guix-commits

01/01: gnu: jasper: Add fixes for CVE-2016-1577, CVE-2016-2089, CVE-2016


From: Efraim Flashner
Subject: 01/01: gnu: jasper: Add fixes for CVE-2016-1577, CVE-2016-2089, CVE-2016-2116.
Date: Tue, 08 Mar 2016 09:56:01 +0000

efraim pushed a commit to branch master
in repository guix.

commit e224495ce1ce373cc43b49faa538116c9cac1466
Author: Efraim Flashner <address@hidden>
Date:   Tue Mar 8 11:49:04 2016 +0200

    gnu: jasper: Add fixes for CVE-2016-1577, CVE-2016-2089, CVE-2016-2116.
    
    * gnu/packages/patches/jasper-CVE-2016-1577.patch,
    gnu/packages/patches/jasper-CVE-2016-2089.patch,
    gnu/packages/patches/jasper-CVE-2016-2116.patch: New files.
    * gnu-system.am (dist_patch_DATA): Add them.
    * gnu/packages/image.scm (jasper)[source]: Add patches.
---
 gnu-system.am                                   |    3 +
 gnu/packages/image.scm                          |    6 +-
 gnu/packages/patches/jasper-CVE-2016-1577.patch |   19 +++++
 gnu/packages/patches/jasper-CVE-2016-2089.patch |   90 +++++++++++++++++++++++
 gnu/packages/patches/jasper-CVE-2016-2116.patch |   19 +++++
 5 files changed, 136 insertions(+), 1 deletions(-)

diff --git a/gnu-system.am b/gnu-system.am
index f4f1b89..4566eca 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -543,7 +543,10 @@ dist_patch_DATA =                                          
\
   gnu/packages/patches/jasper-CVE-2014-8157.patch              \
   gnu/packages/patches/jasper-CVE-2014-8158.patch              \
   gnu/packages/patches/jasper-CVE-2014-9029.patch              \
+  gnu/packages/patches/jasper-CVE-2016-1577.patch              \
   gnu/packages/patches/jasper-CVE-2016-1867.patch              \
+  gnu/packages/patches/jasper-CVE-2016-2089.patch              \
+  gnu/packages/patches/jasper-CVE-2016-2116.patch              \
   gnu/packages/patches/jbig2dec-ignore-testtest.patch          \
   gnu/packages/patches/kmod-module-directory.patch             \
   gnu/packages/patches/ldc-disable-tests.patch                 \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 2d2f0f2..4b99fb6 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2015 Amirouche Boubekki <address@hidden>
 ;;; Copyright © 2014 John Darrington <address@hidden>
 ;;; Copyright © 2016 Leo Famulari <address@hidden>
+;;; Copyright © 2016 Efraim Flashner <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -736,7 +737,10 @@ convert, manipulate, filter and display a wide variety of 
image formats.")
                   (search-patch "jasper-CVE-2014-8157.patch")
                   (search-patch "jasper-CVE-2014-8158.patch")
                   (search-patch "jasper-CVE-2014-9029.patch")
-                  (search-patch "jasper-CVE-2016-1867.patch")))))
+                  (search-patch "jasper-CVE-2016-1577.patch")
+                  (search-patch "jasper-CVE-2016-1867.patch")
+                  (search-patch "jasper-CVE-2016-2089.patch")
+                  (search-patch "jasper-CVE-2016-2116.patch")))))
     (build-system gnu-build-system)
     (native-inputs
      `(("unzip" ,unzip)))
diff --git a/gnu/packages/patches/jasper-CVE-2016-1577.patch 
b/gnu/packages/patches/jasper-CVE-2016-1577.patch
new file mode 100644
index 0000000..75bbd52
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2016-1577.patch
@@ -0,0 +1,19 @@
+Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
+Origin: vendor, http://www.openwall.com/lists/oss-security/2016/03/03/12
+Bug-Ubuntu: https://launchpad.net/bugs/1547865
+Bug-Debian: https://bugs.debian.org/816625
+Forwarded: not-needed
+Author: Tyler Hicks <address@hidden>
+Reviewed-by: Salvatore Bonaccorso <address@hidden>
+Last-Update: 2016-03-05
+
+--- a/src/libjasper/base/jas_icc.c
++++ b/src/libjasper/base/jas_icc.c
+@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+                               if (jas_iccprof_setattr(prof, tagtabent->tag, 
attrval))
+                                       goto error;
+                               jas_iccattrval_destroy(attrval);
++                              attrval = 0;
+                       } else {
+ #if 0
+                               jas_eprintf("warning: skipping unknown tag 
type\n");
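Review bot: The added `attrval = 0;` prevents the double free only if the cleanup under the `error:` label tests the pointer before destroying it, and that label is outside this hunk, so the pairing should be confirmed there. A short comment on the new line would record the intent, e.g. `/* already destroyed above; cleared so the error path cannot destroy it a second time */`. The failing `jas_iccprof_setattr` branch two lines earlier still jumps to `error` with `attrval` live, which looks intended because the value has not been destroyed at that point.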
diff --git a/gnu/packages/patches/jasper-CVE-2016-2089.patch 
b/gnu/packages/patches/jasper-CVE-2016-2089.patch
new file mode 100644
index 0000000..95d4b61
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2016-2089.patch
@@ -0,0 +1,90 @@
+Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in 
jas_matrix_clip()
+Origin: vendor
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636
+Bug-Debian: https://bugs.debian.org/812978
+Forwarded: not-needed
+Author: Tomas Hoger <address@hidden>
+Reviewed-by: Salvatore Bonaccorso <address@hidden>
+Last-Update: 2016-03-05
+
+--- a/src/libjasper/base/jas_image.c
++++ b/src/libjasper/base/jas_image.c
+@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag
+               return -1;
+       }
+ 
++      if (!data->rows_) {
++              return -1;
++      }
++
+       if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != 
width) {
+               if (jas_matrix_resize(data, height, width)) {
+                       return -1;
+@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima
+               return -1;
+       }
+ 
++      if (!data->rows_) {
++              return -1;
++      }
++
+       if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != 
width) {
+               return -1;
+       }
+--- a/src/libjasper/base/jas_seq.c
++++ b/src/libjasper/base/jas_seq.c
+@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+       int rowstep;
+       jas_seqent_t *data;
+ 
++      if (!matrix->rows_) {
++              return;
++      }
++
+       rowstep = jas_matrix_rowstep(matrix);
+       for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+         rowstart += rowstep) {
+@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+       jas_seqent_t *data;
+       int rowstep;
+ 
++      if (!matrix->rows_) {
++              return;
++      }
++
+       rowstep = jas_matrix_rowstep(matrix);
+       for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+         rowstart += rowstep) {
+@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+       int rowstep;
+       jas_seqent_t *data;
+ 
++      if (!matrix->rows_) {
++              return;
++      }
++
+       assert(n >= 0);
+       rowstep = jas_matrix_rowstep(matrix);
+       for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+       int rowstep;
+       jas_seqent_t *data;
+ 
++      if (!matrix->rows_) {
++              return;
++      }
++
+       rowstep = jas_matrix_rowstep(matrix);
+       for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+         rowstart += rowstep) {
+@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+       int rowstep;
+       jas_seqent_t *data;
+ 
++      if (!matrix->rows_) {
++              return;
++      }
++
+       rowstep = jas_matrix_rowstep(matrix);
+       for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+         rowstart += rowstep) {
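Review bot: The `rows_` null guard is pasted into seven functions with no comment saying when a matrix can lack a row table, and callers see two different outcomes: `jas_image_readcmpt` and `jas_image_writecmpt` return -1, while the five `jas_seq.c` routines return silently as a no-op. A one-line comment at each guard would help, e.g. `/* empty matrix: no row table was allocated, so rows_[0] must not be read */`. The guard tests only `rows_` while each loop is bounded by `numrows_`; presumably the two are always consistent, but that invariant is established where the matrix is created, which is outside this patch. Any other routine that reads `matrix->rows_[0]` is likewise not visible here and is worth checking for the same guard.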
diff --git a/gnu/packages/patches/jasper-CVE-2016-2116.patch 
b/gnu/packages/patches/jasper-CVE-2016-2116.patch
new file mode 100644
index 0000000..cdb616f
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2016-2116.patch
@@ -0,0 +1,19 @@
+Description: CVE-2016-2116: Prevent jas_stream_t memory leak in 
jas_iccprof_createfrombuf()
+Origin: vendor, http://www.openwall.com/lists/oss-security/2016/03/03/12
+Bug-Debian: https://bugs.debian.org/816626
+Forwarded: not-needed
+Author: Tyler Hicks <address@hidden>
+Reviewed-by: Salvatore Bonaccorso <address@hidden>
+Last-Update: 2016-03-05
+
+--- a/src/libjasper/base/jas_icc.c
++++ b/src/libjasper/base/jas_icc.c
+@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
+       jas_stream_close(in);
+       return prof;
+ error:
++      if (in)
++              jas_stream_close(in);
+       return 0;
+ }
+ 
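Review bot: The cleanup added under `error:` reads `in`, so it is correct only if `in` has been assigned, or initialised to 0, before every `goto error` in `jas_iccprof_createfrombuf`; the declaration and the jumps are outside this hunk and should be checked. The guards added by jasper-CVE-2016-2089.patch in this same commit brace their single statements, so for consistency the new lines could be written `if (in) { jas_stream_close(in); }`. A brief comment such as `/* release the stream on failure; it is closed separately on the success path above */` would make the ownership explicit.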


