diff -Nru openjpeg2-2.3.0/debian/changelog openjpeg2-2.3.0/debian/changelog
--- openjpeg2-2.3.0/debian/changelog 2017-10-16 05:43:41.000000000 +0000
+++ openjpeg2-2.3.0/debian/changelog 2019-08-20 20:01:14.000000000 +0000
@@ -1,3 +1,37 @@
+openjpeg2 (2.3.0-2build0.18.04.1) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Sync from Debian
+
+ -- Eduardo Barretto Tue, 20 Aug 2019 17:01:14 -0300
+
+openjpeg2 (2.3.0-2) unstable; urgency=high
+
+ [ Hugo Lefeuvre ]
+ * CVE-2017-17480: stack-based buffer overflow in the pgxtovolume function in
+ jp3d/convert.c (Closes: #884738).
+ * CVE-2018-14423: division-by-zero in pi_next_pcrl, pi_next_cprl, and
+ pi_next_rpcl in lib/openjp3d/pi.c (Closes: #904873).
+ * CVE-2018-18088: null pointer dereference in imagetopnm in jp2/convert.c
+ (Closes: #910763).
+ * CVE-2018-5785: integer overflow caused by an out-of-bounds left shift in the
+ opj_j2k_setup_encoder function (openjp2/j2k.c) (Closes: #888533).
+ * CVE-2018-6616: excessive iteration in the opj_t1_encode_cblks function of
+ openjp2/t1.c (Closes: #889683).
+
+ [ Mathieu Malaterre ]
+ * Add Hugo as Uploader
+
+ -- Mathieu Malaterre Sun, 10 Mar 2019 18:34:51 +0100
+
+openjpeg2 (2.3.0-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix "FTBFS with Java 9 due to -source/-target only":
+ apply patch by Markus Koschany to build with Java 9 or later.
+ (Closes: #873997)
+
+ -- gregor herrmann Sun, 02 Dec 2018 18:18:22 +0100
+
 openjpeg2 (2.3.0-1) unstable; urgency=medium
 
 * New upstream release. Closes: #877758
diff -Nru openjpeg2-2.3.0/debian/control openjpeg2-2.3.0/debian/control
--- openjpeg2-2.3.0/debian/control 2017-10-16 05:43:41.000000000 +0000
+++ openjpeg2-2.3.0/debian/control 2019-03-10 17:34:29.000000000 +0000
@@ -1,7 +1,7 @@
 Source: openjpeg2
 Priority: optional
 Maintainer: Debian PhotoTools Maintainers
-Uploaders: Mathieu Malaterre
+Uploaders: Mathieu Malaterre , Hugo Lefeuvre
 Homepage: http://www.openjpeg.org
 Build-Depends: cmake (>= 2.8.2),
 debhelper (>= 9),
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2017-17480.patch openjpeg2-2.3.0/debian/patches/CVE-2017-17480.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2017-17480.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.3.0/debian/patches/CVE-2017-17480.patch 2019-03-10 17:31:30.000000000 +0000
@@ -0,0 +1,29 @@
+Description: jp3d/jpwl convert: fix write stack buffer overflow
+ Missing buffer length formatter in fscanf call might lead to write
+ stack buffer overflow.
+Author: Hugo Lefeuvre
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/0bc90e4062a5f9258c91eca018c019b179066c62
+--- a/src/bin/jp3d/convert.c 2017-10-05 00:23:14.000000000 +0200
++++ b/src/bin/jp3d/convert.c 2019-03-04 12:58:37.362461916 +0100
+@@ -297,8 +297,8 @@
+ fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
+
+ fseek(f, 0, SEEK_SET);
+- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
+- signtmp, &prec, temp, &w, temp, &h);
++ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
++ &endian2, signtmp, &prec, temp, &w, temp, &h);
+
+ i = 0;
+ sign = '+';
+--- a/src/bin/jpwl/convert.c 2017-10-05 00:23:14.000000000 +0200
++++ b/src/bin/jpwl/convert.c 2019-03-04 12:58:37.362461916 +0100
+@@ -1348,7 +1348,7 @@
+ }
+
+ fseek(f, 0, SEEK_SET);
+- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
+ &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
+ fprintf(stderr,
+ "ERROR: Failed to read the right number of element from the fscanf() function!\n");
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-14423.patch openjpeg2-2.3.0/debian/patches/CVE-2018-14423.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-14423.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-14423.patch 2019-03-10 17:31:30.000000000 +0000
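Review bot: In the jp3d/convert.c hunk the return value of `fscanf` is still discarded, while the jpwl/convert.c copy of the same call compares it with 9. A short or malformed PGX header would therefore leave `endian1`, `prec`, `w` and `h` holding whatever they held before the call, and the code after the hunk goes on to use them. I would apply the same guard in jp3d, `if (fscanf(f, ...) != 9) { /* report and bail out */ }`, with cleanup matching the rest of the function, which lies outside the hunk. The width `31` also has to stay one less than the sizes of `temp` and `signtmp`, whose declarations are not visible here; a comment next to both calls such as `/* 31 == sizeof(temp) - 1 == sizeof(signtmp) - 1 */`, once confirmed, would keep the format and the buffers from drifting apart.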
@@ -0,0 +1,50 @@
+Description: jp3d: avoid divisions by zero / undefined behaviour on shift
+Author: Young_X
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/bd88611ed9ad7144ec4f3de54790cd848175891b
+--- a/src/lib/openjp3d/pi.c 2017-10-05 00:23:14.000000000 +0200
++++ b/src/lib/openjp3d/pi.c 2019-03-04 13:10:50.383000628 +0100
+@@ -223,6 +223,14 @@
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
+@@ -329,6 +337,14 @@
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
+@@ -432,6 +448,14 @@
+ rpx = res->pdx + levelnox;
+ rpy = res->pdy + levelnoy;
+ rpz = res->pdz + levelnoz;
++
++ /* To avoid divisions by zero / undefined behaviour on shift */
++ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy ||
++ rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz) {
++ continue;
++ }
++
+ if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
+ (trx0 << levelnox) % (1 << rpx)))) {
+ continue;
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-18088.patch openjpeg2-2.3.0/debian/patches/CVE-2018-18088.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-18088.patch
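Review bot: The new guard detects overflow by performing the very shift it is meant to protect: `(comp->dx << rpx) >> rpx` is evaluated before anything is rejected, so if `dx` is a signed `int` (its declaration is outside the hunk) an overflowing shift is already undefined behaviour. A zero `dx`, `dy` or `dz` also passes the round-trip comparison and would still reach `pi->x % (comp->dx << rpx)`, and a negative `rpx` is not excluded by `rpx >= 31`; whether earlier validation rules these out cannot be seen from here. A test that does not shift first would be `rpx < 0 || rpx >= 31 || comp->dx <= 0 || comp->dx > (INT_MAX >> rpx)`, repeated for y and z. The same block is pasted into all three inner hunks (at 223, 329 and 432), so a small `static` helper taking `comp` and the three exponents would keep the copies in step.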
1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-18088.patch 2019-03-10 17:31:30.000000000 +0000
@@ -0,0 +1,24 @@
+Description: jp2: convert: fix null pointer dereference
+ Tile components in a JP2 image might have null data pointer by defining a
+ zero component size (for example using large horizontal or vertical
+ sampling periods). This null data pointer leads to null image component
+ data pointer, causing crash when dereferenced without != null check in
+ imagetopnm.
+ .
+ Add != null check.
+Author: Hugo Lefeuvre
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/cab352e249ed3372dd9355c85e837613fff98fa2
+--- a/src/bin/jp2/convert.c 2017-10-05 00:23:14.000000000 +0200
++++ b/src/bin/jp2/convert.c 2019-03-04 13:17:42.184753185 +0100
+@@ -2210,6 +2210,11 @@
+ opj_version(), wr, hr, max);
+
+ red = image->comps[compno].data;
++ if (!red) {
++ fclose(fdest);
++ continue;
++ }
++
+ adjustR =
+ (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
+
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-5785.patch openjpeg2-2.3.0/debian/patches/CVE-2018-5785.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-5785.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-5785.patch 2019-03-10 17:31:30.000000000 +0000
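Review bot: The `!red` check sits after what appears to be the header write (the `opj_version(), wr, hr, max);` context line looks like the tail of that call), so skipping the component leaves a header-only output file behind and reports nothing to the user. I would move the test ahead of the write if the surrounding code allows it, or at least emit a diagnostic before the `continue`, for example `fprintf(stderr, "imagetopnm: component %d has no data, skipped\n", compno);`. If the function keeps a status variable for its return value, it should be set to failure on this path as well; the loop header and the return statement are outside the hunk, so that part needs checking against the full function.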
@@ -0,0 +1,69 @@
+Description: convertbmp: fix issues with zero bitmasks
+ In the case where a BMP file declares compression 3 (BI_BITFIELDS)
+ with header size <= 56, all bitmask values keep their initialization
+ value 0. This may lead to various undefined behavior later e.g. when
+ doing 1 << (l_comp->prec - 1).
+ .
+ This issue does not affect files with bit count 16 because of a check
+ added in 16240e2 which sets default values to the color masks if they
+ are all 0.
+ .
+ This commit adds similar checks for the 32 bit case.
+ .
+ Also, if a BMP file declares compression 3 with header size >= 56 and
+ intentional 0 bitmasks, the same issue will be triggered in both the
+ 16 and 32 bit count case.
+ .
+ This commit adds checks to bmp_read_info_header() rejecting BMP files
+ with "intentional" 0 bitmasks. These checks might be removed in the
+ future when proper handling of zero bitmasks will be available in
+ openjpeg2.
+Author: Hugo Lefeuvre
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/ca16fe55014c57090dd97369256c7657aeb25975
+--- a/src/bin/jp2/convertbmp.c 2017-10-05 00:23:14.000000000 +0200
++++ b/src/bin/jp2/convertbmp.c 2019-03-04 13:21:18.182489081 +0100
+@@ -435,16 +435,31 @@
+ header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biRedMask) {
++ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
++ return OPJ_FALSE;
++ }
++
+ header->biGreenMask = (OPJ_UINT32)getc(IN);
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biGreenMask) {
++ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
++ return OPJ_FALSE;
++ }
++
+ header->biBlueMask = (OPJ_UINT32)getc(IN);
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
+ header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
+
++ if (!header->biBlueMask) {
++ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
++ return OPJ_FALSE;
++ }
++
+ header->biAlphaMask = (OPJ_UINT32)getc(IN);
+ header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
+ header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
+@@ -831,6 +846,12 @@
+ bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
+ 0x00000000U);
+ } else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
++ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
++ (Info_h.biBlueMask == 0U)) {
++ Info_h.biRedMask = 0x00FF0000U;
++ Info_h.biGreenMask = 0x0000FF00U;
++ Info_h.biBlueMask = 0x000000FFU;
++ }
+ bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
+ Info_h.biBlueMask, Info_h.biAlphaMask);
+ } else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-6616.patch openjpeg2-2.3.0/debian/patches/CVE-2018-6616.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-6616.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-6616.patch 2019-03-10 17:31:30.000000000 +0000
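Review bot: A truncated header is not caught by the new zero-mask checks in the first inner hunk, because each mask byte is read as `(OPJ_UINT32)getc(IN)`: on end of file `EOF` converts to 0xFFFFFFFF and the mask ends up non-zero. Testing `feof(IN) || ferror(IN)` after the mask reads, before the zero tests, would close that gap; how the rest of the function reports read errors is outside the hunk. The three new messages also pass an `OPJ_UINT32` to `%d`, where `%u` matches the type, and since the value is always 0 on that path the message could just say `invalid red mask value 0`.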
@@ -0,0 +1,59 @@
+Description: convertbmp: detect invalid file dimensions early
+ width/length dimensions read from bmp headers are not necessarily
+ valid. For instance they may have been maliciously set to very large
+ values with the intention to cause DoS (large memory allocation, stack
+ overflow). In these cases we want to detect the invalid size as early
+ as possible.
+ .
+ This commit introduces a counter which verifies that the number of
+ written bytes corresponds to the advertized width/length.
+Author: Hugo Lefeuvre
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3
+--- a/src/bin/jp2/convertbmp.c 2019-03-04 13:28:27.107134602 +0100
++++ b/src/bin/jp2/convertbmp.c 2019-03-04 13:29:15.778697169 +0100
+@@ -534,14 +534,14 @@
+ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
+ OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
+ {
+- OPJ_UINT32 x, y;
++ OPJ_UINT32 x, y, written;
+ OPJ_UINT8 *pix;
+ const OPJ_UINT8 *beyond;
+
+ beyond = pData + stride * height;
+ pix = pData;
+
+- x = y = 0U;
++ x = y = written = 0U;
+ while (y < height) {
+ int c = getc(IN);
+ if (c == EOF) {
+@@ -561,6 +561,7 @@
+ for (j = 0; (j < c) && (x < width) &&
+ ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
+ *pix = c1;
++ written++;
+ }
+ } else {
+ c = getc(IN);
+@@ -598,6 +599,7 @@
+ }
+ c1 = (OPJ_UINT8)c1_int;
+ *pix = c1;
++ written++;
+ }
+ if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
+ c = getc(IN);
+@@ -608,6 +610,12 @@
+ }
+ }
+ }/* while() */
++
++ if (written != width * height) {
++ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
++ return OPJ_FALSE;
++ }
++
+ return OPJ_TRUE;
+ }
+
diff -Nru openjpeg2-2.3.0/debian/patches/java9.patch openjpeg2-2.3.0/debian/patches/java9.patch
--- openjpeg2-2.3.0/debian/patches/java9.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.3.0/debian/patches/java9.patch 2018-12-02 17:17:30.000000000 +0000
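Review bot: The final comparison `written != width * height` multiplies two `OPJ_UINT32` values, so for large advertised dimensions the product wraps and the check compares against the wrapped value; the same applies to `stride * height` in the `beyond` computation shown as context. Doing the multiplication in a wider type, `if ((OPJ_UINT64)written != (OPJ_UINT64)width * height)`, or rejecting `height != 0 && width > UINT32_MAX / height` at the top of the function, avoids that. `written` is incremented only at the two pixel stores shown; if the escape branches that lie outside these hunks (end of line, delta) advance `x`/`y` without storing, well-formed RLE8 files that skip pixels would now be rejected, which deserves a regression test. The message is prefixed `warning` although the function returns `OPJ_FALSE`, so `error` would describe the outcome better.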
@@ -0,0 +1,25 @@
+From: Markus Koschany
+Date: Mon, 22 Jan 2018 23:49:10 +0100
+Subject: java9
+
+---
+ src/bin/jpip/CMakeLists.txt | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/jpip/CMakeLists.txt b/src/bin/jpip/CMakeLists.txt
+index 301d885..b412510 100644
+--- a/src/bin/jpip/CMakeLists.txt
++++ b/src/bin/jpip/CMakeLists.txt
+@@ -61,10 +61,10 @@ find_package(Java 1.5 COMPONENTS Development) # javac, jar
+
+ # User can override this:
+ if(NOT DEFINED JAVA_SOURCE_VERSION)
+- set(JAVA_SOURCE_VERSION 1.5)
++ set(JAVA_SOURCE_VERSION 1.7)
+ endif()
+ if(NOT DEFINED JAVA_TARGET_VERSION)
+- set(JAVA_TARGET_VERSION 1.5)
++ set(JAVA_TARGET_VERSION 1.7)
+ endif()
+
+ # Only build the java viewer if dev is found:
diff -Nru openjpeg2-2.3.0/debian/patches/series openjpeg2-2.3.0/debian/patches/series
--- openjpeg2-2.3.0/debian/patches/series 2017-10-16 05:43:41.000000000 +0000
+++ openjpeg2-2.3.0/debian/patches/series 2019-03-10 17:31:30.000000000 +0000
@@ -1 +1,7 @@
 multiarch_path.patch
+java9.patch
+CVE-2017-17480.patch
+CVE-2018-14423.patch
+CVE-2018-18088.patch
+CVE-2018-5785.patch
+CVE-2018-6616.patch