diff -Nru jasper-1.900.1-debian1/debian/changelog jasper-1.900.1-debian1/debian/changelog
--- jasper-1.900.1-debian1/debian/changelog 2018-06-27 14:58:51.000000000 +0000
+++ jasper-1.900.1-debian1/debian/changelog 2021-01-08 14:30:59.000000000 +0000
@@ -1,3 +1,22 @@
+jasper (1.900.1-debian1-2.4ubuntu1.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: NULL pointer dereference
+ - debian/patches/CVE-2018-18873.patch: check components for RGB,
+ fixes NULL pointer deference in src/libjasper/ras/ras_enc.c.
+ - CVE-2018-18873
+ * SECURITY UPDATE: Null pointer dereference
+ - debian/patches/CVE-2018-19542-and-CVE-2017-9782.patch: fix numchans mixup,
+ NULL dereference in src/libjasper/jp2/jp2_dec.c.
+ - CVE-2018-19542
+ - CVE-2017-9782
+ * SECURITY UPDATE: Out of bounds write
+ - debian/patches/CVE-2020-27828.patch: avoid maxrlvls more
+ than upper bound to cause heap-buffer-overflow in
+ src/libjasper/jpc/jpc_enc.c.
+ - CVE-2020-27828
+
+ -- Leonidas Da Silva Barbosa Fri, 08 Jan 2021 11:19:23 -0300
+
 jasper (1.900.1-debian1-2.4ubuntu1.2) xenial-security; urgency=medium

 * SECURITY UPDATE: double-free in jasper_image_stop_load
diff -Nru jasper-1.900.1-debian1/debian/patches/CVE-2018-18873.patch jasper-1.900.1-debian1/debian/patches/CVE-2018-18873.patch
--- jasper-1.900.1-debian1/debian/patches/CVE-2018-18873.patch 1970-01-01 00:00:00.000000000 +0000
+++ jasper-1.900.1-debian1/debian/patches/CVE-2018-18873.patch 2021-01-08 14:18:42.000000000 +0000
@@ -0,0 +1,30 @@
+From 12db8078ba17a8ffc5cc2429fb506988f0f11b44 Mon Sep 17 00:00:00 2001
+From: Max Kellermann
+Date: Sun, 28 Jun 2020 13:25:12 +0200
+Subject: [PATCH] ras_enc: check components for RGB, fixes NULL pointer
+ dereference
+
+Fixes CVE-2018-18873
+
+Closes https://github.com/jasper-maint/jasper/issues/15
+Closes https://github.com/mdadams/jasper/issues/184
+---
+ src/libjasper/ras/ras_enc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/libjasper/ras/ras_enc.c b/src/libjasper/ras/ras_enc.c
+index 85ff9a3..dc4f151 100644
+--- a/src/libjasper/ras/ras_enc.c
++++ b/src/libjasper/ras/ras_enc.c
+@@ -232,6 +232,11 @@ static int ras_putdatastd(jas_stream_t *out, ras_hdr_t *hdr, jas_image_t *image,
+
+ assert(numcmpts <= 3);
+
++ if (RAS_ISRGB(hdr) && numcmpts < 3) {
++ /* need 3 components for RGB */
++ return -1;
++ }
++
+ for (i = 0; i < 3; ++i) {
+ data[i] = 0;
+ }
diff -Nru jasper-1.900.1-debian1/debian/patches/CVE-2018-19542-and-CVE-2017-9782.patch jasper-1.900.1-debian1/debian/patches/CVE-2018-19542-and-CVE-2017-9782.patch
--- jasper-1.900.1-debian1/debian/patches/CVE-2018-19542-and-CVE-2017-9782.patch 1970-01-01 00:00:00.000000000 +0000
+++ jasper-1.900.1-debian1/debian/patches/CVE-2018-19542-and-CVE-2017-9782.patch 2021-01-08 14:19:00.000000000 +0000
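Review bot: The upper bound on `numcmpts` in `ras_putdatastd` is still enforced only by `assert(numcmpts <= 3);`, which compiles away under `NDEBUG`, while the RGB check added right below it is a real runtime test. The visible loop clears exactly three `data[]` slots, so a component count above three would presumably index past them in a release build unless a caller rejects it first; that caller is not in the hunk. I would make the guard symmetric with the new one, e.g. `if (numcmpts > 3) { return -1; }`, and keep the assert only as documentation of the invariant. The function body starts before and continues past this hunk.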
@@ -0,0 +1,32 @@
+From 839b1bcf0450ff036c28e8db40a7abf886e02891 Mon Sep 17 00:00:00 2001
+From: Max Kellermann
+Date: Wed, 24 Jun 2020 21:21:46 +0200
+Subject: [PATCH] jp2_dec: fix `numchans` mixup
+
+When iterating over `dec->cdef->data.cdef.ents`, we need to use its
+`numchans` variable, not the one in `jp2_dec_t`.
+
+Fixes CVE-2018-19543
+Fixes CVE-2017-9782
+
+Closes https://github.com/jasper-maint/jasper/issues/13
+Closes https://github.com/jasper-maint/jasper/issues/18
+Closes https://github.com/mdadams/jasper/issues/140
+Closes https://github.com/mdadams/jasper/issues/182
+---
+ src/libjasper/jp2/jp2_dec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: jasper-1.900.1-debian1/src/libjasper/jp2/jp2_dec.c
+===================================================================
+--- jasper-1.900.1-debian1.orig/src/libjasper/jp2/jp2_dec.c
++++ jasper-1.900.1-debian1/src/libjasper/jp2/jp2_dec.c
+@@ -388,7 +388,7 @@ jas_image_t *jp2_decode(jas_stream_t *in
+
+ /* Determine the type of each component. */
+ if (dec->cdef) {
+- for (i = 0; i < dec->numchans; ++i) {
++ for (i = 0; i < dec->cdef->data.cdef.numchans; ++i) {
+ /* Is the channel number reasonable? */
+ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
+ jas_eprintf("error: invalid channel number in CDEF box\n");
diff -Nru jasper-1.900.1-debian1/debian/patches/CVE-2020-27828.patch jasper-1.900.1-debian1/debian/patches/CVE-2020-27828.patch
--- jasper-1.900.1-debian1/debian/patches/CVE-2020-27828.patch 1970-01-01 00:00:00.000000000 +0000
+++ jasper-1.900.1-debian1/debian/patches/CVE-2020-27828.patch 2021-01-08 14:19:16.000000000 +0000
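Review bot: The CVE identifiers attached to this fix do not agree: the upstream commit message in the patch header says `Fixes CVE-2018-19543`, while the patch file name and the debian/changelog entry record CVE-2018-19542. The same one-line change may close both, but that cannot be confirmed from this page, and tooling that keys on the changelog will only see the id written there, so the header and changelog should be reconciled once the mapping is confirmed. On the code itself, the loop bound and the `channo` check now deliberately use two different counters, which is exactly the confusion the commit fixes, so I would document it at the loop: `/* ents[] holds cdef.numchans entries; dec->numchans only bounds channo */`. `jp2_decode` continues beyond the hunk, so later uses of `ents[i]` are not reviewed here.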
@@ -0,0 +1,25 @@
+From 4cd52b5daac62b00a0a328451544807ddecf775f Mon Sep 17 00:00:00 2001
+From: yuan
+Date: Mon, 30 Nov 2020 19:03:20 +0800
+Subject: [PATCH] Avoid maxrlvls more than upper bound to cause
+ heap-buffer-overflow
+
+---
+ src/libjasper/jpc/jpc_enc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: jasper-1.900.1-debian1/src/libjasper/jpc/jpc_enc.c
+===================================================================
+--- jasper-1.900.1-debian1.orig/src/libjasper/jpc/jpc_enc.c
++++ jasper-1.900.1-debian1/src/libjasper/jpc/jpc_enc.c
+@@ -502,6 +502,10 @@ static jpc_enc_cp_t *cp_create(char *opt
+ break;
+ case OPT_MAXRLVLS:
+ tccp->maxrlvls = atoi(jas_tvparser_getval(tvp));
++ if(tccp->maxrlvls > JPC_MAXRLVLS) {
++ jas_eprintf("invalid number of resolution levels upper than %d\n",JPC_MAXRLVLS);
++ goto error;
++ }
+ break;
+ case OPT_SOP:
+ cp->tcp.csty |= JPC_COD_SOP;
diff -Nru jasper-1.900.1-debian1/debian/patches/series jasper-1.900.1-debian1/debian/patches/series
--- jasper-1.900.1-debian1/debian/patches/series 2018-06-27 11:48:32.000000000 +0000
+++ jasper-1.900.1-debian1/debian/patches/series 2021-01-08 14:30:37.000000000 +0000
@@ -30,3 +30,6 @@
 CVE-2016-10250.patch
 CVE-2017-6850.patch
 CVE-2017-1000050.patch
+CVE-2018-18873.patch
+CVE-2018-19542-and-CVE-2017-9782.patch
+CVE-2020-27828.patch
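Review bot: In the `OPT_MAXRLVLS` case of `cp_create` the new bound is tested only after the `atoi()` result has already been stored in `tccp->maxrlvls`, and only an upper limit is checked. The field's declaration is not in the hunk; if it is unsigned or narrower than `int`, a negative or oversized option value could be converted into the accepted range before the comparison runs, and `atoi()` gives no error indication for non-numeric input. I would validate the parsed value before storing it: `int lvls = atoi(jas_tvparser_getval(tvp));`, then `if (lvls < 0 || lvls > JPC_MAXRLVLS) {` with the existing error path, then `tccp->maxrlvls = lvls;`. A minimum may already be enforced later in `cp_create`, which continues outside the hunk.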