Backport patch for CVE-2020-27814

2020-11-28 23:32:44 +01:00 · 2020-11-28 23:32:44 +01:00 · f7e0d8451b
commit f7e0d8451b
parent 7f15b4831d
5 changed files with 33 additions and 35 deletions
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@ -8,7 +8,7 @@

 Name:           openjpeg2
 Version:        2.3.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        C-Library for JPEG 2000

 # windirent.h is MIT, the rest is BSD
@ -28,6 +28,9 @@ Patch1:         openjpeg2_CVE-2020-6851.patch
 # Backport patch for CVE 2020-8112
 # https://github.com/uclouvain/openjpeg/pull/1232/commits/05f9b91e60debda0e83977e5e63b2e66486f7074
 Patch2:         openjpeg2_CVE-2020-8112.patch
+# Backport patch for CVE-2020-27814
+# https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc
+Patch3:         openjpeg2_CVE-2020-27814.patch


 BuildRequires:  cmake
@ -330,6 +333,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer


 %changelog
+* Sat Nov 28 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-8
+- Backport patch for CVE-2020-27814
+
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

--- a/openjpeg2_CVE-2020-27814.patch
+++ b/openjpeg2_CVE-2020-27814.patch
@ -0,0 +1,16 @@
+diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/tcd.c openjpeg-2.3.1-new/src/lib/openjp2/tcd.c
+--- openjpeg-2.3.1/src/lib/openjp2/tcd.c	2020-11-28 23:29:38.701863373 +0100
+++ openjpeg-2.3.1-new/src/lib/openjp2/tcd.c	2020-11-28 23:29:38.704863383 +0100
+@@ -1235,9 +1235,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_a
+ 
+     /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
+     /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
+    /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */
+    /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */
+     /* TODO: is there a theoretical upper-bound for the compressed code */
+     /* block size ? */
+-    l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+    l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
+                                    (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
+ 
+     if (l_data_size > p_code_block->data_size) {
--- a/openjpeg2_CVE-2020-6851.patch
+++ b/openjpeg2_CVE-2020-6851.patch
@ -1,18 +1,7 @@
-From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 11 Jan 2020 01:51:19 +0100
-Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
- coordinates are beyond INT_MAX (fixes #1228)
-
---
- src/lib/openjp2/j2k.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index 14f6ff41a..922550eb1 100644
--- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -9221,6 +9221,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
+diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/j2k.c openjpeg-2.3.1-new/src/lib/openjp2/j2k.c
+--- openjpeg-2.3.1/src/lib/openjp2/j2k.c	2019-04-02 14:45:15.000000000 +0200
+++ openjpeg-2.3.1-new/src/lib/openjp2/j2k.c	2020-11-28 23:29:38.618863089 +0100
+@@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dim
     l_img_comp = p_image->comps;
     for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
         OPJ_INT32 l_h, l_w;
--- a/openjpeg2_CVE-2020-8112.patch
+++ b/openjpeg2_CVE-2020-8112.patch
@ -1,20 +1,7 @@
-From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 30 Jan 2020 00:59:57 +0100
-Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
-
-That could lead to later assertion failures.
-
-Fixes #1231 / CVE-2020-8112
---
- src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
- 1 file changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
-index deecc4dff..aa419030a 100644
--- a/src/lib/openjp2/tcd.c
-+++ b/src/lib/openjp2/tcd.c
-@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+diff -rupN --no-dereference openjpeg-2.3.1/src/lib/openjp2/tcd.c openjpeg-2.3.1-new/src/lib/openjp2/tcd.c
+--- openjpeg-2.3.1/src/lib/openjp2/tcd.c	2019-04-02 14:45:15.000000000 +0200
+++ openjpeg-2.3.1-new/src/lib/openjp2/tcd.c	2020-11-28 23:29:38.662863239 +0100
+@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile
             /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000)  */
             l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
             l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
--- a/openjpeg2_opj2.patch
+++ b/openjpeg2_opj2.patch
@ -1,6 +1,6 @@
-diff -rupN openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt
+diff -rupN --no-dereference openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt
 --- openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt	2019-04-02 14:45:15.000000000 +0200
-+++ openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt	2019-04-02 16:14:13.726252297 +0200
+++ openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt	2020-11-28 23:29:38.576862946 +0100
@@ -44,6 +44,8 @@ endif()
 # Loop over all executables:
 foreach(exe opj_decompress opj_compress opj_dump)