Resolves: #1472888 - fix CVE-2017-1000050

Josef Ridky 2017-08-25 13:05:09 +02:00
parent afe878c123
commit 3dd700edaf
2 changed files with 22 additions and 2 deletions


@ -0,0 +1,15 @@
diff -urNp old/src/libjasper/jp2/jp2_enc.c new/src/libjasper/jp2/jp2_enc.c
--- old/src/libjasper/jp2/jp2_enc.c 2017-08-25 12:49:46.242889564 +0200
+++ new/src/libjasper/jp2/jp2_enc.c 2017-08-25 12:56:41.041654317 +0200
@@ -115,6 +115,11 @@ int jp2_encode(jas_image_t *image, jas_s
iccstream = 0;
iccprof = 0;
+ if (jas_image_numcmpts(image) < 1) {
+ jas_eprintf("image must have at least one component\n");
+ goto error;
+ }
+
allcmptssame = 1;
sgnd = jas_image_cmptsgnd(image, 0);
prec = jas_image_cmptprec(image, 0);
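Review bot: the patch file starts directly at `diff -urNp` with no header saying where the fix comes from; add a short description above it (bug #1472888, CVE-2017-1000050, and whether the change is taken from upstream or is downstream only) so a later rebase can tell whether it is still needed. The guard itself is in the right place, ahead of the `jas_image_cmptsgnd(image, 0)` and `jas_image_cmptprec(image, 0)` reads of component 0; keep it after `iccstream = 0; iccprof = 0;` in case the `error` path releases those.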


@ -7,7 +7,7 @@ Summary: Implementation of the JPEG-2000 standard, Part 1
Name: jasper Name: jasper
Group: System Environment/Libraries Group: System Environment/Libraries
Version: 2.0.12 Version: 2.0.12
Release: 3%{?dist} Release: 4%{?dist}
%if "%{version}" > "1.900.1" %if "%{version}" > "1.900.1"
%define ext .tar.gz %define ext .tar.gz
@ -23,6 +23,7 @@ Source0: http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}%{ext}
# during the memory allocations # during the memory allocations
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520 # https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3520
Patch1: jasper-1.900.1-CVE-2008-3520.patch Patch1: jasper-1.900.1-CVE-2008-3520.patch
Patch2: jasper-2.0.12-CVE-2017-1000050.patch
# architecture related patches # architecture related patches
Patch100: jasper-2.0.2-test-ppc64-disable.patch Patch100: jasper-2.0.2-test-ppc64-disable.patch
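Review bot: `Patch2:` is added without any comment, while `Patch1:` directly above it carries a description and its bugzilla link; add the same kind of comment line for CVE-2017-1000050 (bug #1472888) above `Patch2:` so the spec records why the patch exists.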
@ -73,6 +74,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%prep %prep
%setup -q -n %{name}-%{version} %setup -q -n %{name}-%{version}
%patch1 -p1 -b .CVE-2008-3520 %patch1 -p1 -b .CVE-2008-3520
%patch2 -p1 -b .CVE-2017-1000050
# Need to disable one test to be able to build it on ppc64 arch # Need to disable one test to be able to build it on ppc64 arch
# At ppc64 this test just stuck (nothing happend - no exception or error) # At ppc64 this test just stuck (nothing happend - no exception or error)
@ -150,6 +152,9 @@ popd
%changelog %changelog
* Fri Aug 25 2017 Josef Ridky <jridky@redhat.com> - 2.0.12-4
- CVE-2017-1000050 jasper: NULL pointer exception in jp2_encode() (#1472888)
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.12-3 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.12-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
@ -162,7 +167,7 @@ popd
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.10-2 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Jan 17 2017 Josef Ridky <jridky@redhat.com> - 2.0.10-1 * Tue Jan 17 2017 Josef Ridky <jridky@redhat.com> - 2.0.10-1
- New upstream release 2.0.10 (#1403401) - New upstream release 2.0.10 (#1403401)
* Thu Dec 1 2016 Josef Ridky <jridky@redhat.com> - 2.0.2-1 * Thu Dec 1 2016 Josef Ridky <jridky@redhat.com> - 2.0.2-1
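Review bot: the weekday correction on the 2.0.10-1 changelog entry (`Thu Jan 17 2017` to `Tue Jan 17 2017`) is unrelated to the CVE fix and is not mentioned in the commit message; either note it there or move it to its own commit so the security change stays easy to audit and backport.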