Backport patches for CVE-2020-27841, CVE-2020-27842, CVE-2020-27843, CVE-2020-27845

2020-12-17 16:31:44 +01:00 · 2020-12-17 16:31:44 +01:00 · 8e0ddcd8ad
commit 8e0ddcd8ad
parent 14c5372715
7 changed files with 29 additions and 36 deletions
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@ -8,7 +8,7 @@

 Name:           openjpeg2
 Version:        2.3.1
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        C-Library for JPEG 2000

 # windirent.h is MIT, the rest is BSD
@ -37,6 +37,18 @@ Patch4:         openjpeg2_CVE-2020-27824.patch
 # Backport patch for CVE-2020-27823
 # https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919
 Patch5:         openjpeg2_CVE-2020-27823.patch
+# Backport patch for CVE-2020-27841
+# https://github.com/rouault/openjpeg/commit/00383e162ae2f8fc951f5745bf1011771acb8dce
+Patch6:         openjpeg2_CVE-2020-27841.patch
+# Backport patch for CVE-2020-27842
+# https://github.com/uclouvain/openjpeg/pull/1296/commits/fbd30b064f8f9607d500437b6fedc41431fd6cdc
+Patch7:         openjpeg2_CVE-2020-27842.patch
+# Backport patch for CVE-2020-27843
+# https://github.com/rouault/openjpeg/commit/38d661a3897052c7ff0b39b30c29cb067e130121
+Patch8:         openjpeg2_CVE-2020-27843.patch
+# Backport patch for CVE-2020-27845
+# https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63
+Patch9:         openjpeg2_CVE-2020-27845.patch


 BuildRequires:  cmake
@ -339,6 +351,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer


 %changelog
+* Thu Dec 17 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-10
+* Backport patches for CVE-2020-27841, CVE-2020-27842, CVE-2020-27843, CVE-2020-27845
+
 * Thu Dec 10 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-9
 * Backport patches for CVE-2020-27824 and CVE-2020-27823

--- a/openjpeg2_CVE-2020-27814.patch
+++ b/openjpeg2_CVE-2020-27814.patch
@ -1,6 +1,6 @@
 diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/tcd.c openjpeg-2.3.1-new/src/lib/openjp2/tcd.c
--- openjpeg-2.3.1/src/lib/openjp2/tcd.c	2020-11-28 23:29:38.701863373 +0100
-+++ openjpeg-2.3.1-new/src/lib/openjp2/tcd.c	2020-11-28 23:29:38.704863383 +0100
+--- openjpeg-2.3.1/src/lib/openjp2/tcd.c	2020-12-17 16:25:44.797030458 +0100
+++ openjpeg-2.3.1-new/src/lib/openjp2/tcd.c	2020-12-17 16:25:44.799030456 +0100
@@ -1235,9 +1235,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_a
 
     /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
--- a/openjpeg2_CVE-2020-27823.patch
+++ b/openjpeg2_CVE-2020-27823.patch
@ -1,18 +1,7 @@
-From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 30 Nov 2020 22:31:51 +0100
-Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is
- used, that would result in a heap buffer overflow (fixes #1284)
-
---
- src/bin/jp2/convertpng.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c
-index 328c91beb..00f596e27 100644
--- a/src/bin/jp2/convertpng.c
-+++ b/src/bin/jp2/convertpng.c
-@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params)
+diff -rupN --no-dereference openjpeg-2.3.1/src/bin/jp2/convertpng.c openjpeg-2.3.1-new/src/bin/jp2/convertpng.c
+--- openjpeg-2.3.1/src/bin/jp2/convertpng.c	2019-04-02 14:45:15.000000000 +0200
+++ openjpeg-2.3.1-new/src/bin/jp2/convertpng.c	2020-12-17 16:25:44.882030380 +0100
+@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read
     image->x0 = (OPJ_UINT32)params->image_offset_x0;
     image->y0 = (OPJ_UINT32)params->image_offset_y0;
     image->x1 = (OPJ_UINT32)(image->x0 + (width  - 1) * (OPJ_UINT32)
--- a/openjpeg2_CVE-2020-27824.patch
+++ b/openjpeg2_CVE-2020-27824.patch
@ -1,18 +1,7 @@
-From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 30 Nov 2020 22:37:07 +0100
-Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible
- conversion when too many decomposition levels are specified (fixes #1286)
-
---
- src/lib/openjp2/dwt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c
-index ee9eb5e63..4164ba090 100644
--- a/src/lib/openjp2/dwt.c
-+++ b/src/lib/openjp2/dwt.c
-@@ -1976,7 +1976,7 @@ void opj_dwt_calc_explicit_stepsizes(opj_tccp_t * tccp, OPJ_UINT32 prec)
+diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/dwt.c openjpeg-2.3.1-new/src/lib/openjp2/dwt.c
+--- openjpeg-2.3.1/src/lib/openjp2/dwt.c	2019-04-02 14:45:15.000000000 +0200
+++ openjpeg-2.3.1-new/src/lib/openjp2/dwt.c	2020-12-17 16:25:44.842030417 +0100
+@@ -1293,7 +1293,7 @@ void opj_dwt_calc_explicit_stepsizes(opj
         if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) {
             stepsize = 1.0;
         } else {
--- a/openjpeg2_CVE-2020-6851.patch
+++ b/openjpeg2_CVE-2020-6851.patch
@ -1,6 +1,6 @@
 diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/j2k.c openjpeg-2.3.1-new/src/lib/openjp2/j2k.c
 --- openjpeg-2.3.1/src/lib/openjp2/j2k.c	2019-04-02 14:45:15.000000000 +0200
-+++ openjpeg-2.3.1-new/src/lib/openjp2/j2k.c	2020-11-28 23:29:38.618863089 +0100
+++ openjpeg-2.3.1-new/src/lib/openjp2/j2k.c	2020-12-17 16:25:44.708030540 +0100
@@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dim
     l_img_comp = p_image->comps;
     for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
--- a/openjpeg2_CVE-2020-8112.patch
+++ b/openjpeg2_CVE-2020-8112.patch
@ -1,6 +1,6 @@
 diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/tcd.c openjpeg-2.3.1-new/src/lib/openjp2/tcd.c
 --- openjpeg-2.3.1/src/lib/openjp2/tcd.c	2019-04-02 14:45:15.000000000 +0200
-+++ openjpeg-2.3.1-new/src/lib/openjp2/tcd.c	2020-11-28 23:29:38.662863239 +0100
+++ openjpeg-2.3.1-new/src/lib/openjp2/tcd.c	2020-12-17 16:25:44.754030498 +0100
@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile
             /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000)  */
             l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
--- a/openjpeg2_opj2.patch
+++ b/openjpeg2_opj2.patch
@ -1,6 +1,6 @@
 diff -rupN --no-dereference openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt
 --- openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt	2019-04-02 14:45:15.000000000 +0200
-+++ openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt	2020-11-28 23:29:38.576862946 +0100
+++ openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt	2020-12-17 16:25:44.665030580 +0100
@@ -44,6 +44,8 @@ endif()
 # Loop over all executables:
 foreach(exe opj_decompress opj_compress opj_dump)