diff --git a/.gitignore b/.gitignore
index 944ece6..0d90276 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openjpeg-2.3.1.tar.gz
+SOURCES/openjpeg-2.4.0.tar.gz
diff --git a/.openjpeg2.metadata b/.openjpeg2.metadata
index 63c4d93..a80f886 100644
--- a/.openjpeg2.metadata
+++ b/.openjpeg2.metadata
@@ -1 +1 @@
-38321fa9730252039ad0b7f247a160a8164f5871 SOURCES/openjpeg-2.3.1.tar.gz
+bbbf4dc4d9ce95286843cd39ac2febd3fd516c9d SOURCES/openjpeg-2.4.0.tar.gz
diff --git a/SOURCES/openjpeg2-CVE-2021-29338.patch b/SOURCES/openjpeg2-CVE-2021-29338.patch
new file mode 100644
index 0000000..49bf268
--- /dev/null
+++ b/SOURCES/openjpeg2-CVE-2021-29338.patch
@@ -0,0 +1,165 @@
+From efbfbbb723e100cfbcea287a30958bf678e83458 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill
+Date: Tue, 27 Apr 2021 09:37:40 -0600
+Subject: [PATCH] opj_{compress,decompress,dump}: fix possible buffer overflows
+ in path manipulation functions
+
+---
+ src/bin/jp2/opj_compress.c | 12 ++++++------
+ src/bin/jp2/opj_decompress.c | 13 ++++++-------
+ src/bin/jp2/opj_dump.c | 14 +++++++-------
+ 3 files changed, 19 insertions(+), 20 deletions(-)
+
+diff --git a/src/bin/jp2/opj_compress.c b/src/bin/jp2/opj_compress.c
+index 6827484..d8f894c 100644
+--- a/src/bin/jp2/opj_compress.c
++++ b/src/bin/jp2/opj_compress.c
+@@ -543,8 +543,8 @@ static char * get_file_name(char *name)
+ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ opj_cparameters_t *parameters)
+ {
+- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
+- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
++ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
++ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
+ char *temp_p, temp1[OPJ_PATH_LEN] = "";
+
+ strcpy(image_filename, dirptr->filename[imageno]);
+@@ -553,7 +553,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ if (parameters->decod_format == -1) {
+ return 1;
+ }
+- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
++ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
+ if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
+ infilename) != 0) {
+ return 1;
+@@ -566,7 +566,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ sprintf(temp1, ".%s", temp_p);
+ }
+ if (img_fol->set_out_format == 1) {
+- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
++ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ img_fol->out_format);
+ if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
+ outfilename) != 0) {
+@@ -1910,9 +1910,9 @@ int main(int argc, char **argv)
+ num_images = get_num_images(img_fol.imgdirpath);
+ dirptr = (dircnt_t*)malloc(sizeof(dircnt_t));
+ if (dirptr) {
+- dirptr->filename_buf = (char*)malloc(num_images * OPJ_PATH_LEN * sizeof(
++ dirptr->filename_buf = (char*)calloc(num_images, OPJ_PATH_LEN * sizeof(
+ char)); /* Stores at max 10 image file names*/
+- dirptr->filename = (char**) malloc(num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc(num_images, sizeof(char*));
+ if (!dirptr->filename_buf) {
+ ret = 0;
+ goto fin;
+diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
+index 2634907..e54e54f 100644
+--- a/src/bin/jp2/opj_decompress.c
++++ b/src/bin/jp2/opj_decompress.c
+@@ -455,13 +455,13 @@ const char* path_separator = "/";
+ char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ opj_decompress_parameters *parameters)
+ {
+- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
+- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
++ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
++ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
+ char *temp_p, temp1[OPJ_PATH_LEN] = "";
+
+ strcpy(image_filename, dirptr->filename[imageno]);
+ fprintf(stderr, "File Number %d \"%s\"\n", imageno, image_filename);
+- sprintf(infilename, "%s%s%s", img_fol->imgdirpath, path_separator,
++ snprintf(infilename, OPJ_PATH_LEN * 2, "%s%s%s", img_fol->imgdirpath, path_separator,
+ image_filename);
+ parameters->decod_format = infile_format(infilename);
+ if (parameters->decod_format == -1) {
+@@ -479,7 +479,7 @@ char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ sprintf(temp1, ".%s", temp_p);
+ }
+ if (img_fol->set_out_format == 1) {
+- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
++ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ img_fol->out_format);
+ if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
+ outfilename) != 0) {
+@@ -1357,14 +1357,13 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+ /* Stores at max 10 image file names */
+- dirptr->filename_buf = (char*)malloc(sizeof(char) *
+- (size_t)num_images * OPJ_PATH_LEN);
++ dirptr->filename_buf = calloc((size_t) num_images, sizeof(char) * OPJ_PATH_LEN);
+ if (!dirptr->filename_buf) {
+ failed = 1;
+ goto fin;
+ }
+
+- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
+
+ if (!dirptr->filename) {
+ failed = 1;
+diff --git a/src/bin/jp2/opj_dump.c b/src/bin/jp2/opj_dump.c
+index 6e15fee..4e19c61 100644
+--- a/src/bin/jp2/opj_dump.c
++++ b/src/bin/jp2/opj_dump.c
+@@ -201,8 +201,8 @@ static int get_file_format(const char *filename)
+ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ opj_dparameters_t *parameters)
+ {
+- char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN],
+- outfilename[OPJ_PATH_LEN], temp_ofname[OPJ_PATH_LEN];
++ char image_filename[OPJ_PATH_LEN], infilename[OPJ_PATH_LEN * 2],
++ outfilename[OPJ_PATH_LEN * 2], temp_ofname[OPJ_PATH_LEN];
+ char *temp_p, temp1[OPJ_PATH_LEN] = "";
+
+ strcpy(image_filename, dirptr->filename[imageno]);
+@@ -211,7 +211,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ if (parameters->decod_format == -1) {
+ return 1;
+ }
+- sprintf(infilename, "%s/%s", img_fol->imgdirpath, image_filename);
++ snprintf(infilename, OPJ_PATH_LEN * 2, "%s/%s", img_fol->imgdirpath, image_filename);
+ if (opj_strcpy_s(parameters->infile, sizeof(parameters->infile),
+ infilename) != 0) {
+ return 1;
+@@ -224,7 +224,7 @@ static char get_next_file(int imageno, dircnt_t *dirptr, img_fol_t *img_fol,
+ sprintf(temp1, ".%s", temp_p);
+ }
+ if (img_fol->set_out_format == 1) {
+- sprintf(outfilename, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
++ snprintf(outfilename, OPJ_PATH_LEN * 2, "%s/%s.%s", img_fol->imgdirpath, temp_ofname,
+ img_fol->out_format);
+ if (opj_strcpy_s(parameters->outfile, sizeof(parameters->outfile),
+ outfilename) != 0) {
+@@ -457,7 +457,7 @@ int main(int argc, char *argv[])
+ opj_codestream_info_v2_t* cstr_info = NULL;
+ opj_codestream_index_t* cstr_index = NULL;
+
+- OPJ_INT32 num_images, imageno;
++ int num_images, imageno;
+ img_fol_t img_fol;
+ dircnt_t *dirptr = NULL;
+
+@@ -486,13 +486,13 @@ int main(int argc, char *argv[])
+ if (!dirptr) {
+ return EXIT_FAILURE;
+ }
+- dirptr->filename_buf = (char*)malloc((size_t)num_images * OPJ_PATH_LEN * sizeof(
++ dirptr->filename_buf = (char*) calloc((size_t) num_images, OPJ_PATH_LEN * sizeof(
+ char)); /* Stores at max 10 image file names*/
+ if (!dirptr->filename_buf) {
+ free(dirptr);
+ return EXIT_FAILURE;
+ }
+- dirptr->filename = (char**) malloc((size_t)num_images * sizeof(char*));
++ dirptr->filename = (char**) calloc((size_t) num_images, sizeof(char*));
+
+ if (!dirptr->filename) {
+ goto fails;
+--
+2.31.1
+
diff --git a/SOURCES/openjpeg2-CVE-2021-3575.patch b/SOURCES/openjpeg2-CVE-2021-3575.patch
new file mode 100644
index 0000000..6aaae29
--- /dev/null
+++ b/SOURCES/openjpeg2-CVE-2021-3575.patch
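Review bot: The `snprintf` calls added to the three `get_next_file` copies ignore the return value, so a directory-plus-name longer than the buffer is silently truncated; in opj_decompress.c the possibly truncated `infilename` is handed to `infile_format()` before any length check runs. Capturing the result and failing on truncation closes that, and `sizeof` keeps the bound tied to the declaration: `int n = snprintf(infilename, sizeof(infilename), "%s/%s", img_fol->imgdirpath, image_filename);` followed by `if (n < 0 || (size_t)n >= sizeof(infilename)) return 1;`. The context lines `strcpy(image_filename, dirptr->filename[imageno]);` and `sprintf(temp1, ".%s", temp_p);` stay unbounded in all three files, and whether their sources are capped at OPJ_PATH_LEN is decided outside these hunks. In opj_compress.c `calloc(num_images, ...)` lacks the `(size_t)` cast the other two files use, and the `dirptr->filename` result is not checked within the visible lines.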
@@ -0,0 +1,35 @@
+From 409907d89878222cf9dea80f0add8f73e9383834 Mon Sep 17 00:00:00 2001
+From: Mehdi Sabwat
+Date: Fri, 7 May 2021 01:50:37 +0200
+Subject: [PATCH] fix heap buffer overflow #1347
+
+---
+ src/bin/common/color.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index 27f15f1..935fa44 100644
+--- a/src/bin/common/color.c
++++ b/src/bin/common/color.c
+@@ -368,12 +368,15 @@ static void sycc420_to_rgb(opj_image_t *img)
+
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+
+- ++y;
++ if (*y != img->comps[0].data[loopmaxh])
++ ++y;
+ ++r;
+ ++g;
+ ++b;
+- ++cb;
+- ++cr;
++ if (*cb != img->comps[1].data[loopmaxh])
++ ++cb;
++ if (*cr != img->comps[2].data[loopmaxh])
++ ++cr;
+ }
+ if (j < maxw) {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+--
+2.31.1
+
diff --git a/SOURCES/openjpeg2_CVE-2020-6851.patch b/SOURCES/openjpeg2_CVE-2020-6851.patch
deleted file mode 100644
index 4a2029b..0000000
--- a/SOURCES/openjpeg2_CVE-2020-6851.patch
+++ /dev/null
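Review bot: The three added guards in sycc420_to_rgb() compare sample values, not positions: `*y != img->comps[0].data[loopmaxh]` dereferences `y` and tests it against the sample stored at index `loopmaxh`. The pointer therefore stalls whenever two samples happen to be equal (shifting the rest of the row) and still advances past the end of the plane when they differ, so the over-read this patch targets is not reliably prevented. Reading `data[loopmaxh]` is itself unchecked, and the same index is applied to `comps[1]` and `comps[2]`, whose planes are smaller than luma in 4:2:0; `loopmaxh` is defined outside this hunk, so whether it is a valid index for any plane cannot be confirmed here. The bound should be on addresses, for example `if (y < y_end) ++y;` with a per-plane end pointer (`y_end` is a constructed name) computed once from that component's data pointer and sample count, and likewise for `cb` and `cr`. The function body starts and ends outside the hunk.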
@@ -1,32 +0,0 @@
-From 36dc8ffca8c085423149bb028da5688936c88c68 Mon Sep 17 00:00:00 2001
-From: Even Rouault
-Date: Sat, 11 Jan 2020 01:51:19 +0100
-Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
- coordinates are beyond INT_MAX (fixes #1228)
-
----
- src/lib/openjp2/j2k.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index 4169cd6..9e9a30f 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -9236,6 +9236,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
- l_img_comp = p_image->comps;
- for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
- OPJ_INT32 l_h, l_w;
-+ if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
-+ p_image->y0 > (OPJ_UINT32)INT_MAX ||
-+ p_image->x1 > (OPJ_UINT32)INT_MAX ||
-+ p_image->y1 > (OPJ_UINT32)INT_MAX) {
-+ opj_event_msg(p_manager, EVT_ERROR,
-+ "Image coordinates above INT_MAX are not supported\n");
-+ return OPJ_FALSE;
-+ }
-
- l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
- (OPJ_INT32)l_img_comp->dx);
---
-2.21.1
-
diff --git a/SOURCES/openjpeg2_CVE-2020-8112.patch b/SOURCES/openjpeg2_CVE-2020-8112.patch
deleted file mode 100644
index b3da355..0000000
--- a/SOURCES/openjpeg2_CVE-2020-8112.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From dc315cbd2d8582498c885a55ea73ecc84634168b Mon Sep 17 00:00:00 2001
-From: Even Rouault
-Date: Thu, 30 Jan 2020 00:59:57 +0100
-Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
-
-That could lead to later assertion failures.
-
-Fixes #1231 / CVE-2020-8112
----
- src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
- 1 file changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
-index be3b843..647991c 100644
---- a/src/lib/openjp2/tcd.c
-+++ b/src/lib/openjp2/tcd.c
-@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
- /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
- l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
- l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
-- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
-- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
-+ {
-+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
-+ (OPJ_INT32)l_pdx)) << l_pdx;
-+ if (tmp > (OPJ_UINT32)INT_MAX) {
-+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
-+ return OPJ_FALSE;
-+ }
-+ l_br_prc_x_end = (OPJ_INT32)tmp;
-+ }
-+ {
-+ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
-+ (OPJ_INT32)l_pdy)) << l_pdy;
-+ if (tmp > (OPJ_UINT32)INT_MAX) {
-+ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
-+ return OPJ_FALSE;
-+ }
-+ l_br_prc_y_end = (OPJ_INT32)tmp;
-+ }
- /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
-
- l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
---
-2.21.1
-
diff --git a/SOURCES/openjpeg2_coverity.patch b/SOURCES/openjpeg2_coverity.patch
index 6d323aa..39314cd 100644
--- a/SOURCES/openjpeg2_coverity.patch
+++ b/SOURCES/openjpeg2_coverity.patch
@@ -1,5 +1,5 @@ diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c -index 44d985f..b85e126 100644 +index 00f596e..af3f91e 100644 --- a/src/bin/jp2/convertpng.c +++ b/src/bin/jp2/convertpng.c @@ -75,10 +75,10 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params) @@ -17,10 +17,10 @@ index 44d985f..b85e126 100644 OPJ_UINT32 nr_comp; OPJ_BYTE sigbuf[8]; diff --git a/src/bin/jp2/converttif.c b/src/bin/jp2/converttif.c -index 6714d69..625c407 100644 +index 9d1037a..8d5002a 100644 --- a/src/bin/jp2/converttif.c +++ b/src/bin/jp2/converttif.c -@@ -714,7 +714,7 @@ int imagetotif(opj_image_t * image, const char *outfile) +@@ -720,7 +720,7 @@ int imagetotif(opj_image_t * image, const char *outfile) TIFFClose(tif); return 1; } @@ -29,7 +29,7 @@ index 6714d69..625c407 100644 if (rowStride != strip_size) { fprintf(stderr, "Invalid TIFF strip size\n"); TIFFClose(tif); -@@ -1277,8 +1277,6 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) +@@ -1283,8 +1283,6 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &tiSpp); TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &tiPhoto); TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &tiPC); @@ -38,7 +38,7 @@ index 6714d69..625c407 100644 if (tiSpp == 0 || tiSpp > 4) { /* should be 1 ... 4 */ fprintf(stderr, "tiftoimage: Bad value for samples per pixel == %d.\n" -@@ -1445,7 +1443,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) +@@ -1451,7 +1449,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters) return NULL; } 
@@ -47,3 +47,28 @@ index 6714d69..625c407 100644 buffer32s = (OPJ_INT32 *)malloc(sizeof(OPJ_INT32) * tiWidth * tiSpp); if (buffer32s == NULL) { _TIFFfree(buf); +diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c +index 8e343ab..c13d229 100644 +--- a/src/lib/openjp2/j2k.c ++++ b/src/lib/openjp2/j2k.c +@@ -7075,7 +7075,7 @@ static OPJ_BOOL opj_j2k_is_imf_compliant(opj_cparameters_t *parameters, + /* Validate sublevel */ + assert(sizeof(tabMaxSubLevelFromMainLevel) == + (OPJ_IMF_MAINLEVEL_MAX + 1) * sizeof(tabMaxSubLevelFromMainLevel[0])); +- if (sublevel > tabMaxSubLevelFromMainLevel[mainlevel]) { ++ if (mainlevel <= OPJ_IMF_MAINLEVEL_MAX && sublevel > tabMaxSubLevelFromMainLevel[mainlevel]) { + opj_event_msg(p_manager, EVT_WARNING, + "IMF profile require sublevel <= %d for mainlevel = %d.\n" + "-> %d is thus not compliant\n" +diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c +index 1481e16..d46bfb4 100644 +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -821,6 +821,7 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ_UINT32 tileno, + opj_event_msg(p_manager, EVT_ERROR, + "opj_t2_encode_packet(): accessing precno=%u >= %u\n", + precno, res->pw * res->ph); ++ opj_bio_destroy(bio); + return OPJ_FALSE; + } + diff --git a/SPECS/openjpeg2.spec b/SPECS/openjpeg2.spec index 6e51bb9..9f51c8e 100644 --- a/SPECS/openjpeg2.spec +++ b/SPECS/openjpeg2.spec @@ -4,8 +4,8 @@ #global optional_components 1 Name: openjpeg2 -Version: 2.3.1 -Release: 6%{?dist} +Version: 2.4.0 +Release: 4%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD @@ -23,11 +23,10 @@ Patch0: openjpeg2_opj2.patch # Fix Coverity issues Patch1: openjpeg2_coverity.patch -# Fix for CVE-2020-6851 -Patch2: openjpeg2_CVE-2020-6851.patch - -# Fix for CVE-2020-8112 -Patch3: openjpeg2_CVE-2020-8112.patch +# Fix CVE-2021-29338 +Patch2: openjpeg2-CVE-2021-29338.patch +# Fix CVE-2021-3575 +Patch3: openjpeg2-CVE-2021-3575.patch BuildRequires: cmake BuildRequires: gcc 
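Review bot: The added `mainlevel <= OPJ_IMF_MAINLEVEL_MAX &&` guard in opj_j2k_is_imf_compliant() avoids indexing `tabMaxSubLevelFromMainLevel` out of range, but it also makes the sublevel validation pass silently for any mainlevel above the maximum. Whether such a mainlevel is already reported as non-compliant earlier in the function is not visible in this hunk. If it is, a comment such as `/* mainlevel > OPJ_IMF_MAINLEVEL_MAX is reported above; this only guards the table index */` would record that; if it is not, the out-of-range case needs its own warning and non-compliant result rather than being skipped. In the t2.c part, `opj_bio_destroy(bio);` is added on this one error return only, and the other early returns of opj_t2_encode_packet() lie outside the hunk and should be checked for the same leak.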
@@ -267,12 +266,12 @@ make test -C %{_target_platform} %{_mandir}/man3/libopenjp2.3* %files devel -%dir %{_includedir}/openjpeg-2.3/ -%{_includedir}/openjpeg-2.3/openjpeg.h -%{_includedir}/openjpeg-2.3/opj_config.h -%{_includedir}/openjpeg-2.3/opj_stdint.h +%dir %{_includedir}/openjpeg-2.4/ +%{_includedir}/openjpeg-2.4/openjpeg.h +%{_includedir}/openjpeg-2.4/opj_config.h +%{_includedir}/openjpeg-2.4/opj_stdint.h %{_libdir}/libopenjp2.so -%{_libdir}/openjpeg-2.3/ +%{_libdir}/openjpeg-2.4/ %{_libdir}/pkgconfig/libopenjp2.pc %files devel-docs @@ -332,6 +331,31 @@ make test -C %{_target_platform} %changelog +* Fri Jul 02 2021 Nikola Forró - 2.4.0-4 +- Fix Covscan defect + +* Wed Jun 09 2021 Nikola Forró - 2.4.0-3 +- Fix CVE-2021-3575 (#1969279) +- Fix resource leak identified by Covscan + +* Wed Jun 02 2021 Nikola Forró - 2.4.0-2 +- Fix CVE-2021-29338 (#1951332) + +* Mon Mar 01 2021 Nikola Forró - 2.4.0-1 +- Rebase to 2.4.0 +- Resolves: CVE-2018-5727 (#1538467) +- Resolves: CVE-2018-5785 (#1538556) +- Resolves: CVE-2018-20845 (#1730679) +- Resolves: CVE-2018-20847 (#1734337) +- Resolves: CVE-2019-12973 (#1739076) +- Resolves: CVE-2020-15389 (#1855115) +- Resolves: CVE-2020-27814 (#1908965) +- Resolves: CVE-2020-27823 (#1906222) +- Resolves: CVE-2020-27824 (#1906216) +- Resolves: CVE-2020-27842 (#1908165) +- Resolves: CVE-2020-27843 (#1908164) +- Resolves: CVE-2020-27845 (#1908168) + * Mon Feb 10 2020 Nikola Forró - 2.3.1-6 - Fix CVE-2020-8112 (#1801034)