[opensource-dev] openjpeg 1.4 lib used with second life - CVE

2014-03-20 Thread Phil Wyett
Hi all,

SL uses the openjpeg library 1.4. This is quite an aged release. Has the
version bundled with SL been fixed, or an update arranged, for the known CVEs
against it?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3358

Regards

Phil Wyett



___
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/OpenSource-Dev
Please read the policies before posting to keep unmoderated posting privileges

Re: [opensource-dev] openjpeg 1.4 lib used with second life - CVE

2014-03-21 Thread Henri Beauchamp
On Thu, 20 Mar 2014 21:55:31 +, Phil Wyett wrote:

> Hi all,
> 
> SL uses the openjpeg library 1.4. This is quite an aged release.

Yes, but newer versions plain fail to decode images in SL... See below.

> Has the version bundled with SL been fixed, or an update arranged, for the
> known CVEs against it?
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3535
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3358

That's an interesting question... And the reply is no!

I therefore tried to apply the various patches I found in Linux distro
repositories for the packages they provide for libopenjpeg v1.4. I found
three patches: CVE-2009-5030, CVE-2012-3535 and CVE-2012-3358.

While the fixes for CVE-2009-5030 and CVE-2012-3535 don't pose an issue
once applied, CVE-2012-3358 definitely breaks image decoding in SL: it's
probably the reason why all newer/"fixed" versions of libopenjpeg fail
to work with the viewer!

The culprit code is the added check done on "totlen" in j2k_read_sot()
when USE_JPWL is disabled (which is the case for the viewer): totlen
*does* get larger than the actual total length when decoding at non-zero
discard levels !!!

You will find the working patches attached (untouched CVE-2009-5030 and
CVE-2012-3535 patches and fixed CVE-2012-3358 patch).

Note that more fixes went into the OpenJPEG library used by most TPVs
(I fixed gcc v4.5+ warnings in mine, for example) the latter now
including the library sources into their source tree (in
indra/libopenjpeg) rather than using LL's pre-compiled library...

Regards,

Henri.


Attachments:
OpenJPEG_v1_3-CVE-2009-5030.diff
OpenJPEG_v1_3-CVE-2012-3358-fixed.diff
OpenJPEG_v1_3-CVE-2012-3535.patch