From 97c7ba7a077da6e6ef1ccce511e1a76d55d493bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0abata?=
Date: Thu, 15 Oct 2020 22:20:13 +0200
Subject: [PATCH] RHEL 9.0.0 Alpha bootstrap The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/openjpeg2#7f15b4831d3f21e01de2192760d3ce1617701351
---
.gitignore | 9 +
openjpeg2.spec | 475 ++++++++++++++++++++++++++++++++++
openjpeg2_CVE-2020-6851.patch | 29 +++
openjpeg2_CVE-2020-8112.patch | 43 +++
openjpeg2_opj2.patch | 12 +
sources | 1 +
6 files changed, 569 insertions(+)
create mode 100644 openjpeg2.spec
create mode 100644 openjpeg2_CVE-2020-6851.patch
create mode 100644 openjpeg2_CVE-2020-8112.patch
create mode 100644 openjpeg2_opj2.patch
create mode 100644 sources
diff --git a/.gitignore b/.gitignore
index e69de29..516d268 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,9 @@
+/openjpeg-2.0.0-svn20140403.tar.gz
+/openjpeg-2.0.0.tar.gz
+/openjpeg-2.1.0.tar.gz
+/version.2.1.tar.gz
+/openjpeg-2.1.1.tar.gz
+/openjpeg-2.1.2.tar.gz
+/openjpeg-2.2.0.tar.gz
+/openjpeg-2.3.0.tar.gz
+/openjpeg-2.3.1.tar.gz
diff --git a/openjpeg2.spec b/openjpeg2.spec
new file mode 100644
index 0000000..0d4837c
--- /dev/null
+++ b/openjpeg2.spec
@@ -0,0 +1,475 @@
+# Conformance tests disabled by default since it requires 1 GB of test data
+#global runcheck 1
+
+#global optional_components 1
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1751749
+%global _target_platform %{_vendor}-%{_target_os}
+
+Name: openjpeg2
+Version: 2.3.1
+Release: 7%{?dist}
+Summary: C-Library for JPEG 2000
+
+# windirent.h is MIT, the rest is BSD
+License: BSD and MIT
+URL: https://github.com/uclouvain/openjpeg
+Source0: https://github.com/uclouvain/openjpeg/archive/v%{version}/openjpeg-%{version}.tar.gz
+%if 0%{?runcheck}
+# git clone git@github.com:uclouvain/openjpeg-data.git
+Source1: data.tar.xz
+%endif
+
+# Rename tool names to avoid conflicts with openjpeg-1.x
+Patch0: openjpeg2_opj2.patch
+# Backport patch for CVE 2020-6851
+# https://github.com/uclouvain/openjpeg/issues/1228
+Patch1: openjpeg2_CVE-2020-6851.patch
+# Backport patch for CVE 2020-8112
+# https://github.com/uclouvain/openjpeg/pull/1232/commits/05f9b91e60debda0e83977e5e63b2e66486f7074
+Patch2: openjpeg2_CVE-2020-8112.patch
+
+
+BuildRequires: cmake
+# The library itself is C only, but there is some optional C++ stuff, hence the project is not marked as C-only in cmake and hence cmake looks for a c++ compiler
+BuildRequires: gcc-c++
+BuildRequires: make
+BuildRequires: zlib-devel
+BuildRequires: libpng-devel
+BuildRequires: libtiff-devel
+BuildRequires: lcms2-devel
+BuildRequires: doxygen
+
+%if 0%{?optional_components}
+BuildRequires: java-devel
+BuildRequires: xerces-j2
+%endif
+
+%description
+The OpenJPEG library is an open-source JPEG 2000 library developed in order to
+promote the use of JPEG 2000.
+
+This package contains
+* JPEG 2000 codec compliant with the Part 1 of the standard (Class-1 Profile-1
+ compliance).
+* JP2 (JPEG 2000 standard Part 2 - Handling of JP2 boxes and extended multiple
+ component transforms for multispectral and hyperspectral imagery)
+
+
+%package devel
+Summary: Development files for OpenJPEG 2
+Requires: %{name}%{?_isa} = %{version}-%{release}
+# OpenJPEGTargets.cmake refers to the tools
+Requires: %{name}-tools%{?_isa} = %{version}-%{release}
+
+%description devel
+The %{name}-devel package contains libraries and header files for developing
+applications that use OpenJPEG 2.
+
+
+%package devel-docs
+Summary: Developer documentation for OpenJPEG 2
+BuildArch: noarch
+
+%description devel-docs
+The %{name}-devel-docs package contains documentation files for developing
+applications that use OpenJPEG 2.
+
+
+%package tools
+Summary: OpenJPEG 2 command line tools
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description tools
+Command line tools for JPEG 2000 file manipulation, using OpenJPEG2:
+ * opj2_compress
+ * opj2_decompress
+ * opj2_dump
+
+%if 0%{?optional_components}
+##### MJ2 #####
+
+%package mj2
+Summary: OpenJPEG2 MJ2 module
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description mj2
+The OpenJPEG library is an open-source JPEG 2000 library developed in order to
+promote the use of JPEG 2000.
+
+This package contains the MJ2 module (JPEG 2000 standard Part 3)
+
+
+%package mj2-devel
+Summary: Development files for OpenJPEG2 MJ2 module
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+Requires: %{name}-mj2%{?_isa} = %{version}-%{release}
+
+%description mj2-devel
+Development files for OpenJPEG2 MJ2 module
+
+
+%package mj2-tools
+Summary: OpenJPEG2 MJ2 module command line tools
+Requires: %{name}-mj2%{?_isa} = %{version}-%{release}
+
+%description mj2-tools
+OpenJPEG2 MJ2 module command line tools
+
+##### JPWL #####
+
+%package jpwl
+Summary: OpenJPEG2 JPWL module
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description jpwl
+The OpenJPEG library is an open-source JPEG 2000 library developed in order to
+promote the use of JPEG 2000.
+
+This package contains the JPWL (JPEG 2000 standard Part 11 - Jpeg 2000 Wireless)
+
+
+%package jpwl-devel
+Summary: Development files for OpenJPEG2 JPWL module
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+Requires: %{name}-jpwl%{?_isa} = %{version}-%{release}
+
+%description jpwl-devel
+Development files for OpenJPEG2 JPWL module
+
+
+%package jpwl-tools
+Summary: OpenJPEG2 JPWL module command line tools
+Requires: %{name}-jpwl%{?_isa} = %{version}-%{release}
+
+%description jpwl-tools
+OpenJPEG2 JPWL module command line tools
+
+##### JPIP #####
+
+%package jpip
+Summary: OpenJPEG2 JPIP module
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description jpip
+The OpenJPEG library is an open-source JPEG 2000 library developed in order to
+promote the use of JPEG 2000.
+
+This package contains the JPWL (JPEG 2000 standard Part 9 - Jpeg 2000 Interactive Protocol)
+
+
+%package jpip-devel
+Summary: Development files for OpenJPEG2 JPIP module
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+Requires: %{name}-jpwl%{?_isa} = %{version}-%{release}
+
+%description jpip-devel
+Development files for OpenJPEG2 JPIP module
+
+
+%package jpip-tools
+Summary: OpenJPEG2 JPIP module command line tools
+Requires: %{name}-jpip%{?_isa} = %{version}-%{release}
+Requires: jpackage-utils
+Requires: java
+
+%description jpip-tools
+OpenJPEG2 JPIP module command line tools
+
+##### JP3D #####
+
+%package jp3d
+Summary: OpenJPEG2 JP3D module
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description jp3d
+The OpenJPEG library is an open-source JPEG 2000 library developed in order to
+promote the use of JPEG 2000.
+
+This package contains the JP3D (JPEG 2000 standard Part 10 - Jpeg 2000 3D)
+
+
+%package jp3d-devel
+Summary: Development files for OpenJPEG2 JP3D module
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+Requires: %{name}-jp3d%{?_isa} = %{version}-%{release}
+
+%description jp3d-devel
+Development files for OpenJPEG2 JP3D module
+
+
+%package jp3d-tools
+Summary: OpenJPEG2 JP3D module command line tools
+Requires: %{name}-jp3d%{?_isa} = %{version}-%{release}
+
+%description jp3d-tools
+OpenJPEG2 JP3D module command line tools
+%endif
+
+
+%prep
+%autosetup -p1 -n openjpeg-%{version} %{?runcheck:-a 1}
+
+# Remove all third party libraries just to be sure
+find thirdparty/ -mindepth 1 -maxdepth 1 -type d -exec rm -rf {} \;
+
+
+%build
+# TODO: Consider
+# -DBUILD_JPIP_SERVER=ON -DBUILD_JAVA=ON
+%cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DOPENJPEG_INSTALL_LIB_DIR=%{_lib} \
+ %{?optional_components:-DBUILD_MJ2=ON -DBUILD_JPWL=ON -DBUILD_JPIP=ON -DBUILD_JP3D=ON} \
+ -DBUILD_DOC=ON \
+ -DBUILD_STATIC_LIBS=OFF \
+ -DBUILD_SHARED_LIBS=ON \
+ %{?runcheck:-DBUILD_TESTING:BOOL=ON -DOPJ_DATA_ROOT=$PWD/../data}
+
+%cmake_build
+
+
+%install +%cmake_install + +mv %{buildroot}%{_mandir}/man1/opj_compress.1 %{buildroot}%{_mandir}/man1/opj2_compress.1 +mv %{buildroot}%{_mandir}/man1/opj_decompress.1 %{buildroot}%{_mandir}/man1/opj2_decompress.1 +mv %{buildroot}%{_mandir}/man1/opj_dump.1 %{buildroot}%{_mandir}/man1/opj2_dump.1 + +# Docs are installed through %%doc +rm -rf %{buildroot}%{_datadir}/doc/ + +%if 0%{?optional_components} +# Move the jar to the correct place +mkdir -p %{buildroot}%{_javadir} +mv %{buildroot}%{_datadir}/opj_jpip_viewer.jar %{buildroot}%{_javadir}/opj2_jpip_viewer.jar +cat > %{buildroot}%{_bindir}/opj2_jpip_viewer < - 2.3.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Feb 13 2020 Sandro Mani - 2.3.1-6 +- Backport patch for CVE 2020-8112 + +* Wed Jan 29 2020 Fedora Release Engineering - 2.3.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jan 17 2020 Sandro Mani - 2.3.1-4 +- Backport patch for CVE 2020-6851 + +* Wed Oct 02 2019 Sandro Mani - 2.3.1-3 +- Fix unbundling 3rd party libraries (#1757822) + +* Thu Jul 25 2019 Fedora Release Engineering - 2.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Apr 02 2019 Sandro Mani - 2.3.1-1 +- Update to 2.3.1 + +* Fri Feb 01 2019 Fedora Release Engineering - 2.3.0-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Dec 20 2018 Sandro Mani - 2.3.0-10 +- Backport patches for CVE-2018-18088, CVE-2018-6616 + +* Thu Oct 04 2018 Sandro Mani - 2.3.0-9 +- Backport patch for CVE-2018-5785 (#1537758) + +* Fri Jul 13 2018 Fedora Release Engineering - 2.3.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Mar 07 2018 Sandro Mani - 2.3.0-7 +- BR: gcc-c++ + +* Mon Feb 19 2018 Sandro Mani - 2.3.0-6 +- Add missing BR: gcc, make + +* Thu Feb 08 2018 Fedora Release Engineering - 2.3.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Igor Gnatenko - 
2.3.0-4
+- Switch to %%ldconfig_scriptlets
+
+* Mon Dec 25 2017 Sandro Mani - 2.3.0-3
+- Rename tool names at cmake level to ensure OpenJPEGTargets.cmake refers to the renamed files
+
+* Mon Dec 25 2017 Sandro Mani - 2.3.0-2
+- Use BUILD_STATIC_LIBS=OFF instead of deleting the static library after build
+
+* Thu Oct 05 2017 Sandro Mani - 2.3.0-1
+- Update to 2.3.0
+
+* Thu Sep 07 2017 Sandro Mani - 2.2.0-4
+- Backport fix for CVE-2017-14039
+
+* Thu Aug 31 2017 Sandro Mani - 2.2.0-3
+- Backport more security fixes, including for CVE-2017-14041 and CVE-2017-14040
+
+* Thu Aug 31 2017 Sandro Mani - 2.2.0-2
+- Backport patch for CVE-2017-12982
+
+* Thu Aug 10 2017 Sandro Mani - 2.2.0-1
+- Update to 2.2.0
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.1.2-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 2.1.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering - 2.1.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Sat Dec 17 2016 Sandro Mani - 2.1.2-3
+- Add patch for CVE-2016-9580 (#1405128) and CVE-2016-9581 (#1405135)
+
+* Thu Dec 08 2016 Sandro Mani - 2.1.2-2
+- Add patch for CVE-2016-9572 (#1402714) and CVE-2016-9573 (#1402711)
+
+* Wed Sep 28 2016 Sandro Mani - 2.1.2-1
+- Update to 2.1.2
+- Fixes: CVE-2016-7445
+
+* Fri Sep 09 2016 Sandro Mani - 2.1.1-3
+- Backport: Add sanity check for tile coordinates (#1374337)
+
+* Fri Sep 09 2016 Sandro Mani - 2.1.1-2
+- Backport fixes for CVE-2016-7163
+
+* Wed Jul 06 2016 Sandro Mani - 2.1.1-1
+- Update to 2.1.1
+- Fixes: CVE-2016-3183, CVE-2016-3181, CVE-2016-3182, CVE-2016-4796, CVE-2016-4797, CVE-2015-8871
+
+* Thu Feb 04 2016 Fedora Release Engineering - 2.1.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Oct 01 2015 Sandro Mani - 2.1.0-7
+- Backport fix for possible double-free (#1267983)
+
+* Tue Sep 15
2015 Sandro Mani - 2.1.0-6
+- Backport fix for use after free vulnerability (#1263359)
+
+* Thu Jun 25 2015 Sandro Mani - 2.1.0-5
+- Add openjpeg2_bigendian.patch (#1232739)
+
+* Wed Jun 17 2015 Fedora Release Engineering - 2.1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering - 2.1.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering - 2.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue May 27 2014 Sandro Mani - 2.1.0-1
+- Update to 2.1.0
+
+* Wed Apr 16 2014 Sandro Mani - 2.0.0-5
+- Switch to official 2.0 release and backport pkg-config patch
+
+* Thu Apr 10 2014 Sandro Mani - 2.0.0-4.svn20140403
+- Replace define with global
+- Fix #define optional_components 1S typo
+- Fix %%(pwd) -> $PWD for test data
+- Added some BR for optional components
+- Include opj2_jpip_viewer.jar in %%files
+
+* Wed Apr 09 2014 Sandro Mani - 2.0.0-3.svn20140403
+- Fix source url
+- Fix mixed tabs and spaces
+- Fix description too long
+
+* Wed Apr 09 2014 Sandro Mani - 2.0.0-2.svn20140403
+- Remove thirdparty libraries folder in prep
+- Own %%{_libdir}/openjpeg-2.0/
+- Fix Requires
+- Add missing ldconfig
+- Add possibility to run conformance tests if desired
+
+* Thu Apr 03 2014 Sandro Mani - 2.0.0-1.svn20140403
+- Initial package
diff --git a/openjpeg2_CVE-2020-6851.patch b/openjpeg2_CVE-2020-6851.patch
new file mode 100644
index 0000000..9a70291
--- /dev/null
+++ b/openjpeg2_CVE-2020-6851.patch
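Review bot: The comments above `Patch1` and `Patch2`, and the two matching %changelog entries, spell the identifiers as `CVE 2020-6851` and `CVE 2020-8112`, while the older changelog entries use the hyphenated form (for example `CVE-2017-14039`), so a search of the spec or of the package changelog for the canonical ID will miss the 2020 backports; writing `# Backport patch for CVE-2020-6851` and `# Backport patch for CVE-2020-8112` keeps them greppable. With `runcheck` left commented out the conformance tests are disabled, so from what is visible neither backport is exercised at build time. Separately, under `optional_components` the `jpip-devel` subpackage has `Requires: %{name}-jpwl%{?_isa} = %{version}-%{release}` and the `jpip` description says it contains the JPWL module; both look like copy-paste slips for `jpip`.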
@@ -0,0 +1,29 @@
+From 024b8407392cb0b82b04b58ed256094ed5799e04 Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Sat, 11 Jan 2020 01:51:19 +0100
+Subject: [PATCH] opj_j2k_update_image_dimensions(): reject images whose
+ coordinates are beyond INT_MAX (fixes #1228)
+
+---
+ src/lib/openjp2/j2k.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 14f6ff41a..922550eb1 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -9221,6 +9221,14 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image,
+ l_img_comp = p_image->comps;
+ for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) {
+ OPJ_INT32 l_h, l_w;
++ if (p_image->x0 > (OPJ_UINT32)INT_MAX ||
++ p_image->y0 > (OPJ_UINT32)INT_MAX ||
++ p_image->x1 > (OPJ_UINT32)INT_MAX ||
++ p_image->y1 > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(p_manager, EVT_ERROR,
++ "Image coordinates above INT_MAX are not supported\n");
++ return OPJ_FALSE;
++ }
+
+ l_img_comp->x0 = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)p_image->x0,
+ (OPJ_INT32)l_img_comp->dx);
diff --git a/openjpeg2_CVE-2020-8112.patch b/openjpeg2_CVE-2020-8112.patch
new file mode 100644
index 0000000..95cb809
--- /dev/null
+++ b/openjpeg2_CVE-2020-8112.patch
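Review bot: The new INT_MAX guard in `opj_j2k_update_image_dimensions()` sits inside the `for (it_comp ...)` loop although it reads only `p_image->x0/y0/x1/y1`, so it is re-evaluated for every component and is never reached when `numcomps` is 0. Moving the whole `if (...) { ... return OPJ_FALSE; }` block above `l_img_comp = p_image->comps;` would make the rejection independent of the component count; whether a zero-component image can reach this function is not visible here. Because this file is a verbatim backport of upstream commit 024b8407392cb0b82b04b58ed256094ed5799e04, such a change is better proposed upstream than carried as a downstream difference. The function body continues outside the hunk.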
@@ -0,0 +1,43 @@
+From 05f9b91e60debda0e83977e5e63b2e66486f7074 Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Thu, 30 Jan 2020 00:59:57 +0100
+Subject: [PATCH] opj_tcd_init_tile(): avoid integer overflow
+
+That could lead to later assertion failures.
+
+Fixes #1231 / CVE-2020-8112
+---
+ src/lib/openjp2/tcd.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
+index deecc4dff..aa419030a 100644
+--- a/src/lib/openjp2/tcd.c
++++ b/src/lib/openjp2/tcd.c
+@@ -905,8 +905,24 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no,
+ /* p. 64, B.6, ISO/IEC FDIS15444-1 : 2000 (18 august 2000) */
+ l_tl_prc_x_start = opj_int_floordivpow2(l_res->x0, (OPJ_INT32)l_pdx) << l_pdx;
+ l_tl_prc_y_start = opj_int_floordivpow2(l_res->y0, (OPJ_INT32)l_pdy) << l_pdy;
+- l_br_prc_x_end = opj_int_ceildivpow2(l_res->x1, (OPJ_INT32)l_pdx) << l_pdx;
+- l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy;
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->x1,
++ (OPJ_INT32)l_pdx)) << l_pdx;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_x_end = (OPJ_INT32)tmp;
++ }
++ {
++ OPJ_UINT32 tmp = ((OPJ_UINT32)opj_int_ceildivpow2(l_res->y1,
++ (OPJ_INT32)l_pdy)) << l_pdy;
++ if (tmp > (OPJ_UINT32)INT_MAX) {
++ opj_event_msg(manager, EVT_ERROR, "Integer overflow\n");
++ return OPJ_FALSE;
++ }
++ l_br_prc_y_end = (OPJ_INT32)tmp;
++ }
+ /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/
+
+ l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((
diff --git a/openjpeg2_opj2.patch b/openjpeg2_opj2.patch
new file mode 100644
index 0000000..4a531ad
--- /dev/null
+++ b/openjpeg2_opj2.patch
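Review bot: Both new overflow checks in `opj_tcd_init_tile()` log the same bare `"Integer overflow\n"`, so someone triaging a rejected file cannot tell which axis or tile triggered it; a message such as `opj_event_msg(manager, EVT_ERROR, "Integer overflow in precinct bounds (tile %u)\n", p_tile_no);` would make the rejection traceable. The two added blocks differ only in `x1`/`l_pdx` versus `y1`/`l_pdy` and could share one small static helper. The upstream description mentions only assertion failures; in a build with assertions compiled out the wrapped value would presumably flow on unchecked, so the backport matters for release builds as well. The function body starts and ends outside the hunk.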
@@ -0,0 +1,12 @@
+diff -rupN openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt
+--- openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt 2019-04-02 14:45:15.000000000 +0200
++++ openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt 2019-04-02 16:14:13.726252297 +0200
+@@ -44,6 +44,8 @@ endif()
+ # Loop over all executables:
+ foreach(exe opj_decompress opj_compress opj_dump)
+ add_executable(${exe} ${exe}.c ${common_SRCS})
++ string(REPLACE "opj_" "opj2_" exe2 ${exe})
++ set_target_properties(${exe} PROPERTIES OUTPUT_NAME ${exe2})
+ if(NOT ${CMAKE_VERSION} VERSION_LESS "2.8.12")
+ target_compile_options(${exe} PRIVATE ${OPENJP2_COMPILE_OPTIONS})
+ endif()
diff --git a/sources b/sources
new file mode 100644
index 0000000..955316f
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (openjpeg-2.3.1.tar.gz) = 339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03
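Review bot: In the `openjpeg2_opj2.patch` hunk, `string(REPLACE "opj_" "opj2_" exe2 ${exe})` rewrites every occurrence of `opj_` in the target name rather than only the prefix, and both added lines expand `${exe}` and `${exe2}` unquoted. For the three names in the loop the result is the same, but anchoring and quoting make the intent explicit: `string(REGEX REPLACE "^opj_" "opj2_" exe2 "${exe}")` and `set_target_properties(${exe} PROPERTIES OUTPUT_NAME "${exe2}")`. The `foreach` body continues outside the hunk.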