GNU bug report logs - #28325
[PATCH] gnu: openjpeg: Fix CVE-2017-{14040,14041}.


Package: guix-patches;

Reported by: Kei Kebreau <kkebreau <at> posteo.net>

Date: Sat, 2 Sep 2017 00:52:01 UTC

Severity: normal

Tags: patch

Done: Kei Kebreau <kkebreau <at> posteo.net>



Report forwarded to guix-patches <at> gnu.org:
bug#28325; Package guix-patches. (Sat, 02 Sep 2017 00:52:01 GMT)

Acknowledgement sent to Kei Kebreau <kkebreau <at> posteo.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 02 Sep 2017 00:52:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kkebreau <at> posteo.net>
To: guix-patches <at> gnu.org
Cc: Kei Kebreau <kkebreau <at> posteo.net>
Subject: [PATCH] gnu: openjpeg: Fix CVE-2017-{14040,14041}.
Date: Fri,  1 Sep 2017 20:51:01 -0400
* gnu/packages/image.scm (openjpeg)[source]: Add patches.
* gnu/packages/patches/openjpeg-CVE-2017-14040.patch,
gnu/packages/patches/openjpeg-CVE-2017-14041.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
---
 gnu/local.mk                                       |  2 +
 gnu/packages/image.scm                             |  4 +-
 gnu/packages/patches/openjpeg-CVE-2017-14040.patch | 83 ++++++++++++++++++++++
 gnu/packages/patches/openjpeg-CVE-2017-14041.patch | 25 +++++++
 4 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14040.patch
 create mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14041.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 8c683b8e4..05a640428 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -888,6 +888,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/openscenegraph-ffmpeg3.patch             \
   %D%/packages/patches/openexr-missing-samples.patch		\
   %D%/packages/patches/openjpeg-CVE-2017-12982.patch		\
+  %D%/packages/patches/openjpeg-CVE-2017-14040.patch		\
+  %D%/packages/patches/openjpeg-CVE-2017-14041.patch		\
   %D%/packages/patches/openldap-CVE-2017-9287.patch		\
   %D%/packages/patches/openocd-nrf52.patch			\
   %D%/packages/patches/openssl-runpath.patch			\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index e93248199..a6b8e3623 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -520,7 +520,9 @@ work.")
         (sha256
          (base32
           "0yvfghxwfm3dcqr9krkw63pcd76hzkknc3fh7bh11s8qlvjvrpbg"))
-        (patches (search-patches "openjpeg-CVE-2017-12982.patch"))))
+        (patches (search-patches "openjpeg-CVE-2017-12982.patch"
+                                 "openjpeg-CVE-2017-14040.patch"
+                                 "openjpeg-CVE-2017-14041.patch"))))
     (build-system cmake-build-system)
     (arguments
       ;; Trying to run `$ make check' results in a no rule fault.
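Review bot: both added patch files touch only src/bin/jp2/convert.c (tgatoimage and pgxtoimage, which take an opj_cparameters_t and so feed the encoder's command-line front end), not the libopenjp2 decoding library, so a sentence in the commit message or a comment beside the search-patches list saying that the fixes are confined to the CLI converters would help a later maintainer decide whether dependents of the library need attention. Since this edits the package's source rather than adding a `replacement` graft, every package depending on openjpeg is rebuilt; if that is not intended on master, the usual Guix route for a security fix is a graft.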
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14040.patch b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch
new file mode 100644
index 000000000..bd7473ba0
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch
@@ -0,0 +1,83 @@
+http://openwall.com/lists/oss-security/2017/08/28/3
+https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281.patch
+
+From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault <at> spatialys.com>
+Date: Thu, 17 Aug 2017 11:47:40 +0200
+Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
+ fixes unaligned load (#995)
+
+---
+ src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
+ 1 file changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index a4eb81f6a..73dfc8d5f 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -580,13 +580,10 @@ struct tga_header {
+ };
+ #endif /* INFORMATION_ONLY */
+ 
+-static unsigned short get_ushort(const unsigned char *data)
++/* Returns a ushort from a little-endian serialized value */
++static unsigned short get_tga_ushort(const unsigned char *data)
+ {
+-    unsigned short val = *(const unsigned short *)data;
+-#ifdef OPJ_BIG_ENDIAN
+-    val = ((val & 0xffU) << 8) | (val >> 8);
+-#endif
+-    return val;
++    return data[0] | (data[1] << 8);
+ }
+ 
+ #define TGA_HEADER_SIZE 18
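Review bot: `return data[0] | (data[1] << 8);` is evaluated in int after integer promotion and then implicitly narrowed to unsigned short; an explicit `(unsigned short)(data[0] | (data[1] << 8))` makes the intended width clear and keeps -Wconversion builds quiet. The rewrite does remove the real problems of the old body, the unaligned `*(const unsigned short *)data` load (undefined behaviour and a fault on strict-alignment targets) and the OPJ_BIG_ENDIAN swap, and the new comment could also state the precondition the callers rely on: data points into the TGA_HEADER_SIZE (18-byte) header buffer read by tga_readheader, and the largest offset used below is 14, so data[1] stays in bounds.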
+@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
+     id_len = tga[0];
+     /*cmap_type = tga[1];*/
+     image_type = tga[2];
+-    /*cmap_index = get_ushort(&tga[3]);*/
+-    cmap_len = get_ushort(&tga[5]);
++    /*cmap_index = get_tga_ushort(&tga[3]);*/
++    cmap_len = get_tga_ushort(&tga[5]);
+     cmap_entry_size = tga[7];
+ 
+ 
+ #if 0
+-    x_origin = get_ushort(&tga[8]);
+-    y_origin = get_ushort(&tga[10]);
++    x_origin = get_tga_ushort(&tga[8]);
++    y_origin = get_tga_ushort(&tga[10]);
+ #endif
+-    image_w = get_ushort(&tga[12]);
+-    image_h = get_ushort(&tga[14]);
++    image_w = get_tga_ushort(&tga[12]);
++    image_h = get_tga_ushort(&tga[14]);
+     pixel_depth = tga[16];
+     image_desc  = tga[17];
+ 
+@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
+         color_space = OPJ_CLRSPC_SRGB;
+     }
+ 
++    /* If the declared file size is > 10 MB, check that the file is big */
++    /* enough to avoid excessive memory allocations */
++    if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
++        char ch;
++        OPJ_UINT64 expected_file_size =
++            (OPJ_UINT64)image_width * image_height * numcomps;
++        long curpos = ftell(f);
++        if (expected_file_size > (OPJ_UINT64)INT_MAX) {
++            expected_file_size = (OPJ_UINT64)INT_MAX;
++        }
++        fseek(f, (long)expected_file_size - 1, SEEK_SET);
++        if (fread(&ch, 1, 1, f) != 1) {
++            fclose(f);
++            return NULL;
++        }
++        fseek(f, curpos, SEEK_SET);
++    }
++
+     subsampling_dx = parameters->subsampling_dx;
+     subsampling_dy = parameters->subsampling_dy;
+ 
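Review bot: the return values of ftell() and both fseek() calls are ignored; on an unseekable or failing stream curpos is -1, the restoring `fseek(f, curpos, SEEK_SET)` silently fails, and the pixel loop then reads from the wrong position. Suggest checking each call, e.g. `if (curpos < 0 || fseek(f, (long)expected_file_size - 1, SEEK_SET) != 0) { fclose(f); return NULL; }` and likewise for the seek back to curpos. Two caveats the comment should spell out: expected_file_size counts width * height * numcomps bytes from the start of the file rather than from the current offset (after the header and image id), so it is only a lower bound, and clamping it to INT_MAX means the probe proves the file has at least INT_MAX bytes, not that the later allocation cannot overflow; this is a rejection heuristic against oversized allocations, not a validity check. It is also worth confirming that this path is not reached for compressed TGA variants, where a well-formed file can legitimately be smaller than the uncompressed pixel count.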
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14041.patch b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch
new file mode 100644
index 000000000..6e3fccf3c
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch
@@ -0,0 +1,25 @@
+http://openwall.com/lists/oss-security/2017/08/28/4
+https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
+
+From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault <at> spatialys.com>
+Date: Fri, 18 Aug 2017 13:39:20 +0200
+Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
+
+---
+ src/bin/jp2/convert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index 5459f7d44..e606c9be7 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
+     }
+ 
+     fseek(f, 0, SEEK_SET);
+-    if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
++    if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+                &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+         fclose(f);
+         fprintf(stderr,
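Review bot: the `%31[...]` field widths only close the stack overflow if `temp` and `signtmp` are at least 32 bytes, and their declarations are not in this hunk; tie the two together, e.g. `char temp[32], signtmp[32];` next to a `#define PGX_TOKEN_MAX 31` used in the format string, or build the width from sizeof, so a later resize of either buffer cannot reintroduce the bug. Note that temp receives three of the `%31[ \t]` conversions, which is fine for whitespace runs, while the `%d` conversions into prec, w and h remain unbounded and negative or huge values still have to be rejected by the checks that follow the fscanf.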
-- 
2.14.1





Information forwarded to guix-patches <at> gnu.org:
bug#28325; Package guix-patches. (Sat, 02 Sep 2017 10:47:02 GMT)

Message #8 received at 28325 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Kei Kebreau <kkebreau <at> posteo.net>, 28325 <at> debbugs.gnu.org
Cc: Kei Kebreau <kkebreau <at> posteo.net>
Subject: Re: [bug#28325] [PATCH] gnu: openjpeg: Fix CVE-2017-{14040,14041}.
Date: Sat, 02 Sep 2017 12:46:21 +0200
Kei Kebreau <kkebreau <at> posteo.net> writes:

> * gnu/packages/image.scm (openjpeg)[source]: Add patches.
> * gnu/packages/patches/openjpeg-CVE-2017-14040.patch,
> gnu/packages/patches/openjpeg-CVE-2017-14041.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register them.

LGTM.

Reply sent to Kei Kebreau <kkebreau <at> posteo.net>:
You have taken responsibility. (Sat, 02 Sep 2017 14:23:02 GMT)

Notification sent to Kei Kebreau <kkebreau <at> posteo.net>:
bug acknowledged by developer. (Sat, 02 Sep 2017 14:23:05 GMT)

Message #13 received at 28325-done <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kkebreau <at> posteo.net>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 28325-done <at> debbugs.gnu.org
Subject: Re: [bug#28325] [PATCH] gnu: openjpeg: Fix CVE-2017-{14040,14041}.
Date: Sat, 02 Sep 2017 10:21:53 -0400
Marius Bakke <mbakke <at> fastmail.com> writes:

> Kei Kebreau <kkebreau <at> posteo.net> writes:
>
>> * gnu/packages/image.scm (openjpeg)[source]: Add patches.
>> * gnu/packages/patches/openjpeg-CVE-2017-14040.patch,
>> gnu/packages/patches/openjpeg-CVE-2017-14041.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register them.
>
> LGTM.

Pushed to master as d536113df0049e979a088a7794016d77a784b95c. Thanks for
reviewing!

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 01 Oct 2017 11:24:04 GMT)

