From 4c73673fd8d36f24a0187aac1e2a1bbb8791dbaa65c3650d6dabe07b85beb6d2 Mon Sep 17 00:00:00 2001 From: Brian White Date: Tue, 19 Dec 2023 12:27:06 +0000 Subject: [PATCH] Accepting request 1134021 from home:pgajdos - security update - added patches fix CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler + jbigkit-CVE-2022-1210.patch OBS-URL: https://build.opensuse.org/request/show/1134021 OBS-URL: https://build.opensuse.org/package/show/graphics/jbigkit?expand=0&rev=19 --- jbigkit-CVE-2022-1210.patch | 36 ++++++++++++++++++++++++++++++++++++ jbigkit.changes | 8 ++++++++ jbigkit.spec | 7 ++++--- 3 files changed, 48 insertions(+), 3 deletions(-) create mode 100644 jbigkit-CVE-2022-1210.patch diff --git a/jbigkit-CVE-2022-1210.patch b/jbigkit-CVE-2022-1210.patch new file mode 100644 index 0000000..bb03fc0 --- /dev/null +++ b/jbigkit-CVE-2022-1210.patch @@ -0,0 +1,36 @@ +Index: jbigkit-2.1/libjbig/jbig.c +=================================================================== +--- jbigkit-2.1.orig/libjbig/jbig.c ++++ jbigkit-2.1/libjbig/jbig.c +@@ -2051,6 +2051,7 @@ void jbg_dec_init(struct jbg_dec_state * + s->xmax = 4294967295UL; + s->ymax = 4294967295UL; + s->dmax = 256; ++ s->maxmem = 2000000000; /* no final image larger than 2 GB by default */ + s->s = NULL; + + return; +@@ -2640,6 +2641,10 @@ int jbg_dec_in(struct jbg_dec_state *s, + return JBG_EIMPL | 5; + s->options = s->buffer[19]; + ++ /* will the final image require more bytes than permitted by s->maxmem? */ ++ if (s->maxmem / s->planes / s->yd / jbg_ceil_half(s->xd, 3) == 0) ++ return JBG_ENOMEM; /* increase s->maxmem if needed */ ++ + /* calculate number of stripes that will be required */ + s->stripes = jbg_stripes(s->l0, s->yd, s->d); + +Index: jbigkit-2.1/libjbig/jbig.h +=================================================================== +--- jbigkit-2.1.orig/libjbig/jbig.h ++++ jbigkit-2.1/libjbig/jbig.h +@@ -181,6 +181,8 @@ struct jbg_dec_state { + unsigned long xmax, ymax; /* if possible abort before image gets * + * larger than this size */ + int dmax; /* abort after this layer */ ++ size_t maxmem; /* return JBG_ENOMEM if final image layer D ++ would require more than maxmem bytes */ + }; + + diff --git a/jbigkit.changes b/jbigkit.changes index d9fa137..5cbe118 100644 --- a/jbigkit.changes +++ b/jbigkit.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Dec 19 12:07:52 UTC 2023 - pgajdos@suse.com + +- security update +- added patches + fix CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler + + jbigkit-CVE-2022-1210.patch + ------------------------------------------------------------------- Wed Aug 24 10:46:45 UTC 2022 - Andreas Schwab diff --git a/jbigkit.spec b/jbigkit.spec index 181ef87..44050c8 100644 --- a/jbigkit.spec +++ b/jbigkit.spec @@ -1,7 +1,7 @@ # # spec file for package jbigkit # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,6 +28,8 @@ URL: http://www.cl.cam.ac.uk/~mgk25/jbigkit/ Source0: http://www.cl.cam.ac.uk/~mgk25/download/%{name}-%{version}.tar.gz Source42: baselibs.conf Patch0: %{name}-%{version}-shlib.patch +# CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler +Patch1: jbigkit-CVE-2022-1210.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define libname libjbig @@ -69,8 +71,7 @@ The jbigkit package contains tools for converting between PBM and JBIG1 formats. %prep -%setup -%patch0 -p1 +%autosetup -p1 %build export CFLAGS="%optflags -I../libjbig" CXXFLAGS="%optflags"