From 96b242433035f4f57a7ce601c9ce4af7d6b2e56f87ff8ed0b4b028a19eaacd40 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Wed, 13 Sep 2017 14:11:10 +0000 Subject: [PATCH] Accepting request 523789 from home:hpjansson:openjpeg2-cve-factory Add security fixes: openjpeg2-CVE-2016-10504.patch (CVE-2016-10504, bsc#1056351), openjpeg2-CVE-2016-10505.patch (CVE-2016-10505, bsc#1056363), openjpeg2-CVE-2016-10506.patch (CVE-2016-10506, bsc#1056396), openjpeg2-CVE-2017-12982.patch (CVE-2017-12982, bsc#1054696), openjpeg2-CVE-2017-14039.patch (CVE-2017-14039, CVE-2017-14164, bsc#1056622, bsc#1057511), openjpeg2-CVE-2017-14040.patch (CVE-2017-14040, bsc#1056621), openjpeg2-CVE-2017-14041.patch (CVE-2017-14041, bsc#1056562), openjpeg2-CVE-2017-14151.patch (CVE-2017-14151, bsc#1057336), openjpeg2-CVE-2017-14152.patch (CVE-2017-14152, bsc#1057335), most of which are critical, including heap and stack overwrites, over-reads and division by zero errors. OBS-URL: https://build.opensuse.org/request/show/523789 OBS-URL: https://build.opensuse.org/package/show/graphics/openjpeg2?expand=0&rev=28 --- openjpeg2-CVE-2016-10504.patch | 23 ++++++++ openjpeg2-CVE-2016-10505.patch | 47 ++++++++++++++++ openjpeg2-CVE-2016-10506.patch | 55 +++++++++++++++++++ openjpeg2-CVE-2017-12982.patch | 15 ++++++ openjpeg2-CVE-2017-14039.patch | 99 ++++++++++++++++++++++++++++++++++ openjpeg2-CVE-2017-14040.patch | 77 ++++++++++++++++++++++++++ openjpeg2-CVE-2017-14041.patch | 13 +++++ openjpeg2-CVE-2017-14151.patch | 22 ++++++++ openjpeg2-CVE-2017-14152.patch | 25 +++++++++ openjpeg2.changes | 17 ++++++ openjpeg2.spec | 29 +++++++++- 11 files changed, 421 insertions(+), 1 deletion(-) create mode 100644 openjpeg2-CVE-2016-10504.patch create mode 100644 openjpeg2-CVE-2016-10505.patch create mode 100644 openjpeg2-CVE-2016-10506.patch create mode 100644 openjpeg2-CVE-2017-12982.patch create mode 100644 openjpeg2-CVE-2017-14039.patch create mode 100644 openjpeg2-CVE-2017-14040.patch create mode 100644 openjpeg2-CVE-2017-14041.patch create mode 100644 openjpeg2-CVE-2017-14151.patch create 
mode 100644 openjpeg2-CVE-2017-14152.patch
diff --git a/openjpeg2-CVE-2016-10504.patch b/openjpeg2-CVE-2016-10504.patch
new file mode 100644
index 0000000..5156d8a
--- /dev/null
+++ b/openjpeg2-CVE-2016-10504.patch
@@ -0,0 +1,23 @@
+commit 0a915d5e6b49c8428a28d0b858b9e274851b4b1c
+Author: Hans Petter Jansson
+Date: Fri Sep 8 00:22:18 2017 +0200
+
+ openjpeg2-CVE-2016-10504.patch
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index 985ac5f..2e116b2 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1088,8 +1088,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data (opj_tcd_cblk_enc_t * p_cod
+ {
+ OPJ_UINT32 l_data_size;
+
+- l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+-
++ /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
++ l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
++
+ if (l_data_size > p_code_block->data_size) {
+ if (p_code_block->data) {
+ opj_free(p_code_block->data - 1); /* again, why -1 */
diff --git a/openjpeg2-CVE-2016-10505.patch b/openjpeg2-CVE-2016-10505.patch
new file mode 100644
index 0000000..d6601b7
--- /dev/null
+++ b/openjpeg2-CVE-2016-10505.patch
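Review bot: The `1 +` added to `l_data_size` in opj_tcd_code_block_enc_allocate_data is an empirical margin, not a derived bound, so an input that needs more slack can still overrun the buffer; openjpeg2-CVE-2017-14151.patch later in this same commit already raises it to `2 +` and leaves a TODO asking for the real upper bound. The durable fix is a bounds check where the encoder writes into `p_code_block->data`, which is outside this hunk. Until that exists the comment should say so, for example `/* +1: slack byte for issue 835; empirical, not a proven bound */`. The width-by-height product is also evaluated in signed `OPJ_INT32` before the cast, so it depends on code-block dimensions having been range-checked elsewhere. The function body continues past the hunk.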
@@ -0,0 +1,47 @@
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index 234c7bd..f42d982 100644
+--- a/src/bin/common/color.c
++++ b/src/bin/common/color.c
+@@ -108,6 +108,7 @@ static void sycc444_to_rgb(opj_image_t *img)
+ d1 = g = (int*)malloc(sizeof(int) * max);
+ d2 = b = (int*)malloc(sizeof(int) * max);
+
++ if(y == NULL || cb == NULL || cr == NULL) goto fails;
+ if(r == NULL || g == NULL || b == NULL) goto fails;
+
+ for(i = 0U; i < max; ++i)
+@@ -149,6 +150,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ d1 = g = (int*)malloc(sizeof(int) * max);
+ d2 = b = (int*)malloc(sizeof(int) * max);
+
++ if(y == NULL || cb == NULL || cr == NULL) goto fails;
+ if(r == NULL || g == NULL || b == NULL) goto fails;
+
+ /* if img->x0 is odd, then first column shall use Cb/Cr = 0 */
+@@ -918,6 +920,7 @@ void color_esycc_to_rgb(opj_image_t *image)
+ (image->numcomps < 3)
+ || (image->comps[0].dx != image->comps[1].dx) || (image->comps[0].dx != image->comps[2].dx)
+ || (image->comps[0].dy != image->comps[1].dy) || (image->comps[0].dy != image->comps[2].dy)
++ || !image->comps [0].data || !image->comps [1].data || !image->comps [2].data
+ ) {
+ fprintf(stderr,"%s:%d:color_esycc_to_rgb\n\tCAN NOT CONVERT\n", __FILE__,__LINE__);
+ return;
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 4df8d58..5c52ef4 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -814,6 +814,14 @@ int imagetobmp(opj_image_t * image, const char *outfile) {
+ fprintf(stderr, "Unsupported number of components: %d\n", image->comps[0].prec);
+ return 1;
+ }
++
++ for (i = 0; i < image->numcomps; i++) {
++ if (image->comps[i].data == NULL) {
++ fprintf(stderr, "Missing image data\n");
++ return 1;
++ }
++ }
++
+ if (image->numcomps >= 3 && image->comps[0].dx == image->comps[1].dx
+ && image->comps[1].dx == image->comps[2].dx
+ && image->comps[0].dy == image->comps[1].dy
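Review bot: The new `if(y == NULL || cb == NULL || cr == NULL) goto fails;` sits after the three `malloc` calls in both sycc444_to_rgb and sycc422_to_rgb, so a component without data still costs three allocations and relies on the `fails:` label, which is outside the hunk, to release them; testing the inputs before allocating removes that dependency. Only the 4:4:4 and 4:2:2 converters are touched here, so if color.c has a 4:2:0 path that reads the component `data` pointers the same way it needs the same guard, which cannot be confirmed from these hunks. In imagetobmp the message `"Missing image data\n"` would be more useful with the component index, e.g. `fprintf(stderr, "Missing image data for component %u\n", (unsigned)i);`.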
diff --git a/openjpeg2-CVE-2016-10506.patch b/openjpeg2-CVE-2016-10506.patch
new file mode 100644
index 0000000..a6c8992
--- /dev/null
+++ b/openjpeg2-CVE-2016-10506.patch
@@ -0,0 +1,55 @@
+diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
+index 41a2f04..ca9b62f 100644
+--- a/src/lib/openjp2/pi.c
++++ b/src/lib/openjp2/pi.c
+@@ -360,6 +360,16 @@ if (!pi->tp_on){
+ try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));
+ rpx = res->pdx + levelno;
+ rpy = res->pdy + levelno;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ /* in below tests */
++ /* Fixes reading id:000026,sig:08,src:002419,op:int32,pos:60,val:+32 */
++ /* of https://github.com/uclouvain/openjpeg/issues/938 */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
++ continue;
++ }
++
+ if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
+ continue;
+ }
+@@ -441,6 +451,16 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) {
+ try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));
+ rpx = res->pdx + levelno;
+ rpy = res->pdy + levelno;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ /* in below tests */
++ /* Relates to id:000019,sig:08,src:001098,op:flip1,pos:49 */
++ /* of https://github.com/uclouvain/openjpeg/issues/938 */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
++ continue;
++ }
++
+ if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
+ continue;
+ }
+@@ -520,6 +540,16 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) {
+ try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));
+ rpx = res->pdx + levelno;
+ rpy = res->pdy + levelno;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ /* in below tests */
++ /* Fixes reading id:000019,sig:08,src:001098,op:flip1,pos:49 */
++ /* of https://github.com/uclouvain/openjpeg/issues/938 */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx)
!= comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
++ continue;
++ }
++
+ if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
+ continue;
+ }
diff --git a/openjpeg2-CVE-2017-12982.patch b/openjpeg2-CVE-2017-12982.patch
new file mode 100644
index 0000000..de5e0bd
--- /dev/null
+++ b/openjpeg2-CVE-2017-12982.patch
@@ -0,0 +1,15 @@
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index ae83077..4df8d58 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -379,6 +379,10 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
+
+ header->biBitCount = (OPJ_UINT16)getc(IN);
+ header->biBitCount |= (OPJ_UINT16)((OPJ_UINT32)getc(IN) << 8);
++ if (header->biBitCount == 0) {
++ fprintf(stderr, "Error, invalid biBitCount %d\n", 0);
++ return OPJ_FALSE;
++ }
+
+ if(header->biSize >= 40U) {
+ header->biCompression = (OPJ_UINT32)getc(IN);
diff --git a/openjpeg2-CVE-2017-14039.patch b/openjpeg2-CVE-2017-14039.patch
new file mode 100644
index 0000000..4153fc3
--- /dev/null
+++ b/openjpeg2-CVE-2017-14039.patch
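Review bot: The context line `try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));` runs before the new `rpx`/`rpy` guard in all three iterators, so a `levelno` large enough to shift `comp->dy` to zero, or past the width of the type, still reaches that call before `continue` can skip the resolution. Assuming opj_int_ceildiv divides by its second argument, the division-by-zero and undefined-shift cases named in the new comment remain reachable one statement earlier. A check of the same shape on `levelno`, placed ahead of the ceildiv calls, closes it: `if (levelno >= 31 || ((comp->dx << levelno) >> levelno) != comp->dx || ((comp->dy << levelno) >> levelno) != comp->dy) continue;`. The loop bodies start and end outside the hunks, so the exact placement needs checking against the full functions.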
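Review bot: A truncated header passes the new zero test in bmp_read_info_header: `getc(IN)` returns EOF on a short file, the casts in the two context lines turn that into 0xFFFF, and `header->biBitCount == 0` is false. Whether the function checks `feof`/`ferror` further down is outside the hunk; if it does not, rejecting every bit count the decoder has no reader for would cover both the zero and the EOF case. The message passes a literal `0` through `%d`; `fprintf(stderr, "Error, invalid biBitCount %d\n", header->biBitCount);` says the same thing and stays correct if the condition is widened.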
@@ -0,0 +1,99 @@
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 5cefffd..1844ac3 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -826,6 +826,7 @@ static OPJ_BOOL opj_j2k_write_tlm( opj_j2k_t *p_j2k,
+ */
+ static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k,
+ OPJ_BYTE * p_data,
++ OPJ_UINT32 p_total_data_size,
+ OPJ_UINT32 * p_data_written,
+ const opj_stream_private_t *p_stream,
+ opj_event_mgr_t * p_manager );
+@@ -3963,6 +3964,7 @@ static OPJ_BOOL opj_j2k_write_tlm( opj_j2k_t *p_j2k,
+
+ static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k,
+ OPJ_BYTE * p_data,
++ OPJ_UINT32 p_total_data_size,
+ OPJ_UINT32 * p_data_written,
+ const opj_stream_private_t *p_stream,
+ opj_event_mgr_t * p_manager
+@@ -3973,6 +3975,12 @@ static OPJ_BOOL opj_j2k_write_sot( opj_j2k_t *p_j2k,
+ assert(p_manager != 00);
+ assert(p_stream != 00);
+
++ if (p_total_data_size < 12) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough bytes in output buffer to write SOT marker\n");
++ return OPJ_FALSE;
++ }
++
+ opj_write_bytes(p_data,J2K_MS_SOT,2); /* SOT */
+ p_data += 2;
+
+@@ -4308,6 +4316,12 @@ static OPJ_BOOL opj_j2k_write_sod( opj_j2k_t *p_j2k,
+ assert(p_manager != 00);
+ assert(p_stream != 00);
+
++ if (p_total_data_size < 4) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough bytes in output buffer to write SOD marker\n");
++ return OPJ_FALSE;
++ }
++
+ opj_write_bytes(p_data,J2K_MS_SOD,2); /* SOD */
+ p_data += 2;
+
+@@ -10625,7 +10639,7 @@ static OPJ_BOOL opj_j2k_write_first_tile_part (opj_j2k_t *p_j2k,
+
+ l_current_nb_bytes_written = 0;
+ l_begin_data = p_data;
+- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager))
++ if (! opj_j2k_write_sot(p_j2k,p_data,p_total_data_size,&l_current_nb_bytes_written,p_stream,p_manager))
+ {
+ return OPJ_FALSE;
+ }
+@@ -10712,7 +10726,7 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts( opj_j2k_t *p_j2k,
+ l_part_tile_size = 0;
+ l_begin_data = p_data;
+
+- if (!
opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) {
++ if (! opj_j2k_write_sot(p_j2k,p_data,p_total_data_size,&l_current_nb_bytes_written,p_stream,p_manager)) {
+ return OPJ_FALSE;
+ }
+
+@@ -10752,7 +10766,7 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts( opj_j2k_t *p_j2k,
+ l_part_tile_size = 0;
+ l_begin_data = p_data;
+
+- if (! opj_j2k_write_sot(p_j2k,p_data,&l_current_nb_bytes_written,p_stream,p_manager)) {
++ if (! opj_j2k_write_sot(p_j2k,p_data,p_total_data_size,&l_current_nb_bytes_written,p_stream,p_manager)) {
+ return OPJ_FALSE;
+ }
+
+diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c
+index 5a8d440..f14cea8 100644
+--- a/src/lib/openjp2/t2.c
++++ b/src/lib/openjp2/t2.c
+@@ -585,6 +585,10 @@ static OPJ_BOOL opj_t2_encode_packet( OPJ_UINT32 tileno,
+
+ /* */
+ if (tcp->csty & J2K_CP_CSTY_SOP) {
++ if (length < 6) {
++ return OPJ_FALSE;
++ }
++
+ c[0] = 255;
+ c[1] = 145;
+ c[2] = 0;
+@@ -731,6 +735,10 @@ static OPJ_BOOL opj_t2_encode_packet( OPJ_UINT32 tileno,
+
+ /* */
+ if (tcp->csty & J2K_CP_CSTY_EPH) {
++ if (length < 2) {
++ return OPJ_FALSE;
++ }
++
+ c[0] = 255;
+ c[1] = 146;
+ c += 2;
diff --git a/openjpeg2-CVE-2017-14040.patch b/openjpeg2-CVE-2017-14040.patch
new file mode 100644
index 0000000..6ec9ba2
--- /dev/null
+++ b/openjpeg2-CVE-2017-14040.patch
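Review bot: Both call sites in opj_j2k_write_all_tile_parts pass `p_total_data_size` to opj_j2k_write_sot while `p_data` is a cursor that moves forward with each tile part, so the new `< 12` test only protects the write if the caller subtracts the bytes already emitted before the next call; that bookkeeping is outside these hunks and should be confirmed. The literals 12 and 4 need a comment or a named constant, e.g. `/* SOT segment: 2 marker + 2 Lsot + 2 Isot + 4 Psot + 1 TPsot + 1 TNsot */`, and the 4 in opj_j2k_write_sod is not explained by the 2-byte SOD marker written in the visible lines. In t2.c the `length < 6` and `length < 2` checks return OPJ_FALSE with no message, unlike the j2k.c checks, which makes an exhausted output buffer indistinguishable from other encode failures. After `c += 2;` in the EPH branch the matching decrement of `length` is not visible; without it, later checks against `length` run against a stale value.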
@@ -0,0 +1,77 @@
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index deee4f6..f28c98d 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -41,6 +41,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "openjpeg.h"
+ #include "convert.h"
+@@ -558,12 +559,9 @@ struct tga_header
+ };
+ #endif /* INFORMATION_ONLY */
+
+-static unsigned short get_ushort(const unsigned char *data) {
+- unsigned short val = *(const unsigned short *)data;
+-#ifdef OPJ_BIG_ENDIAN
+- val = ((val & 0xffU) << 8) | (val >> 8);
+-#endif
+- return val;
++/* Returns a ushort from a little-endian serialized value */
++static unsigned short get_tga_ushort(const unsigned char *data) {
++ return data[0] | (data[1] << 8);
+ }
+
+ #define TGA_HEADER_SIZE 18
+@@ -589,17 +587,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
+ id_len = tga[0];
+ /*cmap_type = tga[1];*/
+ image_type = tga[2];
+- /*cmap_index = get_ushort(&tga[3]);*/
+- cmap_len = get_ushort(&tga[5]);
++ /*cmap_index = get_tga_ushort(&tga[3]);*/
++ cmap_len = get_tga_ushort(&tga[5]);
+ cmap_entry_size = tga[7];
+
+
+ #if 0
+- x_origin = get_ushort(&tga[8]);
+- y_origin = get_ushort(&tga[10]);
++ x_origin = get_tga_ushort(&tga[8]);
++ y_origin = get_tga_ushort(&tga[10]);
+ #endif
+- image_w = get_ushort(&tga[12]);
+- image_h = get_ushort(&tga[14]);
++ image_w = get_tga_ushort(&tga[12]);
++ image_h = get_tga_ushort(&tga[14]);
+ pixel_depth = tga[16];
+ image_desc = tga[17];
+
+@@ -763,6 +761,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters) {
+ color_space = OPJ_CLRSPC_SRGB;
+ }
+
++ /* If the declared file size is > 10 MB, check that the file is big */
++ /* enough to avoid excessive memory allocations */
++ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
++ char ch;
++ OPJ_UINT64 expected_file_size =
++ (OPJ_UINT64)image_width * image_height * numcomps;
++ long curpos = ftell(f);
++ if (expected_file_size >
(OPJ_UINT64)INT_MAX) {
++ expected_file_size = (OPJ_UINT64)INT_MAX;
++ }
++ fseek(f, (long)expected_file_size - 1, SEEK_SET);
++ if (fread(&ch, 1, 1, f) != 1) {
++ fclose(f);
++ return NULL;
++ }
++ fseek(f, curpos, SEEK_SET);
++ }
++
+ subsampling_dx = parameters->subsampling_dx;
+ subsampling_dy = parameters->subsampling_dy;
+
diff --git a/openjpeg2-CVE-2017-14041.patch b/openjpeg2-CVE-2017-14041.patch
new file mode 100644
index 0000000..924f5c7
--- /dev/null
+++ b/openjpeg2-CVE-2017-14041.patch
@@ -0,0 +1,13 @@
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index f28c98d..2381f3a 100644
+--- a/src/bin/jp2/convert.c
++++ b/src/bin/jp2/convert.c
+@@ -1115,7 +1115,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters) {
+ }
+
+ fseek(f, 0, SEEK_SET);
+- if( fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){
++ if( fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d",temp,&endian1,&endian2,signtmp,&prec,temp,&w,temp,&h) != 9){
+ fclose(f);
+ fprintf(stderr, "ERROR: Failed to read the right number of element from the fscanf() function!\n");
+ return NULL;
diff --git a/openjpeg2-CVE-2017-14151.patch b/openjpeg2-CVE-2017-14151.patch
new file mode 100644
index 0000000..059b13d
--- /dev/null
+++ b/openjpeg2-CVE-2017-14151.patch
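Review bot: The size probe added to tgatoimage ignores the results of `ftell` and of both `fseek` calls: if `ftell` returns -1, the restoring `fseek(f, curpos, SEEK_SET)` fails and the stream is left at the probe offset, so whatever is read next comes from the wrong place. Suggest `if (curpos < 0 || fseek(f, (long)expected_file_size - 1, SEEK_SET) != 0 || fread(&ch, 1, 1, f) != 1) { fclose(f); return NULL; }` and the same failure path when the restoring `fseek` returns non-zero. The early `return NULL` is silent, and a `fprintf(stderr, ...)` in the style of the other converters would tell the user the file is shorter than its header claims. The probe measures from offset 0 rather than from the start of pixel data, so it is a lower bound only, and the comment should say so. In get_tga_ushort the caller must guarantee two readable bytes at `data`, which the one-line comment could state.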
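Review bot: The `%31[` widths in the pgxtoimage `fscanf` format hard-code the capacity of `temp` and `signtmp`, whose declarations are outside the hunk; if either array is shorter than 32 bytes the overflow remains, and nothing keeps the format and the declarations in step. A comment at the call such as `/* field widths must equal sizeof(temp) - 1 and sizeof(signtmp) - 1 */` records the coupling. The `%d` conversions into `prec`, `w` and `h` are accepted without a range check in the visible lines, so negative or very large values pass through to whatever follows.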
@@ -0,0 +1,22 @@
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index 2e116b2..2f50bfe 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -1087,10 +1087,13 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate (opj_tcd_cblk_enc_t * p_code_blo
+ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data (opj_tcd_cblk_enc_t * p_code_block)
+ {
+ OPJ_UINT32 l_data_size;
+-
+- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+- (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
++
++ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
++ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
++ /* TODO: is there a theoretical upper-bound for the compressed code */
++ /* block size ? */
++ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
+ if (l_data_size > p_code_block->data_size) {
+ if (p_code_block->data) {
diff --git a/openjpeg2-CVE-2017-14152.patch b/openjpeg2-CVE-2017-14152.patch
new file mode 100644
index 0000000..811299c
--- /dev/null
+++ b/openjpeg2-CVE-2017-14152.patch
@@ -0,0 +1,25 @@
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 1844ac3..316b928 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -6104,10 +6104,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters, opj_ima
+
+ /* Precincts */
+ parameters->csty |= 0x01;
+- parameters->res_spec = parameters->numresolution-1;
+- for (i = 0; ires_spec; i++) {
+- parameters->prcw_init[i] = 256;
+- parameters->prch_init[i] = 256;
++ if (parameters->numresolution == 1) {
++ parameters->res_spec = 1;
++ parameters->prcw_init[0] = 128;
++ parameters->prch_init[0] = 128;
++ } else {
++ parameters->res_spec = parameters->numresolution - 1;
++ for (i = 0; i < parameters->res_spec; i++) {
++ parameters->prcw_init[i] = 256;
++ parameters->prch_init[i] = 256;
++ }
+ }
+
+ /* The progression order shall be CPRL */
diff --git a/openjpeg2.changes b/openjpeg2.changes
index 273ee8d..632981a 100644
--- a/openjpeg2.changes
+++ b/openjpeg2.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Tue Sep 12 20:49:00 CEST 2017 - hpj@suse.com
+
+- Add security fixes:
+ openjpeg2-CVE-2016-10504.patch (CVE-2016-10504, bsc#1056351),
+ openjpeg2-CVE-2016-10505.patch (CVE-2016-10505, bsc#1056363),
+ openjpeg2-CVE-2016-10506.patch (CVE-2016-10506, bsc#1056396),
+ openjpeg2-CVE-2017-12982.patch (CVE-2017-12982, bsc#1054696),
+ openjpeg2-CVE-2017-14039.patch (CVE-2017-14039, CVE-2017-14164,
+ bsc#1056622, bsc#1057511),
+ openjpeg2-CVE-2017-14040.patch (CVE-2017-14040, bsc#1056621),
+ openjpeg2-CVE-2017-14041.patch (CVE-2017-14041, bsc#1056562),
+ openjpeg2-CVE-2017-14151.patch (CVE-2017-14151, bsc#1057336),
+ openjpeg2-CVE-2017-14152.patch (CVE-2017-14152, bsc#1057335),
+ most of which are critical, including heap and stack overwrites,
+ over-reads and division by zero errors.
+
 -------------------------------------------------------------------
 Mon Dec 19 08:42:02 UTC 2016 - normand@linux.vnet.ibm.com
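Review bot: The new `numresolution == 1` branch in opj_j2k_set_cinema_parameters sets `res_spec = 1` with 128x128 precincts while the general branch writes `numresolution - 1` entries of 256, and nothing in the hunk says why the single-level case differs. A comment such as `/* numresolution == 1: keep one precinct entry (128x128) instead of res_spec == 0 */` would record the intent for the next reader. A `numresolution` of 0 still takes the else branch and yields `res_spec == -1`; whether that value is rejected before this function is not visible here. The loop bound is likewise not checked against the capacity of `prcw_init`/`prch_init` in the visible lines, so it depends on `numresolution` having been clamped earlier.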
diff --git a/openjpeg2.spec b/openjpeg2.spec index 9c0d6d1..e40ff5c 100644 --- a/openjpeg2.spec +++ b/openjpeg2.spec @@ -1,7 +1,7 @@ # # spec file for package openjpeg2 # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -39,6 +39,24 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build # CVE-2016-5152 is # https://pdfium.googlesource.com/pdfium.git/+/d8cc503575463ff3d81b22dad292665f2c88911e/third_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch Patch1: 0018-tcd_get_decoded_tile_size.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2016-10504.patch bsc#1056351 hpj@suse.com +Patch2: openjpeg2-CVE-2016-10504.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2016-10505.patch bsc#1056363 hpj@suse.com +Patch3: openjpeg2-CVE-2016-10505.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2016-10506.patch bsc#1056396 hpj@suse.com +Patch4: openjpeg2-CVE-2016-10506.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-12982.patch bsc#1054696 hpj@suse.com +Patch5: openjpeg2-CVE-2017-12982.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14039.patch bsc#1056622 bsc#1057511 hpj@suse.com +Patch6: openjpeg2-CVE-2017-14039.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14040.patch bsc#1056621 hpj@suse.com +Patch7: openjpeg2-CVE-2017-14040.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14041.patch bsc#1056562 hpj@suse.com +Patch8: openjpeg2-CVE-2017-14041.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14151.patch bsc#1057336 hpj@suse.com +Patch9: openjpeg2-CVE-2017-14151.patch +# PATCH-FIX-UPSTREAM openjpeg2-CVE-2017-14152.patch bsc#1057335 hpj@suse.com +Patch10: openjpeg2-CVE-2017-14152.patch %description The OpenJPEG library is an open-source JPEG 2000 codec written in C language. 
@@ -81,6 +99,15 @@ for d in thirdparty/*; do [ -d "$d" ] && rm -rf "$d" done %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 %build %cmake \