[Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541

[Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541

[Michael Vetter]

Add 0001-verify-data-range-CVE-2018-19541.patch:
We need to verify the data is in the expected range. Otherwise we get
problems later.

Patch was proposed upstream[1] but upstream is very inactive. Linux
distributions use the same fix to patch their packages.

1: https://github.com/mdadams/jasper/pull/211
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
---
 .../0001-verify-data-range-CVE-2018-19541.patch    | 34 ++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 package/jasper/0001-verify-data-range-CVE-2018-19541.patch

diff --git a/package/jasper/0001-verify-data-range-CVE-2018-19541.patch b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
new file mode 100644
index 0000000000..95812c4006
--- /dev/null
+++ b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
@@ -0,0 +1,34 @@
+From 24fc4d6f01d2d4c8297d1bebec02360f796e01c2 Mon Sep 17 00:00:00 2001
+From: Michael Vetter <jubalh@iodoru.org>
+Date: Mon, 4 Nov 2019 18:17:44 +0100
+Subject: [PATCH] Verify range data in jp2_pclr_getdata
+
+This fixes CVE-2018-19541.
+We need to verify the data is in the expected range. Otherwise we get
+problems later.
+
+This is a better fix for https://github.com/mdadams/jasper/pull/199
+which caused segfaults under certain circumstances.
+
+Patch by Adam Majer <adam.majer@suse.de>
+---
+ src/libjasper/jp2/jp2_cod.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c
+index 890e6ad..0f8d804 100644
+--- a/src/libjasper/jp2/jp2_cod.c
++++ b/src/libjasper/jp2/jp2_cod.c
+@@ -855,6 +855,12 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in)
+ 	  jp2_getuint8(in, &pclr->numchans)) {
+ 		return -1;
+ 	}
++
++    // verify in range data as per I.5.3.4 - Palette box
++    if (pclr->numchans < 1 || pclr->numlutents < 1 || pclr->numlutents > 1024) {
++        return -1;
++    }
++
+ 	lutsize = pclr->numlutents * pclr->numchans;
+ 	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ 		return -1;
-- 
2.16.4

[Buildroot] [PATCH 2/3] package/jasper: Apply fix for CVE-2018-19542

[Michael Vetter]

Add 0002-check-null-in-jp2_decode.patch:

Patch was proposed upstream[1] but upstream is very inactive.
Linux distributions use the same fix to patch their packages.

1: https://github.com/mdadams/jasper/pull/200
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
---
 ...2-check-null-in-jp2_decode-CVE-2018-19542.patch | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch

diff --git a/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch b/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch
new file mode 100644
index 0000000000..bfe07ee786
--- /dev/null
+++ b/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch
@@ -0,0 +1,23 @@
+From fc62d1b7164ded2405fd6a0604548b34a5a77462 Mon Sep 17 00:00:00 2001
+From: Timothy Lyanguzov <timothy.lyanguzov@sap.com>
+Date: Mon, 18 Mar 2019 16:46:24 +1300
+Subject: [PATCH] Fix CVE-2018-19542: Check for NULL pointer in jp2_decode
+
+---
+ src/libjasper/jp2/jp2_dec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
+index 03b0eaf..a535c19 100644
+--- a/src/libjasper/jp2/jp2_dec.c
++++ b/src/libjasper/jp2/jp2_dec.c
+@@ -388,6 +388,9 @@ jas_image_t *jp2_decode(jas_stream_t *in, const char *optstr)
+ 				jas_image_setcmpttype(dec->image, newcmptno, jp2_getct(jas_image_clrspc(dec->image), 0, channo + 1));
+ 				}
+ #endif
++			} else {
++				jas_eprintf("error: invalid MTYP in CMAP box\n");
++				goto error;
+ 			}
+ 		}
+ 	}
-- 
2.16.4

[Buildroot] [PATCH 3/3] package/jasper: Apply fix for CVE-2018-19540

[Michael Vetter]

Add 0003-test-asclen-CVE-2018-19540.patch:
If txtdesc->asclen is < 1, the array index of
txtdesc->ascdata will be negative which causes the heap based overflow.

Patch was proposed upstream[1] but upstream is very inactive. Linux
distributions use the same fix to patch their packages.

1: https://github.com/mdadams/jasper/pull/198
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
---
 .../jasper/0003-test-asclen-CVE-2018-19540.patch   | 28 ++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 package/jasper/0003-test-asclen-CVE-2018-19540.patch

diff --git a/package/jasper/0003-test-asclen-CVE-2018-19540.patch b/package/jasper/0003-test-asclen-CVE-2018-19540.patch
new file mode 100644
index 0000000000..ea73d5d781
--- /dev/null
+++ b/package/jasper/0003-test-asclen-CVE-2018-19540.patch
@@ -0,0 +1,28 @@
+From e38454aa1a15b78c028a778fc8bfba3587e25c25 Mon Sep 17 00:00:00 2001
+From: Michael Vetter <jubalh@iodoru.org>
+Date: Fri, 15 Mar 2019 11:01:02 +0100
+Subject: [PATCH] Make sure asclen is at least 1
+
+If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow.
+
+Regards CVE-2018-19540.
+Regards https://github.com/mdadams/jasper/issues/182 bug#3
+Fix by Markus Koschany <apo@debian.org>.
+From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823
+---
+ src/libjasper/base/jas_icc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
+index 4607930..762c0e8 100644
+--- a/src/libjasper/base/jas_icc.c
++++ b/src/libjasper/base/jas_icc.c
+@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
+ 	if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=
+ 	  JAS_CAST(int, txtdesc->asclen))
+ 		goto error;
++	if (txtdesc->asclen < 1)
++		goto error;
+ 	txtdesc->ascdata[txtdesc->asclen - 1] = '\0';
+ 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ 	  jas_iccgetuint32(in, &txtdesc->uclen))
-- 
2.16.4

[Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541

[Peter Korsgaard]

>>>>> "Michael" == Michael Vetter <jubalh@iodoru.org> writes:

 > Add 0001-verify-data-range-CVE-2018-19541.patch:
 > We need to verify the data is in the expected range. Otherwise we get
 > problems later.

 > Patch was proposed upstream[1] but upstream is very inactive. Linux
 > distributions use the same fix to patch their packages.

 > 1: https://github.com/mdadams/jasper/pull/211
 > Signed-off-by: Michael Vetter <jubalh@iodoru.org>

Please also add your signed-off-by in the individual patches as pointed
out by utils/check-package:

package/jasper/0001-verify-data-range-CVE-2018-19541.patch:0: missing Signed-off-by in the header (http://nightly.buildroot.org/#_format_and_licensing_of_the_package_patches)

 > ---
 >  .../0001-verify-data-range-CVE-2018-19541.patch    | 34 ++++++++++++++++++++++
 >  1 file changed, 34 insertions(+)
 >  create mode 100644 package/jasper/0001-verify-data-range-CVE-2018-19541.patch

 > diff --git a/package/jasper/0001-verify-data-range-CVE-2018-19541.patch b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
 > new file mode 100644
 > index 0000000000..95812c4006
 > --- /dev/null
 > +++ b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
 > @@ -0,0 +1,34 @@
 > +From 24fc4d6f01d2d4c8297d1bebec02360f796e01c2 Mon Sep 17 00:00:00 2001
 > +From: Michael Vetter <jubalh@iodoru.org>
 > +Date: Mon, 4 Nov 2019 18:17:44 +0100
 > +Subject: [PATCH] Verify range data in jp2_pclr_getdata
 > +
 > +This fixes CVE-2018-19541.
 > +We need to verify the data is in the expected range. Otherwise we get
 > +problems later.
 > +
 > +This is a better fix for https://github.com/mdadams/jasper/pull/199
 > +which caused segfaults under certain circumstances.
 > +
 > +Patch by Adam Majer <adam.majer@suse.de>
 > +---
 > + src/libjasper/jp2/jp2_cod.c | 6 ++++++
 > + 1 file changed, 6 insertions(+)
 > +
 > +diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c
 > +index 890e6ad..0f8d804 100644
 > +--- a/src/libjasper/jp2/jp2_cod.c
 > ++++ b/src/libjasper/jp2/jp2_cod.c
 > +@@ -855,6 +855,12 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in)
 > + 	  jp2_getuint8(in, &pclr->numchans)) {
 > + 		return -1;
 > + 	}
 > ++
 > ++    // verify in range data as per I.5.3.4 - Palette box
 > ++    if (pclr->numchans < 1 || pclr->numlutents < 1 || pclr->numlutents > 1024) {
 > ++        return -1;
 > ++    }
 > ++
 > + 	lutsize = pclr->numlutents * pclr->numchans;
 > + 	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
 > + 		return -1;
 > -- 
 > 2.16.4

 > _______________________________________________
 > buildroot mailing list
 > buildroot at busybox.net
 > http://lists.busybox.net/mailman/listinfo/buildroot

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541

[Peter Korsgaard]

>>>>> "Michael" == Michael Vetter <jubalh@iodoru.org> writes:

 > Add 0001-verify-data-range-CVE-2018-19541.patch:
 > We need to verify the data is in the expected range. Otherwise we get
 > problems later.

 > Patch was proposed upstream[1] but upstream is very inactive. Linux
 > distributions use the same fix to patch their packages.

 > 1: https://github.com/mdadams/jasper/pull/211
 > Signed-off-by: Michael Vetter <jubalh@iodoru.org>

Committed all 3 to 2019.11.x as well, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541

[Peter Korsgaard]

>>>>> "Michael" == Michael Vetter <jubalh@iodoru.org> writes:

 > Add 0001-verify-data-range-CVE-2018-19541.patch:
 > We need to verify the data is in the expected range. Otherwise we get
 > problems later.

 > Patch was proposed upstream[1] but upstream is very inactive. Linux
 > distributions use the same fix to patch their packages.

 > 1: https://github.com/mdadams/jasper/pull/211
 > Signed-off-by: Michael Vetter <jubalh@iodoru.org>

Committed to 2019.02.x and 2019.08.x, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541

[Peter Korsgaard]

>>>>> "Michael" == Michael Vetter <jubalh@iodoru.org> writes:

 > Add 0001-verify-data-range-CVE-2018-19541.patch:
 > We need to verify the data is in the expected range. Otherwise we get
 > problems later.

 > Patch was proposed upstream[1] but upstream is very inactive. Linux
 > distributions use the same fix to patch their packages.

 > 1: https://github.com/mdadams/jasper/pull/211
 > Signed-off-by: Michael Vetter <jubalh@iodoru.org>

Committed, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541

[Michael Vetter]

Add 0001-verify-data-range-CVE-2018-19541.patch:
We need to verify the data is in the expected range. Otherwise we get
problems later.

Patch was proposed upstream[1] but upstream is very inactive. Linux
distributions use the same fix to patch their packages.

1: https://github.com/mdadams/jasper/pull/211
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
---
 .../0001-verify-data-range-CVE-2018-19541.patch    | 34 ++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 package/jasper/0001-verify-data-range-CVE-2018-19541.patch

diff --git a/package/jasper/0001-verify-data-range-CVE-2018-19541.patch b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
new file mode 100644
index 0000000000..95812c4006
--- /dev/null
+++ b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
@@ -0,0 +1,35 @@
+From 24fc4d6f01d2d4c8297d1bebec02360f796e01c2 Mon Sep 17 00:00:00 2001
+From: Michael Vetter <jubalh@iodoru.org>
+Date: Mon, 4 Nov 2019 18:17:44 +0100
+Subject: [PATCH] Verify range data in jp2_pclr_getdata
+
+This fixes CVE-2018-19541.
+We need to verify the data is in the expected range. Otherwise we get
+problems later.
+
+This is a better fix for https://github.com/mdadams/jasper/pull/199
+which caused segfaults under certain circumstances.
+
+Patch by Adam Majer <adam.majer@suse.de>
+Signed-off-by: Michael Vetter <jubalh@iodoru.org>
+---
+ src/libjasper/jp2/jp2_cod.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c
+index 890e6ad..0f8d804 100644
+--- a/src/libjasper/jp2/jp2_cod.c
++++ b/src/libjasper/jp2/jp2_cod.c
+@@ -855,6 +855,12 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in)
+ 	  jp2_getuint8(in, &pclr->numchans)) {
+ 		return -1;
+ 	}
++
++    // verify in range data as per I.5.3.4 - Palette box
++    if (pclr->numchans < 1 || pclr->numlutents < 1 || pclr->numlutents > 1024) {
++        return -1;
++    }
++
+ 	lutsize = pclr->numlutents * pclr->numchans;
+ 	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ 		return -1;
-- 
2.16.4