Backport patches for CVE-2018-18088, CVE-2018-6616

2018-12-20 11:06:52 +01:00 · 2018-12-20 11:06:52 +01:00 · ff37dbcc50
commit ff37dbcc50
parent 96f9a2d067
3 changed files with 101 additions and 1 deletions
--- a/CVE-2018-18088.patch
+++ b/CVE-2018-18088.patch
@ -0,0 +1,41 @@
+diff -rupN openjpeg-2.3.0/src/bin/jp2/convert.c openjpeg-2.3.0-new/src/bin/jp2/convert.c
+--- openjpeg-2.3.0/src/bin/jp2/convert.c	2017-10-05 00:23:14.000000000 +0200
+++ openjpeg-2.3.0-new/src/bin/jp2/convert.c	2018-12-20 10:51:16.454336033 +0100
+@@ -2210,6 +2210,11 @@ int imagetopnm(opj_image_t * image, cons
+                 opj_version(), wr, hr, max);
+ 
+         red = image->comps[compno].data;
+        if (!red) {
+            fclose(fdest);
+            continue;
+        }
+
+         adjustR =
+             (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
+ 
+diff -rupN openjpeg-2.3.0/src/bin/jp3d/convert.c openjpeg-2.3.0-new/src/bin/jp3d/convert.c
+--- openjpeg-2.3.0/src/bin/jp3d/convert.c	2017-10-05 00:23:14.000000000 +0200
+++ openjpeg-2.3.0-new/src/bin/jp3d/convert.c	2018-12-20 10:51:16.453336036 +0100
+@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath,
+         fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
+ 
+         fseek(f, 0, SEEK_SET);
+-        fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
+-               signtmp, &prec, temp, &w, temp, &h);
+        fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+               &endian2, signtmp, &prec, temp, &w, temp, &h);
+ 
+         i = 0;
+         sign = '+';
+diff -rupN openjpeg-2.3.0/src/bin/jpwl/convert.c openjpeg-2.3.0-new/src/bin/jpwl/convert.c
+--- openjpeg-2.3.0/src/bin/jpwl/convert.c	2017-10-05 00:23:14.000000000 +0200
+++ openjpeg-2.3.0-new/src/bin/jpwl/convert.c	2018-12-20 10:51:16.453336036 +0100
+@@ -1348,7 +1348,7 @@ opj_image_t* pgxtoimage(const char *file
+     }
+ 
+     fseek(f, 0, SEEK_SET);
+-    if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
+    if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+                &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+         fprintf(stderr,
+                 "ERROR: Failed to read the right number of element from the fscanf() function!\n");
--- a/CVE-2018-6616.patch
+++ b/CVE-2018-6616.patch
@ -0,0 +1,49 @@
+diff -rupN openjpeg-2.3.0/src/bin/jp2/convertbmp.c openjpeg-2.3.0-new/src/bin/jp2/convertbmp.c
+--- openjpeg-2.3.0/src/bin/jp2/convertbmp.c	2018-12-20 10:51:16.451336040 +0100
+++ openjpeg-2.3.0-new/src/bin/jp2/convertbmp.c	2018-12-20 10:51:16.491335949 +0100
+@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE*
+ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+                                    OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+ {
+-    OPJ_UINT32 x, y;
+    OPJ_UINT32 x, y, written;
+     OPJ_UINT8 *pix;
+     const OPJ_UINT8 *beyond;
+ 
+     beyond = pData + stride * height;
+     pix = pData;
+ 
+-    x = y = 0U;
+    x = y = written = 0U;
+     while (y < height) {
+         int c = getc(IN);
+         if (c == EOF) {
+@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
+             for (j = 0; (j < c) && (x < width) &&
+                     ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+                 *pix = c1;
+                written++;
+             }
+         } else {
+             c = getc(IN);
+@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
+                     }
+                     c1 = (OPJ_UINT8)c1_int;
+                     *pix = c1;
+                    written++;
+                 }
+                 if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
+                     c = getc(IN);
+@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
+             }
+         }
+     }/* while() */
+
+    if (written != width * height) {
+        fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+        return OPJ_FALSE;
+    }
+
+     return OPJ_TRUE;
+ }
+ 
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@ -5,7 +5,7 @@

 Name:           openjpeg2
 Version:        2.3.0
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        C-Library for JPEG 2000

 # windirent.h is MIT, the rest is BSD
@ -26,6 +26,13 @@ Patch2:         openjpeg2_opj2.patch
 # Backport patch for CVE-2018-5785
 # https://github.com/uclouvain/openjpeg/commit/ca16fe55014c57090dd97369256c7657aeb25975
 Patch3:         CVE-2018-5785.patch
+# Backport patch for CVE-2018-18088
+# https://github.com/uclouvain/openjpeg/commit/92023cd6c377e0384a7725949b25655d4d94dced
+Patch4:         CVE-2018-18088.patch
+# Backport patch for CVE-2018-6616
+# https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3
+Patch5:         CVE-2018-6616.patch
+

 BuildRequires:  cmake
 # The library itself is C only, but there is some optional C++ stuff, hence the project is not marked as C-only in cmake and hence cmake looks for a c++ compiler
@ -331,6 +338,9 @@ make test -C %{_target_platform}


 %changelog
+* Thu Dec 20 2018 Sandro Mani <manisandro@gmail.com> - 2.3.0-10
+- Backport patches for CVE-2018-18088, CVE-2018-6616
+
 * Thu Oct 04 2018 Sandro Mani <manisandro@gmail.com> - 2.3.0-9
 - Backport patch for CVE-2018-5785 (#1537758)