authorJustin Lecher <jlec@gentoo.org>2015-01-04 18:18:44 +0000
committerJustin Lecher <jlec@gentoo.org>2015-01-04 18:18:44 +0000
commit2342a2c37ca8d7111e1d112a5f1c2e23828bf72b (patch)
tree47ab72818012dcce16a983425c7aa1f12477c2ed /media-libs/jasper
parentversion bump, drop old (diff)
media-libs/jasper: Import fixes for CVE-2014-8137/8 from fedora, #533744
Package-Manager: portage-2.2.15/cvs/Linux x86_64 Manifest-Sign-Key: 0xB9D4F231BD1558AB!
Diffstat (limited to 'media-libs/jasper')
-rw-r--r--media-libs/jasper/ChangeLog10
-rw-r--r--media-libs/jasper/Manifest33
-rw-r--r--media-libs/jasper/files/jasper-CVE-2014-8137.patch57
-rw-r--r--media-libs/jasper/files/jasper-CVE-2014-8138.patch14
-rw-r--r--media-libs/jasper/jasper-1.900.1-r8.ebuild52
5 files changed, 149 insertions, 17 deletions
diff --git a/media-libs/jasper/ChangeLog b/media-libs/jasper/ChangeLog
index 70d96dc7227c..c028cd5af2aa 100644
--- a/media-libs/jasper/ChangeLog
+++ b/media-libs/jasper/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for media-libs/jasper
-# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/jasper/ChangeLog,v 1.104 2014/12/26 10:40:05 jlec Exp $
+# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/jasper/ChangeLog,v 1.105 2015/01/04 18:18:17 jlec Exp $
+
+*jasper-1.900.1-r8 (04 Jan 2015)
+
+ 04 Jan 2015; Justin Lecher <jlec@gentoo.org> +jasper-1.900.1-r8.ebuild,
+ +files/jasper-CVE-2014-8137.patch, +files/jasper-CVE-2014-8138.patch:
+ Import fixes for CVE-2014-8137/8 from fedora, #533744
26 Dec 2014; Justin Lecher <jlec@gentoo.org> -jasper-1.900.1-r6.ebuild:
Drop vulnerable version
diff --git a/media-libs/jasper/Manifest b/media-libs/jasper/Manifest
index b224d6a9ca19..817df42a14fe 100644
--- a/media-libs/jasper/Manifest
+++ b/media-libs/jasper/Manifest
@@ -4,29 +4,32 @@ Hash: SHA512
AUX CVE-2011-4516+7.patch 1000 SHA256 4c8973cd8f46aabdccfab850b9fdbda0cc44b443a7fb9d22530b3725ca8e7eef SHA512 00e4b51becb6aed5e98d5e69146232e352a75fc97b5aa1958c2d5e3e27f09a87c7488b1a2b28f98388b4c700568241493e107e7506067eb82121dcab7e09bdb4 WHIRLPOOL 664404ba7488ddd4d2f4cfd90baad0a66ebd318a5110354a98cf5454dab7b3f01c56aff33c31d8ae5fce979b99c8eb2159b3636920656dc8c571fc55620e61eb
AUX jasper-1.701.0-GL-ac.patch 487 SHA256 f0c1794cca1fbee9f7a97f3b47b2a98250cb619526b3c7377b0958fb31b08bd7 SHA512 6f5aef3aba774308720deb5f844681c882d062b317196bdbc81499dd7f9d6fd380b849da3dc5d3b6699940c0090c23eaed43aff4e1aa28bca3e293970243afad WHIRLPOOL 09a905d0db771356976f67df8b049ef045f85062ba1f753b5f5921a8c8be3daefbe5addf2a496ef55fd68cf94a4348a4c2f9de6e84eef3b63860d51d3f95e147
AUX jasper-1.701.0-GL.patch 553 SHA256 b99a48047f5ac8b8f8db4147a6938b8f918e0f671b76f8d17dc7068fda74d282 SHA512 6038d0a7fc3c3fb288d38eb7d87373aef15365dc2f11d4e985a30f4ba3e669238182f6fcad62e126d66ce51d9f255ec287919af17de0f2c28440c15e01d73994 WHIRLPOOL a460190fa4e20ed25143e649d197f3df67bcc372e55febbebbdea39b25f878036b5af9e2411383807d24fe58c07e997990e006d08d1126619f785c0b0258eec1
+AUX jasper-CVE-2014-8137.patch 1547 SHA256 27350b9a72067e0325464b1e51f0fcab2701db26c918d82aac977dc345a02999 SHA512 b689b8fdc3dfa7f7ffcb9d7e94c7eb8d11127adf55e2f67cb2311fe1495eb7a4a234e34bc50315059b85a257b083670a383a7cc751705fcacc49727c11152510 WHIRLPOOL 514aaa7803ef7861b42374c4590740a34a768747e67c9e089b698b0a73750f8d5ff8c2dfc1a322b00797757c44eb81ada97d7949fb454ec2247114c100ff7adc
+AUX jasper-CVE-2014-8138.patch 682 SHA256 597966eabef1eeb4155415352cee37492def0abb09349e1764ae92645f3a20c1 SHA512 ae9d1c85688f7711a5cd7765988e85c64bf5413dede80aa8c860caa505c079d6975410ccb3b0e18c65d84624226c5e12667bb7613a91e3856dab4f99483c2956 WHIRLPOOL c4e63768afc72cb63bef7136b7d0b6e803b582f698210668ed47ac601b375c729e27bffad906739dfe02fe2f2615ca553dddb5c53a5ec084c086f6a292debd3e
AUX jasper-CVE-2014-9029.patch 1116 SHA256 a43747e7597a2a5108befd4acd31a582101a66096a752e61de853bc860d2a8e1 SHA512 20bac10654ea1b16d741bcc71ca91e484c4238cb285f551a19b1bac4c4cf8ec39bc33f8d3c42dbadd03e85eb667a8e286f208e9b20a5b39429bf8e4454bd9b16 WHIRLPOOL 63244c1a4601de0c3ddcee00edc259062f1effa5e58180ac7e207e8ff71bb019990de6abe4cb1cdefb41dded1a96380aa0dd7bb46f729000c57c1e04abea9bb0
AUX jasper-pkgconfig.patch 1691 SHA256 325003c739023264f368db2ce30598038706f45a8ec8a5a1f81fa855496e0ed1 SHA512 3cb1fe20b34e46c2d04f17eac6e1831d226368e4a7037be8324eb469b0217e1ad0520bb9d321a0f7c510828ca8505c4c42d4c54045606d0e9f2dad81c8ee21eb WHIRLPOOL 13e97b718827a712a4ee65162e6adafec1672fd9f96e8d773124b91e43c4571d5ab0975802fbf44d10fa2d4f9a895ff1fbd6adeaf817c7e70cfa08198c9425cf
DIST jasper-1.900.1-fixes-20120611.patch.bz2 26303 SHA256 8727c94843f141c311be54eed97eca18f96542f52b991df6f7d4f005bad2ec59 SHA512 36ec1735a89008fa6be16698f78ca5ec52d4ef34f10653ba3bf081c665c4e2d747cdbd7bfc0d56859ad4dc0fac166cf08248336d25d3ba8e7feb57e65d5c5ef6 WHIRLPOOL 341639dc208c44eefb18d14b16bc74591989e4ec0bf6426bee1ed161f1c997a23dad487ac821f2bf8e1ae16ae74d6174dce39a913b44b4e24628a7a1510395a7
DIST jasper-1.900.1.zip 1415752 SHA256 6b905a9c2aca2e275544212666eefc4eb44d95d0a57e4305457b407fe63f9494 SHA512 e3a3c803de848b50482f5bd693b1945197c6999285226c45b671855734d7bb2611fbe6f28cd8ba9c56a4ea59417795eba42d72516c9fec93b8fbaa21b8210cb6 WHIRLPOOL cd53901537bb8d32706e82326bf01f7f960af5172e2da738d1fcc9c5a4087829210a177d3df96617cf289e5db8ec97e06aa6cd60ada3b887db65418b90e9a86b
EBUILD jasper-1.900.1-r7.ebuild 1520 SHA256 cd0525c99b1858368b55e65c473ac462cd9a72be1d4f01caf9f4c26c5c7b6bda SHA512 11ae0d94b763106275d4ba29157ff237cd758fc149c2f5dac46fa338364154c6ef200f3d2f15670f12574fdf7ec91b253e699a9f09945ad4491f26f045d55a2d WHIRLPOOL bbda3ea0765d09cb17ea1e38f49697751d07ba5acc0627a2513a04b6a44857b4cd6c57a10a8f7bf4ff96d573f19ed93d1ecbe6975b60c3bb0257cd998d20890c
-MISC ChangeLog 12915 SHA256 c48c83391f5390c299083c621a84fe4be6319fd23f079153e186dbd9b62e7dce SHA512 2d93ecf31ebfc9b796b9a614169c212e2dfd27f7d25b4f431032e83350e9a5187d27c4a57c65a0c00c50d66db7dc2438ba1f82121b2bb45626169f21b35789fc WHIRLPOOL 7dc967a8afcbd1462eae19ce4ff3762c52646ed190583b6cd37680016f4956bc3df13bd29ecc8cc7735d2aba42fcb69ff91bc3746c29a967d48e331a4f995b2a
+EBUILD jasper-1.900.1-r8.ebuild 1611 SHA256 beac2d1312071b38871e2ead1782879a3ec339d658b8deb6a7df08b828f01b13 SHA512 d067027ccd85e3c741471c302a6307ccdf9240e0db4c80305b6e01163fd424d353674dd7b3607091a84a4031084fba0683931f5f93373f02b84730034884432c WHIRLPOOL be27991bbbc280367bb4c514c834b0ace8d3dc5ecc7686fa1a6321ad11d4b9bf51e1f77b7b2be54fd0eae971832fd3a29666c11102d5163d27360326bd6ce461
+MISC ChangeLog 13152 SHA256 d3ed3b16726451c3693ad70dbd36f6bf6466ba6d85a91b796ab17b53b5347f8d SHA512 bc4d6b580513b40be649c296d3fb07cbb77f2dc3377396c8d39629a6a96cc2d9a0888f790afb40e39bff2c2e079edc45175337c49e294f68b651f04ab02c74ff WHIRLPOOL 878e3b144fdc3b3b32e0489682752696895aa9861e383fb109cecf3d5674ecd8be356474f7fbe9e046973693c39fe2df66f9386b83eb06d2900c954a55d011aa
MISC metadata.xml 158 SHA256 dae7918daac89b300804812d32584889aa1c4e8b9edeced06006900494457a6d SHA512 e4901a5df84502b46aa85ec01804ce680332cebe6148e4a9c8201a38935ee0d4a753bcdb3f18765b06019926a05bf099c0ed61395aa98211610ab7fdb8d7f895 WHIRLPOOL 2f12466ef66cc7b89ec428cd4b498b20f12ca6dbb219f180ac12985dfc4195882ea95809797828a720fe69a0e560d12de9c271f8aacaa06fba09c9c1ccd589e5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0
-iQJ8BAEBCgBmBQJUnTtSXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
+iQJ8BAEBCgBmBQJUqYSaXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQyQ0JDQjFGMzBDQ0UxMjFGNENDNDgxMDdC
-OUQ0RjIzMUJEMTU1OEFCAAoJELnU8jG9FVirNAIP/0Tq1DA260QoljO2JtzfQ4n0
-wqJfWZCaaVh0BaePG2urrm6OTRwq8dSuiHROcOinEJJvzGADbSNqF2bScJJpqsTG
-Hq32TxaVTWwbn+qqE3yUHYuShnf+6UtUDbYWktoh9jlVU+udEZ8/eC/DIEp4HT8t
-Eyg9UhH2d4QTYatcR070By/jL4rZopfhVK9dCfJz98t4cEqiKgWNy2psDvPcDJBI
-nJzO2H5kCBrYPePIB7Zff2G/+/2zR585lfcHyTkDbaVJaUEOx1YbPSYkvpxvogDq
-cSpp5Jyxk1chICzfxfENnlCGyExHSQZtrIHuRdDoCIDyf01ZXX/g2gVYd/zIKOAG
-u9IVjsqovv5NrilUNzTSnyQ9ntMQc3CRYmZQ4M3G/GT9+PNkcCnzRmi7Tg7FIG+X
-GrlKGT4IUbxoGGuEH1ZSGGETtvhlTQUh0ZHmgNAU6GRw7wxMxEiYGcESmPtFH6P3
-ECUaw5r8Rk9KKz/doWgUxtULuAwlX1zJkP//e2m5weqoYtUFofOQjAQb1VX1nPjh
-sQShS30Tq8QIdy2G4prPXy33kpDa6yxB1gf9p0TSE+Nas0Jn2Y8Q2gi2DNmcRv8g
-3dfdZsRLMK/WV1kWq+Ww0IOAVpm5ZmfDVAjC5NWQ+mZCuH/SEPtUtqQcol3qk8fg
-EU2eayBp2I1Ff8DETf8I
-=6sws
+OUQ0RjIzMUJEMTU1OEFCAAoJELnU8jG9FVirL8QP/1YXuLzNOXb7SFko140LHr0T
+B80C66VbE8RqkNhSTuUsLBZKcCZK+NBUetL3AVAYaBZV+CUDNalh6/bLbThFqdvY
+vsnKaAW0szXK0zG+wYuRcc6tqZDIkPrELxje1eVU1M1v5QOGsmyeShJAvUatb46m
+6a2vzAs1IDMELgKixIYVynUV+y7tTmuV5QaA4sa2G/W/oLlFfxZOgFjskJ3IoCDn
+Mi+w66xV/qCtjsQMzN+3ARIrCiz+6xTp2jeQb994xo3szHfG6kKGaHbAaa/5Di77
+YIyN4XePIDyZv8RVzew3ELY3zwCiEo4JwzRz08SDX7ZbY47Dz1Ml8XD50I/cstbH
+lqU3G6Qn13HN3IERx3esRtehZ4+C+dCKGegAhKp5IwxfLVes/9ZGe4+vNpSXFc2c
+t76xRogZYMsBNEnpT7aLgNq1AeV0IXInEOaKofOSBL70tKaWHaL6BRR3/1PmPzKY
+6RhUDQhrt+qGyKqx+wzQXlb3nRNQT1SdoDWWyRFWBnSyF90OlsIJgppCpEZgC179
+CjDSxFIpQiiF9ueYTO0ASaEYhZ115EBH4BWiMfabD00wc0XVjTku7DJTnhnXcEWL
+r2DxfscMZyYEtbaSaMmYWalyMXYdpsUt4JJjhgW8+hZlsPiIh6mh8/qXZqXJlh2U
++yiqZG7ceBV98SsEqiNN
+=9JX8
-----END PGP SIGNATURE-----
diff --git a/media-libs/jasper/files/jasper-CVE-2014-8137.patch b/media-libs/jasper/files/jasper-CVE-2014-8137.patch
new file mode 100644
index 000000000000..9600cd3231de
--- /dev/null
+++ b/media-libs/jasper/files/jasper-CVE-2014-8137.patch
@@ -0,0 +1,57 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ return 0;
+
+ error:
+- jas_icccurv_destroy(attrval);
+ return -1;
+ }
+
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ return 0;
+ error:
+- jas_icctxtdesc_destroy(attrval);
+ return -1;
+ }
+
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ goto error;
+ return 0;
+ error:
+- if (txt->string)
+- jas_free(txt->string);
+ return -1;
+ }
+
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ goto error;
+ return 0;
+ error:
+- jas_icclut8_destroy(attrval);
+ return -1;
+ }
+
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ goto error;
+ return 0;
+ error:
+- jas_icclut16_destroy(attrval);
+ return -1;
+ }
+
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ case JP2_COLR_ICC:
+ iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ dec->colr->data.colr.iccplen);
+- assert(iccprof);
++ if (!iccprof) {
++ jas_eprintf("error: failed to parse ICC profile\n");
++ goto error;
++ }
+ jas_iccprof_gethdr(iccprof, &icchdr);
+ jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
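Review bot: The five `error:` labels in jas_icc.c now return -1 without releasing anything, so each parser relies on its caller destroying `attrval` after a failed input call. That caller is not part of this patch, so it should be confirmed that it does; otherwise what is presumably the double free behind this CVE is traded for a leak on every malformed ICC profile. In `jas_icctxt_input` in particular, `txt->string` is left holding whatever was allocated, which is only safe if the caller's destroy path frees it exactly once. The patch file also carries no provenance, and a leading comment above the first `---` line, such as `Fix ICC attribute parser error paths (CVE-2014-8137); imported from Fedora, Gentoo bug #533744`, would let a later audit match it to its origin. All six patched functions start and end outside the inner hunks shown.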
diff --git a/media-libs/jasper/files/jasper-CVE-2014-8138.patch b/media-libs/jasper/files/jasper-CVE-2014-8138.patch
new file mode 100644
index 000000000000..5aaf8abb1d5e
--- /dev/null
+++ b/media-libs/jasper/files/jasper-CVE-2014-8138.patch
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100
+@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ /* Determine the type of each component. */
+ if (dec->cdef) {
+ for (i = 0; i < dec->numchans; ++i) {
++ /* Is the channel number reasonable? */
++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++ jas_eprintf("error: invalid channel number in CDEF box\n");
++ goto error;
++ }
+ jas_image_setcmpttype(dec->image,
+ dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ jp2_getct(jas_image_clrspc(dec->image),
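Review bot: The added test bounds `channo`, but the loop still reads `dec->cdef->data.cdef.ents[i]` for every `i < dec->numchans`, so a CDEF box that declares fewer entries than the image has channels would be read past the end of `ents` before the new check runs. If the CDEF structure records its own entry count (in JasPer this is believed to be `data.cdef.numchans`; confirm against jp2_cod.h), the loop should be bounded by it: `for (i = 0; i < dec->cdef->data.cdef.numchans; ++i) {`. The comparison also assumes `channo` is an unsigned type, since a negative value would pass `>= dec->numchans` only after conversion; the field's declaration is worth checking. jp2_decode starts and ends outside this hunk.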
diff --git a/media-libs/jasper/jasper-1.900.1-r8.ebuild b/media-libs/jasper/jasper-1.900.1-r8.ebuild
new file mode 100644
index 000000000000..b3e32ae7b1a9
--- /dev/null
+++ b/media-libs/jasper/jasper-1.900.1-r8.ebuild
@@ -0,0 +1,52 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/jasper/jasper-1.900.1-r8.ebuild,v 1.1 2015/01/04 18:18:17 jlec Exp $
+
+EAPI=5
+
+# outdated './configure': breaks in 'USE=opengl ABI_X86="32 64"' case:
+# uses /usr/lib64 for 32-bit ABI.
+AUTOTOOLS_AUTORECONF=yes
+
+inherit autotools-multilib
+
+DESCRIPTION="software-based implementation of the codec specified in the JPEG-2000 Part-1 standard"
+HOMEPAGE="http://www.ece.uvic.ca/~mdadams/jasper/"
+SRC_URI="
+ http://www.ece.uvic.ca/~mdadams/${PN}/software/${P}.zip
+ mirror://gentoo/${P}-fixes-20120611.patch.bz2"
+
+LICENSE="JasPer2.0"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~x64-solaris ~x86-solaris"
+IUSE="jpeg opengl static-libs"
+
+RDEPEND="
+ jpeg? ( >=virtual/jpeg-0-r2:0[${MULTILIB_USEDEP}] )
+ opengl? (
+ >=virtual/opengl-7.0-r1:0[${MULTILIB_USEDEP}]
+ >=media-libs/freeglut-2.8.1:0[${MULTILIB_USEDEP}]
+ virtual/glu
+ )"
+DEPEND="${RDEPEND}
+ app-arch/unzip"
+
+PATCHES=(
+ "${WORKDIR}"/${P}-fixes-20120611.patch
+ "${FILESDIR}"/${PN}-1.701.0-GL-ac.patch
+ "${FILESDIR}"/${PN}-1.701.0-GL.patch
+ "${FILESDIR}"/${PN}-CVE-2014-9029.patch
+ "${FILESDIR}"/${PN}-CVE-2014-8137.patch
+ "${FILESDIR}"/${PN}-CVE-2014-8138.patch
+ "${FILESDIR}"/${PN}-pkgconfig.patch
+ )
+
+DOCS=( NEWS README doc/. )
+
+src_configure() {
+ local myeconfargs=(
+ $(use_enable jpeg libjpeg)
+ $(use_enable opengl)
+ )
+ autotools-multilib_src_configure
+}