[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
02/02: gnu: openjpeg: Fix CVE-2017-14164.
|
From: |
Efraim Flashner |
|
Subject: |
02/02: gnu: openjpeg: Fix CVE-2017-14164. |
|
Date: |
Sun, 10 Sep 2017 15:01:45 -0400 (EDT) |
efraim pushed a commit to branch master
in repository guix.
commit 338b58e0ea880f7cccbe43de21eccbf1440ac6af
Author: Efraim Flashner <address@hidden>
Date: Sun Sep 10 22:00:35 2017 +0300
gnu: openjpeg: Fix CVE-2017-14164.
* gnu/packages/image.scm (openjpeg)[source]: Add patch.
* gnu/packages/patches/openjpeg-CVE-2017-14164.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
gnu/local.mk | 1 +
gnu/packages/image.scm | 3 +-
gnu/packages/patches/openjpeg-CVE-2017-14164.patch | 89 ++++++++++++++++++++++
3 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 43eac77..c92b93d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -895,6 +895,7 @@ dist_patch_DATA =
\
%D%/packages/patches/openjpeg-CVE-2017-14041.patch \
%D%/packages/patches/openjpeg-CVE-2017-14151.patch \
%D%/packages/patches/openjpeg-CVE-2017-14152.patch \
+ %D%/packages/patches/openjpeg-CVE-2017-14164.patch \
%D%/packages/patches/openldap-CVE-2017-9287.patch \
%D%/packages/patches/openocd-nrf52.patch \
%D%/packages/patches/openssl-runpath.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 3bb8de1..d45f08d 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -524,7 +524,8 @@ work.")
"openjpeg-CVE-2017-14040.patch"
"openjpeg-CVE-2017-14041.patch"
"openjpeg-CVE-2017-14151.patch"
- "openjpeg-CVE-2017-14152.patch"))))
+ "openjpeg-CVE-2017-14152.patch"
+ "openjpeg-CVE-2017-14164.patch"))))
(build-system cmake-build-system)
(arguments
;; Trying to run `$ make check' results in a no rule fault.
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
new file mode 100644
index 0000000..2bfc5a6
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
@@ -0,0 +1,89 @@
+https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
+http://openwall.com/lists/oss-security/2017/09/06/3
+
+From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
+From: Even Rouault <address@hidden>
+Date: Wed, 16 Aug 2017 17:09:10 +0200
+Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
+ (#991)
+
+---
+ src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 54b490a8c..16915452e 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+ * Writes the SOT marker (Start of tile-part)
+ *
+ * @param p_j2k J2K codec.
+- * @param p_data FIXME DOC
+- * @param p_data_written FIXME DOC
++ * @param p_data Output buffer
++ * @param p_total_data_size Output buffer size
++ * @param p_data_written Number of bytes written into stream
+ * @param p_stream the stream to write data to.
+ * @param p_manager the user event manager.
+ */
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_BYTE * p_data,
++ OPJ_UINT32 p_total_data_size,
+ OPJ_UINT32 * p_data_written,
+ const opj_stream_private_t *p_stream,
+ opj_event_mgr_t * p_manager);
+@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_BYTE * p_data,
++ OPJ_UINT32 p_total_data_size,
+ OPJ_UINT32 * p_data_written,
+ const opj_stream_private_t *p_stream,
+ opj_event_mgr_t * p_manager
+@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+ OPJ_UNUSED(p_stream);
+ OPJ_UNUSED(p_manager);
+
++ if (p_total_data_size < 12) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough bytes in output buffer to write SOT
marker\n");
++ return OPJ_FALSE;
++ }
++
+ opj_write_bytes(p_data, J2K_MS_SOT,
+ 2); /* SOT */
+ p_data += 2;
+@@ -11480,7 +11489,8 @@ static OPJ_BOOL
opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
+
+ l_current_nb_bytes_written = 0;
+ l_begin_data = p_data;
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written,
p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
++ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }
+@@ -11572,7 +11582,10 @@ static OPJ_BOOL
opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+ l_part_tile_size = 0;
+ l_begin_data = p_data;
+
+- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written,
p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data,
++ p_total_data_size,
++ &l_current_nb_bytes_written,
++ p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }
+@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t
*p_j2k,
+ l_part_tile_size = 0;
+ l_begin_data = p_data;
+
+- if (! opj_j2k_write_sot(p_j2k, p_data,
&l_current_nb_bytes_written, p_stream,
++ if (! opj_j2k_write_sot(p_j2k, p_data,
++ p_total_data_size,
++ &l_current_nb_bytes_written, p_stream,
+ p_manager)) {
+ return OPJ_FALSE;
+ }