Hello community, here is the log from the commit of package openjpeg2 for openSUSE:Factory checked in at 2020-02-06 13:05:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openjpeg2 (Old) and /work/SRC/openSUSE:Factory/.openjpeg2.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openjpeg2" Thu Feb 6 13:05:23 2020 rev:14 rq:769224 version:2.3.1 Changes: -------- --- /work/SRC/openSUSE:Factory/openjpeg2/openjpeg2.changes 2019-04-05 11:56:25.774326656 +0200 +++ /work/SRC/openSUSE:Factory/.openjpeg2.new.26092/openjpeg2.changes 2020-02-06 13:05:24.816244360 +0100 @@ -1,0 +2,14 @@ +Fri Jan 31 16:21:36 UTC 2020 - Stefan BrĂ¼ns <[email protected]> + +- Fix several security relevant bugs: + * 21399f6b7d318fcd.patch (like CVE-2018-6616, but rle4 instead + of rle8, bsc#1079845) + * 3aef207f90e937d4.patch (CVE-2019-12973, bsc#1140359) + * 4cb1f663049aab96.patch (OSS-fuzz, + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18979) + * 024b8407392cb0b8.patch (CVE-2020-6851, bsc#1160782) + * 05f9b91e60debda0.patch (CVE-2020-8112, bsc#1162090) +- Use upstream pkgconfig file +- Move API documentation from devel package to devel-doc + +------------------------------------------------------------------- New: ---- 024b8407392cb0b8.patch 05f9b91e60debda0.patch 21399f6b7d318fcd.patch 3aef207f90e937d4.patch 4cb1f663049aab96.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openjpeg2.spec ++++++ --- /var/tmp/diff_new_pack.Nc5KFH/_old 2020-02-06 13:05:26.008245008 +0100 +++ /var/tmp/diff_new_pack.Nc5KFH/_new 2020-02-06 13:05:26.012245010 +0100 @@ -1,7 +1,7 @@ # # spec file for package openjpeg2 # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -25,9 +25,19 @@ Summary: Opensource JPEG 2000 Codec Implementation License: BSD-2-Clause Group: Productivity/Graphics/Other -Url: http://www.openjpeg.org/ +URL: http://www.openjpeg.org/ Source0: https://github.com/uclouvain/openjpeg/archive/v%{version}.tar.gz#/openjpeg-%{version}.tar.gz Source1: baselibs.conf +# PATCH-FIX-UPSTREAM -- like CVE-2018-6616, but rle4 instead of rle8, bsc#1079845, https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcd.patch +Patch0: 21399f6b7d318fcd.patch +# PATCH-FIX-UPSTREAM -- CVE-2019-12973, bsc#1140359, https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4.patch +Patch1: 3aef207f90e937d4.patch +# PATCH-FIX-UPSTREAM -- OSS-fuzz, https://github.com/uclouvain/openjpeg/commit/4cb1f663049aab96.patch +Patch2: 4cb1f663049aab96.patch +# PATCH-FIX-UPSTREAM -- CVE-2020-6851, bsc#1160782, https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b8.patch +Patch3: 024b8407392cb0b8.patch +# PATCH-FIX-UPSTREAM -- CVE-2020-8112, bsc#1162090, https://github.com/uclouvain/openjpeg/commit/05f9b91e60debda0.patch +Patch4: 05f9b91e60debda0.patch BuildRequires: cmake > 2.8.2 BuildRequires: doxygen BuildRequires: fdupes @@ -61,6 +71,7 @@ Group: Development/Libraries/Other Requires: %{library_name} = %{version} Requires: %{name} = %{version} +Recommends: %{name}-devel-doc %description devel The OpenJPEG library is an open-source JPEG 2000 codec written in C language. @@ -70,12 +81,25 @@ This package provides the development files for %{name}. +%package devel-doc +Summary: API documentation for %{name} +Group: Documentation/HTML +Recommends: %{library_name} = %{version} +Recommends: %{name} = %{version} + +%description devel-doc +The OpenJPEG library is an open-source JPEG 2000 codec written in C language. + +This package provides the API documentation for %{name}. + %prep %setup -q -n openjpeg-%{version} +%autopatch -p1 + # do not embed timestamps into html documentation sed -i 's|^HTML_TIMESTAMP[ =].*$|HTML_TIMESTAMP = NO|' doc/Doxyfile.dox.cmake.in -# ensure no bundled libraries are used +# ensure no bundled libraries are used, but keep thirdparty/CMakeLists.txt for d in thirdparty/*; do [ -d "$d" ] && rm -rf "$d" done @@ -90,28 +114,16 @@ -DBUILD_TESTING=OFF \ -DBUILD_DOC=ON \ -DBUILD_THIRDPARTY=OFF \ - -DOPENJPEG_INSTALL_LIB_DIR=%{_lib} + -DOPENJPEG_INSTALL_LIB_DIR=%{_lib} \ + -DOPENJPEG_INSTALL_DOC_DIR=share/doc/packages/%{name}-devel-doc make %{?_smp_mflags} VERBOSE=1 all doc -cat << END > libopenjp2.pc - -Name: openjpeg -Version: %{version} -Url: %{url} -Description: Opensource JPEG 2000 Codec Implementation -Libs: -L%{_libdir} -lopenjp2 -Libs.private: -lm -Cflags: -I%{_includedir}/openjpeg-%{base_version} -END -%fdupes -s doc/html/ - %install %cmake_install - -mkdir -p %{buildroot}%{_libdir}/pkgconfig/ -install -m 644 build/libopenjp2.pc %{buildroot}%{_libdir}/pkgconfig/ -rm -rf %{buildroot}%{_datadir}/doc +rm %{buildroot}%{_defaultdocdir}/%{name}-devel-doc/LICENSE +mv %{buildroot}%{_prefix}/share/doc/html %{buildroot}%{_defaultdocdir}/%{name}-devel-doc +%fdupes %{buildroot}%{_defaultdocdir} %post -n %{library_name} -p /sbin/ldconfig @@ -119,7 +131,7 @@ %files %defattr(-,root,root,-) -%doc AUTHORS.md CHANGELOG.md NEWS.md LICENSE README.md THANKS.md +%license LICENSE %{_bindir}/opj_* %{_mandir}/man1/opj_*.1%{ext_man} @@ -129,11 +141,16 @@ %files devel %defattr(-,root,root,-) -%doc build/doc/html/ %{_includedir}/openjpeg-%{base_version}/ %{_libdir}/libopenjp2.so %{_libdir}/pkgconfig/libopenjp2.pc %{_libdir}/openjpeg-%{base_version}/ %{_mandir}/man3/libopenjp2.3%{ext_man} +%files devel-doc +%defattr(-,root,root,-) +%license LICENSE +%doc AUTHORS.md CHANGELOG.md NEWS.md README.md THANKS.md +%doc %{_defaultdocdir}/%{name}-devel-doc/html + %changelog ++++++ 024b8407392cb0b8.patch ++++++ >From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001 From: Even Rouault <[email protected]> Date: Sat, 11 Jan 2020 01:51:19 +0100 Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose coordinates are beyond INT_MAX (fixes #1228) --- src/lib/openjp2/j2k.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c index 14f6ff41a..922550eb1 100644 --- a/src/lib/openjp2/j2k.c +++ b/src/lib/openjp2/j2k.c @@ -9221,6 +9221,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image, l_img_comp = p_image->comps; for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) { OPJ_INT32 l_h, l_w; + if (p_image->x0 > (OPJ_UINT32)INT_MAX || + p_image->y0 > (OPJ_UINT32)INT_MAX || + p_image->x1 > (OPJ_UINT32)INT_MAX || + p_image->y1 > (OPJ_UINT32)INT_MAX) { + opj_event_msg(p_manager, EVT_ERROR, + "Image coordinates above INT_MAX are not supported\n"); + return OPJ_FALSE; + } l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0, (OPJ_INT32)l_img_comp->dx); ++++++ 05f9b91e60debda0.patch ++++++ >From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001 From: Even Rouault <[email protected]> Date: Thu, 30 Jan 2020 00:59:57 +0100 Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow That could lead to later assertion failures. Fixes #1231 / CVE-2020-8112 --- src/lib/openjp2/tcd.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c index deecc4dff..aa419030a 100644 --- a/src/lib/openjp2/tcd.c +++ b/src/lib/openjp2/tcd.c @@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx; l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy; - l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx; - l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy; + { + OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1, + (OPJ_INT32)l_pdx)) << l_pdx; + if (tmp > (OPJ_UINT32)INT_MAX) { + opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); + return OPJ_FALSE; + } + l_br_prc_x_end = (OPJ_INT32)tmp; + } + { + OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1, + (OPJ_INT32)l_pdy)) << l_pdy; + if (tmp > (OPJ_UINT32)INT_MAX) { + opj_event_msg(manager, EVT_ERROR, "Integer overflow\n"); + return OPJ_FALSE; + } + l_br_prc_y_end = (OPJ_INT32)tmp; + } /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/ l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)(( ++++++ 21399f6b7d318fcd.patch ++++++ >From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001 From: Young Xiao <[email protected]> Date: Sat, 16 Mar 2019 19:57:27 +0800 Subject: [PATCH] convertbmp: detect invalid file dimensions early width/length dimensions read from bmp headers are not necessarily valid. For instance they may have been maliciously set to very large values with the intention to cause DoS (large memory allocation, stack overflow). In these cases we want to detect the invalid size as early as possible. This commit introduces a counter which verifies that the number of written bytes corresponds to the advertized width/length. See commit 8ee335227bbc for details. Signed-off-by: Young Xiao <[email protected]> --- src/bin/jp2/convertbmp.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c index 0af52f816..ec34f535b 100644 --- a/src/bin/jp2/convertbmp.c +++ b/src/bin/jp2/convertbmp.c @@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) { - OPJ_UINT32 x, y; + OPJ_UINT32 x, y, written; OPJ_UINT8 *pix; const OPJ_UINT8 *beyond; beyond = pData + stride * height; pix = pData; - x = y = 0U; + x = y = written = 0U; while (y < height) { int c = getc(IN); if (c == EOF) { @@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, for (j = 0; (j < c) && (x < width) && ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; } } else { /* absolute mode */ c = getc(IN); @@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, c1 = (OPJ_UINT8)getc(IN); } *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; } if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ getc(IN); @@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, } } } /* while(y < height) */ + if (written != width * height) { + fprintf(stderr, "warning, image's actual size does not match advertized one\n"); + return OPJ_FALSE; + } return OPJ_TRUE; } ++++++ 3aef207f90e937d4.patch ++++++ >From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001 From: Young Xiao <[email protected]> Date: Sat, 16 Mar 2019 20:09:59 +0800 Subject: [PATCH] bmp_read_rle4_data(): avoid potential infinite loop --- src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c index ec34f535b..2fc4e9bc4 100644 --- a/src/bin/jp2/convertbmp.c +++ b/src/bin/jp2/convertbmp.c @@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, while (y < height) { int c = getc(IN); if (c == EOF) { - break; + return OPJ_FALSE; } if (c) { /* encoded mode */ - int j; - OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN); + int j, c1_int; + OPJ_UINT8 c1; + + c1_int = getc(IN); + if (c1_int == EOF) { + return OPJ_FALSE; + } + c1 = (OPJ_UINT8)c1_int; for (j = 0; (j < c) && (x < width) && ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { @@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, } else { /* absolute mode */ c = getc(IN); if (c == EOF) { - break; + return OPJ_FALSE; } if (c == 0x00) { /* EOL */ @@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, break; } else if (c == 0x02) { /* MOVE by dxdy */ c = getc(IN); + if (c == EOF) { + return OPJ_FALSE; + } x += (OPJ_UINT32)c; c = getc(IN); + if (c == EOF) { + return OPJ_FALSE; + } y += (OPJ_UINT32)c; pix = pData + y * stride + x; } else { /* 03 .. 255 : absolute mode */ @@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, for (j = 0; (j < c) && (x < width) && ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { if ((j & 1) == 0) { - c1 = (OPJ_UINT8)getc(IN); + int c1_int; + c1_int = getc(IN); + if (c1_int == EOF) { + return OPJ_FALSE; + } + c1 = (OPJ_UINT8)c1_int; } *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); written++; } if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ - getc(IN); + c = getc(IN); + if (c == EOF) { + return OPJ_FALSE; + } } } } ++++++ 4cb1f663049aab96.patch ++++++ >From 4cb1f663049aab96e122d1ff16f601d0cc0be976 Mon Sep 17 00:00:00 2001 From: Even Rouault <[email protected]> Date: Sun, 17 Nov 2019 01:18:26 +0100 Subject: [PATCH] pi.c: avoid integer overflow, resulting in later invalid access to memory in opj_t2_decode_packets(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18979 --- src/lib/openjp2/pi.c | 24 ++++++++++++------------ src/lib/openjp2/pi.h | 4 ++-- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c index 4a6ed68e2..3ddb4a0c5 100644 --- a/src/lib/openjp2/pi.c +++ b/src/lib/openjp2/pi.c @@ -376,10 +376,10 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_iterator_t * pi) pi->poc.tx1 = pi->tx1; } for (pi->resno = pi->poc.resno0; pi->resno < pi->poc.resno1; pi->resno++) { - for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1; - pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) { - for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1; - pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) { + for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1; + pi->y += (pi->dy - (pi->y % pi->dy))) { + for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1; + pi->x += (pi->dx - (pi->x % pi->dx))) { for (pi->compno = pi->poc.compno0; pi->compno < pi->poc.compno1; pi->compno++) { OPJ_UINT32 levelno; OPJ_INT32 trx0, try0; @@ -508,10 +508,10 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_iterator_t * pi) pi->poc.ty1 = pi->ty1; pi->poc.tx1 = pi->tx1; } - for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1; - pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) { - for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1; - pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) { + for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1; + pi->y += (pi->dy - (pi->y % pi->dy))) { + for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1; + pi->x += (pi->dx - (pi->x % pi->dx))) { for (pi->compno = pi->poc.compno0; pi->compno < pi->poc.compno1; pi->compno++) { comp = &pi->comps[pi->compno]; for (pi->resno = pi->poc.resno0; @@ -639,10 +639,10 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_iterator_t * pi) pi->poc.ty1 = pi->ty1; pi->poc.tx1 = pi->tx1; } - for (pi->y = pi->poc.ty0; pi->y < pi->poc.ty1; - pi->y += (OPJ_INT32)(pi->dy - (OPJ_UINT32)(pi->y % (OPJ_INT32)pi->dy))) { - for (pi->x = pi->poc.tx0; pi->x < pi->poc.tx1; - pi->x += (OPJ_INT32)(pi->dx - (OPJ_UINT32)(pi->x % (OPJ_INT32)pi->dx))) { + for (pi->y = (OPJ_UINT32)pi->poc.ty0; pi->y < (OPJ_UINT32)pi->poc.ty1; + pi->y += (pi->dy - (pi->y % pi->dy))) { + for (pi->x = (OPJ_UINT32)pi->poc.tx0; pi->x < (OPJ_UINT32)pi->poc.tx1; + pi->x += (pi->dx - (pi->x % pi->dx))) { for (pi->resno = pi->poc.resno0; pi->resno < opj_uint_min(pi->poc.resno1, comp->numresolutions); pi->resno++) { OPJ_UINT32 levelno; diff --git a/src/lib/openjp2/pi.h b/src/lib/openjp2/pi.h index 8c0dc25c1..873802089 100644 --- a/src/lib/openjp2/pi.h +++ b/src/lib/openjp2/pi.h @@ -102,9 +102,9 @@ typedef struct opj_pi_iterator { /** Components*/ opj_pi_comp_t *comps; /** FIXME DOC*/ - OPJ_INT32 tx0, ty0, tx1, ty1; + OPJ_UINT32 tx0, ty0, tx1, ty1; /** FIXME DOC*/ - OPJ_INT32 x, y; + OPJ_UINT32 x, y; /** FIXME DOC*/ OPJ_UINT32 dx, dy; } opj_pi_iterator_t;
