openjpeg2
Attached is security patches for openjpeg2 from stretch. In particular:
CVE-2019-6988 - skipped, no upstream fix.
CVE-2020-27814 - applied, both patches. 2nd patch applied by hand.
CVE-2020-27823 - applied, by hand.
CVE-2020-27824 - applied, by hand. The patch applies cleanly, but it is a
no-op unless opj_dwt_getnorm_real is patched as well (the existing
function does the same thing), which I did.
CVE-2020-27841 - applied, by hand. As far as I can tell, most of the
upstream patch simply passes around the manager object, which is
required for better error messages. I applied only the bits that look
like they have a security impact, without the error messages.
CVE-2020-27842 - skipped, no upstream fix.
CVE-2020-27843 - skipped, no upstream fix.
CVE-2020-27844 - skipped. The upstream patch replaces an assert with an if;
I am not sure how this helps, unless the assert is a no-op. In any case, I
can't find the affected code, so I suspect we are not vulnerable.
CVE-2020-27845 - applied, by hand, error messages removed.
I note that this package doesn't seem to run its tests at build time, which
makes me a bit nervous. It does come with tests, but so far my attempts to
run them have not been successful.
--
Brian May <bam@debian.org>
diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.1.2/debian/changelog
--- openjpeg2-2.1.2/debian/changelog 2020-07-11 01:34:00.000000000 +1000
+++ openjpeg2-2.1.2/debian/changelog 2021-02-04 08:18:38.000000000 +1100
@@ -1,3 +1,18 @@
+openjpeg2 (2.1.2-1.1+deb9u6) stretch-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Fix CVE-2020-27814: A heap-buffer overflow in the way openjpeg2
+ handled certain PNG format files.
+ * Fix CVE-2020-27823: Wrong computation of x1,y1 if -d option is used,
+ resulting in heap buffer overflow.
+ * Fix CVE-2020-27824: avoid global buffer overflow on irreversible conversion when
+ too many decomposition levels are specified.
+ * Fix CVE-2020-27841: crafted input to be processed by the openjpeg encoder
+ could cause an out-of-bounds read.
+ * Fix CVE-2020-27845: crafted input can cause out-of-bounds-read.
+
+ -- Brian May <bam@debian.org> Thu, 04 Feb 2021 08:18:38 +1100
+
openjpeg2 (2.1.2-1.1+deb9u5) stretch-security; urgency=high
* Non-maintainer upload by the LTS team.
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch 1970-01-01 10:00:00.000000000 +1000
+++ openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch 2021-02-04 08:18:20.000000000 +1100
@@ -0,0 +1,28 @@
+From 15cf3d95814dc931ca0ecb132f81cb152e051bae Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 23 Nov 2020 18:14:02 +0100
+Subject: [PATCH] Encoder: grow again buffer size in
+ opj_tcd_code_block_enc_allocate_data() (fixes #1283)
+
+---
+ src/lib/openjp2/tcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: openjpeg2-2.1.2/src/lib/openjp2/tcd.c
+===================================================================
+--- openjpeg2-2.1.2.orig/src/lib/openjp2/tcd.c
++++ openjpeg2-2.1.2/src/lib/openjp2/tcd.c
+@@ -1107,9 +1107,12 @@ static OPJ_BOOL opj_tcd_code_block_enc_a
+
+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
++ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */
++ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */
++ /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */
+ /* TODO: is there a theoretical upper-bound for the compressed code */
+ /* block size ? */
+- l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
++ l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+
+ if (l_data_size > p_code_block->data_size) {
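Review bot: The patch header (single "From 15cf3d95…" line, diffstat "2 insertions(+), 1 deletion(-)") no longer describes the body, which carries three new comment lines plus the 2→28 change and, per the cover note, is the hand-merged result of two upstream commits. Record both upstream commit ids in a DEP-3 header (`Origin: backport, <upstream commit id 1>, <upstream commit id 2>` — placeholders; the second id is not on this page) so the provenance of the +28 value can be checked by the next updater. The retained TODO in the hunk already states there is no known theoretical bound, so the slack is empirical; the header should say as much so nobody later "tidies" 28 back down. The enclosing opj_tcd_code_block_enc_allocate_data() starts and ends outside the hunk.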
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch 1970-01-01 10:00:00.000000000 +1000
+++ openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch 2021-02-04 08:18:38.000000000 +1100
@@ -0,0 +1,25 @@
+From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:31:51 +0100
+Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is
+ used, that would result in a heap buffer overflow (fixes #1284)
+
+---
+ src/bin/jp2/convertpng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: openjpeg2-2.1.2/src/bin/jp2/convertpng.c
+===================================================================
+--- openjpeg2-2.1.2.orig/src/bin/jp2/convertpng.c
++++ openjpeg2-2.1.2/src/bin/jp2/convertpng.c
+@@ -216,8 +216,8 @@ opj_image_t *pngtoimage(const char *read
+ if(image == NULL) goto fin;
+ image->x0 = (OPJ_UINT32)params->image_offset_x0;
+ image->y0 = (OPJ_UINT32)params->image_offset_y0;
+- image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32)params->subsampling_dx + 1 + image->x0);
+- image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)params->subsampling_dy + 1 + image->y0);
++ image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32)params->subsampling_dx + 1);
++ image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)params->subsampling_dy + 1);
+
+ row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32));
+ if(row32s == NULL) goto fin;
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27824.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27824.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2020-27824.patch 1970-01-01 10:00:00.000000000 +1000
+++ openjpeg2-2.1.2/debian/patches/CVE-2020-27824.patch 2021-02-04 08:18:38.000000000 +1100
@@ -0,0 +1,38 @@
+From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:37:07 +0100
+Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible
+ conversion when too many decomposition levels are specified (fixes #1286)
+
+---
+ src/lib/openjp2/dwt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openjpeg2-2.1.2/src/lib/openjp2/dwt.c
+===================================================================
+--- openjpeg2-2.1.2.orig/src/lib/openjp2/dwt.c
++++ openjpeg2-2.1.2/src/lib/openjp2/dwt.c
+@@ -525,6 +525,14 @@ OPJ_UINT32 opj_dwt_getgain_real(OPJ_UINT
+ /* Get norm of 9-7 wavelet. */
+ /* </summary> */
+ OPJ_FLOAT64 opj_dwt_getnorm_real(OPJ_UINT32 level, OPJ_UINT32 orient) {
++ /* FIXME ! This is just a band-aid to avoid a buffer overflow */
++ /* but the array should really be extended up to 33 resolution levels */
++ /* See https://github.com/uclouvain/openjpeg/issues/493 */
++ if (orient == 0 && level >= 10) {
++ level = 9;
++ } else if (orient > 0 && level >= 9) {
++ level = 8;
++ }
+ return opj_dwt_norms_real[orient][level];
+ }
+
+@@ -542,7 +550,7 @@ void opj_dwt_calc_explicit_stepsizes(opj
+ if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) {
+ stepsize = 1.0;
+ } else {
+- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level];
++ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient);
+ stepsize = (1 << (gain)) / norm;
+ }
+ opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0), (OPJ_INT32)(prec + gain), &tccp->stepsizes[bandno]);
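Review bot: The first hunk (the clamp inside opj_dwt_getnorm_real) is not part of the upstream commit named in the header, whose diffstat still says "1 insertion(+), 1 deletion(-)"; it is the band-aid for the issue #493 cited in its own comment, and the DEP-3 header should say so (`Origin: backport` with a `Comment:` naming the second upstream change) so the file's claimed provenance matches its body. On the code itself, the clamp bounds `level` but not `orient`; presumably every caller derives orient from a band number in 0..3, but that should be confirmed against stretch's dwt.c, since an out-of-range orient would still index past the table. The different limits (9 for orient 0, 8 for orient > 0) imply the rows of opj_dwt_norms_real have different valid lengths; if a clamped index ever lands on a zero entry, `norm` becomes 0.0 and the `(1 << (gain)) / norm` line in the second hunk produces an infinite stepsize rather than an error, so the table declaration is worth checking in this version. opj_dwt_calc_explicit_stepsizes starts and ends outside the second hunk.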
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27841.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27841.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2020-27841.patch 1970-01-01 10:00:00.000000000 +1000
+++ openjpeg2-2.1.2/debian/patches/CVE-2020-27841.patch 2021-02-04 08:18:38.000000000 +1100
@@ -0,0 +1,40 @@
+From 00383e162ae2f8fc951f5745bf1011771acb8dce Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 2 Dec 2020 14:02:17 +0100
+Subject: [PATCH] pi.c: avoid out of bounds access with POC (refs
+ https://github.com/uclouvain/openjpeg/issues/1293#issuecomment-737122836)
+
+---
+ src/lib/openjp2/pi.c | 49 +++++++++++++++++++++++++++++---------------
+ src/lib/openjp2/pi.h | 10 +++++++--
+ src/lib/openjp2/t2.c | 4 ++--
+ 3 files changed, 42 insertions(+), 21 deletions(-)
+
+Index: openjpeg2-2.1.2/src/lib/openjp2/pi.c
+===================================================================
+--- openjpeg2-2.1.2.orig/src/lib/openjp2/pi.c
++++ openjpeg2-2.1.2/src/lib/openjp2/pi.c
+@@ -408,6 +408,11 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_
+ opj_pi_resolution_t *res = NULL;
+ OPJ_UINT32 index = 0;
+
++ if (pi->poc.compno0 >= pi->numcomps ||
++ pi->poc.compno1 >= pi->numcomps + 1) {
++ return OPJ_FALSE;
++ }
++
+ if (!pi->first) {
+ comp = &pi->comps[pi->compno];
+ goto LABEL_SKIP;
+@@ -500,6 +505,11 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_
+ opj_pi_resolution_t *res = NULL;
+ OPJ_UINT32 index = 0;
+
++ if (pi->poc.compno0 >= pi->numcomps ||
++ pi->poc.compno1 >= pi->numcomps + 1) {
++ return OPJ_FALSE;
++ }
++
+ if (!pi->first) {
+ comp = &pi->comps[pi->compno];
+ goto LABEL_SKIP;
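Review bot: The header's diffstat lists pi.h and t2.c with 42 insertions while the body contains only the two pi.c guard hunks, so the next updater will look for hunks that were deliberately dropped; add a DEP-3 `Comment:` stating that the manager-plumbing and error messages from upstream were intentionally left out. Because the messages are gone, a rejected POC range makes opj_pi_next_pcrl/opj_pi_next_cprl return OPJ_FALSE with no diagnostic, which callers presumably see only as "iteration ended"; a comment on each guard would keep that visible, e.g. `/* POC component range outside pi->comps[]; no event manager is reachable here in 2.1.2, so fail silently (upstream logs an error). */`. The same guard, with the same silent-return behaviour, is added to opj_pi_next_lrcp, opj_pi_next_rlcp and opj_pi_next_rpcl in CVE-2020-27845.patch, so the comment applies there too. Both enclosing functions start before and end after their hunks.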
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27844.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27844.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2020-27844.patch 1970-01-01 10:00:00.000000000 +1000
+++ openjpeg2-2.1.2/debian/patches/CVE-2020-27844.patch 2021-02-04 08:18:38.000000000 +1100
@@ -0,0 +1,30 @@
+From 73fdf28342e4594019af26eb6a347a34eceb6296 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 2 Dec 2020 14:10:16 +0100
+Subject: [PATCH] opj_j2k_write_sod(): avoid potential heap buffer overflow
+ (fixes #1299) (probably master only)
+
+---
+ src/lib/openjp2/j2k.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 78d459259..8e343ab2e 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -4806,8 +4806,13 @@ static OPJ_BOOL opj_j2k_write_sod(opj_j2k_t *p_j2k,
+ }
+ }
+
+- assert(l_remaining_data >
+- p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT);
++ if (l_remaining_data <
++ p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough bytes in output buffer to write SOD marker\n");
++ opj_tcd_marker_info_destroy(marker_info);
++ return OPJ_FALSE;
++ }
+ l_remaining_data -= p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT;
+
+ if (! opj_tcd_encode_tile(p_tile_coder, p_j2k->m_current_tile_number,
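Review bot: This patch file is added to debian/patches but not to debian/patches/series, which matches the cover note marking the CVE skipped, but an unapplied patch in the tree with no explanation will confuse the next upload; either drop the file or give it a DEP-3 header stating it is intentionally not applied and why. On the cover note's question, the replaced `assert(...)` compiles to nothing under NDEBUG, so release builds had no check at all and the `if` turns it into a real runtime rejection — that is how the upstream change helps. Note also the upstream condition is not the exact inverse of the assert: the assert required `l_remaining_data >` the reserved bytes, while the new check only rejects `<`, so equality now passes and leaves zero bytes after the subtraction on the next line. Whether stretch's j2k.c has `m_reserved_bytes_for_PLT` at all is the real question; the upstream subject itself says "probably master only", and if the field is absent the guarded path does not exist in 2.1.2 and the skip is justified. opj_j2k_write_sod starts and ends outside the hunk.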
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27845.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27845.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2020-27845.patch 1970-01-01 10:00:00.000000000 +1000
+++ openjpeg2-2.1.2/debian/patches/CVE-2020-27845.patch 2021-02-04 08:18:38.000000000 +1100
@@ -0,0 +1,51 @@
+From 8f5aff1dff510a964d3901d0fba281abec98ab63 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Fri, 4 Dec 2020 20:45:25 +0100
+Subject: [PATCH] pi.c: avoid out of bounds access with POC (fixes #1302)
+
+---
+ src/lib/openjp2/pi.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+Index: openjpeg2-2.1.2/src/lib/openjp2/pi.c
+===================================================================
+--- openjpeg2-2.1.2.orig/src/lib/openjp2/pi.c
++++ openjpeg2-2.1.2/src/lib/openjp2/pi.c
+@@ -234,7 +234,12 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_
+ opj_pi_comp_t *comp = NULL;
+ opj_pi_resolution_t *res = NULL;
+ OPJ_UINT32 index = 0;
+-
++
++ if (pi->poc.compno0 >= pi->numcomps ||
++ pi->poc.compno1 >= pi->numcomps + 1) {
++ return OPJ_FALSE;
++ }
++
+ if (!pi->first) {
+ comp = &pi->comps[pi->compno];
+ res = &comp->resolutions[pi->resno];
+@@ -275,6 +280,11 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_
+ opj_pi_resolution_t *res = NULL;
+ OPJ_UINT32 index = 0;
+
++ if (pi->poc.compno0 >= pi->numcomps ||
++ pi->poc.compno1 >= pi->numcomps + 1) {
++ return OPJ_FALSE;
++ }
++
+ if (!pi->first) {
+ comp = &pi->comps[pi->compno];
+ res = &comp->resolutions[pi->resno];
+@@ -314,6 +324,11 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_
+ opj_pi_resolution_t *res = NULL;
+ OPJ_UINT32 index = 0;
+
++ if (pi->poc.compno0 >= pi->numcomps ||
++ pi->poc.compno1 >= pi->numcomps + 1) {
++ return OPJ_FALSE;
++ }
++
+ if (!pi->first) {
+ goto LABEL_SKIP;
+ } else {
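Review bot: The `-`/`+` pair in the first hunk of this file (just before the new guard in opj_pi_next_lrcp) removes and re-adds what appears to be a blank line, i.e. a trailing-whitespace-only change; drop it so the backport stays minimal and does not fuzz on a tree with different whitespace. Otherwise the three guards mirror the ones added for CVE-2020-27841 and together cover all five opj_pi_next_* iterators, which is the point of the fix. Each enclosing function starts before and ends after its hunk.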
diff -Nru openjpeg2-2.1.2/debian/patches/series openjpeg2-2.1.2/debian/patches/series
--- openjpeg2-2.1.2/debian/patches/series 2020-07-11 01:34:00.000000000 +1000
+++ openjpeg2-2.1.2/debian/patches/series 2021-02-04 08:18:38.000000000 +1100
@@ -23,3 +23,8 @@
CVE-2020-8112.patch
CVE-2020-6851.patch
CVE-2019-12973.patch
+CVE-2020-27814.patch
+CVE-2020-27823.patch
+CVE-2020-27824.patch
+CVE-2020-27841.patch
+CVE-2020-27845.patch