~ruther/guix-local

3b7c606965656e95725e9cd5f1c7cfc4d0ea18cf — Efraim Flashner 8 years ago f049e79 
gnu: openjpeg: Fix CVE-2017-14151, CVE-2017-14152.

* gnu/packages/image.scm (openjpeg)[source]: Add patches.
* gnu/packages/patches/openjpeg-CVE-2017-14151.patch,
gnu/packages/patches/openjpeg-CVE-2017-14152.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
patch browse .tar.gz 
4 files changed, 89 insertions(+), 1 deletions(-)

M gnu/local.mk
M gnu/packages/image.scm
A gnu/packages/patches/openjpeg-CVE-2017-14151.patch
A gnu/packages/patches/openjpeg-CVE-2017-14152.patch

M gnu/local.mk => gnu/local.mk +2 -0
@@ 888,6 888,8 @@ dist_patch_DATA =						\
  %D%/packages/patches/openjpeg-CVE-2017-12982.patch		\
  %D%/packages/patches/openjpeg-CVE-2017-14040.patch		\
  %D%/packages/patches/openjpeg-CVE-2017-14041.patch		\
  %D%/packages/patches/openjpeg-CVE-2017-14151.patch		\
  %D%/packages/patches/openjpeg-CVE-2017-14152.patch		\
  %D%/packages/patches/openldap-CVE-2017-9287.patch		\
  %D%/packages/patches/openocd-nrf52.patch			\
  %D%/packages/patches/openssl-runpath.patch			\


M gnu/packages/image.scm => gnu/packages/image.scm +3 -1
@@ 522,7 522,9 @@ work.")
          "0yvfghxwfm3dcqr9krkw63pcd76hzkknc3fh7bh11s8qlvjvrpbg"))
        (patches (search-patches "openjpeg-CVE-2017-12982.patch"
                                 "openjpeg-CVE-2017-14040.patch"
                                 "openjpeg-CVE-2017-14041.patch"))))
                                 "openjpeg-CVE-2017-14041.patch"
                                 "openjpeg-CVE-2017-14151.patch"
                                 "openjpeg-CVE-2017-14152.patch"))))
    (build-system cmake-build-system)
    (arguments
      ;; Trying to run `$ make check' results in a no rule fault.


A gnu/packages/patches/openjpeg-CVE-2017-14151.patch => gnu/packages/patches/openjpeg-CVE-2017-14151.patch +46 -0
@@ 0,0 1,46 @@
https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
http://openwall.com/lists/oss-security/2017/09/06/1

From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 14 Aug 2017 17:20:37 +0200
Subject: [PATCH] Encoder: grow buffer size in
 opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
 opj_mqc_flush (#982)

---
 src/lib/openjp2/tcd.c                   | 7 +++++--
 tests/nonregression/test_suite.ctest.in | 2 ++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
index 301c7213e..53cdcf64d 100644
--- a/src/lib/openjp2/tcd.c
+++ b/src/lib/openjp2/tcd.c
@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
 {
     OPJ_UINT32 l_data_size;
 
-    /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
-    l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+    /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+    /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
+    /* TODO: is there a theoretical upper-bound for the compressed code */
+    /* block size ? */
+    l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
                                    (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
 
     if (l_data_size > p_code_block->data_size) {
diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
index aaf40d7d0..ffd964c2a 100644
--- a/tests/nonregression/test_suite.ctest.in
+++ b/tests/nonregression/test_suite.ctest.in
@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
 # Same rate as Bretagne2_4.j2k
 opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
 
+opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
+
 # DECODER TEST SUITE
 opj_decompress -i  @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
 opj_decompress -i  @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx


A gnu/packages/patches/openjpeg-CVE-2017-14152.patch => gnu/packages/patches/openjpeg-CVE-2017-14152.patch +38 -0
@@ 0,0 1,38 @@
https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
http://openwall.com/lists/oss-security/2017/09/06/2

From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 15 Aug 2017 11:55:58 +0200
Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
 opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)

---
 src/lib/openjp2/j2k.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index a2521ebbc..54b490a8c 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
 
     /* Precincts */
     parameters->csty |= 0x01;
-    parameters->res_spec = parameters->numresolution - 1;
-    for (i = 0; i < parameters->res_spec; i++) {
-        parameters->prcw_init[i] = 256;
-        parameters->prch_init[i] = 256;
+    if (parameters->numresolution == 1) {
+        parameters->res_spec = 1;
+        parameters->prcw_init[0] = 128;
+        parameters->prch_init[0] = 128;
+    } else {
+        parameters->res_spec = parameters->numresolution - 1;
+        for (i = 0; i < parameters->res_spec; i++) {
+            parameters->prcw_init[i] = 256;
+            parameters->prch_init[i] = 256;
+        }
     }
 
     /* The progression order shall be CPRL */