Your message dated Sat, 20 Jun 2009 15:17:21 +0000
with message-id <e1mi2jl-0002a0...@ries.debian.org>
and subject line Bug#528543: fixed in jasper 1.900.1-6
has caused the Debian Bug report #528543,
regarding Security fix CVE-2007-2721 has been dropped
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
528543: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528543
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jasper
Severity: grave
Tags: security

A colleague of mine noticed that the patch for CVE-2007-2721 still
applies to the Lenny version, although it should've been fixed.

Further investigation revealed that the patch has been reverted
by a later upload. I can't tell exactly in which upload, since
snapshot.debian.net lacks the more recent uploads.

The patch was correctly applied in 1.900.1-3:

j...@omar:$ debdiff jasper_1.900.1-2.dsc jasper_1.900.1-3.dsc
diff -u jasper-1.900.1/debian/changelog jasper-1.900.1/debian/changelog
--- jasper-1.900.1/debian/changelog
+++ jasper-1.900.1/debian/changelog
@@ -1,3 +1,9 @@
+jasper (1.900.1-3) unstable; urgency=low
+
+  * Fixed segfaults on broken images (Closes: #413041)
+
+ -- Roland Stigge <sti...@antcom.de>  Tue, 10 Apr 2007 10:05:10 +0200
+
 jasper (1.900.1-2) experimental; urgency=low

   * Added jas_tmr.h to -dev package (Closes: #414705)
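
Review bot: The 1.900.1-3 entry added here does not name CVE-2007-2721 or the code it touches; it reads only "Fixed segfaults on broken images (Closes: #413041)" with urgency=low. Because this upload carries the numstepsizes bound check in jpc_cs.c, the entry should cite the CVE and the affected file, so that a later upload which drops the change can be spotted from the changelog alone.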
only in patch2:
unchanged:
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
@@ -982,7 +982,10 @@
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
-       if (compparms->numstepsizes > 0) {
+       if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+               jpc_qcx_destroycompparms(compparms);
+                return -1;
+        } else if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
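
Review bot: On the new rejection path, jpc_qcx_destroycompparms(compparms) is called before compparms->stepsizes is assigned in this block, and nothing in the hunk shows it being initialised earlier. Confirm that stepsizes is zeroed before this point or that the destroy routine tolerates an unset pointer; otherwise the error path itself acts on an uninitialised value. The bound 3 * JPC_MAXRLVLS + 1 would be easier to audit as a named constant or with a comment saying which buffer it protects, and the added "return -1;" and "} else if" lines are indented differently from their neighbours.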

However, it was later reverted, as debdiff between jasper_1.900.1-3.dsc 
and jasper_1.900.1-5.1.dsc reveals:

--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
@@ -982,10 +982,7 @@
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
+       if (compparms->numstepsizes > 0) {
-       if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
-               jpc_qcx_destroycompparms(compparms);
-                return -1;
-        } else if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
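
Review bot: With the "> 3 * JPC_MAXRLVLS + 1" branch gone, numstepsizes computed from (len - n) / 2 reaches jas_malloc guarded only by "> 0", which is the condition the CVE-2007-2721 patch was there to reject. The file headers run from jasper-1.900.1 to jasper-1.900.1.orig, so the file now matches the unpatched original; restore the bound check and carry it as a tracked patch, so that a rebuild from the .orig tree cannot drop it silently.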

I've also confirmed this with test compilations of jasper_1.900.1-3.dsc 
and jasper_1.900.1-5.1.dsc with the reproducer broken2.jp2.

You seem to have reverted other changes as well, e.g. #514296.

Cheers,
        Moritz

-- System Information:
Debian Release: 4.0
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.26-ucs8-amd64
Locale: lang=de...@euro, lc_ctype=de...@euro (charmap=ISO-8859-15)



--- End Message ---
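
The report's starting observation, that a security patch which still applies means the fix is absent, can be checked mechanically for each upload. The following is an added example, not part of the original report or of Debian's tooling: it matches a single-file hunk's pre-image and post-image against a source file. The function names and the PATCHED and REVERTED samples are constructed for illustration.

```python
import re

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@.*$", re.M)

def split_hunk(diff_text):
    """Return (pre_image, post_image) for the first hunk of a single-file unified diff."""
    parts = HUNK_HEADER.split(diff_text)
    lines = parts[1].splitlines() if len(parts) > 1 else []
    pre = [l[1:] for l in lines if l[:1] in (" ", "", "-")]   # context + removed
    post = [l[1:] for l in lines if l[:1] in (" ", "", "+")]  # context + added
    return pre, post

def _norm(lines):
    # Mail and debdiff output mangle tabs, so compare whitespace-collapsed lines.
    return [" ".join(l.split()) for l in lines if l.strip()]

def _contains(hay, needle):
    n = len(needle)
    return n > 0 and any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))

def patch_state(source_text, diff_text):
    """'applied' if the post-image is in the source, 'missing' if only the pre-image is."""
    pre, post = split_hunk(diff_text)
    src = _norm(source_text.splitlines())
    if _contains(src, _norm(post)):
        return "applied"
    return "missing" if _contains(src, _norm(pre)) else "unknown"

# jpc_cs.c hunk from the report, trimmed to the lines around the check.
HUNK = """\
@@ -982,7 +982,10 @@
         }
-       if (compparms->numstepsizes > 0) {
+       if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+               jpc_qcx_destroycompparms(compparms);
+                return -1;
+        } else if (compparms->numstepsizes > 0) {
                 compparms->stepsizes = jas_malloc(compparms->numstepsizes *
"""
# Constructed stand-ins for the file in a patched and a reverted upload (tab-indented).
PATCHED = ("\t}\n\tif (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {\n"
           "\t\tjpc_qcx_destroycompparms(compparms);\n\t\treturn -1;\n"
           "\t} else if (compparms->numstepsizes > 0) {\n"
           "\t\tcompparms->stepsizes = jas_malloc(compparms->numstepsizes *\n")
REVERTED = ("\t}\n\tif (compparms->numstepsizes > 0) {\n"
            "\t\tcompparms->stepsizes = jas_malloc(compparms->numstepsizes *\n")

if __name__ == "__main__":
    for name, src in (("patched", PATCHED), ("reverted", REVERTED)):
        print(name, "->", patch_state(src, HUNK))
```

A result of "missing" for a hunk that an earlier upload reported as "applied" is the regression described in this report; "unknown" means the surrounding code has changed and the hunk needs manual review.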
--- Begin Message ---
Source: jasper
Source-Version: 1.900.1-6

We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive:

jasper_1.900.1-6.diff.gz
  to pool/main/j/jasper/jasper_1.900.1-6.diff.gz
jasper_1.900.1-6.dsc
  to pool/main/j/jasper/jasper_1.900.1-6.dsc
libjasper-dev_1.900.1-6_i386.deb
  to pool/main/j/jasper/libjasper-dev_1.900.1-6_i386.deb
libjasper-runtime_1.900.1-6_i386.deb
  to pool/main/j/jasper/libjasper-runtime_1.900.1-6_i386.deb
libjasper1_1.900.1-6_i386.deb
  to pool/main/j/jasper/libjasper1_1.900.1-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Stigge <sti...@antcom.de> (supplier of updated jasper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 20 Jun 2009 15:21:16 +0200
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source i386
Version: 1.900.1-6
Distribution: unstable
Urgency: low
Maintainer: Roland Stigge <sti...@antcom.de>
Changed-By: Roland Stigge <sti...@antcom.de>
Description: 
 libjasper-dev - Development files for the JasPer JPEG-2000 library
 libjasper-runtime - Programs for manipulating JPEG-2000 files
 libjasper1 - The JasPer JPEG-2000 runtime library
Closes: 501021 514296 528543
Changes: 
 jasper (1.900.1-6) unstable; urgency=low
 .
   * Reverted to jasper 1.900.1-6 because 1.900.1-5.1 messed up (see #528543)
     but 1.900.1-5 wasn't available anymore. (Closes: #514296, #528543)
   * Re-applied patch from #275619 as in 1.900.1-5
   * debian/control: Standards-Version: 3.8.2
   * Applied patch by Nico Golde (Closes: #501021)
      - CVE-2008-3522[0]: Buffer overflow.
      - CVE-2008-3521[1]: unsecure temporary files handling.
      - CVE-2008-3520[2]: Multiple integer overflows.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKPPLwcaH/YBv43g8RAivQAJ4t1hBxhNnlA0jj43QGDatxlK9kIQCfVRyZ
r/KyRfQbyR8/NmjJTVODxso=
=8zLF
-----END PGP SIGNATURE-----



--- End Message ---
