Hello community, here is the log from the commit of package openjpeg for openSUSE:Factory checked in at 2012-07-12 10:49:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openjpeg (Old) and /work/SRC/openSUSE:Factory/.openjpeg.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openjpeg", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/openjpeg/openjpeg.changes 2012-06-29 10:42:34.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openjpeg.new/openjpeg.changes 2012-07-12 10:49:49.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Jul 11 18:08:54 UTC 2012 - [email protected] + +- Added a patch (heap_buffer_overflow_fix.patch) to fix heap-based buffer + overflow when processing JPEG2000 images - (CVE-2012-3358), (bnc#770649). + +------------------------------------------------------------------- New: ---- heap_buffer_overflow_fix.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openjpeg.spec ++++++ --- /var/tmp/diff_new_pack.yvawMh/_old 2012-07-12 10:49:51.000000000 +0200 +++ /var/tmp/diff_new_pack.yvawMh/_new 2012-07-12 10:49:51.000000000 +0200 @@ -34,6 +34,8 @@ Patch3: openjpeg-1.5.0-pkgconfig_includedir.patch # PATCH-FIX-UPSTREAM heap_corruption_fix.patch CVE-2009-5030 bnc#757260 [email protected] -- Fix heap corruption when processing certain Gray16 TIFF images (http://code.google.com/p/openjpeg/source/detail?r=1703) Patch4: heap_corruption_fix.patch +# PATCH-FIX-UPSTREAM heap_buffer_overflow_fix.patch CVE-2012-3358 bnc#770649 [email protected] -- Fix heap-based buffer overflow when processing JPEG2000 images (http://code.google.com/p/openjpeg/source/detail?r=1727) +Patch5: heap_buffer_overflow_fix.patch BuildRequires: cmake BuildRequires: doxygen BuildRequires: liblcms2-devel @@ -72,6 +74,7 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 # Remove build time references so build-compare can do its work sed -i "s/HTML_TIMESTAMP = YES/HTML_TIMESTAMP = NO/g" doc/Doxyfile.dox.cmake.in ++++++ heap_buffer_overflow_fix.patch ++++++ --- openjpeg-1.5.0/libopenjpeg/j2k.c 2012-07-11 20:58:56.750305572 +0300 +++ openjpeg-1.5.0/libopenjpeg/j2k.c.r1727 2012-07-11 20:56:20.576415007 +0300 
@@ -1279,7 +1279,7 @@ static int backup_tileno = 0; /* tileno is negative or larger than the number of tiles!!! */ - if ((tileno < 0) || (tileno > (cp->tw * cp->th))) { + if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) { opj_event_msg(j2k->cinfo, EVT_ERROR, "JPWL: bad tile number (%d out of a maximum of %d)\n", tileno, (cp->tw * cp->th)); @@ -1296,8 +1296,18 @@ /* keep your private count of tiles */ backup_tileno++; - }; + } + else #endif /* USE_JPWL */ + { + /* tileno is negative or larger than the number of tiles!!! */ + if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) { + opj_event_msg(j2k->cinfo, EVT_ERROR, + "JPWL: bad tile number (%d out of a maximum of %d)\n", + tileno, (cp->tw * cp->th)); + return; + } + } if (cp->tileno_size == 0) { cp->tileno[cp->tileno_size] = tileno; @@ -1335,8 +1345,18 @@ totlen); } - }; + } + else #endif /* USE_JPWL */ + { + /* totlen is negative or larger than the bytes left!!! */ + if ((totlen < 0) || (totlen > (cio_numbytesleft(cio) + 8))) { + opj_event_msg(j2k->cinfo, EVT_ERROR, + "JPWL: bad tile byte size (%d bytes against %d bytes left)\n", + totlen, cio_numbytesleft(cio) + 8); + return; + } + } if (!totlen) totlen = cio_numbytesleft(cio) + 8; -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
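Review bot: The diagnostic next to the corrected test still prints `(cp->tw * cp->th)` as the "maximum", so a rejected tile number equal to the tile count is now logged as "N out of a maximum of N". Passing `(cp->tw * cp->th) - 1`, or rewording the text to say "tile count", would keep the log unambiguous for whoever triages a malformed file; the same message is copied into the block added at -1296. Separately, the limit is an `int` product evaluated at each use, and the types and origin of `cp->tw` and `cp->th` are outside the hunk. If they are taken from the codestream header, it is worth confirming the product cannot overflow before it is trusted as a bound. The enclosing function starts and ends outside the hunk.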
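Review bot: The added bounds check hangs off an `else` that sits inside `#ifdef USE_JPWL` while its block sits after `#endif`, so in JPWL builds it runs only when the preceding `if` (which starts outside the hunk) is not taken. If that JPWL branch can substitute its own tile number (the `backup_tileno` counter suggests so, but the assignment is not shown), the substituted value reaches `cp->tileno[cp->tileno_size] = tileno;` without being range-checked. Dropping the `else` so the block after `#endif` always runs would validate the final `tileno` in every build configuration and remove the preprocessor-dependent control flow. The new message also keeps the `JPWL:` prefix although this path exists in builds without JPWL; a neutral prefix would avoid pointing responders at the wrong feature, and the same applies to the message added at -1335.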
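Review bot: The new length check rejects only a negative or oversized `totlen`, so any small non-zero value is still accepted, and the bound `cio_numbytesleft(cio) + 8` uses an unexplained constant that now appears three times around this hunk. If the format defines a minimum tile-part length, adding that lower bound here would close the gap. Naming the limit once, e.g. `int maxlen = cio_numbytesleft(cio) + 8; /* 8: header bytes already consumed? confirm */`, would keep the test, the message and the `if (!totlen)` fallback in agreement. The bare `return;` reports the failure only through the event message, and judging by the previous hunk's context the tile number may already have been recorded in `cp->tileno` by then; whether the caller stops decoding is not visible here. The enclosing function starts and ends outside the hunk.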
