From 6c4ad10a9a2112e5278d3d4b2ecbac6bd2a9e520 Mon Sep 17 00:00:00 2001
From: xingxing
Date: Mon, 11 Apr 2022 15:56:56 +0800
Subject: [PATCH] fix CVE-2017-9937
(cherry picked from commit 2b54565f5499c686760fa98184848ef3e6b4d8d2)
---
 backport-CVE-2017-9937.patch | 54 ++++++++++++++++++++++++++++++++++++
 jbigkit.spec | 10 ++++++-
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2017-9937.patch
diff --git a/backport-CVE-2017-9937.patch b/backport-CVE-2017-9937.patch
new file mode 100644
index 0000000..a1de3e4
--- /dev/null
+++ b/backport-CVE-2017-9937.patch
@@ -0,0 +1,54 @@
+From 535df935911c401d345cb004a2fa00eb7a727259 Mon Sep 17 00:00:00 2001
+From: wiz
+Date: Mon, 3 Aug 2020 21:34:06 +0000
+Subject: [PATCH] jbigkit: fix CVE-2017-9937 using upstream commit
+
+See e.g.
+https://gitlab.com/libtiff/libtiff/-/issues/97
+
+Bump PKGREVISION.
+
+---
+ libjbig/jbig.c | 5 +++++
+ libjbig/jbig.h | 2 ++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/libjbig/jbig.c b/libjbig/jbig.c
+index 751ceff..7b5b99e 100644
+--- a/libjbig/jbig.c
++++ b/libjbig/jbig.c
+@@ -2051,6 +2051,7 @@ void jbg_dec_init(struct jbg_dec_state *s)
+ s->xmax = 4294967295UL;
+ s->ymax = 4294967295UL;
+ s->dmax = 256;
++ s->maxmem = 2000000000; /* no final image larger than 2 GB by default */
+ s->s = NULL;
+
+ return;
+@@ -2640,6 +2641,10 @@ int jbg_dec_in(struct jbg_dec_state *s, unsigned char *data, size_t len,
+ return JBG_EIMPL | 5;
+ s->options = s->buffer[19];
+
++ /* will the final image require more bytes than permitted by s->maxmem? */
++ if (s->maxmem / s->planes / s->yd / jbg_ceil_half(s->xd, 3) == 0)
++ return JBG_ENOMEM; /* increase s->maxmem if needed */
++
+ /* calculate number of stripes that will be required */
+ s->stripes = jbg_stripes(s->l0, s->yd, s->d);
+
+diff --git a/libjbig/jbig.h b/libjbig/jbig.h
+index 6799410..7a9cdf9 100644
+--- a/libjbig/jbig.h
++++ b/libjbig/jbig.h
+@@ -181,6 +181,8 @@ struct jbg_dec_state {
+ unsigned long xmax, ymax; /* if possible abort before image gets *
+ * larger than this size */
+ int dmax; /* abort after this layer */
++ size_t maxmem; /* return JBG_ENOMEM if final image layer D
++ would require more than maxmem bytes */
+ };
+
+
+--
+2.23.0
+
diff --git a/jbigkit.spec b/jbigkit.spec
index 0449c9e..c330e95 100644
--- a/jbigkit.spec
+++ b/jbigkit.spec
@@ -1,6 +1,6 @@
 Name: jbigkit
 Version: 2.1
-Release: 17
+Release: 18
 Summary: Lossless image compression library
 License: GPLv2+
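Review bot: The `size_t maxmem` field added to `struct jbg_dec_state` in the nested `jbig.h` hunk grows a public struct that callers allocate themselves, and `jbg_dec_init` now stores `s->maxmem` into it, so a consumer built against the old header (the libtiff issue cited in the commit message is such a consumer) would have that store land past the end of its allocation until it is rebuilt. Because the spec ships this as a shared library (`%{name}-libs`, `jbigkit-2.1-shlib.patch`), the changelog entry should call out the ABI change and dependent packages need a rebuild against the new header. The new guard in `jbg_dec_in` divides by `s->planes`, `s->yd` and `jbg_ceil_half(s->xd, 3)`; that is only sound if the BIH validation earlier in the function, outside this hunk, has already rejected zero values for those fields, which the patch does not show. Both enclosing functions start and end outside the hunk.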
@@ -12,6 +12,8 @@ Patch0: jbigkit-2.1-shlib.patch
 Patch1: jbigkit-2.0-warnings.patch
 Patch2: jbigkit-ldflags.patch
+Patch6000: backport-CVE-2017-9937.patch
+
 BuildRequires: gcc
 Requires: %{name}-libs = %{version}-%{release}
@@ -79,6 +81,12 @@ make test
 %{_mandir}/man1/*
 %changelog
+* Mon Apr 11 2022 xingxing - 2.1-18
+- Type:CVE
+- CVE:CVE-2017-9937
+- SUG:NA
+- DESC:fix CVE-2017-9937
+
 * Mon Feb 17 2020 hexiujun - 2.1-17
 - Type:enhancement
 - ID:NA