From b75c22566d745071a95aee12b475fafa485c0289 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 13 May 2025 14:46:22 +0000
Subject: [PATCH] import UBI openjpeg2-2.4.0-8.el9
---
SOURCES/openjpeg2-2.5.2-cve-2024-56826.patch | 108 +++++++++++++++++++
SOURCES/openjpeg2-2.5.2-cve-2024-56827.patch | 14 +++
SOURCES/openjpeg2-CVE-2021-3575.patch | 49 ++++-----
SPECS/openjpeg2.spec | 11 +-
4 files changed, 153 insertions(+), 29 deletions(-)
create mode 100644 SOURCES/openjpeg2-2.5.2-cve-2024-56826.patch
create mode 100644 SOURCES/openjpeg2-2.5.2-cve-2024-56827.patch
diff --git a/SOURCES/openjpeg2-2.5.2-cve-2024-56826.patch b/SOURCES/openjpeg2-2.5.2-cve-2024-56826.patch
new file mode 100644
index 0000000..32807be
--- /dev/null
+++ b/SOURCES/openjpeg2-2.5.2-cve-2024-56826.patch
@@ -0,0 +1,108 @@
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index ae5d648da..e4924a152 100644
+--- a/src/bin/common/color.c
++++ b/src/bin/common/color.c
+@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ {
+ int *d0, *d1, *d2, *r, *g, *b;
+ const int *y, *cb, *cr;
+- size_t maxw, maxh, max, offx, loopmaxw;
++ size_t maxw, maxh, max, offx, loopmaxw, comp12w;
+ int offset, upb;
+ size_t i;
+
+@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *img)
+ upb = (1 << upb) - 1;
+
+ maxw = (size_t)img->comps[0].w;
++ comp12w = (size_t)img->comps[1].w;
+ maxh = (size_t)img->comps[0].h;
+ max = maxw * maxh;
+
+@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+- ++cb;
+- ++cr;
++ if (j / 2 < comp12w) {
++ ++cb;
++ ++cr;
++ }
+ }
+ }
+
+@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ {
+ int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
+ const int *y, *cb, *cr, *ny;
+- size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
++ size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
+ int offset, upb;
+ size_t i;
+
+@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ upb = (1 << upb) - 1;
+
+ maxw = (size_t)img->comps[0].w;
++ comp12w = (size_t)img->comps[1].w;
+ maxh = (size_t)img->comps[0].h;
+ max = maxw * maxh;
+
+@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+
+- sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
++ } else {
++ sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++ }
+ ++ny;
+ ++nr;
+ ++ng;
+ ++nb;
+- ++cb;
+- ++cr;
++ if (j / 2 < comp12w) {
++ ++cb;
++ ++cr;
++ }
+ }
+ y += maxw;
+ r += maxw;
+@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *img)
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ }
+ }
+
diff --git a/SOURCES/openjpeg2-2.5.2-cve-2024-56827.patch b/SOURCES/openjpeg2-2.5.2-cve-2024-56827.patch
new file mode 100644
index 0000000..adc0127
--- /dev/null
+++ b/SOURCES/openjpeg2-2.5.2-cve-2024-56827.patch
@@ -0,0 +1,14 @@
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 7dc389fa2..b5903a59c 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -8456,7 +8456,8 @@ static OPJ_BOOL opj_j2k_add_tlmarker(OPJ_UINT32 tileno,
+ if (type == J2K_MS_SOT) {
+ OPJ_UINT32 l_current_tile_part = cstr_index->tile_index[tileno].current_tpsno;
+
+- if (cstr_index->tile_index[tileno].tp_index) {
++ if (cstr_index->tile_index[tileno].tp_index &&
++ l_current_tile_part < cstr_index->tile_index[tileno].nb_tps) {
+ cstr_index->tile_index[tileno].tp_index[l_current_tile_part].start_pos = pos;
+ }
+
diff --git a/SOURCES/openjpeg2-CVE-2021-3575.patch b/SOURCES/openjpeg2-CVE-2021-3575.patch
index 6aaae29..01e6857 100644
--- a/SOURCES/openjpeg2-CVE-2021-3575.patch
+++ b/SOURCES/openjpeg2-CVE-2021-3575.patch
@@ -1,35 +1,30 @@ -From 409907d89878222cf9dea80f0add8f73e9383834 Mon Sep 17 00:00:00 2001 -From: Mehdi Sabwat -Date: Fri, 7 May 2021 01:50:37 +0200 -Subject: [PATCH] fix heap buffer overflow #1347 - ---- - src/bin/common/color.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) -
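Review bot: The tail guard `if (j / 2 == comp12w)` added in `sycc422_to_rgb` and at three places in `sycc420_to_rgb` only substitutes zero chroma when the chroma row is exactly one sample short; for any `j / 2 > comp12w` the `else` branch still dereferences `*cb` and `*cr`. Writing the test as `if (j / 2 >= comp12w)` would keep the tail read in bounds however the component widths relate. `comp12w` is taken from `img->comps[1].w` alone, so the `*cr` read relies on `comps[2].w` being the same width, which is presumably validated by the caller but is not visible in these hunks; a one-line comment next to the assignment stating that assumption would help. The paired-column loops that precede each guarded block start outside the hunks, so whether they are bounded by the chroma width cannot be confirmed from here.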
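Review bot: When `l_current_tile_part` is not below `nb_tps`, the new condition in `opj_j2k_add_tlmarker` drops the `start_pos` write silently, so a codestream whose SOT tile-part number exceeds the index leaves `tp_index` partially filled with no diagnostic. A short comment above the condition would record the intent, for example `/* skip SOT tile-part numbers outside tp_index (assumed to hold nb_tps entries) */`. The function body starts and ends outside the hunk, so any other `tp_index[...]` access there, and the range of `tileno` itself, should be checked against the same kind of bound.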
diff --git a/src/bin/common/color.c b/src/bin/common/color.c -index 27f15f1..935fa44 100644 +index 27f15f137..ae5d648da 100644 --- a/src/bin/common/color.c +++ b/src/bin/common/color.c -@@ -368,12 +368,15 @@ static void sycc420_to_rgb(opj_image_t *img) +@@ -358,7 +358,15 @@ static void sycc420_to_rgb(opj_image_t *img) + if (i < loopmaxh) { + size_t j; +- for (j = 0U; j < (maxw & ~(size_t)1U); j += 2U) { ++ if (offx > 0U) { ++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b); ++ ++y; ++ ++r; ++ ++g; ++ ++b; ++ } ++ ++ for (j = 0U; j < (loopmaxw & ~(size_t)1U); j += 2U) { sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); -- ++y; -+ if (*y != img->comps[0].data[loopmaxh]) -+ ++y; - ++r; - ++g; - ++b; -- ++cb; -- ++cr; -+ if (*cb != img->comps[1].data[loopmaxh]) -+ ++cb; -+ if (*cr != img->comps[2].data[loopmaxh]) -+ ++cr; + ++y; +@@ -375,7 +383,7 @@ static void sycc420_to_rgb(opj_image_t *img) + ++cb; + ++cr; } - if (j < maxw) { +- if (j < maxw) { ++ if (j < loopmaxw) { sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b); --- -2.31.1 - + } + } diff --git a/SPECS/openjpeg2.spec b/SPECS/openjpeg2.spec index 556d2c8..2ddc2a1 100644 --- a/SPECS/openjpeg2.spec +++ b/SPECS/openjpeg2.spec @@ -8,7 +8,7 @@ Name: openjpeg2 Version: 2.4.0 -Release: 7%{?dist} +Release: 8%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD 
@@ -24,9 +24,13 @@ Source1: data.tar.xz Patch0: openjpeg2_opj2.patch # Fix CVE-2021-29338 Patch1: openjpeg2-CVE-2021-29338.patch -# Fix CVE-2021-3575 +# Fix CVE-2021-3575 https://github.com/uclouvain/openjpeg/commit/7bd884f8750892de4f50bf4642fcfbe7011c6bdf Patch2: openjpeg2-CVE-2021-3575.patch Patch3: openjpeg2-CVE-2022-1122.patch +# https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2 for < 2.5.3 +Patch4: openjpeg2-2.5.2-cve-2024-56826.patch +# https://github.com/uclouvain/openjpeg/commit/e492644fbded4c820ca55b5e50e598d346e850e8 for < 2.5.3 +Patch5: openjpeg2-2.5.2-cve-2024-56827.patch BuildRequires: cmake # The library itself is C only, but there is some optional C++ stuff, hence the project is not marked as C-only in cmake and hence cmake looks for a c++ compiler @@ -328,6 +332,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer %changelog +* Thu Jan 23 2025 Michal Hlavinka - 2.4.0-8 +- fix two heap buffer overflows CVE-2024-56826 and CVE-2024-52827 (RHEL-72519,RHEL-72521) + * Wed Jun 15 2022 Matej Mužila - 2.4.0-7 - Fix CVE-2022-1122
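Review bot: The changelog entry added in the last hunk names `CVE-2024-52827`, while the patch declared as `Patch5` in this hunk is `openjpeg2-2.5.2-cve-2024-56827.patch`, so the CVE identifier recorded for the release does not match the fix being shipped. Tooling and auditors that read fixed CVEs from the RPM changelog would not see CVE-2024-56827 as addressed in 2.4.0-8. The entry should read `- fix two heap buffer overflows CVE-2024-56826 and CVE-2024-56827 (RHEL-72519,RHEL-72521)`.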