diff options
author | Efraim Flashner <efraim@flashner.co.il> | 2017-09-06 13:17:45 +0300 |
---|---|---|
committer | Efraim Flashner <efraim@flashner.co.il> | 2017-09-06 14:20:40 +0300 |
commit | 3b7c606965656e95725e9cd5f1c7cfc4d0ea18cf (patch) | |
tree | 5c89add513cbf830fcbea65d561ce882dc9a4654 /gnu | |
parent | f049e79dc34c112fca244946256920a5ce2e9db0 (diff) |
gnu: openjpeg: Fix CVE-2017-14151, CVE-2017-14152.
* gnu/packages/image.scm (openjpeg)[source]: Add patches.
* gnu/packages/patches/openjpeg-CVE-2017-14151.patch,
gnu/packages/patches/openjpeg-CVE-2017-14152.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 2 | ||||
-rw-r--r-- | gnu/packages/image.scm | 4 | ||||
-rw-r--r-- | gnu/packages/patches/openjpeg-CVE-2017-14151.patch | 46 | ||||
-rw-r--r-- | gnu/packages/patches/openjpeg-CVE-2017-14152.patch | 38 |
4 files changed, 89 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 2975c0208e..19dfa13449 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -888,6 +888,8 @@ dist_patch_DATA = \ %D%/packages/patches/openjpeg-CVE-2017-12982.patch \ %D%/packages/patches/openjpeg-CVE-2017-14040.patch \ %D%/packages/patches/openjpeg-CVE-2017-14041.patch \ + %D%/packages/patches/openjpeg-CVE-2017-14151.patch \ + %D%/packages/patches/openjpeg-CVE-2017-14152.patch \ %D%/packages/patches/openldap-CVE-2017-9287.patch \ %D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/openssl-runpath.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 5d062b107b..3bb8de15c4 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -522,7 +522,9 @@ work.") "0yvfghxwfm3dcqr9krkw63pcd76hzkknc3fh7bh11s8qlvjvrpbg")) (patches (search-patches "openjpeg-CVE-2017-12982.patch" "openjpeg-CVE-2017-14040.patch" - "openjpeg-CVE-2017-14041.patch")))) + "openjpeg-CVE-2017-14041.patch" + "openjpeg-CVE-2017-14151.patch" + "openjpeg-CVE-2017-14152.patch")))) (build-system cmake-build-system) (arguments ;; Trying to run `$ make check' results in a no rule fault. diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14151.patch b/gnu/packages/patches/openjpeg-CVE-2017-14151.patch new file mode 100644 index 0000000000..4fcf6af6db --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14151.patch @@ -0,0 +1,46 @@ +https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch +http://openwall.com/lists/oss-security/2017/09/06/1 + +From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 14 Aug 2017 17:20:37 +0200 +Subject: [PATCH] Encoder: grow buffer size in + opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in + opj_mqc_flush (#982) + +--- + src/lib/openjp2/tcd.c | 7 +++++-- + tests/nonregression/test_suite.ctest.in | 2 ++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c +index 301c7213e..53cdcf64d 100644 +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t * + { + OPJ_UINT32 l_data_size; + +- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ +- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ ++ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ ++ /* TODO: is there a theoretical upper-bound for the compressed code */ ++ /* block size ? */ ++ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { +diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in +index aaf40d7d0..ffd964c2a 100644 +--- a/tests/nonregression/test_suite.ctest.in ++++ b/tests/nonregression/test_suite.ctest.in +@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban + # Same rate as Bretagne2_4.j2k + opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800 + ++opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1 ++ + # DECODER TEST SUITE + opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx + opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14152.patch b/gnu/packages/patches/openjpeg-CVE-2017-14152.patch new file mode 100644 index 0000000000..6c083be123 --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14152.patch @@ -0,0 +1,38 @@ +https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch +http://openwall.com/lists/oss-security/2017/09/06/2 + +From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 15 Aug 2017 11:55:58 +0200 +Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in + opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985) + +--- + src/lib/openjp2/j2k.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c +index a2521ebbc..54b490a8c 100644 +--- a/src/lib/openjp2/j2k.c ++++ b/src/lib/openjp2/j2k.c +@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters, + + /* Precincts */ + parameters->csty |= 0x01; +- parameters->res_spec = parameters->numresolution - 1; +- for (i = 0; i < parameters->res_spec; i++) { +- parameters->prcw_init[i] = 256; +- parameters->prch_init[i] = 256; ++ if (parameters->numresolution == 1) { ++ parameters->res_spec = 1; ++ parameters->prcw_init[0] = 128; ++ parameters->prch_init[0] = 128; ++ } else { ++ parameters->res_spec = parameters->numresolution - 1; ++ for (i = 0; i < parameters->res_spec; i++) { ++ parameters->prcw_init[i] = 256; ++ parameters->prch_init[i] = 256; ++ } + } + + /* The progression order shall be CPRL */ |