author | Francesco Colista <fcolista@alpinelinux.org> | 2017-08-07 12:59:38 +0000 |
---|---|---|
committer | Francesco Colista <fcolista@alpinelinux.org> | 2017-08-07 12:59:38 +0000 |
commit | cf17d6fc9fa94f652d8a1582d77d32ed03407167 (patch) | |
tree | 415797ef61360bac8b5cf07c7243cb3f2d788446 | |
parent | 51070ff952c1adf89a89b3724e439af394ef5be8 (diff) |
main/jasper: security fix CVE-2017-1000050. Fixes #7576
-rw-r--r-- | main/jasper/APKBUILD | 17 | ||||
-rw-r--r-- | main/jasper/CVE-2017-1000050.patch | 16 |
2 files changed, 29 insertions, 4 deletions
diff --git a/main/jasper/APKBUILD b/main/jasper/APKBUILD index 8e93a6cdcc2..aea63dc5b42 100644 --- a/main/jasper/APKBUILD +++ b/main/jasper/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=jasper pkgver=1.900.1 -pkgrel=12 +pkgrel=13 pkgdesc="A software-based implementation of the codec specified in the emerging JPEG-2000 Part-1 standard" url="http://www.ece.uvic.ca/~mdadams/jasper/" arch="all" @@ -24,9 +24,15 @@ source="http://www.ece.uvic.ca/~mdadams/$pkgname/software/$pkgname-$pkgver.zip CVE-2016-1577.patch CVE-2016-2089.patch CVE-2016-2116.patch + CVE-2017-1000050.patch " _builddir="$srcdir"/$pkgname-$pkgver + +# secfixes: +# 1.900.1-r13 +# - CVE-2017-1000050 + prepare() { cd "$_builddir" for i in $source; do @@ -78,7 +84,8 @@ f386c336808e8fc840c8a5cb7fcc5902 CVE-2014-8137.patch 78d55c9411bdca5250581a21b19a89c7 CVE-2015-5203.patch 579f318c6809644b99441cd595541c15 CVE-2016-1577.patch 45d6048316ff5fda476b2f4df0da4c44 CVE-2016-2089.patch -36f603ee5922419f869f3bbb3ab453b3 CVE-2016-2116.patch" +36f603ee5922419f869f3bbb3ab453b3 CVE-2016-2116.patch +0476c6c99c4cbccd24903a194981c052 CVE-2017-1000050.patch" sha256sums="6b905a9c2aca2e275544212666eefc4eb44d95d0a57e4305457b407fe63f9494 jasper-1.900.1.zip fca9c4bddc284d6c59845e5b80adfd670e79c945f166d9624b117c6db0c10492 jpc_dec.c.patch e454f0fb1b994535ca02fa2468aa39ff153a78f3688db3808b6e953c44890e41 libjasper-stepsizes-overflow.patch 
@@ -93,7 +100,8 @@ a43747e7597a2a5108befd4acd31a582101a66096a752e61de853bc860d2a8e1 CVE-2014-9029.
 7c73cdcca60a7ddffe4d5fe010d3f200870a8719dda571f578e7f437b7c8d6d0 CVE-2015-5203.patch
 61bfc92b85f3fad4318e7268e422c9212b88178bc315826d9ed14c563750c262 CVE-2016-1577.patch
 331eb8361e028ce0479d5a1065fa74e348dea6d1d8982236697c098882917b21 CVE-2016-2089.patch
-e6d63d42c92769ba3a943367798c4a5a542b1c872fbe439cf5bc59f8468210bd CVE-2016-2116.patch"
+e6d63d42c92769ba3a943367798c4a5a542b1c872fbe439cf5bc59f8468210bd CVE-2016-2116.patch
+3a0661f016e3f16071f5c8fb95b620bf3e31298103219753c6230a164a9767ec CVE-2017-1000050.patch"
 sha512sums="e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6 jasper-1.900.1.zip
 c449c0a405f589135b384bc284508bfdd2a29b7bb94b806b960ce72238aa5789cc11fa7d704463ebda9a1384d8d085c603180f7b419e25a91d304b447708b82c jpc_dec.c.patch
 bafdd22b8214e2993c0a61c06c27b11b4eef68db2e9c6d8786dd54dfae92e685094b66ad6c899d19df9f0f85d3aa4fe35152dd773c5bd9a1e8453ccf8518c799 libjasper-stepsizes-overflow.patch
@@ -108,4 +116,5 @@ ae9d1c85688f7711a5cd7765988e85c64bf5413dede80aa8c860caa505c079d6975410ccb3b0e18c
 911c813308af2cf0697b462e70bcb888a9e9a61399cbd0a6911133c3edd69ac50ddd57523c139080578373bceda1aa23af8ca979668f911785037250c7afcca1 CVE-2015-5203.patch
 c953cadf37b21b80b313846bb3d0ececb25e3269d02cc8cc15d8a95587fcd8d0944f23d2b7d0a82b2242ea7c46993ea0b6ba33e885363d6484eeef51e5173116 CVE-2016-1577.patch
 7ca676a2bcdf17c140e31286cd704c288201e29e77dc698bbcbbd10d7a51bf95d10dae2ddcbe70e4701440a9bd3fd34ce2042579f568418de3be380c038a39ad CVE-2016-2089.patch
-f6506e712911df55d2f2891a4036e6baa5db468a6345657b0115c9873494e5390a94a4efb204686fd9d44fc915a6e02d0882b1679889d7e6539cabbf953d6f64 CVE-2016-2116.patch"
+f6506e712911df55d2f2891a4036e6baa5db468a6345657b0115c9873494e5390a94a4efb204686fd9d44fc915a6e02d0882b1679889d7e6539cabbf953d6f64 CVE-2016-2116.patch
+2851d1cd7ed372cde5f9d6d6610e2c5507f5a8d571b1db9fc9afce64a1b35a78776d547b8281da770ab4d2f20c2e87cde989a16c17017c80ab12eedd8164cbb8 CVE-2017-1000050.patch"
diff --git a/main/jasper/CVE-2017-1000050.patch b/main/jasper/CVE-2017-1000050.patch
new file mode 100644
index 00000000000..9a6a611e6d3
--- /dev/null
+++ b/main/jasper/CVE-2017-1000050.patch
@@ -0,0 +1,16 @@
+diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c
+index 9a5e106..af4d9a4 100644
+--- a/src/libjasper/jp2/jp2_enc.c
++++ b/src/libjasper/jp2/jp2_enc.c
+@@ -115,6 +115,11 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
+ iccstream = 0;
+ iccprof = 0;
+
++ if (jas_image_numcmpts(image) < 1) {
++ jas_eprintf("image must have at least one component\n");
++ goto error;
++ }
++
+ allcmptssame = 1;
+ sgnd = jas_image_cmptsgnd(image, 0);
+ prec = jas_image_cmptprec(image, 0); |
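Review bot: The new guard in jp2_encode() leaves through `goto error`, but the `error:` label and the initialisation of whatever it releases are outside this hunk, so the fix is only as safe as the place where the hunk lands. The embedded patch was cut from a git tree (`index 9a5e106..af4d9a4`) while the package is pinned to `pkgver=1.900.1`, so it is worth confirming that it applies in `prepare()` without fuzz or offset. The guard needs to sit after every pointer the cleanup path frees has been zeroed and before the `jas_image_cmptsgnd(image, 0)` read of component 0. The patch file also carries no provenance header; I would add comment lines above the inner `diff --git` line, for example `Upstream: <upstream commit URL>`, so the `# secfixes:` entry can be audited against its source later.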