[Buildroot] [PATCH 1/2] package/jasper: add patch for CVE-2023-51257

Thomas Perale thomas.perale at mind.be
Thu Sep 25 20:16:49 UTC 2025


In reply to:
> This fixes the following vulnerability:
> 
> - CVE-2023-51257:
> 
> An invalid memory write issue in Jasper-Software Jasper v.4.1.1 and
> before allows a local attacker to execute arbitrary code.
> 
> For more information see:
>   - https://nvd.nist.gov//vuln/detail/CVE-2023-51257
>   - https://github.com/jasper-software/jasper/commit/aeef5293c978158255ad4f127089644745602f2a
> 
> Signed-off-by: Thomas Perale <thomas.perale at mind.be>

Applied to 2025.02.x, 2025.05.x & 2025.08.x. Thanks

> ---
>  package/jasper/0001-Fixes-367.patch | 46 +++++++++++++++++++++++++++++
>  package/jasper/jasper.mk            |  3 ++
>  2 files changed, 49 insertions(+)
>  create mode 100644 package/jasper/0001-Fixes-367.patch
> 
> diff --git a/package/jasper/0001-Fixes-367.patch b/package/jasper/0001-Fixes-367.patch
> new file mode 100644
> index 0000000000..11dfb5672f
> --- /dev/null
> +++ b/package/jasper/0001-Fixes-367.patch
> @@ -0,0 +1,46 @@
> +From aeef5293c978158255ad4f127089644745602f2a Mon Sep 17 00:00:00 2001
> +From: Michael Adams <mdadams at ece.uvic.ca>
> +Date: Thu, 14 Dec 2023 19:04:19 -0800
> +Subject: [PATCH] Fixes #367.
> +
> +Fixed an integer-overflow bug in the ICC profile parsing code.
> +Added another invalid image to the test set.
> +
> +CVE: CVE-2023-51257
> +Upstream: https://github.com/jasper-software/jasper/commit/aeef5293c978158255ad4f127089644745602f2a
> +Signed-off-by: Thomas Perale <thomas.perale at mind.be>
> +---
> + src/libjasper/base/jas_icc.c | 16 ++++++++++++++--
> + 1 file changed, 14 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
> +index 905b823..2d1e91e 100644
> +--- a/src/libjasper/base/jas_icc.c
> ++++ b/src/libjasper/base/jas_icc.c
> +@@ -1295,10 +1295,22 @@ static int jas_icctxt_input(jas_iccattrval_t *attrval, jas_stream_t *in,
> + {
> + 	jas_icctxt_t *txt = &attrval->data.txt;
> + 	txt->string = 0;
> +-	if (!(txt->string = jas_malloc(cnt)))
> ++	/* The string must at least contain a single null character. */
> ++	if (cnt < 1) {
> + 		goto error;
> +-	if (jas_stream_read(in, txt->string, cnt) != cnt)
> ++	}
> ++	if (!(txt->string = jas_malloc(cnt))) {
> ++		goto error;
> ++	}
> ++	if (jas_stream_read(in, txt->string, cnt) != cnt) {
> + 		goto error;
> ++	}
> ++	/* Ensure that the string is null terminated. */
> ++	if (txt->string[cnt - 1] != '\0') {
> ++		goto error;
> ++	}
> ++	/* The following line is redundant, unless we do not enforce that
> ++	  the last character must be null. */
> + 	txt->string[cnt - 1] = '\0';
> + 	if (strlen(txt->string) + 1 != cnt)
> + 		goto error;
> +-- 
> +2.39.5
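
Review bot: the commit message of the embedded patch still says "Added another invalid image to the test set", but its diffstat lists only src/libjasper/base/jas_icc.c (14 insertions, 2 deletions), so the test-image part of the upstream commit is not carried here. A short bracketed note above the Signed-off-by line saying that the test data was dropped for the backport would make the difference from the upstream commit explicit. Separately, the type of cnt is cut off in the hunk header, so whether the new `cnt < 1` guard also rejects negative values or only zero cannot be confirmed from these lines and is worth checking against the full function signature.
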
> diff --git a/package/jasper/jasper.mk b/package/jasper/jasper.mk
> index 45b9c49558..dd0badbc8f 100644
> --- a/package/jasper/jasper.mk
> +++ b/package/jasper/jasper.mk
> @@ -15,6 +15,9 @@ JASPER_CONF_OPTS = \
>  	-DJAS_ENABLE_DOC=OFF \
>  	-DJAS_ENABLE_PROGRAMS=OFF
>  
> +# 0001-Fixes-367.patch
> +JASPER_IGNORE_CVES += CVE-2023-51257
> +
>  ifeq ($(BR2_STATIC_LIBS),y)
>  JASPER_CONF_OPTS += -DJAS_ENABLE_SHARED=OFF
>  endif
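
Review bot: style point on placement: the new `JASPER_IGNORE_CVES += CVE-2023-51257` line lands between the `JASPER_CONF_OPTS` assignment and the `BR2_STATIC_LIBS` conditional that appends to it, which splits the configure-option logic in two. Moving the entry up next to the package metadata would keep the CONF_OPTS handling contiguous. The `# 0001-Fixes-367.patch` comment correctly ties the ignore entry to the local patch, so both need to be removed together once the package is bumped to a release that contains the upstream commit.
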
> -- 
> 2.39.5
> 