main/jasper: security fixes (CVE-2016-1577, CVE-2016-2089, CVE-2016-2116). Fixes #5236

(cherry picked from commit 244e4d797e740c7fedf8e3e9df9d9d85859b11b4)
author: Leonardo Arena <rnalrd@alpinelinux.org> 2016-03-11 15:10:06 +0000
committer: Leonardo Arena <rnalrd@alpinelinux.org> 2016-03-11 15:16:30 +0000
commit: e8da5230ad1d093c3862cca920ceec95b812f23d (patch)
tree: af6c760b80142ebc8cec444993d2d83a15405b77
parent: 43f38ad334e6dbd364c7de66c2208f10692095a4 (diff)
download: aports-e8da5230ad1d093c3862cca920ceec95b812f23d.tar.bz2
aports-e8da5230ad1d093c3862cca920ceec95b812f23d.tar.xz
4 files changed, 127 insertions, 4 deletions
diff --git a/main/jasper/APKBUILD b/main/jasper/APKBUILD
index 1622e8f86b..20fa620d89 100644
--- a/main/jasper/APKBUILD
+++ b/main/jasper/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=jasper
 pkgver=1.900.1
-pkgrel=11
+pkgrel=12
 pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
 url="http://www.ece.uvic.ca/~mdadams/jasper/"
 arch="all"
@@ -21,6 +21,9 @@ source="http://www.ece.uvic.ca/~mdadams/$pkgname/software/$pkgname-$pkgver.zip
 	CVE-2014-8158.patch
 	CVE-2014-9029.patch
 	CVE-2015-5203.patch
+	CVE-2016-1577.patch
+	CVE-2016-2089.patch
+	CVE-2016-2116.patch
 	"
 
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -73,7 +76,10 @@ f386c336808e8fc840c8a5cb7fcc5902  CVE-2014-8137.patch
 1c55ee31d9ca88359abb0353b3f9d052  CVE-2014-8157.patch
 7e1266068d32cc9ecb8b75b6b1174cc3  CVE-2014-8158.patch
 83fd587d569d6b4c7e49f67caaef9bf9  CVE-2014-9029.patch
-78d55c9411bdca5250581a21b19a89c7  CVE-2015-5203.patch"
+78d55c9411bdca5250581a21b19a89c7  CVE-2015-5203.patch
+579f318c6809644b99441cd595541c15  CVE-2016-1577.patch
+45d6048316ff5fda476b2f4df0da4c44  CVE-2016-2089.patch
+36f603ee5922419f869f3bbb3ab453b3  CVE-2016-2116.patch"
 sha256sums="6b905a9c2aca2e275544212666eefc4eb44d95d0a57e4305457b407fe63f9494  jasper-1.900.1.zip
 fca9c4bddc284d6c59845e5b80adfd670e79c945f166d9624b117c6db0c10492  jpc_dec.c.patch
 e454f0fb1b994535ca02fa2468aa39ff153a78f3688db3808b6e953c44890e41  libjasper-stepsizes-overflow.patch
@@ -85,7 +91,10 @@ be19877bc67d843436288c85c17ab49917b1a3db7954b92f736f6cc3ca704756  jasper-1.900.1
 60160f1eecb4cbfe7d8277e091333e9c1b4af7eeaccdfa3b539ac9658bb6a474  CVE-2014-8157.patch
 1dce24d47bcfc599bde5fa625e8b9bfbd1c6c637e4358493276d8a96338ff8b7  CVE-2014-8158.patch
 a43747e7597a2a5108befd4acd31a582101a66096a752e61de853bc860d2a8e1  CVE-2014-9029.patch
-7c73cdcca60a7ddffe4d5fe010d3f200870a8719dda571f578e7f437b7c8d6d0  CVE-2015-5203.patch"
+7c73cdcca60a7ddffe4d5fe010d3f200870a8719dda571f578e7f437b7c8d6d0  CVE-2015-5203.patch
+61bfc92b85f3fad4318e7268e422c9212b88178bc315826d9ed14c563750c262  CVE-2016-1577.patch
+331eb8361e028ce0479d5a1065fa74e348dea6d1d8982236697c098882917b21  CVE-2016-2089.patch
+e6d63d42c92769ba3a943367798c4a5a542b1c872fbe439cf5bc59f8468210bd  CVE-2016-2116.patch"
 sha512sums="e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6  jasper-1.900.1.zip
 c449c0a405f589135b384bc284508bfdd2a29b7bb94b806b960ce72238aa5789cc11fa7d704463ebda9a1384d8d085c603180f7b419e25a91d304b447708b82c  jpc_dec.c.patch
 bafdd22b8214e2993c0a61c06c27b11b4eef68db2e9c6d8786dd54dfae92e685094b66ad6c899d19df9f0f85d3aa4fe35152dd773c5bd9a1e8453ccf8518c799  libjasper-stepsizes-overflow.patch
@@ -97,4 +106,7 @@ ae9d1c85688f7711a5cd7765988e85c64bf5413dede80aa8c860caa505c079d6975410ccb3b0e18c
 44fc87f8a85a5c0b1f3669ca5ec139afcb8971f2d5bfd40ed95913dcf34fee4874301b580134ddca900091ef3cbfdd791b365a5c3ba74d0e8deb855b54322f68  CVE-2014-8157.patch
 7f2f2a990ced181fd5755cc630a8c6d75e8172c926c08350505f6b8b5e8e1f8b0891b4603a4c43da35f913c079f2759975ee7ee1532ebb87f06d01c165299ecb  CVE-2014-8158.patch
 20bac10654ea1b16d741bcc71ca91e484c4238cb285f551a19b1bac4c4cf8ec39bc33f8d3c42dbadd03e85eb667a8e286f208e9b20a5b39429bf8e4454bd9b16  CVE-2014-9029.patch
-911c813308af2cf0697b462e70bcb888a9e9a61399cbd0a6911133c3edd69ac50ddd57523c139080578373bceda1aa23af8ca979668f911785037250c7afcca1  CVE-2015-5203.patch"
+911c813308af2cf0697b462e70bcb888a9e9a61399cbd0a6911133c3edd69ac50ddd57523c139080578373bceda1aa23af8ca979668f911785037250c7afcca1  CVE-2015-5203.patch
+c953cadf37b21b80b313846bb3d0ececb25e3269d02cc8cc15d8a95587fcd8d0944f23d2b7d0a82b2242ea7c46993ea0b6ba33e885363d6484eeef51e5173116  CVE-2016-1577.patch
+7ca676a2bcdf17c140e31286cd704c288201e29e77dc698bbcbbd10d7a51bf95d10dae2ddcbe70e4701440a9bd3fd34ce2042579f568418de3be380c038a39ad  CVE-2016-2089.patch
+f6506e712911df55d2f2891a4036e6baa5db468a6345657b0115c9873494e5390a94a4efb204686fd9d44fc915a6e02d0882b1679889d7e6539cabbf953d6f64  CVE-2016-2116.patch"
diff --git a/main/jasper/CVE-2016-1577.patch b/main/jasper/CVE-2016-1577.patch
new file mode 100644
index 0000000000..41ebfc53e0
--- /dev/null
+++ b/main/jasper/CVE-2016-1577.patch
@@ -0,0 +1,14 @@
+Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy()
+Author: Tyler Hicks <tyhicks () canonical com>
+Bug-Ubuntu: https://launchpad.net/bugs/1547865
+
+--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c
++++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c
+@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre
+ 				if (jas_iccprof_setattr(prof, tagtabent->tag, attrval))
+ 					goto error;
+ 				jas_iccattrval_destroy(attrval);
++				attrval = 0;
+ 			} else {
+ #if 0
+ 				jas_eprintf("warning: skipping unknown tag type\n");
diff --git a/main/jasper/CVE-2016-2089.patch b/main/jasper/CVE-2016-2089.patch
new file mode 100644
index 0000000000..f978958330
--- /dev/null
+++ b/main/jasper/CVE-2016-2089.patch
@@ -0,0 +1,83 @@
+diff -pru jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_image.c	2016-02-01 14:53:56.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_image.c	2016-02-01 21:49:58.746006339 +0100
+@@ -433,6 +433,10 @@ int jas_image_readcmpt(jas_image_t *imag
+ 		return -1;
+ 	}
+ 
++	if (!data->rows_) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		if (jas_matrix_resize(data, height, width)) {
+ 			return -1;
+@@ -486,6 +490,10 @@ int jas_image_writecmpt(jas_image_t *ima
+ 		return -1;
+ 	}
+ 
++	if (!data->rows_) {
++		return -1;
++	}
++
+ 	if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) {
+ 		return -1;
+ 	}
+diff -pru jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c
+--- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c	2016-02-01 14:53:56.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_seq.c	2016-02-01 21:53:45.149193159 +0100
+@@ -266,6 +266,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -286,6 +290,10 @@ void jas_matrix_clip(jas_matrix_t *matri
+ 	jas_seqent_t *data;
+ 	int rowstep;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -310,6 +318,10 @@ void jas_matrix_asr(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	assert(n >= 0);
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+@@ -329,6 +341,10 @@ void jas_matrix_asl(jas_matrix_t *matrix
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
+@@ -371,6 +387,10 @@ void jas_matrix_setall(jas_matrix_t *mat
+ 	int rowstep;
+ 	jas_seqent_t *data;
+ 
++	if (!matrix->rows_) {
++		return;
++	}
++
+ 	rowstep = jas_matrix_rowstep(matrix);
+ 	for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i,
+ 	  rowstart += rowstep) {
diff --git a/main/jasper/CVE-2016-2116.patch b/main/jasper/CVE-2016-2116.patch
new file mode 100644
index 0000000000..e3cb421c79
--- /dev/null
+++ b/main/jasper/CVE-2016-2116.patch
@@ -0,0 +1,14 @@
+Description: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf()
+Author: Tyler Hicks <tyhicks () canonical com>
+
+--- jasper-1.900.1-debian1.orig/src/libjasper/base/jas_icc.c
++++ jasper-1.900.1-debian1/src/libjasper/base/jas_icc.c
+@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf
+ 	jas_stream_close(in);
+ 	return prof;
+ error:
++	if (in)
++		jas_stream_close(in);
+ 	return 0;
+ }
+
author	Leonardo Arena <rnalrd@alpinelinux.org>	2016-03-11 15:10:06 +0000
committer	Leonardo Arena <rnalrd@alpinelinux.org>	2016-03-11 15:16:30 +0000
commit	e8da5230ad1d093c3862cca920ceec95b812f23d (patch)
tree	af6c760b80142ebc8cec444993d2d83a15405b77
parent	43f38ad334e6dbd364c7de66c2208f10692095a4 (diff)
download	aports-e8da5230ad1d093c3862cca920ceec95b812f23d.tar.bz2 aports-e8da5230ad1d093c3862cca920ceec95b812f23d.tar.xz