[Buildroot] [PATCH 1/1] package/libjxl: security bump to version 0.8.2

Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCH 1/1] package/libjxl: security bump to version 0.8.2
@ 2023-09-14 21:56 Fabrice Fontaine
  2023-09-15 19:30 ` Julien Olivain
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2023-09-14 21:56 UTC (permalink / raw)
  To: buildroot; +Cc: Julien Olivain, Fabrice Fontaine

Fix CVE-2023-35790: An issue was discovered in dec_patch_dictionary.cc
in libjxl before 0.8.2. An integer underflow in patch decoding can lead
to a denial of service, such as an infinite loop.

https://github.com/libjxl/libjxl/releases/tag/v0.8.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/libjxl/libjxl.hash | 2 +-
 package/libjxl/libjxl.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libjxl/libjxl.hash b/package/libjxl/libjxl.hash
index 6b4c9d8d0a..c8f98d10ea 100644
--- a/package/libjxl/libjxl.hash
+++ b/package/libjxl/libjxl.hash
@@ -1,4 +1,4 @@
 # Locally computed:
-sha256  60f43921ad3209c9e180563025eda0c0f9b1afac51a2927b9ff59fff3950dc56  libjxl-0.8.1.tar.gz
+sha256  c70916fb3ed43784eb840f82f05d390053a558e2da106e40863919238fa7b420  libjxl-0.8.2.tar.gz
 sha256  8405932022a556380c2d8c272eff154a923feb197233f348ce5f7334fb0a5ede  LICENSE
 sha256  91915f8ae056a68a3c5bdf05d9f6f78bb6903e27a8ca3a8434c9e4ac87300575  PATENTS
diff --git a/package/libjxl/libjxl.mk b/package/libjxl/libjxl.mk
index f603327bf6..47c110eb53 100644
--- a/package/libjxl/libjxl.mk
+++ b/package/libjxl/libjxl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBJXL_VERSION = 0.8.1
+LIBJXL_VERSION = 0.8.2
 LIBJXL_SITE = $(call github,libjxl,libjxl,v$(LIBJXL_VERSION))
 LIBJXL_LICENSE = BSD-3-Clause
 LIBJXL_LICENSE_FILES = LICENSE PATENTS
-- 
2.40.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [Buildroot] [PATCH 1/1] package/libjxl: security bump to version 0.8.2
  2023-09-14 21:56 [Buildroot] [PATCH 1/1] package/libjxl: security bump to version 0.8.2 Fabrice Fontaine
@ 2023-09-15 19:30 ` Julien Olivain
  2023-09-15 21:39   ` Yann E. MORIN
  2023-09-15 21:38 ` Yann E. MORIN
  2023-09-24 19:03 ` Peter Korsgaard
  2 siblings, 1 reply; 5+ messages in thread
From: Julien Olivain @ 2023-09-15 19:30 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Fabrice Fontaine, buildroot

Hi Fabrice,

I tested this patch on branch master at commit 3557a7b
with commands:

     support/testing/run-tests \
         -d dl -o output_folder \
         tests.package.test_libjxl
     ...
     OK

While trying with:

     utils/test-pkg -a -p libjxl
     ...
         bootlin-riscv32-glibc [17/45]: FAILED
         bootlin-riscv64-glibc [18/45]: FAILED
          bootlin-riscv64-musl [19/45]: FAILED
     ...
     45 builds, 11 skipped, 3 build failed, 0 legal-info failed, 0 
show-info failed

I had those 3 build failures. They were introduced by v0.8.1 and are
unrelated to this patch. I proposed a fix at:
https://patchwork.ozlabs.org/project/buildroot/patch/20230915192308.1432032-1-ju.o@free.fr/

and also made sure this fix works for both v0.8.1 and v0.8.2 proposed in
this patch.

On 14/09/2023 23:56, Fabrice Fontaine wrote:
> Fix CVE-2023-35790: An issue was discovered in dec_patch_dictionary.cc
> in libjxl before 0.8.2. An integer underflow in patch decoding can lead
> to a denial of service, such as an infinite loop.
> 
> https://github.com/libjxl/libjxl/releases/tag/v0.8.2
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Reviewed-by: Julien Olivain <ju.o@free.fr>
Tested-by: Julien Olivain <ju.o@free.fr>

> ---
>  package/libjxl/libjxl.hash | 2 +-
>  package/libjxl/libjxl.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/libjxl/libjxl.hash b/package/libjxl/libjxl.hash
> index 6b4c9d8d0a..c8f98d10ea 100644
> --- a/package/libjxl/libjxl.hash
> +++ b/package/libjxl/libjxl.hash
> @@ -1,4 +1,4 @@
>  # Locally computed:
> -sha256  
> 60f43921ad3209c9e180563025eda0c0f9b1afac51a2927b9ff59fff3950dc56  
> libjxl-0.8.1.tar.gz
> +sha256  
> c70916fb3ed43784eb840f82f05d390053a558e2da106e40863919238fa7b420  
> libjxl-0.8.2.tar.gz
>  sha256  
> 8405932022a556380c2d8c272eff154a923feb197233f348ce5f7334fb0a5ede  
> LICENSE
>  sha256  
> 91915f8ae056a68a3c5bdf05d9f6f78bb6903e27a8ca3a8434c9e4ac87300575  
> PATENTS
> diff --git a/package/libjxl/libjxl.mk b/package/libjxl/libjxl.mk
> index f603327bf6..47c110eb53 100644
> --- a/package/libjxl/libjxl.mk
> +++ b/package/libjxl/libjxl.mk
> @@ -4,7 +4,7 @@
>  #
>  
> ################################################################################
> 
> -LIBJXL_VERSION = 0.8.1
> +LIBJXL_VERSION = 0.8.2
>  LIBJXL_SITE = $(call github,libjxl,libjxl,v$(LIBJXL_VERSION))
>  LIBJXL_LICENSE = BSD-3-Clause
>  LIBJXL_LICENSE_FILES = LICENSE PATENTS

Best regards,

Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Buildroot] [PATCH 1/1] package/libjxl: security bump to version 0.8.2
  2023-09-14 21:56 [Buildroot] [PATCH 1/1] package/libjxl: security bump to version 0.8.2 Fabrice Fontaine
  2023-09-15 19:30 ` Julien Olivain
@ 2023-09-15 21:38 ` Yann E. MORIN
  2023-09-24 19:03 ` Peter Korsgaard
  2 siblings, 0 replies; 5+ messages in thread
From: Yann E. MORIN @ 2023-09-15 21:38 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Julien Olivain, buildroot

Fabrice, All,

On 2023-09-14 23:56 +0200, Fabrice Fontaine spake thusly:
> Fix CVE-2023-35790: An issue was discovered in dec_patch_dictionary.cc
> in libjxl before 0.8.2. An integer underflow in patch decoding can lead
> to a denial of service, such as an infinite loop.
> 
> https://github.com/libjxl/libjxl/releases/tag/v0.8.2
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/libjxl/libjxl.hash | 2 +-
>  package/libjxl/libjxl.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/libjxl/libjxl.hash b/package/libjxl/libjxl.hash
> index 6b4c9d8d0a..c8f98d10ea 100644
> --- a/package/libjxl/libjxl.hash
> +++ b/package/libjxl/libjxl.hash
> @@ -1,4 +1,4 @@
>  # Locally computed:
> -sha256  60f43921ad3209c9e180563025eda0c0f9b1afac51a2927b9ff59fff3950dc56  libjxl-0.8.1.tar.gz
> +sha256  c70916fb3ed43784eb840f82f05d390053a558e2da106e40863919238fa7b420  libjxl-0.8.2.tar.gz
>  sha256  8405932022a556380c2d8c272eff154a923feb197233f348ce5f7334fb0a5ede  LICENSE
>  sha256  91915f8ae056a68a3c5bdf05d9f6f78bb6903e27a8ca3a8434c9e4ac87300575  PATENTS
> diff --git a/package/libjxl/libjxl.mk b/package/libjxl/libjxl.mk
> index f603327bf6..47c110eb53 100644
> --- a/package/libjxl/libjxl.mk
> +++ b/package/libjxl/libjxl.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LIBJXL_VERSION = 0.8.1
> +LIBJXL_VERSION = 0.8.2
>  LIBJXL_SITE = $(call github,libjxl,libjxl,v$(LIBJXL_VERSION))
>  LIBJXL_LICENSE = BSD-3-Clause
>  LIBJXL_LICENSE_FILES = LICENSE PATENTS
> -- 
> 2.40.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Buildroot] [PATCH 1/1] package/libjxl: security bump to version 0.8.2
  2023-09-15 19:30 ` Julien Olivain
@ 2023-09-15 21:39   ` Yann E. MORIN
  0 siblings, 0 replies; 5+ messages in thread
From: Yann E. MORIN @ 2023-09-15 21:39 UTC (permalink / raw)
  To: Julien Olivain; +Cc: Fabrice Fontaine, buildroot

Julien, All,

On 2023-09-15 21:30 +0200, Julien Olivain spake thusly:
> Hi Fabrice,
> 
> I tested this patch on branch master at commit 3557a7b
> with commands:
> 
>     support/testing/run-tests \
>         -d dl -o output_folder \
>         tests.package.test_libjxl
>     ...
>     OK
> 
> While trying with:
> 
>     utils/test-pkg -a -p libjxl
>     ...
>         bootlin-riscv32-glibc [17/45]: FAILED
>         bootlin-riscv64-glibc [18/45]: FAILED
>          bootlin-riscv64-musl [19/45]: FAILED
>     ...
>     45 builds, 11 skipped, 3 build failed, 0 legal-info failed, 0 show-info
> failed
> 
> I had those 3 build failures. They were introduced by v0.8.1 and are
> unrelated to this patch. I proposed a fix at:
> https://patchwork.ozlabs.org/project/buildroot/patch/20230915192308.1432032-1-ju.o@free.fr/
> 
> and also made sure this fix works for both v0.8.1 and v0.8.2 proposed in
> this patch.

Thank you! I applied your patch already!

Regards,
Yann E. MORIN.

> On 14/09/2023 23:56, Fabrice Fontaine wrote:
> >Fix CVE-2023-35790: An issue was discovered in dec_patch_dictionary.cc
> >in libjxl before 0.8.2. An integer underflow in patch decoding can lead
> >to a denial of service, such as an infinite loop.
> >
> >https://github.com/libjxl/libjxl/releases/tag/v0.8.2
> >
> >Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> 
> Reviewed-by: Julien Olivain <ju.o@free.fr>
> Tested-by: Julien Olivain <ju.o@free.fr>
> 
> >---
> > package/libjxl/libjxl.hash | 2 +-
> > package/libjxl/libjxl.mk   | 2 +-
> > 2 files changed, 2 insertions(+), 2 deletions(-)
> >
> >diff --git a/package/libjxl/libjxl.hash b/package/libjxl/libjxl.hash
> >index 6b4c9d8d0a..c8f98d10ea 100644
> >--- a/package/libjxl/libjxl.hash
> >+++ b/package/libjxl/libjxl.hash
> >@@ -1,4 +1,4 @@
> > # Locally computed:
> >-sha256  60f43921ad3209c9e180563025eda0c0f9b1afac51a2927b9ff59fff3950dc56
> >libjxl-0.8.1.tar.gz
> >+sha256  c70916fb3ed43784eb840f82f05d390053a558e2da106e40863919238fa7b420
> >libjxl-0.8.2.tar.gz
> > sha256  8405932022a556380c2d8c272eff154a923feb197233f348ce5f7334fb0a5ede
> >LICENSE
> > sha256  91915f8ae056a68a3c5bdf05d9f6f78bb6903e27a8ca3a8434c9e4ac87300575
> >PATENTS
> >diff --git a/package/libjxl/libjxl.mk b/package/libjxl/libjxl.mk
> >index f603327bf6..47c110eb53 100644
> >--- a/package/libjxl/libjxl.mk
> >+++ b/package/libjxl/libjxl.mk
> >@@ -4,7 +4,7 @@
> > #
> >################################################################################
> >
> >-LIBJXL_VERSION = 0.8.1
> >+LIBJXL_VERSION = 0.8.2
> > LIBJXL_SITE = $(call github,libjxl,libjxl,v$(LIBJXL_VERSION))
> > LIBJXL_LICENSE = BSD-3-Clause
> > LIBJXL_LICENSE_FILES = LICENSE PATENTS
> 
> Best regards,
> 
> Julien.
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Buildroot] [PATCH 1/1] package/libjxl: security bump to version 0.8.2
  2023-09-14 21:56 [Buildroot] [PATCH 1/1] package/libjxl: security bump to version 0.8.2 Fabrice Fontaine
  2023-09-15 19:30 ` Julien Olivain
  2023-09-15 21:38 ` Yann E. MORIN
@ 2023-09-24 19:03 ` Peter Korsgaard
  2 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2023-09-24 19:03 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Julien Olivain, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2023-35790: An issue was discovered in dec_patch_dictionary.cc
 > in libjxl before 0.8.2. An integer underflow in patch decoding can lead
 > to a denial of service, such as an infinite loop.

 > https://github.com/libjxl/libjxl/releases/tag/v0.8.2

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-09-24 19:05 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-14 21:56 [Buildroot] [PATCH 1/1] package/libjxl: security bump to version 0.8.2 Fabrice Fontaine
2023-09-15 19:30 ` Julien Olivain
2023-09-15 21:39   ` Yann E. MORIN
2023-09-15 21:38 ` Yann E. MORIN
2023-09-24 19:03 ` Peter Korsgaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox