On Fri, Sep 09, 2016 at 02:04:40AM -0400, Leo Famulari wrote: > * gnu/packages/patches/openjpeg-CVE-2016-7163.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/image.scm (openjpeg, openjpeg-2.0): Use it. > --- > gnu/local.mk | 1 + > gnu/packages/image.scm | 6 +- > gnu/packages/patches/openjpeg-CVE-2016-7163.patch | 71 > +++++++++++++++++++++++ > 3 files changed, 76 insertions(+), 2 deletions(-) > create mode 100644 gnu/packages/patches/openjpeg-CVE-2016-7163.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index 8b042d5..668c9b2 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -702,6 +702,7 @@ dist_patch_DATA = > \ > %D%/packages/patches/ocaml-findlib-make-install.patch \ > %D%/packages/patches/openexr-missing-samples.patch \ > %D%/packages/patches/openjpeg-CVE-2015-6581.patch \ > + %D%/packages/patches/openjpeg-CVE-2016-7163.patch \ > %D%/packages/patches/openjpeg-use-after-free-fix.patch \ > %D%/packages/patches/openssl-runpath.patch \ > %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ > diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm > index a65bf39..64bc05d 100644 > --- a/gnu/packages/image.scm > +++ b/gnu/packages/image.scm > @@ -387,7 +387,8 @@ work.") > (sha256 > (base32 "00zzm303zvv4ijzancrsb1cqbph3pgz0nky92k9qx3fq9y0vnchj")) > (patches (search-patches "openjpeg-use-after-free-fix.patch" > - "openjpeg-CVE-2015-6581.patch")))) > + "openjpeg-CVE-2015-6581.patch" > + "openjpeg-CVE-2016-7163.patch")))) > (build-system cmake-build-system) > (arguments > ;; Trying to run `$ make check' results in a no rule fault. > @@ -424,7 +425,8 @@ error-resilience, a Java-viewer for j2k-images, ...") > (sha256 > (base32 "1c2xc3nl2mg511b63rk7hrckmy14681p1m44mzw3n1fyqnjm0b0z")) > (patches (search-patches "openjpeg-use-after-free-fix.patch" > - "openjpeg-CVE-2015-6581.patch")))))) > + "openjpeg-CVE-2015-6581.patch" > + "openjpeg-CVE-2016-7163.patch")))))) > > (define-public openjpeg-1 > (package (inherit openjpeg) 
> diff --git a/gnu/packages/patches/openjpeg-CVE-2016-7163.patch > b/gnu/packages/patches/openjpeg-CVE-2016-7163.patch > new file mode 100644 > index 0000000..68cf7b9 > --- /dev/null > +++ b/gnu/packages/patches/openjpeg-CVE-2016-7163.patch 
> @@ -0,0 +1,71 @@ > +Fix CVE-2016-7613 (Integer overflow in opj_pi_create_decode allowing > execution > +of arbitrary code): > + > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163 > +https://github.com/uclouvain/openjpeg/issues/826 > +http://seclists.org/oss-sec/2016/q3/442 > + > +Copied from upstream repository: > + > +https://github.com/uclouvain/openjpeg/commit/c16bc057ba3f125051c9966cf1f5b68a05681de4 > +https://github.com/uclouvain/openjpeg/commit/ef01f18dfc6780b776d0674ed3e7415c6ef54d24 > + > +From ef01f18dfc6780b776d0674ed3e7415c6ef54d24 Mon Sep 17 00:00:00 2001 > +From: Matthieu Darbois <may...@users.noreply.github.com> > +Date: Thu, 8 Sep 2016 07:34:46 +0200 > +Subject: [PATCH] Cast to size_t before multiplication > + > +Prevent an integer overflow issue in function opj_pi_create_decode of > +pi.c. > +--- > + src/lib/openjp2/pi.c | 8 +++++++- > + 1 file changed, 7 insertions(+), 1 deletion(-) > + > +diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c > +index cffad66..36e2ff0 100644 > +--- a/src/lib/openjp2/pi.c > ++++ b/src/lib/openjp2/pi.c > +@@ -1237,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t > *p_image, > + l_current_pi = l_pi; > + > + /* memory allocation for include */ > +- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * > l_step_l, sizeof(OPJ_INT16)); > ++ /* prevent an integer overflow issue */ > ++ l_current_pi->include = 00; > ++ if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U))) > ++ { > ++ l_current_pi->include = (OPJ_INT16*) > opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); > ++ } > ++ > + if > + (!l_current_pi->include) > + { > +-- > +2.10.0 > + > +Need to cast to size_t before multiplication otherwise overflow check is > useless. 
> +--- > + src/lib/openjp2/pi.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c > +index 36e2ff0..809b33d 100644 > +--- a/src/lib/openjp2/pi.c > ++++ b/src/lib/openjp2/pi.c > +@@ -1241,7 +1241,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t > *p_image, > + l_current_pi->include = 00; > + if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U))) > + { > +- l_current_pi->include = (OPJ_INT16*) > opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); > ++ l_current_pi->include = (OPJ_INT16*) > opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16)); > + } > + > + if > +-- > +2.10.0 > +
Was from here down put/left here intentionally? It looks out of place > +From c16bc057ba3f125051c9966cf1f5b68a05681de4 Mon Sep 17 00:00:00 2001 > +From: trylab <try...@users.noreply.github.com> > +Date: Tue, 6 Sep 2016 13:55:49 +0800 > +Subject: [PATCH] Fix an integer overflow issue (#809) > + > -- > 2.10.0 > > -- Efraim Flashner <efr...@flashner.co.il> אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted
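Review bot: The opening line of the new patch file names the wrong advisory: `Fix CVE-2016-7613 (Integer overflow in opj_pi_create_decode allowing execution of arbitrary code):` should read `Fix CVE-2016-7163 (...)`, matching the file name openjpeg-CVE-2016-7163.patch, the cve.mitre.org link a few lines below, and the new search-patches entries in image.scm. As written, a search of the tree for CVE-2016-7163 finds the package definitions but not the patch's own description, and the transposed number points at an unrelated identifier. Separately, in the patched pi.c lines the guard divides by `l_tcp->numlayers + 1U`; if numlayers could ever reach UINT32_MAX the sum wraps to zero and the division is undefined, so it is presumably bounded earlier by the decoder, which is worth confirming against upstream rather than assumed. The enclosing function opj_pi_create_decode starts and ends outside the quoted hunks.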