Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Dear release managers, as discussed in #939553[0], no DSA will be issued by the security team for CVE-2018-21010 and this vulnerability can be fixed via -pu. The attached debdiff addresses this issue, along with CVE-2018-20847 and CVE-2018-21010. Patches for CVE-2018-20847 and CVE-2018-21010 are straight from upstream. Concerning CVE-2018-21010, I did a few changes to remove non-security related refactoring and improve readability. thanks! cheers, Hugo [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553 -- Hugo Lefeuvre (hle) | www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.1.2/debian/changelog --- openjpeg2-2.1.2/debian/changelog 2019-03-07 22:41:30.000000000 +0100 +++ openjpeg2-2.1.2/debian/changelog 2019-10-08 15:20:27.000000000 +0200 @@ -1,3 +1,16 @@ +openjpeg2 (2.1.2-1.1+deb9u4) stretch; urgency=medium + + * Non-maintainer upload. + * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile + (Closes: #939553). + * CVE-2018-20847: improper computation of values in the function + opj_get_encoding_parameters, leading to an integer overflow + (Closes: #931294). + * CVE-2016-9112: floating point exception or divide by zero in the + function opj_pi_next_cprl (Closes: #844551). + + -- Hugo Lefeuvre <h...@debian.org> Tue, 08 Oct 2019 15:20:27 +0200 + openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium * Non-maintainer upload by the Security Team. diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch --- openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch 2019-10-08 15:20:27.000000000 +0200 @@ -0,0 +1,59 @@ +Subject: fix division by zero and undefined behavior on shift in pi.c +Author: Even Rouault <even.roua...@spatialys.com> +Origin: upstream, https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad +--- a/src/lib/openjp2/pi.c 2019-10-08 15:46:03.364003550 +0200 ++++ b/src/lib/openjp2/pi.c 2019-10-09 08:59:02.183880328 +0200 +@@ -360,6 +360,17 @@ + try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno)); + rpx = res->pdx + levelno; + rpy = res->pdy + levelno; ++ ++ /* To avoid divisions by zero / undefined behaviour on shift */ ++ /* in below tests */ ++ /* Fixes reading id:000026,sig:08,src:002419,op:int32,pos:60,val:+32 */ ++ /* of https://github.com/uclouvain/openjpeg/issues/938 */ ++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || ++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) { ++ continue; ++ } ++ ++ /* See ISO-15441. B.12.1.3 Resolution level-position-component-layer progression */ + if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){ + continue; + } +@@ -441,6 +452,17 @@ + try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno)); + rpx = res->pdx + levelno; + rpy = res->pdy + levelno; ++ ++ /* To avoid divisions by zero / undefined behaviour on shift */ ++ /* in below tests */ ++ /* Relates to id:000019,sig:08,src:001098,op:flip1,pos:49 */ ++ /* of https://github.com/uclouvain/openjpeg/issues/938 */ ++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || ++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) { ++ continue; ++ } ++ ++ /* See ISO-15441. B.12.1.4 Position-component-resolution level-layer progression */ + if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){ + continue; + } +@@ -520,6 +542,17 @@ + try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno)); + rpx = res->pdx + levelno; + rpy = res->pdy + levelno; ++ ++ /* To avoid divisions by zero / undefined behaviour on shift */ ++ /* in below tests */ ++ /* Fixes reading id:000019,sig:08,src:001098,op:flip1,pos:49 */ ++ /* of https://github.com/uclouvain/openjpeg/issues/938 */ ++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || ++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) { ++ continue; ++ } ++ ++ /* See ISO-15441. B.12.1.5 Component-position-resolution level-layer progression */ + if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){ + continue; + } diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2018-20847.patch openjpeg2-2.1.2/debian/patches/CVE-2018-20847.patch --- openjpeg2-2.1.2/debian/patches/CVE-2018-20847.patch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg2-2.1.2/debian/patches/CVE-2018-20847.patch 2019-10-08 15:20:27.000000000 +0200 @@ -0,0 +1,36 @@ +Description: fix integer overflow in opj_get_encoding_parameters + This bug is known at three places in the source code: + opj_get_all_encoding_parameters() and opj_tcd_init_tile() in pi.c and tcd.c + (both fixed _before_ the release of 2.1.2), and opj_get_encoding_parameters() + in pi.c. This patch addresses the issue in opj_get_encoding_parameters(). +Author: Young_X <yang...@hotmail.com> +Origin: upstream, https://github.com/uclouvain/openjpeg/commit/c58df149900df862 +--- a/src/lib/openjp2/pi.c 2019-10-08 15:42:07.754437740 +0200 ++++ b/src/lib/openjp2/pi.c 2019-10-08 15:46:03.364003550 +0200 +@@ -574,6 +574,9 @@ + /* position in x and y of tile */ + OPJ_UINT32 p, q; + ++ /* non-corrected (in regard to image offset) tile offset */ ++ OPJ_UINT32 l_tx0, l_ty0; ++ + /* preconditions */ + assert(p_cp != 00); + assert(p_image != 00); +@@ -589,10 +592,12 @@ + q = p_tileno / p_cp->tw; + + /* find extent of tile */ +- *p_tx0 = opj_int_max((OPJ_INT32)(p_cp->tx0 + p * p_cp->tdx), (OPJ_INT32)p_image->x0); +- *p_tx1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx), (OPJ_INT32)p_image->x1); +- *p_ty0 = opj_int_max((OPJ_INT32)(p_cp->ty0 + q * p_cp->tdy), (OPJ_INT32)p_image->y0); +- *p_ty1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + (q + 1) * p_cp->tdy), (OPJ_INT32)p_image->y1); ++ l_tx0 = p_cp->tx0 + p * p_cp->tdx; /* can't be greater than p_image->x1 so won't overflow */ ++ *p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0); ++ *p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), p_image->x1); ++ l_ty0 = p_cp->ty0 + q * p_cp->tdy; /* can't be greater than p_image->y1 so won't overflow */ ++ *p_ty0 = (OPJ_INT32)opj_uint_max(l_ty0, p_image->y0); ++ *p_ty1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, p_cp->tdy), p_image->y1); + + /* max precision is 0 (can only grow) */ + *p_max_prec = 0; diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2018-21010.patch openjpeg2-2.1.2/debian/patches/CVE-2018-21010.patch --- openjpeg2-2.1.2/debian/patches/CVE-2018-21010.patch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg2-2.1.2/debian/patches/CVE-2018-21010.patch 2019-10-08 15:20:27.000000000 +0200 @@ -0,0 +1,26 @@ +Description: color_apply_icc_profile: avoid potential heap buffer overflow + This patch addresses CVE-2018-21010. It differs slightly from upstream's + patch in that we avoid whitespace refactoring and complex nested ifs. +Author: Even Rouault <even.roua...@spatialys.com>, Hugo Lefeuvre <h...@debian.org> +Origin: upstream, https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c9 +--- a/src/bin/common/color.c 2019-10-08 15:26:20.349834699 +0200 ++++ b/src/bin/common/color.c 2019-10-08 15:28:25.492050700 +0200 +@@ -496,6 +496,18 @@ + + if(image->numcomps > 2)/* RGB, RGBA */ + { ++ ++ if (!(image->comps[0].w == image->comps[1].w && ++ image->comps[0].w == image->comps[2].w) || ++ !(image->comps[0].h == image->comps[1].h && ++ image->comps[0].h == image->comps[2].h)) ++ { ++ fprintf(stderr, ++ "[ERROR] Image components should have the same width and height\n"); ++ cmsDeleteTransform(transform); ++ return; ++ } ++ + if( prec <= 8 ) + { + unsigned char *inbuf, *outbuf, *in, *out; diff -Nru openjpeg2-2.1.2/debian/patches/series openjpeg2-2.1.2/debian/patches/series --- openjpeg2-2.1.2/debian/patches/series 2019-03-07 22:40:20.000000000 +0100 +++ openjpeg2-2.1.2/debian/patches/series 2019-10-08 15:20:27.000000000 +0200 @@ -15,3 +15,7 @@ CVE-2018-6616.patch CVE-2018-14423.patch CVE-2018-5785.patch + +CVE-2018-21010.patch +CVE-2018-20847.patch +CVE-2016-9112.patch
signature.asc
Description: PGP signature
