diff options
author | Francesco Colista <fcolista@alpinelinux.org> | 2019-01-01 07:33:41 +0000 |
---|---|---|
committer | Francesco Colista <fcolista@alpinelinux.org> | 2019-01-01 07:33:41 +0000 |
commit | 50f991efc36983c48ef31001e2cb0433b2745479 (patch) | |
tree | fa350dd70e9230eaaf58fbda1e33feafec2abaf9 | |
parent | ae0e1afc56d1216820fd8bb0acf8a23f272b111e (diff) | |
download | aports-50f991efc36983c48ef31001e2cb0433b2745479.tar.bz2 aports-50f991efc36983c48ef31001e2cb0433b2745479.tar.xz |
main/openjpeg: security fixes
-rw-r--r-- | main/openjpeg/APKBUILD | 11 | ||||
-rw-r--r-- | main/openjpeg/CVE-2018-14423.patch | 60 | ||||
-rw-r--r-- | main/openjpeg/CVE-2018-6616.patch | 69 |
3 files changed, 138 insertions, 2 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD index 6806171431..ca8426a5c1 100644 --- a/main/openjpeg/APKBUILD +++ b/main/openjpeg/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Francesco Colista <fcolista@alpinelinux.org> pkgname=openjpeg pkgver=2.3.0 -pkgrel=1 +pkgrel=2 pkgdesc="Open-source implementation of JPEG2000 image codec" url="http://www.openjpeg.org/" arch="all" @@ -13,6 +13,8 @@ subpackages="$pkgname-dev $pkgname-tools" source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz CVE-2017-17480.patch CVE-2018-18088.patch + CVE-2018-14423.patch + CVE-2018-6616.patch " builddir="${srcdir}/$pkgname-$pkgver" @@ -27,6 +29,9 @@ build() { } # secfixes: +# 2.3.0-r2: +# - CVE-2018-14423 +# - CVE-2018-6616 # 2.3.0-r1: # - CVE-2017-17480 # - CVE-2018-18088 @@ -57,4 +62,6 @@ tools() { sha512sums="0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568 openjpeg-2.3.0.tar.gz 15f4292ab6e19ecad1d47772ea28154bc7bbf9b9ba68467c5750e0c823efe3657e5973c08b81456f649fb789b6772ddaf5122f23a530ae0f6a9e5adb61c51c74 CVE-2017-17480.patch -24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch" +24b646f2b24cfbe9babe8b5c622069178998f35d0b82f5034ff12f8df5f3ffd35f4f8bcc195dfec1072d8f8847d200c3d28f689ec16f29ab9ce895dbabd044bb CVE-2018-18088.patch +4292a05e63ec1ba1ec30e02cd981e9aab617e42831a799bc777b03174bcbc4c49d8b45534668a5237f06c0361865b0ff9bd71f40e2fcab370af6cf9c256c8537 CVE-2018-14423.patch +9c5eccb7b00e8ed6e473db61aaaf9d37462b9a5c5efabb2af3e0d701922c54827aee55253404c149605fa9103adf6f4375a684c89f17a7fe7bdf85988b5db222 CVE-2018-6616.patch" diff --git a/main/openjpeg/CVE-2018-14423.patch b/main/openjpeg/CVE-2018-14423.patch new file mode 100644 index 0000000000..81fcb59345 --- /dev/null +++ b/main/openjpeg/CVE-2018-14423.patch @@ -0,0 +1,60 @@ +From bd88611ed9ad7144ec4f3de54790cd848175891b Mon Sep 17 00:00:00 2001 +From: Young_X <YangX92@hotmail.com> +Date: Fri, 23 Nov 2018 17:15:05 +0800 +Subject: [PATCH] [JP3D] To avoid divisions by zero / undefined behaviour on + shift (CVE-2018-14423 + +Signed-off-by: Young_X <YangX92@hotmail.com> +--- + src/lib/openjp3d/pi.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c +index a03be45e7..a58ebcc7c 100644 +--- a/src/lib/openjp3d/pi.c ++++ b/src/lib/openjp3d/pi.c +@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi) + rpx = res->pdx + levelnox; + rpy = res->pdy + levelnoy; + rpz = res->pdz + levelnoz; ++ ++ /* To avoid divisions by zero / undefined behaviour on shift */ ++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || ++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy || ++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) { ++ continue; ++ } ++ + if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && + (trx0 << levelnox) % (1 << rpx)))) { + continue; +@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi) + rpx = res->pdx + levelnox; + rpy = res->pdy + levelnoy; + rpz = res->pdz + levelnoz; ++ ++ /* To avoid divisions by zero / undefined behaviour on shift */ ++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || ++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy || ++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) { ++ continue; ++ } ++ + if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && + (trx0 << levelnox) % (1 << rpx)))) { + continue; +@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi) + rpx = res->pdx + levelnox; + rpy = res->pdy + levelnoy; + rpz = res->pdz + levelnoz; ++ ++ /* To avoid divisions by zero / undefined behaviour on shift */ ++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || ++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy || ++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) { ++ continue; ++ } ++ + if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && + (trx0 << levelnox) % (1 << rpx)))) { + continue; diff --git a/main/openjpeg/CVE-2018-6616.patch b/main/openjpeg/CVE-2018-6616.patch new file mode 100644 index 0000000000..497aa3aaca --- /dev/null +++ b/main/openjpeg/CVE-2018-6616.patch @@ -0,0 +1,69 @@ +From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001 +From: Hugo Lefeuvre <hle@debian.org> +Date: Fri, 14 Dec 2018 04:58:40 +0100 +Subject: [PATCH] convertbmp: detect invalid file dimensions early + +width/length dimensions read from bmp headers are not necessarily +valid. For instance they may have been maliciously set to very large +values with the intention to cause DoS (large memory allocation, stack +overflow). In these cases we want to detect the invalid size as early +as possible. + +This commit introduces a counter which verifies that the number of +written bytes corresponds to the advertized width/length. + +Fixes #1059 (CVE-2018-6616). +--- + src/bin/jp2/convertbmp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index 85a47feaf..0af52f816 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride, + static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) + { +- OPJ_UINT32 x, y; ++ OPJ_UINT32 x, y, written; + OPJ_UINT8 *pix; + const OPJ_UINT8 *beyond; + + beyond = pData + stride * height; + pix = pData; + +- x = y = 0U; ++ x = y = written = 0U; + while (y < height) { + int c = getc(IN); + if (c == EOF) { +@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + *pix = c1; ++ written++; + } + } else { + c = getc(IN); +@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + } + c1 = (OPJ_UINT8)c1_int; + *pix = c1; ++ written++; + } + if ((OPJ_UINT32)c & 1U) { /* skip padding byte */ + c = getc(IN); +@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + } + } + }/* while() */ ++ ++ if (written != width * height) { ++ fprintf(stderr, "warning, image's actual size does not match advertized one\n"); ++ return OPJ_FALSE; ++ } ++ + return OPJ_TRUE; + } + |