diff --git a/.gitignore b/.gitignore
index 440f060..7ffeb40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ jasper-1.900.1.zip
 /jasper-1.900.2.tar.gz
 /jasper-1.900.3.tar.gz
 /jasper-1.900.13.tar.gz
+/jasper-1.900.28.tar.gz
diff --git a/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch b/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
deleted file mode 100644
index f753080..0000000
--- a/jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -up jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
---- jasper-1.900.1/src/libjasper/jpc/jpc_cs.c.CERT-VU-887409 2011-10-25 17:25:39.000000000 +0200
-+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-10-25 17:29:14.379371908 +0200
-@@ -744,6 +744,10 @@ static int jpc_cox_getcompparms(jpc_ms_t
- return -1;
- }
- compparms->numrlvls = compparms->numdlvls + 1;
-+ if (compparms->numrlvls > JPC_MAXRLVLS) {
-+ jpc_cox_destroycompparms(compparms);
-+ return -1;
-+ }
- if (prtflag) {
- for (i = 0; i < compparms->numrlvls; ++i) {
- if (jpc_getuint8(in, &tmp)) {
-@@ -1331,7 +1335,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms
- jpc_crgcomp_t *comp;
- uint_fast16_t compno;
- crg->numcomps = cstate->numcomps;
-- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
-+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
- return -1;
- }
- for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
diff --git a/jasper-1.900.1-Coverity-NULL_RETURNS.patch b/jasper-1.900.1-Coverity-NULL_RETURNS.patch
deleted file mode 100644
index 4c72270..0000000
--- a/jasper-1.900.1-Coverity-NULL_RETURNS.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-Error: NULL_RETURNS
-base/jas_image.c:213: returned_null: Function "jas_image_create0" returns null (checked 6 out of 7 times).
-base/jas_image.c:213: var_assigned: Assigning: "newimage" = null return value from "jas_image_create0".
-base/jas_image.c:214: dereference: Dereferencing a pointer that might be null "newimage" when calling "jas_image_growcmpts".
-base/jas_image.c:777: deref_parm: Directly dereferencing parameter "image".
-
-base/jas_seq.c:223: returned_null: Function "jas_malloc" returns null (checked 110 out of 119 times).
-base/jas_seq.c:223: var_assigned: Assigning: "mat0->rows_" = null return value from "jas_malloc".
-base/jas_seq.c:225: dereference: Dereferencing a null pointer "mat0->rows_".
-
-jp2/jp2_cod.c:484: returned_null: Function "jas_stream_memopen" returns null (checked 12 out of 15 times).
-jp2/jp2_cod.c:484: var_assigned: Assigning: "tmpstream" = null return value from "jas_stream_memopen".
-jp2/jp2_cod.c:490: dereference: Dereferencing a pointer that might be null "tmpstream" when calling "jas_stream_tell".
-base/jas_stream.c:677: deref_parm: Directly dereferencing parameter "stream".
-
-
-diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_image.c
---- jasper-1.900.1/src/libjasper/base/jas_image.c.NULL_RETURNS 2011-12-08 14:00:05.350020869 +0100
-+++ jasper-1.900.1/src/libjasper/base/jas_image.c 2011-12-08 14:00:06.638004766 +0100
-@@ -210,7 +210,10 @@ jas_image_t *jas_image_copy(jas_image_t
- jas_image_t *newimage;
- int cmptno;
-
-- newimage = jas_image_create0();
-+ if (!(newimage = jas_image_create0())) {
-+ goto error;
-+ }
-+
- if (jas_image_growcmpts(newimage, image->numcmpts_)) {
- goto error;
- }
-diff -up jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS jasper-1.900.1/src/libjasper/base/jas_seq.c
---- jasper-1.900.1/src/libjasper/base/jas_seq.c.NULL_RETURNS 2011-12-08 14:00:05.000000000 +0100
-+++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2011-12-08 14:15:12.449680562 +0100
-@@ -220,7 +220,11 @@ void jas_matrix_bindsub(jas_matrix_t *ma
- mat0->numrows_ = r1 - r0 + 1;
- mat0->numcols_ = c1 - c0 + 1;
- mat0->maxrows_ = mat0->numrows_;
-- mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *));
-+ if (!(mat0->rows_ = jas_alloc2(mat0->maxrows_, sizeof(jas_seqent_t *)))) {
-+ jas_matrix_destroy(mat0);
-+ return;
-+ }
-+
- for (i = 0; i < mat0->numrows_; ++i) {
- mat0->rows_[i] = mat1->rows_[r0 + i] + c0;
- }
-diff -up jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
---- jasper-1.900.1/src/libjasper/jp2/jp2_cod.c.NULL_RETURNS 2011-12-08 14:00:05.633017331 +0100
-+++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2011-12-08 14:00:06.677004279 +0100
-@@ -481,7 +481,9 @@ int jp2_box_put(jp2_box_t *box, jas_stre
- dataflag = !(box->info->flags & (JP2_BOX_SUPER | JP2_BOX_NODATA));
-
- if (dataflag) {
-- tmpstream = jas_stream_memopen(0, 0);
-+ if (!(tmpstream = jas_stream_memopen(0, 0))) {
-+ goto error;
-+ }
- if (box->ops->putdata) {
- if ((*box->ops->putdata)(box, tmpstream)) {
- goto error;
diff --git a/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch b/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
deleted file mode 100644
index 76f5da7..0000000
--- a/jasper-1.900.1-Coverity-RESOURCE_LEAK.patch
+++ /dev/null
@@ -1,202 +0,0 @@
-Error: RESOURCE_LEAK
-src/appl/imgcmp.c:504: var_assign: Assigning: "diffimage" = storage returned from "jas_image_create(3, compparms, 1025)".
-src/appl/imgcmp.c:511: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
-src/appl/imgcmp.c:537: leaked_storage: Variable "diffimage" going out of scope leaks the storage it points to.
-
-base/jas_image.c:254: var_assign: Assigning: "newcmpt" = storage returned from "jas_image_cmpt_create0()".
-base/jas_image.c:268: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
-base/jas_image.c:271: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
-base/jas_image.c:274: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
-base/jas_image.c:277: leaked_storage: Variable "newcmpt" going out of scope leaks the storage it points to.
-
-base/jas_cm.c:611: var_assign: Assigning: "newpxformseq" = storage returned from "jas_cmpxformseq_create()".
-base/jas_cm.c:617: leaked_storage: Variable "newpxformseq" going out of scope leaks the storage it points to.
-
-base/jas_cm.c:343: var_assign: Assigning: "newprof" = storage returned from "jas_cmprof_create()".
-base/jas_cm.c:358: leaked_storage: Variable "newprof" going out of scope leaks the storage it points to.
-
-base/jas_cm.c:380: var_assign: Assigning: "xform" = storage returned from "jas_malloc(sizeof (jas_cmxform_t) /*16*/)".
-base/jas_cm.c:461: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
-
-base/jas_image.c:1379: var_assign: Assigning: "xform" = storage returned from "jas_cmxform_create(inprof, outprof, NULL, 0, intent, 0)".
-base/jas_image.c:1444: leaked_storage: Variable "xform" going out of scope leaks the storage it points to.
-
-base/jas_image.c:1306: var_assign: Assigning: "inimage" = storage returned from "jas_image_copy(image)".
-base/jas_image.c:1444: leaked_storage: Variable "inimage" going out of scope leaks the storage it points to.
-
-base/jas_image.c:1345: var_assign: Assigning: "outimage" = storage returned from "jas_image_create0()".
-base/jas_image.c:1444: leaked_storage: Variable "outimage" going out of scope leaks the storage it points to.
-
-bmp/bmp_enc.c:187: var_assign: Assigning: "info" = storage returned from "bmp_info_create()".
-bmp/bmp_enc.c:208: leaked_storage: Variable "info" going out of scope leaks the storage it points to.
-
-jpc/jpc_tagtree.c:111: var_assign: Assigning: "tree" = storage returned from "jpc_tagtree_alloc()".
-jpc/jpc_tagtree.c:129: leaked_storage: Variable "tree" going out of scope leaks the storage it points to.
-
-jpc/jpc_dec.c:452: var_assign: Assigning: "compinfos" = storage returned from "jas_malloc(dec->numcomps * sizeof (jas_image_cmptparm_t) /*56*/)".
-jpc/jpc_dec.c:468: leaked_storage: Variable "compinfos" going out of scope leaks the storage it points to.
-
-jpc/jpc_dec.c:1483: var_assign: Assigning: "cp" = storage returned from "jas_malloc(sizeof (jpc_dec_cp_t) /*48*/)".
-jpc/jpc_dec.c:1493: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
-jpc/jpc_dec.c:1497: leaked_storage: Variable "cp" going out of scope leaks the storage it points to.
-
-mif/mif_cod.c:523: var_assign: Assigning: "cmpt" = storage returned from "mif_cmpt_create()".
-mif/mif_cod.c:568: leaked_storage: Variable "cmpt" going out of scope leaks the storage it points to.
-
-mif/mif_cod.c:568: leaked_storage: Variable "tvp" going out of scope leaks the storage it points to.
-
-
-diff -up jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK jasper-1.900.1/src/appl/imgcmp.c
---- jasper-1.900.1/src/appl/imgcmp.c.RESOURCE_LEAK 2007-01-19 22:43:08.000000000 +0100
-+++ jasper-1.900.1/src/appl/imgcmp.c 2011-12-08 14:16:04.727027007 +0100
-@@ -507,6 +507,7 @@ jas_image_t *makediffimage(jas_matrix_t
-
- for (i = 0; i < 3; ++i) {
- if (!(diffdata[i] = jas_matrix_create(height, width))) {
-+ jas_image_destroy(diffimage);
- fprintf(stderr, "internal error\n");
- return 0;
- }
-@@ -534,6 +535,7 @@ jas_image_t *makediffimage(jas_matrix_t
-
- for (i = 0; i < 3; ++i) {
- if (jas_image_writecmpt(diffimage, i, 0, 0, width, height, diffdata[i])) {
-+ jas_image_destroy(diffimage);
- return 0;
- }
- }
-diff -up jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_cm.c
---- jasper-1.900.1/src/libjasper/base/jas_cm.c.RESOURCE_LEAK 2011-12-08 14:16:03.387043758 +0100
-+++ jasper-1.900.1/src/libjasper/base/jas_cm.c 2011-12-08 14:16:04.728026994 +0100
-@@ -355,6 +355,8 @@ jas_cmprof_t *jas_cmprof_copy(jas_cmprof
- }
- return newprof;
- error:
-+ if (newprof)
-+ jas_cmprof_destroy(newprof);
- return 0;
- }
-
-@@ -458,6 +460,8 @@ jas_cmxform_t *jas_cmxform_create(jas_cm
- }
- return xform;
- error:
-+ if (xform)
-+ jas_cmxform_destroy(xform);
- return 0;
- }
-
-@@ -614,6 +618,8 @@ static jas_cmpxformseq_t *jas_cmpxformse
- goto error;
- return newpxformseq;
- error:
-+ if (newpxformseq)
-+ jas_cmpxformseq_destroy(newpxformseq);
- return 0;
- }
-
-diff -up jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/base/jas_image.c
---- jasper-1.900.1/src/libjasper/base/jas_image.c.RESOURCE_LEAK 2011-12-08 14:16:04.635028156 +0100
-+++ jasper-1.900.1/src/libjasper/base/jas_image.c 2011-12-08 14:16:04.776026394 +0100
-@@ -268,15 +268,19 @@ static jas_image_cmpt_t *jas_image_cmpt_
- newcmpt->cps_ = cmpt->cps_;
- newcmpt->type_ = cmpt->type_;
- if (!(newcmpt->stream_ = jas_stream_memopen(0, 0))) {
-+ jas_image_cmpt_destroy(newcmpt);
- return 0;
- }
- if (jas_stream_seek(cmpt->stream_, 0, SEEK_SET)) {
-+ jas_image_cmpt_destroy(newcmpt);
- return 0;
- }
- if (jas_stream_copy(newcmpt->stream_, cmpt->stream_, -1)) {
-+ jas_image_cmpt_destroy(newcmpt);
- return 0;
- }
- if (jas_stream_seek(newcmpt->stream_, 0, SEEK_SET)) {
-+ jas_image_cmpt_destroy(newcmpt);
- return 0;
- }
- return newcmpt;
-@@ -1443,5 +1447,11 @@ jas_image_dump(outimage, stderr);
- #endif
- return outimage;
- error:
-+ if (xform)
-+ jas_cmxform_destroy(xform);
-+ if (inimage)
-+ jas_image_destroy(inimage);
-+ if (outimage)
-+ jas_image_destroy(outimage);
- return 0;
- }
-diff -up jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/bmp/bmp_enc.c
---- jasper-1.900.1/src/libjasper/bmp/bmp_enc.c.RESOURCE_LEAK 2007-01-19 22:43:07.000000000 +0100
-+++ jasper-1.900.1/src/libjasper/bmp/bmp_enc.c 2011-12-08 14:16:04.826025768 +0100
-@@ -205,16 +205,19 @@ int bmp_encode(jas_image_t *image, jas_s
-
- /* Write the bitmap header. */
- if (bmp_puthdr(out, &hdr)) {
-+ bmp_info_destroy(info);
- return -1;
- }
-
- /* Write the bitmap information. */
- if (bmp_putinfo(out, info)) {
-+ bmp_info_destroy(info);
- return -1;
- }
-
- /* Write the bitmap data. */
- if (bmp_putdata(out, info, image, enc->cmpts)) {
-+ bmp_info_destroy(info);
- return -1;
- }
-
-diff -up jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_dec.c
---- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c.RESOURCE_LEAK 2011-12-08 14:16:04.594028668 +0100
-+++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2011-12-08 14:17:25.677014992 +0100
-@@ -465,6 +465,7 @@ static int jpc_dec_process_sot(jpc_dec_t
-
- if (!(dec->image = jas_image_create(dec->numcomps, compinfos,
- JAS_CLRSPC_UNKNOWN))) {
-+ jas_free(compinfos);
- return -1;
- }
- jas_free(compinfos);
-@@ -1490,10 +1491,11 @@ static jpc_dec_cp_t *jpc_dec_cp_create(u
- cp->mctid = 0;
- cp->csty = 0;
- if (!(cp->ccps = jas_alloc2(cp->numcomps, sizeof(jpc_dec_ccp_t)))) {
-+ jpc_dec_cp_destroy(cp);
- return 0;
- }
- if (!(cp->pchglist = jpc_pchglist_create())) {
-- jas_free(cp->ccps);
-+ jpc_dec_cp_destroy(cp);
- return 0;
- }
- for (compno = 0, ccp = cp->ccps; compno < cp->numcomps;
-diff -up jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c
---- jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c.RESOURCE_LEAK 2011-12-08 14:16:04.000000000 +0100
-+++ jasper-1.900.1/src/libjasper/jpc/jpc_tagtree.c 2011-12-08 14:17:55.905637082 +0100
-@@ -126,6 +126,7 @@ jpc_tagtree_t *jpc_tagtree_create(int nu
- } while (n > 1);
-
- if (!(tree->nodes_ = jas_alloc2(tree->numnodes_, sizeof(jpc_tagtreenode_t)))) {
-+ jpc_tagtree_destroy(tree);
- return 0;
- }
-
-diff -up jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK jasper-1.900.1/src/libjasper/mif/mif_cod.c
---- jasper-1.900.1/src/libjasper/mif/mif_cod.c.RESOURCE_LEAK 2011-12-08 14:16:04.250032970 +0100
-+++ jasper-1.900.1/src/libjasper/mif/mif_cod.c 2011-12-08 14:16:04.967024005 +0100
-@@ -564,7 +564,7 @@ static int mif_process_cmpt(mif_hdr_t *h
- break;
- case MIF_DATA:
- if (!(cmpt->data = jas_strdup(jas_tvparser_getval(tvp)))) {
-- return -1;
-+ goto error;
- }
- break;
- }
diff --git a/jasper.spec b/jasper.spec
index 09b22f0..75aa0df 100644
--- a/jasper.spec
+++ b/jasper.spec
@@ -6,7 +6,7 @@
 Summary: Implementation of the JPEG-2000 standard, Part 1
 Name: jasper
 Group: System Environment/Libraries
-Version: 1.900.13
+Version: 1.900.28
 Release: 1%{?dist}
 %if "%{version}" > "1.900.1"
@@ -128,7 +128,7 @@ make check
 %files libs
 %doc COPYRIGHT LICENSE NEWS README
-%{_libdir}/libjasper.so.1*
+%{_libdir}/libjasper.so.4*
 %files utils
 %{_bindir}/jiv
@@ -137,6 +137,11 @@ make check
 %changelog
+* Mon Nov 14 2016 Josef Ridky - 1.900.28-1
+- New upstream release 1.900.28 (#1389636)
+- CVE-2016-9262 jasper: Multiple overflow vulnerabilities leading to use after free (#1393883)
+- Upgrade libjasper.so.1* to libjasper.so.4*
+
 * Mon Oct 24 2016 Josef Ridky - 1.900.13-1
 - New upstream release 1.900.13 (#1385637)
 - Release contains security fix for CVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693 (#1385516)
diff --git a/patch-libjasper-stepsizes-overflow.diff b/patch-libjasper-stepsizes-overflow.diff
deleted file mode 100644
index 097559f..0000000
--- a/patch-libjasper-stepsizes-overflow.diff
+++ /dev/null
@@ -1,14 +0,0 @@
---- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2007-01-19 22:43:07.000000000 +0100
-+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2007-04-06 01:29:02.000000000 +0200
-@@ -982,7 +982,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
- compparms->numstepsizes = (len - n) / 2;
- break;
- }
-- if (compparms->numstepsizes > 0) {
-+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
-+ jpc_qcx_destroycompparms(compparms);
-+ return -1;
-+ } else if (compparms->numstepsizes > 0) {
- compparms->stepsizes = jas_malloc(compparms->numstepsizes *
- sizeof(uint_fast16_t));
- assert(compparms->stepsizes);
diff --git a/sources b/sources
index 0ab0692..d872fa0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2436b251a38155308e83a4c752bb10b6 jasper-1.900.13.tar.gz
+979fd58a439ccaba8eb3b806d7e6a87e jasper-1.900.28.tar.gz
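Review bot: The `%changelog` entry added in jasper.spec records the rebase, CVE-2016-9262 and the soname change, but not the four downstream patch files this commit deletes, two of which are security fixes (`jasper-1.900.1-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch` and `patch-libjasper-stepsizes-overflow.diff`). Those patches carried the `numrlvls > JPC_MAXRLVLS` and `numstepsizes > 3 * JPC_MAXRLVLS + 1` bounds checks and the `sizeof(jpc_crgcomp_t)` allocation-size fix in jpc_cs.c, so the 1.900.28 tarball should be checked for equivalent code before they go, and the result recorded with a line such as `- Drop downstream CVE-2011-4516/CVE-2011-4517, stepsizes-overflow and Coverity patches (confirmed present in 1.900.28)`. No `Patch:` line changes in the visible spec hunks, so the files were presumably already unused by the build; the rest of the spec is outside this diff. In `%files libs`, going from `libjasper.so.1*` to `libjasper.so.4*` is a soname bump, so packages linked against libjasper presumably need a rebuild before the CVE-2016-9262 fix reaches them.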