From 5744a984a6abbd8f91defd34cef5a741c02df567 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 13 Feb 2020 17:21:57 +0100 Subject: sync with Fedora Backport patch for CVE 2020-8112 --- openjpeg2-static.spec | 10 +++++++++- openjpeg2_CVE-2020-8112.patch | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 openjpeg2_CVE-2020-8112.patch diff --git a/openjpeg2-static.spec b/openjpeg2-static.spec index 35f14e9..ea1c2a0 100644 --- a/openjpeg2-static.spec +++ b/openjpeg2-static.spec @@ -11,7 +11,7 @@ Name: openjpeg2-static Version: 2.3.1 -Release: 4%{?dist} +Release: 6%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD @@ -28,6 +28,9 @@ Patch0: openjpeg2_opj2.patch # Backport patch for CVE 2020-6851 # https://github.com/uclouvain/openjpeg/issues/1228 Patch1: openjpeg2_CVE-2020-6851.patch +# Backport patch for CVE 2020-8112 +# https://github.com/uclouvain/openjpeg/pull/1232/commits/05f9b91e60debda0e83977e5e63b2e66486f7074 +Patch2: openjpeg2_CVE-2020-8112.patch BuildRequires: cmake @@ -211,6 +214,7 @@ OpenJPEG2 JP3D module command line tools %setup -qn openjpeg-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 # Remove all third party libraries just to be sure find thirdparty/ -mindepth 1 -maxdepth 1 -type d -exec rm -rf {} \; @@ -342,6 +346,10 @@ make test -C %{_target_platform} %changelog +* Thu Feb 13 2020 Remi Collet - 2.3.1-6 +- sync with Fedora +- Backport patch for CVE 2020-8112 + * Mon Jan 20 2020 Remi Collet - 2.3.1-4 - sync with Fedora - Backport patch for CVE 2020-6851 diff --git a/openjpeg2_CVE-2020-8112.patch b/openjpeg2_CVE-2020-8112.patch new file mode 100644 index 0000000..95cb809 --- /dev/null +++ b/openjpeg2_CVE-2020-8112.patch @@ -0,0 +1,43 @@ +From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 30 Jan 2020 00:59:57 +0100 +Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow + +That could lead to later assertion failures. + +Fixes #1231 / CVE-2020-8112 +--- + src/lib/openjp2/tcd.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c +index deecc4dff..aa419030a 100644 +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, + /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */ + l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx; + l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy; +- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx; +- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy; ++ { ++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, ++ (OPJ_INT32)l_pdx)) << l_pdx; ++ if (tmp > (OPJ_UINT32)INT_MAX) { ++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); ++ return OPJ_FALSE; ++ } ++ l_br_prc_x_end = (OPJ_INT32)tmp; ++ } ++ { ++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1, ++ (OPJ_INT32)l_pdy)) << l_pdy; ++ if (tmp > (OPJ_UINT32)INT_MAX) { ++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); ++ return OPJ_FALSE; ++ } ++ l_br_prc_y_end = (OPJ_INT32)tmp; ++ } + /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/ + + l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)(( -- cgit