aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrancesco Colista <fcolista@alpinelinux.org>2019-01-01 07:33:41 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2019-01-01 07:33:41 +0000
commit50f991efc36983c48ef31001e2cb0433b2745479 (patch)
treefa350dd70e9230eaaf58fbda1e33feafec2abaf9
parentae0e1afc56d1216820fd8bb0acf8a23f272b111e (diff)
downloadaports-50f991efc36983c48ef31001e2cb0433b2745479.tar.bz2
aports-50f991efc36983c48ef31001e2cb0433b2745479.tar.xz
main/openjpeg: security fixes
- CVE-2018-14423 - CVE-2018-6616 this commit fixes #9797
-rw-r--r--main/openjpeg/APKBUILD11
-rw-r--r--main/openjpeg/CVE-2018-14423.patch60
-rw-r--r--main/openjpeg/CVE-2018-6616.patch69
3 files changed, 138 insertions, 2 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index 6806171431..ca8426a5c1 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=openjpeg
pkgver=2.3.0
-pkgrel=1
+pkgrel=2
pkgdesc="Open-source implementation of JPEG2000 image codec"
url="http://www.openjpeg.org/"
arch="all"
@@ -13,6 +13,8 @@ subpackages="$pkgname-dev $pkgname-tools"
source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
CVE-2017-17480.patch
CVE-2018-18088.patch
+ CVE-2018-14423.patch
+ CVE-2018-6616.patch
"
builddir="${srcdir}/$pkgname-$pkgver"
@@ -27,6 +29,9 @@ build() {
}
# secfixes:
+# 2.3.0-r2:
+# - CVE-2018-14423
+# - CVE-2018-6616
# 2.3.0-r1:
# - CVE-2017-17480
# - CVE-2018-18088
@@ -57,4 +62,6 @@ tools() {
sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568 openjpeg-2.3.0.tar.gz
15f4292ab6e19ecad1d47772ea28154bc7bbf9b9ba68467c5750e0c823efe3657e5973c08b81456f649fb789b6772ddaf5122f23a530ae0f6a9e5adb61c51c74 CVE-2017-17480.patch
-24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch"
+24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch
+4292a05e63ec1ba1ec30e02cd981e9aab617e42831a799bc777b03174bcbc4c49d8b45534668a5237f06c0361865b0ff9bd71f40e2fcab370af6cf9c256c8537 CVE-2018-14423.patch
+9c5eccb7b00e8ed6e473db61aaaf9d37462b9a5c5efabb2af3e0d701922c54827aee55253404c149605fa9103adf6f4375a684c89f17a7fe7bdf85988b5db222 CVE-2018-6616.patch"
diff --git a/main/openjpeg/CVE-2018-14423.patch b/main/openjpeg/CVE-2018-14423.patch
new file mode 100644
index 0000000000..81fcb59345
--- /dev/null
+++ b/main/openjpeg/CVE-2018-14423.patch
@@ -0,0 +1,60 @@
+From bd88611ed9ad7144ec4f3de54790cd848175891b Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Fri, 23 Nov 2018 17:15:05 +0800
+Subject: [PATCH] [JP3D] To avoid divisions by zero / undefined behaviour on
+ shift (CVE-2018-14423
+
+Signed-off-by: Young_X <YangX92@hotmail.com>
+---
+ src/lib/openjp3d/pi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c
+index a03be45e7..a58ebcc7c 100644
+--- a/src/lib/openjp3d/pi.c
++++ b/src/lib/openjp3d/pi.c
+@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi)
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
+@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi)
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
+@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi)
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
diff --git a/main/openjpeg/CVE-2018-6616.patch b/main/openjpeg/CVE-2018-6616.patch
new file mode 100644
index 0000000000..497aa3aaca
--- /dev/null
+++ b/main/openjpeg/CVE-2018-6616.patch
@@ -0,0 +1,69 @@
+From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Fri, 14 Dec 2018 04:58:40 +0100
+Subject: [PATCH] convertbmp: detect invalid file dimensions early
+
+width/length dimensions read from bmp headers are not necessarily
+valid. For instance they may have been maliciously set to very large
+values with the intention to cause DoS (large memory allocation, stack
+overflow). In these cases we want to detect the invalid size as early
+as possible.
+
+This commit introduces a counter which verifies that the number of
+written bytes corresponds to the advertized width/length.
+
+Fixes #1059 (CVE-2018-6616).
+---
+ src/bin/jp2/convertbmp.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 85a47feaf..0af52f816 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride,
+ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+ {
+- OPJ_UINT32 x, y;
++ OPJ_UINT32 x, y, written;
+ OPJ_UINT8 *pix;
+ const OPJ_UINT8 *beyond;
+
+ beyond = pData + stride * height;
+ pix = pData;
+
+- x = y = 0U;
++ x = y = written = 0U;
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ *pix = c1;
++ written++;
+ }
+ } else {
+ c = getc(IN);
+@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ }
+ c1 = (OPJ_UINT8)c1_int;
+ *pix = c1;
++ written++;
+ }
+ if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
+ c = getc(IN);
+@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ }
+ }
+ }/* while() */
++
++ if (written != width * height) {
++ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
++ return OPJ_FALSE;
++ }
++
+ return OPJ_TRUE;
+ }
+