v2: OpenJPEG security fixes (CVE-2016-{5157,7163})

Message ID 20160909180458.GA2732@jasmine
State New

Commit Message

Leo Famulari Sept. 9, 2016, 6:04 p.m. UTC
On Fri, Sep 09, 2016 at 02:04:39AM -0400, Leo Famulari wrote:
> Two bugs disclosed in OpenJPEG, CVE-2016-5157 and CVE-2016-7163. Both
> can be used to execute arbitrary code, apparently.
> 
> CVE-2016-7163:
> http://seclists.org/oss-sec/2016/q3/442
> 
> CVE-2016-5157:
> http://seclists.org/oss-sec/2016/q3/441

My previous attempt to fix these bugs did not work. The patch for
CVE-2016-7163 was mangled in a confusing way, and the patch for
CVE-2016-5157 simply did not apply.

Here is an updated patch series.

First, it updates openjpeg to 2.1.1, which apparently has not changed
the ABI or API:
https://github.com/uclouvain/openjpeg/blob/master/NEWS.md#openjpeg-211

Then, it applies the fix for CVE-2016-7163 to openjpeg and openjpeg-2.0.

Finally, it adapts the upstream fix for CVE-2016-5157 and applies it to
openjpeg. I had to amend this commit slightly, since the diff that adds
tests for the fixed issue referred to a commit that is not yet released.

Also, the fix for CVE-2016-5157 does not apply to openjpeg-2.0. I'd like
to investigate this issue separately. The only user of openjpeg-2.0 is
mupdf.

From 1d03058d95306e6ea30082f58ec2d4fd227971a9 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 9 Sep 2016 13:41:13 -0400
Subject: [PATCH 1/3] gnu: openjpeg: Update to 2.1.1.

* gnu/packages/image.scm (openjpeg): Update to 2.1.1.
[source]: Use GitHub URL and add file-name field. Remove
"openjpeg-use-after-free-fix.patch" and "openjpeg-CVE-2015-6581.patch" from
patches.
---
 gnu/packages/image.scm | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

Patch

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 2a2a77e..aafe705 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -380,17 +380,17 @@  work.")
 (define-public openjpeg
   (package
     (name "openjpeg")
-    (version "2.1.0")
+    (version "2.1.1")
     (source
       (origin
         (method url-fetch)
         (uri
-         (string-append "mirror://sourceforge/openjpeg.mirror/" version "/"
-                        name "-" version ".tar.gz"))
+         (string-append "https://github.com/uclouvain/openjpeg/archive/v"
+                        version ".tar.gz"))
+        (file-name (string-append name "-" version ".tar.gz"))
         (sha256
-         (base32 "00zzm303zvv4ijzancrsb1cqbph3pgz0nky92k9qx3fq9y0vnchj"))
-        (patches (search-patches "openjpeg-use-after-free-fix.patch"
-                                 "openjpeg-CVE-2015-6581.patch"))))
+         (base32
+          "1anv0rjkbxw9kx91wvlfpb3dhppibda6kb1papny46bjzi3pzhl2"))))
     (build-system cmake-build-system)
     (arguments
       ;; Trying to run `$ make check' results in a no rule fault.
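Review bot: dropping "openjpeg-use-after-free-fix.patch" and "openjpeg-CVE-2015-6581.patch" from the patches field leaves the two patch files themselves in the tree, since the diffstat shows only gnu/packages/image.scm changing; if they are registered in gnu/local.mk (dist_patch_DATA), delete the files and their gnu/local.mk entries in this same commit and record that in the commit message, otherwise the repository carries dead patches that nothing references. Secondary point on the new uri: the sourceforge mirror tarball was a release artifact, whereas "https://github.com/uclouvain/openjpeg/archive/v" + version is an archive generated by GitHub on request, so it is worth confirming the base32 hash against a fresh download before merging, and the added file-name field is needed here because the archive URL no longer ends in a descriptive name.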