summary refs log tree commit diff
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2017-09-10 22:00:35 +0300
committerEfraim Flashner <efraim@flashner.co.il>2017-09-10 22:00:35 +0300
commit338b58e0ea880f7cccbe43de21eccbf1440ac6af (patch)
treedadb43fad7b8c94519f1953901d5b8056f770556
parent224bb4b6f9fa7c14fbbaac682ec0b5d1a48c616d (diff)
downloadguix-338b58e0ea880f7cccbe43de21eccbf1440ac6af.tar.gz
gnu: openjpeg: Fix CVE-2017-14164.
* gnu/packages/image.scm (openjpeg)[source]: Add patch.
* gnu/packages/patches/openjpeg-CVE-2017-14164.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/image.scm3
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14164.patch89
3 files changed, 92 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 43eac7717a..c92b93dbd2 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -895,6 +895,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/openjpeg-CVE-2017-14041.patch		\
   %D%/packages/patches/openjpeg-CVE-2017-14151.patch		\
   %D%/packages/patches/openjpeg-CVE-2017-14152.patch		\
+  %D%/packages/patches/openjpeg-CVE-2017-14164.patch		\
   %D%/packages/patches/openldap-CVE-2017-9287.patch		\
   %D%/packages/patches/openocd-nrf52.patch			\
   %D%/packages/patches/openssl-runpath.patch			\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 3bb8de15c4..d45f08d9df 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -524,7 +524,8 @@ work.")
                                  "openjpeg-CVE-2017-14040.patch"
                                  "openjpeg-CVE-2017-14041.patch"
                                  "openjpeg-CVE-2017-14151.patch"
-                                 "openjpeg-CVE-2017-14152.patch"))))
+                                 "openjpeg-CVE-2017-14152.patch"
+                                 "openjpeg-CVE-2017-14164.patch"))))
     (build-system cmake-build-system)
     (arguments
       ;; Trying to run `$ make check' results in a no rule fault.
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14164.patch b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
new file mode 100644
index 0000000000..2bfc5a6a85
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
@@ -0,0 +1,89 @@
+https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
+http://openwall.com/lists/oss-security/2017/09/06/3
+
+From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 16 Aug 2017 17:09:10 +0200
+Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
+ (#991)
+
+---
+ src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 54b490a8c..16915452e 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+  * Writes the SOT marker (Start of tile-part)
+  *
+  * @param       p_j2k            J2K codec.
+- * @param       p_data           FIXME DOC
+- * @param       p_data_written   FIXME DOC
++ * @param       p_data           Output buffer
++ * @param       p_total_data_size Output buffer size
++ * @param       p_data_written   Number of bytes written into stream
+  * @param       p_stream         the stream to write data to.
+  * @param       p_manager        the user event manager.
+ */
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+                                   OPJ_BYTE * p_data,
++                                  OPJ_UINT32 p_total_data_size,
+                                   OPJ_UINT32 * p_data_written,
+                                   const opj_stream_private_t *p_stream,
+                                   opj_event_mgr_t * p_manager);
+@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
+ 
+ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+                                   OPJ_BYTE * p_data,
++                                  OPJ_UINT32 p_total_data_size,
+                                   OPJ_UINT32 * p_data_written,
+                                   const opj_stream_private_t *p_stream,
+                                   opj_event_mgr_t * p_manager
+@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
+     OPJ_UNUSED(p_stream);
+     OPJ_UNUSED(p_manager);
+ 
++    if (p_total_data_size < 12) {
++        opj_event_msg(p_manager, EVT_ERROR,
++                      "Not enough bytes in output buffer to write SOT marker\n");
++        return OPJ_FALSE;
++    }
++
+     opj_write_bytes(p_data, J2K_MS_SOT,
+                     2);                                 /* SOT */
+     p_data += 2;
+@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
+ 
+     l_current_nb_bytes_written = 0;
+     l_begin_data = p_data;
+-    if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++    if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
++                            &l_current_nb_bytes_written, p_stream,
+                             p_manager)) {
+         return OPJ_FALSE;
+     }
+@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+         l_part_tile_size = 0;
+         l_begin_data = p_data;
+ 
+-        if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++        if (! opj_j2k_write_sot(p_j2k, p_data,
++                                p_total_data_size,
++                                &l_current_nb_bytes_written,
++                                p_stream,
+                                 p_manager)) {
+             return OPJ_FALSE;
+         }
+@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
+             l_part_tile_size = 0;
+             l_begin_data = p_data;
+ 
+-            if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
++            if (! opj_j2k_write_sot(p_j2k, p_data,
++                                    p_total_data_size,
++                                    &l_current_nb_bytes_written, p_stream,
+                                     p_manager)) {
+                 return OPJ_FALSE;
+             }