Debian Bug report logs - #413041
jasper: Heap corruption on malformed image input.

Package: libjasper-1.701-1; Maintainer for libjasper-1.701-1 is (unknown);

Reported by: Sami Liedes <sliedes@cc.hut.fi>

Date: Thu, 1 Mar 2007 03:42:01 UTC

Severity: grave

Tags: etch, patch, sarge, security

Fixed in version jasper/1.900.1-3

Done: Roland Stigge <stigge@antcom.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sami Liedes <sliedes@cc.hut.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 05:37:39 +0200
[Message part 1 (text/plain, inline)]
Package: imagemagick
Version: 7:6.2.4.5.dfsg1-0.14
Severity: normal

[Cc: to security team, as this almost certainly concerns them]

The attached files all crash imagemagick (eg. XXXtojpg $filename) on
amd64, some with SEGV, some with glibc detected heap corruption. I
consider it quite likely that some of these are exploitable, but as
I'm not sure, only filing as Severity: normal as to not annoy you :)

	Sami


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=C, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)

Versions of packages imagemagick depends on:
ii  libbz2-1.0          1.0.3-6              high-quality block-sorting file co
ii  libc6               2.3.6.ds1-13         GNU C Library: Shared libraries
ii  libfreetype6        2.2.1-5              FreeType 2 font engine, shared lib
ii  libice6             1:1.0.1-2            X11 Inter-Client Exchange library
ii  libjasper-1.701-1   1.701.0-2            The JasPer JPEG-2000 runtime libra
ii  libjpeg62           6b-13                The Independent JPEG Group's JPEG 
ii  liblcms1            1.15-1               Color management library
ii  libmagick9          7:6.2.4.5.dfsg1-0.14 Image manipulation library
ii  libpng12-0          1.2.15~beta5-1       PNG library - runtime
ii  libsm6              1:1.0.1-3            X11 Session Management library
ii  libtiff4            3.8.2-7              Tag Image File Format (TIFF) libra
ii  libx11-6            2:1.0.3-5            X11 client-side library
ii  libxext6            1:1.0.1-2            X11 miscellaneous extension librar
ii  libxml2             2.6.27.dfsg-1        GNOME XML library
ii  libxt6              1:1.0.2-2            X11 toolkit intrinsics library
ii  zlib1g              1:1.2.3-13           compression library - runtime

imagemagick recommends no packages.

-- no debconf information
[broken.cin (application/octet-stream, attachment)]
[broken.cur (application/octet-stream, attachment)]
[broken.dcx (application/octet-stream, attachment)]
[broken.jp2 (application/octet-stream, attachment)]
[broken.jpc (application/octet-stream, attachment)]
[broken.mng (video/x-mng, attachment)]
[broken.pcx (image/pcx, attachment)]
[broken.pict (application/octet-stream, attachment)]
[broken.sgi (application/octet-stream, attachment)]
[broken.sun (text/plain, attachment)]
[broken.xwd (image/x-xwindowdump, attachment)]
[broken2.bmp (image/x-ms-bmp, attachment)]
[broken2.jp2 (application/octet-stream, attachment)]
[broken2.ppm (image/x-portable-pixmap, attachment)]
[broken3.jp2 (application/octet-stream, attachment)]
[broken4.jp2 (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #10 received at 412945@bugs.debian.org (full text, mbox):

From: Sami Liedes <sliedes@cc.hut.fi>
To: 412945@bugs.debian.org, team@security.debian.org
Subject: Re: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 08:27:30 +0200
[Message part 1 (text/plain, inline)]
On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> The attached files all crash imagemagick (eg. XXXtojpg $filename) on

Whoops, sorry. The command that crashes is "convert broken.$format
out.jpg".

	Sami

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #15 received at 412945@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Sami Liedes <sliedes@cc.hut.fi>, 412945@bugs.debian.org
Subject: Re: Bug#412945: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 21:01:48 +0100
clone 412945 -1
reassign -1 graphicsmagick
retitle -1 graphicsmagick: Segfault in BMP coder.
severity -1 important
clone 412945 -2
reassign -2 graphicsmagick
retitle -2 [AMD64][IA64] graphicsmagick: Segfault in ICON coder.
severity -2 important
clone 412945 -3
reassign -3 graphicsmagick
retitle -3 graphicsmagick: Multiple segfaults in JP2 coder.
severity -3 important
clone 412945 -4
reassign -4 graphicsmagick
retitle -4 graphicsmagick: Multiple segfaults in PCX coder.
severity -4 important
clone 412945 -5
reassign -5 graphicsmagick
retitle -5 graphicsmagick: Segfault in PNG coder.
severity -5 important
clone 412945 -6
reassign -6 graphicsmagick
retitle -6 graphicsmagick: Segfault in PICT coder.
severity -6 important
clone 412945 -7
reassign -7 graphicsmagick
retitle -7 graphicsmagick: Segfault in PNM coder.
severity -7 important
clone 412945 -8
reassign -8 graphicsmagick
retitle -8 graphicsmagick: Segfault during conversion from CINEON coder.
severity -8 important
clone 412945 -9
reassign -9 graphicsmagick
retitle -9 graphicsmagick: Segfault during conversion from SUN coder.
severity -9 important
clone 412945 -10
reassign -10 graphicsmagick
retitle -10 graphicsmagick: Segfault during conversion from XWD coder.
severity -10 important
clone 412945 -11
reassign -11 graphicsmagick
retitle -11 graphicsmagick: Heap corruption in JP2 coder.
severity -11 important
On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> The attached files all crash imagemagick (eg. XXXtojpg $filename) on
> amd64, some with SEGV, some with glibc detected heap corruption. I
> consider it quite likely that some of these are exploitable, but as
> I'm not sure, only filing as Severity: normal as to not annoy you :)

Thanks. I've done a quick screening to investigate which of those affect
graphicsmagick, and have cloned individual bugs as I'm probably unable
to deal with all of them in one go. Bug severity might change once I've
had a closer look at the individual issues. Here's the detailed list for
current graphicsmagick:

Broken import
=============

The following coders show problems on "gm identify".

bmp:
        broken2.bmp ... Segmentation fault
icon (amd64 and ia64, i386 okay):
        broken.cur ... Segmentation fault
jp2:
        broken.jpc ... Segmentation fault
        broken2.jp2 ... Segmentation fault
        broken4.jp2 ... cannot get marker segment
        *** glibc detected *** double free or corruption (!prev): 0x0809d1b8 ***
        (hangs afterwards)
pcx:
        broken.dcx ... Segmentation fault
        broken.pcx ... Segmentation fault
png:
        broken.mng ... Segmentation fault
pict/jpeg:
        broken.pict ... Segmentation fault
pnm:
        broken2.ppm ... Segmentation fault

Broken conversion
=================

The following coders show no problems on "gm identify", but break with
"gm convert" to jpg and gif.

cineon: 
        broken.cin ... Segmentation fault
sun:
        broken.sun ... Segmentation fault
xwd:
        broken.xwd ... Segmentation fault

Not affected
============

The following testcases did not show any problems with either
"gm identify" or "gm convert" on i386, amd64, and ia64.

jp2 (but affected by other testcases):
        broken.jp2 ... error: no code stream found
        gm identify: Unable to decode image file (broken.jp2).
        broken3.jp2 ... error: no code stream found
        gm identify: Unable to decode image file (broken3.jp2).
sgi:
        broken.sgi ... gm identify: Improper image header (broken.sgi).

I'll look into each of these in more detail and use the separate bugs
for tracking.

Regards,

Daniel.




Bug 412945 cloned as bug 413031. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413032. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413033. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413034. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413035. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413036. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413037. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413038. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413039. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413040. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413041. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `imagemagick' to `graphicsmagick'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `important' from `normal' Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413041; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #48 received at 413041@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: 413033@bugs.debian.org, 413041@bugs.debian.org, 413033-submitter@bugs.debian.org
Cc: Roland Stigge <stigge@antcom.de>
Subject: Re: Bug#413033: graphicsmagick: Multiple segfaults in JP2 coder.
Date: Mon, 5 Mar 2007 22:59:47 +0100
reassign 413033 libjasper-1.701-1
reassign 413041 libjasper-1.701-1
retitle 413033 jasper: Segfault on malformed image input.
retitle 413041 jasper: Heap corruption on malformed image input.
severity 413041 grave
tag 413041 + security
thanks

Hm, so it helps to remember a) to Bcc to control@bugs, and b) that I
already cloned separate bugs for the segfault and the heap corruption
problems, respectively. So for reference, #413033 is concerned with
testcase "broken.jpc", #413041 is about "broken2.jp2", and
"broken4.jp2". The latter probably has security implications, as
detailed in an earlier message to #413033.

Thanks,

Daniel.




Bug reassigned from package `graphicsmagick' to `libjasper-1.701-1'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `grave' from `important' Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: security Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413041; Package libjasper-1.701-1. Full text and rfc822 format available.

Acknowledgement sent to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #61 received at 413041@bugs.debian.org (full text, mbox):

From: Roland Stigge <stigge@antcom.de>
To: 413041@bugs.debian.org
Subject: jasper: heap corruption and segv's
Date: Sun, 11 Mar 2007 18:15:38 +0100
Hi,

I can reproduce the problem with i386, too. Working on it.

Thanks,

bye,
  Roland



Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#413041; Package libjasper-1.701-1. Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. Full text and rfc822 format available.

Message #66 received at 413041@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Roland Stigge <stigge@antcom.de>, 413041@bugs.debian.org
Subject: Re: Bug#413041: jasper: heap corruption and segv's
Date: Mon, 26 Mar 2007 19:29:55 +0200
On Sun, Mar 11, 2007 at 06:15:38PM +0100, Roland Stigge wrote:
> Hi,
> 
> I can reproduce the problem with i386, too. Working on it.

Has there been any progress on this?


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413041; Package libjasper-1.701-1. Full text and rfc822 format available.

Acknowledgement sent to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #71 received at 413041@bugs.debian.org (full text, mbox):

From: Roland Stigge <stigge@antcom.de>
To: Kurt Roeckx <kurt@roeckx.be>, 413041@bugs.debian.org, control@buga.debian.org
Subject: Re: Bug#413041: jasper: heap corruption and segv's
Date: Tue, 27 Mar 2007 09:38:19 +0200
tag 413041 help
thanks

Kurt Roeckx wrote:
>> I can reproduce the problem with i386, too. Working on it.
> 
> Has there been any progress on this?

Unfortunately, no. :( Too many things to do and too little time...



Tags added: help Request was from Roland Stigge <stigge@antcom.de> to control@bugs.debian.org. (Tue, 27 Mar 2007 08:18:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#413041; Package libjasper-1.701-1. Full text and rfc822 format available.

Acknowledgement sent to ldoolitt@recycle.lbl.gov:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. Full text and rfc822 format available.

Message #78 received at 413041@bugs.debian.org (full text, mbox):

From: ldoolitt@recycle.lbl.gov
To: 413041@bugs.debian.org
Subject: bug reproduces in standalone jasper
Date: Tue, 27 Mar 2007 11:08:20 -0700
I have to walk away from this bug for a while.  Maybe this
message can give someone else a head start.

It's quite a Heisenbug, disappearing when you put any
malloc in besides vanilla libc; I tried electric fence
and dmalloc, I understand valgrind is the same.

My comments refer to broken2.jp2.  The bug reproduces easily
in an out-of-the-box build of jasper_1.701.0.orig.tar.gz.
I find that much easier to work with than a full Debian build,
with all its shared library gyrations.

tar -xvzf jasper_1.701.0.orig.tar.gz
cd jasper-1.701.0
./configure
make
gdb src/appl/imginfo
run -f /path/to/broken2.jp2
*** glibc detected *** double free or corruption (!prev):
0x000000000054ecb0 ***

Program received signal SIGABRT, Aborted.
0x00002b65b5d5907b in raise () from /lib/libc.so.6

I can trace the main file parsing loop that starts in
src/libjasper/jpc/jpc_dec.c:369.  It makes its way through the
get, check, process, and destroy phases of "marker segments" of
type SOC, SIZ, COM, COD, QCD, and QCC.  It crashes in the destroy
phase of a second QCC marker segment.  Yes, I added a bunch of
printf's.  They don't seem to affect the bug the way a different
malloc library does.

Just in case it's a hint to any jasper experts reading, the
two QCC headers printed by jpc_qcc_dumpparms() are
type = 0xff5d (QCC); len = 20;compno = 1; qntsty = 0; numguard = 2; numstepsizes = 16
type = 0xff5d (QCC); len = 2068;compno = 2; qntsty = 0; numguard = 2; numstepsizes = 2064

I have to admit that doesn't mean much to me.

     - Larry



Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#413041; Package libjasper-1.701-1. Full text and rfc822 format available.

Acknowledgement sent to ldoolitt@recycle.lbl.gov:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. Full text and rfc822 format available.

Message #83 received at 413041@bugs.debian.org (full text, mbox):

From: ldoolitt@recycle.lbl.gov
To: 413041@bugs.debian.org
Subject: Re: bug reproduces in standalone jasper
Date: Tue, 27 Mar 2007 14:54:55 -0700
On Tue, Mar 27, 2007 at 11:08:20AM -0700, ldoolitt@recycle.lbl.gov wrote:
> It's quite a Heisenbug, disappearing when you put any
> malloc in besides vanilla libc; I tried electric fence
> and dmalloc, I understand valgrind is the same.

I don't know what went wrong the first time, I tried
again and Electric Fence found it.  Please test.
"It works for me" on both broken2.jp2 and broken4.jp2.

diff -ur jasper-1.701.0/src/libjasper/jpc/jpc_dec.c jasper-1.701.0.new/src/libjasper/jpc/jpc_dec.c
--- jasper-1.701.0/src/libjasper/jpc/jpc_dec.c	2004-02-08 17:34:40.000000000 -0800
+++ jasper-1.701.0.new/src/libjasper/jpc/jpc_dec.c	2007-03-27 14:49:47.000000000 -0700
@@ -1706,6 +1706,7 @@
 
 	if ((flags & JPC_QCC) || !(ccp->flags & JPC_QCC)) {
 		ccp->flags |= flags | JPC_QSET;
+		assert (compparms->numstepsizes <= 3 * JPC_MAXRLVLS + 1);
 		for (bandno = 0; bandno < compparms->numstepsizes; ++bandno) {
 			ccp->stepsizes[bandno] = compparms->stepsizes[bandno];
 		}
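
Review bot: the added assert() on compparms->numstepsizes is the only guard between a file-supplied count and the copy loop into ccp->stepsizes[], and assert() is compiled out when the library is built with NDEBUG, so a release build would still write past the bound the assert names; with assertions enabled, a malformed file aborts the calling process instead. Suggest an ordinary if against 3 * JPC_MAXRLVLS + 1 that returns an error to the caller, preferably where the QCC/QCD marker segment is parsed rather than here at the point of use.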



Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#413041; Package libjasper-1.701-1. Full text and rfc822 format available.

Acknowledgement sent to Sam Hocevar <sam@zoy.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. Full text and rfc822 format available.

Message #88 received at 413041@bugs.debian.org (full text, mbox):

From: Sam Hocevar <sam@zoy.org>
To: ldoolitt@recycle.lbl.gov
Cc: 413041@bugs.debian.org
Subject: Re: bug reproduces in standalone jasper
Date: Fri, 6 Apr 2007 01:40:40 +0200
[Message part 1 (text/plain, inline)]
tag 413041 +patch
thanks

On Tue, Mar 27, 2007, ldoolitt@recycle.lbl.gov wrote:

> I don't know what went wrong the first time, I tried
> again and Electric Fence found it.  Please test.
> "It works for me" on both broken2.jp2 and broken4.jp2.

   Your patch works, with all broken*.jp2 files. Here is a slightly
better one that checks the numstepsizes value a bit before and returns
an error instead of using assert().

Cheers,
-- 
Sam.
[patch-libjasper-stepsizes-overflow.diff (text/x-diff, attachment)]
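
The check described in the message above (reject an oversized numstepsizes when the marker segment is read, and return an error rather than assert()), sketched as an added example; it is not the attached patch and not JasPer code. It assumes the standard JPEG 2000 QCC layout (2-byte length, 1-byte component index, 1-byte Sqcc, then one byte per step size when qntsty = 0), which matches the len/numstepsizes pairs in the dump quoted earlier (20 and 16, 2068 and 2064); qcc_parse, make_qcc, the error codes and MAX_RLVLS = 33 are hypothetical names and values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination capacity, same shape as the bound in the assert() patch.
 * MAX_RLVLS = 33 is an assumed stand-in value, not taken from the page. */
#define MAX_RLVLS 33
#define MAX_STEPSIZES (3 * MAX_RLVLS + 1)

enum { QCC_OK = 0, QCC_TRUNCATED = -1, QCC_BAD_LENGTH = -2, QCC_TOO_MANY = -3 };

struct qcc_parms {
    unsigned compno;
    unsigned qntsty;    /* low 5 bits of Sqcc */
    unsigned numguard;  /* high 3 bits of Sqcc */
    size_t numstepsizes;
    uint16_t stepsizes[MAX_STEPSIZES];
};

/* Parse one QCC segment; buf points at the 2-byte length field that follows
 * the 0xff5d marker. Every count is validated before anything is copied. */
int qcc_parse(const uint8_t *buf, size_t avail, struct qcc_parms *out)
{
    size_t len, body, width, n, i;

    if (avail < 4)
        return QCC_TRUNCATED;
    len = ((size_t)buf[0] << 8) | buf[1];
    if (len < 4)
        return QCC_BAD_LENGTH;
    if (len > avail)
        return QCC_TRUNCATED;

    /* qntsty 0 (no quantization) stores 1 byte per step size, else 2. */
    width = ((buf[3] & 0x1f) == 0) ? 1 : 2;
    body = len - 4;
    if (body % width != 0)
        return QCC_BAD_LENGTH;
    n = body / width;
    if (n > MAX_STEPSIZES)      /* the check the unpatched copy loop lacked */
        return QCC_TOO_MANY;

    memset(out, 0, sizeof *out);
    out->compno = buf[2];
    out->qntsty = buf[3] & 0x1f;
    out->numguard = buf[3] >> 5;
    out->numstepsizes = n;
    for (i = 0; i < n; ++i) {
        const uint8_t *p = buf + 4 + i * width;
        out->stepsizes[i] = (width == 1) ? p[0] : (uint16_t)((p[0] << 8) | p[1]);
    }
    return QCC_OK;
}

/* Build a constructed qntsty-0 segment with nsteps one-byte step sizes.
 * Returns the segment length, or 0 if it does not fit. */
size_t make_qcc(uint8_t *dst, size_t cap, unsigned compno, unsigned numguard,
                size_t nsteps)
{
    size_t total = 4 + nsteps;

    if (total > cap || total > 0xffff)
        return 0;
    dst[0] = (uint8_t)(total >> 8);
    dst[1] = (uint8_t)(total & 0xff);
    dst[2] = (uint8_t)compno;
    dst[3] = (uint8_t)(numguard << 5);   /* qntsty = 0 */
    memset(dst + 4, 0x48, nsteps);       /* arbitrary filler exponents */
    return total;
}

int main(void)
{
    static uint8_t seg[4096];
    struct qcc_parms p;
    size_t counts[] = { 16, 2064 };      /* the two values from the dump */
    size_t i;

    for (i = 0; i < 2; ++i) {
        size_t n = make_qcc(seg, sizeof seg, (unsigned)i + 1, 2, counts[i]);
        printf("len = %zu; numstepsizes = %zu -> %d\n", n, counts[i],
               qcc_parse(seg, n, &p));
    }
    return 0;
}
```
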

Tags added: patch Request was from Sam Hocevar <sam@zoy.org> to control@bugs.debian.org. (Thu, 05 Apr 2007 23:42:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413041; Package libjasper-1.701-1. Full text and rfc822 format available.

Acknowledgement sent to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #95 received at 413041@bugs.debian.org (full text, mbox):

From: Roland Stigge <stigge@antcom.de>
To: Sam Hocevar <sam@zoy.org>, 413041@bugs.debian.org
Cc: ldoolitt@recycle.lbl.gov, debian-release@lists.debian.org
Subject: Re: Bug#413041: bug reproduces in standalone jasper
Date: Fri, 06 Apr 2007 16:04:47 +0200
Hi Sam and Larry,

Sam Hocevar wrote:
>> I don't know what went wrong the first time, I tried
>> again and Electric Fence found it.  Please test.
>> "It works for me" on both broken2.jp2 and broken4.jp2.
> 
>    Your patch works, with all broken*.jp2 files. Here is a slightly
> better one that checks the numstepsizes value a bit before and returns
> an error instead of using assert().

Thanks for all your work on this! Your last patch looks good, and I
could upload it right away.

So, RMs, is there anything special I should care about when uploading
this lib (besides the usual QA-checks) at this stage of release? I would
just upload to unstable and ask you to let it into etch.

Thanks,

Roland



Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#413041; Package libjasper-1.701-1. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. Full text and rfc822 format available.

Message #100 received at 413041@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Roland Stigge <stigge@antcom.de>
Cc: Sam Hocevar <sam@zoy.org>, 413041@bugs.debian.org, ldoolitt@recycle.lbl.gov, debian-release@lists.debian.org
Subject: Re: Bug#413041: bug reproduces in standalone jasper
Date: Fri, 6 Apr 2007 13:52:00 -0700
On Fri, Apr 06, 2007 at 04:04:47PM +0200, Roland Stigge wrote:
> Hi Sam and Larry,

> Sam Hocevar wrote:
> >> I don't know what went wrong the first time, I tried
> >> again and Electric Fence found it.  Please test.
> >> "It works for me" on both broken2.jp2 and broken4.jp2.

> >    Your patch works, with all broken*.jp2 files. Here is a slightly
> > better one that checks the numstepsizes value a bit before and returns
> > an error instead of using assert().

> Thanks for all your work on this! Your last patch looks good, and I
> could upload it right away.

> So, RMs, is there anything special I should care about when uploading
> this lib (besides the usual QA-checks) at this stage of release? I would
> just upload to unstable and ask you to let it into etch.

Please do upload it to unstable, but it is no longer possible to push that
fix from unstable into etch because the binary packages will simply not be
available in time before etch is closed down for release.

So after uploading to unstable, please coordinate with the security team to
get security builds issued for both sarge and etch (this will not happen
before Monday).  Please note that sarge and etch will require separate
builds, and because sarge and etch have the same version of the package,
special care will need to be taken to ensure the etch version number sorts
after the sarge version number to cleanly support upgrades (since sarge >
etch alphabetically).

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Tags removed: help Request was from Roland Stigge <stigge@antcom.de> to control@bugs.debian.org. (Tue, 10 Apr 2007 07:48:08 GMT) Full text and rfc822 format available.

Reply sent to Roland Stigge <stigge@antcom.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Sami Liedes <sliedes@cc.hut.fi>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #107 received at 413041-close@bugs.debian.org (full text, mbox):

From: Roland Stigge <stigge@antcom.de>
To: 413041-close@bugs.debian.org
Subject: Bug#413041: fixed in jasper 1.900.1-3
Date: Wed, 18 Apr 2007 18:32:02 +0000
Source: jasper
Source-Version: 1.900.1-3

We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive:

jasper_1.900.1-3.diff.gz
  to pool/main/j/jasper/jasper_1.900.1-3.diff.gz
jasper_1.900.1-3.dsc
  to pool/main/j/jasper/jasper_1.900.1-3.dsc
libjasper-dev_1.900.1-3_i386.deb
  to pool/main/j/jasper/libjasper-dev_1.900.1-3_i386.deb
libjasper-runtime_1.900.1-3_i386.deb
  to pool/main/j/jasper/libjasper-runtime_1.900.1-3_i386.deb
libjasper1_1.900.1-3_i386.deb
  to pool/main/j/jasper/libjasper1_1.900.1-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 413041@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Stigge <stigge@antcom.de> (supplier of updated jasper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 10 Apr 2007 10:05:10 +0200
Source: jasper
Binary: libjasper-dev libjasper-runtime libjasper1
Architecture: source i386
Version: 1.900.1-3
Distribution: unstable
Urgency: low
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Roland Stigge <stigge@antcom.de>
Description: 
 libjasper-dev - Development files for the JasPer JPEG-2000 library
 libjasper-runtime - Programs for manipulating JPEG-2000 files
 libjasper1 - The JasPer JPEG-2000 runtime library
Closes: 413041
Changes: 
 jasper (1.900.1-3) unstable; urgency=low
 .
   * Fixed segfaults on broken images (Closes: #413041)
Files: 
 77ae9a828a71f7328ba1721d6f22b039 667 graphics optional jasper_1.900.1-3.dsc
 f49f9521d7b8f4624452ebf15f95daec 41866 graphics optional jasper_1.900.1-3.diff.gz
 e7bf3cd54c1283ff5f5d8814e7964f7c 141768 libs optional libjasper1_1.900.1-3_i386.deb
 6b080c17c3b39dc229babd8b94628da3 547572 libdevel optional libjasper-dev_1.900.1-3_i386.deb
 8563e07591b3e9a1fd1ac7619bf4fed9 23022 graphics optional libjasper-runtime_1.900.1-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGG0e0caH/YBv43g8RAvb3AKDKpTEljtLFv5EB4Nf9rKMNLrePBACfUoBi
lnyCIfD6O3MNQB5rUWn2YI8=
=ar12
-----END PGP SIGNATURE-----




Tags added: sarge, etch Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Thu, 19 Jul 2007 23:33:02 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 08:06:41 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:39:11 2014; Machine Name: beach.debian.org
