Your message dated Sun, 18 Apr 2010 13:58:36 +0000
with message-id <e1o3v1a-0001jb...@ries.debian.org>
and subject line Bug#528543: fixed in jasper 1.900.1-5.1+lenny1
has caused the Debian Bug report #528543,
regarding Security fix CVE-2007-2721 has been dropped
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
528543: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528543
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jasper
Severity: grave
Tags: security

A colleague of mine noticed that the patch for CVE-2007-2721 still
applies to the Lenny version, although it should've been fixed.

Further investigation revealed that the patch has been reverted
by a later upload. I can't tell exactly in which upload, since
snapshot.debian.net lacks the more recent uploads.

The patch was correctly applied in 1.900.1-3:

j...@omar:$ debdiff jasper_1.900.1-2.dsc jasper_1.900.1-3.dsc
diff -u jasper-1.900.1/debian/changelog jasper-1.900.1/debian/changelog
--- jasper-1.900.1/debian/changelog
+++ jasper-1.900.1/debian/changelog
@@ -1,3 +1,9 @@
+jasper (1.900.1-3) unstable; urgency=low
+
+  * Fixed segfaults on broken images (Closes: #413041)
+
+ -- Roland Stigge <sti...@antcom.de>  Tue, 10 Apr 2007 10:05:10 +0200
+
 jasper (1.900.1-2) experimental; urgency=low

   * Added jas_tmr.h to -dev package (Closes: #414705)
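Review bot: the 1.900.1-3 changelog entry records the change only as "Fixed segfaults on broken images (Closes: #413041)" and never names CVE-2007-2721 or marks it as a security fix, so nothing in the package history flags the jpc_cs.c hunk as one that must survive a later re-import of upstream sources. Suggest naming the CVE in the entry (e.g. "Bound numstepsizes in jpc_qcx_getcompparms (CVE-2007-2721, Closes: #413041)") and carrying the change as a separately named patch under debian/ rather than as an inline edit to the source tree, so a dropped fix shows up as a missing file rather than a silently reverted hunk.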
only in patch2:
unchanged:
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
@@ -982,7 +982,10 @@
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
-       if (compparms->numstepsizes > 0) {
+       if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+               jpc_qcx_destroycompparms(compparms);
+                return -1;
+        } else if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
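Review bot: the new guard bounds `compparms->numstepsizes` before the allocation, but the result of `jas_malloc` on the following line is still checked only by `assert(compparms->stepsizes);`; under NDEBUG that check compiles away and a failed allocation leaves a NULL `stepsizes` to be written through, and with asserts enabled a library routine aborts the host process on a malformed input. Suggest the same failure path the new branch already uses: `if (!compparms->stepsizes) { jpc_qcx_destroycompparms(compparms); return -1; }`. Minor: the `return -1;` and `} else if` lines are indented with spaces while the rest of the block uses tabs.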

However, it was later reverted, as debdiff between jasper_1.900.1-3.dsc 
and jasper_1.900.1-5.1.dsc reveals:

--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
@@ -982,10 +982,7 @@
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
+       if (compparms->numstepsizes > 0) {
-       if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
-               jpc_qcx_destroycompparms(compparms);
-                return -1;
-        } else if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
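Review bot: this hunk drops the upper bound on `compparms->numstepsizes` and restores the unchecked `if (compparms->numstepsizes > 0)` path ahead of `jas_malloc`, which is exactly the CVE-2007-2721 state the 1.900.1-3 hunk above had removed; note the file headers put the 1.900.1-3 tree on the `---` side and the `.orig` tree on the `+++` side, so the single `+` line here is what 1.900.1-5.1 ships. The 1.900.1-3 guard should be restored verbatim, and the broken2.jp2 reproducer should be run against each upload so that a re-import of upstream sources cannot undo it again without a test failing.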

I've also confirmed this with test compilations of jasper_1.900.1-3.dsc 
and jasper_1.900.1-5.1.dsc with the reproducer broken2.jp2.

You seem to have reverted other changes as well, e.g. #514296.

Cheers,
        Moritz

-- System Information:
Debian Release: 4.0
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.26-ucs8-amd64
Locale: lang=de...@euro, lc_ctype=de...@euro (charmap=ISO-8859-15)



--- End Message ---
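The report above spotted the regression because the CVE-2007-2721 patch still applied cleanly to the later package. The following script, added here as an example and not code from the bug report or from jasper, turns that observation into a repeatable check: it parses a unified diff into per-hunk pre- and post-images and reports a fix as "applied" when every post-image is present in the file, or "missing" when every pre-image still is (the patch would apply again). The hunk text is copied from the report; the two C fragments standing in for the 1.900.1-5.1 and 1.900.1-3 states are constructed, not the real jpc_cs.c, and comparison is whitespace-insensitive because indentation differs between uploads.

```python
"""Check whether a security fix is still present in a source file.

A fix is "applied" when every hunk's post-image occurs in the file and
"missing" when every hunk's pre-image still does, i.e. the patch would
apply cleanly again, which is how the report above spotted the regression.
"""
import re
from typing import List, Tuple

# Constructed copy of the jpc_cs.c hunk quoted in the report (jasper 1.900.1-3).
FIX_HUNK = """\
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
@@ -982,7 +982,10 @@
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
-       if (compparms->numstepsizes > 0) {
+       if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+               jpc_qcx_destroycompparms(compparms);
+               return -1;
+       } else if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
"""

# Constructed stand-ins for the two package states; not the real jpc_cs.c.
UNFIXED_SRC = """\
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
        if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
        }
        return 0;
"""
FIXED_SRC = """\
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
        if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
                jpc_qcx_destroycompparms(compparms);
                return -1;
        } else if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
        }
        return 0;
"""

HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")


def _norm(line: str) -> str:
    """Whitespace-insensitive key: tab/space indentation differs between uploads."""
    return " ".join(line.split())


def parse_hunks(patch: str) -> List[Tuple[List[str], List[str]]]:
    """Return (pre_image, post_image) line lists for each hunk of a unified diff."""
    hunks: List[Tuple[List[str], List[str]]] = []
    pre: List[str] = []
    post: List[str] = []
    left_pre = left_post = 0  # lines still owed to the current hunk per its @@ header
    for raw in patch.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            left_pre, left_post = int(m.group(1) or 1), int(m.group(2) or 1)
            pre, post = [], []
            hunks.append((pre, post))
            continue
        if left_pre <= 0 and left_post <= 0:
            continue  # file headers or other text between hunks
        tag, body = raw[:1], raw[1:]
        if tag == "-":
            pre.append(_norm(body))
            left_pre -= 1
        elif tag == "+":
            post.append(_norm(body))
            left_post -= 1
        elif tag != "\\":  # context line; "\ No newline ..." carries no content
            pre.append(_norm(body))
            post.append(_norm(body))
            left_pre -= 1
            left_post -= 1
    return hunks


def contains_block(source: str, block: List[str]) -> bool:
    """True if the normalised lines of `block` appear contiguously in `source`."""
    lines = [_norm(ln) for ln in source.splitlines()]
    n = len(block)
    return any(lines[i:i + n] == block for i in range(len(lines) - n + 1))


def fix_status(patch: str, source: str) -> str:
    """'applied', 'missing' (patch would still apply: fix dropped) or 'indeterminate'."""
    hunks = parse_hunks(patch)
    if hunks and all(contains_block(source, post) for _, post in hunks):
        return "applied"
    if hunks and all(contains_block(source, pre) for pre, _ in hunks):
        return "missing"
    return "indeterminate"


if __name__ == "__main__":
    for label, src in (("1.900.1-5.1", UNFIXED_SRC), ("1.900.1-3", FIXED_SRC)):
        print(f"{label}: CVE-2007-2721 fix {fix_status(FIX_HUNK, src)}")
```

Run against real trees, replace the constructed fragments with the contents of src/libjasper/jpc/jpc_cs.c from each unpacked .dsc; a result of "missing" on a package whose changelog claims the CVE is fixed is exactly the situation reported here. The pre-image check is what `patch --dry-run` would tell you, but it works on extracted text without needing the patch tool or a writable tree.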
--- Begin Message ---
Source: jasper
Source-Version: 1.900.1-5.1+lenny1

We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive:

jasper_1.900.1-5.1+lenny1.diff.gz
  to main/j/jasper/jasper_1.900.1-5.1+lenny1.diff.gz
jasper_1.900.1-5.1+lenny1.dsc
  to main/j/jasper/jasper_1.900.1-5.1+lenny1.dsc
libjasper-dev_1.900.1-5.1+lenny1_amd64.deb
  to main/j/jasper/libjasper-dev_1.900.1-5.1+lenny1_amd64.deb
libjasper-runtime_1.900.1-5.1+lenny1_amd64.deb
  to main/j/jasper/libjasper-runtime_1.900.1-5.1+lenny1_amd64.deb
libjasper1_1.900.1-5.1+lenny1_amd64.deb
  to main/j/jasper/libjasper1_1.900.1-5.1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated jasper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 17 Apr 2010 15:13:01 +0200
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source amd64
Version: 1.900.1-5.1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Roland Stigge <sti...@antcom.de>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description: 
 libjasper-dev - Development files for the JasPer JPEG-2000 library
 libjasper-runtime - Programs for manipulating JPEG-2000 files
 libjasper1 - The JasPer JPEG-2000 runtime library
Closes: 506739 528543
Changes: 
 jasper (1.900.1-5.1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix code execution via crafted JPEG2000 images
     (CVE-2007-2721, closes: #528543). Fix was applied in 1.900.1-3
     but accidentally dropped in 1.900.1-5.1.
   * Correct regression in fix for CVE-2008-3521 (Closes: #506739).
Checksums-Sha1: 
 a8c3e95efa140a7d35c0c98ec56feb1b2c046fc1 1396 jasper_1.900.1-5.1+lenny1.dsc
 a20dc389f5962661b7ab81777c8316f8faee3a99 1143400 jasper_1.900.1.orig.tar.gz
 d26eb2a6ee219bea4cccce44d98dabd54571930c 38678 jasper_1.900.1-5.1+lenny1.diff.gz
 3fe7a6c15a916f3ebdd9205281e203fd1cbfbbf7 154896 libjasper1_1.900.1-5.1+lenny1_amd64.deb
 8a8c719a75dbc16f217ab5c49908b5df4c51a77c 562728 libjasper-dev_1.900.1-5.1+lenny1_amd64.deb
 827becfcf89ecb72d5d1c7223e346476a173164e 26194 libjasper-runtime_1.900.1-5.1+lenny1_amd64.deb
Checksums-Sha256: 
 7700d4601902ae9b9247e0059ce0e8cdb2bdf649ff61065980aa05de7cc22e6d 1396 jasper_1.900.1-5.1+lenny1.dsc
 6cf104e2811f6088ca1dc76d87dd27c55178d3ccced20db8858d28ae22911a94 1143400 jasper_1.900.1.orig.tar.gz
 200ac6d476c48407f57cbf19aa0aeb70330f8b167c856cb4fdbf42ac9689de9b 38678 jasper_1.900.1-5.1+lenny1.diff.gz
 89993439d5d439fef97df59a0fc30740771b074686c80c33ddbcccd1578cf79c 154896 libjasper1_1.900.1-5.1+lenny1_amd64.deb
 b84e413e064b763fc410bc500687c2050311a87c41043bbfbe03f6fb1a3321d6 562728 libjasper-dev_1.900.1-5.1+lenny1_amd64.deb
 c91a2ffaca9477e07f789895e6d47f1b7eb3c4aaf78407a3f5604a4a8d1b304d 26194 libjasper-runtime_1.900.1-5.1+lenny1_amd64.deb
Files: 
 f6ad7206fc3fd1897dcf43da8841305c 1396 graphics optional jasper_1.900.1-5.1+lenny1.dsc
 4ae3dd938fd15f22f30577db5c9f27e9 1143400 graphics optional jasper_1.900.1.orig.tar.gz
 e9adb496921f3436fbe44fa5e1090b47 38678 graphics optional jasper_1.900.1-5.1+lenny1.diff.gz
 e919bc45ce2adcebd3485634ade788e7 154896 libs optional libjasper1_1.900.1-5.1+lenny1_amd64.deb
 8062308efa68f1a617b3a46af852d98c 562728 libdevel optional libjasper-dev_1.900.1-5.1+lenny1_amd64.deb
 20b30a3127443bb0ecbbb7d44140a6a0 26194 graphics optional libjasper-runtime_1.900.1-5.1+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJLybz8AAoJECIIoQCMVaAcbWUH/3nCBAsJ9bSP/VHX2R885rQ9
Pj+2fcbsUtnKyKU3V/FYPpsjwGganaMLGzNWZ+sLFYhRsY9IcEikaG4zTNoE6ndu
E8MHdCvI5jASE2lhldJM4Y++axfZSdGWTV1WrJojFhcnx1nGccWBoHWi0FcZRiBl
cei1UCq3Xmt8OlCd2UNwJTm9sBC456GObcGArkmQbHfiSoF4yzr956tIPj/BRNPa
JwLEBULaQnx6Siu22UuLOGgbjlsXY3ZuHrfxvM6C+Yj6KxfUUGju4HXoeDvVaELV
LKlSWFDg2fXZx0pdz7yUzaIHJZcYKYPgb34VXVGOjluWUgSHvuZPJ1MxKzMFFwg=
=0Fsr
-----END PGP SIGNATURE-----



--- End Message ---
