aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrancesco Colista <fcolista@alpinelinux.org>2017-09-21 08:18:29 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2017-09-21 08:18:29 +0000
commit9513e587b007defbb6ef3590945ff49cbd73a270 (patch)
treef59e4e8fc09d834b5cf11006eab3fc6d7c8df40f
parent31f54779460bab8576eb569250b8543dca14ba6f (diff)
downloadaports-9513e587b007defbb6ef3590945ff49cbd73a270.tar.bz2
aports-9513e587b007defbb6ef3590945ff49cbd73a270.tar.xz
main/openjpeg: security fixes
- CVE-2017-14040 - CVE-2017-14041 - CVE-2017-14151 - CVE-2017-14152 - CVE-2017-14164 Fixes partially #7825. Not yet fixed CVE-2017-14039 since patch is not available for 2.2.0
-rw-r--r--main/openjpeg/APKBUILD23
-rw-r--r--main/openjpeg/CVE-2017-14040.patch80
-rw-r--r--main/openjpeg/CVE-2017-14041.patch22
-rw-r--r--main/openjpeg/CVE-2017-14151.patch43
-rw-r--r--main/openjpeg/CVE-2017-14152.patch35
-rw-r--r--main/openjpeg/CVE-2017-14164.patch86
6 files changed, 286 insertions, 3 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index bc3a38e750..970f81666b 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=openjpeg
pkgver=2.2.0
-pkgrel=1
+pkgrel=2
pkgdesc="Open-source implementation of JPEG2000 image codec"
url="http://www.openjpeg.org/"
arch="all"
@@ -13,7 +13,13 @@ makedepends="$depends_dev libpng-dev tiff-dev lcms-dev doxygen cmake"
install=""
subpackages="$pkgname-dev $pkgname-tools"
source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
- CVE-2017-12982.patch"
+ CVE-2017-12982.patch
+ CVE-2017-14040.patch
+ CVE-2017-14041.patch
+ CVE-2017-14151.patch
+ CVE-2017-14152.patch
+ CVE-2017-14164.patch"
+
builddir="${srcdir}/$pkgname-$pkgver"
build() {
@@ -28,6 +34,12 @@ build() {
}
# secfixes:
+# 2.2.0-r2:
+# - CVE-2017-14040
+# - CVE-2017-14041
+# - CVE-2017-14151
+# - CVE-2017-14152
+# - CVE-2017-14164
# 2.2.0-r1:
# - CVE-2017-12982
# 2.1.2-r1:
@@ -46,4 +58,9 @@ tools() {
}
sha512sums="20651c380bee582ab1950994c424cc00061ad852e9c5438fb32a9809e3f275571a4cc7e92589add0d91debf2394262e58f441c2dd918809fc1c602ed68396a3a openjpeg-2.2.0.tar.gz
-0e0ce7bdf53c4b6f1b2e9e5f855186763a1bea39b70bdc1fd5b60a5516036a04562cb43030e9946972009e3733d0efadb8ba4825939e32ba6b9419d6428ee9ad CVE-2017-12982.patch"
+0e0ce7bdf53c4b6f1b2e9e5f855186763a1bea39b70bdc1fd5b60a5516036a04562cb43030e9946972009e3733d0efadb8ba4825939e32ba6b9419d6428ee9ad CVE-2017-12982.patch
+532c268346ad6993d7085652fbebe65ec0412a8d12771b86c325ef9f1cb6e0f7252ac95dfb976fa00ecfffd7b140ddc74b2964b04764e0803fb7e8c344a2b58a CVE-2017-14040.patch
+d22735e20c7b08bb292bfda03a659481466a152294c388854aed3623ff769aed6c6491a8e6286b4dfdc8212a465b1596232e51fe8e8ba3a608ebf27b32d33d56 CVE-2017-14041.patch
+66019c7a30a6b6303992d518b8184e57b58824f8b63bc8857436aa404257bf1f1d64ab6100a5f0ed18fa1b41c09501e77230207ca028bc16db35fc2d834a6506 CVE-2017-14151.patch
+c244e0e4db1473583ffac6b31808b70bd3554e6eba7b357891aca7f8ad0ab687d433aac3d3f210349507cc54981b0171eb9a72e4a890925beaa2c9d9ee877dfd CVE-2017-14152.patch
+640cd731f5ee3a5fecbc8ca7c78d626c383155dbefe3a240319bcea81b5bc9996e028055ff64df192b5ed02e3a9e18b681b2ab4f106c3d555b68c93115dc6d01 CVE-2017-14164.patch"
diff --git a/main/openjpeg/CVE-2017-14040.patch b/main/openjpeg/CVE-2017-14040.patch
new file mode 100644
index 0000000000..dd9183dad1
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14040.patch
@@ -0,0 +1,80 @@
+From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Aug 2017 11:47:40 +0200
+Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
+ fixes unaligned load (#995)
+
+---
+ src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
+ 1 file changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index a4eb81f6a..73dfc8d5f 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -580,13 +580,10 @@ struct tga_header {
+ };
+ #endif /* INFORMATION_ONLY */
+
+-static unsigned short get_ushort(const unsigned char *data)
++/* Returns a ushort from a little-endian serialized value */
++static unsigned short get_tga_ushort(const unsigned char *data)
+ {
+- unsigned short val = *(const unsigned short *)data;
+-#ifdef OPJ_BIG_ENDIAN
+- val = ((val & 0xffU) << 8) | (val >> 8);
+-#endif
+- return val;
++ return data[0] | (data[1] << 8);
+ }
+
+ #define TGA_HEADER_SIZE 18
+@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
+ id_len = tga[0];
+ /*cmap_type = tga[1];*/
+ image_type = tga[2];
+- /*cmap_index = get_ushort(&tga[3]);*/
+- cmap_len = get_ushort(&tga[5]);
++ /*cmap_index = get_tga_ushort(&tga[3]);*/
++ cmap_len = get_tga_ushort(&tga[5]);
+ cmap_entry_size = tga[7];
+
+
+ #if 0
+- x_origin = get_ushort(&tga[8]);
+- y_origin = get_ushort(&tga[10]);
++ x_origin = get_tga_ushort(&tga[8]);
++ y_origin = get_tga_ushort(&tga[10]);
+ #endif
+- image_w = get_ushort(&tga[12]);
+- image_h = get_ushort(&tga[14]);
++ image_w = get_tga_ushort(&tga[12]);
++ image_h = get_tga_ushort(&tga[14]);
+ pixel_depth = tga[16];
+ image_desc = tga[17];
+
+@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
+ color_space = OPJ_CLRSPC_SRGB;
+ }
+
++ /* If the declared file size is > 10 MB, check that the file is big */
++ /* enough to avoid excessive memory allocations */
++ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
++ char ch;
++ OPJ_UINT64 expected_file_size =
++ (OPJ_UINT64)image_width * image_height * numcomps;
++ long curpos = ftell(f);
++ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
++ expected_file_size = (OPJ_UINT64)INT_MAX;
++ }
++ fseek(f, (long)expected_file_size - 1, SEEK_SET);
++ if (fread(&ch, 1, 1, f) != 1) {
++ fclose(f);
++ return NULL;
++ }
++ fseek(f, curpos, SEEK_SET);
++ }
++
+ subsampling_dx = parameters->subsampling_dx;
+ subsampling_dy = parameters->subsampling_dy;
+
diff --git a/main/openjpeg/CVE-2017-14041.patch b/main/openjpeg/CVE-2017-14041.patch
new file mode 100644
index 0000000000..ebfe1ad27f
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14041.patch
@@ -0,0 +1,22 @@
+From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Fri, 18 Aug 2017 13:39:20 +0200
+Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
+
+---
+ src/bin/jp2/convert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index 5459f7d44..e606c9be7 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
+ }
+
+ fseek(f, 0, SEEK_SET);
+- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+ fclose(f);
+ fprintf(stderr,
diff --git a/main/openjpeg/CVE-2017-14151.patch b/main/openjpeg/CVE-2017-14151.patch
new file mode 100644
index 0000000000..c8a1fd65f1
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14151.patch
@@ -0,0 +1,43 @@
+From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 14 Aug 2017 17:20:37 +0200
+Subject: [PATCH] Encoder: grow buffer size in
+ opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
+ opj_mqc_flush (#982)
+
+---
+ src/lib/openjp2/tcd.c | 7 +++++--
+ tests/nonregression/test_suite.ctest.in | 2 ++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index 301c7213e..53cdcf64d 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
+ {
+ OPJ_UINT32 l_data_size;
+
+- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
++ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
++ /* TODO: is there a theoretical upper-bound for the compressed code */
++ /* block size ? */
++ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
+ if (l_data_size > p_code_block->data_size) {
+diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
+index aaf40d7d0..ffd964c2a 100644
+--- a/tests/nonregression/test_suite.ctest.in
++++ b/tests/nonregression/test_suite.ctest.in
+@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
+ # Same rate as Bretagne2_4.j2k
+ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
+
++opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
++
+ # DECODER TEST SUITE
+ opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
+ opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
diff --git a/main/openjpeg/CVE-2017-14152.patch b/main/openjpeg/CVE-2017-14152.patch
new file mode 100644
index 0000000000..d165090a1a
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14152.patch
@@ -0,0 +1,35 @@
+From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 15 Aug 2017 11:55:58 +0200
+Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
+ opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
+
+---
+ src/lib/openjp2/j2k.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index a2521ebbc..54b490a8c 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
+
+ /* Precincts */
+ parameters->csty |= 0x01;
+- parameters->res_spec = parameters->numresolution - 1;
+- for (i = 0; i < parameters->res_spec; i++) {
+- parameters->prcw_init[i] = 256;
+- parameters->prch_init[i] = 256;
++ if (parameters->numresolution == 1) {
++ parameters->res_spec = 1;
++ parameters->prcw_init[0] = 128;
++ parameters->prch_init[0] = 128;
++ } else {
++ parameters->res_spec = parameters->numresolution - 1;
++ for (i = 0; i < parameters->res_spec; i++) {
++ parameters->prcw_init[i] = 256;
++ parameters->prch_init[i] = 256;
++ }
+ }
+
+ /* The progression order shall be CPRL */
diff --git a/main/openjpeg/CVE-2017-14164.patch b/main/openjpeg/CVE-2017-14164.patch
new file mode 100644
index 0000000000..a61b015180
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14164.patch
@@ -0,0 +1,86 @@
+From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 16 Aug 2017 17:09:10 +0200
+Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
+ (#991)
+
+---
+ src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 54b490a8c..16915452e 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+ * Writes the SOT marker (Start of tile-part)
+ *
+ * @param p_j2k J2K codec.
+- * @param p_data FIXME DOC
+- * @param p_data_written FIXME DOC
++ * @param p_data Output buffer
++ * @param p_total_data_size Output buffer size
++ * @param p_data_written Number of bytes written into stream
+ * @param p_stream the stream to write data to.
+ * @param p_manager the user event manager.
+ */
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_BYTE * p_data,
++ OPJ_UINT32 p_total_data_size,
+ OPJ_UINT32 * p_data_written,
+ const opj_stream_private_t *p_stream,
+ opj_event_mgr_t * p_manager);
+@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_BYTE * p_data,
++ OPJ_UINT32 p_total_data_size,
+ OPJ_UINT32 * p_data_written,
+ const opj_stream_private_t *p_stream,
+ opj_event_mgr_t * p_manager
+@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_UNUSED(p_stream);
+ OPJ_UNUSED(p_manager);
+
++ if (p_total_data_size < 12) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough bytes in output buffer to write SOT marker\n");
++ return OPJ_FALSE;
++ }
++
+ opj_write_bytes(p_data, J2K_MS_SOT,
+ 2); /* SOT */
+ p_data += 2;
+@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
+
+ l_current_nb_bytes_written = 0;
+ l_begin_data = p_data;
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
++ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }
+@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+ l_part_tile_size = 0;
+ l_begin_data = p_data;
+
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data,
++ p_total_data_size,
++ &l_current_nb_bytes_written,
++ p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }
+@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+ l_part_tile_size = 0;
+ l_begin_data = p_data;
+
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data,
++ p_total_data_size,
++ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }