[Pkg-phototools-devel] openjpeg2 security fixes and maintenance
Hugo Lefeuvre
hle at debian.org
Mon Mar 4 13:07:07 GMT 2019
Hi Mathieu,
openjpeg2 is affected by several security issues in Buster. I have recently
worked on these vulnerabilities as part of my LTS duties and upstreamed
several fixes. I think it would be nice to have Buster patched as well so I
prepared an NMU.
You can find a debdiff in attachment (patches have been tested separately,
whole update not tested yet).
Would you mind if I added myself as uploader? I'm starting to get quite
confident with this codebase and might be able to help for future security
support.
cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
-------------- next part --------------
diff -Nru openjpeg2-2.3.0/debian/changelog openjpeg2-2.3.0/debian/changelog
--- openjpeg2-2.3.0/debian/changelog 2018-12-02 18:18:22.000000000 +0100
+++ openjpeg2-2.3.0/debian/changelog 2019-03-04 12:55:05.000000000 +0100
@@ -1,3 +1,19 @@
+openjpeg2 (2.3.0-1.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2017-17480: stack-based buffer overflow in the pgxtovolume function in
+ jp3d/convert.c (Closes: #884738).
+ * CVE-2018-14423: division-by-zero in pi_next_pcrl, pi_next_cprl, and
+ pi_next_rpcl in lib/openjp3d/pi.c (Closes: #904873).
+ * CVE-2018-18088: null pointer dereference in imagetopnm in jp2/convert.c
+ (Closes: #910763).
+ * CVE-2018-5785: integer overflow caused by an out-of-bounds left shift in the
+ opj_j2k_setup_encoder function (openjp2/j2k.c) (Closes: #888533).
+ * CVE-2018-6616: excessive iteration in the opj_t1_encode_cblks function of
+ openjp2/t1.c (Closes: #889683).
+
+ -- Hugo Lefeuvre <hle at debian.org> Mon, 04 Mar 2019 12:55:05 +0100
+
openjpeg2 (2.3.0-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2017-17480.patch openjpeg2-2.3.0/debian/patches/CVE-2017-17480.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2017-17480.patch 1970-01-01 01:00:00.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2017-17480.patch 2019-03-04 12:55:05.000000000 +0100
@@ -0,0 +1,29 @@
+Description: jp3d/jpwl convert: fix write stack buffer overflow
+ Missing buffer length formatter in fscanf call might lead to write
+ stack buffer overflow.
+Author: Hugo Lefeuvre <hle at debian.org>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/0bc90e4062a5f9258c91eca018c019b179066c62
+--- a/src/bin/jp3d/convert.c 2017-10-05 00:23:14.000000000 +0200
++++ b/src/bin/jp3d/convert.c 2019-03-04 12:58:37.362461916 +0100
+@@ -297,8 +297,8 @@
+ fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
+
+ fseek(f, 0, SEEK_SET);
+- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
+- signtmp, &prec, temp, &w, temp, &h);
++ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
++ &endian2, signtmp, &prec, temp, &w, temp, &h);
+
+ i = 0;
+ sign = '+';
+--- a/src/bin/jpwl/convert.c 2017-10-05 00:23:14.000000000 +0200
++++ b/src/bin/jpwl/convert.c 2019-03-04 12:58:37.362461916 +0100
+@@ -1348,7 +1348,7 @@
+ }
+
+ fseek(f, 0, SEEK_SET);
+- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+ fprintf(stderr,
+ "ERROR: Failed to read the right number of element from the fscanf() function!\n");
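Review bot: the jp3d change (src/bin/jp3d/convert.c) still ignores the return value of fscanf, while the jpwl change right below it checks for `!= 9`; a short or malformed PG header leaves prec, w and h stale or uninitialised, so the same `!= 9` check with an early error return should be applied to the jp3d copy as well. The `%31[` width bounds each write to 31 characters plus the terminator, which is only correct if temp and signtmp are declared with at least 32 bytes; those declarations are outside the hunk, so confirm them in the tree before upload.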
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-14423.patch openjpeg2-2.3.0/debian/patches/CVE-2018-14423.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-14423.patch 1970-01-01 01:00:00.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-14423.patch 2019-03-04 12:55:05.000000000 +0100
@@ -0,0 +1,50 @@
+Description: jp3d: avoid divisions by zero / undefined behaviour on shift
+Author: Young_X <YangX92 at hotmail.com>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/bd88611ed9ad7144ec4f3de54790cd848175891b
+--- a/src/lib/openjp3d/pi.c 2017-10-05 00:23:14.000000000 +0200
++++ b/src/lib/openjp3d/pi.c 2019-03-04 13:10:50.383000628 +0100
+@@ -223,6 +223,14 @@
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
+@@ -329,6 +337,14 @@
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
+@@ -432,6 +448,14 @@
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
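Review bot: the guard is pasted verbatim into three packet iterators (the three hunks at lines 223, 329 and 432 of pi.c); a small static inline helper, say `opj_pi_shift_ok(int v, int s)` (name hypothetical), would keep the copies from drifting apart when one of them is touched later. The round-trip test `((comp->dx << rpx) >> rpx) != comp->dx` detects overflow by first performing the left shift that may overflow, which is undefined behaviour if comp->dx is a signed int; testing `comp->dx > (INT_MAX >> rpx)` before shifting rejects the same inputs without the UB. The `rpx >= 31` test does already keep the shift count itself in range, so only the operand overflow needs the change.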
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-18088.patch openjpeg2-2.3.0/debian/patches/CVE-2018-18088.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-18088.patch 1970-01-01 01:00:00.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-18088.patch 2019-03-04 12:55:05.000000000 +0100
@@ -0,0 +1,24 @@
+Description: jp2: convert: fix null pointer dereference
+ Tile components in a JP2 image might have null data pointer by defining a
+ zero component size (for example using large horizontal or vertical
+ sampling periods). This null data pointer leads to null image component
+ data pointer, causing crash when dereferenced without != null check in
+ imagetopnm.
+ .
+ Add != null check.
+Author: Hugo Lefeuvre <hle at debian.org>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/cab352e249ed3372dd9355c85e837613fff98fa2
+--- a/src/bin/jp2/convert.c 2017-10-05 00:23:14.000000000 +0200
++++ b/src/bin/jp2/convert.c 2019-03-04 13:17:42.184753185 +0100
+@@ -2210,6 +2210,11 @@
+ opj_version(), wr, hr, max);
+
+ red = image->comps[compno].data;
++ if (!red) {
++ fclose(fdest);
++ continue;
++ }
++
+ adjustR =
+ (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
+
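Review bot: the new `!red` check runs after the PNM header has already been written to fdest (the fprintf with opj_version(), wr, hr, max just above it), so a component with no data now leaves behind a truncated output file that contains only a header; move the check ahead of the header write, or unlink the file before `continue`. The check covers only the per-component loop visible here; confirm that every other place in imagetopnm that reads `image->comps[i].data` gets the same guard, since a zero-sized component can occur for any component index.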
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-5785.patch openjpeg2-2.3.0/debian/patches/CVE-2018-5785.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-5785.patch 1970-01-01 01:00:00.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-5785.patch 2019-03-04 12:55:05.000000000 +0100
@@ -0,0 +1,69 @@
+Description: convertbmp: fix issues with zero bitmasks
+ In the case where a BMP file declares compression 3 (BI_BITFIELDS)
+ with header size <= 56, all bitmask values keep their initialization
+ value 0. This may lead to various undefined behavior later e.g. when
+ doing 1 << (l_comp->prec - 1).
+ .
+ This issue does not affect files with bit count 16 because of a check
+ added in 16240e2 which sets default values to the color masks if they
+ are all 0.
+ .
+ This commit adds similar checks for the 32 bit case.
+ .
+ Also, if a BMP file declares compression 3 with header size >= 56 and
+ intentional 0 bitmasks, the same issue will be triggered in both the
+ 16 and 32 bit count case.
+ .
+ This commit adds checks to bmp_read_info_header() rejecting BMP files
+ with "intentional" 0 bitmasks. These checks might be removed in the
+ future when proper handling of zero bitmasks will be available in
+ openjpeg2.
+Author: Hugo Lefeuvre <hle at debian.org>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/ca16fe55014c57090dd97369256c7657aeb25975
+--- a/src/bin/jp2/convertbmp.c 2017-10-05 00:23:14.000000000 +0200
++++ b/src/bin/jp2/convertbmp.c 2019-03-04 13:21:18.182489081 +0100
+@@ -435,16 +435,31 @@
+ header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biRedMask) {
++ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
++ return OPJ_FALSE;
++ }
++
+ header->biGreenMask = (OPJ_UINT32)getc(IN);
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biGreenMask) {
++ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
++ return OPJ_FALSE;
++ }
++
+ header->biBlueMask = (OPJ_UINT32)getc(IN);
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biBlueMask) {
++ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
++ return OPJ_FALSE;
++ }
++
+ header->biAlphaMask = (OPJ_UINT32)getc(IN);
+ header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
+@@ -831,6 +846,12 @@
+ bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
+ 0x00000000U);
+ } else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
++ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
++ (Info_h.biBlueMask == 0U)) {
++ Info_h.biRedMask = 0x00FF0000U;
++ Info_h.biGreenMask = 0x0000FF00U;
++ Info_h.biBlueMask = 0x000000FFU;
++ }
+ bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
+ Info_h.biBlueMask, Info_h.biAlphaMask);
+ } else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
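Review bot: the three new error messages pass an OPJ_UINT32 to `%d`; the value is known to be zero at that point, so either drop it from the message or use `%u` to avoid a format warning. The first hunk rejects any zero red, green or blue mask while parsing the header, whereas the second hunk silently substitutes defaults when all three masks are zero in the 32-bit path; the description explains why both exist (headers <= 56 bytes never reach the mask reads), but a one-line comment at the second hunk would save the next reader from wondering which behaviour wins. Leaving the alpha mask unchecked is consistent with the `0x00000000U` alpha passed in the branch just above.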
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-6616.patch openjpeg2-2.3.0/debian/patches/CVE-2018-6616.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-6616.patch 1970-01-01 01:00:00.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-6616.patch 2019-03-04 12:55:05.000000000 +0100
@@ -0,0 +1,59 @@
+Description: convertbmp: detect invalid file dimensions early
+ width/length dimensions read from bmp headers are not necessarily
+ valid. For instance they may have been maliciously set to very large
+ values with the intention to cause DoS (large memory allocation, stack
+ overflow). In these cases we want to detect the invalid size as early
+ as possible.
+ .
+ This commit introduces a counter which verifies that the number of
+ written bytes corresponds to the advertized width/length.
+Author: Hugo Lefeuvre <hle at debian.org>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3
+--- a/src/bin/jp2/convertbmp.c 2019-03-04 13:28:27.107134602 +0100
++++ b/src/bin/jp2/convertbmp.c 2019-03-04 13:29:15.778697169 +0100
+@@ -534,14 +534,14 @@
+ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+ {
+- OPJ_UINT32 x, y;
++ OPJ_UINT32 x, y, written;
+ OPJ_UINT8 *pix;
+ const OPJ_UINT8 *beyond;
+
+ beyond = pData + stride * height;
+ pix = pData;
+
+- x = y = 0U;
++ x = y = written = 0U;
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+@@ -561,6 +561,7 @@
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ *pix = c1;
++ written++;
+ }
+ } else {
+ c = getc(IN);
+@@ -598,6 +599,7 @@
+ }
+ c1 = (OPJ_UINT8)c1_int;
+ *pix = c1;
++ written++;
+ }
+ if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
+ c = getc(IN);
+@@ -608,6 +610,12 @@
+ }
+ }
+ }/* while() */
++
++ if (written != width * height) {
++ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
++ return OPJ_FALSE;
++ }
++
+ return OPJ_TRUE;
+ }
+
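Review bot: `written != width * height` is a strict equality, so any RLE8 stream that legitimately leaves pixels untouched (the hunk shows only the two writing paths; an escape code that moves the cursor without writing would do this) now fails to decode, so confirm no valid encoding skips pixels before shipping this. The product `width * height` is computed in OPJ_UINT32 and can wrap for exactly the oversized dimensions this patch is meant to catch; compute it in OPJ_SIZE_T or compare `written` against the buffer extent `beyond - pData` instead. The message says "warning" while the function returns OPJ_FALSE and aborts the conversion; label it as an error for consistency with the other `fprintf(stderr, "Error, ...")` messages in this file.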
diff -Nru openjpeg2-2.3.0/debian/patches/series openjpeg2-2.3.0/debian/patches/series
--- openjpeg2-2.3.0/debian/patches/series 2018-12-02 18:17:30.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/series 2019-03-04 12:55:05.000000000 +0100
@@ -1,2 +1,7 @@
multiarch_path.patch
java9.patch
+CVE-2017-17480.patch
+CVE-2018-14423.patch
+CVE-2018-18088.patch
+CVE-2018-5785.patch
+CVE-2018-6616.patch