From e75e2d45d6c8982bf12513816b6fbd5eb5647a27 Mon Sep 17 00:00:00 2001 From: Helmut Pozimski Date: Mon, 11 Mar 2019 19:42:03 +0100 Subject: [PATCH] openjpeg2: add patches to fix several security vulnerabilities CVE-2017-17480 CVE-2018-5785 CVE-2018-6616 CVE-2018-14423 CVE-2018-18088 --- .../openjpeg2/patches/CVE-2017-17480.patch | 42 ++++++++++ .../openjpeg2/patches/CVE-2018-14423.patch | 60 ++++++++++++++ .../openjpeg2/patches/CVE-2018-18088.patch | 34 ++++++++ srcpkgs/openjpeg2/patches/CVE-2018-5785.patch | 79 +++++++++++++++++++ srcpkgs/openjpeg2/patches/CVE-2018-6616.patch | 69 ++++++++++++++++ srcpkgs/openjpeg2/template | 2 +- 6 files changed, 285 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/openjpeg2/patches/CVE-2017-17480.patch create mode 100644 srcpkgs/openjpeg2/patches/CVE-2018-14423.patch create mode 100644 srcpkgs/openjpeg2/patches/CVE-2018-18088.patch create mode 100644 srcpkgs/openjpeg2/patches/CVE-2018-5785.patch create mode 100644 srcpkgs/openjpeg2/patches/CVE-2018-6616.patch diff --git a/srcpkgs/openjpeg2/patches/CVE-2017-17480.patch b/srcpkgs/openjpeg2/patches/CVE-2017-17480.patch new file mode 100644 index 00000000000..f0953d4f449 --- /dev/null +++ b/srcpkgs/openjpeg2/patches/CVE-2017-17480.patch 
@@ -0,0 +1,42 @@
+From 0bc90e4062a5f9258c91eca018c019b179066c62 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre
+Date: Mon, 22 Oct 2018 16:59:41 +0200
+Subject: [PATCH] jp3d/jpwl convert: fix write stack buffer overflow
+
+Missing buffer length formatter in fscanf call might lead to write
+stack buffer overflow.
+
+fixes #1044 (CVE-2017-17480)
+---
+ src/bin/jp3d/convert.c | 4 ++--
+ src/bin/jpwl/convert.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c
+index 23fd70b04..acad8f82a 100644
+--- src/bin/jp3d/convert.c
++++ src/bin/jp3d/convert.c
+@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters)
+ fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
+
+ fseek(f, 0, SEEK_SET);
+- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
+- signtmp, &prec, temp, &w, temp, &h);
++ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
++ &endian2, signtmp, &prec, temp, &w, temp, &h);
+
+ i = 0;
+ sign = '+';
+diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c
+index f3bb670b0..73c1be729 100644
+--- src/bin/jpwl/convert.c
++++ src/bin/jpwl/convert.c
+@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
+ }
+
+ fseek(f, 0, SEEK_SET);
+- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+ fprintf(stderr,
+ "ERROR: Failed to read the right number of element from the fscanf() function!\n");
diff --git a/srcpkgs/openjpeg2/patches/CVE-2018-14423.patch b/srcpkgs/openjpeg2/patches/CVE-2018-14423.patch
new file mode 100644
index 00000000000..182a1134365
--- /dev/null
+++ b/srcpkgs/openjpeg2/patches/CVE-2018-14423.patch
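Review bot: The jp3d hunk still ignores the `fscanf` return value, so a truncated or malformed PGX header silently falls through with `prec`, `w` and `h` left at whatever they held before, whereas the jpwl hunk right below tests for `!= 9` and reports an error. The `%31[` widths also presuppose that `temp` and `signtmp` are at least 32 bytes; they are declared outside the hunk and worth confirming against the 2.3.0 sources, since the upstream commit postdates that release. I would mirror the jpwl form, `if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {`, and take whatever failure path pgxtovolume uses; the function's body starts and ends outside the hunk.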
@@ -0,0 +1,60 @@
+From bd88611ed9ad7144ec4f3de54790cd848175891b Mon Sep 17 00:00:00 2001
+From: Young_X
+Date: Fri, 23 Nov 2018 17:15:05 +0800
+Subject: [PATCH] [JP3D] To avoid divisions by zero / undefined behaviour on
+ shift (CVE-2018-14423
+
+Signed-off-by: Young_X
+---
+ src/lib/openjp3d/pi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c
+index a03be45e7..a58ebcc7c 100644
+--- src/lib/openjp3d/pi.c
++++ src/lib/openjp3d/pi.c
+@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi)
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
+@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi)
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
+@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi)
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
diff --git a/srcpkgs/openjpeg2/patches/CVE-2018-18088.patch b/srcpkgs/openjpeg2/patches/CVE-2018-18088.patch
new file mode 100644
index 00000000000..15caf600188
--- /dev/null
+++ b/srcpkgs/openjpeg2/patches/CVE-2018-18088.patch
@@ -0,0 +1,34 @@
+From cab352e249ed3372dd9355c85e837613fff98fa2 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre
+Date: Wed, 7 Nov 2018 18:48:29 +0100
+Subject: [PATCH] jp2: convert: fix null pointer dereference
+
+Tile components in a JP2 image might have null data pointer by defining a
+zero component size (for example using large horizontal or vertical
+sampling periods). This null data pointer leads to null image component
+data pointer, causing crash when dereferenced without != null check in
+imagetopnm.
+
+Add != null check.
+
+This commit addresses #1152 (CVE-2018-18088).
+---
+ src/bin/jp2/convert.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
+index fa02e31c5..e670cd82f 100644
+--- src/bin/jp2/convert.c
++++ src/bin/jp2/convert.c
+@@ -2233,6 +2233,11 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split)
+ opj_version(), wr, hr, max);
+
+ red = image->comps[compno].data;
++ if (!red) {
++ fclose(fdest);
++ continue;
++ }
++
+ adjustR =
+ (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
+
diff --git a/srcpkgs/openjpeg2/patches/CVE-2018-5785.patch b/srcpkgs/openjpeg2/patches/CVE-2018-5785.patch
new file mode 100644
index 00000000000..39f78d53a49
--- /dev/null
+++ b/srcpkgs/openjpeg2/patches/CVE-2018-5785.patch
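Review bot: The guard added to all three iterators catches a shift that overflows but not a zero sampling factor: with `comp->dx == 0` the round trip `((0 << rpx) >> rpx) == 0` passes and `pi->x % (comp->dx << rpx)` on the following context line still divides by zero, the first hazard the new comment names. Unless dx/dy/dz are already rejected as zero when the SIZ marker is parsed (nothing in this patch shows that), put `comp->dx == 0 || comp->dy == 0 || comp->dz == 0 ||` first in the condition. If `comp->dx` is a signed int, as its declaration outside the hunk may well make it, `comp->dx << rpx` for rpx up to 30 is itself signed overflow before the comparison runs; `(((unsigned)comp->dx << rpx) >> rpx) != (unsigned)comp->dx` keeps the test defined. The same eight lines are pasted into pi_next_rpcl, pi_next_pcrl and pi_next_cprl, so a small static helper would keep the three in step.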
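Review bot: The `!red` branch in imagetopnm closes `fdest` and continues without any diagnostic, so a component with no data leaves behind an output file holding only the header that the fprintf ending on the hunk's first context line already wrote, while the caller sees what looks like success. I would report it, `fprintf(stderr, "ERROR: component %d has no data\n", compno);`, and make the function signal failure instead of `continue`, using whatever convention its return path follows; the function starts and ends outside the hunk. The non-split branch of imagetopnm, also outside the hunk, dereferences `comps[].data` as well and needs the same check if it does not have one.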
@@ -0,0 +1,79 @@
+From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre
+Date: Sat, 22 Sep 2018 14:33:19 -0400
+Subject: [PATCH] convertbmp: fix issues with zero bitmasks
+
+In the case where a BMP file declares compression 3 (BI_BITFIELDS)
+with header size <= 56, all bitmask values keep their initialization
+value 0. This may lead to various undefined behavior later e.g. when
+doing 1 << (l_comp->prec - 1).
+
+This issue does not affect files with bit count 16 because of a check
+added in 16240e2 which sets default values to the color masks if they
+are all 0.
+
+This commit adds similar checks for the 32 bit case.
+
+Also, if a BMP file declares compression 3 with header size >= 56 and
+intentional 0 bitmasks, the same issue will be triggered in both the
+16 and 32 bit count case.
+
+This commit adds checks to bmp_read_info_header() rejecting BMP files
+with "intentional" 0 bitmasks. These checks might be removed in the
+future when proper handling of zero bitmasks will be available in
+openjpeg2.
+
+fixes #1057 (CVE-2018-5785)
+---
+ src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 084f70bb7..7fde99ab3 100644
+--- src/bin/jp2/convertbmp.c
++++ src/bin/jp2/convertbmp.c
+@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
+ header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biRedMask) {
++ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
++ return OPJ_FALSE;
++ }
++
+ header->biGreenMask = (OPJ_UINT32)getc(IN);
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biGreenMask) {
++ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
++ return OPJ_FALSE;
++ }
++
+ header->biBlueMask = (OPJ_UINT32)getc(IN);
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biBlueMask) {
++ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
++ return OPJ_FALSE;
++ }
++
+ header->biAlphaMask = (OPJ_UINT32)getc(IN);
+ header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
+@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
+ bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
+ 0x00000000U);
+ } else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
++ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
++ (Info_h.biBlueMask == 0U)) {
++ Info_h.biRedMask = 0x00FF0000U;
++ Info_h.biGreenMask = 0x0000FF00U;
++ Info_h.biBlueMask = 0x000000FFU;
++ }
+ bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
+ Info_h.biBlueMask, Info_h.biAlphaMask);
+ } else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
diff --git a/srcpkgs/openjpeg2/patches/CVE-2018-6616.patch b/srcpkgs/openjpeg2/patches/CVE-2018-6616.patch
new file mode 100644
index 00000000000..d19564edfd2
--- /dev/null
+++ b/srcpkgs/openjpeg2/patches/CVE-2018-6616.patch
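Review bot: The three new mask checks in bmp_read_info_header are not tied to `biCompression == 3`; if, as the commit message's "header size >= 56" wording suggests, the mask fields are read for every header of that size regardless of compression (the enclosing conditional is outside the hunk), a BI_RGB bitmap carrying a V4/V5 header with zeroed masks, a layout many writers produce, is now rejected outright even though those masks are never consulted. Gating each check, `if (header->biCompression == 3 && !header->biRedMask) {` and likewise for green and blue, confines the rejection to the bitfield case the commit message actually describes. Separately, all three fprintf calls pass an OPJ_UINT32 to `%d`; `%u` is the matching conversion, though since the printed value is always 0 here this is a -Wformat nit rather than a runtime problem.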
@@ -0,0 +1,69 @@
+From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre
+Date: Fri, 14 Dec 2018 04:58:40 +0100
+Subject: [PATCH] convertbmp: detect invalid file dimensions early
+
+width/length dimensions read from bmp headers are not necessarily
+valid. For instance they may have been maliciously set to very large
+values with the intention to cause DoS (large memory allocation, stack
+overflow). In these cases we want to detect the invalid size as early
+as possible.
+
+This commit introduces a counter which verifies that the number of
+written bytes corresponds to the advertized width/length.
+
+Fixes #1059 (CVE-2018-6616).
+---
+ src/bin/jp2/convertbmp.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index 85a47feaf..0af52f816 100644
+--- src/bin/jp2/convertbmp.c
++++ src/bin/jp2/convertbmp.c
+@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride,
+ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+ {
+- OPJ_UINT32 x, y;
++ OPJ_UINT32 x, y, written;
+ OPJ_UINT8 *pix;
+ const OPJ_UINT8 *beyond;
+
+ beyond = pData + stride * height;
+ pix = pData;
+
+- x = y = 0U;
++ x = y = written = 0U;
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ *pix = c1;
++ written++;
+ }
+ } else {
+ c = getc(IN);
+@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ }
+ c1 = (OPJ_UINT8)c1_int;
+ *pix = c1;
++ written++;
+ }
+ if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
+ c = getc(IN);
+@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ }
+ }
+ }/* while() */
++
++ if (written != width * height) {
++ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
++ return OPJ_FALSE;
++ }
++
+ return OPJ_TRUE;
+ }
+
diff --git a/srcpkgs/openjpeg2/template b/srcpkgs/openjpeg2/template
index 91637e7d4d3..99c4bda4d92 100644
--- a/srcpkgs/openjpeg2/template
+++ b/srcpkgs/openjpeg2/template
@@ -1,7 +1,7 @@
 # Template file for 'openjpeg2'
 pkgname=openjpeg2
 version=2.3.0
-revision=2
+revision=3
 wrksrc="openjpeg-${version}"
 build_style=cmake
 makedepends="libpng-devel lcms2-devel tiff-devel"
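Review bot: `written` is incremented only in the two literal-pixel branches shown, so any RLE8 escape that moves the cursor without storing pixels, the delta escape and an early end-of-bitmap (both handled outside this hunk if the decoder follows the BMP format), leaves `written < width * height` for a well-formed file and the new check then rejects it with OPJ_FALSE while the message still says "warning". If rejection is the intent the message should say so; otherwise add the skipped span to `written` in the delta branch and treat end-of-bitmap as completing the image, so only genuinely short or oversized pixel data trips the check. `width * height` is also computed in OPJ_UINT32 and can wrap for exactly the oversized dimensions the commit message worries about; `written != (OPJ_SIZE_T)width * height` avoids a spurious match on a wrapped product. bmp_read_rle4_data, outside the hunk, has the same structure and would benefit from the same counter.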