From: Kei Kebreau
To: guix-patches@gnu.org
Subject: [PATCH] gnu: openjpeg: Fix CVE-2017-{14040,14041}.
Date: Fri, 1 Sep 2017 20:51:01 -0400

* gnu/packages/image.scm (openjpeg)[source]: Add patches.
* gnu/packages/patches/openjpeg-CVE-2017-14040.patch,
gnu/packages/patches/openjpeg-CVE-2017-14041.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
---
 gnu/local.mk | 2 +
 gnu/packages/image.scm | 4 +-
 gnu/packages/patches/openjpeg-CVE-2017-14040.patch | 83 ++++++++++++++++++++++
 gnu/packages/patches/openjpeg-CVE-2017-14041.patch | 25 +++++++
 4 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14040.patch
 create mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14041.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 8c683b8e4..05a640428 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -888,6 +888,8 @@ dist_patch_DATA = \ %D%/packages/patches/openscenegraph-ffmpeg3.patch \ %D%/packages/patches/openexr-missing-samples.patch \ %D%/packages/patches/openjpeg-CVE-2017-12982.patch \ + %D%/packages/patches/openjpeg-CVE-2017-14040.patch \ + %D%/packages/patches/openjpeg-CVE-2017-14041.patch \ %D%/packages/patches/openldap-CVE-2017-9287.patch \ %D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/openssl-runpath.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index e93248199..a6b8e3623 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -520,7 +520,9 @@ work.") (sha256 (base32 "0yvfghxwfm3dcqr9krkw63pcd76hzkknc3fh7bh11s8qlvjvrpbg")) - (patches (search-patches "openjpeg-CVE-2017-12982.patch")))) + (patches (search-patches "openjpeg-CVE-2017-12982.patch" + "openjpeg-CVE-2017-14040.patch" + "openjpeg-CVE-2017-14041.patch")))) (build-system cmake-build-system) (arguments ;; Trying to run `$ make check' results in a no rule fault. diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14040.patch b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch new file mode 100644 index 000000000..bd7473ba0 --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch 
@@ -0,0 +1,83 @@ +http://openwall.com/lists/oss-security/2017/08/28/3 +https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281.patch + +From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 17 Aug 2017 11:47:40 +0200 +Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and + fixes unaligned load (#995) + +--- + src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------ + 1 file changed, 27 insertions(+), 12 deletions(-) + +diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c +index a4eb81f6a..73dfc8d5f 100644 +--- a/src/bin/jp2/convert.c ++++ b/src/bin/jp2/convert.c +@@ -580,13 +580,10 @@ struct tga_header { + }; + #endif /* INFORMATION_ONLY */ + +-static unsigned short get_ushort(const unsigned char *data) ++/* Returns a ushort from a little-endian serialized value */ ++static unsigned short get_tga_ushort(const unsigned char *data) + { +- unsigned short val = *(const unsigned short *)data; +-#ifdef OPJ_BIG_ENDIAN +- val = ((val & 0xffU) << 8) | (val >> 8); +-#endif +- return val; ++ return data[0] | (data[1] << 8); + } + + #define TGA_HEADER_SIZE 18 +@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel, + id_len = tga[0]; + /*cmap_type = tga[1];*/ + image_type = tga[2]; +- /*cmap_index = get_ushort(&tga[3]);*/ +- cmap_len = get_ushort(&tga[5]); ++ /*cmap_index = get_tga_ushort(&tga[3]);*/ ++ cmap_len = get_tga_ushort(&tga[5]); + cmap_entry_size = tga[7]; + + + #if 0 +- x_origin = get_ushort(&tga[8]); +- y_origin = get_ushort(&tga[10]); ++ x_origin = get_tga_ushort(&tga[8]); ++ y_origin = get_tga_ushort(&tga[10]); + #endif +- image_w = get_ushort(&tga[12]); +- image_h = get_ushort(&tga[14]); ++ image_w = get_tga_ushort(&tga[12]); ++ image_h = get_tga_ushort(&tga[14]); + pixel_depth = tga[16]; + image_desc = tga[17]; + +@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters) + 
color_space = OPJ_CLRSPC_SRGB; + } + ++ /* If the declared file size is > 10 MB, check that the file is big */ ++ /* enough to avoid excessive memory allocations */ ++ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) { ++ char ch; ++ OPJ_UINT64 expected_file_size = ++ (OPJ_UINT64)image_width * image_height * numcomps; ++ long curpos = ftell(f); ++ if (expected_file_size > (OPJ_UINT64)INT_MAX) { ++ expected_file_size = (OPJ_UINT64)INT_MAX; ++ } ++ fseek(f, (long)expected_file_size - 1, SEEK_SET); ++ if (fread(&ch, 1, 1, f) != 1) { ++ fclose(f); ++ return NULL; ++ } ++ fseek(f, curpos, SEEK_SET); ++ } ++ + subsampling_dx = parameters->subsampling_dx; + subsampling_dy = parameters->subsampling_dy; + diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14041.patch b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch new file mode 100644 index 000000000..6e3fccf3c --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch 
@@ -0,0 +1,25 @@ +http://openwall.com/lists/oss-security/2017/08/28/4 +https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch + +From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Fri, 18 Aug 2017 13:39:20 +0200 +Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997) + +--- + src/bin/jp2/convert.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c +index 5459f7d44..e606c9be7 100644 +--- a/src/bin/jp2/convert.c ++++ b/src/bin/jp2/convert.c +@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters) + } + + fseek(f, 0, SEEK_SET); +- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, ++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, + &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) { + fclose(f); + fprintf(stderr, -- 2.14.1
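
Review bot: The headers of the two new files, openjpeg-CVE-2017-14040.patch and openjpeg-CVE-2017-14041.patch, are just two bare URLs each, with nothing saying which CVE the file fixes or that the second URL is the upstream commit the patch was copied from. A one-line description above the links (for example "Fix CVE-2017-14040:" followed by the advisory link, then "Patch copied from upstream source repository:" and the commit link) would make each file self-explanatory when read outside this commit.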
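
Review bot: In the size check added to tgatoimage(), the return values of ftell() and of both fseek() calls are ignored. If `long curpos = ftell(f);` yields -1, the closing `fseek(f, curpos, SEEK_SET);` fails and the stream stays at the probe position, so the pixel reads that follow start from the wrong offset; the block should fclose(f) and return NULL when ftell() returns -1 or either fseek() returns non-zero. Two smaller points in the same block: the condition guards `image_height != 0` but also divides by `numcomps`, so it is worth confirming numcomps cannot be zero here, and the probe offset `expected_file_size - 1` is taken from the start of the file (SEEK_SET) and clamped to INT_MAX, so it is a lower-bound heuristic rather than an exact size validation; the comment should say so. The early `return NULL` is also silent, unlike the pgxtoimage() error path, which prints to stderr.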
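
Review bot: In the pgxtoimage() fscanf() format, the field width 31 is hard-coded four times and is only correct if `temp` and `signtmp` are each at least 32 bytes, but their declarations are outside the hunk. Please confirm the sizes, and consider a comment next to the declarations stating that the `%31[` widths depend on them, so that a later change to either buffer does not bring the stack overflow back. The `%d` conversions for `prec`, `w` and `h` are untouched by this change, so any range validation on those values has to happen after the call.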

From: Marius Bakke
To: Kei Kebreau, 28325@debbugs.gnu.org
Subject: Re: [bug#28325] [PATCH] gnu: openjpeg: Fix CVE-2017-{14040,14041}.
Date: Sat, 02 Sep 2017 12:46:21 +0200

Kei Kebreau writes:

> * gnu/packages/image.scm (openjpeg)[source]: Add patches.
> * gnu/packages/patches/openjpeg-CVE-2017-14040.patch,
> gnu/packages/patches/openjpeg-CVE-2017-14041.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register them.

LGTM.

From: Kei Kebreau
To: Marius Bakke
Cc: 28325-done@debbugs.gnu.org
Subject: Re: [bug#28325] [PATCH] gnu: openjpeg: Fix CVE-2017-{14040,14041}.
Date: Sat, 02 Sep 2017 10:21:53 -0400

Marius Bakke writes:

> Kei Kebreau writes:
>
>> * gnu/packages/image.scm (openjpeg)[source]: Add patches.
>> * gnu/packages/patches/openjpeg-CVE-2017-14040.patch,
>> gnu/packages/patches/openjpeg-CVE-2017-14041.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register them.
>
> LGTM.

Pushed to master as d536113df0049e979a088a7794016d77a784b95c.

Thanks for reviewing!