From f74deba4afb4c6618f73f659d72e1aba81fa8b69814d793a3d6edd23b1fafe45 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Tue, 29 Aug 2023 10:51:27 +0000 Subject: [PATCH] - security update - added patches fix CVE-2021-46310 [bsc#1214670], divide by zero in IW44Image.cpp + djvulibre-CVE-2021-46310.patch fix CVE-2021-46312 [bsc#1214672], divide by zero in IW44EncodeCodec.cpp + djvulibre-CVE-2021-46312.patch OBS-URL: https://build.opensuse.org/package/show/graphics/djvulibre?expand=0&rev=48 --- djvulibre-CVE-2021-46310.patch | 17 +++++++++++++++++ djvulibre-CVE-2021-46312.patch | 18 ++++++++++++++++++ djvulibre.changes | 10 ++++++++++ djvulibre.spec | 6 ++++++ 4 files changed, 51 insertions(+) create mode 100644 djvulibre-CVE-2021-46310.patch create mode 100644 djvulibre-CVE-2021-46312.patch
diff --git a/djvulibre-CVE-2021-46310.patch b/djvulibre-CVE-2021-46310.patch
new file mode 100644
index 0000000..989983f
--- /dev/null
+++ b/djvulibre-CVE-2021-46310.patch
@@ -0,0 +1,17 @@
+Index: djvulibre-3.5.28/libdjvu/IW44Image.cpp
+===================================================================
+--- djvulibre-3.5.28.orig/libdjvu/IW44Image.cpp
++++ djvulibre-3.5.28/libdjvu/IW44Image.cpp
+@@ -676,10 +676,10 @@ IW44Image::Map::image(signed char *img8,
+ // Allocate reconstruction buffer
+ short *data16;
+ size_t sz = bw * bh;
++ if (sz == 0) // bw or bh is zero
++ G_THROW("IW44Image: zero size image (corrupted file?)");
+ if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+ G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+- if (sz == 0)
+- G_THROW("IW44Image: zero size image (corrupted file?)");
+ GPBuffer gdata16(data16,sz);
+ if (data16 == NULL)
+ G_THROW("IW44Image: unable to allocate image data");
diff --git a/djvulibre-CVE-2021-46312.patch b/djvulibre-CVE-2021-46312.patch
new file mode 100644
index 0000000..b984f75
--- /dev/null
+++ b/djvulibre-CVE-2021-46312.patch
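Review bot: In djvulibre-CVE-2021-46310.patch the context line `size_t sz = bw * bh;` still multiplies before widening, so if `bw` and `bh` are `int` (declared outside the hunk; the `(size_t)bw` casts suggest so) an oversized image overflows in signed arithmetic, and the `sz / (size_t)bw != (size_t)bh` guard only sees the already-wrapped value. Moving the `sz == 0` test ahead of the division removes the divide by zero, but the overflow guard then still rests on undefined behaviour. Widening first, `size_t sz = (size_t)bw * (size_t)bh;`, after rejecting non-positive dimensions, would make both checks well defined. The new line `size_t sz = w * h;` in djvulibre-CVE-2021-46312.patch has the same shape, with `int h = bm.rows();` visible there. IW44Image::Map::image continues outside the hunk.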
@@ -0,0 +1,18 @@
+Index: djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp
+===================================================================
+--- djvulibre-3.5.28.orig/libdjvu/IW44EncodeCodec.cpp
++++ djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp
+@@ -1424,7 +1424,12 @@ IWBitmap::Encode::init(const GBitmap &bm
+ int h = bm.rows();
+ int g = bm.get_grays()-1;
+ signed char *buffer;
+- GPBuffer gbuffer(buffer,w*h);
++ size_t sz = w * h;
++ if (sz == 0 || g <= 0) // w or h is zero or g is not positive
++ G_THROW("IWBitmap: zero size image (corrupted file?)");
++ if (sz / (size_t)w != (size_t)h) // multiplication overflow
++ G_THROW("IWBitmap: image size exceeds maximum (corrupted file?)");
++ GPBuffer gbuffer(buffer,sz);
+ // Prepare gray level conversion table
+ signed char bconv[256];
+ for (i=0; i<256; i++)
diff --git a/djvulibre.changes b/djvulibre.changes
index 9edd061..7f8836f 100644
--- a/djvulibre.changes
+++ b/djvulibre.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Aug 29 10:48:49 UTC 2023 - pgajdos@suse.com
+
+- security update
+- added patches
+ fix CVE-2021-46310 [bsc#1214670], divide by zero in IW44Image.cpp
+ + djvulibre-CVE-2021-46310.patch
+ fix CVE-2021-46312 [bsc#1214672], divide by zero in IW44EncodeCodec.cpp
+ + djvulibre-CVE-2021-46312.patch
+
 -------------------------------------------------------------------
 Wed May 4 09:30:24 UTC 2022 - Marcus Meissner
diff --git a/djvulibre.spec b/djvulibre.spec
index cd0de61..83306d4 100644
--- a/djvulibre.spec
+++ b/djvulibre.spec
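Review bot: The added guard `if (sz == 0 || g <= 0)` in djvulibre-CVE-2021-46312.patch reports "IWBitmap: zero size image (corrupted file?)" even when the dimensions are fine and only the gray-level count is at fault, which will mislead whoever triages the error. Since `g = bm.get_grays()-1` appears to be the divisor this CVE is about (the conversion-table loop starts on the last line of the hunk and continues outside it), I would split the test and give it its own message, e.g. `if (g <= 0) G_THROW("IWBitmap: invalid number of gray levels (corrupted file?)");`. A short comment on that line, such as `// g is used as a divisor when building bconv below`, would also record why the check exists.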
@@ -37,6 +37,10 @@ Patch2: djvulibre-CVE-2021-32492.patch
 Patch3: djvulibre-CVE-2021-32493.patch
 # CVE-2021-3500 [bsc#1186253], Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file
 Patch4: djvulibre-CVE-2021-3500.patch
+# CVE-2021-46310 [bsc#1214670], divide by zero in IW44Image.cpp
+Patch5: djvulibre-CVE-2021-46310.patch
+# CVE-2021-46312 [bsc#1214672], divide by zero in IW44EncodeCodec.cpp
+Patch6: djvulibre-CVE-2021-46312.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: hicolor-icon-theme
@@ -94,6 +98,8 @@ This package contains the documentation.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 %build
 # configure script missing; generate using autogen.sh