From b6898f73c1e804334b26eb5f67578f7e31c99f03 Mon Sep 17 00:00:00 2001 From: DistroBaker Date: Fri, 11 Dec 2020 12:22:26 +0100 Subject: [PATCH] Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openjpeg2.git#14c537271510fdc92e4c9cea3c6dd09402aa7e2d --- openjpeg2.spec | 11 ++++++++++- openjpeg2_CVE-2020-27823.patch | 26 ++++++++++++++++++++++++++ openjpeg2_CVE-2020-27824.patch | 23 +++++++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 openjpeg2_CVE-2020-27823.patch create mode 100644 openjpeg2_CVE-2020-27824.patch diff --git a/openjpeg2.spec b/openjpeg2.spec index 3406a80..38186b8 100644 --- a/openjpeg2.spec +++ b/openjpeg2.spec @@ -8,7 +8,7 @@ Name: openjpeg2 Version: 2.3.1 -Release: 8%{?dist} +Release: 9%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD @@ -31,6 +31,12 @@ Patch2: openjpeg2_CVE-2020-8112.patch # Backport patch for CVE-2020-27814 # https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc Patch3: openjpeg2_CVE-2020-27814.patch +# Backport patch for CVE-2020-27824 +# https://github.com/uclouvain/openjpeg/pull/1292/commits/6daf5f3e1ec6eff03b7982889874a3de6617db8d +Patch4: openjpeg2_CVE-2020-27824.patch +# Backport patch for CVE-2020-27823 +# https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919 +Patch5: openjpeg2_CVE-2020-27823.patch BuildRequires: cmake @@ -333,6 +339,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer %changelog +* Thu Dec 10 2020 Sandro Mani - 2.3.1-9 +* Backport patches for CVE-2020-27824 and CVE-2020-27823 + * Sat Nov 28 2020 Sandro Mani - 2.3.1-8 - Backport patch for CVE-2020-27814 diff --git a/openjpeg2_CVE-2020-27823.patch b/openjpeg2_CVE-2020-27823.patch new file mode 100644 index 0000000..02fa0ac --- /dev/null +++ b/openjpeg2_CVE-2020-27823.patch @@ -0,0 +1,26 @@ +From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 30 Nov 2020 22:31:51 +0100 +Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is + used, that would result in a heap buffer overflow (fixes #1284) + +--- + src/bin/jp2/convertpng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c +index 328c91beb..00f596e27 100644 +--- a/src/bin/jp2/convertpng.c ++++ b/src/bin/jp2/convertpng.c +@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params) + image->x0 = (OPJ_UINT32)params->image_offset_x0; + image->y0 = (OPJ_UINT32)params->image_offset_y0; + image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32) +- params->subsampling_dx + 1 + image->x0); ++ params->subsampling_dx + 1); + image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32) +- params->subsampling_dy + 1 + image->y0); ++ params->subsampling_dy + 1); + + row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32)); + if (row32s == NULL) { diff --git a/openjpeg2_CVE-2020-27824.patch b/openjpeg2_CVE-2020-27824.patch new file mode 100644 index 0000000..8301f7e --- /dev/null +++ b/openjpeg2_CVE-2020-27824.patch @@ -0,0 +1,23 @@ +From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 30 Nov 2020 22:37:07 +0100 +Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible + conversion when too many decomposition levels are specified (fixes #1286) + +--- + src/lib/openjp2/dwt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/openjp2/dwt.c b/src/lib/openjp2/dwt.c +index ee9eb5e63..4164ba090 100644 +--- a/src/lib/openjp2/dwt.c ++++ b/src/lib/openjp2/dwt.c +@@ -1976,7 +1976,7 @@ void opj_dwt_calc_explicit_stepsizes(opj_tccp_t * tccp, OPJ_UINT32 prec) + if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) { + stepsize = 1.0; + } else { +- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level]; ++ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient); + stepsize = (1 << (gain)) / norm; + } + opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0),