Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH] package/openjpeg: add patch to fix CVE-2025-54874
@ 2025-08-19 13:39 Thomas Perale via buildroot
  2025-08-20 14:45 ` Peter Korsgaard
  2025-08-21 19:21 ` Thomas Perale via buildroot
  0 siblings, 2 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2025-08-19 13:39 UTC
  To: buildroot; +Cc: Angelo Compagnucci, Olivier Schonken

Fixes the following vulnerability:

- CVE-2025-54874

    OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and
    earlier, a call to opj_jp2_read_header may lead to OOB heap memory
    write when the data stream p_stream is too short and p_image is not
    initialized.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2025-54874
  - https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 ...check-for-error-after-parsing-header.patch | 41 +++++++++++++++++++
 package/openjpeg/openjpeg.mk                  |  3 ++
 2 files changed, 44 insertions(+)
 create mode 100644 package/openjpeg/0001-check-for-error-after-parsing-header.patch

diff --git a/package/openjpeg/0001-check-for-error-after-parsing-header.patch b/package/openjpeg/0001-check-for-error-after-parsing-header.patch
new file mode 100644
index 0000000000..9a02fbf3d4
--- /dev/null
+++ b/package/openjpeg/0001-check-for-error-after-parsing-header.patch
@@ -0,0 +1,41 @@
+From f809b80c67717c152a5ad30bf06774f00da4fd2d Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Thu, 16 Jan 2025 02:13:43 +0100
+Subject: [PATCH] opj_jp2_read_header: Check for error after parsing header.
+
+Consider the case where the caller has not set the p_image
+pointer to NULL before calling opj_read_header().
+
+If opj_j2k_read_header_procedure() fails while obtaining the rest
+of the marker segment when calling opj_stream_read_data() because
+the data stream is too short, then opj_j2k_read_header() will
+never have the chance to initialize p_image, leaving it
+uninitialized.
+
+opj_jp2_read_header() will check the p_image value whether
+opj_j2k_read_header() suceeded or failed. This may be detected as
+an error in valgrind or ASAN.
+
+The fix is to check whether opj_j2k_read_header() suceeded before
+using the output argument p_image.
+
+Upstream: https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d
+CVE: CVE-2025-54874
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/lib/openjp2/jp2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
+index 4df055a54..da5063186 100644
+--- a/src/lib/openjp2/jp2.c
++++ b/src/lib/openjp2/jp2.c
+@@ -2873,7 +2873,7 @@ OPJ_BOOL opj_jp2_read_header(opj_stream_private_t *p_stream,
+                               p_image,
+                               p_manager);
+ 
+-    if (p_image && *p_image) {
++    if (ret && p_image && *p_image) {
+         /* Set Image Color Space */
+         if (jp2->enumcs == 16) {
+             (*p_image)->color_space = OPJ_CLRSPC_SRGB;
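Review bot: the `ret &&` test added at `if (ret && p_image && *p_image)` in jp2.c only stops opj_jp2_read_header() from writing `color_space` through a pointer that opj_j2k_read_header() never set; on the failure path `*p_image` is still whatever the caller passed in. The Buildroot commit message could state that explicitly, so anyone auditing users of the library knows the return value must be checked before the image pointer is touched. The "suceeded" typos in the embedded description are upstream's and are fine to keep, so the file stays identical to commit f809b80c67717c152a5ad30bf06774f00da4fd2d.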
diff --git a/package/openjpeg/openjpeg.mk b/package/openjpeg/openjpeg.mk
index 275659cd3c..7b1352c222 100644
--- a/package/openjpeg/openjpeg.mk
+++ b/package/openjpeg/openjpeg.mk
@@ -11,6 +11,9 @@ OPENJPEG_LICENSE_FILES = LICENSE
 OPENJPEG_CPE_ID_VENDOR = uclouvain
 OPENJPEG_INSTALL_STAGING = YES
 
+# 0001-check-for-error-after-parsing-header.patch
+OPENJPEG_IGNORE_CVES += CVE-2025-54874
+
 OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
 OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_LIBPNG),libpng)
 OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_TIFF),tiff)
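Review bot: the comment above `OPENJPEG_IGNORE_CVES += CVE-2025-54874` names only the local patch file, so nothing in openjpeg.mk tells whoever bumps the package when the entry can go. Consider noting in the commit message (or next to the comment) that this line and 0001-check-for-error-after-parsing-header.patch must be dropped together once the packaged version contains upstream commit f809b80c67717c152a5ad30bf06774f00da4fd2d; otherwise a stale ignore entry would keep hiding the CVE from the CVE check.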
-- 
2.50.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH] package/openjpeg: add patch to fix CVE-2025-54874
  2025-08-19 13:39 [Buildroot] [PATCH] package/openjpeg: add patch to fix CVE-2025-54874 Thomas Perale via buildroot
@ 2025-08-20 14:45 ` Peter Korsgaard
  2025-08-21 19:21 ` Thomas Perale via buildroot
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2025-08-20 14:45 UTC
  To: Thomas Perale via buildroot
  Cc: Thomas Perale, Angelo Compagnucci, Olivier Schonken

>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:

 > Fixes the following vulnerability:
 > - CVE-2025-54874

 >     OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and
 >     earlier, a call to opj_jp2_read_header may lead to OOB heap memory
 >     write when the data stream p_stream is too short and p_image is not
 >     initialized.

 > For more information, see:
 >   - https://www.cve.org/CVERecord?id=CVE-2025-54874
 >   - https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d

 > Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Committed, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH] package/openjpeg: add patch to fix CVE-2025-54874
  2025-08-19 13:39 [Buildroot] [PATCH] package/openjpeg: add patch to fix CVE-2025-54874 Thomas Perale via buildroot
  2025-08-20 14:45 ` Peter Korsgaard
@ 2025-08-21 19:21 ` Thomas Perale via buildroot
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2025-08-21 19:21 UTC
  To: Thomas Perale; +Cc: buildroot

In reply to:
> Fixes the following vulnerability:
> 
> - CVE-2025-54874
> 
>     OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and
>     earlier, a call to opj_jp2_read_header may lead to OOB heap memory
>     write when the data stream p_stream is too short and p_image is not
>     initialized.
> 
> For more information, see:
>   - https://www.cve.org/CVERecord?id=CVE-2025-54874
>   - https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x & 2025.05.x. Thanks

> ---
>  ...check-for-error-after-parsing-header.patch | 41 +++++++++++++++++++
>  package/openjpeg/openjpeg.mk                  |  3 ++
>  2 files changed, 44 insertions(+)
>  create mode 100644 package/openjpeg/0001-check-for-error-after-parsing-header.patch
> 
> diff --git a/package/openjpeg/0001-check-for-error-after-parsing-header.patch b/package/openjpeg/0001-check-for-error-after-parsing-header.patch
> new file mode 100644
> index 0000000000..9a02fbf3d4
> --- /dev/null
> +++ b/package/openjpeg/0001-check-for-error-after-parsing-header.patch
> @@ -0,0 +1,41 @@
> +From f809b80c67717c152a5ad30bf06774f00da4fd2d Mon Sep 17 00:00:00 2001
> +From: Sebastian Rasmussen <sebras@gmail.com>
> +Date: Thu, 16 Jan 2025 02:13:43 +0100
> +Subject: [PATCH] opj_jp2_read_header: Check for error after parsing header.
> +
> +Consider the case where the caller has not set the p_image
> +pointer to NULL before calling opj_read_header().
> +
> +If opj_j2k_read_header_procedure() fails while obtaining the rest
> +of the marker segment when calling opj_stream_read_data() because
> +the data stream is too short, then opj_j2k_read_header() will
> +never have the chance to initialize p_image, leaving it
> +uninitialized.
> +
> +opj_jp2_read_header() will check the p_image value whether
> +opj_j2k_read_header() suceeded or failed. This may be detected as
> +an error in valgrind or ASAN.
> +
> +The fix is to check whether opj_j2k_read_header() suceeded before
> +using the output argument p_image.
> +
> +Upstream: https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d
> +CVE: CVE-2025-54874
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + src/lib/openjp2/jp2.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
> +index 4df055a54..da5063186 100644
> +--- a/src/lib/openjp2/jp2.c
> ++++ b/src/lib/openjp2/jp2.c
> +@@ -2873,7 +2873,7 @@ OPJ_BOOL opj_jp2_read_header(opj_stream_private_t *p_stream,
> +                               p_image,
> +                               p_manager);
> + 
> +-    if (p_image && *p_image) {
> ++    if (ret && p_image && *p_image) {
> +         /* Set Image Color Space */
> +         if (jp2->enumcs == 16) {
> +             (*p_image)->color_space = OPJ_CLRSPC_SRGB;
> diff --git a/package/openjpeg/openjpeg.mk b/package/openjpeg/openjpeg.mk
> index 275659cd3c..7b1352c222 100644
> --- a/package/openjpeg/openjpeg.mk
> +++ b/package/openjpeg/openjpeg.mk
> @@ -11,6 +11,9 @@ OPENJPEG_LICENSE_FILES = LICENSE
>  OPENJPEG_CPE_ID_VENDOR = uclouvain
>  OPENJPEG_INSTALL_STAGING = YES
>  
> +# 0001-check-for-error-after-parsing-header.patch
> +OPENJPEG_IGNORE_CVES += CVE-2025-54874
> +
>  OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
>  OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_LIBPNG),libpng)
>  OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_TIFF),tiff)
> -- 
> 2.50.1