Bug 234473 - graphics/openjpeg: Fix CVE-2018-6616
Summary: graphics/openjpeg: Fix CVE-2018-6616
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Po-Chuan Hsieh
URL:
Keywords: needs-qa, security
Depends on:
Blocks:
 
Reported: 2018-12-28 18:40 UTC by Andres Montalban
Modified: 2019-01-24 16:19 UTC

See Also:
bugzilla: maintainer-feedback? (sunpoet)
koobs: merge-quarterly?


Attachments
openjpeg.patch (3.32 KB, patch)
2018-12-28 18:40 UTC, Andres Montalban
vuxml update (1.53 KB, patch)
2018-12-28 18:42 UTC, Andres Montalban

Description Andres Montalban 2018-12-28 18:40:25 UTC
Created attachment 200585
openjpeg.patch

Hi,

I'm submitting this patch trying to clean up the vulnerabilities this package has. First, some clarifications:

r477112 fixes CVE-2017-17479 and CVE-2017-17480, but it is still showing as vulnerable in openjpeg-2.3.0_2. Is that intended until all vulnerabilities have been fixed? If not, then I have also attached a patch for vuxml.

Additionally I'm submitting a patch for CVE-2018-6616, so the only remaining vulnerability is CVE-2018-5727.

Thanks!
Comment 1 Andres Montalban 2018-12-28 18:42:11 UTC
Created attachment 200586
vuxml update
Comment 2 commit-hook 2019-01-05 22:48:29 UTC
A commit references this bug:

Author: sunpoet
Date: Sat Jan  5 22:47:22 UTC 2019
New revision: 489415
URL: https://svnweb.freebsd.org/changeset/ports/489415

Log:
  Fix CVE-2018-6616

  - Bump PORTREVISION for package change

  Obtained from:	https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3
  PR:		234473
  Submitted by:	Andres Montalban <amontalban@gmail.com>

Changes:
  head/graphics/openjpeg/Makefile
  head/graphics/openjpeg/files/patch-src-bin-jp2-convertbmp.c
Comment 3 Po-Chuan Hsieh 2019-01-05 23:25:55 UTC
I've updated the openjpeg status in the vuxml entry. I guess it's enough given it's not fully fixed yet.

Committed. Thanks!
Comment 4 commit-hook 2019-01-24 16:19:08 UTC
A commit references this bug:

Author: sunpoet
Date: Thu Jan 24 16:19:00 UTC 2019
New revision: 491096
URL: https://svnweb.freebsd.org/changeset/ports/491096

Log:
  MFH: r489415

  Fix CVE-2018-6616

  - Bump PORTREVISION for package change

  Obtained from:	https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3
  PR:		234473
  Submitted by:	Andres Montalban <amontalban@gmail.com>

  Approved by:	ports-secteam (delphij)

Changes:
_U  branches/2019Q1/
  branches/2019Q1/graphics/openjpeg/Makefile
  branches/2019Q1/graphics/openjpeg/files/patch-src-bin-jp2-convertbmp.c