Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear release managers,

As discussed in #939553[0], no DSA will be issued by the security team for
CVE-2018-21010 and this vulnerability can be fixed via -pu. The attached
debdiff addresses this issue, along with CVE-2018-20847.

This is almost the same debdiff as #942024[1] (for stretch-pu).

thanks!

cheers,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942024

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru openjpeg2-2.3.0/debian/changelog openjpeg2-2.3.0/debian/changelog
--- openjpeg2-2.3.0/debian/changelog    2019-03-10 18:34:51.000000000 +0100
+++ openjpeg2-2.3.0/debian/changelog    2019-10-17 14:48:09.000000000 +0200
@@ -1,3 +1,14 @@
+openjpeg2 (2.3.0-2+deb10u1) buster; urgency=high
+
+  * Backport security fixes:
+  * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile
+    (Closes: #939553).
+  * CVE-2018-20847: improper computation of values in the function
+    opj_get_encoding_parameters, leading to an integer overflow
+    (Closes: #931294).
+
+ -- Hugo Lefeuvre <h...@debian.org>  Thu, 17 Oct 2019 14:48:09 +0200
+
 openjpeg2 (2.3.0-2) unstable; urgency=high
 
   [ Hugo Lefeuvre ]
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 
openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 1970-01-01 
01:00:00.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 2019-10-17 
14:43:51.000000000 +0200
@@ -0,0 +1,40 @@
+Description: fix integer overflow in opj_get_encoding_parameters
+ This bug is known at three places in the source code:
+ opj_get_all_encoding_parameters() and opj_tcd_init_tile() in pi.c and tcd.c
+ (both fixed _before_ the release of 2.1.2), and opj_get_encoding_parameters()
+ in pi.c. This patch addresses the issue in opj_get_encoding_parameters().
+Author: Young_X <yang...@hotmail.com>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/c58df149900df862
+--- a/src/lib/openjp2/pi.c     2019-10-17 14:41:15.997977749 +0200
++++ b/src/lib/openjp2/pi.c     2019-10-17 14:43:46.276679721 +0200
+@@ -748,6 +748,9 @@
+     /* position in x and y of tile */
+     OPJ_UINT32 p, q;
+ 
++    /* non-corrected (in regard to image offset) tile offset */
++    OPJ_UINT32 l_tx0, l_ty0;
++
+     /* preconditions */
+     assert(p_cp != 00);
+     assert(p_image != 00);
+@@ -763,14 +766,12 @@
+     q = p_tileno / p_cp->tw;
+ 
+     /* find extent of tile */
+-    *p_tx0 = opj_int_max((OPJ_INT32)(p_cp->tx0 + p * p_cp->tdx),
+-                         (OPJ_INT32)p_image->x0);
+-    *p_tx1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx),
+-                         (OPJ_INT32)p_image->x1);
+-    *p_ty0 = opj_int_max((OPJ_INT32)(p_cp->ty0 + q * p_cp->tdy),
+-                         (OPJ_INT32)p_image->y0);
+-    *p_ty1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + (q + 1) * p_cp->tdy),
+-                         (OPJ_INT32)p_image->y1);
++    l_tx0 = p_cp->tx0 + p * p_cp->tdx; /* can't be greater than p_image->x1 
so won't overflow */
++    *p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0);
++    *p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), 
p_image->x1);
++    l_ty0 = p_cp->ty0 + q * p_cp->tdy; /* can't be greater than p_image->y1 
so won't overflow */
++    *p_ty0 = (OPJ_INT32)opj_uint_max(l_ty0, p_image->y0);
++    *p_ty1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, p_cp->tdy), 
p_image->y1);
+ 
+     /* max precision is 0 (can only grow) */
+     *p_max_prec = 0;
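Review bot: the rewritten extent computation still casts unsigned results into signed outputs on the `*p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0);` and `*p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), p_image->x1);` lines (and their y counterparts), so a value above INT32_MAX, including a saturated result from opj_uint_adds, would still be stored as a negative tile coordinate; the hunk removes the signed multiplication/addition overflow but does not itself bound the inputs, and the two "can't be greater than p_image->x1 so won't overflow" comments record an invariant established elsewhere rather than one checked here, which is worth stating in the DEP-3 Description. Please also confirm that opj_uint_adds, opj_uint_max and opj_uint_min are available in the 2.3.0 tree this patch is applied to, since the hunk introduces calls to them without adding any definition.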
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 
openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 1970-01-01 
01:00:00.000000000 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 2019-10-17 
14:34:45.000000000 +0200
@@ -0,0 +1,26 @@
+Description: color_apply_icc_profile: avoid potential heap buffer overflow 
+ This patch addresses CVE-2018-21010. It differs slightly from upstream's
+ patch in that we avoid whitespace refactoring and complex nested ifs.
+Author: Even Rouault <even.roua...@spatialys.com>, Hugo Lefeuvre 
<h...@debian.org>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c9
+--- a/src/bin/common/color.c   2019-10-17 14:33:21.021771909 +0200
++++ b/src/bin/common/color.c   2019-10-17 14:34:39.397137223 +0200
+@@ -597,6 +597,18 @@
+     }
+ 
+     if (image->numcomps > 2) { /* RGB, RGBA */
++
++      if (!(image->comps[0].w == image->comps[1].w &&
++            image->comps[0].w == image->comps[2].w) ||
++          !(image->comps[0].h == image->comps[1].h &&
++            image->comps[0].h == image->comps[2].h))
++      {
++              fprintf(stderr,
++              "[ERROR] Image components should have the same width and 
height\n");
++              cmsDeleteTransform(transform);
++              return;
++      }
++
+         if (prec <= 8) {
+             unsigned char *inbuf, *outbuf, *in, *out;
+ 
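Review bot: the new guard compares only comps[0] against comps[1] and comps[2] even though the branch comment reads "RGB, RGBA"; if the code following this hunk ever reads comps[3] using the dimensions of comps[0], the alpha plane remains unvalidated, so please confirm it is not touched in this path or extend the condition to cover it. On the error path, cmsDeleteTransform(transform) followed by return is the right cleanup for the transform, but check that no other resource opened earlier in color_apply_icc_profile is still live at that point. Style: the inserted block is indented with six spaces and the fprintf/cmsDeleteTransform/return lines with a deeper, differently sized indent, while the surrounding code (`if (prec <= 8) {`) uses eight spaces; reindenting to match the file keeps the patch readable when it is refreshed.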
diff -Nru openjpeg2-2.3.0/debian/patches/series 
openjpeg2-2.3.0/debian/patches/series
--- openjpeg2-2.3.0/debian/patches/series       2019-03-10 18:31:30.000000000 
+0100
+++ openjpeg2-2.3.0/debian/patches/series       2019-10-17 14:41:01.000000000 
+0200
@@ -5,3 +5,5 @@
 CVE-2018-18088.patch
 CVE-2018-5785.patch
 CVE-2018-6616.patch
+CVE-2018-21010.patch
+CVE-2018-20847.patch
