diff --git a/.openjpeg2.metadata b/.openjpeg2.metadata new file mode 100644 index 0000000..a96f135 --- /dev/null +++ b/.openjpeg2.metadata @@ -0,0 +1 @@ +bbbf4dc4d9ce95286843cd39ac2febd3fd516c9d openjpeg-2.4.0.tar.gz diff --git a/openjpeg2-CVE-2022-1122.patch b/openjpeg2-CVE-2022-1122.patch new file mode 100644 index 0000000..28c1835 --- /dev/null +++ b/openjpeg2-CVE-2022-1122.patch @@ -0,0 +1,26 @@ +From 0afbdcf3e6d0d2bd2e16a0c4d513ee3cf86e460d Mon Sep 17 00:00:00 2001 +From: xiaoxiaoafeifei +Date: Wed, 14 Jul 2021 09:35:13 +0800 +Subject: [PATCH] Fix segfault in src/bin/jp2/opj_decompress.c due to + uninitialized pointer (fixes #1368) (#1369) + +--- + src/bin/jp2/opj_decompress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c +index 0e028735..18ead672 100644 +--- a/src/bin/jp2/opj_decompress.c ++++ b/src/bin/jp2/opj_decompress.c +@@ -1356,7 +1356,7 @@ int main(int argc, char **argv) + int it_image; + num_images = get_num_images(img_fol.imgdirpath); + +- dirptr = (dircnt_t*)malloc(sizeof(dircnt_t)); ++ dirptr = (dircnt_t*)calloc(1, sizeof(dircnt_t)); + if (!dirptr) { + destroy_parameters(¶meters); + return EXIT_FAILURE; +-- +2.34.1 + diff --git a/openjpeg2.spec b/openjpeg2.spec index 6da6089..556d2c8 100644 --- a/openjpeg2.spec +++ b/openjpeg2.spec @@ -8,7 +8,7 @@ Name: openjpeg2 Version: 2.4.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD @@ -26,7 +26,7 @@ Patch0: openjpeg2_opj2.patch Patch1: openjpeg2-CVE-2021-29338.patch # Fix CVE-2021-3575 Patch2: openjpeg2-CVE-2021-3575.patch - +Patch3: openjpeg2-CVE-2022-1122.patch BuildRequires: cmake # The library itself is C only, but there is some optional C++ stuff, hence the project is not marked as C-only in cmake and hence cmake looks for a c++ compiler @@ -328,6 +328,9 @@ chmod +x %{buildroot}%{_bindir}/opj2_jpip_viewer %changelog +* Wed Jun 15 2022 Matej Mužila - 2.4.0-7 +- Fix CVE-2022-1122 + * Mon Aug 09 2021 Mohan Boddu - 2.4.0-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688