From aa3cad9000d51a3aae7dd04933776c7efd7f3b87 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 10 Dec 2020 14:36:36 +0100 Subject: sync with Fedora Backport patches for CVE-2020-27824 and CVE-2020-27823 --- openjpeg2-static.spec | 18 +++++++++++++++++- openjpeg2_CVE-2020-27814.patch | 16 ++++++++++++++++ openjpeg2_CVE-2020-27823.patch | 26 ++++++++++++++++++++++++++ openjpeg2_CVE-2020-27824.patch | 23 +++++++++++++++++++++++ openjpeg2_CVE-2020-6851.patch | 19 ++++--------------- openjpeg2_CVE-2020-8112.patch | 21 ++++----------------- openjpeg2_opj2.patch | 4 ++-- 7 files changed, 92 insertions(+), 35 deletions(-) create mode 100644 openjpeg2_CVE-2020-27814.patch create mode 100644 openjpeg2_CVE-2020-27823.patch create mode 100644 openjpeg2_CVE-2020-27824.patch diff --git a/openjpeg2-static.spec b/openjpeg2-static.spec index ea1c2a0..2ee7543 100644 --- a/openjpeg2-static.spec +++ b/openjpeg2-static.spec @@ -11,7 +11,7 @@ Name: openjpeg2-static Version: 2.3.1 -Release: 6%{?dist} +Release: 9%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD @@ -31,6 +31,15 @@ Patch1: openjpeg2_CVE-2020-6851.patch # Backport patch for CVE 2020-8112 # https://github.com/uclouvain/openjpeg/pull/1232/commits/05f9b91e60debda0e83977e5e63b2e66486f7074 Patch2: openjpeg2_CVE-2020-8112.patch +# Backport patch for CVE-2020-27814 +# https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc +Patch3: openjpeg2_CVE-2020-27814.patch +# Backport patch for CVE-2020-27824 +# https://github.com/uclouvain/openjpeg/pull/1292/commits/6daf5f3e1ec6eff03b7982889874a3de6617db8d +Patch4: openjpeg2_CVE-2020-27824.patch +# Backport patch for CVE-2020-27823 +# https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919 +Patch5: openjpeg2_CVE-2020-27823.patch BuildRequires: cmake @@ -215,6 +224,9 @@ OpenJPEG2 JP3D module command line tools %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 # Remove all third party libraries just to be sure find thirdparty/ -mindepth 1 -maxdepth 1 -type d -exec rm -rf {} \; @@ -346,6 +358,10 @@ make test -C %{_target_platform} %changelog +* Thu Feb 13 2020 Remi Collet - 2.3.1-9 +- sync with Fedora +- Backport patches for CVE-2020-27824 and CVE-2020-27823 + * Thu Feb 13 2020 Remi Collet - 2.3.1-6 - sync with Fedora - Backport patch for CVE 2020-8112 diff --git a/openjpeg2_CVE-2020-27814.patch b/openjpeg2_CVE-2020-27814.patch new file mode 100644 index 0000000..cbb8007 --- /dev/null +++ b/openjpeg2_CVE-2020-27814.patch @@ -0,0 +1,16 @@ +diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/tcd.c openjpeg-2.3.1-new/src/lib/openjp2/tcd.c +--- openjpeg-2.3.1/src/lib/openjp2/tcd.c 2020-11-28 23:29:38.701863373 +0100 ++++ openjpeg-2.3.1-new/src/lib/openjp2/tcd.c 2020-11-28 23:29:38.704863383 +0100 +@@ -1235,9 +1235,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + + /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ + /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ ++ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ ++ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff --git a/openjpeg2_CVE-2020-27823.patch b/openjpeg2_CVE-2020-27823.patch new file mode 100644 index 0000000..02fa0ac --- /dev/null +++ b/openjpeg2_CVE-2020-27823.patch @@ -0,0 +1,26 @@ +From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 30 Nov 2020 22:31:51 +0100 +Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is + used, that would result in a heap buffer overflow (fixes #1284) + +--- + src/bin/jp2/convertpng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c +index 328c91beb..00f596e27 100644 +--- a/src/bin/jp2/convertpng.c ++++ b/src/bin/jp2/convertpng.c +@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params) + image->x0 = (OPJ_UINT32)params->image_offset_x0; + image->y0 = (OPJ_UINT32)params->image_offset_y0; + image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32) +- params->subsampling_dx + 1 + image->x0); ++ params->subsampling_dx + 1); + image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32) +- params->subsampling_dy + 1 + image->y0); ++ params->subsampling_dy + 1); + + row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32)); + if (row32s == NULL) { diff --git a/openjpeg2_CVE-2020-27824.patch b/openjpeg2_CVE-2020-27824.patch new file mode 100644 index 0000000..8301f7e --- /dev/null +++ b/openjpeg2_CVE-2020-27824.patch @@ -0,0 +1,23 @@ +From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 30 Nov 2020 22:37:07 +0100 +Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible + conversion when too many decomposition levels are specified (fixes #1286) + +--- + src/lib/openjp2/dwt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c +index ee9eb5e63..4164ba090 100644 +--- a/src/lib/openjp2/dwt.c ++++ b/src/lib/openjp2/dwt.c +@@ -1976,7 +1976,7 @@ void opj_dwt_calc_explicit_stepsizes(opj_tccp_t * tccp, OPJ_UINT32 prec) + if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) { + stepsize = 1.0; + } else { +- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level]; ++ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient); + stepsize = (1 << (gain)) / norm; + } + opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0), diff --git a/openjpeg2_CVE-2020-6851.patch b/openjpeg2_CVE-2020-6851.patch index 9a70291..5e2cfd7 100644 --- a/openjpeg2_CVE-2020-6851.patch +++ b/openjpeg2_CVE-2020-6851.patch @@ -1,18 +1,7 @@ -From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 11 Jan 2020 01:51:19 +0100 -Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose - coordinates are beyond INT_MAX (fixes #1228) - ---- - src/lib/openjp2/j2k.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c -index 14f6ff41a..922550eb1 100644 ---- a/src/lib/openjp2/j2k.c -+++ b/src/lib/openjp2/j2k.c -@@ -9221,6 +9221,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image, +diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/j2k.c openjpeg-2.3.1-new/src/lib/openjp2/j2k.c +--- openjpeg-2.3.1/src/lib/openjp2/j2k.c 2019-04-02 14:45:15.000000000 +0200 ++++ openjpeg-2.3.1-new/src/lib/openjp2/j2k.c 2020-11-28 23:29:38.618863089 +0100 +@@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dim l_img_comp = p_image->comps; for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) { OPJ_INT32 l_h, l_w; diff --git a/openjpeg2_CVE-2020-8112.patch b/openjpeg2_CVE-2020-8112.patch index 95cb809..dd6e1b9 100644 --- a/openjpeg2_CVE-2020-8112.patch +++ b/openjpeg2_CVE-2020-8112.patch @@ -1,20 +1,7 @@ -From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 30 Jan 2020 00:59:57 +0100 -Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow - -That could lead to later assertion failures. - -Fixes #1231 / CVE-2020-8112 ---- - src/lib/openjp2/tcd.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c -index deecc4dff..aa419030a 100644 ---- a/src/lib/openjp2/tcd.c -+++ b/src/lib/openjp2/tcd.c -@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, +diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/tcd.c openjpeg-2.3.1-new/src/lib/openjp2/tcd.c +--- openjpeg-2.3.1/src/lib/openjp2/tcd.c 2019-04-02 14:45:15.000000000 +0200 ++++ openjpeg-2.3.1-new/src/lib/openjp2/tcd.c 2020-11-28 23:29:38.662863239 +0100 +@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx; l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy; diff --git a/openjpeg2_opj2.patch b/openjpeg2_opj2.patch index 4a531ad..f4ecd0c 100644 --- a/openjpeg2_opj2.patch +++ b/openjpeg2_opj2.patch @@ -1,6 +1,6 @@ -diff -rupN openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt +diff -rupN --no-dereference openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt --- openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt 2019-04-02 14:45:15.000000000 +0200 -+++ openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt 2019-04-02 16:14:13.726252297 +0200 ++++ openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt 2020-11-28 23:29:38.576862946 +0100 @@ -44,6 +44,8 @@ endif() # Loop over all executables: foreach(exe opj_decompress opj_compress opj_dump) -- cgit