From: Efraim Flashner
Subject: Re: [PATCH 1/2] gnu: openjpeg-2.*: Fix CVE-2016-7163.
Date: Fri, 9 Sep 2016 10:15:58 +0300
Message-ID: <20160909071557.GA5507@macbook42.flashner.co.il>
In-Reply-To: <27adc51d1fc250e1900d84d32f7e73d6bf67e04a.1473400918.git.leo@famulari.name>
To: Leo Famulari
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

On Fri, Sep 09, 2016 at 02:04:40AM -0400, Leo Famulari wrote:
> * gnu/packages/patches/openjpeg-CVE-2016-7163.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/image.scm (openjpeg, openjpeg-2.0): Use it.
> ---
>  gnu/local.mk                                      |  1 +
>  gnu/packages/image.scm                            |  6 +-
>  gnu/packages/patches/openjpeg-CVE-2016-7163.patch | 71 +++++++++++++++++++++++
>  3 files changed, 76 insertions(+), 2 deletions(-)
>  create mode 100644 gnu/packages/patches/openjpeg-CVE-2016-7163.patch
> 
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 8b042d5..668c9b2 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -702,6 +702,7 @@ dist_patch_DATA = \
>    %D%/packages/patches/ocaml-findlib-make-install.patch \
>    %D%/packages/patches/openexr-missing-samples.patch \
>    %D%/packages/patches/openjpeg-CVE-2015-6581.patch \
> +  %D%/packages/patches/openjpeg-CVE-2016-7163.patch \
>    %D%/packages/patches/openjpeg-use-after-free-fix.patch \
>    %D%/packages/patches/openssl-runpath.patch \
>    %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \
> diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
> index a65bf39..64bc05d 100644
> --- a/gnu/packages/image.scm
> +++ b/gnu/packages/image.scm
> @@ -387,7 +387,8 @@ work.")
>                (sha256
>                 (base32 "00zzm303zvv4ijzancrsb1cqbph3pgz0nky92k9qx3fq9y0vnchj"))
>                (patches (search-patches "openjpeg-use-after-free-fix.patch"
> -                                      "openjpeg-CVE-2015-6581.patch"))))
> +                                      "openjpeg-CVE-2015-6581.patch"
> +                                      "openjpeg-CVE-2016-7163.patch"))))
>      (build-system cmake-build-system)
>      (arguments
>        ;; Trying to run `$ make check' results in a no rule fault.
> @@ -424,7 +425,8 @@ error-resilience, a Java-viewer for j2k-images, ...")
>                 (sha256
>                  (base32 "1c2xc3nl2mg511b63rk7hrckmy14681p1m44mzw3n1fyqnjm0b0z"))
>                 (patches (search-patches "openjpeg-use-after-free-fix.patch"
> -                                       "openjpeg-CVE-2015-6581.patch"))))))
> +                                       "openjpeg-CVE-2015-6581.patch"
> +                                       "openjpeg-CVE-2016-7163.patch"))))))
>  
>  (define-public openjpeg-1
>    (package (inherit openjpeg)
> diff --git a/gnu/packages/patches/openjpeg-CVE-2016-7163.patch b/gnu/packages/patches/openjpeg-CVE-2016-7163.patch
> new file mode 100644
> index 0000000..68cf7b9
> --- /dev/null
> +++ b/gnu/packages/patches/openjpeg-CVE-2016-7163.patch
> @@ -0,0 +1,71 @@
> +Fix CVE-2016-7613 (Integer overflow in opj_pi_create_decode allowing execution
> +of arbitrary code):
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163
> +https://github.com/uclouvain/openjpeg/issues/826
> +http://seclists.org/oss-sec/2016/q3/442
> +
> +Copied from upstream repository:
> +
> +https://github.com/uclouvain/openjpeg/commit/c16bc057ba3f125051c9966cf1f5b68a05681de4
> +https://github.com/uclouvain/openjpeg/commit/ef01f18dfc6780b776d0674ed3e7415c6ef54d24
> +
> +From ef01f18dfc6780b776d0674ed3e7415c6ef54d24 Mon Sep 17 00:00:00 2001
> +From: Matthieu Darbois
> +Date: Thu, 8 Sep 2016 07:34:46 +0200
> +Subject: [PATCH] Cast to size_t before multiplication
> +
> +Prevent an integer overflow issue in function opj_pi_create_decode of
> +pi.c.
> +---
> + src/lib/openjp2/pi.c | 8 +++++++-
> + 1 file changed, 7 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
> +index cffad66..36e2ff0 100644
> +--- a/src/lib/openjp2/pi.c
> ++++ b/src/lib/openjp2/pi.c
> +@@ -1237,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
> +         l_current_pi = l_pi;
> + 
> +         /* memory allocation for include */
> +-        l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
> ++        /* prevent an integer overflow issue */
> ++        l_current_pi->include = 00;
> ++        if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
> ++        {
> ++            l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
> ++        }
> ++
> +         if
> +             (!l_current_pi->include)
> +         {
> +-- 
> +2.10.0
> +
> +Need to cast to size_t before multiplication otherwise overflow check is useless.
> +---
> + src/lib/openjp2/pi.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
> +index 36e2ff0..809b33d 100644
> +--- a/src/lib/openjp2/pi.c
> ++++ b/src/lib/openjp2/pi.c
> +@@ -1241,7 +1241,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image,
> +         l_current_pi->include = 00;
> +         if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))
> +         {
> +-            l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
> ++            l_current_pi->include = (OPJ_INT16*) opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16));
> +         }
> + 
> +         if
> +-- 
> +2.10.0
> +

Was from here down put/left here intentionally? It looks out of place

> +From c16bc057ba3f125051c9966cf1f5b68a05681de4 Mon Sep 17 00:00:00 2001
> +From: trylab
> +Date: Tue, 6 Sep 2016 13:55:49 +0800
> +Subject: [PATCH] Fix an integer overflow issue (#809)
> +
> -- 
> 2.10.0
> 
> 

-- 
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
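Review bot: the two image.scm hunks apply one patch file to both `openjpeg` (source hash `00zzm303...`) and `openjpeg-2.0` (source hash `1c2xc3nl...`), but the embedded pi.c hunks carry context from upstream master (`@@ -1237,7 +1237,13 @@` against `index cffad66..36e2ff0`), so pi.c in the 2.0 tarball may not match; confirm the patch applies to both release tarballs without fuzz before pushing, since `search-patches` will fail the build of whichever one it does not fit. The `openjpeg-1` package visible in the trailing context `(package (inherit openjpeg)` is unaffected only if it overrides `source`, which is worth a glance as well.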
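Review bot: the commit header glued onto the first embedded pi.c hunk is the wrong one, and that is what the trailing `From c16bc057...` block at the end of the file is: the hunk under `From ef01f18d... Subject: [PATCH] Cast to size_t before multiplication` is the one that adds the `SIZE_MAX` guard (diffstat `8 +++++++-`, `7 insertions(+), 1 deletion(-)`, `index cffad66..36e2ff0`), which is trylab's `Fix an integer overflow issue (#809)` dated 6 Sep, while the Darbois header describes the second hunk (`2 +-`, `index 36e2ff0..809b33d`, whose message reads `Need to cast to size_t before multiplication otherwise overflow check is useless.`). Suggest moving the trylab `From:`/`Date:`/`Subject:` lines above the first `diff --git a/src/lib/openjp2/pi.c` and leaving the Darbois lines above the second, so each embedded commit keeps its own message and nothing dangles after the last `2.10.0`; the blob chain and the dates both support that order. While in the description, `Fix CVE-2016-7613` on the first line should read `CVE-2016-7163`, as the file name and the mitre URL two lines below do.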
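Review bot: the guard added in the first pi.c hunk, `if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))`, divides by `l_tcp->numlayers + 1U`, which wraps to zero if `numlayers` can reach the maximum of its unsigned type, turning the overflow check into a division by zero; confirm the code-stream parser bounds `numlayers` before `opj_pi_create_decode` runs, or reject that value ahead of the division. The hunk also introduces `SIZE_MAX` without adding an include, so check that pi.c already gets `<stdint.h>` through its existing headers; otherwise the build of either package will fail on the patched file.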
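Review bot: the second pi.c hunk is what makes the first one effective, so the Guix patch must carry both: in the first hunk the guard is computed in `size_t` but the allocation size `(l_tcp->numlayers +1) * l_step_l` is still multiplied in the operands' own narrower type, so it can wrap to a small value before `opj_calloc` sees it, which is what the message `otherwise overflow check is useless` refers to; `(size_t)(l_tcp->numlayers + 1U) * l_step_l` widens before multiplying so the product is the one the guard bounded. Worth a line in the description saying the second commit is a required follow-up, so nobody trims the file to the first commit later.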
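The failure the second commit message describes, as an added C example (not code from openjpeg or from this patch; `numlayers` and `step_l` stand in for `l_tcp->numlayers` and `l_step_l` and are assumed to be 32-bit unsigned, and a 64-bit `size_t` is assumed): the guard compares `step_l` against `SIZE_MAX / (numlayers + 1)`, but when the product is then evaluated in 32-bit arithmetic it can wrap to a value the guard never saw, so `calloc` is handed a tiny element count. The second variant widens before multiplying, as the second hunk does; the third goes one step beyond the patch and also rejects the `numlayers + 1 == 0` case that would make the guard divide by zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not openjpeg code.  numlayers/step_l mirror
 * l_tcp->numlayers/l_step_l from the hunk; treating them as 32-bit
 * unsigned and size_t as 64-bit is an assumption made here. */

/* Mirrors the first upstream hunk: guard against SIZE_MAX, then multiply
 * in the operands' own 32-bit type.  Returns 1 and the element count calloc
 * would receive, or 0 if the guard rejects the input. */
int include_count_guard_only(uint32_t numlayers, uint32_t step_l, size_t *count)
{
    if (step_l <= SIZE_MAX / (numlayers + 1U)) {
        *count = (numlayers + 1U) * step_l;   /* uint32 * uint32: wraps mod 2^32 */
        return 1;
    }
    return 0;
}

/* Mirrors the second upstream hunk: widen to size_t before multiplying,
 * so the product is the one the guard actually bounded. */
int include_count_with_cast(uint32_t numlayers, uint32_t step_l, size_t *count)
{
    if (step_l <= SIZE_MAX / (numlayers + 1U)) {
        *count = (size_t)(numlayers + 1U) * step_l;
        return 1;
    }
    return 0;
}

/* Beyond the patch (added here): also refuse numlayers + 1 wrapping to
 * zero, which would otherwise make the guard divide by zero. */
int include_count_hardened(uint32_t numlayers, uint32_t step_l, size_t *count)
{
    if (numlayers == UINT32_MAX)
        return 0;
    if (step_l > SIZE_MAX / (numlayers + 1U))
        return 0;
    *count = (size_t)(numlayers + 1U) * step_l;
    return 1;
}

/* Allocate the include[] table the way the hunk does (calloc of 16-bit
 * ints), returning NULL when the size computation is rejected. */
int16_t *alloc_include(uint32_t numlayers, uint32_t step_l)
{
    size_t count;
    if (!include_count_hardened(numlayers, step_l, &count))
        return NULL;
    return (int16_t *)calloc(count, sizeof(int16_t));
}

int main(void)
{
    /* Constructed input: (65535 + 1) * 65536 == 2^32, which wraps to 0 in
     * 32-bit arithmetic yet passes the SIZE_MAX guard on a 64-bit host. */
    size_t n = 0;
    include_count_guard_only(65535U, 65536U, &n);   /* n == 0: calloc(0, 2) */
    include_count_with_cast(65535U, 65536U, &n);    /* n == 4294967296 */
    return 0;
}
```

With the guard alone, the decoder would get a zero-element `include` table from `calloc(0, 2)` and then index into it; with the cast, the request is for 2^32 elements, which `calloc` either satisfies or fails cleanly, and the `!l_current_pi->include` check that follows in the hunk handles the failure.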