Your message dated Wed, 13 Aug 2008 10:04:00 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Closing old security bug with versioning 2
has caused the Debian Bug report #362288,
regarding xzgv: exploitable buffer overflow with crafted JPEG images 
[CVE-2006-1060]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
362288: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=362288
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: xzgv
Version: 0.8-5
Severity: grave
Tags: security patch

Hi,

Recently an exploitable buffer overflow was discovered in xzgv. Please
see here for some details and some further URLs:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1060

Please mention the CVE number in the changelog when you fix this to
ease tracking.

I attach a test case jpg, and the patch from upstream.

Thank you!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
--- xzgv-0.8-patched/src/readjpeg.c     Tue Mar 21 12:16:07 2006
+++ xzgv/src/readjpeg.c Wed Sep 21 21:15:01 2005
@@ -179,11 +179,13 @@
 static int have_image;
 static int width,height;
 static unsigned char *image;
+static int cmyk;
 unsigned char *ptr,*ptr2;
 int chkw,chkh;
 int f,rec;
 static int greyscale;  /* static to satisfy gcc -Wall */
 
+cmyk=0;
 greyscale=0;
 
 lineptrs=NULL;
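
Review bot: `static int cmyk;` is added without saying why it is static, while the neighbouring `greyscale` declaration carries a comment explaining its storage class. This function leaves through `longjmp` (visible in a later hunk), so a short comment that the `static` is deliberate would help. It is also worth a word next to `cmyk=0;` that the reset on entry is required, because a static would otherwise keep its value from the previous image.
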
@@ -225,6 +227,15 @@
   greyscale=1;
   }
 
+if(cinfo.jpeg_color_space==JCS_CMYK)
+  cmyk=1;
+
+if(cinfo.jpeg_color_space==JCS_YCCK)
+  {
+  cmyk=1;
+  cinfo.out_color_space=JCS_CMYK;
+  }
+
 *wp=width=cinfo.image_width;
 *hp=height=cinfo.image_height;
 
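
Review bot: the `JCS_CMYK` branch sets only `cmyk=1` and leaves `cinfo.out_color_space` at whatever the library chose, while the `JCS_YCCK` branch sets it explicitly. The conversion loop added further down assumes four bytes per pixel whenever `cmyk` is set, so I would assign `cinfo.out_color_space=JCS_CMYK;` in both cases. That also lets the two tests collapse into a single `if` on `JCS_CMYK || JCS_YCCK`.
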
@@ -266,7 +277,7 @@
 /* this one shouldn't hurt */
 cinfo.do_block_smoothing=FALSE;
 
-if(WH_BAD(width,height) || (*imagep=image=malloc(width*height*3))==NULL)
+if(WH_BAD(width,height) || (*imagep=image=malloc(width*(height+cmyk)*3))==NULL)
   longjmp(jerr.setjmp_buffer,1);
 
 jpeg_start_decompress(&cinfo);
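
Review bot: `malloc(width*(height+cmyk)*3)` still computes the size in `int`, and the extra row is now part of that product, so the bound enforced by `WH_BAD(width,height)` (its definition is not shown in this patch) has to leave room for `height+1`. Please confirm that it does, or compute the size in `size_t` with an explicit overflow check. A comment saying that the extra row is scratch space for the four-byte-per-pixel CMYK scanline would also make the `+cmyk` term less cryptic.
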
@@ -279,12 +290,33 @@
 for(f=0;f<height;f++,ptr+=width*3)
   lineptrs[f]=ptr;
 
-rec=cinfo.rec_outbuf_height;
-while(cinfo.output_scanline<height)
+if(!cmyk)
   {
-  f=height-cinfo.output_scanline;
-  jpeg_read_scanlines(&cinfo,lineptrs+cinfo.output_scanline,
-                      f>rec?rec:f);
+  rec=cinfo.rec_outbuf_height;
+  while(cinfo.output_scanline<height)
+    {
+    f=height-cinfo.output_scanline;
+    jpeg_read_scanlines(&cinfo,lineptrs+cinfo.output_scanline,
+                        f>rec?rec:f);
+    }
+  }
+else   /* cmyk output */
+  {
+  int tmp;
+
+  ptr=image;
+  while(cinfo.output_scanline<height)
+    {
+    jpeg_read_scanlines(&cinfo,&ptr,1);
+    ptr2=ptr;
+    for(f=0;f<width;f++,ptr+=3,ptr2+=4)
+      {
+      tmp=ptr2[3];
+      ptr[0]=(tmp*ptr2[0])/255;
+      ptr[1]=(tmp*ptr2[1])/255;
+      ptr[2]=(tmp*ptr2[2])/255;
+      }
+    }
   }
 
 free(lineptrs);
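
Review bot: in the `else` branch the return value of `jpeg_read_scanlines(&cinfo,&ptr,1)` is ignored, yet the inner loop always advances `ptr` by `width*3`. If a call delivers no line, `cinfo.output_scanline` stays put while `ptr` keeps moving, so the `while` loop can walk past the end of `image`. Check for a return of 1 before converting, and bail out through the existing error path otherwise. Separately, the raw four-component scanline is written at `ptr` inside a buffer laid out at three bytes per pixel, and only the extra `width*3` bytes from the `+cmyk` term in the allocation keep the last row in bounds. That coupling deserves a comment here, or a separate `width*4` row buffer. `lineptrs` is still filled above but unused on this path.
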

<<attachment: xzgv.CVE-2006-1060.jpg>>



--- End Message ---
--- Begin Message ---
Version: 0.9+svn34-1

Also closed in this version that is actually in the changelog.


--- End Message ---
