
Debian Bug report logs - #831814
lepton: CVE-2016-6234 CVE-2016-6235 CVE-2016-6236 CVE-2016-6237 CVE-2016-6238


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 19 Jul 2016 17:51:01 UTC

Severity: grave

Tags: security, upstream

Found in version lepton/1.0-2

Fixed in version lepton/1.2.1-1

Done: ChangZhuo Chen (陳昌倬) <czchen@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#831814; Package src:lepton. (Tue, 19 Jul 2016 17:51:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Tue, 19 Jul 2016 17:51:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lepton: CVE-2016-6234 CVE-2016-6235 CVE-2016-6236 CVE-2016-6237 CVE-2016-6238
Date: Tue, 19 Jul 2016 19:48:33 +0200
Source: lepton
Version: 1.0-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

Multiple issues were found in lepton. The CVE request was at
http://www.openwall.com/lists/oss-security/2016/07/17/1 referencing
https://github.com/dropbox/lepton/issues/26 (note to compile with
address sanitizer to reproduce the issues).

lepton got several CVEs assigned in the subsequent
http://www.openwall.com/lists/oss-security/2016/07/17/6

I'm not sure if current master fixes all the reported cases from #26.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#831814; Package src:lepton. (Fri, 22 Jul 2016 01:42:04 GMT)


Acknowledgement sent to ChangZhuo Chen (陳昌倬) <czchen@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 22 Jul 2016 01:42:04 GMT)


Message #10 received at 831814@bugs.debian.org:

From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 831814@bugs.debian.org
Subject: Re: [Pkg-phototools-devel] Bug#831814: lepton: CVE-2016-6234 CVE-2016-6235 CVE-2016-6236 CVE-2016-6237 CVE-2016-6238
Date: Fri, 22 Jul 2016 09:39:38 +0800
On Tue, Jul 19, 2016 at 07:48:33PM +0200, Salvatore Bonaccorso wrote:
> Source: lepton
> Version: 1.0-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Hi,
> 
> Multiple issues were found in lepton. The CVE request was at
> http://www.openwall.com/lists/oss-security/2016/07/17/1 referencing
> https://github.com/dropbox/lepton/issues/26 (note to compile with
> address sanitizer to reproduce the issues).
> 
> lepton got several CVEs assigned in the subsequent
> http://www.openwall.com/lists/oss-security/2016/07/17/6
> 
> I'm not sure if current master fixes all the reported cases from #26.

Hi,

I tested all samples in GitHub #26 and the error outputs change from
ASSERTION_FAILURE to UNSUPPORTED_JPEG in 1.2.1, so I think the issue is
solved in that version.


% lepton global_bof.jpeg
lepton v1.0-
header information is incomplete6556934 bytes needed to decompress this
file
::::BILL::::
EXP1_EDGE: 268435456.0 vs 0.0 = 0.0%
SIGN_EDGE: 268435456.0 vs 0.0 = 0.0%
EXP1_DC: 268435456.0 vs 0.0 = 0.0%
SIGN_DC: 268435456.0 vs 0.0 = 0.0%
Overall 7x7: 0.0 vs 0.0 = 0.0%
Overall Edge: 536870912.0 vs 0.0 = 0.0%
Overall DC: 536870912.0 vs 0.0 = 0.0%
Overall Misc: 0.0 vs 0.0 = 0.0%
Total: 1073741824.0 vs 0.0 = 0.0%
::::::::::::
ASSERTION_FAILURE
SHORT_READ%
% ~/src/debian/lepton/lepton global_bof.jpeg
lepton v1.0-
14882054 bytes needed to decompress this file
UNSUPPORTED_JPEG
SHORT_READ


-- 
ChangZhuo Chen (陳昌倬) <czchen@debian.org>
Debian Developer (https://nm.debian.org/public/person/czchen)
Key fingerprint = EC9F 905D 866D BE46 A896  C827 BE0C 9242 03F4 552D
                  BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B

Reply sent to ChangZhuo Chen (陳昌倬) <czchen@debian.org>:
You have taken responsibility. (Fri, 22 Jul 2016 17:27:51 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 22 Jul 2016 17:27:51 GMT)


Message #15 received at 831814-close@bugs.debian.org:

From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
To: 831814-close@bugs.debian.org
Subject: Bug#831814: fixed in lepton 1.2.1-1
Date: Fri, 22 Jul 2016 17:24:24 +0000
Source: lepton
Source-Version: 1.2.1-1

We believe that the bug you reported is fixed in the latest version of
lepton, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 831814@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <czchen@debian.org> (supplier of updated lepton package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 Jul 2016 00:43:13 +0800
Source: lepton
Binary: lepton
Architecture: source amd64
Version: 1.2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
Description:
 lepton     - tool to compress JPEGs losslessly
Closes: 831814 831897
Changes:
 lepton (1.2.1-1) unstable; urgency=medium
 .
   * New upstream release. Closes: #831814
   * Kill lepton after unit test to ensure no process leaves after build.
     Closes: #831897
   * Set architecture to i386 amd64 x32 due to SSE.
Checksums-Sha1:
 39a2e0a067889d05c3409d8e977ea01d80e4d89e 2027 lepton_1.2.1-1.dsc
 fe246da5d87a666bd69d3e4c19f3b80ccb5a9044 50226336 lepton_1.2.1.orig.tar.gz
 2ab3523ba372642debbdd1275a138141675ff03a 5488 lepton_1.2.1-1.debian.tar.xz
 357e122afcd7edd7f9c3f90364978e985ff058aa 1525772 lepton-dbgsym_1.2.1-1_amd64.deb
 76f6b04cda18a715f88058fb46558ea181a4063f 149396 lepton_1.2.1-1_amd64.deb
Checksums-Sha256:
 a49dcb17c352e7e4e413557a17b4260f99dd8f8f3bcf21d8988072c91781b571 2027 lepton_1.2.1-1.dsc
 c4612dbbc88527be2e27fddf53aadf1bfc117e744db67e373ef8940449cdec97 50226336 lepton_1.2.1.orig.tar.gz
 4d21ae6137be48217d922ee680b0e9c002458333731421e79f477dab07dff475 5488 lepton_1.2.1-1.debian.tar.xz
 6422bc0b984d7d8d774ea822cfd9098b218991668d998fa75abebdaf032e00d8 1525772 lepton-dbgsym_1.2.1-1_amd64.deb
 ea0d1cac132e26f631953f70c81319ebecf335de71545d4d73c1c16ad88139a7 149396 lepton_1.2.1-1_amd64.deb
Files:
 dc06bed90a5675ce2630f8a8d200d750 2027 graphics optional lepton_1.2.1-1.dsc
 79fad1d65eb68efed0222b1db4916429 50226336 graphics optional lepton_1.2.1.orig.tar.gz
 f281ca2f3cacae9fa5be7887179fe3ff 5488 graphics optional lepton_1.2.1-1.debian.tar.xz
 cb26ba11dd6d2475aad15478082a5b1b 1525772 debug extra lepton-dbgsym_1.2.1-1_amd64.deb
 100e4036def98e3002538099e8c7e827 149396 graphics optional lepton_1.2.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
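The .changes file in the close message above carries Checksums-Sha1, Checksums-Sha256 and Files stanzas, one line per artifact with digest, size and file name. The following is an added example, not part of this bug log and not Debian's own tooling (dscverify and friends do this for real): it parses those stanzas and checks a set of files against them, reporting a missing file, a size mismatch or a digest mismatch separately. The sample files and the .changes text are constructed inside the script, so the hashes are computed at run time rather than copied from the archive above. It assumes the PGP signature on the .changes has already been verified; hash checking only tells you the files match what the signer listed, not who the signer was.

```python
import hashlib

# Constructed sample artifacts standing in for what a .changes file lists.
# These are NOT the real lepton 1.2.1-1 files; their digests are computed below.
SAMPLE_FILES = {
    "example_1.2.1-1.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
    "example_1.2.1.orig.tar.gz": bytes(range(256)) * 4,
}

# Maps the digest algorithm to the .changes field that carries it.
FIELD_FOR_ALGO = {
    "sha1": "Checksums-Sha1",
    "sha256": "Checksums-Sha256",
    "md5": "Files",  # Files: lines carry MD5 plus section and priority
}


def build_changes(files):
    """Render a minimal .changes-style text (constructed input) whose
    checksum stanzas are computed from the given name -> bytes mapping."""
    sha1 = ["Checksums-Sha1:"]
    sha256 = ["Checksums-Sha256:"]
    md5 = ["Files:"]
    for name, data in files.items():
        size = len(data)
        sha1.append(f" {hashlib.sha1(data).hexdigest()} {size} {name}")
        sha256.append(f" {hashlib.sha256(data).hexdigest()} {size} {name}")
        md5.append(f" {hashlib.md5(data).hexdigest()} {size} graphics optional {name}")
    header = ["Format: 1.8", "Source: example", "Version: 1.2.1-1"]
    return "\n".join(header + sha1 + sha256 + md5) + "\n"


def parse_stanza(changes_text, field):
    """Return {filename: (hexdigest, size)} for one multi-line field.

    Debian control syntax: the field line is "Field:" on its own and every
    continuation line starts with a single space; the first line that is not
    indented ends the field. Checksums-* lines are "<digest> <size> <name>",
    Files: lines are "<md5> <size> <section> <priority> <name>", so the digest
    is always the first token and the name always the last."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break
            parts = line.split()
            digest, size, name = parts[0].lower(), int(parts[1]), parts[-1]
            entries[name] = (digest, size)
    return entries


def verify(changes_text, files, algo="sha256"):
    """Check name -> bytes against the stanza for `algo`.

    Returns {filename: "ok" | "missing" | "size mismatch" | "digest mismatch"}.
    The size is checked first so a truncated download is reported as such
    rather than as an opaque digest failure."""
    expected = parse_stanza(changes_text, FIELD_FOR_ALGO[algo])
    report = {}
    for name, (digest, size) in expected.items():
        data = files.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) != size:
            report[name] = "size mismatch"
        elif hashlib.new(algo, data).hexdigest() != digest:
            report[name] = "digest mismatch"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    changes = build_changes(SAMPLE_FILES)
    print(verify(changes, SAMPLE_FILES))          # every entry "ok"
    # Flip one bit in the tarball: same size, so only the digest check fires.
    tampered = dict(SAMPLE_FILES)
    blob = tampered["example_1.2.1.orig.tar.gz"]
    tampered["example_1.2.1.orig.tar.gz"] = blob[:-1] + bytes([blob[-1] ^ 1])
    print(verify(changes, tampered))              # tarball: "digest mismatch"
```

All three stanzas are parsed with the same routine; checking SHA-256 is what a consumer should rely on, and the MD5 in Files: is retained only because the format still carries it. The size column is compared before the digest so a short read on download is reported as a size mismatch rather than left to look like a corrupted or substituted file.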




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 29 Aug 2016 07:26:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:37:28 2019; Machine Name: buxtehude
