aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/openjpeg/APKBUILD49
-rw-r--r--main/openjpeg/CVE-2017-14040.patch80
-rw-r--r--main/openjpeg/CVE-2017-14041.patch22
-rw-r--r--main/openjpeg/CVE-2017-14151.patch43
-rw-r--r--main/openjpeg/CVE-2017-14152.patch35
-rw-r--r--main/openjpeg/CVE-2017-14164.patch86
6 files changed, 302 insertions, 13 deletions
diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD
index 7f8c248fb1..3c89a34529 100644
--- a/main/openjpeg/APKBUILD
+++ b/main/openjpeg/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Maintainer:
pkgname=openjpeg
-pkgver=2.1.2
-pkgrel=2
+pkgver=2.2.0
+pkgrel=0
pkgdesc="Open-source implementation of JPEG2000 image codec"
url="http://www.openjpeg.org/"
arch="all"
@@ -13,8 +13,13 @@ makedepends="$depends_dev libpng-dev tiff-dev lcms-dev doxygen cmake"
install=""
subpackages="$pkgname-dev $pkgname-tools"
source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz
- CVE-2016-9580-9581.patch
- CVE-2017-12982.patch"
+ CVE-2017-12982.patch
+ CVE-2017-14040.patch
+ CVE-2017-14041.patch
+ CVE-2017-14151.patch
+ CVE-2017-14152.patch
+ CVE-2017-14164.patch"
+
builddir="${srcdir}/$pkgname-$pkgver"
build() {
@@ -29,6 +34,12 @@ build() {
}
# secfixes:
+# 2.2.0-r0:
+# - CVE-2017-14040
+# - CVE-2017-14041
+# - CVE-2017-14151
+# - CVE-2017-14152
+# - CVE-2017-14164
# 2.1.2-r2:
# - CVE-2017-12982
# 2.1.2-r1:
@@ -46,12 +57,24 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-md5sums="40a7bfdcc66280b3c1402a0eb1a27624 openjpeg-2.1.2.tar.gz
-a5971d486b670e76d5e473ff15e65405 CVE-2016-9580-9581.patch
-8dac6b8c8cb72f43e59ce785ea07eb32 CVE-2017-12982.patch"
-sha256sums="4ce77b6ef538ef090d9bde1d5eeff8b3069ab56c4906f083475517c2c023dfa7 openjpeg-2.1.2.tar.gz
-e352e9480925a31804d965c673545eeaa32d0a47605abaaa09b515ca956058ba CVE-2016-9580-9581.patch
-2693934f4e57a57ec28f9b4fa7664c79e8a200910ef7fbe41a72b8cf1e5b711f CVE-2017-12982.patch"
-sha512sums="411067e33c8e4da9921d0281e932a4ac2af592cf822bfad828daea9e2b9c414859455bcec6d912ce76460ea462fa4cbd94a401333bda5716ec017d18b8e5942c openjpeg-2.1.2.tar.gz
-bffe1126c18296fdc1e7f98437e2b468b8b16c4903d504dc9abf24a9b8e02f18e86200038c5a59c061c40d41b42f6b378776ed0040559bb362a3a592928941d7 CVE-2016-9580-9581.patch
-0e0ce7bdf53c4b6f1b2e9e5f855186763a1bea39b70bdc1fd5b60a5516036a04562cb43030e9946972009e3733d0efadb8ba4825939e32ba6b9419d6428ee9ad CVE-2017-12982.patch"
+md5sums="269bb0b175476f3addcc0d03bd9a97b6 openjpeg-2.2.0.tar.gz
+8dac6b8c8cb72f43e59ce785ea07eb32 CVE-2017-12982.patch
+2f16d123a34518bd2d89020f1d7b5bfe CVE-2017-14040.patch
+f9eb736858243cef1e93479c9cb035a6 CVE-2017-14041.patch
+d181ddab2dfc27b025a79b4b0de05fbb CVE-2017-14151.patch
+77cadc5bc2891ed79669b330bf22c41e CVE-2017-14152.patch
+2a145c081ee1f02c97d68f469e9bbf14 CVE-2017-14164.patch"
+sha256sums="6fddbce5a618e910e03ad00d66e7fcd09cc6ee307ce69932666d54c73b7c6e7b openjpeg-2.2.0.tar.gz
+2693934f4e57a57ec28f9b4fa7664c79e8a200910ef7fbe41a72b8cf1e5b711f CVE-2017-12982.patch
+d3edf997981dade53f44fb0659eff297db4fb44d197ef1d3ad0861a061221995 CVE-2017-14040.patch
+62acd64dfb0aa17135b9b2fa7bdf032ab77524e29f3a817a8309a2fe04828593 CVE-2017-14041.patch
+c07fee74428ce8ced1de20785e20f26974f57cd75bb64d30e9534ed156e0004b CVE-2017-14151.patch
+7b8d8ed43cbf85331b876eea10263c8fbbbcb5bacc38ce014d3d859d095d8090 CVE-2017-14152.patch
+a764be45f861650c56fccca7bf74ae40329e6cdf1fe59be84bb0250f9e1dee94 CVE-2017-14164.patch"
+sha512sums="20651c380bee582ab1950994c424cc00061ad852e9c5438fb32a9809e3f275571a4cc7e92589add0d91debf2394262e58f441c2dd918809fc1c602ed68396a3a openjpeg-2.2.0.tar.gz
+0e0ce7bdf53c4b6f1b2e9e5f855186763a1bea39b70bdc1fd5b60a5516036a04562cb43030e9946972009e3733d0efadb8ba4825939e32ba6b9419d6428ee9ad CVE-2017-12982.patch
+532c268346ad6993d7085652fbebe65ec0412a8d12771b86c325ef9f1cb6e0f7252ac95dfb976fa00ecfffd7b140ddc74b2964b04764e0803fb7e8c344a2b58a CVE-2017-14040.patch
+d22735e20c7b08bb292bfda03a659481466a152294c388854aed3623ff769aed6c6491a8e6286b4dfdc8212a465b1596232e51fe8e8ba3a608ebf27b32d33d56 CVE-2017-14041.patch
+66019c7a30a6b6303992d518b8184e57b58824f8b63bc8857436aa404257bf1f1d64ab6100a5f0ed18fa1b41c09501e77230207ca028bc16db35fc2d834a6506 CVE-2017-14151.patch
+c244e0e4db1473583ffac6b31808b70bd3554e6eba7b357891aca7f8ad0ab687d433aac3d3f210349507cc54981b0171eb9a72e4a890925beaa2c9d9ee877dfd CVE-2017-14152.patch
+640cd731f5ee3a5fecbc8ca7c78d626c383155dbefe3a240319bcea81b5bc9996e028055ff64df192b5ed02e3a9e18b681b2ab4f106c3d555b68c93115dc6d01 CVE-2017-14164.patch"
diff --git a/main/openjpeg/CVE-2017-14040.patch b/main/openjpeg/CVE-2017-14040.patch
new file mode 100644
index 0000000000..dd9183dad1
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14040.patch
@@ -0,0 +1,80 @@
+From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Aug 2017 11:47:40 +0200
+Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
+ fixes unaligned load (#995)
+
+---
+ src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
+ 1 file changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index a4eb81f6a..73dfc8d5f 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -580,13 +580,10 @@ struct tga_header {
+ };
+ #endif /* INFORMATION_ONLY */
+
+-static unsigned short get_ushort(const unsigned char *data)
++/* Returns a ushort from a little-endian serialized value */
++static unsigned short get_tga_ushort(const unsigned char *data)
+ {
+- unsigned short val = *(const unsigned short *)data;
+-#ifdef OPJ_BIG_ENDIAN
+- val = ((val & 0xffU) << 8) | (val >> 8);
+-#endif
+- return val;
++ return data[0] | (data[1] << 8);
+ }
+
+ #define TGA_HEADER_SIZE 18
+@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
+ id_len = tga[0];
+ /*cmap_type = tga[1];*/
+ image_type = tga[2];
+- /*cmap_index = get_ushort(&tga[3]);*/
+- cmap_len = get_ushort(&tga[5]);
++ /*cmap_index = get_tga_ushort(&tga[3]);*/
++ cmap_len = get_tga_ushort(&tga[5]);
+ cmap_entry_size = tga[7];
+
+
+ #if 0
+- x_origin = get_ushort(&tga[8]);
+- y_origin = get_ushort(&tga[10]);
++ x_origin = get_tga_ushort(&tga[8]);
++ y_origin = get_tga_ushort(&tga[10]);
+ #endif
+- image_w = get_ushort(&tga[12]);
+- image_h = get_ushort(&tga[14]);
++ image_w = get_tga_ushort(&tga[12]);
++ image_h = get_tga_ushort(&tga[14]);
+ pixel_depth = tga[16];
+ image_desc = tga[17];
+
+@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
+ color_space = OPJ_CLRSPC_SRGB;
+ }
+
++ /* If the declared file size is > 10 MB, check that the file is big */
++ /* enough to avoid excessive memory allocations */
++ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
++ char ch;
++ OPJ_UINT64 expected_file_size =
++ (OPJ_UINT64)image_width * image_height * numcomps;
++ long curpos = ftell(f);
++ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
++ expected_file_size = (OPJ_UINT64)INT_MAX;
++ }
++ fseek(f, (long)expected_file_size - 1, SEEK_SET);
++ if (fread(&ch, 1, 1, f) != 1) {
++ fclose(f);
++ return NULL;
++ }
++ fseek(f, curpos, SEEK_SET);
++ }
++
+ subsampling_dx = parameters->subsampling_dx;
+ subsampling_dy = parameters->subsampling_dy;
+
diff --git a/main/openjpeg/CVE-2017-14041.patch b/main/openjpeg/CVE-2017-14041.patch
new file mode 100644
index 0000000000..ebfe1ad27f
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14041.patch
@@ -0,0 +1,22 @@
+From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Fri, 18 Aug 2017 13:39:20 +0200
+Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
+
+---
+ src/bin/jp2/convert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index 5459f7d44..e606c9be7 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
+ }
+
+ fseek(f, 0, SEEK_SET);
+- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+ fclose(f);
+ fprintf(stderr,
diff --git a/main/openjpeg/CVE-2017-14151.patch b/main/openjpeg/CVE-2017-14151.patch
new file mode 100644
index 0000000000..c8a1fd65f1
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14151.patch
@@ -0,0 +1,43 @@
+From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 14 Aug 2017 17:20:37 +0200
+Subject: [PATCH] Encoder: grow buffer size in
+ opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
+ opj_mqc_flush (#982)
+
+---
+ src/lib/openjp2/tcd.c | 7 +++++--
+ tests/nonregression/test_suite.ctest.in | 2 ++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index 301c7213e..53cdcf64d 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
+ {
+ OPJ_UINT32 l_data_size;
+
+- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
++ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
++ /* TODO: is there a theoretical upper-bound for the compressed code */
++ /* block size ? */
++ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
+ if (l_data_size > p_code_block->data_size) {
+diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
+index aaf40d7d0..ffd964c2a 100644
+--- a/tests/nonregression/test_suite.ctest.in
++++ b/tests/nonregression/test_suite.ctest.in
+@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
+ # Same rate as Bretagne2_4.j2k
+ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
+
++opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
++
+ # DECODER TEST SUITE
+ opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
+ opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
diff --git a/main/openjpeg/CVE-2017-14152.patch b/main/openjpeg/CVE-2017-14152.patch
new file mode 100644
index 0000000000..d165090a1a
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14152.patch
@@ -0,0 +1,35 @@
+From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 15 Aug 2017 11:55:58 +0200
+Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
+ opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
+
+---
+ src/lib/openjp2/j2k.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index a2521ebbc..54b490a8c 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
+
+ /* Precincts */
+ parameters->csty |= 0x01;
+- parameters->res_spec = parameters->numresolution - 1;
+- for (i = 0; i < parameters->res_spec; i++) {
+- parameters->prcw_init[i] = 256;
+- parameters->prch_init[i] = 256;
++ if (parameters->numresolution == 1) {
++ parameters->res_spec = 1;
++ parameters->prcw_init[0] = 128;
++ parameters->prch_init[0] = 128;
++ } else {
++ parameters->res_spec = parameters->numresolution - 1;
++ for (i = 0; i < parameters->res_spec; i++) {
++ parameters->prcw_init[i] = 256;
++ parameters->prch_init[i] = 256;
++ }
+ }
+
+ /* The progression order shall be CPRL */
diff --git a/main/openjpeg/CVE-2017-14164.patch b/main/openjpeg/CVE-2017-14164.patch
new file mode 100644
index 0000000000..a61b015180
--- /dev/null
+++ b/main/openjpeg/CVE-2017-14164.patch
@@ -0,0 +1,86 @@
+From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 16 Aug 2017 17:09:10 +0200
+Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
+ (#991)
+
+---
+ src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 54b490a8c..16915452e 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+ * Writes the SOT marker (Start of tile-part)
+ *
+ * @param p_j2k J2K codec.
+- * @param p_data FIXME DOC
+- * @param p_data_written FIXME DOC
++ * @param p_data Output buffer
++ * @param p_total_data_size Output buffer size
++ * @param p_data_written Number of bytes written into stream
+ * @param p_stream the stream to write data to.
+ * @param p_manager the user event manager.
+ */
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_BYTE * p_data,
++ OPJ_UINT32 p_total_data_size,
+ OPJ_UINT32 * p_data_written,
+ const opj_stream_private_t *p_stream,
+ opj_event_mgr_t * p_manager);
+@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_BYTE * p_data,
++ OPJ_UINT32 p_total_data_size,
+ OPJ_UINT32 * p_data_written,
+ const opj_stream_private_t *p_stream,
+ opj_event_mgr_t * p_manager
+@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_UNUSED(p_stream);
+ OPJ_UNUSED(p_manager);
+
++ if (p_total_data_size < 12) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough bytes in output buffer to write SOT marker\n");
++ return OPJ_FALSE;
++ }
++
+ opj_write_bytes(p_data, J2K_MS_SOT,
+ 2); /* SOT */
+ p_data += 2;
+@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
+
+ l_current_nb_bytes_written = 0;
+ l_begin_data = p_data;
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
++ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }
+@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+ l_part_tile_size = 0;
+ l_begin_data = p_data;
+
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data,
++ p_total_data_size,
++ &l_current_nb_bytes_written,
++ p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }
+@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+ l_part_tile_size = 0;
+ l_begin_data = p_data;
+
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data,
++ p_total_data_size,
++ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }