diff options
author | Francesco Colista <fcolista@alpinelinux.org> | 2017-09-21 08:18:29 +0000 |
---|---|---|
committer | Francesco Colista <fcolista@alpinelinux.org> | 2017-09-21 08:18:29 +0000 |
commit | 9513e587b007defbb6ef3590945ff49cbd73a270 (patch) | |
tree | f59e4e8fc09d834b5cf11006eab3fc6d7c8df40f | |
parent | 31f54779460bab8576eb569250b8543dca14ba6f (diff) | |
download | aports-9513e587b007defbb6ef3590945ff49cbd73a270.tar.bz2 aports-9513e587b007defbb6ef3590945ff49cbd73a270.tar.xz |
main/openjpeg: security fixes
- CVE-2017-14040
- CVE-2017-14041
- CVE-2017-14151
- CVE-2017-14152
- CVE-2017-14164
Fixes partially #7825.
Not yet fixed CVE-2017-14039 since patch is not available for 2.2.0
-rw-r--r-- | main/openjpeg/APKBUILD | 23 | ||||
-rw-r--r-- | main/openjpeg/CVE-2017-14040.patch | 80 | ||||
-rw-r--r-- | main/openjpeg/CVE-2017-14041.patch | 22 | ||||
-rw-r--r-- | main/openjpeg/CVE-2017-14151.patch | 43 | ||||
-rw-r--r-- | main/openjpeg/CVE-2017-14152.patch | 35 | ||||
-rw-r--r-- | main/openjpeg/CVE-2017-14164.patch | 86 |
6 files changed, 286 insertions, 3 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD index bc3a38e750..970f81666b 100644 --- a/main/openjpeg/APKBUILD +++ b/main/openjpeg/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Francesco Colista <fcolista@alpinelinux.org> pkgname=openjpeg pkgver=2.2.0 -pkgrel=1 +pkgrel=2 pkgdesc="Open-source implementation of JPEG2000 image codec" url="http://www.openjpeg.org/" arch="all" @@ -13,7 +13,13 @@ makedepends="$depends_dev libpng-dev tiff-dev lcms-dev doxygen cmake" install="" subpackages="$pkgname-dev $pkgname-tools" source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz - CVE-2017-12982.patch" + CVE-2017-12982.patch + CVE-2017-14040.patch + CVE-2017-14041.patch + CVE-2017-14151.patch + CVE-2017-14152.patch + CVE-2017-14164.patch" + builddir="${srcdir}/$pkgname-$pkgver" build() { @@ -28,6 +34,12 @@ build() { } # secfixes: +# 2.2.0-r2: +# - CVE-2017-14040 +# - CVE-2017-14041 +# - CVE-2017-14151 +# - CVE-2017-14152 +# - CVE-2017-14164 # 2.2.0-r1: # - CVE-2017-12982 # 2.1.2-r1: @@ -46,4 +58,9 @@ tools() { } sha512sums="20651c380bee582ab1950994c424cc00061ad852e9c5438fb32a9809e3f275571a4cc7e92589add0d91debf2394262e58f441c2dd918809fc1c602ed68396a3a openjpeg-2.2.0.tar.gz -0e0ce7bdf53c4b6f1b2e9e5f855186763a1bea39b70bdc1fd5b60a5516036a04562cb43030e9946972009e3733d0efadb8ba4825939e32ba6b9419d6428ee9ad CVE-2017-12982.patch" +0e0ce7bdf53c4b6f1b2e9e5f855186763a1bea39b70bdc1fd5b60a5516036a04562cb43030e9946972009e3733d0efadb8ba4825939e32ba6b9419d6428ee9ad CVE-2017-12982.patch +532c268346ad6993d7085652fbebe65ec0412a8d12771b86c325ef9f1cb6e0f7252ac95dfb976fa00ecfffd7b140ddc74b2964b04764e0803fb7e8c344a2b58a CVE-2017-14040.patch +d22735e20c7b08bb292bfda03a659481466a152294c388854aed3623ff769aed6c6491a8e6286b4dfdc8212a465b1596232e51fe8e8ba3a608ebf27b32d33d56 CVE-2017-14041.patch +66019c7a30a6b6303992d518b8184e57b58824f8b63bc8857436aa404257bf1f1d64ab6100a5f0ed18fa1b41c09501e77230207ca028bc16db35fc2d834a6506 CVE-2017-14151.patch +c244e0e4db1473583ffac6b31808b70bd3554e6eba7b357891aca7f8ad0ab687d433aac3d3f210349507cc54981b0171eb9a72e4a890925beaa2c9d9ee877dfd CVE-2017-14152.patch +640cd731f5ee3a5fecbc8ca7c78d626c383155dbefe3a240319bcea81b5bc9996e028055ff64df192b5ed02e3a9e18b681b2ab4f106c3d555b68c93115dc6d01 CVE-2017-14164.patch" diff --git a/main/openjpeg/CVE-2017-14040.patch b/main/openjpeg/CVE-2017-14040.patch new file mode 100644 index 0000000000..dd9183dad1 --- /dev/null +++ b/main/openjpeg/CVE-2017-14040.patch @@ -0,0 +1,80 @@ +From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 17 Aug 2017 11:47:40 +0200 +Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and + fixes unaligned load (#995) + +--- + src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------ + 1 file changed, 27 insertions(+), 12 deletions(-) + +diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c +index a4eb81f6a..73dfc8d5f 100644 +--- a/src/bin/jp2/convert.c ++++ b/src/bin/jp2/convert.c +@@ -580,13 +580,10 @@ struct tga_header { + }; + #endif /* INFORMATION_ONLY */ + +-static unsigned short get_ushort(const unsigned char *data) ++/* Returns a ushort from a little-endian serialized value */ ++static unsigned short get_tga_ushort(const unsigned char *data) + { +- unsigned short val = *(const unsigned short *)data; +-#ifdef OPJ_BIG_ENDIAN +- val = ((val & 0xffU) << 8) | (val >> 8); +-#endif +- return val; ++ return data[0] | (data[1] << 8); + } + + #define TGA_HEADER_SIZE 18 +@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel, + id_len = tga[0]; + /*cmap_type = tga[1];*/ + image_type = tga[2]; +- /*cmap_index = get_ushort(&tga[3]);*/ +- cmap_len = get_ushort(&tga[5]); ++ /*cmap_index = get_tga_ushort(&tga[3]);*/ ++ cmap_len = get_tga_ushort(&tga[5]); + cmap_entry_size = tga[7]; + + + #if 0 +- x_origin = get_ushort(&tga[8]); +- y_origin = get_ushort(&tga[10]); ++ x_origin = get_tga_ushort(&tga[8]); ++ y_origin = get_tga_ushort(&tga[10]); + #endif +- image_w = get_ushort(&tga[12]); +- image_h = get_ushort(&tga[14]); ++ image_w = get_tga_ushort(&tga[12]); ++ image_h = get_tga_ushort(&tga[14]); + pixel_depth = tga[16]; + image_desc = tga[17]; + +@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters) + color_space = OPJ_CLRSPC_SRGB; + } + ++ /* If the declared file size is > 10 MB, check that the file is big */ ++ /* enough to avoid excessive memory allocations */ ++ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) { ++ char ch; ++ OPJ_UINT64 expected_file_size = ++ (OPJ_UINT64)image_width * image_height * numcomps; ++ long curpos = ftell(f); ++ if (expected_file_size > (OPJ_UINT64)INT_MAX) { ++ expected_file_size = (OPJ_UINT64)INT_MAX; ++ } ++ fseek(f, (long)expected_file_size - 1, SEEK_SET); ++ if (fread(&ch, 1, 1, f) != 1) { ++ fclose(f); ++ return NULL; ++ } ++ fseek(f, curpos, SEEK_SET); ++ } ++ + subsampling_dx = parameters->subsampling_dx; + subsampling_dy = parameters->subsampling_dy; + diff --git a/main/openjpeg/CVE-2017-14041.patch b/main/openjpeg/CVE-2017-14041.patch new file mode 100644 index 0000000000..ebfe1ad27f --- /dev/null +++ b/main/openjpeg/CVE-2017-14041.patch @@ -0,0 +1,22 @@ +From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Fri, 18 Aug 2017 13:39:20 +0200 +Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997) + +--- + src/bin/jp2/convert.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c +index 5459f7d44..e606c9be7 100644 +--- a/src/bin/jp2/convert.c ++++ b/src/bin/jp2/convert.c +@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters) + } + + fseek(f, 0, SEEK_SET); +- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, ++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, + &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) { + fclose(f); + fprintf(stderr, diff --git a/main/openjpeg/CVE-2017-14151.patch b/main/openjpeg/CVE-2017-14151.patch new file mode 100644 index 0000000000..c8a1fd65f1 --- /dev/null +++ b/main/openjpeg/CVE-2017-14151.patch @@ -0,0 +1,43 @@ +From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 14 Aug 2017 17:20:37 +0200 +Subject: [PATCH] Encoder: grow buffer size in + opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in + opj_mqc_flush (#982) + +--- + src/lib/openjp2/tcd.c | 7 +++++-- + tests/nonregression/test_suite.ctest.in | 2 ++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c +index 301c7213e..53cdcf64d 100644 +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t * + { + OPJ_UINT32 l_data_size; + +- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ +- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ ++ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ ++ /* TODO: is there a theoretical upper-bound for the compressed code */ ++ /* block size ? */ ++ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { +diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in +index aaf40d7d0..ffd964c2a 100644 +--- a/tests/nonregression/test_suite.ctest.in ++++ b/tests/nonregression/test_suite.ctest.in +@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban + # Same rate as Bretagne2_4.j2k + opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800 + ++opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1 ++ + # DECODER TEST SUITE + opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx + opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx diff --git a/main/openjpeg/CVE-2017-14152.patch b/main/openjpeg/CVE-2017-14152.patch new file mode 100644 index 0000000000..d165090a1a --- /dev/null +++ b/main/openjpeg/CVE-2017-14152.patch @@ -0,0 +1,35 @@ +From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 15 Aug 2017 11:55:58 +0200 +Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in + opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985) + +--- + src/lib/openjp2/j2k.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c +index a2521ebbc..54b490a8c 100644 +--- a/src/lib/openjp2/j2k.c ++++ b/src/lib/openjp2/j2k.c +@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters, + + /* Precincts */ + parameters->csty |= 0x01; +- parameters->res_spec = parameters->numresolution - 1; +- for (i = 0; i < parameters->res_spec; i++) { +- parameters->prcw_init[i] = 256; +- parameters->prch_init[i] = 256; ++ if (parameters->numresolution == 1) { ++ parameters->res_spec = 1; ++ parameters->prcw_init[0] = 128; ++ parameters->prch_init[0] = 128; ++ } else { ++ parameters->res_spec = parameters->numresolution - 1; ++ for (i = 0; i < parameters->res_spec; i++) { ++ parameters->prcw_init[i] = 256; ++ parameters->prch_init[i] = 256; ++ } + } + + /* The progression order shall be CPRL */ diff --git a/main/openjpeg/CVE-2017-14164.patch b/main/openjpeg/CVE-2017-14164.patch new file mode 100644 index 0000000000..a61b015180 --- /dev/null +++ b/main/openjpeg/CVE-2017-14164.patch @@ -0,0 +1,86 @@ +From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Wed, 16 Aug 2017 17:09:10 +0200 +Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow + (#991) + +--- + src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c +index 54b490a8c..16915452e 100644 +--- a/src/lib/openjp2/j2k.c ++++ b/src/lib/openjp2/j2k.c +@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k, + * Writes the SOT marker (Start of tile-part) + * + * @param p_j2k J2K codec. +- * @param p_data FIXME DOC +- * @param p_data_written FIXME DOC ++ * @param p_data Output buffer ++ * @param p_total_data_size Output buffer size ++ * @param p_data_written Number of bytes written into stream + * @param p_stream the stream to write data to. + * @param p_manager the user event manager. + */ + static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, + OPJ_BYTE * p_data, ++ OPJ_UINT32 p_total_data_size, + OPJ_UINT32 * p_data_written, + const opj_stream_private_t *p_stream, + opj_event_mgr_t * p_manager); +@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k, + + static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, + OPJ_BYTE * p_data, ++ OPJ_UINT32 p_total_data_size, + OPJ_UINT32 * p_data_written, + const opj_stream_private_t *p_stream, + opj_event_mgr_t * p_manager +@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, + OPJ_UNUSED(p_stream); + OPJ_UNUSED(p_manager); + ++ if (p_total_data_size < 12) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "Not enough bytes in output buffer to write SOT marker\n"); ++ return OPJ_FALSE; ++ } ++ + opj_write_bytes(p_data, J2K_MS_SOT, + 2); /* SOT */ + p_data += 2; +@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k, + + l_current_nb_bytes_written = 0; + l_begin_data = p_data; +- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, ++ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size, ++ &l_current_nb_bytes_written, p_stream, + p_manager)) { + return OPJ_FALSE; + } +@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k, + l_part_tile_size = 0; + l_begin_data = p_data; + +- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, ++ if (! opj_j2k_write_sot(p_j2k, p_data, ++ p_total_data_size, ++ &l_current_nb_bytes_written, ++ p_stream, + p_manager)) { + return OPJ_FALSE; + } +@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k, + l_part_tile_size = 0; + l_begin_data = p_data; + +- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, ++ if (! opj_j2k_write_sot(p_j2k, p_data, ++ p_total_data_size, ++ &l_current_nb_bytes_written, p_stream, + p_manager)) { + return OPJ_FALSE; + } |