.gitignore

@@ -1,22 +1,2 @@
-clog
+SOURCES/jasper-2.0.14.tar.gz
-geojasper_src.zip
-jasper-1.701.0.zip
-jasper-1.900.0.zip
-jasper-1.900.1.zip
-/jasper-1.900.2.tar.gz
-/jasper-1.900.3.tar.gz
-/jasper-1.900.13.tar.gz
-/jasper-1.900.28.tar.gz
-/jasper-1.900.30.tar.gz
-/jasper-2.0.2.tar.gz
-/jasper-2.0.10.tar.gz
-/jasper-2.0.12.tar.gz
 /jasper-2.0.14.tar.gz
-/jasper-version-2.0.16.tar.gz
-/version-2.0.17.tar.gz
-/version-2.0.22.tar.gz
-/version-2.0.24.tar.gz
-/version-2.0.25.tar.gz
-/version-2.0.26.tar.gz
-/version-2.0.27.tar.gz
-/version-2.0.28.tar.gz

gating.yaml

@@ -1,6 +1,6 @@
 --- !Policy
 product_versions:
-  - rhel-9
+  - rhel-8
 decision_context: osci_compose_gate
 rules:
   - !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}

jasper-2.0.14-CVE-2016-9396.patch

@@ -0,0 +1,13 @@
+diff -urNp old/src/libjasper/jpc/jpc_cs.c new/src/libjasper/jpc/jpc_cs.c
+--- old/src/libjasper/jpc/jpc_cs.c	2018-05-30 09:01:54.160406645 +0200
++++ new/src/libjasper/jpc/jpc_cs.c	2018-05-30 09:05:24.527094308 +0200
+@@ -795,6 +795,9 @@ static int jpc_cox_getcompparms(jpc_ms_t
+ 	if (compparms->numdlvls > 32) {
+ 		goto error;
+ 	}
++	if (compparms->qmfbid != JPC_COX_INS &&
++	    compparms->qmfbid != JPC_COX_RFT)
++		goto error;
+ 	compparms->numrlvls = compparms->numdlvls + 1;
+ 	if (compparms->numrlvls > JPC_MAXRLVLS) {
+ 		goto error;

jasper-2.0.14-CVE-2020-27828.patch

@@ -0,0 +1,14 @@
+diff -urNp a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
+--- a/src/libjasper/jpc/jpc_enc.c	2021-06-01 14:07:34.988061153 +0200
++++ b/src/libjasper/jpc/jpc_enc.c	2021-06-01 14:08:32.100584582 +0200
+@@ -508,6 +508,10 @@ static jpc_enc_cp_t *cp_create(const cha
+ 			break;
+ 		case OPT_MAXRLVLS:
+ 			tccp->maxrlvls = atoi(jas_tvparser_getval(tvp));
++            if(tccp->maxrlvls > JPC_MAXRLVLS) {
++				jas_eprintf("invalid number of resolution levels upper than %d\n",JPC_MAXRLVLS);
++				goto error;
++			}
+ 			break;
+ 		case OPT_SOP:
+ 			cp->tcp.csty |= JPC_COD_SOP;

jasper-2.0.14-CVE-2021-26927.patch

@@ -0,0 +1,47 @@
+diff -urNp a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
+--- a/src/libjasper/jp2/jp2_dec.c	2021-06-01 13:32:59.330396797 +0200
++++ b/src/libjasper/jp2/jp2_dec.c	2021-06-01 13:46:16.982925961 +0200
+@@ -230,7 +230,8 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	  the value specified in the code stream? */
+ 	if (dec->ihdr->data.ihdr.numcmpts != JAS_CAST(jas_uint,
+ 	  jas_image_numcmpts(dec->image))) {
+-		jas_eprintf("warning: number of components mismatch\n");
++		jas_eprintf("error: number of components mismatch (IHDR)\n");
++        goto error;
+ 	}
+ 
+ 	/* At least one component must be present. */
+@@ -253,7 +254,8 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	  with the data in the code stream? */
+ 	if ((samedtype && dec->ihdr->data.ihdr.bpc != JP2_DTYPETOBPC(dtype)) ||
+ 	  (!samedtype && dec->ihdr->data.ihdr.bpc != JP2_IHDR_BPCNULL)) {
+-		jas_eprintf("warning: component data type mismatch\n");
++		jas_eprintf("error: component data type mismatch (IHDR)\n");
++        goto error;
+ 	}
+ 
+ 	/* Is the compression type supported? */
+@@ -265,9 +267,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 	if (dec->bpcc) {
+ 		/* Is the number of components indicated in the BPCC box
+ 		  consistent with the code stream data? */
+-		if (dec->bpcc->data.bpcc.numcmpts != JAS_CAST(jas_uint, jas_image_numcmpts(
+-		  dec->image))) {
+-			jas_eprintf("warning: number of components mismatch\n");
++		if (dec->bpcc->data.bpcc.numcmpts !=
++          JAS_CAST(jas_uint, jas_image_numcmpts(dec->image))) {
++			    jas_eprintf("error: number of components mismatch (BPCC)\n");
++                goto error;
+ 		}
+ 		/* Is the component data type information indicated in the BPCC
+ 		  box consistent with the code stream data? */
+@@ -276,7 +279,8 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 			  ++i) {
+ 				if (jas_image_cmptdtype(dec->image, i) !=
+ 				  JP2_BPCTODTYPE(dec->bpcc->data.bpcc.bpcs[i])) {
+-					jas_eprintf("warning: component data type mismatch\n");
++					    jas_eprintf("error: component data type mismatch (BPCC)\n");
++                        goto error;
+ 				}
+ 			}
+ 		} else {

jasper-2.0.14-CVE-2021-3272.patch

@@ -0,0 +1,18 @@
+diff -urNp a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
+--- a/src/libjasper/jp2/jp2_dec.c	2021-06-01 13:50:54.213552191 +0200
++++ b/src/libjasper/jp2/jp2_dec.c	2021-06-01 14:02:40.016274587 +0200
+@@ -396,6 +396,14 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ 		}
+ 	}
+ 
++    /* Ensure that the number of channels being used by the decoder
++	  matches the number of image components. */
++	if (dec->numchans != jas_image_numcmpts(dec->image)) {
++		jas_eprintf("error: mismatch in number of components (%d != %d)\n",
++		  dec->numchans, jas_image_numcmpts(dec->image));
++		goto error;
++	}
++
+ 	/* Mark all components as being of unknown type. */
+ 
+ 	for (i = 0; i < JAS_CAST(jas_uint, jas_image_numcmpts(dec->image)); ++i) {

jasper-2.0.14-rpath.patch

@@ -1,12 +0,0 @@
-diff -up jasper-2.0.14/CMakeLists.txt.rpath jasper-2.0.14/CMakeLists.txt
---- jasper-2.0.14/CMakeLists.txt.rpath	2017-09-14 18:20:10.000000000 -0500
-+++ jasper-2.0.14/CMakeLists.txt	2018-07-19 09:48:53.035815377 -0500
-@@ -347,7 +347,7 @@ if (JAS_ENABLE_SHARED)
- 	# (but later on when installing)
- 	set(CMAKE_BUILD_WITH_INSTALL_RPATH FALSE) 
- 
--	set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
-+	#set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
- 
- 	# add the automatically determined parts of the RPATH
- 	# which point to directories outside the build tree to the install RPATH

jasper-2.0.17-version.patch

@@ -1,12 +0,0 @@
-diff -up jasper-version-2.0.17/CMakeLists.txt.me jasper-version-2.0.17/CMakeLists.txt
---- jasper-version-2.0.17/CMakeLists.txt.me	2020-08-27 20:41:48.442787440 +0200
-+++ jasper-version-2.0.17/CMakeLists.txt	2020-08-27 20:42:02.161966702 +0200
-@@ -17,7 +17,7 @@ include(CheckCCompilerFlag)
- # The major, minor, and micro version numbers of the project.
- set(JAS_VERSION_MAJOR 2)
- set(JAS_VERSION_MINOR 0)
--set(JAS_VERSION_PATCH 16)
-+set(JAS_VERSION_PATCH 17)
- 
- # The project version.
- set(JAS_VERSION

jasper-CVE-2021-3443.patch

@@ -1,29 +0,0 @@
-From f94e7499a8b1471a4905c4f9c9e12e60fe88264b Mon Sep 17 00:00:00 2001
-From: Michael Adams <mdadams@ece.uvic.ca>
-Date: Sat, 13 Mar 2021 20:04:58 -0800
-Subject: [PATCH] Fixes #269. Added a check for an invalid component reference
- in the JP2 decoder.
-
----
- src/libjasper/jp2/jp2_dec.c |   8 +++++++-
- 1 files changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
-index 2863d82..fe2e29d 100644
---- a/src/libjasper/jp2/jp2_dec.c
-+++ b/src/libjasper/jp2/jp2_dec.c
-@@ -451,7 +451,13 @@ jas_image_t *jp2_decode(jas_stream_t *in, const char *optstr)
- 		}
- 	} else {
- 		for (i = 0; i < dec->numchans; ++i) {
--			jas_image_setcmpttype(dec->image, dec->chantocmptlut[i],
-+			unsigned compno = dec->chantocmptlut[i];
-+			if (compno >= jas_image_numcmpts(dec->image)) {
-+				jas_eprintf(
-+				  "error: invalid component reference (%d)\n", compno);
-+				goto error;
-+			}
-+			jas_image_setcmpttype(dec->image, compno,
- 			  jp2_getct(jas_image_clrspc(dec->image), 0, i + 1));
- 		}
- 	}

jasper-freeglut.patch

@@ -1,66 +0,0 @@
-diff -urNp a/build/cmake/modules/JasOpenGL.cmake b/build/cmake/modules/JasOpenGL.cmake
---- a/build/cmake/modules/JasOpenGL.cmake	2020-10-07 10:00:16.316291325 +0200
-+++ b/build/cmake/modules/JasOpenGL.cmake	2020-10-07 10:03:39.536143003 +0200
-@@ -13,19 +13,19 @@ if (JAS_ENABLE_OPENGL AND OPENGL_FOUND)
- 	set(JAS_HAVE_OPENGL 0)
- 	message("OpenGL include directory: ${OPENGL_INCLUDE_DIR}")
- 	message("OpenGL libraries: ${OPENGL_LIBRARIES}")
--	find_package(GLUT ${JAS_REQUIRED})
--	message("GLUT library found: ${GLUT_FOUND}")
--	if (GLUT_FOUND)
--		message("GLUT include directory: ${GLUT_INCLUDE_DIR}")
--		message("GLUT libraries: ${GLUT_LIBRARIES}")
--		set(CMAKE_REQUIRED_INCLUDES ${GLUT_INCLUDE_DIR})
--		check_include_files(GL/glut.h JAS_HAVE_GL_GLUT_H)
-+	find_package(FreeGLUT ${JAS_REQUIRED})
-+	message("GLUT library found: ${FreeGLUT_FOUND}")
-+	if (FreeGLUT_FOUND)
-+		message("GLUT include directory: ${FreeGLUT_INCLUDE_DIR}")
-+		message("GLUT libraries: ${FreeGLUT_LIBRARIES}")
-+		set(CMAKE_REQUIRED_INCLUDES ${FreeGLUT_INCLUDE_DIR})
-+		check_include_files(GL/freeglut.h JAS_HAVE_GL_GLUT_H)
- 		check_include_files(glut.h JAS_HAVE_GLUT_H)
- 		if (JAS_HAVE_GL_GLUT_H OR JAS_HAVE_GLUT_H)
- 			set(JAS_HAVE_OPENGL 1)
--			include_directories(${GLUT_INCLUDE_DIR} ${OPENGL_INCLUDE_DIR})
-+			include_directories(${FreeGLUT_INCLUDE_DIR} ${OPENGL_INCLUDE_DIR})
- 		else()
--			message(WARNING "The header files GL/glut.h and glut.h both appear to be missing.")
-+			message(WARNING "The header files GL/freeglut.h and glut.h both appear to be missing.")
- 			message(WARNING "Disabling OpenGL.")
- 		endif()
- 	endif()
-@@ -49,6 +49,6 @@ else()
- 	set(JAS_HAVE_OPENGL 0)
- 	set(OPENGL_INCLUDE_DIR "")
- 	set(OPENGL_LIBRARIES "")
--	set(GLUT_INCLUDE_DIR "")
-+	set(FreeGLUT_INCLUDE_DIR "")
- 	set(GLUT_LIBRARIES "")
- endif()
-diff -urNp a/src/appl/CMakeLists.txt b/src/appl/CMakeLists.txt
---- a/src/appl/CMakeLists.txt	2020-10-07 10:00:16.338291526 +0200
-+++ b/src/appl/CMakeLists.txt	2020-10-07 10:04:58.864872143 +0200
-@@ -23,8 +23,8 @@ set(man_pages "${man_pages}" imgcmp.1)
- if(JAS_HAVE_OPENGL)
- 	add_executable(jiv jiv.c)
- 	target_include_directories(jiv PUBLIC
--	  ${GLUT_INCLUDE_DIR} ${OPENGL_INCLUDE_DIR})
--	target_link_libraries(jiv libjasper ${JPEG_LIBRARIES} ${GLUT_LIBRARIES}
-+	  ${FreeGLUT_INCLUDE_DIR} ${OPENGL_INCLUDE_DIR})
-+	target_link_libraries(jiv libjasper ${JPEG_LIBRARIES} -lglut
- 	  ${OPENGL_LIBRARIES} ${MATH_LIBRARY})
- 	set(programs "${programs}" jiv)
- 	set(man_pages "${man_pages}" jiv.1)
-diff -urNp a/src/appl/jiv.c b/src/appl/jiv.c
---- a/src/appl/jiv.c	2020-10-07 10:00:16.340291544 +0200
-+++ b/src/appl/jiv.c	2020-10-07 10:05:35.319207658 +0200
-@@ -68,7 +68,7 @@
- #include <math.h>
- #include <inttypes.h>
- #if defined(JAS_HAVE_GL_GLUT_H)
--#include <GL/glut.h>
-+#include <GL/freeglut.h>
- #else
- #include <glut.h>
- #endif

jasper.spec

@@ -5,16 +5,18 @@
 
 Summary: Implementation of the JPEG-2000 standard, Part 1
 Name:    jasper
-Version: 2.0.28
+Version: 2.0.14
-Release: 3%{?dist}
+Release: 5%{?dist}
 
 License: JasPer
 URL:     http://www.ece.uvic.ca/~frodo/jasper/
-Source0: https://github.com/jasper-software/jasper/archive/version-%{version}.tar.gz
+Source0: http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{version}.tar.gz
 
-# skip hard-coded prefix/lib rpath
+
-Patch2: jasper-2.0.14-rpath.patch
+Patch1: jasper-2.0.14-CVE-2016-9396.patch
-Patch3: jasper-freeglut.patch
+Patch2: jasper-2.0.14-CVE-2021-26927.patch
+Patch3: jasper-2.0.14-CVE-2021-3272.patch
+Patch4: jasper-2.0.14-CVE-2020-27828.patch
 
 # architecture related patches
 Patch100: jasper-2.0.2-test-ppc64-disable.patch
@@ -28,10 +30,9 @@ BuildRequires: libjpeg-devel
 BuildRequires: libXmu-devel libXi-devel
 BuildRequires: pkgconfig doxygen
 BuildRequires: mesa-libGL-devel
+BuildRequires: gcc
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-BuildRequires: gcc
-BuildRequires: make
 
 %description
 This package contains an implementation of the image compression
@@ -62,12 +63,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 
 %prep
-%setup -q -n %{name}-version-%{version}
+%setup -q -n %{name}-%{version}
 
-%patch2 -p1 -b .rpath
+%patch1 -p1 -b .CVE-2016-9396
+%patch2 -p1 -b .CVE-2021-26927
+%patch3 -p1 -b .CVE-2021-3272
+%patch4 -p1 -b .CVE-2020-27828
 # Need to disable one test to be able to build it on ppc64 arch
 # At ppc64 this test just stuck (nothing happend - no exception or error)
-%patch3 -p1 -b .freeglut
 
 %if "%{_arch}" == "ppc64"
 %patch100 -p1 -b .test-ppc64-disable
@@ -81,28 +84,41 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %endif
 
 
+mkdir -p builder
+
+%cmake -G "Unix Makefiles" \
+       -H%{_builddir}/%{name}-%{version} \
+       -B%{_builddir}/%{name}-%{version}/builder
+
+
 %build
-mkdir builder
+pushd builder
-%cmake \
+make clean all
-  -DJAS_ENABLE_DOC:BOOL=OFF \
-  -B builder
-
-%make_build -C builder
 
+popd
 
 %install
-make install/fast DESTDIR=%{buildroot} -C builder
+pushd builder
+make install DESTDIR=%{buildroot}
+
+#%if "%{_arch}" != "arm" && "%{_arch}" != "i386"
+#	mv %{buildroot}/usr/lib %{buildroot}/usr/lib64
+#%endif
 
 # Unpackaged files
 rm -f doc/README
 rm -f %{buildroot}%{_libdir}/lib*.la
-
+popd
 
 %check
-make test -C builder
+pushd builder
+make test
+
+popd
 
 %ldconfig_scriptlets libs
 
+
 %files
 %{_bindir}/imgcmp
 %{_bindir}/imginfo
@@ -118,9 +134,8 @@ make test -C builder
 %{_libdir}/pkgconfig/jasper.pc
 
 %files libs
-%doc README
+%doc COPYRIGHT LICENSE README
-%license COPYRIGHT LICENSE
+%{_libdir}/libjasper.so*
-%{_libdir}/libjasper.so.4*
 
 %files utils
 %{_bindir}/jiv
@@ -128,77 +143,14 @@ make test -C builder
 
 
 %changelog
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.0.28-3
+* Tue Jun 01 2021 Josef Ridky <jridky@redhat.com> - 2.0.14-5
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Fix CVE-2021-26927 (#1933860)
-  Related: rhbz#1991688
+- Fix CVE-2021-26926 (#1922316)
+- Fix CVE-2021-3272 (#1922283)
+- Fix CVE-2020-27828 (#1905692)
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.0.28-2
+* Wed May 30 2018 Josef Ridky <jridky@redhat.com> - 2.0.14-4
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- Fix CVE-2016-9396 (#1583722)
-
-* Tue Mar 30 2021 Josef Ridky <jridky@redhat.com> - 2.0.28-1
-- New upstream release 2.0.28 (#1944481)
-
-* Wed Mar 24 2021 Josef Ridky <jridky@redhat.com> - 2.0.27-1
-- New upstream release 2.0.27 (#1940455)
-
-* Tue Mar 16 2021 Josef Ridky <jridky@redhat.com> - 2.0.26-2
-- Fix CVE-2021-3443 (#1939233)
-
-* Wed Mar 10 2021 Josef Ridky <jridky@redhat.com> - 2.0.26-1
-- New upstream release 2.0.26 (#1935900)
-
-* Tue Feb 09 2021 Josef Ridky <jridky@redhat.com> - 2.0.25-1
-- New upstream release 2.0.25 (#1925996)
-
-* Thu Jan 28 2021 Josef Ridky <jridky@redhat.com> - 2.0.24-3
-- fix CVE-2021-3272 (#1921328)
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.24-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Mon Jan 25 2021 Josef Ridky <jridky@redhat.com> - 2.0.24-1
-- New upstream release 2.0.24 (#1905690)
-
-* Wed Oct 07 2020 Josef Ridky <jridky@redhat.com> - 2.0.22-1
-- New upstream release 2.0.22 (#1876161)
-
-* Thu Aug 27 2020 Than Ngo <than@redhat.com> - 2.0.17-3
-- add correct version
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.17-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Mon Jul 20 2020 Josef Ridky <jridky@redhat.com> - 2.0.17-1
-- new upstream release (2.0.17)
-- change of source URL to GitHub of Jasper
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.16-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Tue Sep 17 2019 Gwyn Ciesla <gwync@protonmail.com> - 2.0.16-1
-- New version, rebuilt for new freeglut
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.14-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.14-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Thu Jul 19 2018 Rex Dieter <rdieter@fedoraproject.org> - 2.0.14-7
-- cleanup cmake usage, move to %%build
-- %%build: explicitly disable doc generation
-- kill hard-coded rpath
-- -libs: explicit soname so bumps aren't a surprise
-- use %%license, %%make_build, 'make install/fast'
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.14-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Wed May 30 2018 Josef Ridky <jridky@redhat.com> - 2.0.14-5
-- Fix CVE-2016-9396 (#1396986)
-
-* Thu Mar 08 2018 Josef Ridky <jridky@redhat.com> - 2.0.14-4
-- Fix gcc dependency
 
 * Mon Feb 26 2018 Josef Ridky <jridky@redhat.com> - 2.0.14-3
 - Clean spec file

sources

@@ -1 +1 @@
-SHA512 (version-2.0.28.tar.gz) = 13a47efc3b3d10e0680e7cf0637a417df0920e1ca8af20f2206303d0a14753688f7e6c6b3383f6db946effca389754e5736e286ed45d5b643b422f5600223eab
+SHA512 (jasper-2.0.14.tar.gz) = 9e5cffd2e899e37ba08890e2377ddfc3c2fb13d9fe00dea6b4612e4d241a6f4327de6835809b415c41ae4bf44208cf7871c1982ff5fc04ae6bc09fd376b0afc8