CVE-2014-8137, CVE-2014-8138 (#1175761)

Jiri Popelka 2014-12-18 18:13:25 +01:00
parent 85a20e3e60
commit 206ab97ad5
3 changed files with 96 additions and 17 deletions


@ -0,0 +1,57 @@
--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100
@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
return 0;
error:
- jas_icccurv_destroy(attrval);
return -1;
}
@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
#endif
return 0;
error:
- jas_icctxtdesc_destroy(attrval);
return -1;
}
@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
goto error;
return 0;
error:
- if (txt->string)
- jas_free(txt->string);
return -1;
}
@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
goto error;
return 0;
error:
- jas_icclut8_destroy(attrval);
return -1;
}
@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
goto error;
return 0;
error:
- jas_icclut16_destroy(attrval);
return -1;
}
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100
@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
case JP2_COLR_ICC:
iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
dec->colr->data.colr.iccplen);
- assert(iccprof);
+ if (!iccprof) {
+ jas_eprintf("error: failed to parse ICC profile\n");
+ goto error;
+ }
jas_iccprof_gethdr(iccprof, &icchdr);
jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
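Review bot: The five `error:` labels in jas_icc.c now return -1 without releasing attrval, which is correct only because the caller (jas_iccattrval_destroy, per the changelog entry) owns the cleanup, but nothing at the labels says so and the next maintainer may reintroduce the free; add `/* attrval is released by the caller's jas_iccattrval_destroy(); freeing it here caused a double free (CVE-2014-8137) */` at each of the five labels (jas_icccurv_input, jas_icctxtdesc_input, jas_icctxt_input, jas_icclut8_input, jas_icclut16_input). In jas_icctxt_input the dropped `jas_free(txt->string)` means the caller's destroy routine is now responsible for txt->string as well, so it is worth confirming that txt->string is initialised to NULL before the first read that can `goto error`; that initialisation is outside the hunk. In jp2_decode the new `if (!iccprof) { ... goto error; }` is the right shape for a parse failure on untrusted data, but the `error:` label and whatever it does with iccprof are outside the hunk and should be checked to tolerate a NULL iccprof. All enclosing functions start and end outside these hunks.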


@ -0,0 +1,14 @@
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100
@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
/* Determine the type of each component. */
if (dec->cdef) {
for (i = 0; i < dec->numchans; ++i) {
+ /* Is the channel number reasonable? */
+ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
+ jas_eprintf("error: invalid channel number in CDEF box\n");
+ goto error;
+ }
jas_image_setcmpttype(dec->image,
dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
jp2_getct(jas_image_clrspc(dec->image),
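Review bot: The new check bounds channo against dec->numchans, but the loop still indexes `dec->cdef->data.cdef.ents[i]` for every i below dec->numchans, so unless the CDEF box's own entry count is validated against dec->numchans somewhere outside this hunk, a box carrying fewer entries would still be read past its end; worth confirming where that count is checked. The check also assumes chantocmptlut has at least dec->numchans entries — presumably it is sized from numchans, but that allocation is not in the hunk. The added comment `/* Is the channel number reasonable? */` could state the invariant it enforces, e.g. `/* channo indexes chantocmptlut (numchans entries); reject out-of-range values from the untrusted CDEF box */`. jp2_decode starts and ends outside the hunk.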


@ -7,7 +7,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1
Name: jasper
Group: System Environment/Libraries
Version: 1.900.1
Release: 25%{?dist}
Release: 26%{?dist}
License: JasPer
URL: http://www.ece.uvic.ca/~frodo/jasper/
@ -33,15 +33,17 @@ Patch7: jasper-pkgconfig.patch
Patch8: jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
Patch9: jasper-CVE-2014-9029.patch
Patch10: jasper-CVE-2014-8137.patch
Patch11: jasper-CVE-2014-8138.patch
# Issues found by static analysis of code
Patch10: jasper-1.900.1-Coverity-BAD_SIZEOF.patch
Patch11: jasper-1.900.1-Coverity-CHECKED_RETURN.patch
Patch12: jasper-1.900.1-Coverity-FORWARD_NULL.patch
Patch13: jasper-1.900.1-Coverity-NULL_RETURNS.patch
Patch14: jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
Patch15: jasper-1.900.1-Coverity-UNREACHABLE.patch
Patch16: jasper-1.900.1-Coverity-UNUSED_VALUE.patch
Patch110: jasper-1.900.1-Coverity-BAD_SIZEOF.patch
Patch111: jasper-1.900.1-Coverity-CHECKED_RETURN.patch
Patch112: jasper-1.900.1-Coverity-FORWARD_NULL.patch
Patch113: jasper-1.900.1-Coverity-NULL_RETURNS.patch
Patch114: jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
Patch115: jasper-1.900.1-Coverity-UNREACHABLE.patch
Patch116: jasper-1.900.1-Coverity-UNUSED_VALUE.patch
# autoreconf
BuildRequires: autoconf automake libtool
@ -96,14 +98,16 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%patch7 -p1 -b .pkgconfig
%patch8 -p1 -b .CVE-2011-4516-4517
%patch9 -p1 -b .CVE-2014-9029
%patch10 -p1 -b .CVE-2014-8137-variant2
%patch11 -p1 -b .CVE-2014-8138
%patch10 -p1 -b .BAD_SIZEOF
%patch11 -p1 -b .CHECKED_RETURN
%patch12 -p1 -b .FORWARD_NULL
%patch13 -p1 -b .NULL_RETURNS
%patch14 -p1 -b .RESOURCE_LEAK
%patch15 -p1 -b .UNREACHABLE
%patch16 -p1 -b .UNUSED_VALUE
%patch110 -p1 -b .BAD_SIZEOF
%patch111 -p1 -b .CHECKED_RETURN
%patch112 -p1 -b .FORWARD_NULL
%patch113 -p1 -b .NULL_RETURNS
%patch114 -p1 -b .RESOURCE_LEAK
%patch115 -p1 -b .UNREACHABLE
%patch116 -p1 -b .UNUSED_VALUE
autoreconf --verbose --force --install
@ -173,6 +177,10 @@ make check
%changelog
* Thu Dec 18 2014 Jiri Popelka <jpopelka@redhat.com> - 1.900.1-26
- CVE-2014-8137 - double-free in jas_iccattrval_destroy() (oCERT-2014-012) (#1175761)
- CVE-2014-8138 - heap overflow in jp2_decode() (oCERT-2014-012) (#1175761)
* Thu Dec 04 2014 Jiri Popelka <jpopelka@redhat.com> - 1.900.1-25
- CVE-2014-9029 - incorrect component number check in COC, RGN and QCC
marker segment decoders (#1170650)
@ -213,7 +221,7 @@ make check
* Thu Oct 29 2009 Rex Dieter <rdieter@fedoraproject.org> - 1.900.1-14
- add pkgconfig support
* Mon Oct 13 2009 Rex Dieter <rdieter@fedoraproject.org> - 1.900.1-13
* Tue Oct 13 2009 Rex Dieter <rdieter@fedoraproject.org> - 1.900.1-13
- CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls (#461476)
- CVE-2008-3522 jasper: possible buffer overflow in
jas_stream_printf() (#461478)
@ -296,7 +304,7 @@ make check
- use %%{?dist}
- BR: libGL-devel
* Fri Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
* Thu Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
- rebuilt
* Sat Oct 23 2004 Rex Dieter <rexdieter at sf.net> 0:1.701.0-0.fdr.3
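Review bot: The Coverity patches are renumbered from Patch10–16 to Patch110–116 to make room for the two CVE patches, and two changelog dates are corrected (`Mon Oct 13 2009` → `Tue Oct 13 2009`, `Fri Apr 7 2005` → `Thu Apr 7 2005`), yet neither change is mentioned in the 1.900.1-26 changelog entry; add a line such as `- renumber Coverity patches, fix weekdays in old changelog entries`. The backup suffix in `%patch10 -p1 -b .CVE-2014-8137-variant2` suggests a second variant of the upstream fix was taken, so a comment above `Patch10:` naming where that variant came from would help later traceability of the security fix.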