* [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541
@ 2019-12-02 11:59 Michael Vetter
2019-12-02 11:59 ` [Buildroot] [PATCH 2/3] package/jasper: Apply fix for CVE-2018-19542 Michael Vetter
` (4 more replies)
0 siblings, 5 replies; 11+ messages in thread
From: Michael Vetter @ 2019-12-02 11:59 UTC (permalink / raw)
To: buildroot
Add 0001-verify-data-range-CVE-2018-19541.patch:
We need to verify the data is in the expected range. Otherwise we get
problems later.
Patch was proposed upstream[1] but upstream is very inactive. Linux
distributions use the same fix to patch their packages.
1: https://github.com/mdadams/jasper/pull/211
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
---
.../0001-verify-data-range-CVE-2018-19541.patch | 34 ++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 package/jasper/0001-verify-data-range-CVE-2018-19541.patch
diff --git a/package/jasper/0001-verify-data-range-CVE-2018-19541.patch b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
new file mode 100644
index 0000000000..95812c4006
--- /dev/null
+++ b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
@@ -0,0 +1,35 @@
+From 24fc4d6f01d2d4c8297d1bebec02360f796e01c2 Mon Sep 17 00:00:00 2001
+From: Michael Vetter <jubalh@iodoru.org>
+Date: Mon, 4 Nov 2019 18:17:44 +0100
+Subject: [PATCH] Verify range data in jp2_pclr_getdata
+
+This fixes CVE-2018-19541.
+We need to verify the data is in the expected range. Otherwise we get
+problems later.
+
+This is a better fix for https://github.com/mdadams/jasper/pull/199
+which caused segfaults under certain circumstances.
+
+Patch by Adam Majer <adam.majer@suse.de>
+Signed-off-by: Michael Vetter <jubalh@iodoru.org>
+---
+ src/libjasper/jp2/jp2_cod.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c
+index 890e6ad..0f8d804 100644
+--- a/src/libjasper/jp2/jp2_cod.c
++++ b/src/libjasper/jp2/jp2_cod.c
+@@ -855,6 +855,12 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in)
+ jp2_getuint8(in, &pclr->numchans)) {
+ return -1;
+ }
++
++ // verify in range data as per I.5.3.4 - Palette box
++ if (pclr->numchans < 1 || pclr->numlutents < 1 || pclr->numlutents > 1024) {
++ return -1;
++ }
++
+ lutsize = pclr->numlutents * pclr->numchans;
+ if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ return -1;
--
2.16.4
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Buildroot] [PATCH 2/3] package/jasper: Apply fix for CVE-2018-19542
2019-12-02 11:59 [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541 Michael Vetter
@ 2019-12-02 11:59 ` Michael Vetter
2019-12-02 12:42 ` Peter Korsgaard
2019-12-06 8:21 ` Peter Korsgaard
2019-12-02 11:59 ` [Buildroot] [PATCH 3/3] package/jasper: Apply fix for CVE-2018-19540 Michael Vetter
` (3 subsequent siblings)
4 siblings, 2 replies; 11+ messages in thread
From: Michael Vetter @ 2019-12-02 11:59 UTC (permalink / raw)
To: buildroot
Add 0002-check-null-in-jp2_decode.patch:
Patch was proposed upstream[1] but upstream is very inactive.
Linux distributions use the same fix to patch their packages.
1: https://github.com/mdadams/jasper/pull/200
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
---
...2-check-null-in-jp2_decode-CVE-2018-19542.patch | 23 ++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch
diff --git a/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch b/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch
new file mode 100644
index 0000000000..bfe07ee786
--- /dev/null
+++ b/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch
@@ -0,0 +1,24 @@
+From fc62d1b7164ded2405fd6a0604548b34a5a77462 Mon Sep 17 00:00:00 2001
+From: Timothy Lyanguzov <timothy.lyanguzov@sap.com>
+Date: Mon, 18 Mar 2019 16:46:24 +1300
+Subject: [PATCH] Fix CVE-2018-19542: Check for NULL pointer in jp2_decode
+
+Signed-off-by: Michael Vetter <jubalh@iodoru.org>
+---
+ src/libjasper/jp2/jp2_dec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
+index 03b0eaf..a535c19 100644
+--- a/src/libjasper/jp2/jp2_dec.c
++++ b/src/libjasper/jp2/jp2_dec.c
+@@ -388,6 +388,9 @@ jas_image_t *jp2_decode(jas_stream_t *in, const char *optstr)
+ jas_image_setcmpttype(dec->image, newcmptno, jp2_getct(jas_image_clrspc(dec->image), 0, channo + 1));
+ }
+ #endif
++ } else {
++ jas_eprintf("error: invalid MTYP in CMAP box\n");
++ goto error;
+ }
+ }
+ }
--
2.16.4
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Buildroot] [PATCH 3/3] package/jasper: Apply fix for CVE-2018-19540
2019-12-02 11:59 [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541 Michael Vetter
2019-12-02 11:59 ` [Buildroot] [PATCH 2/3] package/jasper: Apply fix for CVE-2018-19542 Michael Vetter
@ 2019-12-02 11:59 ` Michael Vetter
2019-12-02 12:43 ` Peter Korsgaard
2019-12-06 8:21 ` Peter Korsgaard
2019-12-02 12:42 ` [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541 Peter Korsgaard
` (2 subsequent siblings)
4 siblings, 2 replies; 11+ messages in thread
From: Michael Vetter @ 2019-12-02 11:59 UTC (permalink / raw)
To: buildroot
Add 0003-test-asclen-CVE-2018-19540.patch:
If txtdesc->asclen is < 1, the array index of
txtdesc->ascdata will be negative which causes the heap based overflow.
Patch was proposed upstream[1] but upstream is very inactive. Linux
distributions use the same fix to patch their packages.
1: https://github.com/mdadams/jasper/pull/198
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
---
.../jasper/0003-test-asclen-CVE-2018-19540.patch | 28 ++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 package/jasper/0003-test-asclen-CVE-2018-19540.patch
diff --git a/package/jasper/0003-test-asclen-CVE-2018-19540.patch b/package/jasper/0003-test-asclen-CVE-2018-19540.patch
new file mode 100644
index 0000000000..ea73d5d781
--- /dev/null
+++ b/package/jasper/0003-test-asclen-CVE-2018-19540.patch
@@ -0,0 +1,29 @@
+From e38454aa1a15b78c028a778fc8bfba3587e25c25 Mon Sep 17 00:00:00 2001
+From: Michael Vetter <jubalh@iodoru.org>
+Date: Fri, 15 Mar 2019 11:01:02 +0100
+Subject: [PATCH] Make sure asclen is at least 1
+
+If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow.
+
+Regards CVE-2018-19540.
+Regards https://github.com/mdadams/jasper/issues/182 bug#3
+Fix by Markus Koschany <apo@debian.org>.
+From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823
+Signed-off-by: Michael Vetter <jubalh@iodoru.org>
+---
+ src/libjasper/base/jas_icc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
+index 4607930..762c0e8 100644
+--- a/src/libjasper/base/jas_icc.c
++++ b/src/libjasper/base/jas_icc.c
+@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
+ if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=
+ JAS_CAST(int, txtdesc->asclen))
+ goto error;
++ if (txtdesc->asclen < 1)
++ goto error;
+ txtdesc->ascdata[txtdesc->asclen - 1] = '\0';
+ if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ jas_iccgetuint32(in, &txtdesc->uclen))
--
2.16.4
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541
2019-12-02 11:59 [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541 Michael Vetter
2019-12-02 11:59 ` [Buildroot] [PATCH 2/3] package/jasper: Apply fix for CVE-2018-19542 Michael Vetter
2019-12-02 11:59 ` [Buildroot] [PATCH 3/3] package/jasper: Apply fix for CVE-2018-19540 Michael Vetter
@ 2019-12-02 12:42 ` Peter Korsgaard
2019-12-06 8:21 ` Peter Korsgaard
2019-12-06 8:58 ` Peter Korsgaard
4 siblings, 0 replies; 11+ messages in thread
From: Peter Korsgaard @ 2019-12-02 12:42 UTC (permalink / raw)
To: buildroot
>>>>> "Michael" == Michael Vetter <jubalh@iodoru.org> writes:
> Add 0001-verify-data-range-CVE-2018-19541.patch:
> We need to verify the data is in the expected range. Otherwise we get
> problems later.
> Patch was proposed upstream[1] but upstream is very inactive. Linux
> distributions use the same fix to patch their packages.
> 1: https://github.com/mdadams/jasper/pull/211
> Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541
2019-12-02 11:59 [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541 Michael Vetter
` (2 preceding siblings ...)
2019-12-02 12:42 ` [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541 Peter Korsgaard
@ 2019-12-06 8:21 ` Peter Korsgaard
2019-12-06 8:58 ` Peter Korsgaard
4 siblings, 0 replies; 11+ messages in thread
From: Peter Korsgaard @ 2019-12-06 8:21 UTC (permalink / raw)
To: buildroot
>>>>> "Michael" == Michael Vetter <jubalh@iodoru.org> writes:
> Add 0001-verify-data-range-CVE-2018-19541.patch:
> We need to verify the data is in the expected range. Otherwise we get
> problems later.
> Patch was proposed upstream[1] but upstream is very inactive. Linux
> distributions use the same fix to patch their packages.
> 1: https://github.com/mdadams/jasper/pull/211
> Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Committed to 2019.02.x and 2019.08.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541
2019-12-02 11:59 [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541 Michael Vetter
` (3 preceding siblings ...)
2019-12-06 8:21 ` Peter Korsgaard
@ 2019-12-06 8:58 ` Peter Korsgaard
4 siblings, 0 replies; 11+ messages in thread
From: Peter Korsgaard @ 2019-12-06 8:58 UTC (permalink / raw)
To: buildroot
>>>>> "Michael" == Michael Vetter <jubalh@iodoru.org> writes:
> Add 0001-verify-data-range-CVE-2018-19541.patch:
> We need to verify the data is in the expected range. Otherwise we get
> problems later.
> Patch was proposed upstream[1] but upstream is very inactive. Linux
> distributions use the same fix to patch their packages.
> 1: https://github.com/mdadams/jasper/pull/211
> Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Committed all 3 to 2019.11.x as well, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541
@ 2019-12-02 9:51 Michael Vetter
2019-12-02 9:51 ` [Buildroot] [PATCH 3/3] package/jasper: Apply fix for CVE-2018-19540 Michael Vetter
0 siblings, 1 reply; 11+ messages in thread
From: Michael Vetter @ 2019-12-02 9:51 UTC (permalink / raw)
To: buildroot
Add 0001-verify-data-range-CVE-2018-19541.patch:
We need to verify the data is in the expected range. Otherwise we get
problems later.
Patch was proposed upstream[1] but upstream is very inactive. Linux
distributions use the same fix to patch their packages.
1: https://github.com/mdadams/jasper/pull/211
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
---
.../0001-verify-data-range-CVE-2018-19541.patch | 34 ++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 package/jasper/0001-verify-data-range-CVE-2018-19541.patch
diff --git a/package/jasper/0001-verify-data-range-CVE-2018-19541.patch b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
new file mode 100644
index 0000000000..95812c4006
--- /dev/null
+++ b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
@@ -0,0 +1,34 @@
+From 24fc4d6f01d2d4c8297d1bebec02360f796e01c2 Mon Sep 17 00:00:00 2001
+From: Michael Vetter <jubalh@iodoru.org>
+Date: Mon, 4 Nov 2019 18:17:44 +0100
+Subject: [PATCH] Verify range data in jp2_pclr_getdata
+
+This fixes CVE-2018-19541.
+We need to verify the data is in the expected range. Otherwise we get
+problems later.
+
+This is a better fix for https://github.com/mdadams/jasper/pull/199
+which caused segfaults under certain circumstances.
+
+Patch by Adam Majer <adam.majer@suse.de>
+---
+ src/libjasper/jp2/jp2_cod.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c
+index 890e6ad..0f8d804 100644
+--- a/src/libjasper/jp2/jp2_cod.c
++++ b/src/libjasper/jp2/jp2_cod.c
+@@ -855,6 +855,12 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in)
+ jp2_getuint8(in, &pclr->numchans)) {
+ return -1;
+ }
++
++ // verify in range data as per I.5.3.4 - Palette box
++ if (pclr->numchans < 1 || pclr->numlutents < 1 || pclr->numlutents > 1024) {
++ return -1;
++ }
++
+ lutsize = pclr->numlutents * pclr->numchans;
+ if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
+ return -1;
--
2.16.4
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Buildroot] [PATCH 3/3] package/jasper: Apply fix for CVE-2018-19540
2019-12-02 9:51 Michael Vetter
@ 2019-12-02 9:51 ` Michael Vetter
0 siblings, 0 replies; 11+ messages in thread
From: Michael Vetter @ 2019-12-02 9:51 UTC (permalink / raw)
To: buildroot
Add 0003-test-asclen-CVE-2018-19540.patch:
If txtdesc->asclen is < 1, the array index of
txtdesc->ascdata will be negative which causes the heap based overflow.
Patch was proposed upstream[1] but upstream is very inactive. Linux
distributions use the same fix to patch their packages.
1: https://github.com/mdadams/jasper/pull/198
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
---
.../jasper/0003-test-asclen-CVE-2018-19540.patch | 28 ++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 package/jasper/0003-test-asclen-CVE-2018-19540.patch
diff --git a/package/jasper/0003-test-asclen-CVE-2018-19540.patch b/package/jasper/0003-test-asclen-CVE-2018-19540.patch
new file mode 100644
index 0000000000..ea73d5d781
--- /dev/null
+++ b/package/jasper/0003-test-asclen-CVE-2018-19540.patch
@@ -0,0 +1,28 @@
+From e38454aa1a15b78c028a778fc8bfba3587e25c25 Mon Sep 17 00:00:00 2001
+From: Michael Vetter <jubalh@iodoru.org>
+Date: Fri, 15 Mar 2019 11:01:02 +0100
+Subject: [PATCH] Make sure asclen is at least 1
+
+If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow.
+
+Regards CVE-2018-19540.
+Regards https://github.com/mdadams/jasper/issues/182 bug#3
+Fix by Markus Koschany <apo@debian.org>.
+From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823
+---
+ src/libjasper/base/jas_icc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
+index 4607930..762c0e8 100644
+--- a/src/libjasper/base/jas_icc.c
++++ b/src/libjasper/base/jas_icc.c
+@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
+ if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=
+ JAS_CAST(int, txtdesc->asclen))
+ goto error;
++ if (txtdesc->asclen < 1)
++ goto error;
+ txtdesc->ascdata[txtdesc->asclen - 1] = '\0';
+ if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ jas_iccgetuint32(in, &txtdesc->uclen))
--
2.16.4
^ permalink raw reply related [flat|nested] 11+ messages in thread
end of thread, other threads:[~2019-12-06 8:58 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-02 11:59 [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541 Michael Vetter
2019-12-02 11:59 ` [Buildroot] [PATCH 2/3] package/jasper: Apply fix for CVE-2018-19542 Michael Vetter
2019-12-02 12:42 ` Peter Korsgaard
2019-12-06 8:21 ` Peter Korsgaard
2019-12-02 11:59 ` [Buildroot] [PATCH 3/3] package/jasper: Apply fix for CVE-2018-19540 Michael Vetter
2019-12-02 12:43 ` Peter Korsgaard
2019-12-06 8:21 ` Peter Korsgaard
2019-12-02 12:42 ` [Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541 Peter Korsgaard
2019-12-06 8:21 ` Peter Korsgaard
2019-12-06 8:58 ` Peter Korsgaard
-- strict thread matches above, loose matches on Subject: below --
2019-12-02 9:51 Michael Vetter
2019-12-02 9:51 ` [Buildroot] [PATCH 3/3] package/jasper: Apply fix for CVE-2018-19540 Michael Vetter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.