Package: jasper
Severity: grave
Tags: security

A colleague of mine noticed that the patch for CVE-2007-2721 still applies to the Lenny version, although it should've been fixed.
Further investigation revealed that the patch has been reverted by a later upload. I can't tell exactly in which upload, since snapshot.debian.net lacks the more recent uploads. The patch was correctly applied in 1.900.1-3:

j...@omar:$ debdiff jasper_1.900.1-2.dsc jasper_1.900.1-3.dsc diff -u jasper-1.900.1/debian/changelog jasper-1.900.1/debian/changelog --- jasper-1.900.1/debian/changelog +++ jasper-1.900.1/debian/changelog @@ -1,3 +1,9 @@ +jasper (1.900.1-3) unstable; urgency=low + + * Fixed segfaults on broken images (Closes: #413041) + + -- Roland Stigge <sti...@antcom.de> Tue, 10 Apr 2007 10:05:10 +0200 + jasper (1.900.1-2) experimental; urgency=low * Added jas_tmr.h to -dev package (Closes: #414705) only in patch2: unchanged: --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c +++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c @@ -982,7 +982,10 @@ compparms->numstepsizes = (len - n) / 2; break; } - if (compparms->numstepsizes > 0) { + if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) { + jpc_qcx_destroycompparms(compparms); + return -1; + } else if (compparms->numstepsizes > 0) { compparms->stepsizes = jas_malloc(compparms->numstepsizes * sizeof(uint_fast16_t)); assert(compparms->stepsizes);

However, it was later reverted, as debdiff between jasper_1.900.1-3.dsc and jasper_1.900.1-5.1.dsc reveals:

--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c +++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
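Review bot: in the 1.900.1-2 to 1.900.1-3 jpc_cs.c hunk above, the new `> 3 * JPC_MAXRLVLS + 1` branch frees compparms and returns -1, but the `assert(compparms->stepsizes);` after the jas_malloc is left in place, so an allocation failure for an in-range count still aborts the process instead of taking the same error path; suggest replacing the assert with the same `jpc_qcx_destroycompparms(compparms); return -1;` handling. The bound also needs a comment saying it is the only thing stopping a `(len - n) / 2` that has wrapped when len is smaller than n (if those are unsigned), since the `> 0` test that used to be the only check passes such a count.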
@@ -982,10 +982,7 @@ compparms->numstepsizes = (len - n) / 2; break; } + if (compparms->numstepsizes > 0) { - if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) { - jpc_qcx_destroycompparms(compparms); - return -1; - } else if (compparms->numstepsizes > 0) { compparms->stepsizes = jas_malloc(compparms->numstepsizes * sizeof(uint_fast16_t)); assert(compparms->stepsizes);

I've also confirmed this with test compilations of jasper_1.900.1-3.dsc and jasper_1.900.1-5.1.dsc with the reproducer broken2.jp2. You seem to have reverted other changes as well, e.g. #514296.

Cheers,
Moritz

-- System Information:
Debian Release: 4.0
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.26-ucs8-amd64
Locale: lang=de...@euro, lc_ctype=de...@euro (charmap=ISO-8859-15)
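Review bot: the 1.900.1-3 to 1.900.1-5.1 jpc_cs.c hunk above removes the `numstepsizes > 3 * JPC_MAXRLVLS + 1` rejection and restores the bare `if (compparms->numstepsizes > 0)` in front of the `jas_malloc(compparms->numstepsizes * sizeof(uint_fast16_t))`, so the allocation is again sized from an unchecked count taken from the codestream and the CVE-2007-2721 fix is gone from the 1.900.1-5.1 source; nothing in the changelog shown records or justifies this revert. The 1.900.1-3 version of the block should be restored, and the upload that dropped it should be identified so the same revert is not repeated for #514296.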
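The check that the two debdiffs add and then drop, as an added C example written for this page (it is not JasPer's code and not from the reporter). Only the count computation `(len - n) / 2` and the bound `3 * JPC_MAXRLVLS + 1` are taken from the hunks; the value of JPC_MAXRLVLS, the function names, the big-endian table layout and the extra comparison against the bytes actually present are assumptions for illustration. The point it demonstrates beyond the hunk: with unsigned operands a length field smaller than the fixed header wraps the count to a huge value, which the old `> 0` test accepts and only the upper bound rejects.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed value of JasPer's JPC_MAXRLVLS (only the name is visible in the
 * debdiff); the bound below is the one the 1.900.1-3 check uses. */
#define JPC_MAXRLVLS 33
#define MAX_STEPSIZES (3u * JPC_MAXRLVLS + 1u)

struct compparms {
    unsigned numstepsizes;
    uint_fast16_t *stepsizes;
};

/* Count of step sizes the segment claims, computed as the hunk's
 * "(len - n) / 2": len is the segment's declared length, n the bytes the
 * fixed part of the segment consumed. Both are unsigned here, so a length
 * field smaller than n wraps to a huge count. */
unsigned claimed_stepsizes(unsigned len, unsigned n)
{
    return (len - n) / 2;
}

/* The bound that 1.900.1-3 added and 1.900.1-5.1 dropped. Without it the
 * only remaining test is "numstepsizes > 0", which a wrapped or oversized
 * count passes, and the following allocation is sized from that count. */
int stepsizes_within_bound(unsigned count)
{
    return count <= MAX_STEPSIZES;
}

/* Guarded reader for the step-size table. buf/avail describe the bytes
 * actually present after the fixed header; len/n are the declared values.
 * Returns 0 on success (cp->stepsizes allocated, or NULL for a zero count)
 * and -1 on reject. The avail comparison is an addition of this example:
 * the hunk bounds the count but does not show the reads that follow. */
int read_stepsizes(const uint8_t *buf, size_t avail, unsigned len, unsigned n,
                   struct compparms *cp)
{
    cp->stepsizes = NULL;
    cp->numstepsizes = claimed_stepsizes(len, n);
    if (!stepsizes_within_bound(cp->numstepsizes))
        return -1;                      /* 1.900.1-3 path: reject before allocating */
    if ((size_t)cp->numstepsizes * 2 > avail)
        return -1;                      /* declared table longer than the data present */
    if (cp->numstepsizes == 0)
        return 0;
    cp->stepsizes = malloc(cp->numstepsizes * sizeof(uint_fast16_t));
    if (!cp->stepsizes)
        return -1;                      /* the hunk still assert()s at this point */
    for (unsigned i = 0; i < cp->numstepsizes; i++)  /* assumed big-endian 16-bit entries */
        cp->stepsizes[i] = (uint_fast16_t)((buf[2 * i] << 8) | buf[2 * i + 1]);
    return 0;
}

void free_stepsizes(struct compparms *cp)
{
    free(cp->stepsizes);
    cp->stepsizes = NULL;
    cp->numstepsizes = 0;
}

/* Constructed sample: four 16-bit step sizes following an assumed fixed
 * header of n = 3 bytes, so the well-formed declared length is 3 + 8 = 11. */
static const uint8_t sample_body[8] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0 };

int main(void)
{
    struct compparms cp;
    if (read_stepsizes(sample_body, sizeof sample_body, 11, 3, &cp) == 0) {
        printf("well-formed: %u step sizes, first 0x%x\n",
               cp.numstepsizes, (unsigned)cp.stepsizes[0]);
        free_stepsizes(&cp);
    }
    /* Length field smaller than the fixed header: the count wraps, passes
     * "> 0", and is stopped only by the upper bound. */
    printf("len=2, n=3 claims %u step sizes; guarded reader returns %d\n",
           claimed_stepsizes(2, 3),
           read_stepsizes(sample_body, sizeof sample_body, 2, 3, &cp));
    return 0;
}
```

Run against broken2.jp2-style input the interesting cases are the two rejections: a wrapped count from a short length field, and a count that is in range but larger than the bytes the segment actually carries, which the bound alone does not catch.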