Version in base suite: 2.5.0-2
Base version: openjpeg2_2.5.0-2
Target version: openjpeg2_2.5.0-2+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openjpeg2/openjpeg2_2.5.0-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openjpeg2/openjpeg2_2.5.0-2+deb12u1.dsc
changelog | 9 +++
patches/CVE-2021-3575.patch | 40 ++++++++++++++
patches/CVE-2023-39327.patch | 78 +++++++++++++++++++++++++++
patches/CVE-2024-56826.patch | 122 +++++++++++++++++++++++++++++++++++++++++++
patches/CVE-2024-56827.patch | 25 ++++++++
patches/series | 4 +
6 files changed, 278 insertions(+)
diff -Nru openjpeg2-2.5.0/debian/changelog openjpeg2-2.5.0/debian/changelog
--- openjpeg2-2.5.0/debian/changelog 2023-05-26 10:16:24.000000000 +0000
+++ openjpeg2-2.5.0/debian/changelog 2025-01-24 16:41:23.000000000 +0000
@@ -1,3 +1,12 @@
+openjpeg2 (2.5.0-2+deb12u1) bookworm-security; urgency=medium
+
+ * CVE-2021-3575 (Closes: #989775)
+ * CVE-2023-39327 (Closes: #1081908)
+ * CVE-2024-56826 (Closes: #1092675)
+ * CVE-2024-56827 (Closes: #1092675)
+
+ -- Moritz Mühlenhoff Fri, 24 Jan 2025 17:47:06 +0100
+
 openjpeg2 (2.5.0-2) unstable; urgency=medium
 * Team upload.
diff -Nru openjpeg2-2.5.0/debian/patches/CVE-2021-3575.patch openjpeg2-2.5.0/debian/patches/CVE-2021-3575.patch
--- openjpeg2-2.5.0/debian/patches/CVE-2021-3575.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.5.0/debian/patches/CVE-2021-3575.patch 2025-01-24 16:16:47.000000000 +0000
@@ -0,0 +1,40 @@
+From 7bd884f8750892de4f50bf4642fcfbe7011c6bdf Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Sun, 18 Feb 2024 17:02:25 +0100
+Subject: [PATCH] opj_decompress: fix off-by-one read heap-buffer-overflow in
+ sycc420_to_rgb() when x0 and y0 are odd (CVE-2021-3575, fixes #1347)
+
+---
+ src/bin/common/color.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/common/color.c b/src/bin/common/color.c
+index 27f15f137..ae5d648da 100644
+--- a/src/bin/common/color.c
++++ b/src/bin/common/color.c
+@@ -358,7 +358,15 @@ static void sycc420_to_rgb(opj_image_t *img)
+ if (i < loopmaxh) {
+ size_t j;
+
+- for (j = 0U; j < (maxw & ~(size_t)1U); j += 2U) {
++ if (offx > 0U) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ ++y;
++ ++r;
++ ++g;
++ ++b;
++ }
++
++ for (j = 0U; j < (loopmaxw & ~(size_t)1U); j += 2U) {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+
+ ++y;
+@@ -375,7 +383,7 @@ static void sycc420_to_rgb(opj_image_t *img)
+ ++cb;
+ ++cr;
+ }
+- if (j < maxw) {
++ if (j < loopmaxw) {
+ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
+ }
+ }
diff -Nru openjpeg2-2.5.0/debian/patches/CVE-2023-39327.patch openjpeg2-2.5.0/debian/patches/CVE-2023-39327.patch
--- openjpeg2-2.5.0/debian/patches/CVE-2023-39327.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.5.0/debian/patches/CVE-2023-39327.patch 2025-01-24 16:16:47.000000000 +0000
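Review bot: The added `if (offx > 0U)` pre-step converts the first luma sample of the trailing odd row with cb and cr forced to 0 and advances only y/r/g/b, but nothing says why, so a later maintainer may "fix" it back to `*cb, *cr`; a one-line comment such as `/* odd x0: the first column has no chroma sample of its own, convert it with cb = cr = 0 and leave cb/cr in place */` would pin the intent. The hunk also leaves the `if (j < loopmaxw)` tail reading `*cb`/`*cr` unconditionally, which is the residual read that CVE-2024-56826.patch in this same upload guards with `comp12w`, so the two patches belong together (the series file applies both). Unlike CVE-2023-39327.patch, no non-regression input is added under tests/nonregression for this fix, so the corrected read is not exercised by the package's test suite. sycc420_to_rgb and the definitions of `offx` and `loopmaxw` lie outside the hunk.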
@@ -0,0 +1,78 @@
+From c58bc128b4f770e7c89bc8ba3d0273b9a3904aad Mon Sep 17 00:00:00 2001
+From: mayeut
+Date: Sat, 17 Aug 2024 15:59:56 +0200
+Subject: [PATCH] fix: when EPH markers are specified, they are required.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+reference from Rec. ITU-T T.800 (06/2019):
+- Table A.13 – Coding style parameter values for the Scod parameter
+- Section A.8.1 Start of packet (SOP)
+- Section A.8.2 End of packet header (EPH)
+---
+ src/lib/openjp2/t2.c | 19 +++++++++++++------
+ tests/nonregression/test_suite.ctest.in | 3 +++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+Index: openjpeg2-2.5.0/src/lib/openjp2/t2.c
+===================================================================
+--- openjpeg2-2.5.0.orig/src/lib/openjp2/t2.c
++++ openjpeg2-2.5.0/src/lib/openjp2/t2.c
+@@ -1109,6 +1109,7 @@ static OPJ_BOOL opj_t2_read_packet_heade
+ /* SOP markers */
+
+ if (p_tcp->csty & J2K_CP_CSTY_SOP) {
++ /* SOP markers are allowed (i.e. optional), just warn */
+ if (p_max_length < 6) {
+ opj_event_msg(p_manager, EVT_WARNING,
+ "Not enough space for expected SOP marker\n");
+@@ -1161,12 +1162,15 @@ static OPJ_BOOL opj_t2_read_packet_heade
+
+ /* EPH markers */
+ if (p_tcp->csty & J2K_CP_CSTY_EPH) {
++ /* EPH markers are required */
+ if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data -
+ *l_header_data_start)) < 2U) {
+- opj_event_msg(p_manager, EVT_WARNING,
+- "Not enough space for expected EPH marker\n");
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough space for required EPH marker\n");
++ return OPJ_FALSE;
+ } else if ((*l_header_data) != 0xff || (*(l_header_data + 1) != 0x92)) {
+- opj_event_msg(p_manager, EVT_WARNING, "Expected EPH marker\n");
++ opj_event_msg(p_manager, EVT_ERROR, "Expected EPH marker\n");
++ return OPJ_FALSE;
+ } else {
+ l_header_data += 2;
+ }
+@@ -1330,12 +1334,15 @@ static OPJ_BOOL opj_t2_read_packet_heade
+
+ /* EPH markers */
+ if (p_tcp->csty & J2K_CP_CSTY_EPH) {
++ /* EPH markers are required */
+ if ((*l_modified_length_ptr - (OPJ_UINT32)(l_header_data -
+ *l_header_data_start)) < 2U) {
+- opj_event_msg(p_manager, EVT_WARNING,
+- "Not enough space for expected EPH marker\n");
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Not enough space for required EPH marker\n");
++ return OPJ_FALSE;
+ } else if ((*l_header_data) != 0xff || (*(l_header_data + 1) != 0x92)) {
+- opj_event_msg(p_manager, EVT_WARNING, "Expected EPH marker\n");
++ opj_event_msg(p_manager, EVT_ERROR, "Expected EPH marker\n");
++ return OPJ_FALSE;
+ } else {
+ l_header_data += 2;
+ }
+Index: openjpeg2-2.5.0/tests/nonregression/test_suite.ctest.in
+===================================================================
+--- openjpeg2-2.5.0.orig/tests/nonregression/test_suite.ctest.in
++++ openjpeg2-2.5.0/tests/nonregression/test_suite.ctest.in
+@@ -657,3 +657,6 @@ opj_decompress -i @INPUT_NR_PATH@/htj2k/
+ opj_decompress -i @INPUT_NR_PATH@/htj2k/Bretagne1_ht_lossy.j2k -o @TEMP_PATH@/Bretagne1_ht_lossy.j2k.png
+ opj_decompress -i @INPUT_NR_PATH@/htj2k/byte.jph -o @TEMP_PATH@/byte.jph.png
+ opj_decompress -i @INPUT_NR_PATH@/htj2k/byte_causal.jhc -o @TEMP_PATH@/byte_causal.jhc.png
++
++# missing EPH Marker
++!opj_decompress -i @INPUT_NR_PATH@/issue1472-bigloop.j2k -o @TEMP_PATH@/issue1472-bigloop.raw
diff -Nru openjpeg2-2.5.0/debian/patches/CVE-2024-56826.patch openjpeg2-2.5.0/debian/patches/CVE-2024-56826.patch
--- openjpeg2-2.5.0/debian/patches/CVE-2024-56826.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.5.0/debian/patches/CVE-2024-56826.patch 2025-01-24 16:16:47.000000000 +0000
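Review bot: The new `return OPJ_FALSE;` exits in both EPH blocks (hunks at 1162 and 1334) leave opj_t2_read_packet_header part-way through header parsing, and whether the caller expects `l_header_data`, `*l_modified_length_ptr` or any other output to be in a defined state on failure cannot be judged here, because the function begins before and ends after the hunk; that should be confirmed against the callers before the update ships. The bare `/* EPH markers are required */` comment would be stronger with the justification from the commit message, e.g. `/* EPH markers are required once Scod signals them (T.800 Table A.13, A.8.2): a missing marker means a corrupt stream, so fail instead of warning */`, so nobody relaxes it back to EVT_WARNING as a compatibility tweak later. This turns a previously tolerated condition into a hard decode failure, which is the intended hardening, and the `!opj_decompress` line added to test_suite.ctest.in pins the new rejection of issue1472-bigloop.j2k; that check only runs if the input file is present in the non-regression data the package build uses.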
@@ -0,0 +1,122 @@
+From 98592ee6d6904f1b48e8207238779b89a63befa2 Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Mon, 25 Nov 2024 23:11:24 +0100
+Subject: [PATCH] sycc422_to_rgb(): fix out-of-bounds read accesses when 2 *
+ width_component_1_or_2 + 1 == with_component_0
+
+Fixes #1563
+
+Also adjusts sycc420_to_rgb() for potential similar issue (amending
+commit 7bd884f8750892de4f50bf4642fcfbe7011c6bdf)
+---
+ src/bin/common/color.c | 42 ++++++++++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 10 deletions(-)
+
+Index: openjpeg2-2.5.0/src/bin/common/color.c
+===================================================================
+--- openjpeg2-2.5.0.orig/src/bin/common/color.c
++++ openjpeg2-2.5.0/src/bin/common/color.c
+@@ -158,7 +158,7 @@ static void sycc422_to_rgb(opj_image_t *
+ {
+ int *d0, *d1, *d2, *r, *g, *b;
+ const int *y, *cb, *cr;
+- size_t maxw, maxh, max, offx, loopmaxw;
++ size_t maxw, maxh, max, offx, loopmaxw, comp12w;
+ int offset, upb;
+ size_t i;
+
+@@ -167,6 +167,7 @@ static void sycc422_to_rgb(opj_image_t *
+ upb = (1 << upb) - 1;
+
+ maxw = (size_t)img->comps[0].w;
++ comp12w = (size_t)img->comps[1].w;
+ maxh = (size_t)img->comps[0].h;
+ max = maxw * maxh;
+
+@@ -212,13 +213,19 @@ static void sycc422_to_rgb(opj_image_t *
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+- ++cb;
+- ++cr;
++ if (j / 2 < comp12w) {
++ ++cb;
++ ++cr;
++ }
+ }
+ }
+
+@@ -246,7 +253,7 @@ static void sycc420_to_rgb(opj_image_t *
+ {
+ int *d0, *d1, *d2, *r, *g, *b, *nr, *ng, *nb;
+ const int *y, *cb, *cr, *ny;
+- size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh;
++ size_t maxw, maxh, max, offx, loopmaxw, offy, loopmaxh, comp12w;
+ int offset, upb;
+ size_t i;
+
+@@ -255,6 +262,7 @@ static void sycc420_to_rgb(opj_image_t *
+ upb = (1 << upb) - 1;
+
+ maxw = (size_t)img->comps[0].w;
++ comp12w = (size_t)img->comps[1].w;
+ maxh = (size_t)img->comps[0].h;
+ max = maxw * maxh;
+
+@@ -336,19 +344,29 @@ static void sycc420_to_rgb(opj_image_t *
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ ++y;
+ ++r;
+ ++g;
+ ++b;
+
+- sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *ny, 0, 0, nr, ng, nb);
++ } else {
++ sycc_to_rgb(offset, upb, *ny, *cb, *cr, nr, ng, nb);
++ }
+ ++ny;
+ ++nr;
+ ++ng;
+ ++nb;
+- ++cb;
+- ++cr;
++ if (j / 2 < comp12w) {
++ ++cb;
++ ++cr;
++ }
+ }
+ y += maxw;
+ r += maxw;
+@@ -384,7 +402,11 @@ static void sycc420_to_rgb(opj_image_t *
+ ++cr;
+ }
+ if (j < loopmaxw) {
+- sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ if (j / 2 == comp12w) {
++ sycc_to_rgb(offset, upb, *y, 0, 0, r, g, b);
++ } else {
++ sycc_to_rgb(offset, upb, *y, *cb, *cr, r, g, b);
++ }
+ }
+ }
diff -Nru openjpeg2-2.5.0/debian/patches/CVE-2024-56827.patch openjpeg2-2.5.0/debian/patches/CVE-2024-56827.patch
--- openjpeg2-2.5.0/debian/patches/CVE-2024-56827.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.5.0/debian/patches/CVE-2024-56827.patch 2025-01-24 16:16:47.000000000 +0000
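Review bot: `comp12w` is taken from `img->comps[1].w` alone yet bounds both `cb` and `cr`, so the new guards assume `comps[2].w == comps[1].w`; if the caller does not already reject images where the two chroma planes differ in width (that check is not visible in this hunk), the `*cr` read in the `j / 2 < comp12w` path is only as safe as that assumption. The guards also cover only the one-sample overrun named in the subject: the main `for (j = 0U; ...; j += 2U)` loops above each hunk still dereference `*cb`/`*cr` without comparing `j / 2` against `comp12w`, so a chroma plane narrower by more than one sample has to be rejected earlier, and a comment at the `comp12w` assignment stating that precondition, e.g. `/* 4:2:2 and 4:2:0: assumes 2 * comp12w + 1 >= maxw, expected to be validated by the caller -- confirm */`, would make it explicit. sycc422_to_rgb and sycc420_to_rgb each begin before and end after the hunks shown.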
@@ -0,0 +1,25 @@
+From e492644fbded4c820ca55b5e50e598d346e850e8 Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Mon, 25 Nov 2024 22:02:54 +0100
+Subject: [PATCH] opj_j2k_add_tlmarker(): validate that current tile-part
+ number if smaller that total number of tile-parts
+
+Fixes #1564
+---
+ src/lib/openjp2/j2k.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: openjpeg2-2.5.0/src/lib/openjp2/j2k.c
+===================================================================
+--- openjpeg2-2.5.0.orig/src/lib/openjp2/j2k.c
++++ openjpeg2-2.5.0/src/lib/openjp2/j2k.c
+@@ -8362,7 +8362,8 @@ static OPJ_BOOL opj_j2k_add_tlmarker(OPJ
+ if (type == J2K_MS_SOT) {
+ OPJ_UINT32 l_current_tile_part = cstr_index->tile_index[tileno].current_tpsno;
+
+- if (cstr_index->tile_index[tileno].tp_index) {
++ if (cstr_index->tile_index[tileno].tp_index &&
++ l_current_tile_part < cstr_index->tile_index[tileno].nb_tps) {
+ cstr_index->tile_index[tileno].tp_index[l_current_tile_part].start_pos = pos;
+ }
+
diff -Nru openjpeg2-2.5.0/debian/patches/series openjpeg2-2.5.0/debian/patches/series
--- openjpeg2-2.5.0/debian/patches/series 2023-05-26 10:04:04.000000000 +0000
+++ openjpeg2-2.5.0/debian/patches/series 2025-01-24 16:17:00.000000000 +0000
@@ -1,2 +1,6 @@
 issue878.patch
 man_fix.patch
+CVE-2021-3575.patch
+CVE-2023-39327.patch
+CVE-2024-56826.patch
+CVE-2024-56827.patch
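Review bot: The new `l_current_tile_part < cstr_index->tile_index[tileno].nb_tps` guard silently drops the index entry when a codestream carries more tile-parts than it declared, so such a malformed file now decodes with no diagnostic at all. If an event manager is reachable from opj_j2k_add_tlmarker (its parameter list is cut off in the `@@` context line), an EVT_WARNING at this point would make those inputs visible to operators; otherwise a comment such as `/* more tile-parts than declared: do not index past tp_index (see #1564) */` should record why the entry is skipped rather than rejected. Whether `current_tpsno` is still advanced for the skipped tile-part elsewhere is not visible in the hunk and is worth checking, so that later SOT markers are not indexed into the wrong slot either.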