gnu: openjpeg: Fix CVE-2017-{14040,14041}.

* gnu/packages/image.scm (openjpeg)[source]: Add patches.
* gnu/packages/patches/openjpeg-CVE-2017-14040.patch,
gnu/packages/patches/openjpeg-CVE-2017-14041.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
This commit is contained in:
Kei Kebreau 2017-09-01 20:45:49 -04:00
parent 65e4109cdc
commit d536113df0
No known key found for this signature in database
GPG Key ID: E6A5EE3C19467A0D
4 changed files with 113 additions and 1 deletions

View File

@ -888,6 +888,8 @@ dist_patch_DATA = \
%D%/packages/patches/openscenegraph-ffmpeg3.patch \ %D%/packages/patches/openscenegraph-ffmpeg3.patch \
%D%/packages/patches/openexr-missing-samples.patch \ %D%/packages/patches/openexr-missing-samples.patch \
%D%/packages/patches/openjpeg-CVE-2017-12982.patch \ %D%/packages/patches/openjpeg-CVE-2017-12982.patch \
%D%/packages/patches/openjpeg-CVE-2017-14040.patch \
%D%/packages/patches/openjpeg-CVE-2017-14041.patch \
%D%/packages/patches/openldap-CVE-2017-9287.patch \ %D%/packages/patches/openldap-CVE-2017-9287.patch \
%D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/openocd-nrf52.patch \
%D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-runpath.patch \

View File

@ -520,7 +520,9 @@ work.")
(sha256 (sha256
(base32 (base32
"0yvfghxwfm3dcqr9krkw63pcd76hzkknc3fh7bh11s8qlvjvrpbg")) "0yvfghxwfm3dcqr9krkw63pcd76hzkknc3fh7bh11s8qlvjvrpbg"))
(patches (search-patches "openjpeg-CVE-2017-12982.patch")))) (patches (search-patches "openjpeg-CVE-2017-12982.patch"
"openjpeg-CVE-2017-14040.patch"
"openjpeg-CVE-2017-14041.patch"))))
(build-system cmake-build-system) (build-system cmake-build-system)
(arguments (arguments
;; Trying to run `$ make check' results in a no rule fault. ;; Trying to run `$ make check' results in a no rule fault.

View File

@ -0,0 +1,83 @@
http://openwall.com/lists/oss-security/2017/08/28/3
https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281.patch
From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 17 Aug 2017 11:47:40 +0200
Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
fixes unaligned load (#995)
---
src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
1 file changed, 27 insertions(+), 12 deletions(-)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index a4eb81f6a..73dfc8d5f 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -580,13 +580,10 @@ struct tga_header {
};
#endif /* INFORMATION_ONLY */
-static unsigned short get_ushort(const unsigned char *data)
+/* Returns a ushort from a little-endian serialized value */
+static unsigned short get_tga_ushort(const unsigned char *data)
{
- unsigned short val = *(const unsigned short *)data;
-#ifdef OPJ_BIG_ENDIAN
- val = ((val & 0xffU) << 8) | (val >> 8);
-#endif
- return val;
+ return data[0] | (data[1] << 8);
}
#define TGA_HEADER_SIZE 18
@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
id_len = tga[0];
/*cmap_type = tga[1];*/
image_type = tga[2];
- /*cmap_index = get_ushort(&tga[3]);*/
- cmap_len = get_ushort(&tga[5]);
+ /*cmap_index = get_tga_ushort(&tga[3]);*/
+ cmap_len = get_tga_ushort(&tga[5]);
cmap_entry_size = tga[7];
#if 0
- x_origin = get_ushort(&tga[8]);
- y_origin = get_ushort(&tga[10]);
+ x_origin = get_tga_ushort(&tga[8]);
+ y_origin = get_tga_ushort(&tga[10]);
#endif
- image_w = get_ushort(&tga[12]);
- image_h = get_ushort(&tga[14]);
+ image_w = get_tga_ushort(&tga[12]);
+ image_h = get_tga_ushort(&tga[14]);
pixel_depth = tga[16];
image_desc = tga[17];
@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
color_space = OPJ_CLRSPC_SRGB;
}
+ /* If the declared file size is > 10 MB, check that the file is big */
+ /* enough to avoid excessive memory allocations */
+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
+ char ch;
+ OPJ_UINT64 expected_file_size =
+ (OPJ_UINT64)image_width * image_height * numcomps;
+ long curpos = ftell(f);
+ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
+ expected_file_size = (OPJ_UINT64)INT_MAX;
+ }
+ fseek(f, (long)expected_file_size - 1, SEEK_SET);
+ if (fread(&ch, 1, 1, f) != 1) {
+ fclose(f);
+ return NULL;
+ }
+ fseek(f, curpos, SEEK_SET);
+ }
+
subsampling_dx = parameters->subsampling_dx;
subsampling_dy = parameters->subsampling_dy;

View File

@ -0,0 +1,25 @@
http://openwall.com/lists/oss-security/2017/08/28/4
https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 18 Aug 2017 13:39:20 +0200
Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
---
src/bin/jp2/convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index 5459f7d44..e606c9be7 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
}
fseek(f, 0, SEEK_SET);
- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
&endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
fclose(f);
fprintf(stderr,