Control: tags 884738 + patch
Control: tags 888533 + patch
Control: tags 889683 + patch
Control: tags 904873 + patch
Control: tags 910763 + patch
Dear maintainer,

Following the DSA from Luciano I started preparing an NMU for openjpeg2 fixing the same CVEs as in the DSA to avoid a regression from stretch to buster. Though I have not yet uploaded to a delayed queue, as I noticed that openjpeg2 seems to FTBFS in unstable right now. Investigating this first.

Regards,
Salvatore
diff -Nru openjpeg2-2.3.0/debian/changelog openjpeg2-2.3.0/debian/changelog --- openjpeg2-2.3.0/debian/changelog 2018-12-02 18:18:22.000000000 +0100 +++ openjpeg2-2.3.0/debian/changelog 2019-03-10 16:34:00.000000000 +0100 @@ -1,3 +1,19 @@ +openjpeg2 (2.3.0-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * jp3d/jpwl convert: fix write stack buffer overflow (CVE-2017-17480) + (Closes: #884738) + * jp2: convert: fix null pointer dereference (CVE-2018-18088) + (Closes: #910763) + * convertbmp: detect invalid file dimensions early (CVE-2018-6616) + (Closes: #889683) + * [JP3D] To avoid divisions by zero / undefined behaviour on shift + (CVE-2018-14423) (Closes: #904873) + * convertbmp: fix issues with zero bitmasks (CVE-2018-5785) + (Closes: #888533) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 10 Mar 2019 16:34:00 +0100 + openjpeg2 (2.3.0-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru openjpeg2-2.3.0/debian/patches/convertbmp-detect-invalid-file-dimensions-early.patch openjpeg2-2.3.0/debian/patches/convertbmp-detect-invalid-file-dimensions-early.patch --- openjpeg2-2.3.0/debian/patches/convertbmp-detect-invalid-file-dimensions-early.patch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg2-2.3.0/debian/patches/convertbmp-detect-invalid-file-dimensions-early.patch 2019-03-10 16:26:44.000000000 +0100 
@@ -0,0 +1,75 @@ +From: Hugo Lefeuvre <h...@debian.org> +Date: Fri, 14 Dec 2018 04:58:40 +0100 +Subject: convertbmp: detect invalid file dimensions early +Origin: https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6616 +Bug-Debian: https://bugs.debian.org/889683 +Bug: https://github.com/uclouvain/openjpeg/issues/1059 + +width/length dimensions read from bmp headers are not necessarily +valid. For instance they may have been maliciously set to very large +values with the intention to cause DoS (large memory allocation, stack +overflow). In these cases we want to detect the invalid size as early +as possible. + +This commit introduces a counter which verifies that the number of +written bytes corresponds to the advertized width/length. + +Fixes #1059 (CVE-2018-6616). +--- + src/bin/jp2/convertbmp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index 85a47feaf3b9..0af52f816ba5 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride, + static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) + { +- OPJ_UINT32 x, y; ++ OPJ_UINT32 x, y, written; + OPJ_UINT8 *pix; + const OPJ_UINT8 *beyond; + + beyond = pData + stride * height; + pix = pData; + +- x = y = 0U; ++ x = y = written = 0U; + while (y < height) { + int c = getc(IN); + if (c == EOF) { +@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + *pix = c1; ++ written++; + } + } else { + c = getc(IN); +@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + } + c1 = (OPJ_UINT8)c1_int; + 
*pix = c1; ++ written++; + } + if ((OPJ_UINT32)c & 1U) { /* skip padding byte */ + c = getc(IN); +@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + } + } + }/* while() */ ++ ++ if (written != width * height) { ++ fprintf(stderr, "warning, image's actual size does not match advertized one\n"); ++ return OPJ_FALSE; ++ } ++ + return OPJ_TRUE; + } + +-- +2.11.0 + diff -Nru openjpeg2-2.3.0/debian/patches/convertbmp-fix-issues-with-zero-bitmasks.patch openjpeg2-2.3.0/debian/patches/convertbmp-fix-issues-with-zero-bitmasks.patch --- openjpeg2-2.3.0/debian/patches/convertbmp-fix-issues-with-zero-bitmasks.patch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg2-2.3.0/debian/patches/convertbmp-fix-issues-with-zero-bitmasks.patch 2019-03-10 16:29:12.000000000 +0100 
@@ -0,0 +1,85 @@ +From: Hugo Lefeuvre <h...@debian.org> +Date: Sat, 22 Sep 2018 14:33:19 -0400 +Subject: convertbmp: fix issues with zero bitmasks +Origin: https://github.com/uclouvain/openjpeg/commit/ca16fe55014c57090dd97369256c7657aeb25975 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5785 +Bug-Debian: https://bugs.debian.org/888533 +Bug: https://github.com/uclouvain/openjpeg/issues/1057 + +In the case where a BMP file declares compression 3 (BI_BITFIELDS) +with header size <= 56, all bitmask values keep their initialization +value 0. This may lead to various undefined behavior later e.g. when +doing 1 << (l_comp->prec - 1). + +This issue does not affect files with bit count 16 because of a check +added in 16240e2 which sets default values to the color masks if they +are all 0. + +This commit adds similar checks for the 32 bit case. + +Also, if a BMP file declares compression 3 with header size >= 56 and +intentional 0 bitmasks, the same issue will be triggered in both the +16 and 32 bit count case. + +This commit adds checks to bmp_read_info_header() rejecting BMP files +with "intentional" 0 bitmasks. These checks might be removed in the +future when proper handling of zero bitmasks will be available in +openjpeg2. 
+ +fixes #1057 (CVE-2018-5785) +--- + src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index 084f70bb75f8..7fde99ab3ef2 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header) + header->biRedMask |= (OPJ_UINT32)getc(IN) << 16; + header->biRedMask |= (OPJ_UINT32)getc(IN) << 24; + ++ if (!header->biRedMask) { ++ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask); ++ return OPJ_FALSE; ++ } ++ + header->biGreenMask = (OPJ_UINT32)getc(IN); + header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8; + header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16; + header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24; + ++ if (!header->biGreenMask) { ++ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask); ++ return OPJ_FALSE; ++ } ++ + header->biBlueMask = (OPJ_UINT32)getc(IN); + header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8; + header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16; + header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24; + ++ if (!header->biBlueMask) { ++ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask); ++ return OPJ_FALSE; ++ } ++ + header->biAlphaMask = (OPJ_UINT32)getc(IN); + header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8; + header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16; +@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters) + bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU, + 0x00000000U); + } else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */ ++ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) && ++ (Info_h.biBlueMask == 0U)) { ++ Info_h.biRedMask = 0x00FF0000U; ++ Info_h.biGreenMask = 0x0000FF00U; ++ Info_h.biBlueMask = 0x000000FFU; ++ } + bmpmask32toimage(pData, stride, 
image, Info_h.biRedMask, Info_h.biGreenMask, + Info_h.biBlueMask, Info_h.biAlphaMask); + } else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */ +-- +2.11.0 + diff -Nru openjpeg2-2.3.0/debian/patches/jp2-convert-fix-null-pointer-dereference.patch openjpeg2-2.3.0/debian/patches/jp2-convert-fix-null-pointer-dereference.patch --- openjpeg2-2.3.0/debian/patches/jp2-convert-fix-null-pointer-dereference.patch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg2-2.3.0/debian/patches/jp2-convert-fix-null-pointer-dereference.patch 2019-03-10 16:25:31.000000000 +0100 
@@ -0,0 +1,40 @@ +From: Hugo Lefeuvre <h...@debian.org> +Date: Wed, 7 Nov 2018 18:48:29 +0100 +Subject: jp2: convert: fix null pointer dereference +Origin: https://github.com/uclouvain/openjpeg/commit/cab352e249ed3372dd9355c85e837613fff98fa2 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18088 +Bug-Debian: https://bugs.debian.org/910763 +Bug: https://github.com/uclouvain/openjpeg/issues/1152 + +Tile components in a JP2 image might have null data pointer by defining a +zero component size (for example using large horizontal or vertical +sampling periods). This null data pointer leads to null image component +data pointer, causing crash when dereferenced without != null check in +imagetopnm. + +Add != null check. + +This commit addresses #1152 (CVE-2018-18088). +--- + src/bin/jp2/convert.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c +index fa02e31c5a45..e670cd82fbe7 100644 +--- a/src/bin/jp2/convert.c ++++ b/src/bin/jp2/convert.c +@@ -2233,6 +2233,11 @@ int imagetopnm(opj_image_t * image, const char *outfile, int force_split) + opj_version(), wr, hr, max); + + red = image->comps[compno].data; ++ if (!red) { ++ fclose(fdest); ++ continue; ++ } ++ + adjustR = + (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0); + +-- +2.11.0 + diff -Nru openjpeg2-2.3.0/debian/patches/jp3d-jpwl-convert-fix-write-stack-buffer-overflow.patch openjpeg2-2.3.0/debian/patches/jp3d-jpwl-convert-fix-write-stack-buffer-overflow.patch --- openjpeg2-2.3.0/debian/patches/jp3d-jpwl-convert-fix-write-stack-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg2-2.3.0/debian/patches/jp3d-jpwl-convert-fix-write-stack-buffer-overflow.patch 2019-03-10 16:23:29.000000000 +0100 
@@ -0,0 +1,48 @@ +From: Hugo Lefeuvre <h...@debian.org> +Date: Mon, 22 Oct 2018 16:59:41 +0200 +Subject: jp3d/jpwl convert: fix write stack buffer overflow +Origin: https://github.com/uclouvain/openjpeg/commit/0bc90e4062a5f9258c91eca018c019b179066c62 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17480 +Bug-Debian: https://bugs.debian.org/884738 +Bug: https://github.com/uclouvain/openjpeg/issues/1044 + +Missing buffer length formatter in fscanf call might lead to write +stack buffer overflow. + +fixes #1044 (CVE-2017-17480) +--- + src/bin/jp3d/convert.c | 4 ++-- + src/bin/jpwl/convert.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/bin/jp3d/convert.c b/src/bin/jp3d/convert.c +index 23fd70b04365..acad8f82a84f 100644 +--- a/src/bin/jp3d/convert.c ++++ b/src/bin/jp3d/convert.c +@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath, opj_cparameters_t *parameters) + fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]); + + fseek(f, 0, SEEK_SET); +- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2, +- signtmp, &prec, temp, &w, temp, &h); ++ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, ++ &endian2, signtmp, &prec, temp, &w, temp, &h); + + i = 0; + sign = '+'; +diff --git a/src/bin/jpwl/convert.c b/src/bin/jpwl/convert.c +index f3bb670b0a14..73c1be72988d 100644 +--- a/src/bin/jpwl/convert.c ++++ b/src/bin/jpwl/convert.c +@@ -1349,7 +1349,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters) + } + + fseek(f, 0, SEEK_SET); +- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, ++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, + &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) { + fprintf(stderr, + "ERROR: Failed to read the right number of element from the fscanf() function!\n"); +-- +2.11.0 + diff -Nru 
openjpeg2-2.3.0/debian/patches/JP3D-To-avoid-divisions-by-zero-undefined-behaviour-.patch openjpeg2-2.3.0/debian/patches/JP3D-To-avoid-divisions-by-zero-undefined-behaviour-.patch --- openjpeg2-2.3.0/debian/patches/JP3D-To-avoid-divisions-by-zero-undefined-behaviour-.patch 1970-01-01 01:00:00.000000000 +0100 +++ openjpeg2-2.3.0/debian/patches/JP3D-To-avoid-divisions-by-zero-undefined-behaviour-.patch 2019-03-10 16:27:55.000000000 +0100 
@@ -0,0 +1,66 @@ +From: Young_X <yang...@hotmail.com> +Date: Fri, 23 Nov 2018 17:15:05 +0800 +Subject: [JP3D] To avoid divisions by zero / undefined behaviour on shift + (CVE-2018-14423 +Origin: https://github.com/uclouvain/openjpeg/commit/bd88611ed9ad7144ec4f3de54790cd848175891b +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-14423 +Bug-Debian: https://bugs.debian.org/904873 +Bug: https://github.com/uclouvain/openjpeg/issues/1123 + +Signed-off-by: Young_X <yang...@hotmail.com> +--- + src/lib/openjp3d/pi.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/src/lib/openjp3d/pi.c b/src/lib/openjp3d/pi.c +index a03be45e7364..a58ebcc7ce64 100644 +--- a/src/lib/openjp3d/pi.c ++++ b/src/lib/openjp3d/pi.c +@@ -223,6 +223,14 @@ static bool pi_next_rpcl(opj_pi_iterator_t * pi) + rpx = res->pdx + levelnox; + rpy = res->pdy + levelnoy; + rpz = res->pdz + levelnoz; ++ ++ /* To avoid divisions by zero / undefined behaviour on shift */ ++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || ++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy || ++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) { ++ continue; ++ } ++ + if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && + (trx0 << levelnox) % (1 << rpx)))) { + continue; +@@ -329,6 +337,14 @@ static bool pi_next_pcrl(opj_pi_iterator_t * pi) + rpx = res->pdx + levelnox; + rpy = res->pdy + levelnoy; + rpz = res->pdz + levelnoz; ++ ++ /* To avoid divisions by zero / undefined behaviour on shift */ ++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || ++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy || ++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) { ++ continue; ++ } ++ + if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && + (trx0 << levelnox) % (1 << rpx)))) { + continue; +@@ -432,6 +448,14 @@ static bool pi_next_cprl(opj_pi_iterator_t * pi) + rpx = res->pdx + levelnox; + rpy = res->pdy + levelnoy; + rpz = res->pdz + 
levelnoz; ++ ++ /* To avoid divisions by zero / undefined behaviour on shift */ ++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || ++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy || ++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) { ++ continue; ++ } ++ + if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 && + (trx0 << levelnox) % (1 << rpx)))) { + continue; +-- +2.11.0 + diff -Nru openjpeg2-2.3.0/debian/patches/series openjpeg2-2.3.0/debian/patches/series --- openjpeg2-2.3.0/debian/patches/series 2018-12-02 18:17:30.000000000 +0100 +++ openjpeg2-2.3.0/debian/patches/series 2019-03-10 16:29:30.000000000 +0100 @@ -1,2 +1,7 @@ multiarch_path.patch java9.patch +jp3d-jpwl-convert-fix-write-stack-buffer-overflow.patch +jp2-convert-fix-null-pointer-dereference.patch +convertbmp-detect-invalid-file-dimensions-early.patch +JP3D-To-avoid-divisions-by-zero-undefined-behaviour-.patch +convertbmp-fix-issues-with-zero-bitmasks.patch
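Review bot: in the last hunk of convertbmp-detect-invalid-file-dimensions-early.patch, the `written != width * height` test at the end of bmp_read_rle8_data compares against an OPJ_UINT32 product that wraps for large advertised dimensions, and it only runs after the whole RLE stream has been consumed, so for a hostile header it is still the `beyond` clamp that prevents the overrun rather than this check. Suggest an explicit overflow guard on `width * height` (e.g. `height != 0 && width > UINT32_MAX / height`) before the comparison, and wording the stderr message as an error rather than "warning", since the function returns OPJ_FALSE and the caller aborts the conversion.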
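Review bot: in the bmp_read_info_header hunk of convertbmp-fix-issues-with-zero-bitmasks.patch, the three new `fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask)` calls pass an OPJ_UINT32 to `%d`; the branch is only reached when the mask is 0, so the printed value is always 0 and the argument can be dropped (or use `%u` if it stays). A one-line comment that biAlphaMask is deliberately left unchecked, because an all-zero alpha mask is legitimate, would stop a later reader from "completing" the pattern and rejecting valid files.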
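Review bot: in the bmptoimage hunk of the same patch, the fallback to `0x00FF0000U / 0x0000FF00U / 0x000000FFU` for 32-bit BI_BITFIELDS with all-zero masks is applied silently; a short message on stderr would make it visible that a file whose header was too small to carry bitmasks is being decoded with guessed masks, which is the condition the commit message describes as triggering the undefined `1 << (l_comp->prec - 1)` shift.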
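Review bot: in the imagetopnm hunk of jp2-convert-fix-null-pointer-dereference.patch, `if (!red) { fclose(fdest); continue; }` runs after the PNM header has already been written to fdest (the preceding fprintf with `opj_version(), wr, hr, max`), so a component with a null data pointer leaves a header-only output file on disk and the function still reports success. Since a zero-sized component is a malformed input rather than a normal case, suggest printing an error to stderr, removing the partial file, and returning failure so the caller can tell the conversion was incomplete.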
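Review bot: the jp3d hunk of jp3d-jpwl-convert-fix-write-stack-buffer-overflow.patch adds `%31[ \t]` / `%31[ \t+-]` width limits, which is only safe if `temp` and `signtmp` are at least 32 bytes; their declarations are outside the hunk, so confirm the sizes match. Unlike the jpwl hunk, the jp3d call still ignores the fscanf return value, so a short or malformed PGX header leaves `prec`, `w` and `h` unset; mirror the `!= 9` check and error path from the jpwl hunk.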
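Review bot: the guard added in pi_next_rpcl (and repeated verbatim in pi_next_pcrl and pi_next_cprl) of JP3D-To-avoid-divisions-by-zero-undefined-behaviour-.patch does not cover `comp->dx == 0`: `(0 << rpx) >> rpx` equals 0, so the check passes and the following `pi->x % (comp->dx << rpx)` still divides by zero. Add an explicit `comp->dx == 0 || comp->dy == 0 || comp->dz == 0` test (or validate the sampling factors once where the component is set up), and consider hoisting the three identical blocks into a static helper so a later correction lands in all three iterators. If dx/dy/dz are signed, the round-trip shift test is itself undefined when the left shift overflows; doing the arithmetic on an unsigned 32-bit copy avoids relying on undefined behaviour to detect undefined behaviour.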