aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2017-09-10 22:00:35 +0300
committerEfraim Flashner <efraim@flashner.co.il>2017-09-10 22:00:35 +0300
commit338b58e0ea880f7cccbe43de21eccbf1440ac6af (patch)
treedadb43fad7b8c94519f1953901d5b8056f770556
parent224bb4b6f9fa7c14fbbaac682ec0b5d1a48c616d (diff)
downloadpatches-338b58e0ea880f7cccbe43de21eccbf1440ac6af.tar
patches-338b58e0ea880f7cccbe43de21eccbf1440ac6af.tar.gz
gnu: openjpeg: Fix CVE-2017-14164.
* gnu/packages/image.scm (openjpeg)[source]: Add patch. * gnu/packages/patches/openjpeg-CVE-2017-14164.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/image.scm3
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14164.patch89
3 files changed, 92 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 43eac7717a..c92b93dbd2 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -895,6 +895,7 @@ dist_patch_DATA = \
%D%/packages/patches/openjpeg-CVE-2017-14041.patch \
%D%/packages/patches/openjpeg-CVE-2017-14151.patch \
%D%/packages/patches/openjpeg-CVE-2017-14152.patch \
+ %D%/packages/patches/openjpeg-CVE-2017-14164.patch \
%D%/packages/patches/openldap-CVE-2017-9287.patch \
%D%/packages/patches/openocd-nrf52.patch \
%D%/packages/patches/openssl-runpath.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 3bb8de15c4..d45f08d9df 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -524,7 +524,8 @@ work.")
"openjpeg-CVE-2017-14040.patch"
"openjpeg-CVE-2017-14041.patch"
"openjpeg-CVE-2017-14151.patch"
- "openjpeg-CVE-2017-14152.patch"))))
+ "openjpeg-CVE-2017-14152.patch"
+ "openjpeg-CVE-2017-14164.patch"))))
(build-system cmake-build-system)
(arguments
;; Trying to run `$ make check' results in a no rule fault.
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14164.patch b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
new file mode 100644
index 0000000000..2bfc5a6a85
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
@@ -0,0 +1,89 @@
+https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
+http://openwall.com/lists/oss-security/2017/09/06/3
+
+From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 16 Aug 2017 17:09:10 +0200
+Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
+ (#991)
+
+---
+ src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 54b490a8c..16915452e 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+ * Writes the SOT marker (Start of tile-part)
+ *
+ * @param p_j2k J2K codec.
+- * @param p_data FIXME DOC
+- * @param p_data_written FIXME DOC
++ * @param p_data Output buffer
++ * @param p_total_data_size Output buffer size
++ * @param p_data_written Number of bytes written into stream
+ * @param p_stream the stream to write data to.
+ * @param p_manager the user event manager.
+ */
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_BYTE * p_data,
++ OPJ_UINT32 p_total_data_size,
+ OPJ_UINT32 * p_data_written,
+ const opj_stream_private_t *p_stream,
+ opj_event_mgr_t * p_manager);
+@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_BYTE * p_data,
++ OPJ_UINT32 p_total_data_size,
+ OPJ_UINT32 * p_data_written,
+ const opj_stream_private_t *p_stream,
+ opj_event_mgr_t * p_manager
+@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_UNUSED(p_stream);
+ OPJ_UNUSED(p_manager);
+
++ if (p_total_data_size < 12) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough bytes in output buffer to write SOT marker\n");
++ return OPJ_FALSE;
++ }
++
+ opj_write_bytes(p_data, J2K_MS_SOT,
+ 2); /* SOT */
+ p_data += 2;
+@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
+
+ l_current_nb_bytes_written = 0;
+ l_begin_data = p_data;
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
++ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }
+@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+ l_part_tile_size = 0;
+ l_begin_data = p_data;
+
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data,
++ p_total_data_size,
++ &l_current_nb_bytes_written,
++ p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }
+@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+ l_part_tile_size = 0;
+ l_begin_data = p_data;
+
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data,
++ p_total_data_size,
++ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }