From: Daniel Sabogal To: alpine-aports@lists.alpinelinux.org Subject: [alpine-aports] [PATCH] main/openjpeg: security upgrade to 2.1.2 Date: Wed, 28 Sep 2016 21:22:33 -0400 Message-Id: <20160929012233.9110-1-dsabogalcc@gmail.com> X-Mailer: git-send-email 2.10.0 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2016-7163 is fixed in this release https://github.com/uclouvain/openjpeg/blob/openjpeg-2.1/CHANGELOG.md --- main/openjpeg/APKBUILD | 26 ++++++++------------------ main/openjpeg/CVE-2016-7163-1.patch | 33 --------------------------------- main/openjpeg/CVE-2016-7163-2.patch | 26 -------------------------- 3 files changed, 8 insertions(+), 77 deletions(-) delete mode 100644 main/openjpeg/CVE-2016-7163-1.patch delete mode 100644 main/openjpeg/CVE-2016-7163-2.patch diff --git a/main/openjpeg/APKBUILD b/main/openjpeg/APKBUILD index c3aaa51..732fd22 100644 --- a/main/openjpeg/APKBUILD +++ b/main/openjpeg/APKBUILD @@ -1,21 +1,17 @@ # Contributor: William Pitcock # Maintainer: Francesco Colista pkgname=openjpeg -pkgver=2.1.1 -pkgrel=1 +pkgver=2.1.2 +pkgrel=0 pkgdesc="Open-source implementation of JPEG2000 image codec" url="http://www.openjpeg.org/" arch="all" license="BSD" depends="" -depends_dev="" -makedepends="$depends_dev libpng-dev tiff-dev lcms-dev doxygen cmake" -install="" +makedepends="libpng-dev tiff-dev lcms-dev doxygen cmake" subpackages="$pkgname-dev $pkgname-tools" -source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz - CVE-2016-7163-1.patch - CVE-2016-7163-2.patch" -builddir="${srcdir}/$pkgname-$pkgver" +source="$pkgname-$pkgver.tar.gz::https://github.com/uclouvain/openjpeg/archive/v$pkgver.tar.gz" +builddir="$srcdir/$pkgname-$pkgver" # secfixes: # 2.1.1-r1: 
@@ -43,12 +39,6 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -md5sums="0cc4b2aee0a9b6e9e21b7abcd201a3ec openjpeg-2.1.1.tar.gz -0c0e55bc80b5cd6b163fbc041e4e7aae CVE-2016-7163-1.patch -4edb6725ac44bd254f385a78ad4faa98 CVE-2016-7163-2.patch" -sha256sums="82c27f47fc7219e2ed5537ac69545bf15ed8c6ba8e6e1e529f89f7356506dbaa openjpeg-2.1.1.tar.gz -65137ddd802e36893a52362da56de1b75c15c338f22e1c378c21288529008189 CVE-2016-7163-1.patch -a36c73da751049410e94a9f4e56bce572ef5005ec8637401da9c02be0253d0ce CVE-2016-7163-2.patch" -sha512sums="c7c5cd95a3b8bc643207fecdfbffd45c3d91e48196455ae42061862aebcd558c3e508c39513285b8ebb4f57b7316116d15cc74c0b9cc3e31c2a7b70d3e5e2cdd openjpeg-2.1.1.tar.gz -3ab55487147464caf428c28f2a8585983a3a203bba731d83411b0bb0bfb8765992874aa42de3fddd8be5245897224f292c9853dc6103c5e16a3aa5bc1737b5be CVE-2016-7163-1.patch -d091d6ccbdbc7a2e2308815c5448f94a8d7f854c04c137d99f49bb26d142b790008388b730d9d83891842211ec56f1833a954e3bdfa3130ce7dcc1021a15c87e CVE-2016-7163-2.patch" +md5sums="40a7bfdcc66280b3c1402a0eb1a27624 openjpeg-2.1.2.tar.gz" +sha256sums="4ce77b6ef538ef090d9bde1d5eeff8b3069ab56c4906f083475517c2c023dfa7 openjpeg-2.1.2.tar.gz" +sha512sums="411067e33c8e4da9921d0281e932a4ac2af592cf822bfad828daea9e2b9c414859455bcec6d912ce76460ea462fa4cbd94a401333bda5716ec017d18b8e5942c openjpeg-2.1.2.tar.gz" diff --git a/main/openjpeg/CVE-2016-7163-1.patch b/main/openjpeg/CVE-2016-7163-1.patch deleted file mode 100644 index c7d277a..0000000 --- a/main/openjpeg/CVE-2016-7163-1.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From c16bc057ba3f125051c9966cf1f5b68a05681de4 Mon Sep 17 00:00:00 2001 -From: trylab -Date: Tue, 6 Sep 2016 13:55:49 +0800 -Subject: [PATCH] Fix an integer overflow issue (#809) - -Prevent an integer overflow issue in function opj_pi_create_decode of -pi.c. ---- - src/lib/openjp2/pi.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c -index cffad66..36e2ff0 100644 ---- a/src/lib/openjp2/pi.c -+++ b/src/lib/openjp2/pi.c -@@ -1237,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, - l_current_pi = l_pi; - - /* memory allocation for include */ -- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); -+ /* prevent an integer overflow issue */ -+ l_current_pi->include = 00; -+ if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U))) -+ { -+ l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); -+ } -+ - if - (!l_current_pi->include) - { --- -2.10.0 - diff --git a/main/openjpeg/CVE-2016-7163-2.patch b/main/openjpeg/CVE-2016-7163-2.patch deleted file mode 100644 index 71af3d7..0000000 --- a/main/openjpeg/CVE-2016-7163-2.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From ef01f18dfc6780b776d0674ed3e7415c6ef54d24 Mon Sep 17 00:00:00 2001 -From: Matthieu Darbois -Date: Thu, 8 Sep 2016 07:34:46 +0200 -Subject: [PATCH] Cast to size_t before multiplication - -Need to cast to size_t before multiplication otherwise overflow check is useless. ---- - src/lib/openjp2/pi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c -index 36e2ff0..809b33d 100644 ---- a/src/lib/openjp2/pi.c -+++ b/src/lib/openjp2/pi.c -@@ -1241,7 +1241,7 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, - l_current_pi->include = 00; - if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U))) - { -- l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); -+ l_current_pi->include = (OPJ_INT16*) opj_calloc((size_t)(l_tcp->numlayers + 1U) * l_step_l, sizeof(OPJ_INT16)); - } - - if --- -2.10.0 - -- 2.10.0 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
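Review bot: In the first APKBUILD hunk (`@@ -1,21 +1,17 @@`) the cleanup is inconsistent: `depends_dev=""` and `install=""` are dropped but the equally empty `depends=""` stays; remove it too, or leave all three, so the file follows one convention. The `# secfixes:` block needs no new entry for this bump: the visible `# 2.1.1-r1:` entry already marks CVE-2016-7163 as fixed, and 2.1.2-r0 sorts after it, so the secdb will treat the new package as fixed without a `# 2.1.2-r0:` line.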
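Review bot: In the checksum hunk (`@@ -43,12 +39,6 @@`) the new sums are for a GitHub on-the-fly archive (`archive/v$pkgver.tar.gz`), which carries no upstream signature and can be regenerated, so the committed sha512 is the only thing pinning the source; before merging, fetch the tarball independently and compare (`curl -sL <url> | sha512sum`) against `411067e33c8e4da9921d0281e932a4ac2af592cf822bfad828daea9e2b9c414859455bcec6d912ce76460ea462fa4cbd94a401333bda5716ec017d18b8e5942c` rather than trusting the sum from the submitter's download alone. The removal of the three patch checksum entries matches the deleted files, so nothing is left dangling in `source=`.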
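Review bot: Deleting `CVE-2016-7163-1.patch` (hunk `@@ -1,33 +0,0 @@`) is only safe if upstream commit `c16bc057ba3f125051c9966cf1f5b68a05681de4` is actually contained in the v2.1.2 tag; the cover letter points at the CHANGELOG, not at the commit. Confirm with `git tag --contains c16bc057` in an openjpeg checkout, or grep `src/lib/openjp2/pi.c` in the unpacked 2.1.2 tarball for the guard `if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U)))` before merging.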
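Review bot: The same containment check is needed for `ef01f18dfc6780b776d0674ed3e7415c6ef54d24` when deleting `CVE-2016-7163-2.patch` (hunk `@@ -1,26 +0,0 @@`), and this is the one that decides whether the CVE is really closed: as that patch's own message says, the first fix alone is ineffective because `(l_tcp->numlayers +1) * l_step_l` is still multiplied at 32 bits and wraps before the `SIZE_MAX` comparison can help. Verify that the 2.1.2 `pi.c` carries the widened form `(size_t)(l_tcp->numlayers + 1U) * l_step_l` in the `opj_calloc` call, not just the guard from the first commit; if only the first commit landed in the release, this patch must be kept.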