On Thu, 20 Mar 2014 21:55:31 +0000, Phil Wyett wrote:
> Hi all,
>
> SL uses the openjpeg library 1.4. This is quite an aged release.

Yes, but newer versions plain fail to decode images in SL... See below.

> Has the version bundled with SL been fixed or update arranged for the
> known CVE against it?
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3535
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3358

That's an interesting question... And the reply is no!

I therefore tried to apply the various patches I found in Linux distro repositories for the packages they provide for libopenjpeg v1.4. I found three patches: CVE-2009-5030, CVE-2012-3535 and CVE-2012-3358.

While the fixes for CVE-2009-5030 and CVE-2012-3535 don't pose an issue once applied, CVE-2012-3358 definitely breaks image decoding in SL: it's probably the reason why all newer/"fixed" versions of libopenjpeg fail to work with the viewer!

The culprit code is the added check done on "totlen" in j2k_read_sot() when USE_JPWL is disabled (which is the case for the viewer): totlen *does* get larger than the actual total length when decoding at non-zero discard levels!!!

You will find the working patches attached (untouched CVE-2009-5030 and CVE-2012-3535 patches and fixed CVE-2012-3358 patch).

Note that more fixes went into the OpenJPEG library used by most TPVs (I fixed gcc v4.5+ warnings in mine, for example), the latter now including the library sources into their source tree (in indra/libopenjpeg) rather than using LL's pre-compiled library...

Regards,

Henri.
Attachments:
OpenJPEG_v1_3-CVE-2009-5030.diff
OpenJPEG_v1_3-CVE-2012-3358-fixed.diff
OpenJPEG_v1_3-CVE-2012-3535.patch
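An added illustration of the kind of check Henri is describing (my own C, not OpenJPEG's j2k_read_sot() and not his patch): it parses a constructed SOT marker segment and rejects a tile-part whose Psot claims more bytes than the buffer actually holds, the same condition the message says a stream decoded at a non-zero discard level can present. The names check_sot/demo_check and the sample bytes are mine, not from the list or the library.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fields of a JPEG 2000 SOT (start of tile-part) marker segment. */
struct sot {
    uint16_t lsot;   /* segment length, always 10 */
    uint16_t isot;   /* tile index */
    uint32_t psot;   /* tile-part length counted from the SOT marker; 0 = up to EOC */
    uint8_t  tpsot;  /* tile-part index */
    uint8_t  tnsot;  /* number of tile-parts; 0 = not known */
};

enum { SOT_OK = 0, SOT_SHORT = -1, SOT_BAD_MARKER = -2, SOT_BAD_LSOT = -3, SOT_PSOT_TOO_LONG = -4 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Parse the SOT segment at buf[0..len) and apply the strict length check:
 * a Psot larger than the bytes available would let a decoder read past the
 * end of its buffer, so it is refused. A truncated stream trips the same test. */
int check_sot(const uint8_t *buf, size_t len, struct sot *out)
{
    if (len < 12) return SOT_SHORT;                    /* marker(2) + Lsot..TNsot(10) */
    if (buf[0] != 0xFF || buf[1] != 0x90) return SOT_BAD_MARKER;
    out->lsot = be16(buf + 2);
    if (out->lsot != 10) return SOT_BAD_LSOT;
    out->isot  = be16(buf + 4);
    out->psot  = be32(buf + 6);
    out->tpsot = buf[10];
    out->tnsot = buf[11];
    if (out->psot == 0) out->psot = (uint32_t)len;     /* "until EOC": take what is left */
    if (out->psot > len) return SOT_PSOT_TOO_LONG;
    return SOT_OK;
}

/* Constructed sample: tile 0, one tile-part, Psot = 40 bytes. */
static const uint8_t SOT_DEMO[12] = {0xFF,0x90, 0x00,0x0A, 0x00,0x00, 0x00,0x00,0x00,0x28, 0x00,0x01};

/* Run check_sot() on the sample with only `avail` bytes of the 40 present. */
int demo_check(size_t avail)
{
    uint8_t buf[40]; struct sot s;
    memset(buf, 0, sizeof buf); memcpy(buf, SOT_DEMO, sizeof SOT_DEMO);
    return check_sot(buf, avail < sizeof buf ? avail : sizeof buf, &s);
}

int main(void) { printf("full=%d truncated=%d\n", demo_check(40), demo_check(24)); return 0; }
```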
_______________________________________________ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges