From 53207d3c9104094833249b474c47a7dff5f97e7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?=
Date: Mon, 30 Jul 2018 13:34:06 +0200
Subject: [PATCH] - New upstream release 2.0.0 (#1609439)
---
 libjpeg-turbo-CVE-2018-1152.patch | 39 --------------------
 libjpeg-turbo-CVE-2018-11813.patch | 59 ------------------------------
 libjpeg-turbo.spec | 11 +++---
 sources | 2 +-
 4 files changed, 6 insertions(+), 105 deletions(-)
 delete mode 100644 libjpeg-turbo-CVE-2018-1152.patch
 delete mode 100644 libjpeg-turbo-CVE-2018-11813.patch
diff --git a/libjpeg-turbo-CVE-2018-1152.patch b/libjpeg-turbo-CVE-2018-1152.patch
deleted file mode 100644
index f27a505..0000000
--- a/libjpeg-turbo-CVE-2018-1152.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 0079f602bacb13a5b0c9f4a191ddaadd8a8fa58c Mon Sep 17 00:00:00 2001
-From: DRC
-Date: Tue, 12 Jun 2018 20:27:00 -0500
-Subject: [PATCH] tjLoadImage(): Fix FPE triggered by malformed BMP
-
-In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
-when allocating the row buffer, because since BMP files have 32-bit
-width and height fields, the value of biWidth can be up to 4294967295.
-Specifically, if biWidth is 1073741824 and cinfo->input_components = 4,
-then the samplesperrow argument in alloc_sarray() would wrap around to
-0, and a division by zero error would occur at line 458 in jmemmgr.c.
-
-If biWidth is set to a higher value, then samplesperrow would wrap
-around to a small number, which would likely cause a buffer overflow
-(this has not been tested or verified.)
----
- rdbmp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/rdbmp.c b/rdbmp.c
-index fcabbb1..a0efa93 100644
---- a/rdbmp.c
-+++ b/rdbmp.c
-@@ -623,6 +623,12 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
- }
- }
-
-+ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
-+ value of the JDIMENSION type. This is only a danger with BMP files, since
-+ their width and height fields are 32-bit integers. */
-+ if ((unsigned long long)biWidth *
-+ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
-+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
- /* Allocate one-row buffer for returned data */
- source->pub.buffer = (*cinfo->mem->alloc_sarray)
- ((j_common_ptr)cinfo, JPOOL_IMAGE,
---
-2.17.1
-
diff --git a/libjpeg-turbo-CVE-2018-11813.patch b/libjpeg-turbo-CVE-2018-11813.patch
deleted file mode 100644
index a614d19..0000000
--- a/libjpeg-turbo-CVE-2018-11813.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From fccf53aed0093a626fca15f0d25f46fb6ed3e770 Mon Sep 17 00:00:00 2001
-From: DRC
-Date: Tue, 12 Jun 2018 16:08:26 -0500
-Subject: [PATCH] Fix CVE-2018-11813
-
-Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input
-file (specifically, a file with a valid Targa header but incomplete pixel data)
-would cause cjpeg to generate a JPEG file that was potentially thousands of
-times larger than the input file. The Targa reader in cjpeg was not properly
-detecting that the end of the input file had been reached prematurely, so after
-all valid pixels had been read from the input, the reader injected dummy pixels
-with values of 255 into the JPEG compressor until the number of pixels
-specified in the Targa header had been compressed. The Targa reader in cjpeg
-now behaves like the PPM reader and aborts compression if the end of the input
-file is reached prematurely. Because this issue only affected cjpeg and not
-the underlying library, and because it did not involve any out-of-bounds reads
-or other exploitable behaviors, it was not believed to represent a security
-threat.
----
- rdtarga.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/rdtarga.c b/rdtarga.c
-index ecb4219..e0c6947 100644
---- a/rdtarga.c
-+++ b/rdtarga.c
-@@ -126,11 +126,10 @@ METHODDEF(void)
- read_non_rle_pixel(tga_source_ptr sinfo)
- /* Read one Targa pixel from the input file; no RLE expansion */
- {
-- register FILE *infile = sinfo->pub.input_file;
- register int i;
-
- for (i = 0; i < sinfo->pixel_size; i++) {
-- sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
-+ sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
- }
- }
-
-@@ -139,7 +138,6 @@ METHODDEF(void)
- read_rle_pixel(tga_source_ptr sinfo)
- /* Read one Targa pixel from the input file, expanding RLE data as needed */
- {
-- register FILE *infile = sinfo->pub.input_file;
- register int i;
-
- /* Duplicate previously read pixel? */
-@@ -161,7 +159,7 @@ read_rle_pixel(tga_source_ptr sinfo)
-
- /* Read next pixel */
- for (i = 0; i < sinfo->pixel_size; i++) {
-- sinfo->tga_pixel[i] = (U_CHAR)getc(infile);
-+ sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
- }
- }
-
---
-2.17.1
-
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index 8630458..6a257af 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@@ -1,14 +1,12 @@
 Name: libjpeg-turbo
-Version: 1.5.90
-Release: 4%{?dist}
+Version: 2.0.0
+Release: 1%{?dist}
 Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License: IJG
 URL: http://sourceforge.net/projects/libjpeg-turbo
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0: libjpeg-turbo-cmake.patch
-Patch1: libjpeg-turbo-CVE-2018-11813.patch
-Patch2: libjpeg-turbo-CVE-2018-1152.patch
 BuildRequires: gcc
 BuildRequires: cmake
@@ -71,8 +69,6 @@ manipulate JPEG files using the TurboJPEG library.
 %prep
 %setup -q
 %patch0 -p1
-%patch1 -p1
-%patch2 -p1
 %build
 %{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
@@ -172,6 +168,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc
 %changelog
+* Mon Jul 30 2018 Nikola Forró - 2.0.0-1
+- New upstream release 2.0.0 (#1609439)
+
 * Fri Jul 13 2018 Fedora Release Engineering - 1.5.90-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
diff --git a/sources b/sources
index c1fcc6d..86499b1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (libjpeg-turbo-1.5.90.tar.gz) = 6322f1013ace231fa51aa2cd2799fa526da14074cde08349c7c6f1719954aa4862d4e9b3975c0041aa93f7efce679dc782abdc5e60f92adfdf7d0c8aa2158e30
+SHA512 (libjpeg-turbo-2.0.0.tar.gz) = 220e5248e780d3c40c7842ba52937b9b0860e89164bca16ec6e2afaf99dd5d0bc706dd9320f4d2aef67ac11d4876453ef688b1efeaf93ceb42e8c25e83da2487
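Review bot: The `%changelog` entry added in the last libjpeg-turbo.spec hunk does not record that `Patch1`/`Patch2` (CVE-2018-11813, CVE-2018-1152) and their `%patch1`/`%patch2` lines are dropped in the first two hunks, nor why dropping them is safe. Both deleted patch files carry upstream commits dated 12 Jun 2018, so the fixes are presumably part of the 2.0.0 tarball, but nothing in the commit states that. Before merging it is worth confirming in the unpacked 2.0.0 source that rdbmp.c contains the `JERR_WIDTH_OVERFLOW` check before the row-buffer allocation and that rdtarga.c reads pixels through `read_byte(sinfo)`. I would then add a changelog line such as `- Drop CVE-2018-1152 and CVE-2018-11813 patches, fixed upstream in 2.0.0`, so that auditors and tooling that look for CVE ids in the changelog still see both issues as addressed.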