jasper CVE-2014-9029, CVE-2014-8137, CVE-2014-8138, CVE-2011-4516-and-CVE-2011-4517

jasper/PKGBUILD

@@ -1,46 +1,67 @@
 #
-# Platform Packages for Chakra, part of chakra-project.org
+# Platform Packages for Chakra, part of chakraos.org
 #
-# maintainer (i686): Phil Miller <philm[at]chakra-project[dog]org>
-# maintainer (x86_64): Manuel Tortosa <manutortosa[at]chakra-project[dot]org>
+# maintainer (x86_64): AlmAck <gluca86[at]gmail[dot]com>
 # contributor (x86_64): Giuseppe Calà <jiveaxe@gmail.com>
 
 pkgname=jasper
 pkgver=1.900.1
-pkgrel=6
+pkgrel=7
 pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard"
-arch=('i686' 'x86_64')
+arch=('x86_64')
 url="http://www.ece.uvic.ca/~mdadams/jasper/"
 license=('custom:JasPer2.0')
 depends=('libjpeg' 'freeglut' 'libxi' 'libxmu' 'mesa')
 makedepends=('unzip')
-options=('!libtool')
-source=(http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}.zip jpc_dec.c.patch
-        patch-libjasper-stepsizes-overflow.diff jasper-1.900.1-CVE-2008-3520.patch
-        jasper-1.900.1-CVE-2008-3522.patch)
-md5sums=('a342b2b4495b3e1394e161eb5d85d754' '36de7128eea6f701c1e2e13ce5bd8d37'\
-         '24785d8eb3eea19eec7e77d59f3e6a25' '911bb13529483c093d12c15eed4e9243'\
-         'ed441f30c4231f319d9ff77d86db2ef9')
-sha1sums=('9c5735f773922e580bf98c7c7dfda9bbed4c5191' 'c1a0176a15210c0af14d85e55ce566921957d780'\
-         'f298566fef08c8a589d072582112cd51c72c3983' '2483dba925670bf29f531d85d73c4e5ada513b01'\
-         '0e7b6142cd9240ffb15a1ed7297c43c76fa09ee4')
+source=("http://www.ece.uvic.ca/~mdadams/${pkgname}/software/${pkgname}-${pkgver}.zip"
+        jpc_dec.c.patch
+        patch-libjasper-stepsizes-overflow.diff
+        jasper-1.900.1-CVE-2008-3520.patch
+        jasper-1.900.1-CVE-2008-3522.patch
+        jasper-1.900.1-CVE-2014-9029.patch
+        jasper-1.900.1-CVE-2014-8137.patch
+        jasper-avoid-assert-abort.diff
+        jasper-1.900.1-CVE-2014-8138.patch
+        jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch
+        jasper-1.900.1-fix-filename-buffer-overflow.patch)
+md5sums=('a342b2b4495b3e1394e161eb5d85d754'
+         '36de7128eea6f701c1e2e13ce5bd8d37'
+         '24785d8eb3eea19eec7e77d59f3e6a25'
+         '911bb13529483c093d12c15eed4e9243'
+         'ed441f30c4231f319d9ff77d86db2ef9'
+         '82ad4b6391ad1c244e687846cac2210c'
+         '54d15ea7a5e7c7712d0a3a50c5173d2c'
+         '645a2d53b2e6b093c9d8ff54f9d2c887'
+         '1ec04bd2483a3ad2186b2178c237fd3b'
+         'c0e3ad1b78a79b4a76d24beff1dcc6cd'
+         '38403f9c82a18547beca16c9c6f4ce7a')
+
+prepare() {
+  cd ${pkgname}-${pkgver}
+
+  patch -p1 -i "${srcdir}/jpc_dec.c.patch"
+  patch -p1 -i "${srcdir}/patch-libjasper-stepsizes-overflow.diff"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3520.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2008-3522.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-9029.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8137.patch"
+  patch -p1 -i "${srcdir}/jasper-avoid-assert-abort.diff"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2014-8138.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch"
+  patch -p1 -i "${srcdir}/jasper-1.900.1-fix-filename-buffer-overflow.patch"
+}
 
 build() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
+  cd ${pkgname}-${pkgver}
 
-	patch -Np1 < "${srcdir}/jpc_dec.c.patch"
-	patch -Np1 < "${srcdir}/patch-libjasper-stepsizes-overflow.diff"
-	patch -Np1 < "${srcdir}/jasper-1.900.1-CVE-2008-3520.patch"
-	patch -Np1 < "${srcdir}/jasper-1.900.1-CVE-2008-3522.patch"
-
-	./configure --prefix=/usr --mandir=/usr/share/man --enable-shared
-	make
+  ./configure --prefix=/usr --mandir=/usr/share/man --enable-shared
+  make
 }
 
 package() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
+  cd ${pkgname}-${pkgver}
 
-	make DESTDIR="${pkgdir}" install
-	install -Dm644 LICENSE \
-		"${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+  make DESTDIR="${pkgdir}" install
+  install -Dm644 LICENSE \
+        "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 }

jasper/jasper-1.900.1-CVE-2011-4516-and-CVE-2011-4517.patch

@@ -0,0 +1,30 @@
+Description: Fix for CVE-2011-4516 and CVE-2011-4517
+ This patch fixes a possible denial of service and code execution via
+ heap-based buffer overflows.
+Author: Michael Gilbert <michael.s.gilbert@gmail.com>
+Origin: Patch thanks to Red Hat
+
+Index: jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
+===================================================================
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2011-12-19 09:35:34.186909298 -0500
++++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2011-12-19 09:35:51.198909832 -0500
+@@ -744,6 +744,10 @@
+ 		return -1;
+ 	}
+ 	compparms->numrlvls = compparms->numdlvls + 1;
++	if (compparms->numrlvls > JPC_MAXRLVLS) {
++		jpc_cox_destroycompparms(compparms);
++		return -1;
++	}
+ 	if (prtflag) {
+ 		for (i = 0; i < compparms->numrlvls; ++i) {
+ 			if (jpc_getuint8(in, &tmp)) {
+@@ -1331,7 +1335,7 @@
+ 	jpc_crgcomp_t *comp;
+ 	uint_fast16_t compno;
+ 	crg->numcomps = cstate->numcomps;
+-	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
++	if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
+ 		return -1;
+ 	}
+ 	for (compno = 0, comp = crg->comps; compno < cstate->numcomps;

jasper/jasper-1.900.1-CVE-2014-8137.patch

@@ -0,0 +1,43 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c	2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ 	return 0;
+ 
+ error:
+-	jas_icccurv_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ 	return 0;
+ error:
+-	jas_icctxtdesc_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ 		goto error;
+ 	return 0;
+ error:
+-	if (txt->string)
+-		jas_free(txt->string);
+ 	return -1;
+ }
+ 
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut8_destroy(attrval);
+ 	return -1;
+ }
+ 
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ 		goto error;
+ 	return 0;
+ error:
+-	jas_icclut16_destroy(attrval);
+ 	return -1;
+ }
+ 

jasper/jasper-1.900.1-CVE-2014-8138.patch

@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:06:26.000000000 +0100
+@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	/* Determine the type of each component. */
+ 	if (dec->cdef) {
+ 		for (i = 0; i < dec->numchans; ++i) {
++			/* Is the channel number reasonable? */
++			if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++				jas_eprintf("error: invalid channel number in CDEF box\n");
++				goto error;
++			}
+ 			jas_image_setcmpttype(dec->image,
+ 			  dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ 			  jp2_getct(jas_image_clrspc(dec->image),

jasper/jasper-1.900.1-CVE-2014-9029.patch

@@ -0,0 +1,29 @@
+--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2014-11-27 12:45:44.000000000 +0100
++++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c	2014-11-27 12:44:58.000000000 +0100
+@@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
+ 	jpc_coc_t *coc = &ms->parms.coc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, coc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in COC marker segment\n");
+ 		return -1;
+ 	}
+@@ -1307,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
+ 	jpc_rgn_t *rgn = &ms->parms.rgn;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
++	if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in RGN marker segment\n");
+ 		return -1;
+ 	}
+@@ -1356,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
+ 	jpc_qcc_t *qcc = &ms->parms.qcc;
+ 	jpc_dec_tile_t *tile;
+ 
+-	if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
++	if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
+ 		jas_eprintf("invalid component number in QCC marker segment\n");
+ 		return -1;
+ 	}

jasper/jasper-1.900.1-fix-filename-buffer-overflow.patch

@@ -0,0 +1,37 @@
+Description: Filename buffer overflow fix
+ This patch fixes a security hole by a bad buffer size handling.
+Author: Roland Stigge <stigge@antcom.de>
+Bug-Debian: http://bugs.debian.org/645118
+
+--- a/src/libjasper/include/jasper/jas_stream.h
++++ b/src/libjasper/include/jasper/jas_stream.h
+@@ -77,6 +77,7 @@
+ #include <jasper/jas_config.h>
+ 
+ #include <stdio.h>
++#include <limits.h>
+ #if defined(HAVE_FCNTL_H)
+ #include <fcntl.h>
+ #endif
+@@ -99,6 +100,12 @@ extern "C" {
+ #define O_BINARY	0
+ #endif
+ 
++#ifdef PATH_MAX
++#define JAS_PATH_MAX PATH_MAX
++#else
++#define JAS_PATH_MAX 4096
++#endif
++
+ /*
+  * Stream open flags.
+  */
+@@ -251,7 +258,7 @@ typedef struct {
+ typedef struct {
+ 	int fd;
+ 	int flags;
+-	char pathname[L_tmpnam + 1];
++	char pathname[JAS_PATH_MAX + 1];
+ } jas_stream_fileobj_t;
+ 
+ #define	JAS_STREAM_FILEOBJ_DELONCLOSE	0x01

jasper/jasper-avoid-assert-abort.diff

@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c	2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	case JP2_COLR_ICC:
+ 		iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ 		  dec->colr->data.colr.iccplen);
+-		assert(iccprof);
++		if (!iccprof) {
++			jas_eprintf("error: failed to parse ICC profile\n");
++			goto error;
++		}
+ 		jas_iccprof_gethdr(iccprof, &icchdr);
+ 		jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ 		jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));