From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:33912) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dnwfN-0002PU-G3 for guix-patches@gnu.org; Fri, 01 Sep 2017 20:52:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dnwfK-0002kv-EK for guix-patches@gnu.org; Fri, 01 Sep 2017 20:52:05 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:60398) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dnwfK-0002kh-AS for guix-patches@gnu.org; Fri, 01 Sep 2017 20:52:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dnwfJ-0000qZ-VY for guix-patches@gnu.org; Fri, 01 Sep 2017 20:52:01 -0400 Subject: [bug#28325] [PATCH] gnu: openjpeg: Fix CVE-2017-{14040,14041}. Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:33645) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dnwec-0002GZ-8j for guix-patches@gnu.org; Fri, 01 Sep 2017 20:51:19 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dnweY-0002NH-Pa for guix-patches@gnu.org; Fri, 01 Sep 2017 20:51:18 -0400 Received: from mout02.posteo.de ([185.67.36.66]:37191) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dnweY-0002LD-55 for guix-patches@gnu.org; Fri, 01 Sep 2017 20:51:14 -0400 Received: from submission (posteo.de [89.146.220.130]) by mout02.posteo.de (Postfix) with ESMTPS id 1EC1A20BD4 for ; Sat, 2 Sep 2017 02:51:11 +0200 (CEST) From: Kei Kebreau Date: Fri, 1 Sep 2017 20:51:01 -0400 Message-Id: <20170902005101.30290-1-kkebreau@posteo.net> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 28325@debbugs.gnu.org Cc: Kei Kebreau * gnu/packages/image.scm (openjpeg)[source]: Add patches. * gnu/packages/patches/openjpeg-CVE-2017-14040.patch, gnu/packages/patches/openjpeg-CVE-2017-14041.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. --- gnu/local.mk | 2 + gnu/packages/image.scm | 4 +- gnu/packages/patches/openjpeg-CVE-2017-14040.patch | 83 ++++++++++++++++++++++ gnu/packages/patches/openjpeg-CVE-2017-14041.patch | 25 +++++++ 4 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14040.patch create mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14041.patch diff --git a/gnu/local.mk b/gnu/local.mk index 8c683b8e4..05a640428 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -888,6 +888,8 @@ dist_patch_DATA = \ %D%/packages/patches/openscenegraph-ffmpeg3.patch \ %D%/packages/patches/openexr-missing-samples.patch \ %D%/packages/patches/openjpeg-CVE-2017-12982.patch \ + %D%/packages/patches/openjpeg-CVE-2017-14040.patch \ + %D%/packages/patches/openjpeg-CVE-2017-14041.patch \ %D%/packages/patches/openldap-CVE-2017-9287.patch \ %D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/openssl-runpath.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index e93248199..a6b8e3623 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -520,7 +520,9 @@ work.") (sha256 (base32 "0yvfghxwfm3dcqr9krkw63pcd76hzkknc3fh7bh11s8qlvjvrpbg")) - (patches (search-patches "openjpeg-CVE-2017-12982.patch")))) + (patches (search-patches "openjpeg-CVE-2017-12982.patch" + "openjpeg-CVE-2017-14040.patch" + "openjpeg-CVE-2017-14041.patch")))) (build-system cmake-build-system) (arguments ;; Trying to run `$ make check' results in a no rule fault. diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14040.patch b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch new file mode 100644 index 000000000..bd7473ba0 --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch @@ -0,0 +1,83 @@ +http://openwall.com/lists/oss-security/2017/08/28/3 +https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281.patch + +From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 17 Aug 2017 11:47:40 +0200 +Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and + fixes unaligned load (#995) + +--- + src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------ + 1 file changed, 27 insertions(+), 12 deletions(-) + +diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c +index a4eb81f6a..73dfc8d5f 100644 +--- a/src/bin/jp2/convert.c ++++ b/src/bin/jp2/convert.c +@@ -580,13 +580,10 @@ struct tga_header { + }; + #endif /* INFORMATION_ONLY */ + +-static unsigned short get_ushort(const unsigned char *data) ++/* Returns a ushort from a little-endian serialized value */ ++static unsigned short get_tga_ushort(const unsigned char *data) + { +- unsigned short val = *(const unsigned short *)data; +-#ifdef OPJ_BIG_ENDIAN +- val = ((val & 0xffU) << 8) | (val >> 8); +-#endif +- return val; ++ return data[0] | (data[1] << 8); + } + + #define TGA_HEADER_SIZE 18 +@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel, + id_len = tga[0]; + /*cmap_type = tga[1];*/ + image_type = tga[2]; +- /*cmap_index = get_ushort(&tga[3]);*/ +- cmap_len = get_ushort(&tga[5]); ++ /*cmap_index = get_tga_ushort(&tga[3]);*/ ++ cmap_len = get_tga_ushort(&tga[5]); + cmap_entry_size = tga[7]; + + + #if 0 +- x_origin = get_ushort(&tga[8]); +- y_origin = get_ushort(&tga[10]); ++ x_origin = get_tga_ushort(&tga[8]); ++ y_origin = get_tga_ushort(&tga[10]); + #endif +- image_w = get_ushort(&tga[12]); +- image_h = get_ushort(&tga[14]); ++ image_w = get_tga_ushort(&tga[12]); ++ image_h = get_tga_ushort(&tga[14]); + pixel_depth = tga[16]; + image_desc = tga[17]; + +@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters) + color_space = OPJ_CLRSPC_SRGB; + } + ++ /* If the declared file size is > 10 MB, check that the file is big */ ++ /* enough to avoid excessive memory allocations */ ++ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) { ++ char ch; ++ OPJ_UINT64 expected_file_size = ++ (OPJ_UINT64)image_width * image_height * numcomps; ++ long curpos = ftell(f); ++ if (expected_file_size > (OPJ_UINT64)INT_MAX) { ++ expected_file_size = (OPJ_UINT64)INT_MAX; ++ } ++ fseek(f, (long)expected_file_size - 1, SEEK_SET); ++ if (fread(&ch, 1, 1, f) != 1) { ++ fclose(f); ++ return NULL; ++ } ++ fseek(f, curpos, SEEK_SET); ++ } ++ + subsampling_dx = parameters->subsampling_dx; + subsampling_dy = parameters->subsampling_dy; + diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14041.patch b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch new file mode 100644 index 000000000..6e3fccf3c --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch @@ -0,0 +1,25 @@ +http://openwall.com/lists/oss-security/2017/08/28/4 +https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch + +From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Fri, 18 Aug 2017 13:39:20 +0200 +Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997) + +--- + src/bin/jp2/convert.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c +index 5459f7d44..e606c9be7 100644 +--- a/src/bin/jp2/convert.c ++++ b/src/bin/jp2/convert.c +@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters) + } + + fseek(f, 0, SEEK_SET); +- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, ++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, + &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) { + fclose(f); + fprintf(stderr, -- 2.14.1