16 changed files with 11 additions and 70 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
 SOURCES/libjpeg-turbo-1.5.3.tar.gz
 /libjpeg-turbo-1.5.3.tar.gz
--- a/.libjpeg-turbo.metadata
+++ b/.libjpeg-turbo.metadata
@ -0,0 +1 @@
 87ebf4cab2bb27fcb8e7ccb18ec4eb680e1f2c2d SOURCES/libjpeg-turbo-1.5.3.tar.gz
--- a/SOURCES/libjpeg-turbo-CET.patch
+++ b/SOURCES/libjpeg-turbo-CET.patch
--- a/SOURCES/libjpeg-turbo-CVE-2018-1152.patch
+++ b/SOURCES/libjpeg-turbo-CVE-2018-1152.patch
--- a/SOURCES/libjpeg-turbo-CVE-2018-11813.patch
+++ b/SOURCES/libjpeg-turbo-CVE-2018-11813.patch
--- a/SOURCES/libjpeg-turbo-CVE-2018-14498.patch
+++ b/SOURCES/libjpeg-turbo-CVE-2018-14498.patch
--- a/SOURCES/libjpeg-turbo-CVE-2020-17541.patch
+++ b/SOURCES/libjpeg-turbo-CVE-2020-17541.patch
--- a/SOURCES/libjpeg-turbo-coverity.patch
+++ b/SOURCES/libjpeg-turbo-coverity.patch
--- a/SOURCES/libjpeg-turbo-header-files.patch
+++ b/SOURCES/libjpeg-turbo-header-files.patch
--- a/SOURCES/libjpeg-turbo-honor-naflags.patch
+++ b/SOURCES/libjpeg-turbo-honor-naflags.patch
--- a/SOURCES/libjpeg-turbo14-noinst.patch
+++ b/SOURCES/libjpeg-turbo14-noinst.patch
--- a/SPECS/libjpeg-turbo.spec
+++ b/SPECS/libjpeg-turbo.spec
@ -1,6 +1,6 @@
 Name:           libjpeg-turbo
 Version:        1.5.3
-Release:        14%{?dist}
+Release:        12%{?dist}
 Summary:        A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License:        IJG
 URL:            http://sourceforge.net/projects/libjpeg-turbo
@ -15,11 +15,6 @@ Patch5:         libjpeg-turbo-coverity.patch
 Patch6:         libjpeg-turbo-CET.patch
 Patch7:         libjpeg-turbo-CVE-2018-14498.patch
 Patch8:         libjpeg-turbo-CVE-2020-17541.patch
 # from upstream, for < 2.0.5, RHEL-87364
 # https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a
 # https://github.com/libjpeg-turbo/libjpeg-turbo/commit/dd830b3ffe30a76fbe8c1f13ebc7483c9ff792e5
 Patch9:         libjpeg-turbo-CVE-2020-13790pre.patch
 Patch10:        libjpeg-turbo-CVE-2020-13790.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -81,17 +76,15 @@ manipulate JPEG files using the TurboJPEG library.
 %prep
 %setup -q
-%patch -P 0 -p1 -b .noinst
+%patch0 -p1 -b .noinst
-%patch -P 1 -p1 -b .header-files
+%patch1 -p1 -b .header-files
-%patch -P 2 -p1 -b .CVE-2018-11813
+%patch2 -p1 -b .CVE-2018-11813
-%patch -P 3 -p1 -b .CVE-2018-1152
+%patch3 -p1 -b .CVE-2018-1152
-%patch -P 4 -p1 -b .honor-naflags
+%patch4 -p1 -b .honor-naflags
-%patch -P 5 -p1 -b .coverity
+%patch5 -p1 -b .coverity
-%patch -P 6 -p1 -b .CET
+%patch6 -p1 -b .CET
-%patch -P 7 -p1 -b .CVE-2018-14498
+%patch7 -p1 -b .CVE-2018-14498
-%patch -P 8 -p1 -b .CVE-2020-17541
+%patch8 -p1 -b .CVE-2020-17541
 %patch -P 9 -p2 -b .CVE-2020-13790pre
 %patch -P 10 -p2 -b .CVE-2020-13790
 %build
 autoreconf -vif
@ -195,12 +188,6 @@ make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc
 %changelog
 * Tue May 06 2025 Michal Hlavinka <mhlavink@redhat.com> - 1.5.3-14
 - updated previous fix (RHEL-87364)
 * Tue Apr 22 2025 Michal Hlavinka <mhlavink@redhat.com> - 1.5.3-13
 - fix CVE-2020-13790: heap-based buffer over-read in get_rgb_row (RHEL-87364)
 * Thu Jul 15 2021 Nikola Forró <nforro@redhat.com> - 1.5.3-12
 - Add missing license file (#1982572)
--- a/gating.yaml
+++ b/gating.yaml
@ -1,6 +0,0 @@
 --- !Policy
 product_versions:
  - rhel-8
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
--- a/libjpeg-turbo-CVE-2020-13790.patch
+++ b/libjpeg-turbo-CVE-2020-13790.patch
@ -1,22 +0,0 @@
 diff -up libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c.CVE-2020-13790 libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c
 --- libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c.CVE-2020-13790	2025-05-07 12:07:29.982772307 +0200
 +++ libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c	2025-05-07 12:11:13.911892476 +0200
@@ -55,6 +55,9 @@ typedef char U_CHAR;
 #endif
 #endif /* HAVE_UNSIGNED_CHAR */
 +#ifndef MAX
 +#define MAX(a, b)       ((a) > (b) ? (a) : (b))
 +#endif
 #define ReadOK(file,buffer,len) (JFREAD(file,buffer,len) == ((size_t) (len)))
@@ -424,7 +427,7 @@ start_input_ppm (j_compress_ptr cinfo, c
     /* On 16-bit-int machines we have to be careful of maxval = 65535 */
     source->rescale = (JSAMPLE *)
       (*cinfo->mem->alloc_small) ((j_common_ptr) cinfo, JPOOL_IMAGE,
 -                                  (size_t) (((long) maxval + 1L) *
 +                                  (size_t)(((long)MAX(maxval, 255) + 1L) *
                                             sizeof(JSAMPLE)));
     half_maxval = maxval / 2;
     for (val = 0; val <= (long) maxval; val++) {
--- a/libjpeg-turbo-CVE-2020-13790pre.patch
+++ b/libjpeg-turbo-CVE-2020-13790pre.patch
@ -1,17 +0,0 @@
 diff -up libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c.CVE-2020-13790p2of3 libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c
 --- libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c.CVE-2020-13790p2of3	2025-05-06 17:38:26.175241021 +0200
 +++ libjpeg-turbo-1.5.3-build/libjpeg-turbo-1.5.3/rdppm.c	2025-05-06 17:38:26.177038002 +0200
@@ -116,11 +116,10 @@ read_pbm_integer (j_compress_ptr cinfo,
   while ((ch = pbm_getc(infile)) >= '0' && ch <= '9') {
     val *= 10;
     val += ch - '0';
 +    if (val > maxval)
 +      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
   }
 -  if (val > maxval)
 -    ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
 -
   return val;
 }
--- a/1
+++ b/1
@ -1 +0,0 @@
 SHA512 (libjpeg-turbo-1.5.3.tar.gz) = b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202
`@ -1,2 +1 @@`
	`SOURCES/libjpeg-turbo-1.5.3.tar.gz`	`SOURCES/libjpeg-turbo-1.5.3.tar.gz`
	`/libjpeg-turbo-1.5.3.tar.gz`
		`@ -0,0 +1 @@`
							`87ebf4cab2bb27fcb8e7ccb18ec4eb680e1f2c2d SOURCES/libjpeg-turbo-1.5.3.tar.gz`
		`@ -1 +0,0 @@`
			`SHA512 (libjpeg-turbo-1.5.3.tar.gz) = b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202`