicks <tyhicks@canonical.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-03-05
+--- a/src/libjasper/base/jas_icc.c
+++ b/src/libjasper/base/jas_icc.c
+@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ 				if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
+ 					goto error;
+ 				jas_iccattrval_destroy(attrval);
+				attrval = 0;
+ 			} else {
+ #if 0
+ 				jas_eprintf("warning: skipping unknown tag type\n");
--- a/component/jasper/CVE-2016-2089.patch
+++ b/component/jasper/CVE-2016-2089.patch
+Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip()
+Origin: vendor
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636
+Bug-Debian: https://bugs.debian.org/812978
+Forwarded: not-needed
+Author: Tomas Hoger <thoger@redhat.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-03-05
+--- a/src/libjasper/base/jas_image.c
+++ b/src/libjasper/base/jas_image.c
+@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag
+ 		return -1;
+ 	}
+	if (!data->rows_) {
+		return -1;
+	}
+
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		if (jas_matrix_resize(data, height, width)) {
+ 			return -1;
+@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima
+ 		return -1;
+ 	}
+	if (!data->rows_) {
+		return -1;
+	}
+
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		return -1;
+ 	}
+--- a/src/libjasper/base/jas_seq.c
+++ b/src/libjasper/base/jas_seq.c
+@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+ 	int rowstep;
+ 	jas_seqent_t *data;
+	if (!matrix->rows_) {
+		return;
+	}
+
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+ 	jas_seqent_t *data;
+ 	int rowstep;
+	if (!matrix->rows_) {
+		return;
+	}
+
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+	if (!matrix->rows_) {
+		return;
+	}
+
+ 	assert(n >= 0);
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+	if (!matrix->rows_) {
+		return;
+	}
+
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+ 	int rowstep;
+ 	jas_seqent_t *data;
+	if (!matrix->rows_) {
+		return;
+	}
+
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
--- a/component/jasper/CVE-2016-2116.patch
+++ b/component/jasper/CVE-2016-2116.patch
+Description: CVE-2016-2116: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf()
+Origin: vendor, http://www.openwall.com/lists/oss-security/2016/03/03/12
+Bug-Debian: https://bugs.debian.org/816626
+Forwarded: not-needed
+Author: Tyler Hicks <tyhicks@canoonical.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-03-05
+--- a/src/libjasper/base/jas_icc.c
+++ b/src/libjasper/base/jas_icc.c
+@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
+ 	jas_stream_close(in);
+ 	return prof;
+ error:
+	if (in)
+		jas_stream_close(in);
+ 	return 0;
+ }
--- a/component/jasper/buildout.cfg
+++ b/component/jasper/buildout.cfg
@@ -19,6 +19,9 @@ patches =
  ${:_profile_base_location_}/CVE-2014-8138.patch#bfb9604fe84b6e686fea29bd760cf34d
  ${:_profile_base_location_}/CVE-2014-8157.patch#2fb5f62ba8a9f8afffc95a07d1194783
  ${:_profile_base_location_}/CVE-2014-8158.patch#9036077a1fab5de8819f210ea7b57a38
+  ${:_profile_base_location_}/CVE-2016-1577.patch#bc970cf3e8535559454781ec54db2d15
+  ${:_profile_base_location_}/CVE-2016-2089.patch#9b73eda015b04a6da493de89ce9b5685
+  ${:_profile_base_location_}/CVE-2016-2116.patch#387df217963281827e006ab4f14f869a
 configure-options =
  --disable-static
  --enable-shared