Attached are security patches for openjpeg2 from stretch. In particular:

CVE-2019-6988 - skipped, no upstream fix.

CVE-2020-27814 - applied, both patches. 2nd patch applied by hand.

CVE-2020-27823 - applied, by hand.

CVE-2020-27824 - applied, by hand. Patch applies cleanly, but is a nop without patching opj_dwt_getnorm_real as well (existing function does the same thing), which I did.

CVE-2020-27841 - applied, by hand. As far as I can tell most of the upstream patch is simply passing around the manager object, which is required for better error messages. I only applied the bits that look like they have a security impact, without the error messages.

CVE-2020-27842 - skipped, no upstream fix.

CVE-2020-27843 - skipped, no upstream fix.

CVE-2020-27844 - skipped. Upstream patch replaces assert with if. Not sure how this helps. Unless maybe assert is a nop. In any case, can't find the code. Suspect we are not vulnerable.

CVE-2020-27845 - applied, by hand, error messages removed.

I note that this package doesn't seem to run tests on build, which makes me a bit nervous. It does come with tests, but so far my attempts to run these tests have not been successful.

--
Brian May <[email protected]>
diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.1.2/debian/changelog --- openjpeg2-2.1.2/debian/changelog 2020-07-11 01:34:00.000000000 +1000 +++ openjpeg2-2.1.2/debian/changelog 2021-02-04 08:18:38.000000000 +1100 @@ -1,3 +1,18 @@ +openjpeg2 (2.1.2-1.1+deb9u6) stretch-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Fix CVE-2020-27814: A heap-buffer overflow in the way openjpeg2 + handled certain PNG format files. + * Fix CVE-2020-27823: Wrong computation of x1,y1 if -d option is used, + resulting in heap buffer overflow. + * Fix CVE-2020-27824: avoid global buffer overflow on irreversible conversion when + too many decomposition levels are specified. + * Fix CVE-2020-27841: crafted input to be processed by the openjpeg encoder + could cause an out-of-bounds read. + * Fix CVE-2020-27845: crafted input can cause out-of-bounds-read. + + -- Brian May <[email protected]> Thu, 04 Feb 2021 08:18:38 +1100 + openjpeg2 (2.1.2-1.1+deb9u5) stretch-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch --- openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch 1970-01-01 10:00:00.000000000 +1000 +++ openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch 2021-02-04 08:18:20.000000000 +1100 
@@ -0,0 +1,28 @@ +From 15cf3d95814dc931ca0ecb132f81cb152e051bae Mon Sep 17 00:00:00 2001 +From: Even Rouault <[email protected]> +Date: Mon, 23 Nov 2020 18:14:02 +0100 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +--- + src/lib/openjp2/tcd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: openjpeg2-2.1.2/src/lib/openjp2/tcd.c +=================================================================== +--- openjpeg2-2.1.2.orig/src/lib/openjp2/tcd.c ++++ openjpeg2-2.1.2/src/lib/openjp2/tcd.c +@@ -1107,9 +1107,12 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + + /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ + /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ ++ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ ++ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ ++ /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch --- openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch 1970-01-01 10:00:00.000000000 +1000 +++ openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch 2021-02-04 08:18:38.000000000 +1100 
@@ -0,0 +1,25 @@ +From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001 +From: Even Rouault <[email protected]> +Date: Mon, 30 Nov 2020 22:31:51 +0100 +Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is + used, that would result in a heap buffer overflow (fixes #1284) + +--- + src/bin/jp2/convertpng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: openjpeg2-2.1.2/src/bin/jp2/convertpng.c +=================================================================== +--- openjpeg2-2.1.2.orig/src/bin/jp2/convertpng.c ++++ openjpeg2-2.1.2/src/bin/jp2/convertpng.c +@@ -216,8 +216,8 @@ opj_image_t *pngtoimage(const char *read + if(image == NULL) goto fin; + image->x0 = (OPJ_UINT32)params->image_offset_x0; + image->y0 = (OPJ_UINT32)params->image_offset_y0; +- image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32)params->subsampling_dx + 1 + image->x0); +- image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)params->subsampling_dy + 1 + image->y0); ++ image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32)params->subsampling_dx + 1); ++ image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32)params->subsampling_dy + 1); + + row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32)); + if(row32s == NULL) goto fin; diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27824.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27824.patch --- openjpeg2-2.1.2/debian/patches/CVE-2020-27824.patch 1970-01-01 10:00:00.000000000 +1000 +++ openjpeg2-2.1.2/debian/patches/CVE-2020-27824.patch 2021-02-04 08:18:38.000000000 +1100 
@@ -0,0 +1,38 @@ +From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001 +From: Even Rouault <[email protected]> +Date: Mon, 30 Nov 2020 22:37:07 +0100 +Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible + conversion when too many decomposition levels are specified (fixes #1286) + +--- + src/lib/openjp2/dwt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: openjpeg2-2.1.2/src/lib/openjp2/dwt.c +=================================================================== +--- openjpeg2-2.1.2.orig/src/lib/openjp2/dwt.c ++++ openjpeg2-2.1.2/src/lib/openjp2/dwt.c +@@ -525,6 +525,14 @@ OPJ_UINT32 opj_dwt_getgain_real(OPJ_UINT + /* Get norm of 9-7 wavelet. */ + /* </summary> */ + OPJ_FLOAT64 opj_dwt_getnorm_real(OPJ_UINT32 level, OPJ_UINT32 orient) { ++ /* FIXME ! This is just a band-aid to avoid a buffer overflow */ ++ /* but the array should really be extended up to 33 resolution levels */ ++ /* See https://github.com/uclouvain/openjpeg/issues/493 */ ++ if (orient == 0 && level >= 10) { ++ level = 9; ++ } else if (orient > 0 && level >= 9) { ++ level = 8; ++ } + return opj_dwt_norms_real[orient][level]; + } + +@@ -542,7 +550,7 @@ void opj_dwt_calc_explicit_stepsizes(opj + if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) { + stepsize = 1.0; + } else { +- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level]; ++ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient); + stepsize = (1 << (gain)) / norm; + } + opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0), (OPJ_INT32)(prec + gain), &tccp->stepsizes[bandno]); diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27841.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27841.patch --- openjpeg2-2.1.2/debian/patches/CVE-2020-27841.patch 1970-01-01 10:00:00.000000000 +1000 +++ openjpeg2-2.1.2/debian/patches/CVE-2020-27841.patch 2021-02-04 08:18:38.000000000 +1100 
@@ -0,0 +1,40 @@ +From 00383e162ae2f8fc951f5745bf1011771acb8dce Mon Sep 17 00:00:00 2001 +From: Even Rouault <[email protected]> +Date: Wed, 2 Dec 2020 14:02:17 +0100 +Subject: [PATCH] pi.c: avoid out of bounds access with POC (refs + https://github.com/uclouvain/openjpeg/issues/1293#issuecomment-737122836) + +--- + src/lib/openjp2/pi.c | 49 +++++++++++++++++++++++++++++--------------- + src/lib/openjp2/pi.h | 10 +++++++-- + src/lib/openjp2/t2.c | 4 ++-- + 3 files changed, 42 insertions(+), 21 deletions(-) + +Index: openjpeg2-2.1.2/src/lib/openjp2/pi.c +=================================================================== +--- openjpeg2-2.1.2.orig/src/lib/openjp2/pi.c ++++ openjpeg2-2.1.2/src/lib/openjp2/pi.c +@@ -408,6 +408,11 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + goto LABEL_SKIP; +@@ -500,6 +505,11 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + goto LABEL_SKIP; diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27844.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27844.patch --- openjpeg2-2.1.2/debian/patches/CVE-2020-27844.patch 1970-01-01 10:00:00.000000000 +1000 +++ openjpeg2-2.1.2/debian/patches/CVE-2020-27844.patch 2021-02-04 08:18:38.000000000 +1100 
@@ -0,0 +1,30 @@ +From 73fdf28342e4594019af26eb6a347a34eceb6296 Mon Sep 17 00:00:00 2001 +From: Even Rouault <[email protected]> +Date: Wed, 2 Dec 2020 14:10:16 +0100 +Subject: [PATCH] opj_j2k_write_sod(): avoid potential heap buffer overflow + (fixes #1299) (probably master only) + +--- + src/lib/openjp2/j2k.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c +index 78d459259..8e343ab2e 100644 +--- a/src/lib/openjp2/j2k.c ++++ b/src/lib/openjp2/j2k.c +@@ -4806,8 +4806,13 @@ static OPJ_BOOL opj_j2k_write_sod(opj_j2k_t *p_j2k, + } + } + +- assert(l_remaining_data > +- p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT); ++ if (l_remaining_data < ++ p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "Not enough bytes in output buffer to write SOD marker\n"); ++ opj_tcd_marker_info_destroy(marker_info); ++ return OPJ_FALSE; ++ } + l_remaining_data -= p_j2k->m_specific_param.m_encoder.m_reserved_bytes_for_PLT; + + if (! opj_tcd_encode_tile(p_tile_coder, p_j2k->m_current_tile_number, diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27845.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27845.patch --- openjpeg2-2.1.2/debian/patches/CVE-2020-27845.patch 1970-01-01 10:00:00.000000000 +1000 +++ openjpeg2-2.1.2/debian/patches/CVE-2020-27845.patch 2021-02-04 08:18:38.000000000 +1100 
@@ -0,0 +1,51 @@ +From 8f5aff1dff510a964d3901d0fba281abec98ab63 Mon Sep 17 00:00:00 2001 +From: Even Rouault <[email protected]> +Date: Fri, 4 Dec 2020 20:45:25 +0100 +Subject: [PATCH] pi.c: avoid out of bounds access with POC (fixes #1302) + +--- + src/lib/openjp2/pi.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +Index: openjpeg2-2.1.2/src/lib/openjp2/pi.c +=================================================================== +--- openjpeg2-2.1.2.orig/src/lib/openjp2/pi.c ++++ openjpeg2-2.1.2/src/lib/openjp2/pi.c +@@ -234,7 +234,12 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_ + opj_pi_comp_t *comp = NULL; + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; +- ++ ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + res = &comp->resolutions[pi->resno]; +@@ -275,6 +280,11 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + res = &comp->resolutions[pi->resno]; +@@ -314,6 +324,11 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + goto LABEL_SKIP; + } else { diff -Nru openjpeg2-2.1.2/debian/patches/series openjpeg2-2.1.2/debian/patches/series --- openjpeg2-2.1.2/debian/patches/series 2020-07-11 01:34:00.000000000 +1000 +++ openjpeg2-2.1.2/debian/patches/series 2021-02-04 08:18:38.000000000 +1100 @@ -23,3 +23,8 @@ CVE-2020-8112.patch CVE-2020-6851.patch CVE-2019-12973.patch +CVE-2020-27814.patch +CVE-2020-27823.patch +CVE-2020-27824.patch +CVE-2020-27841.patch +CVE-2020-27845.patch
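Review bot: the debian/changelog hunk leaves out two facts stated in the cover mail that the next LTS uploader will need: that the CVE-2020-27841 and CVE-2020-27845 backports keep only the POC bounds checks and drop upstream's manager plumbing and error messages, and that CVE-2020-27824 needed an additional edit to opj_dwt_getnorm_real() beyond upstream's commit. Suggest a short sentence in each entry, or a note in the corresponding patch headers, recording that these patches deliberately differ from upstream. The line "* Fix CVE-2020-27824: avoid global buffer overflow on irreversible conversion when" also runs well past the wrap width used by the other entries and should be reflowed.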
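Review bot: CVE-2020-27814.patch carries only upstream commit 15cf3d95 (growing the tcd.c code-block allocation from 2 to 28 extra bytes), yet the cover mail says both upstream patches were applied, the second by hand; that second change appears nowhere in this debdiff, so either it was lost or it needs its own patch file and a mention in the header. The retained TODO ("is there a theoretical upper-bound for the compressed code block size ?") also deserves a line in the header: 28 is an empirically grown slack value, not a proven bound, so the fix is best-effort hardening and a reviewer should not read it as a complete closure of the overflow class.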
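Review bot: the clamp added to opj_dwt_getnorm_real() (level capped at 9 for orient == 0 and at 8 for orient > 0) is only safe if those caps match the row lengths of opj_dwt_norms_real as declared in 2.1.2, and that declaration is outside the hunk; please confirm it against the array in dwt.c before upload, since this hand-applied variant is not what upstream shipped. The retained header stat "1 file changed, 1 insertion(+), 1 deletion(-)" also no longer describes the patch, which now has two hunks (eight added lines in opj_dwt_getnorm_real() plus the call-site change in opj_dwt_calc_explicit_stepsizes()); refresh the stat or state in the header that the backport extends upstream's commit.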
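Review bot: the header of CVE-2020-27841.patch still lists "src/lib/openjp2/pi.h", "src/lib/openjp2/t2.c" and "3 files changed, 42 insertions(+), 21 deletions(-)", but the patch body only adds the two POC checks in opj_pi_next_pcrl() and opj_pi_next_cprl(); say explicitly in the header that the p_manager plumbing and error messages were intentionally dropped so nobody later tries to "complete" it. The checks themselves read correctly: compno0 must be a valid index (< numcomps), while the second comparison against numcomps + 1 permits compno1 == numcomps, consistent with compno1 being an exclusive upper bound.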
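Review bot: CVE-2020-27844.patch is shipped in debian/patches but is not added to debian/patches/series and is not mentioned in the changelog, and the cover mail says this CVE was skipped because the affected code (m_reserved_bytes_for_PLT; the subject line itself says "probably master only") could not be found in 2.1.2. A stray, unapplied patch with unconverted "diff --git a/ b/" headers will mislead the next uploader, so either drop the file from the upload or mark it in the header as kept for reference only. On the question raised in the mail about why upstream replaced the assert with an if: assert() compiles to nothing when NDEBUG is defined, as it normally is in release builds, so in those builds the hunk's runtime check and "return OPJ_FALSE;" are what turn the overflow into a handled error; where the code does exist, the replacement is therefore meaningful.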
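Review bot: the first pi.c hunk of CVE-2020-27845.patch (@@ -234,7 +234,12 @@) removes and re-adds a blank line, which looks like whitespace-only churn from the hand edit; drop it so the hunk only adds the check. As in CVE-2020-27841.patch, each early "return OPJ_FALSE;" now carries no diagnostic because the error-message plumbing was removed, so a malformed POC fails silently rather than being reported; a one-line comment above each check saying so would help future readers, and the header's "23 insertions(+), 2 deletions(-)" stat should be refreshed to match the trimmed patch. Taken together with CVE-2020-27841.patch, all five progression iterators (lrcp, rlcp, rpcl, pcrl, cprl) now carry the same bounds check, and the series hunk applies both, which is the right outcome.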
