guix-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/02: gnu: openjpeg: Fix CVE-2017-14151, CVE-2017-14152.

From: Efraim Flashner
Subject: 01/02: gnu: openjpeg: Fix CVE-2017-14151, CVE-2017-14152.
Date: Wed, 6 Sep 2017 07:21:35 -0400 (EDT) 
efraim pushed a commit to branch master
in repository guix.

commit 3b7c606965656e95725e9cd5f1c7cfc4d0ea18cf
Author: Efraim Flashner <address@hidden>
Date:   Wed Sep 6 13:17:45 2017 +0300

    gnu: openjpeg: Fix CVE-2017-14151, CVE-2017-14152.
    
    * gnu/packages/image.scm (openjpeg)[source]: Add patches.
    * gnu/packages/patches/openjpeg-CVE-2017-14151.patch,
    gnu/packages/patches/openjpeg-CVE-2017-14152.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Register them.
---
 gnu/local.mk                                       |  2 +
 gnu/packages/image.scm                             |  4 +-
 gnu/packages/patches/openjpeg-CVE-2017-14151.patch | 46 ++++++++++++++++++++++
 gnu/packages/patches/openjpeg-CVE-2017-14152.patch | 38 ++++++++++++++++++
 4 files changed, 89 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 2975c02..19dfa13 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -888,6 +888,8 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/openjpeg-CVE-2017-12982.patch           \
   %D%/packages/patches/openjpeg-CVE-2017-14040.patch           \
   %D%/packages/patches/openjpeg-CVE-2017-14041.patch           \
+  %D%/packages/patches/openjpeg-CVE-2017-14151.patch           \
+  %D%/packages/patches/openjpeg-CVE-2017-14152.patch           \
   %D%/packages/patches/openldap-CVE-2017-9287.patch            \
   %D%/packages/patches/openocd-nrf52.patch                     \
   %D%/packages/patches/openssl-runpath.patch                   \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 5d062b1..3bb8de1 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -522,7 +522,9 @@ work.")
           "0yvfghxwfm3dcqr9krkw63pcd76hzkknc3fh7bh11s8qlvjvrpbg"))
         (patches (search-patches "openjpeg-CVE-2017-12982.patch"
                                  "openjpeg-CVE-2017-14040.patch"
-                                 "openjpeg-CVE-2017-14041.patch"))))
+                                 "openjpeg-CVE-2017-14041.patch"
+                                 "openjpeg-CVE-2017-14151.patch"
+                                 "openjpeg-CVE-2017-14152.patch"))))
     (build-system cmake-build-system)
     (arguments
       ;; Trying to run `$ make check' results in a no rule fault.
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14151.patch 
b/gnu/packages/patches/openjpeg-CVE-2017-14151.patch
new file mode 100644
index 0000000..4fcf6af
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2017-14151.patch
@@ -0,0 +1,46 @@
+https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
+http://openwall.com/lists/oss-security/2017/09/06/1
+
+From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <address@hidden>
+Date: Mon, 14 Aug 2017 17:20:37 +0200
+Subject: [PATCH] Encoder: grow buffer size in
+ opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
+ opj_mqc_flush (#982)
+
+---
+ src/lib/openjp2/tcd.c                   | 7 +++++--
+ tests/nonregression/test_suite.ctest.in | 2 ++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index 301c7213e..53cdcf64d 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1187,8 +1187,11 @@ static OPJ_BOOL 
opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
+ {
+     OPJ_UINT32 l_data_size;
+ 
+-    /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 
*/
+-    l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++    /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
++    /* and actually +2 required for 
https://github.com/uclouvain/openjpeg/issues/982 */
++    /* TODO: is there a theoretical upper-bound for the compressed code */
++    /* block size ? */
++    l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+                                    (p_code_block->y1 - p_code_block->y0) * 
(OPJ_INT32)sizeof(OPJ_UINT32));
+ 
+     if (l_data_size > p_code_block->data_size) {
+diff --git a/tests/nonregression/test_suite.ctest.in 
b/tests/nonregression/test_suite.ctest.in
+index aaf40d7d0..ffd964c2a 100644
+--- a/tests/nonregression/test_suite.ctest.in
++++ b/tests/nonregression/test_suite.ctest.in
+@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o 
@TEMP_PATH@/Bretagne2_empty_ban
+ # Same rate as Bretagne2_4.j2k
+ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o 
@TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
+ 
++opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
++
+ # DECODER TEST SUITE
+ opj_decompress -i  @INPUT_NR_PATH@/Bretagne2.j2k -o 
@TEMP_PATH@/Bretagne2.j2k.pgx
+ opj_decompress -i  @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14152.patch 
b/gnu/packages/patches/openjpeg-CVE-2017-14152.patch
new file mode 100644
index 0000000..6c083be
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2017-14152.patch
@@ -0,0 +1,38 @@
+https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
+http://openwall.com/lists/oss-security/2017/09/06/2
+
+From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
+From: Even Rouault <address@hidden>
+Date: Tue, 15 Aug 2017 11:55:58 +0200
+Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
+ opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
+
+---
+ src/lib/openjp2/j2k.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index a2521ebbc..54b490a8c 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -6573,10 +6573,16 @@ static void 
opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
+ 
+     /* Precincts */
+     parameters->csty |= 0x01;
+-    parameters->res_spec = parameters->numresolution - 1;
+-    for (i = 0; i < parameters->res_spec; i++) {
+-        parameters->prcw_init[i] = 256;
+-        parameters->prch_init[i] = 256;
++    if (parameters->numresolution == 1) {
++        parameters->res_spec = 1;
++        parameters->prcw_init[0] = 128;
++        parameters->prch_init[0] = 128;
++    } else {
++        parameters->res_spec = parameters->numresolution - 1;
++        for (i = 0; i < parameters->res_spec; i++) {
++            parameters->prcw_init[i] = 256;
++            parameters->prch_init[i] = 256;
++        }
+     }
+ 
+     /* The progression order shall be CPRL */
reply via email to
[Prev in Thread] Current Thread [Next in Thread]