libjpeg-turbo: patch CVE-2023-2804

Relevant links: * linked fronm NVD: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118 * follow-up analysis: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989 * picked commits fix all issues mentioned in this analysis (From OE-Core rev: ca8ede6d29c04159e85c2bdd2b635c58ec6a1484) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2023-07-23 13:09:22 +0200
committer: Steve Sakoman <steve@sakoman.com> 2023-08-02 04:47:12 -1000
commit: f24230b04bff9ea00bf6f56f05de163eabebd09e (patch)
tree: 89d2b3554393eac04adc1020ba98f844cb3d6029
parent: 6539812e238edfefc0941abeabbbebe345c0cd3b (diff)
download: poky-f24230b04bff9ea00bf6f56f05de163eabebd09e.tar.gz
3 files changed, 180 insertions, 0 deletions
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
new file mode 100644
index 0000000000..fd8a66bca7
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,103 @@
+From 42ce199c9cfe129e5e21afd48dfe757a6acf87c4 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+The 2-pass color quantization algorithm assumes 3-sample pixels.  RGB565
+is the only 3-component colorspace that doesn't have 3-sample pixels, so
+we need to treat it as a special case when determining whether to enable
+2-pass color quantization.  Otherwise, attempting to initialize 2-pass
+color quantization with an RGB565 output buffer could cause
+prescan_quantize() to read from uninitialized memory and subsequently
+underflow/overflow the histogram array.
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are
+specified, because none of its destination managers (image writers)
+support color quantization with RGB565.  However, prescan_quantize() was
+called before that could occur.  It is possible but very unlikely that
+these issues could have been reproduced in applications other than
+djpeg.  The issues involve the use of two features (12-bit precision and
+RGB565) that are incompatible, and they also involve the use of two
+rarely-used legacy features (RGB565 and color quantization) that don't
+make much sense when combined.
+Fixes #668
+Fixes #671
+Fixes #680
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/42ce199c9cfe129e5e21afd48dfe757a6acf87c4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md | 12 ++++++++++++
+ jdmaster.c   |  5 +++--
+ jquant2.c    |  5 +++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 1c1e6538a..f1bfb3d87 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -1,3 +1,15 @@
+2.1.6
+=====
+
+### Significant changes relative to 2.1.5.1:
+
+1. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
+overruns when attempting to decompress various specially-crafted malformed
+12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
+(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+enabled.
+
+
+ 2.1.5.1
+ =======
+ 
+diff --git a/jdmaster.c b/jdmaster.c
+index a3690bf56..a9446adfd 100644
+--- a/jdmaster.c
+++ b/jdmaster.c
+@@ -5,7 +5,7 @@
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2002-2009 by Guido Vollbeding.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, 2019, 2022, D. R. Commander.
+ * Copyright (C) 2009-2011, 2016, 2019, 2022-2023, D. R. Commander.
+  * Copyright (C) 2013, Linaro Limited.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying README.ijg
+@@ -480,7 +480,8 @@ master_selection(j_decompress_ptr cinfo)
+     if (cinfo->raw_data_out)
+       ERREXIT(cinfo, JERR_NOTIMPL);
+     /* 2-pass quantizer only works in 3-component color space. */
+-    if (cinfo->out_color_components != 3) {
+    if (cinfo->out_color_components != 3 ||
+        cinfo->out_color_space == JCS_RGB565) {
+       cinfo->enable_1pass_quant = TRUE;
+       cinfo->enable_external_quant = FALSE;
+       cinfo->enable_2pass_quant = FALSE;
+diff --git a/jquant2.c b/jquant2.c
+index 44efb18ca..1c14ef763 100644
+--- a/jquant2.c
+++ b/jquant2.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1991-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, 2020, D. R. Commander.
+ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
+   cquantize->error_limiter = NULL;
+ 
+   /* Make sure jdmaster didn't give me a case I can't handle */
+-  if (cinfo->out_color_components != 3)
+  if (cinfo->out_color_components != 3 ||
+      cinfo->out_color_space == JCS_RGB565)
+     ERREXIT(cinfo, JERR_NOTIMPL);
+ 
+   /* Allocate the histogram/inverse colormap storage */
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
new file mode 100644
index 0000000000..af955a72f6
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
@@ -0,0 +1,75 @@
+From 2e1b8a462f7f9f9bf6cd25a8516caa8203cc4593 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 6 Apr 2023 18:33:41 -0500
+Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
+When computing the downsampled width for a particular component,
+jpeg_crop_scanline() needs to take into account the fact that the
+libjpeg code uses a combination of IDCT scaling and upsampling to
+implement 4x2 and 2x4 upsampling with certain decompression scaling
+factors.  Failing to account for that led to incomplete upsampling of
+4x2- or 2x4-subsampled components, which caused the color converter to
+read from uninitialized memory.  With 12-bit data precision, this caused
+a buffer overrun or underrun and subsequent segfault if the
+uninitialized memory contained a value that was outside of the valid
+sample range (because the color converter uses the value as an array
+index.)
+Fixes #669
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2e1b8a462f7f9f9bf6cd25a8516caa8203cc4593]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md |  8 ++++++++
+ jdapistd.c   | 10 ++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index f1bfb3d87..0a075c3c5 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -9,6 +9,14 @@ overruns when attempting to decompress various specially-crafted malformed
+ (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+ enabled.
+ 
+2. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
+downsampled width for components with 4x2 or 2x4 subsampling factors if
+decompression scaling was enabled.  This caused the components to be upsampled
+incompletely, which caused the color converter to read from uninitialized
+memory.  With 12-bit data precision, this caused a buffer overrun or underrun
+and subsequent segfault if the sample value read from unitialized memory was
+outside of the valid sample range.
+
+ 
+ 2.1.5.1
+ =======
+diff --git a/jdapistd.c b/jdapistd.c
+index 02cd0cb93..96cded112 100644
+--- a/jdapistd.c
+++ b/jdapistd.c
+@@ -4,7 +4,7 @@
+  * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1994-1996, Thomas G. Lane.
+  * libjpeg-turbo Modifications:
+- * Copyright (C) 2010, 2015-2020, 2022, D. R. Commander.
+ * Copyright (C) 2010, 2015-2020, 2022-2023, D. R. Commander.
+  * Copyright (C) 2015, Google, Inc.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+@@ -236,9 +236,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
+     /* Set downsampled_width to the new output width. */
+     orig_downsampled_width = compptr->downsampled_width;
+     compptr->downsampled_width =
+-      (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
+-                                       compptr->h_samp_factor),
+-                                (long)cinfo->max_h_samp_factor);
+      (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
+                                (long)(compptr->h_samp_factor *
+                                       compptr->_DCT_scaled_size),
+                                (long)(cinfo->max_h_samp_factor *
+                                       cinfo->_min_DCT_scaled_size));
+     if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
+       reinit_upsampler = TRUE;
+ 
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb
index e086830c02..86bf471eea 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb
@@ -12,6 +12,8 @@ DEPENDS:append:x86:class-target = " nasm-native"
 SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
           file://0001-libjpeg-turbo-fix-package_qa-error.patch \
+           file://CVE-2023-2804-1.patch \
+           file://CVE-2023-2804-2.patch \
           "
 SRC_URI[sha256sum] = "2fdc3feb6e9deb17adec9bafa3321419aa19f8f4e5dea7bf8486844ca22207bf"
author	Peter Marko <peter.marko@siemens.com>	2023-07-23 13:09:22 +0200
committer	Steve Sakoman <steve@sakoman.com>	2023-08-02 04:47:12 -1000
commit	f24230b04bff9ea00bf6f56f05de163eabebd09e (patch)
tree	89d2b3554393eac04adc1020ba98f844cb3d6029
parent	6539812e238edfefc0941abeabbbebe345c0cd3b (diff)
download	poky-f24230b04bff9ea00bf6f56f05de163eabebd09e.tar.gz

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch new file mode 100644 index 0000000000..fd8a66bca7 --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,103 @@
		1	From 42ce199c9cfe129e5e21afd48dfe757a6acf87c4 Mon Sep 17 00:00:00 2001
		2	From: DRC <information@libjpeg-turbo.org>
		3	Date: Tue, 4 Apr 2023 19:06:20 -0500
		4	Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
		5
		6	The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565
		7	is the only 3-component colorspace that doesn't have 3-sample pixels, so
		8	we need to treat it as a special case when determining whether to enable
		9	2-pass color quantization. Otherwise, attempting to initialize 2-pass
		10	color quantization with an RGB565 output buffer could cause
		11	prescan_quantize() to read from uninitialized memory and subsequently
		12	underflow/overflow the histogram array.
		13
		14	djpeg is supposed to fail gracefully if both -rgb565 and -colors are
		15	specified, because none of its destination managers (image writers)
		16	support color quantization with RGB565. However, prescan_quantize() was
		17	called before that could occur. It is possible but very unlikely that
		18	these issues could have been reproduced in applications other than
		19	djpeg. The issues involve the use of two features (12-bit precision and
		20	RGB565) that are incompatible, and they also involve the use of two
		21	rarely-used legacy features (RGB565 and color quantization) that don't
		22	make much sense when combined.
		23
		24	Fixes #668
		25	Fixes #671
		26	Fixes #680
		27
		28	CVE: CVE-2023-2804
		29	Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/42ce199c9cfe129e5e21afd48dfe757a6acf87c4]
		30
		31	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		32	---
		33	ChangeLog.md \| 12 ++++++++++++
		34	jdmaster.c \| 5 +++--
		35	jquant2.c \| 5 +++--
		36	3 files changed, 18 insertions(+), 4 deletions(-)
		37
		38	diff --git a/ChangeLog.md b/ChangeLog.md
		39	index 1c1e6538a..f1bfb3d87 100644
		40	--- a/ChangeLog.md
		41	+++ b/ChangeLog.md
		42	@@ -1,3 +1,15 @@
		43	+2.1.6
		44	+=====
		45	+
		46	+### Significant changes relative to 2.1.5.1:
		47	+
		48	+1. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
		49	+overruns when attempting to decompress various specially-crafted malformed
		50	+12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
		51	+(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
		52	+enabled.
		53	+
		54	+
		55	2.1.5.1
		56	=======
		57
		58	diff --git a/jdmaster.c b/jdmaster.c
		59	index a3690bf56..a9446adfd 100644
		60	--- a/jdmaster.c
		61	+++ b/jdmaster.c
		62	@@ -5,7 +5,7 @@
		63	* Copyright (C) 1991-1997, Thomas G. Lane.
		64	* Modified 2002-2009 by Guido Vollbeding.
		65	* libjpeg-turbo Modifications:
		66	- * Copyright (C) 2009-2011, 2016, 2019, 2022, D. R. Commander.
		67	+ * Copyright (C) 2009-2011, 2016, 2019, 2022-2023, D. R. Commander.
		68	* Copyright (C) 2013, Linaro Limited.
		69	* Copyright (C) 2015, Google, Inc.
		70	* For conditions of distribution and use, see the accompanying README.ijg
		71	@@ -480,7 +480,8 @@ master_selection(j_decompress_ptr cinfo)
		72	if (cinfo->raw_data_out)
		73	ERREXIT(cinfo, JERR_NOTIMPL);
		74	/* 2-pass quantizer only works in 3-component color space. */
		75	- if (cinfo->out_color_components != 3) {
		76	+ if (cinfo->out_color_components != 3 \|\|
		77	+ cinfo->out_color_space == JCS_RGB565) {
		78	cinfo->enable_1pass_quant = TRUE;
		79	cinfo->enable_external_quant = FALSE;
		80	cinfo->enable_2pass_quant = FALSE;
		81	diff --git a/jquant2.c b/jquant2.c
		82	index 44efb18ca..1c14ef763 100644
		83	--- a/jquant2.c
		84	+++ b/jquant2.c
		85	@@ -4,7 +4,7 @@
		86	* This file was part of the Independent JPEG Group's software:
		87	* Copyright (C) 1991-1996, Thomas G. Lane.
		88	* libjpeg-turbo Modifications:
		89	- * Copyright (C) 2009, 2014-2015, 2020, D. R. Commander.
		90	+ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
		91	* For conditions of distribution and use, see the accompanying README.ijg
		92	* file.
		93	*
		94	@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
		95	cquantize->error_limiter = NULL;
		96
		97	/* Make sure jdmaster didn't give me a case I can't handle */
		98	- if (cinfo->out_color_components != 3)
		99	+ if (cinfo->out_color_components != 3 \|\|
		100	+ cinfo->out_color_space == JCS_RGB565)
		101	ERREXIT(cinfo, JERR_NOTIMPL);
		102
		103	/* Allocate the histogram/inverse colormap storage */


diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch new file mode 100644 index 0000000000..af955a72f6 --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
@@ -0,0 +1,75 @@
		1	From 2e1b8a462f7f9f9bf6cd25a8516caa8203cc4593 Mon Sep 17 00:00:00 2001
		2	From: DRC <information@libjpeg-turbo.org>
		3	Date: Thu, 6 Apr 2023 18:33:41 -0500
		4	Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
		5
		6	When computing the downsampled width for a particular component,
		7	jpeg_crop_scanline() needs to take into account the fact that the
		8	libjpeg code uses a combination of IDCT scaling and upsampling to
		9	implement 4x2 and 2x4 upsampling with certain decompression scaling
		10	factors. Failing to account for that led to incomplete upsampling of
		11	4x2- or 2x4-subsampled components, which caused the color converter to
		12	read from uninitialized memory. With 12-bit data precision, this caused
		13	a buffer overrun or underrun and subsequent segfault if the
		14	uninitialized memory contained a value that was outside of the valid
		15	sample range (because the color converter uses the value as an array
		16	index.)
		17
		18	Fixes #669
		19
		20	CVE: CVE-2023-2804
		21	Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2e1b8a462f7f9f9bf6cd25a8516caa8203cc4593]
		22
		23	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		24	---
		25	ChangeLog.md \| 8 ++++++++
		26	jdapistd.c \| 10 ++++++----
		27	2 files changed, 14 insertions(+), 4 deletions(-)
		28
		29	diff --git a/ChangeLog.md b/ChangeLog.md
		30	index f1bfb3d87..0a075c3c5 100644
		31	--- a/ChangeLog.md
		32	+++ b/ChangeLog.md
		33	@@ -9,6 +9,14 @@ overruns when attempting to decompress various specially-crafted malformed
		34	(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
		35	enabled.
		36
		37	+2. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
		38	+downsampled width for components with 4x2 or 2x4 subsampling factors if
		39	+decompression scaling was enabled. This caused the components to be upsampled
		40	+incompletely, which caused the color converter to read from uninitialized
		41	+memory. With 12-bit data precision, this caused a buffer overrun or underrun
		42	+and subsequent segfault if the sample value read from unitialized memory was
		43	+outside of the valid sample range.
		44	+
		45
		46	2.1.5.1
		47	=======
		48	diff --git a/jdapistd.c b/jdapistd.c
		49	index 02cd0cb93..96cded112 100644
		50	--- a/jdapistd.c
		51	+++ b/jdapistd.c
		52	@@ -4,7 +4,7 @@
		53	* This file was part of the Independent JPEG Group's software:
		54	* Copyright (C) 1994-1996, Thomas G. Lane.
		55	* libjpeg-turbo Modifications:
		56	- * Copyright (C) 2010, 2015-2020, 2022, D. R. Commander.
		57	+ * Copyright (C) 2010, 2015-2020, 2022-2023, D. R. Commander.
		58	* Copyright (C) 2015, Google, Inc.
		59	* For conditions of distribution and use, see the accompanying README.ijg
		60	* file.
		61	@@ -236,9 +236,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
		62	/* Set downsampled_width to the new output width. */
		63	orig_downsampled_width = compptr->downsampled_width;
		64	compptr->downsampled_width =
		65	- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
		66	- compptr->h_samp_factor),
		67	- (long)cinfo->max_h_samp_factor);
		68	+ (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
		69	+ (long)(compptr->h_samp_factor *
		70	+ compptr->_DCT_scaled_size),
		71	+ (long)(cinfo->max_h_samp_factor *
		72	+ cinfo->_min_DCT_scaled_size));
		73	if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
		74	reinit_upsampler = TRUE;
		75


diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb index e086830c02..86bf471eea 100644 --- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb +++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb
@@ -12,6 +12,8 @@ DEPENDS:append:x86:class-target = " nasm-native"
12		12
13	SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \	13	SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
14	file://0001-libjpeg-turbo-fix-package_qa-error.patch \	14	file://0001-libjpeg-turbo-fix-package_qa-error.patch \
		15	file://CVE-2023-2804-1.patch \
		16	file://CVE-2023-2804-2.patch \
15	"	17	"
16		18
17	SRC_URI[sha256sum] = "2fdc3feb6e9deb17adec9bafa3321419aa19f8f4e5dea7bf8486844ca22207bf"	19	SRC_URI[sha256sum] = "2fdc3feb6e9deb17adec9bafa3321419aa19f8f4e5dea7bf8486844ca22207bf"