[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#942575: buster-pu: package openjpeg2/2.3.0-2+deb10u1

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release managers,

as discussed in #939553[0], no DSA will be issued by the security team for
CVE-2018-21010 and this vulnerability can be fixed via -pu. The attached
debdiff addresses this issue, along with CVE-2018-20847.

This is almost the same debdiff as #942024[1] (for stretch-pu).

thanks!

cheers,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942024

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

diff -Nru openjpeg2-2.3.0/debian/changelog openjpeg2-2.3.0/debian/changelog
--- openjpeg2-2.3.0/debian/changelog	2019-03-10 18:34:51.000000000 +0100
+++ openjpeg2-2.3.0/debian/changelog	2019-10-17 14:48:09.000000000 +0200
@@ -1,3 +1,14 @@
+openjpeg2 (2.3.0-2+deb10u1) buster; urgency=high
+
+  * Backport security fixes:
+  * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile
+    (Closes: #939553).
+  * CVE-2018-20847: improper computation of values in the function
+    opj_get_encoding_parameters, leading to an integer overflow
+    (Closes: #931294).
+
+ -- Hugo Lefeuvre <hle@debian.org>  Thu, 17 Oct 2019 14:48:09 +0200
+
 openjpeg2 (2.3.0-2) unstable; urgency=high
 
   [ Hugo Lefeuvre ]
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch	1970-01-01 01:00:00.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch	2019-10-17 14:43:51.000000000 +0200
@@ -0,0 +1,40 @@
+Description: fix integer overflow in opj_get_encoding_parameters
+ This bug is known at three places in the source code:
+ opj_get_all_encoding_parameters() and opj_tcd_init_tile() in pi.c and tcd.c
+ (both fixed _before_ the release of 2.1.2), and opj_get_encoding_parameters()
+ in pi.c. This patch addresses the issue in opj_get_encoding_parameters().
+Author: Young_X <YangX92@hotmail.com>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/c58df149900df862
+--- a/src/lib/openjp2/pi.c	2019-10-17 14:41:15.997977749 +0200
++++ b/src/lib/openjp2/pi.c	2019-10-17 14:43:46.276679721 +0200
+@@ -748,6 +748,9 @@
+     /* position in x and y of tile */
+     OPJ_UINT32 p, q;
+ 
++    /* non-corrected (in regard to image offset) tile offset */
++    OPJ_UINT32 l_tx0, l_ty0;
++
+     /* preconditions */
+     assert(p_cp != 00);
+     assert(p_image != 00);
+@@ -763,14 +766,12 @@
+     q = p_tileno / p_cp->tw;
+ 
+     /* find extent of tile */
+-    *p_tx0 = opj_int_max((OPJ_INT32)(p_cp->tx0 + p * p_cp->tdx),
+-                         (OPJ_INT32)p_image->x0);
+-    *p_tx1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx),
+-                         (OPJ_INT32)p_image->x1);
+-    *p_ty0 = opj_int_max((OPJ_INT32)(p_cp->ty0 + q * p_cp->tdy),
+-                         (OPJ_INT32)p_image->y0);
+-    *p_ty1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + (q + 1) * p_cp->tdy),
+-                         (OPJ_INT32)p_image->y1);
++    l_tx0 = p_cp->tx0 + p * p_cp->tdx; /* can't be greater than p_image->x1 so won't overflow */
++    *p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0);
++    *p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), p_image->x1);
++    l_ty0 = p_cp->ty0 + q * p_cp->tdy; /* can't be greater than p_image->y1 so won't overflow */
++    *p_ty0 = (OPJ_INT32)opj_uint_max(l_ty0, p_image->y0);
++    *p_ty1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, p_cp->tdy), p_image->y1);
+ 
+     /* max precision is 0 (can only grow) */
+     *p_max_prec = 0;
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch	1970-01-01 01:00:00.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch	2019-10-17 14:34:45.000000000 +0200
@@ -0,0 +1,26 @@
+Description: color_apply_icc_profile: avoid potential heap buffer overflow 
+ This patch addresses CVE-2018-21010. It differs slightly from upstream's
+ patch in that we avoid whitespace refactoring and complex nested ifs.
+Author: Even Rouault <even.rouault@spatialys.com>, Hugo Lefeuvre <hle@debian.org>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c9
+--- a/src/bin/common/color.c	2019-10-17 14:33:21.021771909 +0200
++++ b/src/bin/common/color.c	2019-10-17 14:34:39.397137223 +0200
+@@ -597,6 +597,18 @@
+     }
+ 
+     if (image->numcomps > 2) { /* RGB, RGBA */
++
++	if (!(image->comps[0].w == image->comps[1].w &&
++	      image->comps[0].w == image->comps[2].w) ||
++	    !(image->comps[0].h == image->comps[1].h &&
++	      image->comps[0].h == image->comps[2].h))
++	{
++		fprintf(stderr,
++		"[ERROR] Image components should have the same width and height\n");
++		cmsDeleteTransform(transform);
++		return;
++	}
++
+         if (prec <= 8) {
+             unsigned char *inbuf, *outbuf, *in, *out;
+ 
diff -Nru openjpeg2-2.3.0/debian/patches/series openjpeg2-2.3.0/debian/patches/series
--- openjpeg2-2.3.0/debian/patches/series	2019-03-10 18:31:30.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/series	2019-10-17 14:41:01.000000000 +0200
@@ -5,3 +5,5 @@
 CVE-2018-18088.patch
 CVE-2018-5785.patch
 CVE-2018-6616.patch
+CVE-2018-21010.patch
+CVE-2018-20847.patch

Attachment: signature.asc
Description: PGP signature

Reply to: