Package: openjpeg2 / 2.1.2-1.1+deb9u3

Metadata

Package: openjpeg2
Version: 2.1.2-1.1+deb9u3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
multiarch_path.patch

cmake/OpenJPEGConfig.cmake.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 upstream did not handle multi-arch installation path
 It naively assumed the include location to be two levels above the lib
 installation.
CVE 2016 9572_CVE 2016 9573.patch

src/bin/jp2/convert.c | 59 53 + 6 - 0 !
src/bin/jp2/convertbmp.c | 29 28 + 1 - 0 !
src/bin/jp2/opj_decompress.c | 2 1 + 1 - 0 !
src/lib/openjp2/j2k.c | 11 8 + 3 - 0 !
4 files changed, 90 insertions(+), 11 deletions(-)

 [patch] changes for issues #863 and #862


c22cbd8bdf8ff2ae372f94391a4be2d322b36b41.patch

src/bin/jp2/convert.c | 10 10 + 0 - 0 !
src/lib/openjp2/image.c | 8 7 + 1 - 0 !
2 files changed, 17 insertions(+), 1 deletion(-)

 [patch] avoid heap buffer overflow in function pnmtoimage of
 convert.c, and unsigned integer overflow in opj_image_create()
 (CVE-2016-9118, #861)


3fbe71369019df0b47c7a2be4fab8c05768f2f32.patch

src/lib/openjp2/j2k.c | 4 4 + 0 - 0 !
src/lib/openjp2/tcd.c | 16 14 + 2 - 0 !
2 files changed, 18 insertions(+), 2 deletions(-)

 [patch] opj_tcd_get_decoded_tile_size(): fix potential uint32
 overflow (#854, CVE-2016-5152)

Fix derived from https://pdfium.googlesource.com/pdfium.git/+/d8cc503575463ff3d81b22dad292665f2c88911e/third_party/libopenjpeg20/0018-tcd_get_decoded_tile_size.patch

11445eddad7e7fa5b273d1c83c91011c44e5d586.patch

src/lib/openjp2/pi.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] opj_pi_update_decode_poc(): limit layno1 to the number of
 layers (CVE-2016-1626 and CVE-2016-1628, #850)

This has been recently fixed in a less elegant way per
80818c39f5bfbac37768fcee95b0ffeceaa77264

397f62c0a838e15d667ef50e27d5d011d2c79c04.patch

src/lib/openjp2/tcd.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 [patch] fix write heap buffer overflow in opj_mqc_byteout().
 Discovered by Ke Liu of Tencent's Xuanwu LAB (#835)


CVE 2017 14039.patch

src/lib/openjp2/j2k.c | 20 16 + 4 - 0 !
1 file changed, 16 insertions(+), 4 deletions(-)

 mix of
 4241ae6fbbf1de9658764a80944dc8108f2b4154
 and
 c535531f03369623b9b833ef41952c62257b507e (partial)
2cd30c2b06ce332dede81cccad8b334cde997281.patch

src/bin/jp2/convert.c | 40 28 + 12 - 0 !
1 file changed, 28 insertions(+), 12 deletions(-)

 [patch] tgatoimage(): avoid excessive memory allocation attempt, and
 fixes unaligned load (#995)


e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch

src/bin/jp2/convert.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] pgxtoimage(): fix write stack buffer overflow (#997)


afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch

src/lib/openjp2/tcd.c | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 [patch] encoder: grow buffer size in
 opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
 opj_mqc_flush (#982)


dcac91b8c72f743bda7dbfa9032356bc8110098a.patch

src/lib/openjp2/j2k.c | 24 20 + 4 - 0 !
1 file changed, 20 insertions(+), 4 deletions(-)

 [patch] opj_j2k_write_sot(): fix potential write heap buffer overflow
 (#991)


CVE 2017 17480.patch

src/bin/jp3d/convert.c | 2 1 + 1 - 0 !
src/bin/jpwl/convert.c | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 jp3d/jpwl convert: fix write stack buffer overflow
 Missing buffer length formatter in fscanf call might lead to write
 stack buffer overflow. Add missing formatters.
CVE 2018 18088.patch

src/bin/jp2/convert.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 jp2: convert: fix null pointer dereference
 Tile components in a JP2 image might have null data pointer by defining a
 zero component size (for example using large horizontal or vertical
 sampling periods). This null data pointer leads to null image component
 data pointer, causing crash when dereferenced without != null check in
 imagetopnm.
 .
 Add != null check.
CVE 2018 6616.patch

src/bin/jp2/convertbmp.c | 12 10 + 2 - 0 !
1 file changed, 10 insertions(+), 2 deletions(-)

 convertbmp: detect invalid file dimensions early
 width/length dimensions read from bmp headers are not necessarily
 valid. For instance they may have been maliciously set to very large
 values with the intention to cause DoS (large memory allocation, stack
 overflow). In these cases we want to detect the invalid size as early
 as possible.
 .
 This commit introduces a counter which verifies that the number of
 written bytes corresponds to the advertized width/length.
CVE 2018 14423.patch

src/lib/openjp3d/pi.c | 24 24 + 0 - 0 !
1 file changed, 24 insertions(+)

 avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423)
CVE 2018 5785.patch

src/bin/jp2/convertbmp.c | 20 20 + 0 - 0 !
1 file changed, 20 insertions(+)

 convertbmp: integer overflow (CVE-2018-5785)