Fix CVE-2021-20205 (#1937387)

libjpeg-turbo-CVE-2021-20205.patch

@@ -0,0 +1,73 @@
+From 6bb9d7ea3fdc22a8a03b989e430d0f4953e59f03 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 14 Jan 2021 18:35:15 -0600
+Subject: [PATCH] cjpeg: Fix FPE when compressing 0-width GIF
+
+---
+ cderror.h | 5 ++++-
+ rdgif.c   | 8 +++++++-
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/cderror.h b/cderror.h
+index a386b69..2844346 100644
+--- a/cderror.h
++++ b/cderror.h
+@@ -1,9 +1,11 @@
+ /*
+  * cderror.h
+  *
++ * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1994-1997, Thomas G. Lane.
+  * Modified 2009-2017 by Guido Vollbeding.
+- * This file is part of the Independent JPEG Group's software.
++ * libjpeg-turbo Modifications:
++ * Copyright (C) 2021, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -60,6 +62,7 @@ JMESSAGE(JTRC_BMP_OS2_MAPPED, "%ux%u 8-bit colormapped OS2 BMP image")
+ JMESSAGE(JERR_GIF_BUG, "GIF output got confused")
+ JMESSAGE(JERR_GIF_CODESIZE, "Bogus GIF codesize %d")
+ JMESSAGE(JERR_GIF_COLORSPACE, "GIF output must be grayscale or RGB")
++JMESSAGE(JERR_GIF_EMPTY, "Empty GIF image")
+ JMESSAGE(JERR_GIF_IMAGENOTFOUND, "Too few images in GIF file")
+ JMESSAGE(JERR_GIF_NOT, "Not a GIF file")
+ JMESSAGE(JTRC_GIF, "%ux%ux%d GIF image")
+diff --git a/rdgif.c b/rdgif.c
+index e1ea56c..8a379fe 100644
+--- a/rdgif.c
++++ b/rdgif.c
+@@ -1,9 +1,11 @@
+ /*
+  * rdgif.c
+  *
++ * This file was part of the Independent JPEG Group's software:
+  * Copyright (C) 1991-1997, Thomas G. Lane.
+  * Modified 2019 by Guido Vollbeding.
+- * This file is part of the Independent JPEG Group's software.
++ * libjpeg-turbo Modifications:
++ * Copyright (C) 2021, D. R. Commander.
+  * For conditions of distribution and use, see the accompanying README.ijg
+  * file.
+  *
+@@ -404,6 +406,8 @@ start_input_gif(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+     ERREXIT(cinfo, JERR_INPUT_EOF);
+   width = LM_to_uint(hdrbuf, 0);
+   height = LM_to_uint(hdrbuf, 2);
++  if (width == 0 || height == 0)
++    ERREXIT(cinfo, JERR_GIF_EMPTY);
+   /* we ignore the color resolution, sort flag, and background color index */
+   aspectRatio = UCH(hdrbuf[6]);
+   if (aspectRatio != 0 && aspectRatio != 49)
+@@ -446,6 +450,8 @@ start_input_gif(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+     /* we ignore top/left position info, also sort flag */
+     width = LM_to_uint(hdrbuf, 4);
+     height = LM_to_uint(hdrbuf, 6);
++    if (width == 0 || height == 0)
++      ERREXIT(cinfo, JERR_GIF_EMPTY);
+     source->is_interlaced = (BitSet(hdrbuf[8], INTERLACE) != 0);
+ 
+     /* Read local colormap if header indicates it is present */
+-- 
+2.26.3
+

libjpeg-turbo.spec

@@ -1,6 +1,6 @@
 Name:           libjpeg-turbo
 Version:        2.0.90
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License:        IJG
 URL:            http://sourceforge.net/projects/libjpeg-turbo
@@ -8,6 +8,7 @@ URL:            http://sourceforge.net/projects/libjpeg-turbo
 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0:         libjpeg-turbo-cmake.patch
 Patch1:         libjpeg-turbo-CET.patch
+Patch3:         libjpeg-turbo-CVE-2021-20205.patch
 
 BuildRequires:  gcc
 BuildRequires:  cmake
@@ -179,6 +180,9 @@ export LD_LIBRARY_PATH=%{buildroot}%{_libdir}
 %{_libdir}/pkgconfig/libturbojpeg.pc
 
 %changelog
+* Thu Mar 25 2021 Nikola Forró <nforro@redhat.com> - 2.0.90-2
+- Fix CVE-2021-20205 (#1937387)
+
 * Thu Jan 28 2021 Nikola Forró <nforro@redhat.com> - 2.0.90-1
 - New upstream release 2.0.90 (#1898427)