diff --git a/.gitignore b/.gitignore
index 1ecad02..8019dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@
 /libjpeg-turbo-2.0.4.tar.gz
 /libjpeg-turbo-2.0.5.tar.gz
 /libjpeg-turbo-2.0.90.tar.gz
+/libjpeg-turbo-2.1.0.tar.gz
diff --git a/CVE-2021-20205.patch b/CVE-2021-20205.patch
deleted file mode 100644
index affcb55..0000000
--- a/CVE-2021-20205.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-diff -rupN --no-dereference libjpeg-turbo-2.0.90/cderror.h libjpeg-turbo-2.0.90-new/cderror.h
---- libjpeg-turbo-2.0.90/cderror.h 2020-11-25 04:56:19.000000000 +0100
-+++ libjpeg-turbo-2.0.90-new/cderror.h 2021-04-12 10:20:58.463111547 +0200
-@@ -1,9 +1,11 @@
- /*
- * cderror.h
- *
-+ * This file was part of the Independent JPEG Group's software:
- * Copyright (C) 1994-1997, Thomas G. Lane.
- * Modified 2009-2017 by Guido Vollbeding.
-- * This file is part of the Independent JPEG Group's software.
-+ * libjpeg-turbo Modifications:
-+ * Copyright (C) 2021, D. R. Commander.
- * For conditions of distribution and use, see the accompanying README.ijg
- * file.
- *
-@@ -60,6 +62,7 @@ JMESSAGE(JTRC_BMP_OS2_MAPPED, "%ux%u 8-b
- JMESSAGE(JERR_GIF_BUG, "GIF output got confused")
- JMESSAGE(JERR_GIF_CODESIZE, "Bogus GIF codesize %d")
- JMESSAGE(JERR_GIF_COLORSPACE, "GIF output must be grayscale or RGB")
-+JMESSAGE(JERR_GIF_EMPTY, "Empty GIF image")
- JMESSAGE(JERR_GIF_IMAGENOTFOUND, "Too few images in GIF file")
- JMESSAGE(JERR_GIF_NOT, "Not a GIF file")
- JMESSAGE(JTRC_GIF, "%ux%ux%d GIF image")
-diff -rupN --no-dereference libjpeg-turbo-2.0.90/ChangeLog.md libjpeg-turbo-2.0.90-new/ChangeLog.md
---- libjpeg-turbo-2.0.90/ChangeLog.md 2020-11-25 04:56:19.000000000 +0100
-+++ libjpeg-turbo-2.0.90-new/ChangeLog.md 2021-04-12 10:20:58.463111547 +0200
-@@ -140,6 +140,10 @@ been reverted.
- 15. The build system can now be used to generate a universal x86-64 + Armv8
- libjpeg-turbo SDK package for both iOS and macOS.
-
-+4. Fixed a floating point exception that occurred when attempting to compress a
-+specially-crafted malformed GIF image with a specified image width of 0 using
-+cjpeg.
-+
-
- 2.0.6
- =====
-diff -rupN --no-dereference libjpeg-turbo-2.0.90/rdgif.c libjpeg-turbo-2.0.90-new/rdgif.c
---- libjpeg-turbo-2.0.90/rdgif.c 2020-11-25 04:56:19.000000000 +0100
-+++ libjpeg-turbo-2.0.90-new/rdgif.c 2021-04-12 10:20:58.463111547 +0200
-@@ -1,9 +1,11 @@
- /*
- * rdgif.c
- *
-+ * This file was part of the Independent JPEG Group's software:
- * Copyright (C) 1991-1997, Thomas G. Lane.
- * Modified 2019 by Guido Vollbeding.
-- * This file is part of the Independent JPEG Group's software.
-+ * libjpeg-turbo Modifications:
-+ * Copyright (C) 2021, D. R. Commander.
- * For conditions of distribution and use, see the accompanying README.ijg
- * file.
- *
-@@ -404,6 +406,8 @@ start_input_gif(j_compress_ptr cinfo, cj
- ERREXIT(cinfo, JERR_INPUT_EOF);
- width = LM_to_uint(hdrbuf, 0);
- height = LM_to_uint(hdrbuf, 2);
-+ if (width == 0 || height == 0)
-+ ERREXIT(cinfo, JERR_GIF_EMPTY);
- /* we ignore the color resolution, sort flag, and background color index */
- aspectRatio = UCH(hdrbuf[6]);
- if (aspectRatio != 0 && aspectRatio != 49)
-@@ -446,6 +450,8 @@ start_input_gif(j_compress_ptr cinfo, cj
- /* we ignore top/left position info, also sort flag */
- width = LM_to_uint(hdrbuf, 4);
- height = LM_to_uint(hdrbuf, 6);
-+ if (width == 0 || height == 0)
-+ ERREXIT(cinfo, JERR_GIF_EMPTY);
- source->is_interlaced = (BitSet(hdrbuf[8], INTERLACE) != 0);
-
- /* Read local colormap if header indicates it is present */
diff --git a/libjpeg-turbo-match-autoconf-behavior.patch b/libjpeg-turbo-match-autoconf-behavior.patch
index db1e71e..c9adc02 100644
--- a/libjpeg-turbo-match-autoconf-behavior.patch
+++ b/libjpeg-turbo-match-autoconf-behavior.patch
@@ -1,6 +1,6 @@ -diff -rupN --no-dereference libjpeg-turbo-2.0.90/win/jconfig.h.in libjpeg-turbo-2.0.90-new/win/jconfig.h.in ---- libjpeg-turbo-2.0.90/win/jconfig.h.in 2020-11-25 04:56:19.000000000 +0100 -+++ libjpeg-turbo-2.0.90-new/win/jconfig.h.in 2021-04-12 10:20:58.427111546 +0200 +diff -rupN --no-dereference libjpeg-turbo-2.1.0/win/jconfig.h.in libjpeg-turbo-2.1.0-new/win/jconfig.h.in +--- libjpeg-turbo-2.1.0/win/jconfig.h.in 2021-04-23 18:42:40.000000000 +0200 ++++ libjpeg-turbo-2.1.0-new/win/jconfig.h.in 2021-04-26 18:21:31.722086767 +0200 @@ -9,13 +9,13 @@ #define BITS_IN_JSAMPLE @BITS_IN_JSAMPLE@ /* use 8 or 12 */ diff --git a/mingw-libjpeg-turbo.spec b/mingw-libjpeg-turbo.spec index 59c3dff..ed41418 100644 --- a/mingw-libjpeg-turbo.spec +++ b/mingw-libjpeg-turbo.spec @@ -5,8 +5,8 @@ %global build_programs 0 Name: mingw-libjpeg-turbo -Version: 2.0.90 -Release: 2%{?dist} +Version: 2.1.0 +Release: 1%{?dist} Summary: MinGW Windows Libjpeg-turbo library License: wxWidgets @@ -17,10 +17,6 @@ Source0: http://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-%{v # https://bugzilla.redhat.com/show_bug.cgi?id=843193 Patch0: libjpeg-turbo-match-autoconf-behavior.patch -# Backport patch for CVE-2021-20205 -# https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1719d12e51641cce5c77e259516649ba5ef6303c -Patch1: CVE-2021-20205.patch - BuildArch: noarch BuildRequires: mingw32-filesystem >= 95 @@ -164,6 +160,9 @@ chmod -x README.md %changelog +* Mon Apr 26 2021 Sandro Mani - 2.1.0-1 +- Update to 2.1.0 + * Mon Apr 12 2021 Sandro Mani - 2.0.90-2 - Backport patch for CVE-2021-20205 diff --git a/sources b/sources index 2d86f33..786548a 100644 --- a/sources +++ b/sources 
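Review bot: The `%changelog` entry added in the last spec hunk says only `- Update to 2.1.0`, while the second spec hunk drops `Patch1: CVE-2021-20205.patch` without recording why. Presumably the backport is redundant because the 2.1.0 tarball already contains upstream commit 1719d12e51641cce5c77e259516649ba5ef6303c. That should be confirmed against `rdgif.c` in the new source, where both `width == 0 || height == 0` checks in `start_input_gif` should raise `JERR_GIF_EMPTY`. Once confirmed, record it with a line such as `- Drop CVE-2021-20205.patch (fixed upstream in 2.1.0)`, so a later audit can trace the fix from the package history. The `%prep` section is outside these hunks, so also check that no explicit `%patch1` line remains there.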
@@ -1 +1 @@
-SHA512 (libjpeg-turbo-2.0.90.tar.gz) = e00cab142c81e90d0eaf891d44ce3dccfdfe7d61e4efe8e81c5983dc6444ca1775f555316cce17b6551afc4b9e285202f53f6d0a8561433840fda311f630bc6d
+SHA512 (libjpeg-turbo-2.1.0.tar.gz) = 6632a2a71cb3a350fe4f850fe84e51e361755c373babf2b47fb164c3a9fc3fd66705639bebedd8c1b40cf6c15fd702e814425b0be5919048987bbec357828605