Package: jasper
Severity: grave
Tags: security

A colleague of mine noticed that the patch for CVE-2007-2721 still
applies to the Lenny version, although it should've been fixed.

Further investigation revealed that the patch has been reverted
by a later upload. I can't tell exactly in which upload, since
snapshot.debian.net lacks the more recent uploads.

The patch was correctly applied in 1.900.1-3:

j...@omar:$ debdiff jasper_1.900.1-2.dsc jasper_1.900.1-3.dsc
diff -u jasper-1.900.1/debian/changelog jasper-1.900.1/debian/changelog
--- jasper-1.900.1/debian/changelog
+++ jasper-1.900.1/debian/changelog
@@ -1,3 +1,9 @@
+jasper (1.900.1-3) unstable; urgency=low
+
+  * Fixed segfaults on broken images (Closes: #413041)
+
+ -- Roland Stigge <sti...@antcom.de>  Tue, 10 Apr 2007 10:05:10 +0200
+
 jasper (1.900.1-2) experimental; urgency=low

   * Added jas_tmr.h to -dev package (Closes: #414705)
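
Review bot: the new changelog entry closes #413041 but never names CVE-2007-2721, so nothing in the package metadata ties the jpc_cs.c change to the security issue, and a later uploader merging from another branch gets no signal that the hunk below must be preserved. Suggest naming the CVE in the entry, e.g. `* Fixed segfaults on broken images (CVE-2007-2721, Closes: #413041)`, so the fix is traceable in later debdiffs.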
only in patch2:
unchanged:
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
@@ -982,7 +982,10 @@
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
-       if (compparms->numstepsizes > 0) {
+       if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+               jpc_qcx_destroycompparms(compparms);
+                return -1;
+        } else if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
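
Review bot: the new bound check correctly rejects an oversized `numstepsizes` before `jas_malloc` is called, but the surviving `assert(compparms->stepsizes);` still turns an allocation failure into an abort inside a library that parses untrusted input; suggest handling that path the same way as the new branch, i.e. `jpc_qcx_destroycompparms(compparms); return -1;`. Also, the added lines `return -1;` and `} else if (...)` are space-indented while the surrounding code uses tabs; worth normalising so the hunk does not look like a stray edit in later diffs.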

However, it was later reverted, as debdiff between jasper_1.900.1-3.dsc 
and jasper_1.900.1-5.1.dsc reveals:

--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
@@ -982,10 +982,7 @@
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
+       if (compparms->numstepsizes > 0) {
-       if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
-               jpc_qcx_destroycompparms(compparms);
-                return -1;
-        } else if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
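
Review bot: this hunk removes the `numstepsizes > 3 * JPC_MAXRLVLS + 1` guard and the `jpc_qcx_destroycompparms` error path, restoring the unconditional `if (compparms->numstepsizes > 0)` allocation, so the count derived from the marker segment length is once again used without an upper bound; this is the 1.900.1-3 fix for CVE-2007-2721 being undone rather than a deliberate change. The guard should be re-applied as it appears in 1.900.1-3. Note when reading the signs that the debdiff was taken with 1.900.1-3 on the `---` side and `.orig` on the `+++` side.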

I've also confirmed this with test compilations of jasper_1.900.1-3.dsc 
and jasper_1.900.1-5.1.dsc with the reproducer broken2.jp2.

You seem to have reverted other changes as well, e.g. #514296.

Cheers,
        Moritz

-- System Information:
Debian Release: 4.0
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.26-ucs8-amd64
Locale: lang=de...@euro, lc_ctype=de...@euro (charmap=ISO-8859-15)
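
To make the regression concrete, the following is an added example in C, not JasPer's code and not part of the bug report, that models the two shapes of the allocation site in jpc_cs.c shown in the debdiffs above: the reverted form, which hands any positive step-size count to the allocator, and the 1.900.1-3 form, which rejects a count above `3 * JPC_MAXRLVLS + 1` before allocating. The value 33 for `JPC_MAXRLVLS`, the one-byte header consumed before the step-size table, and all function names other than the macro are assumptions made for this example; the segment lengths fed to the parsers are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for JasPer's JPC_MAXRLVLS (defined in jpc_cs.h); the value used
 * here is an assumption for this example, not taken from the bug report. */
#define JPC_MAXRLVLS 33
/* Largest step-size count the 1.900.1-3 fix accepts. */
#define MAX_STEPSIZES (3 * JPC_MAXRLVLS + 1)

/* In this model one byte of the marker segment precedes the step-size
 * table; it stands in for the 'n' bytes the real parser has consumed. */
#define QCX_CONSUMED_BYTES 1u

/* Reduced model of the per-component quantization parameters. */
typedef struct {
    int numstepsizes;
    uint_fast16_t *stepsizes;
} compparms_t;

static void destroycompparms(compparms_t *cp)
{
    free(cp->stepsizes);
    cp->stepsizes = NULL;
    cp->numstepsizes = 0;
}

/* The count is derived from the segment length field exactly as in the
 * hunk, (len - n) / 2; 'len' comes straight from the file and is untrusted. */
static int stepsizes_from_len(unsigned len)
{
    if (len < QCX_CONSUMED_BYTES)
        return -1;
    return (int)((len - QCX_CONSUMED_BYTES) / 2);
}

/* Shape after the revert (1.900.1-5.1): any positive count reaches malloc
 * with no upper bound; the real code asserts on allocation failure. */
int getcompparms_reverted(unsigned len, compparms_t *cp)
{
    int count = stepsizes_from_len(len);
    cp->stepsizes = NULL;
    if (count < 0)
        return -1;
    cp->numstepsizes = count;
    if (cp->numstepsizes > 0) {
        cp->stepsizes = malloc((size_t)cp->numstepsizes * sizeof(uint_fast16_t));
        if (!cp->stepsizes)
            return -1;
    }
    return 0;
}

/* Shape in 1.900.1-3: reject an out-of-range count before allocating and
 * release the partially built structure on every error path. */
int getcompparms_fixed(unsigned len, compparms_t *cp)
{
    int count = stepsizes_from_len(len);
    cp->stepsizes = NULL;
    if (count < 0)
        return -1;
    cp->numstepsizes = count;
    if (cp->numstepsizes > MAX_STEPSIZES) {
        destroycompparms(cp);
        return -1;
    } else if (cp->numstepsizes > 0) {
        cp->stepsizes = malloc((size_t)cp->numstepsizes * sizeof(uint_fast16_t));
        if (!cp->stepsizes) {
            destroycompparms(cp);
            return -1;
        }
    }
    return 0;
}

/* Regression-check helpers: run one parser shape on a constructed length
 * and report either the return code or the count it accepted. */
int parse_status(int (*parse)(unsigned, compparms_t *), unsigned len)
{
    compparms_t cp = { 0, NULL };
    int rc = parse(len, &cp);
    destroycompparms(&cp);
    return rc;
}

int parse_count(int (*parse)(unsigned, compparms_t *), unsigned len)
{
    compparms_t cp = { 0, NULL };
    (void)parse(len, &cp);
    int n = cp.numstepsizes;
    destroycompparms(&cp);
    return n;
}

/* Constructed segment lengths: the largest valid table, and one entry past it. */
#define LEN_MAX_VALID    (QCX_CONSUMED_BYTES + 2u * MAX_STEPSIZES)
#define LEN_ONE_TOO_MANY (QCX_CONSUMED_BYTES + 2u * (MAX_STEPSIZES + 1))

int main(void)
{
    int ok = 1;
    ok &= parse_status(getcompparms_fixed, LEN_MAX_VALID) == 0;
    ok &= parse_status(getcompparms_fixed, LEN_ONE_TOO_MANY) == -1;
    /* The reverted shape accepts the oversized table: this is the regression. */
    ok &= parse_status(getcompparms_reverted, LEN_ONE_TOO_MANY) == 0;
    return ok ? 0 : 1;
}
```

Running the two shapes on the same pair of lengths is the kind of check a package maintainer can keep as a unit test next to the patch, so that a later upload which silently drops the guard fails the build instead of shipping.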