Attached is a patch for a planned NMU for this bug.  It is essentially
the same as the original patch Mark sent along.

I see you've marked this bug as pending, so I'll wait a couple days
before pushing the NMU if you'd like to push your particular changes
instead.

Best wishes,
Mike
diff -Nru jasper-1.900.1/debian/changelog jasper-1.900.1/debian/changelog
--- jasper-1.900.1/debian/changelog	2011-11-27 13:56:59.000000000 -0500
+++ jasper-1.900.1/debian/changelog	2012-01-03 15:10:02.000000000 -0500
@@ -1,3 +1,11 @@
+jasper (1.900.1-12.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2011-4516 and CVE-2011-4517: two buffer overflow issues possibly
+    exploitable via specially crafted input files (closes: #652649).
+
+ -- Michael Gilbert <michael.s.gilb...@gmail.com>  Tue, 03 Jan 2012 14:58:11 -0500
+
 jasper (1.900.1-12) unstable; urgency=low
 
   * Added patch to fix filename buffer overflow, thanks to Jonas Smedegard
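Review bot: the new changelog entry records the CVE numbers and the bug closure but not where the fix originated; the embedded patch's `Origin:` line credits Red Hat, so consider adding that attribution to the changelog text (e.g. "patch from Red Hat") so the provenance is visible without opening debian/patches. Version `1.900.1-12.1` and `urgency=high` are consistent with a Security Team NMU on top of `1.900.1-12`.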
diff -Nru jasper-1.900.1/debian/patches/CVE-2011-4516-and-CVE-2011-4517.patch jasper-1.900.1/debian/patches/CVE-2011-4516-and-CVE-2011-4517.patch
--- jasper-1.900.1/debian/patches/CVE-2011-4516-and-CVE-2011-4517.patch	1969-12-31 19:00:00.000000000 -0500
+++ jasper-1.900.1/debian/patches/CVE-2011-4516-and-CVE-2011-4517.patch	2012-01-03 15:10:05.000000000 -0500
@@ -0,0 +1,28 @@
+Description: fix denial of service and possible code execution via
+ heap-based buffer overflows.
+Origin: Patch thanks to Red Hat
+
+Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+===================================================================
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2011-12-19 09:35:34.186909298 -0500
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2011-12-19 09:35:51.198909832 -0500
+@@ -744,6 +744,10 @@
+ 		return -1;
+ 	}
+ 	compparms->numrlvls = compparms->numdlvls + 1;
++	if (compparms->numrlvls > JPC_MAXRLVLS) {
++		jpc_cox_destroycompparms(compparms);
++		return -1;
++	}
+ 	if (prtflag) {
+ 		for (i = 0; i < compparms->numrlvls; ++i) {
+ 			if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
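Review bot: the DEP-3 header of the new patch file has `Description:` and `Origin:` but no `Bug-Debian:` field; add `Bug-Debian: http://bugs.debian.org/652649` (the number is in the changelog hunk) so the patch links back to the report, and give `Origin:` a URL or advisory reference rather than only "Patch thanks to Red Hat". The code changes themselves look correct as shown: the added bound check rejects `numrlvls > JPC_MAXRLVLS` and calls `jpc_cox_destroycompparms(compparms)` before `return -1`, so the early exit does not leak the allocation, and the `jas_alloc2` change sizes the `crg->comps` array by `sizeof(jpc_crgcomp_t)` instead of `sizeof(uint_fast16_t)`, which matches the `jpc_crgcomp_t *comp` pointer the loop below iterates over and removes the undersized heap allocation.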
diff -Nru jasper-1.900.1/debian/patches/series jasper-1.900.1/debian/patches/series
--- jasper-1.900.1/debian/patches/series	2011-11-27 13:55:33.000000000 -0500
+++ jasper-1.900.1/debian/patches/series	2012-01-03 15:10:19.000000000 -0500
@@ -1,2 +1,3 @@
 01-misc-fixes.patch
 02-fix-filename-buffer-overflow.patch
+CVE-2011-4516-and-CVE-2011-4517.patch
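Review bot: the existing entries in `series` use a numbered prefix (`01-`, `02-`) while the new entry does not; for consistency consider naming the file `03-CVE-2011-4516-and-CVE-2011-4517.patch` (renaming it in the `debian/patches` hunk as well), since the prefix makes the application order explicit even when the series file is not consulted. Appending it last is correct given it touches `jpc_cs.c` independently of the earlier filename-overflow fix.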