Backport patches for CVE-2020-27824 and CVE-2020-27823

2020-12-10 12:38:24 +01:00 · 2020-12-10 12:38:24 +01:00 · 14c5372715
commit 14c5372715
parent f7e0d8451b
3 changed files with 59 additions and 1 deletions
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@ -8,7 +8,7 @@

 Name:           openjpeg2
 Version:        2.3.1
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        C-Library for JPEG 2000

 # windirent.h is MIT, the rest is BSD
@ -31,6 +31,12 @@ Patch2:         openjpeg2_CVE-2020-8112.patch
 # Backport patch for CVE-2020-27814
 # https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc
 Patch3:         openjpeg2_CVE-2020-27814.patch
+# Backport patch for CVE-2020-27824
+# https://github.com/uclouvain/openjpeg/pull/1292/commits/6daf5f3e1ec6eff03b7982889874a3de6617db8d
+Patch4:         openjpeg2_CVE-2020-27824.patch
+# Backport patch for CVE-2020-27823
+# https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919
+Patch5:         openjpeg2_CVE-2020-27823.patch


 BuildRequires:  cmake
@ -333,6 +339,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer


 %changelog
+* Thu Dec 10 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-9
+* Backport patches for CVE-2020-27824 and CVE-2020-27823
+
 * Sat Nov 28 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-8
 - Backport patch for CVE-2020-27814

--- a/openjpeg2_CVE-2020-27823.patch
+++ b/openjpeg2_CVE-2020-27823.patch
@ -0,0 +1,26 @@
+From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:31:51 +0100
+Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is
+ used, that would result in a heap buffer overflow (fixes #1284)
+
+---
+ src/bin/jp2/convertpng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c
+index 328c91beb..00f596e27 100644
+--- a/src/bin/jp2/convertpng.c
+++ b/src/bin/jp2/convertpng.c
+@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params)
+     image->x0 = (OPJ_UINT32)params->image_offset_x0;
+     image->y0 = (OPJ_UINT32)params->image_offset_y0;
+     image->x1 = (OPJ_UINT32)(image->x0 + (width  - 1) * (OPJ_UINT32)
+-                             params->subsampling_dx + 1 + image->x0);
+                             params->subsampling_dx + 1);
+     image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)
+-                             params->subsampling_dy + 1 + image->y0);
+                             params->subsampling_dy + 1);
+ 
+     row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32));
+     if (row32s == NULL) {
--- a/openjpeg2_CVE-2020-27824.patch
+++ b/openjpeg2_CVE-2020-27824.patch
@ -0,0 +1,23 @@
+From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 30 Nov 2020 22:37:07 +0100
+Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible
+ conversion when too many decomposition levels are specified (fixes #1286)
+
+---
+ src/lib/openjp2/dwt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c
+index ee9eb5e63..4164ba090 100644
+--- a/src/lib/openjp2/dwt.c
+++ b/src/lib/openjp2/dwt.c
+@@ -1976,7 +1976,7 @@ void opj_dwt_calc_explicit_stepsizes(opj_tccp_t * tccp, OPJ_UINT32 prec)
+         if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) {
+             stepsize = 1.0;
+         } else {
+-            OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level];
+            OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient);
+             stepsize = (1 << (gain)) / norm;
+         }
+         opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0),