import UBI libjpeg-turbo-2.0.90-7.el9

2024-04-30 15:27:45 +00:00 · 2024-04-30 15:27:45 +00:00 · e95bb34380
commit e95bb34380
parent bf189a3951
2 changed files with 62 additions and 2 deletions
--- a/SOURCES/libjpeg-turbo-2.0.90-cve-2021-29390.patch
+++ b/SOURCES/libjpeg-turbo-2.0.90-cve-2021-29390.patch
@ -0,0 +1,56 @@
+From caf7c8978025eb0cc307bfeffdad46a16d47dad9 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Wed, 25 Nov 2020 14:55:55 -0600
+Subject: [PATCH] Fix buffer overrun with certain narrow prog JPEGs
+
+Regression introduced by 6d91e950c871103a11bac2f10c63bf998796c719
+
+last_block_column in decompress_smooth_data() can be 0 if, for instance,
+decompressing a 4:4:4 image of width 8 or less or a 4:2:2 or 4:2:0 image
+of width 16 or less.  Since last_block_column is an unsigned int,
+subtracting 1 from it produced 0xFFFFFFFF, the test in line 590 passed,
+and we attempted to access blocks from a second block column that didn't
+actually exist.
+
+Closes #476
+
+(cherry picked from commit ccaba5d7894ecfb5a8f11e48d3f86e1f14d5a469)
+---
+ ChangeLog.md | 10 ++++++++++
+ jdcoefct.c   |  2 +-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 6eb06f0e..9084bee0 100644
+--- a/ChangeLog.md
+++ b/ChangeLog.md
+@@ -1,3 +1,13 @@
+2.1 post-beta
+=============
+
+### Significant changes relative to 2.1 beta1
+
+1. Fixed a regression introduced by 2.1 beta1[6(b)] whereby attempting to
+decompress certain progressive JPEG images with one or more component planes of
+width 8 or less caused a buffer overrun.
+
+
+ 2.0.90 (2.1 beta1)
+ ==================
+ 
+diff --git a/jdcoefct.c b/jdcoefct.c
+index 699a4809..a3c6d4e8 100644
+--- a/jdcoefct.c
+++ b/jdcoefct.c
+@@ -587,7 +587,7 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf)
+           DC19 = (int)next_block_row[1][0];
+           DC24 = (int)next_next_block_row[1][0];
+         }
+-        if (block_num < last_block_column - 1) {
+        if (block_num + 1 < last_block_column) {
+           DC05 = (int)prev_prev_block_row[2][0];
+           DC10 = (int)prev_block_row[2][0];
+           DC15 = (int)buffer_ptr[2][0];
+-- 
+2.41.0
+
--- a/SPECS/libjpeg-turbo.spec
+++ b/SPECS/libjpeg-turbo.spec
@ -1,6 +1,6 @@
 Name:           libjpeg-turbo
 Version:        2.0.90
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License:        IJG
 URL:            http://sourceforge.net/projects/libjpeg-turbo
@ -11,6 +11,7 @@ Patch1:         libjpeg-turbo-CET.patch
 Patch3:         libjpeg-turbo-CVE-2021-20205.patch
 Patch4:         libjpeg-turbo-CVE-2021-37972.patch
 Patch5:         libjpeg-turbo-CVE-2021-46822.patch
+Patch6:         libjpeg-turbo-2.0.90-cve-2021-29390.patch

 BuildRequires:  gcc
 BuildRequires:  cmake
@ -86,7 +87,6 @@ export LDFLAGS="$RPM_LD_FLAGS -Wl,-z,ibt -Wl,-z,shstk"
         -DFLOATTEST:STRING="fp-contract" \
 %endif
         -DENABLE_STATIC:BOOL=NO
-
 %cmake_build

 %install
@ -182,6 +182,10 @@ export LD_LIBRARY_PATH=%{buildroot}%{_libdir}
 %{_libdir}/pkgconfig/libturbojpeg.pc

 %changelog
+* Tue Jan 09 2024 Matej Mužila <mmuzila@redhat.com> - 2.0.90.7
+- Fix CVE-2021-29390
+- Resolves: RHEL-5413
+
 * Thu Jul 21 2022 Matej Mužila <mmuzila@redhat.com> - 2.0.90-6
 - Fix CVE-2021-46822
 - Resolves: CVE-2021-46822