author | Natanael Copa <ncopa@alpinelinux.org> | 2015-09-21 10:37:10 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-09-21 10:37:53 +0200 |
commit | 2b2d458b50da34ebb2659bbdcaecac89f7945dd6 (patch) | |
tree | c0a695ce050da039b8f96eb678e7e36a7ab0ef32 | |
parent | ee0854478ac13a09a35a848e82d9bd24e60b3468 (diff) | |
main/jasper: security fix for CVE-2015-5203
ref #4557
-rw-r--r-- | main/jasper/APKBUILD | 12 | ||||
-rw-r--r-- | main/jasper/CVE-2015-5203.patch | 198 |
2 files changed, 206 insertions, 4 deletions
diff --git a/main/jasper/APKBUILD b/main/jasper/APKBUILD
index 748435bc76..9a713a3e01 100644
--- a/main/jasper/APKBUILD
+++ b/main/jasper/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=jasper
 pkgver=1.900.1
-pkgrel=9
+pkgrel=10
 pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
 url="http://www.ece.uvic.ca/~mdadams/jasper/"
 arch="all"
@@ -16,6 +16,7 @@ source="http://www.ece.uvic.ca/~mdadams/$pkgname/software/$pkgname-$pkgver.zip
 jasper-1.900.1-CVE-2008-3522.patch
 jasper-1.900.1-bnc725758.patch
 CVE-2014-9029.patch
+ CVE-2015-5203.patch
 "
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -62,18 +63,21 @@ md5sums="a342b2b4495b3e1394e161eb5d85d754 jasper-1.900.1.zip
 911bb13529483c093d12c15eed4e9243 jasper-1.900.1-CVE-2008-3520.patch
 ed441f30c4231f319d9ff77d86db2ef9 jasper-1.900.1-CVE-2008-3522.patch
 eaf73536f989e629a8c06533e4e6fad5 jasper-1.900.1-bnc725758.patch
-83fd587d569d6b4c7e49f67caaef9bf9 CVE-2014-9029.patch"
+83fd587d569d6b4c7e49f67caaef9bf9 CVE-2014-9029.patch
+484df1eab8e50bcda1b6c1bdfc91339e CVE-2015-5203.patch"
 sha256sums="6b905a9c2aca2e275544212666eefc4eb44d95d0a57e4305457b407fe63f9494 jasper-1.900.1.zip
 fca9c4bddc284d6c59845e5b80adfd670e79c945f166d9624b117c6db0c10492 jpc_dec.c.patch
 e454f0fb1b994535ca02fa2468aa39ff153a78f3688db3808b6e953c44890e41 libjasper-stepsizes-overflow.patch
 02236060cae28be5ac46d90ca17ce2de17e975574dd761d9117994e69bdc38d6 jasper-1.900.1-CVE-2008-3520.patch
 b0272ce179ead3692942246523462db33c0f2a92bd9f9a117ff40e8ec963fbac jasper-1.900.1-CVE-2008-3522.patch
 be19877bc67d843436288c85c17ab49917b1a3db7954b92f736f6cc3ca704756 jasper-1.900.1-bnc725758.patch
-a43747e7597a2a5108befd4acd31a582101a66096a752e61de853bc860d2a8e1 CVE-2014-9029.patch"
+a43747e7597a2a5108befd4acd31a582101a66096a752e61de853bc860d2a8e1 CVE-2014-9029.patch
+6b89a3766e6c6bf3a6203a8936273020aa8bad994f86d203eea9c7441b11bf65 CVE-2015-5203.patch"
 sha512sums="e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6 jasper-1.900.1.zip
 c449c0a405f589135b384bc284508bfdd2a29b7bb94b806b960ce72238aa5789cc11fa7d704463ebda9a1384d8d085c603180f7b419e25a91d304b447708b82c jpc_dec.c.patch
 bafdd22b8214e2993c0a61c06c27b11b4eef68db2e9c6d8786dd54dfae92e685094b66ad6c899d19df9f0f85d3aa4fe35152dd773c5bd9a1e8453ccf8518c799 libjasper-stepsizes-overflow.patch
 d337207260b3ac7e40e92326d95364ef21128431235e6ef9e345a6c781f328fd3aaf0dbfb8c7dde2403ab0cfc89cda664c3f2fec673187589358fe58521e83a1 jasper-1.900.1-CVE-2008-3520.patch
 d686c26f1432b522f41948c7bd188f9b74c455671d5f30ab97144977b22d4e778e475fea6d8128b607218a061c50f2cc767e66413455805e8843c04d901f708d jasper-1.900.1-CVE-2008-3522.patch
 a83fe196d4305fea6f2265e1bcb64dd4841bf4355ca661c46841de44c9f642f995e13929111833f23f51168282d2da06c0544956edc3a863d13be2b584c1ad73 jasper-1.900.1-bnc725758.patch
-20bac10654ea1b16d741bcc71ca91e484c4238cb285f551a19b1bac4c4cf8ec39bc33f8d3c42dbadd03e85eb667a8e286f208e9b20a5b39429bf8e4454bd9b16 CVE-2014-9029.patch"
+20bac10654ea1b16d741bcc71ca91e484c4238cb285f551a19b1bac4c4cf8ec39bc33f8d3c42dbadd03e85eb667a8e286f208e9b20a5b39429bf8e4454bd9b16 CVE-2014-9029.patch
+ccff9980c0e697877700e362cb865d454d8351d12c2b0459118aaedef5e1663fb3a4e2c042bb90a74c2b67237bb5723e6b181b073e223f71a3341d87531177b4 CVE-2015-5203.patch"
diff --git a/main/jasper/CVE-2015-5203.patch b/main/jasper/CVE-2015-5203.patch
new file mode 100644
index 0000000000..5bf53b36f7
--- /dev/null
+++ b/main/jasper/CVE-2015-5203.patch
@@ -0,0 +1,198 @@
+From a0ad33bedb339e4f9f35f9637a976320ec81f508 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 17 Aug 2015
+Subject: CVE-2015-5203
+
+Prevent integer conversion errors.
+
+jasper is vulnerable to integer conversion errors that can be leveraged,
+via crafted input, to trigger faults such as double free's. This patch
+addresses that by using size_t for buffer sizes.
+
+---
+ src/libjasper/base/jas_stream.c | 10 +++++-----
+ src/libjasper/include/jasper/jas_stream.h | 8 ++++----
+ src/libjasper/jpc/jpc_qmfb.c | 16 ++++++++--------
+ src/libjasper/mif/mif_cod.c | 4 ++--
+ 4 files changed, 19 insertions(+), 19 deletions(-)
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -215,7 +215,7 @@ typedef struct {
+ uchar *bufstart_;
+
+ /* The buffer size. */
+- int bufsize_;
++ size_t bufsize_;
+
+ /* The current position in the buffer. */
+ uchar *ptr_;
+@@ -267,7 +267,7 @@ typedef struct {
+ uchar *buf_;
+
+ /* The allocated size of the buffer for holding file data. */
+- int bufsize_;
++ size_t bufsize_;
+
+ /* The length of the file. */
+ int_fast32_t len_;
+@@ -291,7 +291,7 @@ typedef struct {
+ jas_stream_t *jas_stream_fopen(const char *filename, const char *mode);
+
+ /* Open a memory buffer as a stream. */
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
+
+ /* Open a file descriptor as a stream. */
+ jas_stream_t *jas_stream_fdopen(int fd, const char *mode);
+@@ -366,7 +366,7 @@ int jas_stream_printf(jas_stream_t *stre
+ int jas_stream_puts(jas_stream_t *stream, const char *s);
+
+ /* Read a line of input from a stream. */
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize);
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize);
+
+ /* Look at the next character to be read from a stream without actually
+ removing it from the stream. */
+--- a/src/libjasper/base/jas_stream.c
++++ b/src/libjasper/base/jas_stream.c
+@@ -99,7 +99,7 @@ static int jas_strtoopenmode(const char
+ static void jas_stream_destroy(jas_stream_t *stream);
+ static jas_stream_t *jas_stream_create(void);
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize);
++ size_t bufsize);
+
+ static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt);
+ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt);
+@@ -168,7 +168,7 @@ static jas_stream_t *jas_stream_create()
+ return stream;
+ }
+
+-jas_stream_t *jas_stream_memopen(char *buf, int bufsize)
++jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize)
+ {
+ jas_stream_t *stream;
+ jas_stream_memobj_t *obj;
+@@ -570,7 +570,7 @@ int jas_stream_puts(jas_stream_t *stream
+ return 0;
+ }
+
+-char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
++char *jas_stream_gets(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ int c;
+ char *bufptr;
+@@ -694,7 +694,7 @@ long jas_stream_tell(jas_stream_t *strea
+ \******************************************************************************/
+
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+- int bufsize)
++ size_t bufsize)
+ {
+ /* If this function is being called, the buffer should not have been
+ initialized yet. */
+@@ -987,7 +987,7 @@ static int mem_read(jas_stream_obj_t *ob
+ return cnt;
+ }
+
+-static int mem_resize(jas_stream_memobj_t *m, int bufsize)
++static int mem_resize(jas_stream_memobj_t *m, size_t bufsize)
+ {
+ unsigned char *buf;
+
+--- a/src/libjasper/jpc/jpc_qmfb.c
++++ b/src/libjasper/jpc/jpc_qmfb.c
+@@ -305,7 +305,7 @@ jpc_qmfb2d_t jpc_ns_qmfb2d = {
+ void jpc_qmfb_split_row(jpc_fix_t *a, int numcols, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ #if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ #else
+@@ -373,7 +373,7 @@ void jpc_qmfb_split_col(jpc_fix_t *a, in
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ #if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE];
+ #else
+@@ -441,7 +441,7 @@ void jpc_qmfb_split_colgrp(jpc_fix_t *a,
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ #if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ #else
+@@ -530,7 +530,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ int stride, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ #if !defined(HAVE_VLA)
+ jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ #else
+@@ -618,7 +618,7 @@ void jpc_qmfb_split_colres(jpc_fix_t *a,
+ void jpc_qmfb_join_row(jpc_fix_t *a, int numcols, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numcols, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);
+ #if !defined(HAVE_VLA)
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ #else
+@@ -683,7 +683,7 @@ void jpc_qmfb_join_col(jpc_fix_t *a, int
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ #if !defined(HAVE_VLA)
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE];
+ #else
+@@ -748,7 +748,7 @@ void jpc_qmfb_join_colgrp(jpc_fix_t *a,
+ int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ #if !defined(HAVE_VLA)
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ #else
+@@ -834,7 +834,7 @@ void jpc_qmfb_join_colres(jpc_fix_t *a,
+ int stride, int parity)
+ {
+
+- int bufsize = JPC_CEILDIVPOW2(numrows, 1);
++ size_t bufsize = JPC_CEILDIVPOW2(numrows, 1);
+ #if !defined(HAVE_VLA)
+ jpc_fix_t joinbuf[QMFB_JOINBUFSIZE * JPC_QMFB_COLGRPSIZE];
+ #else
+--- a/src/libjasper/mif/mif_cod.c
++++ b/src/libjasper/mif/mif_cod.c
+@@ -107,7 +107,7 @@ static int mif_hdr_put(mif_hdr_t *hdr, j
+ static int mif_hdr_addcmpt(mif_hdr_t *hdr, int cmptno, mif_cmpt_t *cmpt);
+ static mif_cmpt_t *mif_cmpt_create(void);
+ static void mif_cmpt_destroy(mif_cmpt_t *cmpt);
+-static char *mif_getline(jas_stream_t *jas_stream, char *buf, int bufsize);
++static char *mif_getline(jas_stream_t *jas_stream, char *buf, size_t bufsize);
+ static int mif_getc(jas_stream_t *in);
+ static mif_hdr_t *mif_makehdrfromimage(jas_image_t *image);
+
+@@ -658,7 +658,7 @@ static void mif_cmpt_destroy(mif_cmpt_t
+ * MIF parsing code.
+ \******************************************************************************/
+
+-static char *mif_getline(jas_stream_t *stream, char *buf, int bufsize)
++static char *mif_getline(jas_stream_t *stream, char *buf, size_t bufsize)
+ {
+ int c;
+ char *bufptr;
+
|
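Review bot: In the jpc_qmfb.c parts of the added patch, `size_t bufsize = JPC_CEILDIVPOW2(numcols, 1);` still takes its value from the signed `int numcols`/`numrows` parameters, so a negative count now converts silently to a very large unsigned size instead of being rejected; the same pattern repeats in all eight split/join functions. The bodies that compare `bufsize` with the static buffer size and allocate are outside the visible context, as are the bodies of `jas_stream_memopen`, `jas_stream_gets`, `mem_resize` and `mif_getline`, so any sign-based guard there (a `<= 0` or `< 0` test, or a comparison with the still-signed `len_` and `cnt`) presumably changes meaning and should be re-checked against the patched tree. I would add an explicit guard ahead of each conversion, for example `if (numcols < 0) { abort(); }`, or at minimum a comment such as `/* numcols must be >= 0: a negative value becomes a huge size_t */`. Because the prototypes in the installed `jas_stream.h` change from `int` to `size_t`, packages built against the old header are worth rebuilding alongside this pkgrel bump.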