Debian Bug report logs - #528543
Security fix CVE-2007-2721 has been dropped

Package: jasper; Maintainer for jasper is Roland Stigge <stigge@antcom.de>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Wed, 13 May 2009 14:21:02 UTC

Severity: grave

Tags: security

Fixed in versions jasper/1.900.1-6, jasper/1.900.1-5.1+lenny1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Security Team <team@security.debian.org>, Roland Stigge <stigge@antcom.de>:
Bug#528543; Package jasper. (Wed, 13 May 2009 14:21:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Security Team <team@security.debian.org>, Roland Stigge <stigge@antcom.de>. (Wed, 13 May 2009 14:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Security fix CVE-2007-2721 has been dropped
Date: Wed, 13 May 2009 16:18:30 +0200
Package: jasper
Severity: grave
Tags: security

A colleague of mine noticed that the patch for CVE-2007-2721 still
applies to the Lenny version, although it should've been fixed.

Further investigation revealed that the patch has been reverted
by a later upload. I can't tell exactly in which upload, since
snapshot.debian.net lacks the more recent uploads.

The patch was correctly applied in 1.900.1-3:

jmm@omar:$ debdiff jasper_1.900.1-2.dsc jasper_1.900.1-3.dsc
diff -u jasper-1.900.1/debian/changelog jasper-1.900.1/debian/changelog
--- jasper-1.900.1/debian/changelog
+++ jasper-1.900.1/debian/changelog
@@ -1,3 +1,9 @@
+jasper (1.900.1-3) unstable; urgency=low
+
+  * Fixed segfaults on broken images (Closes: #413041)
+
+ -- Roland Stigge <stigge@antcom.de>  Tue, 10 Apr 2007 10:05:10 +0200
+
 jasper (1.900.1-2) experimental; urgency=low

   * Added jas_tmr.h to -dev package (Closes: #414705)
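Review bot: The new 1.900.1-3 changelog entry does not name the security issue: it reads "Fixed segfaults on broken images" at urgency=low with no CVE identifier, so someone auditing the changelog cannot tell that this upload carries the CVE-2007-2721 fix, and a later upload can lose it without anyone noticing. Name the CVE in the entry next to the Closes: #413041 reference and set the urgency to match a security fix.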
only in patch2:
unchanged:
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
@@ -982,7 +982,10 @@
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
-       if (compparms->numstepsizes > 0) {
+       if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+               jpc_qcx_destroycompparms(compparms);
+                return -1;
+        } else if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
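Review bot: The limit `3 * JPC_MAXRLVLS + 1` in the added check has no comment saying what it corresponds to, which makes the branch easy to mistake for optional clean-up when the file is merged or regenerated later; add a one-line comment stating what the bound represents and that it is a security check. Separately, the context line `assert(compparms->stepsizes);` is the only handling of a failed jas_malloc and disappears when assertions are compiled out, so that path should return an error the same way the new branch does.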

However, it was later reverted, as debdiff between jasper_1.900.1-3.dsc 
and jasper_1.900.1-5.1.dsc reveals:

--- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c
@@ -982,10 +982,7 @@
                compparms->numstepsizes = (len - n) / 2;
                break;
        }
+       if (compparms->numstepsizes > 0) {
-       if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
-               jpc_qcx_destroycompparms(compparms);
-                return -1;
-        } else if (compparms->numstepsizes > 0) {
                compparms->stepsizes = jas_malloc(compparms->numstepsizes *
                  sizeof(uint_fast16_t));
                assert(compparms->stepsizes);
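Review bot: The upper bound on numstepsizes must not be dropped here: with the `> 3 * JPC_MAXRLVLS + 1` branch removed, the count computed from `(len - n) / 2` is limited only by `> 0` before it sizes the jas_malloc call, and the early `return -1` after jpc_qcx_destroycompparms is gone. Restore the four removed lines. Note also that the file headers run from jasper-1.900.1 to jasper-1.900.1.orig, so confirm the direction of this diff before reading the `+` line as the newer state.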

I've also confirmed this with test compilations of jasper_1.900.1-3.dsc 
and jasper_1.900.1-5.1.dsc with the reproducer broken2.jp2.

You seem to have reverted other changes as well, e.g. #514296.

Cheers,
        Moritz

-- System Information:
Debian Release: 4.0
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.26-ucs8-amd64
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
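
The check the report opens with (a fix patch that still applies means the fix is absent), as an added example that is not part of the bug report or of Debian's tooling. It approximates `patch --dry-run` and `patch -R --dry-run` for a single hunk by looking for the hunk's before and after images in the file; the sample excerpts are constructed from the hunk quoted above, and `images`, `contains`, `fix_status` and `excerpt` are names chosen for this example.

```python
# Hunk for src/libjasper/jpc/jpc_cs.c as quoted in the report (indentation normalised).
HUNK = """\
@@ -982,7 +982,10 @@
         compparms->numstepsizes = (len - n) / 2;
         break;
     }
-    if (compparms->numstepsizes > 0) {
+    if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+        jpc_qcx_destroycompparms(compparms);
+        return -1;
+    } else if (compparms->numstepsizes > 0) {
         compparms->stepsizes = jas_malloc(compparms->numstepsizes *
           sizeof(uint_fast16_t));
         assert(compparms->stepsizes);
"""

def images(hunk):
    """Return (pre, post): the lines the hunk expects before and after it is applied."""
    pre, post = [], []
    for line in hunk.splitlines():
        tag, text = line[:1], line[1:]   # "@@" header lines match neither tag
        if tag in (" ", "-"):
            pre.append(text)
        if tag in (" ", "+"):
            post.append(text)
    return pre, post

def contains(source_lines, block):
    """True if block occurs as consecutive lines, ignoring whitespace differences."""
    norm = lambda s: " ".join(s.split())
    src, want = [norm(l) for l in source_lines], [norm(l) for l in block]
    return any(src[i:i + len(want)] == want for i in range(len(src) - len(want) + 1))

def fix_status(source_text, hunk=HUNK):
    """'fix missing' if the hunk would still apply, 'fix present' if it is already in."""
    has_pre, has_post = (contains(source_text.splitlines(), b) for b in images(hunk))
    if has_pre and not has_post:
        return "fix missing"
    if has_post and not has_pre:
        return "fix present"
    return "unknown"

def excerpt(block):
    # Constructed stand-in for jpc_cs.c: the block re-indented with tabs inside a stub.
    return "static int stub(void)\n{\n" + "".join("\t" + l.strip() + "\n" for l in block) + "}\n"

if __name__ == "__main__":
    for name, block in zip(("1.900.1-5.1 style", "1.900.1-3 style"), images(HUNK)):
        print(name, "->", fix_status(excerpt(block)))
```

Run against every security hunk a package is supposed to carry, a "fix missing" result on a release candidate is the signal that an upload has dropped a patch.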




Reply sent to Roland Stigge <stigge@antcom.de>:
You have taken responsibility. (Sat, 20 Jun 2009 15:39:04 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 20 Jun 2009 15:39:04 GMT)

Message #10 received at 528543-close@bugs.debian.org:

From: Roland Stigge <stigge@antcom.de>
To: 528543-close@bugs.debian.org
Subject: Bug#528543: fixed in jasper 1.900.1-6
Date: Sat, 20 Jun 2009 15:17:21 +0000
Source: jasper
Source-Version: 1.900.1-6

We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive:

jasper_1.900.1-6.diff.gz
  to pool/main/j/jasper/jasper_1.900.1-6.diff.gz
jasper_1.900.1-6.dsc
  to pool/main/j/jasper/jasper_1.900.1-6.dsc
libjasper-dev_1.900.1-6_i386.deb
  to pool/main/j/jasper/libjasper-dev_1.900.1-6_i386.deb
libjasper-runtime_1.900.1-6_i386.deb
  to pool/main/j/jasper/libjasper-runtime_1.900.1-6_i386.deb
libjasper1_1.900.1-6_i386.deb
  to pool/main/j/jasper/libjasper1_1.900.1-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528543@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Stigge <stigge@antcom.de> (supplier of updated jasper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 20 Jun 2009 15:21:16 +0200
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source i386
Version: 1.900.1-6
Distribution: unstable
Urgency: low
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Roland Stigge <stigge@antcom.de>
Description: 
 libjasper-dev - Development files for the JasPer JPEG-2000 library
 libjasper-runtime - Programs for manipulating JPEG-2000 files
 libjasper1 - The JasPer JPEG-2000 runtime library
Closes: 501021 514296 528543
Changes: 
 jasper (1.900.1-6) unstable; urgency=low
 .
   * Reverted to jasper 1.900.1-6 because 1.900.1-5.1 messed up (see #528543)
     but 1.900.1-5 wasn't available anymore. (Closes: #514296, #528543)
   * Re-applied patch from #275619 as in 1.900.1-5
   * debian/control: Standards-Version: 3.8.2
   * Applied patch by Nico Golde (Closes: #501021)
      - CVE-2008-3522[0]: Buffer overflow.
      - CVE-2008-3521[1]: unsecure temporary files handling.
      - CVE-2008-3520[2]: Multiple integer overflows.





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sun, 18 Apr 2010 14:10:48 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sun, 18 Apr 2010 14:10:48 GMT)

Message #15 received at 528543-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 528543-close@bugs.debian.org
Subject: Bug#528543: fixed in jasper 1.900.1-5.1+lenny1
Date: Sun, 18 Apr 2010 13:58:36 +0000
Source: jasper
Source-Version: 1.900.1-5.1+lenny1

We believe that the bug you reported is fixed in the latest version of
jasper, which is due to be installed in the Debian FTP archive:

jasper_1.900.1-5.1+lenny1.diff.gz
  to main/j/jasper/jasper_1.900.1-5.1+lenny1.diff.gz
jasper_1.900.1-5.1+lenny1.dsc
  to main/j/jasper/jasper_1.900.1-5.1+lenny1.dsc
libjasper-dev_1.900.1-5.1+lenny1_amd64.deb
  to main/j/jasper/libjasper-dev_1.900.1-5.1+lenny1_amd64.deb
libjasper-runtime_1.900.1-5.1+lenny1_amd64.deb
  to main/j/jasper/libjasper-runtime_1.900.1-5.1+lenny1_amd64.deb
libjasper1_1.900.1-5.1+lenny1_amd64.deb
  to main/j/jasper/libjasper1_1.900.1-5.1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528543@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated jasper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 17 Apr 2010 15:13:01 +0200
Source: jasper
Binary: libjasper1 libjasper-dev libjasper-runtime
Architecture: source amd64
Version: 1.900.1-5.1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 libjasper-dev - Development files for the JasPer JPEG-2000 library
 libjasper-runtime - Programs for manipulating JPEG-2000 files
 libjasper1 - The JasPer JPEG-2000 runtime library
Closes: 506739 528543
Changes: 
 jasper (1.900.1-5.1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix code execution via crafted JPEG2000 images
     (CVE-2007-2721, closes: #528543). Fix was applied in 1.900.1-3
     but accidentally dropped in 1.900.1-5.1.
   * Correct regression in fix for CVE-2008-3521 (Closes: #506739).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:37:16 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:46:08 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.