From 040ed836d607eafc39127b225c8e303d1f7cb4ef Mon Sep 17 00:00:00 2001
From: Josef Ridky
Date: Wed, 30 May 2018 09:43:40 +0200
Subject: [PATCH] Related: #1396986 - fix CVE-2016-9396
---
jasper-2.0.14-CVE-2016-9396.patch | 13 +++++++++++++
jasper.spec | 8 ++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
create mode 100644 jasper-2.0.14-CVE-2016-9396.patch
diff --git a/jasper-2.0.14-CVE-2016-9396.patch b/jasper-2.0.14-CVE-2016-9396.patch
new file mode 100644
index 0000000..197ea7c
--- /dev/null
+++ b/jasper-2.0.14-CVE-2016-9396.patch
@@ -0,0 +1,13 @@
+diff -urNp old/src/libjasper/jpc/jpc_cs.c new/src/libjasper/jpc/jpc_cs.c
+--- old/src/libjasper/jpc/jpc_cs.c 2018-05-30 09:01:54.160406645 +0200
++++ new/src/libjasper/jpc/jpc_cs.c 2018-05-30 09:05:24.527094308 +0200
+@@ -795,6 +795,9 @@ static int jpc_cox_getcompparms(jpc_ms_t
+ if (compparms->numdlvls > 32) {
+ goto error;
+ }
++ if (compparms->qmfbid != JPC_COX_INS &&
++ compparms->qmfbid != JPC_COX_RFT)
++ goto error;
+ compparms->numrlvls = compparms->numdlvls + 1;
+ if (compparms->numrlvls > JPC_MAXRLVLS) {
+ goto error;
diff --git a/jasper.spec b/jasper.spec
index 604ce37..d248839 100644
--- a/jasper.spec
+++ b/jasper.spec
@@ -6,13 +6,13 @@ Summary: Implementation of the JPEG-2000 standard, Part 1 Name: jasper Version: 2.0.14 -Release: 4%{?dist} +Release: 5%{?dist} License: JasPer URL: http://www.ece.uvic.ca/~frodo/jasper/ Source0: http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}.tar.gz - +Patch1: jasper-2.0.14-CVE-2016-9396.patch # architecture related patches Patch100: jasper-2.0.2-test-ppc64-disable.patch Patch101: jasper-2.0.2-test-ppc64le-disable.patch
@@ -60,6 +60,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} %prep %setup -q -n %{name}-%{version} +%patch1 -p1 -b .CVE-2016-9396 # Need to disable one test to be able to build it on ppc64 arch # At ppc64 this test just stuck (nothing happend - no exception or error) 
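Review bot: The added `qmfbid` check in the jpc_cs.c hunk carried by jasper-2.0.14-CVE-2016-9396.patch is the only `if` in view without braces, while the `numdlvls` and `numrlvls` checks around it brace their `goto error;`; brace it the same way so a later edit cannot detach the error path from the condition: `if (compparms->qmfbid != JPC_COX_INS && compparms->qmfbid != JPC_COX_RFT) {`, `goto error;`, `}`. A one-line comment such as `/* reject transform ids other than JPC_COX_INS / JPC_COX_RFT before qmfbid is used further */` would record why the check exists; the exact failure it prevents is not visible here, so the wording should be confirmed against the CVE-2016-9396 report. The statement that reads `qmfbid` from the stream lies outside the hunk, as do the start and end of jpc_cox_getcompparms, so it is worth confirming that the check sits after that read and that the `error` label releases whatever the function holds by then. The spec change adds the patch without a regression test, so a test that exercises the rejected value would keep the fix from being silently lost when the package is rebased.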
@@ -134,6 +135,9 @@ popd %changelog +* Wed May 30 2018 Josef Ridky - 2.0.14-5 +- Fix CVE-2016-9396 (#1396986) + * Thu Mar 08 2018 Josef Ridky - 2.0.14-4 - Fix gcc dependency