Version in base suite: 2.3.0-2 Base version: openjpeg2_2.3.0-2 Target version: openjpeg2_2.3.0-2+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openjpeg2/openjpeg2_2.3.0-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openjpeg2/openjpeg2_2.3.0-2+deb10u1.dsc changelog | 11 +++++++++++ patches/CVE-2018-20847.patch | 40 ++++++++++++++++++++++++++++++++++++++++ patches/CVE-2018-21010.patch | 26 ++++++++++++++++++++++++++ patches/series | 2 ++ 4 files changed, 79 insertions(+)
diff -Nru openjpeg2-2.3.0/debian/changelog openjpeg2-2.3.0/debian/changelog
--- openjpeg2-2.3.0/debian/changelog 2019-03-10 17:34:51.000000000 +0000
+++ openjpeg2-2.3.0/debian/changelog 2019-10-17 12:48:09.000000000 +0000
@@ -1,3 +1,14 @@
+openjpeg2 (2.3.0-2+deb10u1) buster; urgency=high
+
+ * Backport security fixes:
+ * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile
+ (Closes: #939553).
+ * CVE-2018-20847: improper computation of values in the function
+ opj_get_encoding_parameters, leading to an integer overflow
+ (Closes: #931294).
+
+ -- Hugo Lefeuvre Thu, 17 Oct 2019 14:48:09 +0200
+
openjpeg2 (2.3.0-2) unstable; urgency=high
[ Hugo Lefeuvre ]
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 2019-10-17 12:48:09.000000000 +0000
@@ -0,0 +1,40 @@
+Description: fix integer overflow in opj_get_encoding_parameters
+ This bug is known at three places in the source code:
+ opj_get_all_encoding_parameters() and opj_tcd_init_tile() in pi.c and tcd.c
+ (both fixed _before_ the release of 2.1.2), and opj_get_encoding_parameters()
+ in pi.c. This patch addresses the issue in opj_get_encoding_parameters().
+Author: Young_X
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/c58df149900df862
+--- a/src/lib/openjp2/pi.c 2019-10-17 14:41:15.997977749 +0200
++++ b/src/lib/openjp2/pi.c 2019-10-17 14:43:46.276679721 +0200
+@@ -748,6 +748,9 @@
+ /* position in x and y of tile */
+ OPJ_UINT32 p, q;
+
++ /* non-corrected (in regard to image offset) tile offset */
++ OPJ_UINT32 l_tx0, l_ty0;
++
+ /* preconditions */
+ assert(p_cp != 00);
+ assert(p_image != 00);
+@@ -763,14 +766,12 @@
+ q = p_tileno / p_cp->tw;
+
+ /* find extent of tile */
+- *p_tx0 = opj_int_max((OPJ_INT32)(p_cp->tx0 + p * p_cp->tdx),
+- (OPJ_INT32)p_image->x0);
+- *p_tx1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx),
+- (OPJ_INT32)p_image->x1);
+- *p_ty0 = opj_int_max((OPJ_INT32)(p_cp->ty0 + q * p_cp->tdy),
+- (OPJ_INT32)p_image->y0);
+- *p_ty1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + (q + 1) * p_cp->tdy),
+- (OPJ_INT32)p_image->y1);
++ l_tx0 = p_cp->tx0 + p * p_cp->tdx; /* can't be greater than p_image->x1 so won't overflow */
++ *p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0);
++ *p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), p_image->x1);
++ l_ty0 = p_cp->ty0 + q * p_cp->tdy; /* can't be greater than p_image->y1 so won't overflow */
++ *p_ty0 = (OPJ_INT32)opj_uint_max(l_ty0, p_image->y0);
++ *p_ty1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, p_cp->tdy), p_image->y1);
+
+ /* max precision is 0 (can only grow) */
+ *p_max_prec = 0;
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch
---
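Review bot: The comment `/* can't be greater than p_image->x1 so won't overflow */` on the new `l_tx0 = p_cp->tx0 + p * p_cp->tdx;` line (and its `l_ty0` twin) asserts an invariant that nothing in this hunk enforces: both the multiplication and the addition are plain OPJ_UINT32 arithmetic, so the claim rests entirely on the tile-grid validation performed when the SIZ marker is parsed, presumably in the codestream reader. Since the function already states its preconditions with `assert(p_cp != 00);`, the dependency would be clearer as `assert(l_tx0 <= p_image->x1); /* relies on SIZ-marker tile-grid validation in the reader */` placed after the assignment, matching the existing style. Note also that the `(OPJ_INT32)` casts on the six output lines remain: `opj_uint_adds` saturates at UINT32_MAX, but any coordinate above INT32_MAX (either from that saturation or from `p_image->x1` itself) still becomes a negative tile extent after the cast, so the fix is only complete if the reader rejects such coordinate ranges — worth confirming rather than assuming. `opj_get_encoding_parameters` begins and ends outside this hunk, and `p` is assigned before the visible lines.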
openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 1970-01-01 00:00:00.000000000 +0000
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 2019-10-17 12:48:09.000000000 +0000
@@ -0,0 +1,26 @@
+Description: color_apply_icc_profile: avoid potential heap buffer overflow
+ This patch addresses CVE-2018-21010. It differs slightly from upstream's
+ patch in that we avoid whitespace refactoring and complex nested ifs.
+Author: Even Rouault , Hugo Lefeuvre
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c9
+--- a/src/bin/common/color.c 2019-10-17 14:33:21.021771909 +0200
++++ b/src/bin/common/color.c 2019-10-17 14:34:39.397137223 +0200
+@@ -597,6 +597,18 @@
+ }
+
+ if (image->numcomps > 2) { /* RGB, RGBA */
++
++ if (!(image->comps[0].w == image->comps[1].w &&
++ image->comps[0].w == image->comps[2].w) ||
++ !(image->comps[0].h == image->comps[1].h &&
++ image->comps[0].h == image->comps[2].h))
++ {
++ fprintf(stderr,
++ "[ERROR] Image components should have the same width and height\n");
++ cmsDeleteTransform(transform);
++ return;
++ }
++
+ if (prec <= 8) {
+ unsigned char *inbuf, *outbuf, *in, *out;
+
diff -Nru openjpeg2-2.3.0/debian/patches/series openjpeg2-2.3.0/debian/patches/series
--- openjpeg2-2.3.0/debian/patches/series 2019-03-10 17:31:30.000000000 +0000
+++ openjpeg2-2.3.0/debian/patches/series 2019-10-17 12:48:09.000000000 +0000
@@ -5,3 +5,5 @@
CVE-2018-18088.patch
CVE-2018-5785.patch
CVE-2018-6616.patch
+CVE-2018-21010.patch
+CVE-2018-20847.patch
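Review bot: The new guard inside `if (image->numcomps > 2) { /* RGB, RGBA */` validates the width and height of `comps[0]`, `comps[1]` and `comps[2]` only, so for the RGBA case the branch comment names (`numcomps == 4`) `comps[3]` is never checked; that is safe only if the conversion loops below never index `comps[3]` with the shared dimensions, and those loops lie outside this hunk, so please confirm against the `prec <= 8` and wider-precision bodies before treating the guard as complete. Because the function returns `void` (the `return;` in the error path), a caller has no way to learn that the ICC transform was skipped beyond the stderr message; a short comment on the `return;` such as `/* image is left untransformed; caller sees no error */` would make that inherited limitation explicit. As a point of style, the double-negated `!(a && b) || !(c && d)` with the brace on its own line departs from the surrounding `if (...) {` form; the flat `if (image->comps[0].w != image->comps[1].w || image->comps[0].w != image->comps[2].w || image->comps[0].h != image->comps[1].h || image->comps[0].h != image->comps[2].h) {` is shorter and avoids the nesting the patch description says it wants to avoid. `color_apply_icc_profile` begins and ends outside this hunk.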