[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/01: gnu: jasper: Fixx CVE-2017-6850.
|
From: |
Efraim Flashner |
|
Subject: |
01/01: gnu: jasper: Fixx CVE-2017-6850. |
|
Date: |
Tue, 11 Apr 2017 23:41:54 -0400 (EDT) |
efraim pushed a commit to branch master
in repository guix.
commit 0eb0fe2d302028b51185b98ac55e45b483a5ea82
Author: Efraim Flashner <address@hidden>
Date: Wed Apr 12 06:19:56 2017 +0300
gnu: jasper: Fixx CVE-2017-6850.
* gnu/packages/image.scm (jasper)[source]: Add patch.
* gnu/packages/patches/jasper-CVE-2017-6850.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
gnu/local.mk | 1 +
gnu/packages/image.scm | 3 +-
gnu/packages/patches/jasper-CVE-2017-6850.patch | 284 ++++++++++++++++++++++++
3 files changed, 287 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 212228d..006dbe7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -661,6 +661,7 @@ dist_patch_DATA =
\
%D%/packages/patches/id3lib-CVE-2007-4460.patch \
%D%/packages/patches/ilmbase-fix-tests.patch \
%D%/packages/patches/isl-0.11.1-aarch64-support.patch \
+ %D%/packages/patches/jasper-CVE-2017-6850.patch \
%D%/packages/patches/jbig2dec-ignore-testtest.patch \
%D%/packages/patches/jbig2dec-CVE-2016-9601.patch \
%D%/packages/patches/jq-CVE-2015-8863.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index b5b3a72..2725c16 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -905,7 +905,8 @@ convert, manipulate, filter and display a wide variety of
image formats.")
"/software/jasper-" version ".tar.gz"))
(sha256
(base32
- "1njdbxv7d4anzrd476wjww2qsi96dd8vfnp4hri0srrqxpszl92v"))))
+ "1njdbxv7d4anzrd476wjww2qsi96dd8vfnp4hri0srrqxpszl92v"))
+ (patches (search-patches "jasper-CVE-2017-6850.patch"))))
(build-system cmake-build-system)
(inputs `(("libjpeg" ,libjpeg)))
(synopsis "JPEG-2000 library")
diff --git a/gnu/packages/patches/jasper-CVE-2017-6850.patch
b/gnu/packages/patches/jasper-CVE-2017-6850.patch
new file mode 100644
index 0000000..0767276
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2017-6850.patch
@@ -0,0 +1,284 @@
+This patch is from upstream and should be fixed included in the next release
+
+From e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d Mon Sep 17 00:00:00 2001
+From: Michael Adams <address@hidden>
+Date: Sat, 4 Mar 2017 14:43:24 -0800
+Subject: [PATCH] Fixed bugs due to uninitialized data in the JP2 decoder.
+ Also, added some comments marking I/O stream interfaces that probably need to
+ be changed (in the long term) to fix integer overflow problems.
+
+---
+ src/libjasper/base/jas_stream.c | 18 +++++++++++++++++
+ src/libjasper/jp2/jp2_cod.c | 44 ++++++++++++++++++++++++++++-------------
+ 2 files changed, 48 insertions(+), 14 deletions(-)
+
+diff --git a/src/libjasper/base/jas_stream.c b/src/libjasper/base/jas_stream.c
+index 327ee57..d70408f 100644
+--- a/src/libjasper/base/jas_stream.c
++++ b/src/libjasper/base/jas_stream.c
+@@ -664,6 +664,7 @@ int jas_stream_ungetc(jas_stream_t *stream, int c)
+ return 0;
+ }
+
++/* FIXME integral type */
+ int jas_stream_read(jas_stream_t *stream, void *buf, int cnt)
+ {
+ int n;
+@@ -690,6 +691,7 @@ int jas_stream_read(jas_stream_t *stream, void *buf, int
cnt)
+ return n;
+ }
+
++/* FIXME integral type */
+ int jas_stream_write(jas_stream_t *stream, const void *buf, int cnt)
+ {
+ int n;
+@@ -742,6 +744,7 @@ int jas_stream_puts(jas_stream_t *stream, const char *s)
+ return 0;
+ }
+
++/* FIXME integral type */
+ char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize)
+ {
+ int c;
+@@ -765,6 +768,7 @@ char *jas_stream_gets(jas_stream_t *stream, char *buf, int
bufsize)
+ return buf;
+ }
+
++/* FIXME integral type */
+ int jas_stream_gobble(jas_stream_t *stream, int n)
+ {
+ int m;
+@@ -783,6 +787,7 @@ int jas_stream_gobble(jas_stream_t *stream, int n)
+ return n;
+ }
+
++/* FIXME integral type */
+ int jas_stream_pad(jas_stream_t *stream, int n, int c)
+ {
+ int m;
+@@ -885,6 +890,7 @@ long jas_stream_tell(jas_stream_t *stream)
+ * Buffer initialization code.
+
\******************************************************************************/
+
++/* FIXME integral type */
+ static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf,
+ int bufsize)
+ {
+@@ -1060,6 +1066,7 @@ static int jas_strtoopenmode(const char *s)
+ return openmode;
+ }
+
++/* FIXME integral type */
+ int jas_stream_copy(jas_stream_t *out, jas_stream_t *in, int n)
+ {
+ int all;
+@@ -1085,6 +1092,7 @@ int jas_stream_copy(jas_stream_t *out, jas_stream_t *in,
int n)
+ return 0;
+ }
+
++/* FIXME integral type */
+ long jas_stream_setrwcount(jas_stream_t *stream, long rwcnt)
+ {
+ int old;
+@@ -1094,6 +1102,7 @@ long jas_stream_setrwcount(jas_stream_t *stream, long
rwcnt)
+ return old;
+ }
+
++/* FIXME integral type */
+ int jas_stream_display(jas_stream_t *stream, FILE *fp, int n)
+ {
+ unsigned char buf[16];
+@@ -1168,6 +1177,7 @@ long jas_stream_length(jas_stream_t *stream)
+ * Memory stream object.
+
\******************************************************************************/
+
++/* FIXME integral type */
+ static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt)
+ {
+ ssize_t n;
+@@ -1209,6 +1219,7 @@ static int mem_resize(jas_stream_memobj_t *m, size_t
bufsize)
+ return 0;
+ }
+
++/* FIXME integral type */
+ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt)
+ {
+ size_t n;
+@@ -1264,6 +1275,7 @@ static int mem_write(jas_stream_obj_t *obj, char *buf,
int cnt)
+ return ret;
+ }
+
++/* FIXME integral type */
+ static long mem_seek(jas_stream_obj_t *obj, long offset, int origin)
+ {
+ jas_stream_memobj_t *m = (jas_stream_memobj_t *)obj;
+@@ -1310,6 +1322,7 @@ static int mem_close(jas_stream_obj_t *obj)
+ * File stream object.
+
\******************************************************************************/
+
++/* FIXME integral type */
+ static int file_read(jas_stream_obj_t *obj, char *buf, int cnt)
+ {
+ jas_stream_fileobj_t *fileobj;
+@@ -1318,6 +1331,7 @@ static int file_read(jas_stream_obj_t *obj, char *buf,
int cnt)
+ return read(fileobj->fd, buf, cnt);
+ }
+
++/* FIXME integral type */
+ static int file_write(jas_stream_obj_t *obj, char *buf, int cnt)
+ {
+ jas_stream_fileobj_t *fileobj;
+@@ -1326,6 +1340,7 @@ static int file_write(jas_stream_obj_t *obj, char *buf,
int cnt)
+ return write(fileobj->fd, buf, cnt);
+ }
+
++/* FIXME integral type */
+ static long file_seek(jas_stream_obj_t *obj, long offset, int origin)
+ {
+ jas_stream_fileobj_t *fileobj;
+@@ -1352,6 +1367,7 @@ static int file_close(jas_stream_obj_t *obj)
+ * Stdio file stream object.
+
\******************************************************************************/
+
++/* FIXME integral type */
+ static int sfile_read(jas_stream_obj_t *obj, char *buf, int cnt)
+ {
+ FILE *fp;
+@@ -1367,6 +1383,7 @@ static int sfile_read(jas_stream_obj_t *obj, char *buf,
int cnt)
+ return result;
+ }
+
++/* FIXME integral type */
+ static int sfile_write(jas_stream_obj_t *obj, char *buf, int cnt)
+ {
+ FILE *fp;
+@@ -1377,6 +1394,7 @@ static int sfile_write(jas_stream_obj_t *obj, char *buf,
int cnt)
+ return (n != JAS_CAST(size_t, cnt)) ? (-1) : cnt;
+ }
+
++/* FIXME integral type */
+ static long sfile_seek(jas_stream_obj_t *obj, long offset, int origin)
+ {
+ FILE *fp;
+diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c
+index 7f3608a..8d98a2c 100644
+--- a/src/libjasper/jp2/jp2_cod.c
++++ b/src/libjasper/jp2/jp2_cod.c
+@@ -183,15 +183,28 @@ jp2_boxinfo_t jp2_boxinfo_unk = {
+ * Box constructor.
+
\******************************************************************************/
+
+-jp2_box_t *jp2_box_create(int type)
++jp2_box_t *jp2_box_create0()
+ {
+ jp2_box_t *box;
+- jp2_boxinfo_t *boxinfo;
+-
+ if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
+ return 0;
+ }
+ memset(box, 0, sizeof(jp2_box_t));
++ box->type = 0;
++ box->len = 0;
++ // Mark the box data as never having been constructed
++ // so that we will not errantly attempt to destroy it later.
++ box->ops = &jp2_boxinfo_unk.ops;
++ return box;
++}
++
++jp2_box_t *jp2_box_create(int type)
++{
++ jp2_box_t *box;
++ jp2_boxinfo_t *boxinfo;
++ if (!(box = jp2_box_create0())) {
++ return 0;
++ }
+ box->type = type;
+ box->len = 0;
+ if (!(boxinfo = jp2_boxinfolookup(type))) {
+@@ -248,14 +261,9 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
+ box = 0;
+ tmpstream = 0;
+
+- if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
++ if (!(box = jp2_box_create0())) {
+ goto error;
+ }
+-
+- // Mark the box data as never having been constructed
+- // so that we will not errantly attempt to destroy it later.
+- box->ops = &jp2_boxinfo_unk.ops;
+-
+ if (jp2_getuint32(in, &len) || jp2_getuint32(in, &box->type)) {
+ goto error;
+ }
+@@ -263,10 +271,12 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
+ box->info = boxinfo;
+ box->len = len;
+ JAS_DBGLOG(10, (
+- "preliminary processing of JP2 box: type=%c%s%c (0x%08x);
length=%d\n",
++ "preliminary processing of JP2 box: "
++ "type=%c%s%c (0x%08x); length=%"PRIuFAST32"\n",
+ '"', boxinfo->name, '"', box->type, box->len
+ ));
+ if (box->len == 1) {
++ JAS_DBGLOG(10, ("big length\n"));
+ if (jp2_getuint64(in, &extlen)) {
+ goto error;
+ }
+@@ -382,6 +392,7 @@ static int jp2_bpcc_getdata(jp2_box_t *box, jas_stream_t
*in)
+ {
+ jp2_bpcc_t *bpcc = &box->data.bpcc;
+ unsigned int i;
++ bpcc->bpcs = 0;
+ bpcc->numcmpts = box->datalen;
+ if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) {
+ return -1;
+@@ -462,6 +473,7 @@ static int jp2_cdef_getdata(jp2_box_t *box, jas_stream_t
*in)
+ jp2_cdef_t *cdef = &box->data.cdef;
+ jp2_cdefchan_t *chan;
+ unsigned int channo;
++ cdef->ents = 0;
+ if (jp2_getuint16(in, &cdef->numchans)) {
+ return -1;
+ }
+@@ -518,7 +530,9 @@ int jp2_box_put(jp2_box_t *box, jas_stream_t *out)
+ }
+
+ if (dataflag) {
+- if (jas_stream_copy(out, tmpstream, box->len -
JP2_BOX_HDRLEN(false))) {
++ if (jas_stream_copy(out, tmpstream, box->len -
++ JP2_BOX_HDRLEN(false))) {
++ jas_eprintf("cannot copy box data\n");
+ goto error;
+ }
+ jas_stream_close(tmpstream);
+@@ -777,6 +791,7 @@ static int jp2_cmap_getdata(jp2_box_t *box, jas_stream_t
*in)
+ jp2_cmap_t *cmap = &box->data.cmap;
+ jp2_cmapent_t *ent;
+ unsigned int i;
++ cmap->ents = 0;
+
+ cmap->numchans = (box->datalen) / 4;
+ if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) {
+@@ -835,6 +850,7 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t
*in)
+ int_fast32_t x;
+
+ pclr->lutdata = 0;
++ pclr->bpc = 0;
+
+ if (jp2_getuint16(in, &pclr->numlutents) ||
+ jp2_getuint8(in, &pclr->numchans)) {
+@@ -869,9 +885,9 @@ static int jp2_pclr_putdata(jp2_box_t *box, jas_stream_t
*out)
+ #if 0
+ jp2_pclr_t *pclr = &box->data.pclr;
+ #endif
+-/* Eliminate warning about unused variable. */
+-box = 0;
+-out = 0;
++ /* Eliminate warning about unused variable. */
++ box = 0;
++ out = 0;
+ return -1;
+ }
+