Hello community,
here is the log from the commit of package jasper for openSUSE:Factory checked in at 2018-04-05 15:27:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jasper (Old)
and /work/SRC/openSUSE:Factory/.jasper.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jasper"
Thu Apr 5 15:27:19 2018 rev:40 rq:593093 version:2.0.14
Changes:
--------
--- /work/SRC/openSUSE:Factory/jasper/jasper.changes 2017-07-17 09:02:00.289283406 +0200
+++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2018-04-05 15:27:26.141275522 +0200
@@ -1,0 +2,38 @@
+Thu Mar 29 14:40:02 UTC 2018 - fstrba@suse.com
+
+- Added patch:
+ * jasper-CVE-2018-9055.patch
+ + fix CVE-2018-9055, bsc#1087020: jasper: denial of service via
+ a reachable assertion in the function jpc_firstone in
+ libjasper/jpc/jpc_math.c.
+
+-------------------------------------------------------------------
+Thu Mar 29 08:12:30 UTC 2018 - fstrba@suse.com
+
+- Upgrade to 2.0.14
+ * Soname and package name change libjasper1 to libjasper4
+ * Security fixes:
+ + CVE-2016-9557 jasper: Signed integer overflow in jas_image.c
+- Removed patches:
+ * jasper-1.900.1-uninitialized.patch
+ + not needed any more
+ * jasper-CVE-2016-10251.patch
+ * jasper-CVE-2016-8654.patch
+ * jasper-CVE-2016-9262.patch
+ * jasper-CVE-2016-9395.patch
+ * jasper-CVE-2016-9560.patch
+ * jasper-CVE-2016-9583.patch
+ * jasper-CVE-2016-9591.patch
+ * jasper-CVE-2016-9600.patch
+ * jasper-CVE-2017-1000050.patch
+ * jasper-CVE-2017-5498.patch
+ * jasper-CVE-2017-6850.patch
+ + Fixed upstream
+- Added patches:
+ * 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch
+ + fix assertion failure JPC_NOMINALGAIN() which can be caused
+ by a crafted JP2 file.
+ * 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch
+ + allow JasPer to be build with CMake 2.x as well as CMake 3.x.
+
+-------------------------------------------------------------------
Old:
----
jasper-1.900.1-uninitialized.patch
jasper-1.900.14.tar.bz2
jasper-CVE-2016-10251.patch
jasper-CVE-2016-8654.patch
jasper-CVE-2016-9262.patch
jasper-CVE-2016-9395.patch
jasper-CVE-2016-9560.patch
jasper-CVE-2016-9583.patch
jasper-CVE-2016-9591.patch
jasper-CVE-2016-9600.patch
jasper-CVE-2017-1000050.patch
jasper-CVE-2017-5498.patch
jasper-CVE-2017-6850.patch
New:
----
0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch
0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch
jasper-2.0.14.tar.gz
jasper-CVE-2018-9055.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ jasper.spec ++++++
--- /var/tmp/diff_new_pack.HuoFlL/_old 2018-04-05 15:27:26.733254125 +0200
+++ /var/tmp/diff_new_pack.HuoFlL/_new 2018-04-05 15:27:26.737253980 +0200
@@ -1,7 +1,7 @@
#
# spec file for package jasper
#
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,35 +17,30 @@
Name: jasper
-Version: 1.900.14
+Version: 2.0.14
Release: 0
Summary: An Implementation of the JPEG-2000 Standard, Part 1
License: SUSE-Public-Domain
Group: Productivity/Graphics/Convertors
Url: http://www.ece.uvic.ca/~mdadams/jasper/
-Source: %{name}-%{version}.tar.bz2
+Source: %{name}-%{version}.tar.gz
Source2: baselibs.conf
-Patch0: jasper-1.900.1-uninitialized.patch
-Patch1: jasper-CVE-2016-8654.patch
-Patch2: jasper-CVE-2016-9395.patch
-Patch3: jasper-CVE-2016-9398.patch
-Patch4: jasper-CVE-2016-9560.patch
-Patch5: jasper-CVE-2016-9591.patch
-Patch6: jasper-CVE-2016-10251.patch
-Patch7: jasper-CVE-2017-5498.patch
-Patch8: jasper-CVE-2016-9600.patch
-Patch9: jasper-CVE-2016-9583.patch
-Patch10: jasper-CVE-2017-6850.patch
-Patch11: jasper-CVE-2017-1000050.patch
-Patch12: jasper-CVE-2016-9262.patch
-BuildRequires: autoconf
-BuildRequires: automake
+Patch1: jasper-CVE-2016-9398.patch
+Patch2: 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch
+Patch3: 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch
+Patch4: jasper-CVE-2018-9055.patch
+BuildRequires: Mesa-libGL-devel
+BuildRequires: cmake
+BuildRequires: doxygen
+BuildRequires: fdupes
+BuildRequires: freeglut-devel
BuildRequires: gcc-c++
+BuildRequires: glu-devel
+BuildRequires: libXi-devel
+BuildRequires: libXmu-devel
BuildRequires: libdrm-devel
BuildRequires: libjpeg-devel
-BuildRequires: libtool
BuildRequires: pkgconfig
-BuildRequires: unzip
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
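Review bot: The `Patch1:`–`Patch4:` lines in this hunk carry no comment recording each patch's origin or tracking bug, even though the same hunk drops twelve earlier patches (eleven of them CVE fixes) that the changelog describes only as "Fixed upstream". A reader of the spec alone cannot tell which security fixes are still carried downstream and why. I would annotate each one, for example `# jasper-CVE-2018-9055.patch: bsc#1087020, reachable assertion in jpc_firstone (jpc_math.c)` above `Patch4:`. A line above `Patch1:` should say why jasper-CVE-2016-9398.patch is still needed on top of 2.0.14; presumably upstream has not fixed it, but that is not visible here. It would also help to confirm that each dropped CVE patch has a matching fix in the 2.0.14 tarball before relying on the changelog claim.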
@@ -53,7 +48,7 @@
standard, JPEG-2000, Part 1. It consists of tools for conversion to and
from the JP2 and JPC formats.
-%package -n libjasper1
+%package -n libjasper4
Summary: JPEG-2000 library
# bug437293
# used in <= 11.3
@@ -65,7 +60,7 @@
%endif
#
-%description -n libjasper1
+%description -n libjasper4
This package contains libjasper, a library implementing the JPEG-2000
image compression standard Part 1.
@@ -74,7 +69,7 @@
# bug437293
#
Group: Development/Libraries/C and C++
-Requires: libjasper1 = %{version}
+Requires: libjasper4 = %{version}
Requires: libjpeg-devel
%ifarch ppc64
Obsoletes: libjasper-devel-64bit
@@ -86,55 +81,34 @@
%prep
%setup -q
-%patch0
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
%build
-libtoolize --force --copy --install
-autoreconf -fi
export CFLAGS="%{optflags} -Wall -std=c99 -D_BSD_SOURCE"
-%configure --prefix="%{_prefix}" --enable-shared --disable-static --libdir=%{_libdir}
+%cmake -DCMAKE_INSTALL_DOCDIR=%{_docdir}/%{name}
make %{?_smp_mflags}
-#
-# Sanity check
-# With some CFLAGS sets, uint, ulong and ushort are not visible and jas_config.h
-# refefines system types. It can trigger build failures after
-# #include
From e8369be3348c56fa931613c5a70a3492042e52a4 Mon Sep 17 00:00:00 2001
From: Michael Adams
Date: Sat, 9 Dec 2017 10:24:05 -0800
Subject: [PATCH] Added a fix from nrusch to allow JasPer to be build with CMake 2.x as well as CMake 3.x.
---
CMakeLists.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c432ba2..578e54d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,6 +1,6 @@
cmake_minimum_required (VERSION 2.8.11)
-project(JasPer LANGUAGES C)
+project(JasPer C)
set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${CMAKE_SOURCE_DIR}/build/cmake/modules/")
--
2.16.2
++++++ 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch ++++++
From a10536d5f7f3164b0a1f1ae3e533f4a12ca6f543 Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Fri, 6 Oct 2017 19:15:22 +0200
Subject: [PATCH] jpc_cs: reject all but JPC_COX_INS and JPC_COX_RFT
Fixes assertion failure JPC_NOMINALGAIN() which can be caused by a
crafted JP2 file.
Closes #50, #142
---
src/libjasper/jpc/jpc_cs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/libjasper/jpc/jpc_cs.c b/src/libjasper/jpc/jpc_cs.c
index f863b69..cec0c75 100644
--- a/src/libjasper/jpc/jpc_cs.c
+++ b/src/libjasper/jpc/jpc_cs.c
@@ -795,6 +795,9 @@ static int jpc_cox_getcompparms(jpc_ms_t *ms, jpc_cstate_t *cstate,
if (compparms->numdlvls > 32) {
goto error;
}
+ if (compparms->qmfbid != JPC_COX_INS &&
+ compparms->qmfbid != JPC_COX_RFT)
+ goto error;
compparms->numrlvls = compparms->numdlvls + 1;
if (compparms->numrlvls > JPC_MAXRLVLS) {
goto error;
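Review bot: The added `qmfbid` guard is the only check in this stretch of jpc_cox_getcompparms written without braces, while the `numdlvls > 32` test above it and the `numrlvls > JPC_MAXRLVLS` test below it both brace their `goto error`. On a validation path for values taken from a possibly crafted file, an unbraced guard is easy to break with a later one-line addition. I would write it as `if (compparms->qmfbid != JPC_COX_INS && compparms->qmfbid != JPC_COX_RFT) {` then `goto error;` then `}`. It also deserves a comment giving the reason, e.g. `/* Any other qmfbid later trips the JPC_NOMINALGAIN() assertion; reject it here. */`, since that rationale currently lives only in the commit message. The function begins and ends outside the hunk, so what the `error` label cleans up is not visible here.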
--
2.16.2
++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.HuoFlL/_old 2018-04-05 15:27:26.797251811 +0200
+++ /var/tmp/diff_new_pack.HuoFlL/_new 2018-04-05 15:27:26.797251811 +0200
@@ -1,3 +1,3 @@
-libjasper1
+libjasper4
obsoletes "libjasper-<targettype>"
provides "libjasper-<targettype>"
++++++ jasper-CVE-2016-10251.patch -> jasper-CVE-2018-9055.patch ++++++
--- /work/SRC/openSUSE:Factory/jasper/jasper-CVE-2016-10251.patch 2017-03-18 20:49:35.430038839 +0100
+++ /work/SRC/openSUSE:Factory/.jasper.new/jasper-CVE-2018-9055.patch 2018-04-05 15:27:26.117276390 +0200
@@ -1,87 +1,60 @@
---- jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.c 2017-03-16 09:23:44.445202359 +0100
-+++ jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.c 2017-03-16 09:25:00.433202141 +0100
-@@ -432,18 +432,18 @@
- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno,
- ++pi->picomp) {
- pirlvl = pi->picomp->pirlvls;
-- pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
-- pi->picomp->numrlvls - 1));
-- pi->ystep = pi->picomp->vsamp * (1 << (pirlvl->prcheightexpn +
-- pi->picomp->numrlvls - 1));
-+ pi->xstep = pi->picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) <<
-+ (pirlvl->prcwidthexpn + pi->picomp->numrlvls - 1));
-+ pi->ystep = pi->picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) <<
-+ (pirlvl->prcheightexpn + pi->picomp->numrlvls - 1));
- for (rlvlno = 1, pirlvl = &pi->picomp->pirlvls[1];
- rlvlno < pi->picomp->numrlvls; ++rlvlno, ++pirlvl) {
-- pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp * (1 <<
-- (pirlvl->prcwidthexpn + pi->picomp->numrlvls -
-- rlvlno - 1)));
-- pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp * (1 <<
-- (pirlvl->prcheightexpn + pi->picomp->numrlvls -
-- rlvlno - 1)));
-+ pi->xstep = JAS_MIN(pi->xstep, pi->picomp->hsamp *
-+ (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcwidthexpn +
-+ pi->picomp->numrlvls - rlvlno - 1)));
-+ pi->ystep = JAS_MIN(pi->ystep, pi->picomp->vsamp *
-+ (JAS_CAST(uint_fast32_t, 1) << (pirlvl->prcheightexpn +
-+ pi->picomp->numrlvls - rlvlno - 1)));
- }
- for (pi->y = pi->ystart; pi->y < pi->yend;
- pi->y += pi->ystep - (pi->y % pi->ystep)) {
---- jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.h 2017-03-16 09:23:44.445202359 +0100
-+++ jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.h 2017-03-16 09:25:00.433202141 +0100
-@@ -129,10 +129,10 @@
- jpc_pirlvl_t *pirlvls;
-
- /* The horizontal sampling period. */
-- int hsamp;
-+ uint_fast32_t hsamp;
-
- /* The vertical sampling period. */
-- int vsamp;
-+ uint_fast32_t vsamp;
-
- } jpc_picomp_t;
-
-@@ -171,32 +171,32 @@
- int lyrno;
-
- /* The x-coordinate of the current position. */
-- int x;
-+ uint_fast32_t x;
-
- /* The y-coordinate of the current position. */
-- int y;
-+ uint_fast32_t y;
-
- /* The horizontal step size. */
-- int xstep;
-+ uint_fast32_t xstep;
-
- /* The vertical step size. */
-- int ystep;
-+ uint_fast32_t ystep;
-
- /* The x-coordinate of the top-left corner of the tile on the reference
- grid. */
-- int xstart;
-+ uint_fast32_t xstart;
-
- /* The y-coordinate of the top-left corner of the tile on the reference
- grid. */
-- int ystart;
-+ uint_fast32_t ystart;
-
- /* The x-coordinate of the bottom-right corner of the tile on the
- reference grid (plus one). */
-- int xend;
-+ uint_fast32_t xend;
-
- /* The y-coordinate of the bottom-right corner of the tile on the
- reference grid (plus one). */
-- int yend;
-+ uint_fast32_t yend;
-
- /* The current progression change. */
- jpc_pchg_t *pchg;
+From a7cfb760db46d2405dd180bc7c302f6311e605a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fridrich=20=C5=A0trba?=