diff options
author | Peter Marko <peter.marko@siemens.com> | 2023-07-23 13:44:14 +0200 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-08-16 03:55:12 -1000 |
commit | 762bfb5fc5036c8fbea8d345a587a12e8b4eb908 (patch) | |
tree | 2ce2919ce1a7eb2345c53b7cb8b05d5d109b0aba /meta/recipes-graphics | |
parent | dcc4dbf46374d8acbd6aade1d338681b48f15d1f (diff) | |
download | poky-762bfb5fc5036c8fbea8d345a587a12e8b4eb908.tar.gz |
libjpeg-turbo: patch CVE-2023-2804
Relevant links:
* linked fronm NVD:
* https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118
* follow-up analysis:
* https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989
* picked commits fix all issues mentioned in this analysis
(From OE-Core rev: cb3c7efd313f758e9bade93b72527bc5dc470085)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r-- | meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch | 97 | ||||
-rw-r--r-- | meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch | 75 | ||||
-rw-r--r-- | meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb | 2 |
3 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch new file mode 100644 index 0000000000..6668f6e41d --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch | |||
@@ -0,0 +1,97 @@ | |||
1 | From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001 | ||
2 | From: DRC <information@libjpeg-turbo.org> | ||
3 | Date: Tue, 4 Apr 2023 19:06:20 -0500 | ||
4 | Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565 | ||
5 | |||
6 | The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565 | ||
7 | is the only 3-component colorspace that doesn't have 3-sample pixels, so | ||
8 | we need to treat it as a special case when determining whether to enable | ||
9 | 2-pass color quantization. Otherwise, attempting to initialize 2-pass | ||
10 | color quantization with an RGB565 output buffer could cause | ||
11 | prescan_quantize() to read from uninitialized memory and subsequently | ||
12 | underflow/overflow the histogram array. | ||
13 | |||
14 | djpeg is supposed to fail gracefully if both -rgb565 and -colors are | ||
15 | specified, because none of its destination managers (image writers) | ||
16 | support color quantization with RGB565. However, prescan_quantize() was | ||
17 | called before that could occur. It is possible but very unlikely that | ||
18 | these issues could have been reproduced in applications other than | ||
19 | djpeg. The issues involve the use of two features (12-bit precision and | ||
20 | RGB565) that are incompatible, and they also involve the use of two | ||
21 | rarely-used legacy features (RGB565 and color quantization) that don't | ||
22 | make much sense when combined. | ||
23 | |||
24 | Fixes #668 | ||
25 | Fixes #671 | ||
26 | Fixes #680 | ||
27 | |||
28 | CVE: CVE-2023-2804 | ||
29 | Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d] | ||
30 | |||
31 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
32 | --- | ||
33 | ChangeLog.md | 6 ++++++ | ||
34 | jdmaster.c | 5 +++-- | ||
35 | jquant2.c | 5 +++-- | ||
36 | 3 files changed, 12 insertions(+), 4 deletions(-) | ||
37 | |||
38 | diff --git a/ChangeLog.md b/ChangeLog.md | ||
39 | index e605abe73..de0c4d0dd 100644 | ||
40 | --- a/ChangeLog.md | ||
41 | +++ b/ChangeLog.md | ||
42 | @@ -1,3 +1,9 @@ quality values. | ||
43 | +9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer | ||
44 | +overruns when attempting to decompress various specially-crafted malformed | ||
45 | +12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg | ||
46 | +(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion | ||
47 | +enabled. | ||
48 | + | ||
49 | 2.0.4 | ||
50 | ===== | ||
51 | |||
52 | diff --git a/jdmaster.c b/jdmaster.c | ||
53 | index b20906438..8d8ef9956 100644 | ||
54 | --- a/jdmaster.c | ||
55 | +++ b/jdmaster.c | ||
56 | @@ -5,7 +5,7 @@ | ||
57 | * Copyright (C) 1991-1997, Thomas G. Lane. | ||
58 | * Modified 2002-2009 by Guido Vollbeding. | ||
59 | * libjpeg-turbo Modifications: | ||
60 | - * Copyright (C) 2009-2011, 2016, D. R. Commander. | ||
61 | + * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander. | ||
62 | * Copyright (C) 2013, Linaro Limited. | ||
63 | * Copyright (C) 2015, Google, Inc. | ||
64 | * For conditions of distribution and use, see the accompanying README.ijg | ||
65 | @@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo) | ||
66 | if (cinfo->raw_data_out) | ||
67 | ERREXIT(cinfo, JERR_NOTIMPL); | ||
68 | /* 2-pass quantizer only works in 3-component color space. */ | ||
69 | - if (cinfo->out_color_components != 3) { | ||
70 | + if (cinfo->out_color_components != 3 || | ||
71 | + cinfo->out_color_space == JCS_RGB565) { | ||
72 | cinfo->enable_1pass_quant = TRUE; | ||
73 | cinfo->enable_external_quant = FALSE; | ||
74 | cinfo->enable_2pass_quant = FALSE; | ||
75 | diff --git a/jquant2.c b/jquant2.c | ||
76 | index 6570613bb..c760380fb 100644 | ||
77 | --- a/jquant2.c | ||
78 | +++ b/jquant2.c | ||
79 | @@ -4,7 +4,7 @@ | ||
80 | * This file was part of the Independent JPEG Group's software: | ||
81 | * Copyright (C) 1991-1996, Thomas G. Lane. | ||
82 | * libjpeg-turbo Modifications: | ||
83 | - * Copyright (C) 2009, 2014-2015, D. R. Commander. | ||
84 | + * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander. | ||
85 | * For conditions of distribution and use, see the accompanying README.ijg | ||
86 | * file. | ||
87 | * | ||
88 | @@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo) | ||
89 | cquantize->error_limiter = NULL; | ||
90 | |||
91 | /* Make sure jdmaster didn't give me a case I can't handle */ | ||
92 | - if (cinfo->out_color_components != 3) | ||
93 | + if (cinfo->out_color_components != 3 || | ||
94 | + cinfo->out_color_space == JCS_RGB565) | ||
95 | ERREXIT(cinfo, JERR_NOTIMPL); | ||
96 | |||
97 | /* Allocate the histogram/inverse colormap storage */ | ||
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch new file mode 100644 index 0000000000..bcba0b513d --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001 | ||
2 | From: DRC <information@libjpeg-turbo.org> | ||
3 | Date: Thu, 6 Apr 2023 18:33:41 -0500 | ||
4 | Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp | ||
5 | |||
6 | When computing the downsampled width for a particular component, | ||
7 | jpeg_crop_scanline() needs to take into account the fact that the | ||
8 | libjpeg code uses a combination of IDCT scaling and upsampling to | ||
9 | implement 4x2 and 2x4 upsampling with certain decompression scaling | ||
10 | factors. Failing to account for that led to incomplete upsampling of | ||
11 | 4x2- or 2x4-subsampled components, which caused the color converter to | ||
12 | read from uninitialized memory. With 12-bit data precision, this caused | ||
13 | a buffer overrun or underrun and subsequent segfault if the | ||
14 | uninitialized memory contained a value that was outside of the valid | ||
15 | sample range (because the color converter uses the value as an array | ||
16 | index.) | ||
17 | |||
18 | Fixes #669 | ||
19 | |||
20 | CVE: CVE-2023-2804 | ||
21 | Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001] | ||
22 | |||
23 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
24 | --- | ||
25 | ChangeLog.md | 8 ++++++++ | ||
26 | jdapistd.c | 10 ++++++---- | ||
27 | 2 files changed, 14 insertions(+), 4 deletions(-) | ||
28 | |||
29 | diff --git a/ChangeLog.md b/ChangeLog.md | ||
30 | index de0c4d0dd..159bd1610 100644 | ||
31 | --- a/ChangeLog.md | ||
32 | +++ b/ChangeLog.md | ||
33 | @@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed | ||
34 | (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion | ||
35 | enabled. | ||
36 | |||
37 | +10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the | ||
38 | +downsampled width for components with 4x2 or 2x4 subsampling factors if | ||
39 | +decompression scaling was enabled. This caused the components to be upsampled | ||
40 | +incompletely, which caused the color converter to read from uninitialized | ||
41 | +memory. With 12-bit data precision, this caused a buffer overrun or underrun | ||
42 | +and subsequent segfault if the sample value read from unitialized memory was | ||
43 | +outside of the valid sample range. | ||
44 | + | ||
45 | 2.0.4 | ||
46 | ===== | ||
47 | |||
48 | diff --git a/jdapistd.c b/jdapistd.c | ||
49 | index 628626254..eb577928c 100644 | ||
50 | --- a/jdapistd.c | ||
51 | +++ b/jdapistd.c | ||
52 | @@ -4,7 +4,7 @@ | ||
53 | * This file was part of the Independent JPEG Group's software: | ||
54 | * Copyright (C) 1994-1996, Thomas G. Lane. | ||
55 | * libjpeg-turbo Modifications: | ||
56 | - * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander. | ||
57 | + * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander. | ||
58 | * Copyright (C) 2015, Google, Inc. | ||
59 | * For conditions of distribution and use, see the accompanying README.ijg | ||
60 | * file. | ||
61 | @@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset, | ||
62 | /* Set downsampled_width to the new output width. */ | ||
63 | orig_downsampled_width = compptr->downsampled_width; | ||
64 | compptr->downsampled_width = | ||
65 | - (JDIMENSION)jdiv_round_up((long)(cinfo->output_width * | ||
66 | - compptr->h_samp_factor), | ||
67 | - (long)cinfo->max_h_samp_factor); | ||
68 | + (JDIMENSION)jdiv_round_up((long)cinfo->output_width * | ||
69 | + (long)(compptr->h_samp_factor * | ||
70 | + compptr->_DCT_scaled_size), | ||
71 | + (long)(cinfo->max_h_samp_factor * | ||
72 | + cinfo->_min_DCT_scaled_size)); | ||
73 | if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2) | ||
74 | reinit_upsampler = TRUE; | ||
75 | |||
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb index 630b20300f..fda425c219 100644 --- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb +++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb | |||
@@ -16,6 +16,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \ | |||
16 | file://CVE-2021-46822.patch \ | 16 | file://CVE-2021-46822.patch \ |
17 | file://CVE-2020-35538-1.patch \ | 17 | file://CVE-2020-35538-1.patch \ |
18 | file://CVE-2020-35538-2.patch \ | 18 | file://CVE-2020-35538-2.patch \ |
19 | file://CVE-2023-2804-1.patch \ | ||
20 | file://CVE-2023-2804-2.patch \ | ||
19 | " | 21 | " |
20 | 22 | ||
21 | SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855" | 23 | SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855" |