diff --git a/libjpeg-turbo-CVE-2020-13790.patch b/libjpeg-turbo-CVE-2020-13790.patch deleted file mode 100644 index 7b5487d..0000000 --- a/libjpeg-turbo-CVE-2020-13790.patch +++ /dev/null @@ -1,32 +0,0 @@ -From a224e4dfd34823a4d993dcb97819bdcee8471676 Mon Sep 17 00:00:00 2001 -From: DRC -Date: Tue, 2 Jun 2020 14:15:37 -0500 -Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM - -This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to -include binary PPM files with maximum values < 255, thus preventing a -malformed binary PPM input file with those specifications from -triggering an overrun of the rescale array and potentially crashing -cjpeg, TJBench, or any program that uses the tjLoadImage() function. - -Fixes #433 ---- - rdppm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rdppm.c b/rdppm.c -index 87bc330..71dd146 100644 ---- a/rdppm.c -+++ b/rdppm.c -@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) - /* On 16-bit-int machines we have to be careful of maxval = 65535 */ - source->rescale = (JSAMPLE *) - (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, -- (size_t)(((long)maxval + 1L) * -+ (size_t)(((long)MAX(maxval, 255) + 1L) * - sizeof(JSAMPLE))); - half_maxval = maxval / 2; - for (val = 0; val <= (long)maxval; val++) { --- -2.26.2 - diff --git a/libjpeg-turbo-cmake.patch b/libjpeg-turbo-cmake.patch index 3ac8ca9..732257f 100644 --- a/libjpeg-turbo-cmake.patch +++ b/libjpeg-turbo-cmake.patch @@ -1,8 +1,8 @@ diff --git a/CMakeLists.txt b/CMakeLists.txt -index 28fd443..52f9a8c 100644 +index 8656d7a..7b2932f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt -@@ -1337,7 +1337,7 @@ set(EXE ${CMAKE_EXECUTABLE_SUFFIX}) +@@ -1366,7 +1366,7 @@ set(EXE ${CMAKE_EXECUTABLE_SUFFIX}) if(WITH_TURBOJPEG) if(ENABLE_SHARED) 
@@ -11,7 +11,7 @@ index 28fd443..52f9a8c 100644 ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR} LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}) -@@ -1350,15 +1350,6 @@ if(WITH_TURBOJPEG) +@@ -1379,15 +1379,6 @@ if(WITH_TURBOJPEG) if(ENABLE_STATIC) install(TARGETS turbojpeg-static ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}) @@ -27,7 +27,7 @@ index 28fd443..52f9a8c 100644 endif() install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/turbojpeg.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}) -@@ -1383,18 +1374,6 @@ endif() +@@ -1412,18 +1403,6 @@ endif() install(TARGETS rdjpgcom wrjpgcom RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}) @@ -46,7 +46,7 @@ index 28fd443..52f9a8c 100644 if(UNIX OR MINGW) install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/cjpeg.1 ${CMAKE_CURRENT_SOURCE_DIR}/djpeg.1 ${CMAKE_CURRENT_SOURCE_DIR}/jpegtran.1 -@@ -1408,7 +1387,7 @@ install(FILES ${CMAKE_CURRENT_BINARY_DIR}/pkgscripts/libjpeg.pc +@@ -1437,7 +1416,7 @@ install(FILES ${CMAKE_CURRENT_BINARY_DIR}/pkgscripts/libjpeg.pc install(FILES ${CMAKE_CURRENT_BINARY_DIR}/jconfig.h ${CMAKE_CURRENT_SOURCE_DIR}/jerror.h ${CMAKE_CURRENT_SOURCE_DIR}/jmorecfg.h diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec index de595ed..39715dd 100644 --- a/libjpeg-turbo.spec +++ b/libjpeg-turbo.spec @@ -1,6 +1,6 @@ Name: libjpeg-turbo -Version: 2.0.4 -Release: 3%{?dist} +Version: 2.0.5 +Release: 1%{?dist} Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files License: IJG URL: http://sourceforge.net/projects/libjpeg-turbo @@ -8,7 +8,6 @@ URL: http://sourceforge.net/projects/libjpeg-turbo Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz Patch0: libjpeg-turbo-cmake.patch Patch1: libjpeg-turbo-CET.patch -Patch2: libjpeg-turbo-CVE-2020-13790.patch BuildRequires: gcc BuildRequires: cmake 
@@ -72,7 +71,6 @@ manipulate JPEG files using the TurboJPEG library. %setup -q %patch0 -p1 %patch1 -p1 -%patch2 -p1 %build # NASM object files are missing GNU Property note for Intel CET, @@ -178,6 +176,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags} %{_libdir}/pkgconfig/libturbojpeg.pc %changelog +* Fri Jul 03 2020 Nikola Forró - 2.0.5-1 +- New upstream release 2.0.5 (#1850293) + * Tue Jun 16 2020 Nikola Forró - 2.0.4-3 - Fix CVE-2020-13790 (#1847159) diff --git a/sources b/sources index d59ca0b..de45df5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libjpeg-turbo-2.0.4.tar.gz) = 708c2e7418d9ed5abca313e2ff5a08f8176d79cad2127573cda6036583c201973db4cfb0eafc0fc8f57ecc7b000d2b4af95980de54de5a0aed45969e993a5bf9 +SHA512 (libjpeg-turbo-2.0.5.tar.gz) = 5bf9ecf069b43783ff24365febf36dda69ccb92d6397efec6069b2b4f359bfd7b87934a6ce4311873220fccc73acabdacef5ce0604b79209eb1912e8ba478555
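Review bot: The changelog entry added in the last libjpeg-turbo.spec hunk says only `New upstream release 2.0.5 (#1850293)`, while the same commit removes `Patch2: libjpeg-turbo-CVE-2020-13790.patch` from the preamble and `%patch2 -p1` from %prep, so the package history no longer says where the rdppm.c overrun fix now comes from. Presumably the 2.0.5 tarball already carries that change, since the patch is dropped rather than rebased; it is worth confirming that `start_input_ppm()` in the new rdppm.c sizes the rescale array with `MAX(maxval, 255)`, as the deleted patch did. If so, record it with a second changelog line such as `- Drop libjpeg-turbo-CVE-2020-13790.patch, fixed upstream in 2.0.5`. That keeps the CVE traceable for anyone auditing the package or maintaining a branch that still ships 2.0.4.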