From 2638508ca18719c11e0563dd9863839ac9b24e26 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 9 Nov 2021 04:49:55 -0500
Subject: [PATCH] import jasper-2.0.14-5.el8
---
 SOURCES/jasper-2.0.14-CVE-2020-27828.patch | 14 +++++++
 SOURCES/jasper-2.0.14-CVE-2021-26927.patch | 47 ++++++++++++++++++++++
 SOURCES/jasper-2.0.14-CVE-2021-3272.patch | 18 +++++++++
 SPECS/jasper.spec | 15 ++++++-
 4 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/jasper-2.0.14-CVE-2020-27828.patch
 create mode 100644 SOURCES/jasper-2.0.14-CVE-2021-26927.patch
 create mode 100644 SOURCES/jasper-2.0.14-CVE-2021-3272.patch
diff --git a/SOURCES/jasper-2.0.14-CVE-2020-27828.patch b/SOURCES/jasper-2.0.14-CVE-2020-27828.patch
new file mode 100644
index 0000000..5a3677c
--- /dev/null
+++ b/SOURCES/jasper-2.0.14-CVE-2020-27828.patch
@@ -0,0 +1,14 @@
+diff -urNp a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
+--- a/src/libjasper/jpc/jpc_enc.c 2021-06-01 14:07:34.988061153 +0200
++++ b/src/libjasper/jpc/jpc_enc.c 2021-06-01 14:08:32.100584582 +0200
+@@ -508,6 +508,10 @@ static jpc_enc_cp_t *cp_create(const cha
+ break;
+ case OPT_MAXRLVLS:
+ tccp->maxrlvls = atoi(jas_tvparser_getval(tvp));
++ if(tccp->maxrlvls > JPC_MAXRLVLS) {
++ jas_eprintf("invalid number of resolution levels upper than %d\n",JPC_MAXRLVLS);
++ goto error;
++ }
+ break;
+ case OPT_SOP:
+ cp->tcp.csty |= JPC_COD_SOP;
diff --git a/SOURCES/jasper-2.0.14-CVE-2021-26927.patch b/SOURCES/jasper-2.0.14-CVE-2021-26927.patch
new file mode 100644
index 0000000..aeebae1
--- /dev/null
+++ b/SOURCES/jasper-2.0.14-CVE-2021-26927.patch
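Review bot: In the jpc_enc.c patch (CVE-2020-27828), the guard added after `tccp->maxrlvls = atoi(jas_tvparser_getval(tvp));` rejects only values above JPC_MAXRLVLS, and atoi() cannot report a non-numeric or out-of-range option string. Whether zero or a negative number is still accepted depends on the field's type and on checks in the part of cp_create that lies outside this hunk, so the lower bound should be confirmed there or stated here, e.g. `if (tccp->maxrlvls < 1 || tccp->maxrlvls > JPC_MAXRLVLS) {`. The message would also read more clearly as `"number of resolution levels must not exceed %d\n"`.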
@@ -0,0 +1,47 @@
+diff -urNp a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
+--- a/src/libjasper/jp2/jp2_dec.c 2021-06-01 13:32:59.330396797 +0200
++++ b/src/libjasper/jp2/jp2_dec.c 2021-06-01 13:46:16.982925961 +0200
+@@ -230,7 +230,8 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ the value specified in the code stream? */
+ if (dec->ihdr->data.ihdr.numcmpts != JAS_CAST(jas_uint,
+ jas_image_numcmpts(dec->image))) {
+- jas_eprintf("warning: number of components mismatch\n");
++ jas_eprintf("error: number of components mismatch (IHDR)\n");
++ goto error;
+ }
+
+ /* At least one component must be present. */
+@@ -253,7 +254,8 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ with the data in the code stream? */
+ if ((samedtype && dec->ihdr->data.ihdr.bpc != JP2_DTYPETOBPC(dtype)) ||
+ (!samedtype && dec->ihdr->data.ihdr.bpc != JP2_IHDR_BPCNULL)) {
+- jas_eprintf("warning: component data type mismatch\n");
++ jas_eprintf("error: component data type mismatch (IHDR)\n");
++ goto error;
+ }
+
+ /* Is the compression type supported? */
+@@ -265,9 +267,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ if (dec->bpcc) {
+ /* Is the number of components indicated in the BPCC box
+ consistent with the code stream data? */
+- if (dec->bpcc->data.bpcc.numcmpts != JAS_CAST(jas_uint, jas_image_numcmpts(
+- dec->image))) {
+- jas_eprintf("warning: number of components mismatch\n");
++ if (dec->bpcc->data.bpcc.numcmpts !=
++ JAS_CAST(jas_uint, jas_image_numcmpts(dec->image))) {
++ jas_eprintf("error: number of components mismatch (BPCC)\n");
++ goto error;
+ }
+ /* Is the component data type information indicated in the BPCC
+ box consistent with the code stream data? */
+@@ -276,7 +279,8 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ ++i) {
+ if (jas_image_cmptdtype(dec->image, i) !=
+ JP2_BPCTODTYPE(dec->bpcc->data.bpcc.bpcs[i])) {
+- jas_eprintf("warning: component data type mismatch\n");
++ jas_eprintf("error: component data type mismatch (BPCC)\n");
++ goto error;
+ }
+ }
+ } else {
diff --git a/SOURCES/jasper-2.0.14-CVE-2021-3272.patch b/SOURCES/jasper-2.0.14-CVE-2021-3272.patch
new file mode 100644
index 0000000..c239ad5
--- /dev/null
+++ b/SOURCES/jasper-2.0.14-CVE-2021-3272.patch
@@ -0,0 +1,18 @@
+diff -urNp a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
+--- a/src/libjasper/jp2/jp2_dec.c 2021-06-01 13:50:54.213552191 +0200
++++ b/src/libjasper/jp2/jp2_dec.c 2021-06-01 14:02:40.016274587 +0200
+@@ -396,6 +396,14 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ }
+ }
+
++ /* Ensure that the number of channels being used by the decoder
++ matches the number of image components. */
++ if (dec->numchans != jas_image_numcmpts(dec->image)) {
++ jas_eprintf("error: mismatch in number of components (%d != %d)\n",
++ dec->numchans, jas_image_numcmpts(dec->image));
++ goto error;
++ }
++
+ /* Mark all components as being of unknown type. */
+
+ for (i = 0; i < JAS_CAST(jas_uint, jas_image_numcmpts(dec->image)); ++i) {
diff --git a/SPECS/jasper.spec b/SPECS/jasper.spec
index 3dc31bf..5b1b653 100644
--- a/SPECS/jasper.spec
+++ b/SPECS/jasper.spec
@@ -6,7 +6,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1
 Name: jasper
 Version: 2.0.14
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: JasPer
 URL: http://www.ece.uvic.ca/~frodo/jasper/
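Review bot: The four `goto error` exits added to jp2_decode by the CVE-2021-26927 patch carry no comment saying why an IHDR/BPCC disagreement with the code stream is now fatal rather than a warning. A short comment at the first of them would keep a later maintainer from relaxing it again, for example `/* Header boxes and code stream disagree: refuse to decode instead of continuing with inconsistent component data. */`. The `error:` label and its cleanup lie outside these hunks, so it should be confirmed there that whatever has been allocated by each of the four exit points is released on that path.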
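Review bot: The check added by the CVE-2021-3272 patch compares `dec->numchans` with `jas_image_numcmpts(dec->image)` directly and prints both with `%d`, whereas the neighbouring code in jp2_decode, including the `for` loop just below it, wraps the same call in `JAS_CAST(jas_uint, ...)`. The declaration of `numchans` is not visible here; if it is an unsigned or wider-than-int type, the comparison mixes signedness and the `%d` arguments do not match their types. Writing the test as `if (dec->numchans != JAS_CAST(jas_uint, jas_image_numcmpts(dec->image))) {` and casting the jas_eprintf arguments, e.g. `JAS_CAST(int, dec->numchans)`, would make both explicit.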
@@ -14,6 +14,10 @@ Source0: http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}.tar.gz
 Patch1: jasper-2.0.14-CVE-2016-9396.patch
+Patch2: jasper-2.0.14-CVE-2021-26927.patch
+Patch3: jasper-2.0.14-CVE-2021-3272.patch
+Patch4: jasper-2.0.14-CVE-2020-27828.patch
+
 # architecture related patches
 Patch100: jasper-2.0.2-test-ppc64-disable.patch
 Patch101: jasper-2.0.2-test-ppc64le-disable.patch
@@ -62,6 +66,9 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %setup -q -n %{name}-%{version}
 %patch1 -p1 -b .CVE-2016-9396
+%patch2 -p1 -b .CVE-2021-26927
+%patch3 -p1 -b .CVE-2021-3272
+%patch4 -p1 -b .CVE-2020-27828
 # Need to disable one test to be able to build it on ppc64 arch
 # At ppc64 this test just stuck (nothing happend - no exception or error)
@@ -136,6 +143,12 @@ popd
 %changelog
+* Tue Jun 01 2021 Josef Ridky - 2.0.14-5
+- Fix CVE-2021-26927 (#1933860)
+- Fix CVE-2021-26926 (#1922316)
+- Fix CVE-2021-3272 (#1922283)
+- Fix CVE-2020-27828 (#1905692)
+
 * Wed May 30 2018 Josef Ridky - 2.0.14-4
 - Fix CVE-2016-9396 (#1583722)
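Review bot: The `Patch2` to `Patch4` entries name three CVEs, but the %changelog hunk further down claims four fixes, including CVE-2021-26926, for which no patch file is added. If `jasper-2.0.14-CVE-2021-26927.patch` is meant to cover both (the page does not say), a comment above that entry such as `# also addresses CVE-2021-26926` would let anyone auditing the package map each advisory to the change that resolves it.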