summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--CVE-2022-1122.patch12
-rw-r--r--openjpeg2-static.spec10
2 files changed, 21 insertions, 1 deletions
diff --git a/CVE-2022-1122.patch b/CVE-2022-1122.patch
new file mode 100644
index 0000000..7b3f905
--- /dev/null
+++ b/CVE-2022-1122.patch
@@ -0,0 +1,12 @@
+diff -rupN --no-dereference openjpeg-2.4.0/src/bin/jp2/opj_decompress.c openjpeg-2.4.0-new/src/bin/jp2/opj_decompress.c
+--- openjpeg-2.4.0/src/bin/jp2/opj_decompress.c 2022-03-28 22:01:04.615605223 +0200
++++ openjpeg-2.4.0-new/src/bin/jp2/opj_decompress.c 2022-03-28 22:01:04.662605454 +0200
+@@ -1351,7 +1351,7 @@ int main(int argc, char **argv)
+ int it_image;
+ num_images = get_num_images(img_fol.imgdirpath);
+
+- dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
++ dirptr = (dircnt_t*)calloc(1, sizeof(dircnt_t));
+ if (!dirptr) {
+ destroy_parameters(&parameters);
+ return EXIT_FAILURE;
diff --git a/openjpeg2-static.spec b/openjpeg2-static.spec
index f0339cc..0eac83c 100644
--- a/openjpeg2-static.spec
+++ b/openjpeg2-static.spec
@@ -11,7 +11,7 @@
Name: openjpeg2-static
Version: 2.4.0
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: C-Library for JPEG 2000
# windirent.h is MIT, the rest is BSD
@@ -32,6 +32,9 @@ Patch1: CVE-2021-29338.patch
# Backport proposed patch for heap buffer overflow (#1957616)
# See https://github.com/uclouvain/openjpeg/issues/1347
Patch2: heap-buffer-overflow.patch
+# Backport patch for CVE-2022-1122
+# See https://github.com/uclouvain/openjpeg/commit/0afbdcf3e6d0d2bd2e16a0c4d513ee3cf86e460d
+Patch3: CVE-2022-1122.patch
BuildRequires: cmake
@@ -216,6 +219,7 @@ OpenJPEG2 JP3D module command line tools
%patch0 -p1
%patch1 -p1
%patch2 -p1
+%patch3 -p1
# Remove all third party libraries just to be sure
find thirdparty/ -mindepth 1 -maxdepth 1 -type d -exec rm -rf {} \;
@@ -347,6 +351,10 @@ make test -C %{_target_platform}
%changelog
+* Tue Mar 29 2022 Remi Collet <remi@remirepo.net> - 2.4.0-2
+- sync with Fedora
+- Backport fix for CVE-2022-1122
+
* Mon May 31 2021 Remi Collet <remi@remirepo.net> - 2.4.0-1
- sync with Fedora
- Update to 2.4.0