[Buildroot] [PATCH 1/3] package/jasper: Apply fix for CVE-2018-19541

Peter Korsgaard peter at korsgaard.com
Mon Dec 2 11:40:13 UTC 2019


>>>>> "Michael" == Michael Vetter <jubalh at iodoru.org> writes:

 > Add 0001-verify-data-range-CVE-2018-19541.patch:
 > We need to verify the data is in the expected range. Otherwise we get
 > problems later.

 > Patch was proposed upstream[1] but upstream is very inactive. Linux
 > distributions use the same fix to patch their packages.

 > 1: https://github.com/mdadams/jasper/pull/211
 > Signed-off-by: Michael Vetter <jubalh at iodoru.org>

Please also add your signed-off-by in the individual patches as pointed
out by utils/check-package:

package/jasper/0001-verify-data-range-CVE-2018-19541.patch:0: missing Signed-off-by in the header (http://nightly.buildroot.org/#_format_and_licensing_of_the_package_patches)

 > ---
 >  .../0001-verify-data-range-CVE-2018-19541.patch    | 34 ++++++++++++++++++++++
 >  1 file changed, 34 insertions(+)
 >  create mode 100644 package/jasper/0001-verify-data-range-CVE-2018-19541.patch

 > diff --git a/package/jasper/0001-verify-data-range-CVE-2018-19541.patch b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
 > new file mode 100644
 > index 0000000000..95812c4006
 > --- /dev/null
 > +++ b/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
 > @@ -0,0 +1,34 @@
 > +From 24fc4d6f01d2d4c8297d1bebec02360f796e01c2 Mon Sep 17 00:00:00 2001
 > +From: Michael Vetter <jubalh at iodoru.org>
 > +Date: Mon, 4 Nov 2019 18:17:44 +0100
 > +Subject: [PATCH] Verify range data in jp2_pclr_getdata
 > +
 > +This fixes CVE-2018-19541.
 > +We need to verify the data is in the expected range. Otherwise we get
 > +problems later.
 > +
 > +This is a better fix for https://github.com/mdadams/jasper/pull/199
 > +which caused segfaults under certain circumstances.
 > +
 > +Patch by Adam Majer <adam.majer at suse.de>
 > +---
 > + src/libjasper/jp2/jp2_cod.c | 6 ++++++
 > + 1 file changed, 6 insertions(+)
 > +
 > +diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c
 > +index 890e6ad..0f8d804 100644
 > +--- a/src/libjasper/jp2/jp2_cod.c
 > ++++ b/src/libjasper/jp2/jp2_cod.c
 > +@@ -855,6 +855,12 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in)
 > + 	  jp2_getuint8(in, &pclr->numchans)) {
 > + 		return -1;
 > + 	}
 > ++
 > ++    // verify in range data as per I.5.3.4 - Palette box
 > ++    if (pclr->numchans < 1 || pclr->numlutents < 1 || pclr->numlutents > 1024) {
 > ++        return -1;
 > ++    }
 > ++
 > + 	lutsize = pclr->numlutents * pclr->numchans;
 > + 	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
 > + 		return -1;
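Review bot: The header of the embedded 0001-verify-data-range-CVE-2018-19541.patch ends at "Patch by Adam Majer" with no Signed-off-by trailer before the "---" separator, and it references only pull/199, not the pull/211 submission named in the commit message. Adding the trailer and the pull/211 URL there keeps the provenance inside the patch file itself. In the jp2_cod.c hunk, the added block starting at `if (pclr->numchans < 1 || pclr->numlutents < 1 || pclr->numlutents > 1024) {` is indented with spaces and uses a `//` comment, while the surrounding context lines use tabs. If that matches the upstream submission it is better left as is, but it is worth confirming. The placement is right: the check sits before lutsize is computed and jas_alloc2() is called, so out-of-range values never reach the allocation size.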
 > -- 
 > 2.16.4

-- 
Bye, Peter Korsgaard

