From 985b73b871df35bfb163c3a180691ac7b8aa55bd Mon Sep 17 00:00:00 2001 From: Max Rees Date: Wed, 10 Jun 2020 12:13:22 -0500 Subject: user/libjpeg-turbo: [CVE] patch CVE-2020-13790 (#298) --- user/libjpeg-turbo/APKBUILD | 11 ++++++++--- user/libjpeg-turbo/CVE-2020-13790.patch | 35 +++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 user/libjpeg-turbo/CVE-2020-13790.patch diff --git a/user/libjpeg-turbo/APKBUILD b/user/libjpeg-turbo/APKBUILD index ad4a4076a..00b4ec314 100644 --- a/user/libjpeg-turbo/APKBUILD +++ b/user/libjpeg-turbo/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox pkgname=libjpeg-turbo pkgver=2.0.4 -pkgrel=0 +pkgrel=1 pkgdesc="Accelerated JPEG compression and decompression library" url="https://libjpeg-turbo.org/" arch="all" @@ -10,7 +10,9 @@ license="IJG AND BSD-3-Clause AND Zlib" depends="" makedepends="cmake" subpackages="$pkgname-doc $pkgname-dev $pkgname-utils" -source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz" +source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz + CVE-2020-13790.patch + " case "$CTARGET_ARCH" in pmmx | x86 | x86_64) makedepends="$makedepends nasm" ;; @@ -19,6 +21,8 @@ esac # secfixes: # 2.0.3-r0: # - CVE-2019-2201 +# 2.0.4-r1: +# - CVE-2020-13790 build() { if [ "$CBUILD" != "$CHOST" ]; then @@ -51,4 +55,5 @@ utils() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="708c2e7418d9ed5abca313e2ff5a08f8176d79cad2127573cda6036583c201973db4cfb0eafc0fc8f57ecc7b000d2b4af95980de54de5a0aed45969e993a5bf9 libjpeg-turbo-2.0.4.tar.gz" +sha512sums="708c2e7418d9ed5abca313e2ff5a08f8176d79cad2127573cda6036583c201973db4cfb0eafc0fc8f57ecc7b000d2b4af95980de54de5a0aed45969e993a5bf9 libjpeg-turbo-2.0.4.tar.gz +83752558d0cf60508a9ccd55505b91f4faa22277537916629a045b2aaa0cb3649e2f90b0df26d389687dc4aba78bdf76e64fc5e5eb324a65026ec86cd95dbe6a CVE-2020-13790.patch" diff --git a/user/libjpeg-turbo/CVE-2020-13790.patch b/user/libjpeg-turbo/CVE-2020-13790.patch new file mode 100644 index 000000000..aaeec0c9c --- /dev/null +++ b/user/libjpeg-turbo/CVE-2020-13790.patch @@ -0,0 +1,35 @@ +From 3de15e0c344d11d4b90f4a47136467053eb2d09a Mon Sep 17 00:00:00 2001 +From: DRC +Date: Tue, 2 Jun 2020 14:15:37 -0500 +Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM + +This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to +include binary PPM files with maximum values < 255, thus preventing a +malformed binary PPM input file with those specifications from +triggering an overrun of the rescale array and potentially crashing +cjpeg, TJBench, or any program that uses the tjLoadImage() function. + +Fixes #433 + +diff --git a/rdppm.c b/rdppm.c +index 87bc33090..a8507b902 100644 +--- a/rdppm.c ++++ b/rdppm.c +@@ -5,7 +5,7 @@ + * Copyright (C) 1991-1997, Thomas G. Lane. + * Modified 2009 by Bill Allombert, Guido Vollbeding. + * libjpeg-turbo Modifications: +- * Copyright (C) 2015-2017, D. R. Commander. ++ * Copyright (C) 2015-2017, 2020, D. R. Commander. + * For conditions of distribution and use, see the accompanying README.ijg + * file. + * +@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + /* On 16-bit-int machines we have to be careful of maxval = 65535 */ + source->rescale = (JSAMPLE *) + (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, +- (size_t)(((long)maxval + 1L) * ++ (size_t)(((long)MAX(maxval, 255) + 1L) * + sizeof(JSAMPLE))); + half_maxval = maxval / 2; + for (val = 0; val <= (long)maxval; val++) { -- cgit v1.2.3-70-g09d2