commit 385203909d3ecbe69467b9b08d5849e9484d2409c4bc5ad5032dfed296f5ca9c Author: Adrian Schröter Date: Fri May 3 13:54:44 2024 +0200 Sync from SUSE:SLFO:Main jasper revision ba6e2b359ea6abfc61291e13ab464e1c diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..88ffa59 --- /dev/null +++ b/baselibs.conf @@ -0,0 +1 @@ +libjasper7 diff --git a/jasper.changes b/jasper.changes new file mode 100644 index 0000000..479d50f --- /dev/null +++ b/jasper.changes @@ -0,0 +1,976 @@ +------------------------------------------------------------------- +Tue Feb 20 05:47:05 UTC 2024 - Michael Vetter + +- Update to 4.2.1: + * Fix a build problem for the DJGPP/MS-DOS environment (#372). + +------------------------------------------------------------------- +Tue Feb 6 07:05:20 UTC 2024 - Michael Vetter + +- Update to 4.2.0: + * Add the JAS_PACKAGING option to the CMake build in an attempt to allow + easier control over rpath settings by packagers of JasPer. + * Remove a number of obsolete scripts. + * Make some cosmetic changes to the code for the JPC codec in order + to improve readability (#371). + * Fix a portability bug related to threads/atomics. + * Replace some lingering uses of strtok in the JPC coder with jas_strtok, + since the use of strtok is problematic in multithreading contexts. + +------------------------------------------------------------------- +Thu Jan 11 15:45:02 UTC 2024 - Michael Vetter + +- Update to 4.1.2: + * Fix invalid memory write bug (#367) bsc#1218802 (CVE-2023-51257). + * Fix missing range check in the JPC encoder (#368). + +------------------------------------------------------------------- +Wed Nov 29 09:29:34 UTC 2023 - Michael Vetter + +- Update to 4.1.1: + * Disallow in-source builds by default #364 + * Fix a potential integer overflow problem in the + jas_get_total_mem_size function (for the Windows platform) #363 + +------------------------------------------------------------------- +Sun Nov 5 13:14:59 UTC 2023 - Michael Vetter + +- Update to 4.1.0: + * Add support for building several JasPer application programs for + WebAssembly target with WASI support. + +------------------------------------------------------------------- +Sun Nov 5 13:14:39 UTC 2023 - Michael Vetter + +- Update to 4.0.1: + * Fix integer overflow bug in PNM decoder (#353). + * Fix a few minor build issues. + +------------------------------------------------------------------- +Sun Nov 6 09:19:20 UTC 2022 - Michael Vetter + +- Update to 4.0.0: + * Improve static linking (##336). + * Fix path relocation in mingw environment (#335). + * Improve logging and build scripts. + * Improve JPEG-2000 conformance test results. + * Enable PIC by default. + * Fix memory leaks in function cmdopts_parse (#332) (CVE-2022-2963). + * imgcmp: + + Add quiet (-q) option. + + Add debug-level option. + + Fix memory leak. + imginfo: + + Add quiet (-q) option. + * Fix bug in parsing PGX header. + * Fix integer overflow bug (#345) (CVE-2022-40755). +- Remove jasper-CVE-2022-2963.patch + +------------------------------------------------------------------- +Fri Sep 16 11:34:42 UTC 2022 - Michael Vetter + +- security update: + * CVE-2022-2963 [bsc#1202642] + + jasper-CVE-2022-2963.patch + +------------------------------------------------------------------- +Thu Jul 14 07:24:38 UTC 2022 - Michael Vetter + +- Update to 3.0.6: + * Fix bug in manual deployment script. + +------------------------------------------------------------------- +Thu Jun 23 14:09:05 UTC 2022 - Michael Vetter + +- Update to 3.0.5: + * Fix a minor build issue (#328). + +------------------------------------------------------------------- +Fri Jun 3 12:41:24 UTC 2022 - Michael Vetter + +- Update to 3.0.4: + * Eliminate some bogus calls to abort. + * Fix a typo in jas_safeui64_div (#323). + * Add some additional logging messages. + * Fix the source of a potential compiler warning (#321). + +------------------------------------------------------------------- +Wed Mar 16 16:59:29 UTC 2022 - Michael Vetter + +- Update to 3.0.3: + * Fix some portability issues in a few scripts. + +------------------------------------------------------------------- +Mon Feb 14 16:26:36 UTC 2022 - Wolfgang Bauer + +- Add back missing Requires to the devel package + +------------------------------------------------------------------- +Mon Feb 14 15:12:38 UTC 2022 - Michael Vetter + +- Update to 3.0.2: + * Fix a build issue that occurs when a cross-compiler is + used (e.g., #319). + +------------------------------------------------------------------- +Sat Feb 12 21:16:30 UTC 2022 - Michael Vetter + +- Update to 3.0.1: + * Fix some build/portability issues (e.g., #317, #318). +- Drop jasper-cmake-warnings.patch: contained in upstream release + +------------------------------------------------------------------- +Mon Feb 7 15:45:25 UTC 2022 - Michael Vetter + +- Update to 3.0.0: + * Introducing some API changes please refer to the "News" section + of the JasPer manuel: https://jasper-software.github.io/jasper-manual + * Greatly improve documentation. + * Add support for multithreading. + * Add some customization points in the library, such as the + memory allocator and error logging function. + * Add improved memory usage tracking and limiting. + * Add experimental partial encoding/decoding support for the + HEIC format. + * Fix some longstanding issues in the JasPer I/O streams API. + * Fix many bugs (e.g., #305, #307, #308, #309, #312, #314, and + many others not associated with any issue numbers). +- Remove jasper-freeglut.patch: not needed anymore +- Add jasper-cmake-warnings.patch: fix cmake warnings +- Remove legacy provides/obsoletes related to sle11 and bsc#437293 + +------------------------------------------------------------------- +Sun Jan 30 13:42:36 UTC 2022 - Carsten Ziepke + +- Add jasper-freeglut.patch, fixes freeglut detection and linking +- Run spec-cleaner +- Change license from SUSE-Public-Domain to JasPer-2.0 +- Cleanup docdir, only package the html and pdf docs and not + the sources + +------------------------------------------------------------------- +Mon Aug 16 07:04:10 UTC 2021 - Michael Vetter + +- Update to 2.0.33: + * Fix a JP2/JPC decoder bug (#291) + * Fix a build issue impacting some platforms (#296) + +------------------------------------------------------------------- +Mon Apr 19 11:38:47 UTC 2021 - Michael Vetter + +- Update to 2.0.32: + * Between 2.0.29 and 2.0.32 were only experiments with + GitHub Actions + +------------------------------------------------------------------- +Mon Apr 19 11:38:25 UTC 2021 - Michael Vetter + +- Update to 2.0.29: + * Loosen some overly tight restrictions on JP2 codestreams, + which caused some valid codestreams to be rejected. (#289) + +------------------------------------------------------------------- +Mon Mar 29 17:09:03 UTC 2021 - Michael Vetter + +- Update to 2.0.28: + * Fix potential null pointer dereference in the JP2/JPC decoder. + (#269) (CVE-2021-3443) bsc#1184798 + * Fix ignoring of JAS_STREAM_FILEOBJ_NOCLOSE at stream close time. + (#286) + * Fix integral type sizing problem in JP2 codec. (#284) + + +------------------------------------------------------------------- +Thu Mar 18 11:28:45 UTC 2021 - Michael Vetter + +- Update to 2.0.27: + * Check for an image containing no samples in the PGX + decoder. (#271, #272, #273, #274, #275, #276, #281) + * Check for dimensions of zero in the JPC and JPEG decoders. + * Fix an arguably incorrect type for an integer literal + in the PGX decoder. (#270) + * Check for an invalid component reference in the + JP2 decoder. (#269) + * Check on integer size in JP2 decoder. (#278) + +------------------------------------------------------------------- +Fri Mar 5 15:42:31 UTC 2021 - Michael Vetter + +- Update to 2.0.26: + * Fix JP2 decoder bug that can cause a null pointer dereference + for some invalid CDEF boxes. (#268) (CVE-2021-3467) bsc#1184757 + +------------------------------------------------------------------- +Mon Feb 8 09:02:13 UTC 2021 - Michael Vetter + +- Update to 2.0.25: + * Fix memory-related bugs in the JPEG-2000 codec resulting from + attempting to decode invalid code streams. (#264, #265) + This fix is associated with CVE-2021-26926 bsc#1182105 and + bsc#1182104 CVE-2021-26927. + * Fix wrong return value under some compilers (#260) + * Fix bsc#1181483 CVE-2021-3272 heap buffer overflow + in jp2_decode (#259) + +------------------------------------------------------------------- +Mon Jan 4 09:15:44 UTC 2021 - Michael Vetter + +- Update to 2.0.24: + * Add JAS_VERSION_MAJOR, JAS_VERSION_MINOR, JAS_VERSION_PATCH + for easier access to the JasPer version. + * Fixes stack overflow bug on Windows, where variable-length + arrays are not available. (#256) + +------------------------------------------------------------------- +Tue Dec 8 07:45:28 UTC 2020 - Michael Vetter + +- Update to 2.0.23: + * Fix CVE-2020-27828, heap-overflow in cp_create() in jpc_enc.c (#252) + bsc#1179748 + +------------------------------------------------------------------- +Tue Oct 6 07:16:41 UTC 2020 - Michael Vetter + +- Update to 2.0.22: + * Update manual + * Remove JPEG dummy codec + * Fix test suite build failure regarding disabled MIF codec (#249) + * Fix OpenGL/glut detection (#247) +- Remove jasper-2.0.21-glut.patch: upstreamed + +------------------------------------------------------------------- +Wed Sep 23 07:40:22 UTC 2020 - Michael Vetter + +- Add jasper-2.0.21-glut.patch: Fix glut.h detection + See https://github.com/jasper-software/jasper/issues/247 + +------------------------------------------------------------------- +Tue Sep 22 12:10:54 UTC 2020 - Michael Vetter + +- Update to 2.0.21: + * Fix ZDI-15-529 + https://github.com/jasper-software/jasper/pull/245 + * Fix CVE-2018-19541 in decoder + https://github.com/jasper-software/jasper/pull/244 + +------------------------------------------------------------------- +Mon Sep 7 08:15:35 UTC 2020 - Michael Vetter + +- Update to 2.0.20: + * Fixed several ISO/IEC 15444-4 conformance bugs + * Fixed new variant of CVE-2016-9398 + * Disabled the MIF codec by default for security reasons (but it is still + included in the library); + in a future release, the MIF codec may also be excluded from the + library by default + * Added documentation for the I/O streams library API + * Improved adherance to specification +- Move to GitHub repo https://github.com/jasper-software/jasper +- Update URL to https://jasper-software.github.io/jasper + +------------------------------------------------------------------- +Tue Jul 28 09:39:46 UTC 2020 - Michael Vetter + +- Update to 2.0.19: + * CVE-2021-27845 bsc#1188437 + https://github.com/mdadams/jasper/issues/194 (part 1) + * Fix CVE-2018-9154 + https://github.com/jasper-software/jasper/issues/215 + https://github.com/jasper-software/jasper/issues/166 + https://github.com/jasper-software/jasper/issues/175 + https://github.com/jasper-maint/jasper/issues/8 + * Fix CVE-2018-19541 + https://github.com/jasper-software/jasper/pull/199 + https://github.com/jasper-maint/jasper/issues/6 + * Fix CVE-2016-9399 bsc#1010980, CVE-2017-13751 + https://github.com/jasper-maint/jasper/issues/1 + * Fix CVE-2018-19540 + https://github.com/jasper-software/jasper/issues/182 + https://github.com/jasper-maint/jasper/issues/22 + * Fix CVE-2018-9055 + https://github.com/jasper-maint/jasper/issues/9 + * Fix CVE-2017-13748 + https://github.com/jasper-software/jasper/issues/168 + * Fix CVE-2017-5503 bsc#1020456, CVE-2017-5504 bsc#1020458, CVE-2017-5505 bsc#1020460 + https://github.com/jasper-maint/jasper/issues/3 + https://github.com/jasper-maint/jasper/issues/4 + https://github.com/jasper-maint/jasper/issues/5 + https://github.com/jasper-software/jasper/issues/88 + https://github.com/jasper-software/jasper/issues/89 + https://github.com/jasper-software/jasper/issues/90 + * Fix CVE-2018-9252 bsc#1088278 + https://github.com/jasper-maint/jasper/issues/16 + * Fix CVE-2018-19139 bsc#1115637 + https://github.com/jasper-maint/jasper/issues/14 + * Fix CVE-2018-19543 bsc#1117328, CVE-2017-9782 bsc#1045450 + https://github.com/jasper-maint/jasper/issues/13 + https://github.com/jasper-maint/jasper/issues/18 + https://github.com/jasper-software/jasper/issues/140 + https://github.com/jasper-software/jasper/issues/182 + * Fix CVE-2018-20570 bsc#1120807 + https://github.com/jasper-maint/jasper/issues/11 + https://github.com/jasper-software/jasper/issues/191 + * Fix CVE-2018-20622 bsc#1120805 + https://github.com/jasper-maint/jasper/issues/12 + https://github.com/jasper-software/jasper/issues/193 + * Fix CVE-2016-9398 bsc#1010979 + https://github.com/jasper-maint/jasper/issues/10 + * Fix CVE-2017-14132 bsc#1057152 + https://github.com/jasper-maint/jasper/issues/17 + * Fix CVE-2017-5499 bsc#1020451 + https://github.com/jasper-maint/jasper/issues/2 + https://github.com/jasper-software/jasper/issues/63 + * Fix CVE-2018-18873 bsc#1114498 + https://github.com/jasper-maint/jasper/issues/15 + https://github.com/jasper-software/jasper/issues/184 + * Fix https://github.com/jasper-software/jasper/issues/207 + * Fix https://github.com/jasper-software/jasper/issues/194 part 1 + * Fix CVE-2017-13750 + https://github.com/jasper-software/jasper/issues/165 + https://github.com/jasper-software/jasper/issues/174 + * New option -DJAS_ENABLE_HIDDEN=true to not export internal symbols in the public symbol table + * Fix various memory leaks + * Plenty of code cleanups, and performance improvements +- Remove because contained in upstream: + * jasper-CVE-2016-9398.patch + * jasper-CVE-2018-19540.patch + * jasper-CVE-2018-19541.patch + * jasper-CVE-2018-19542.patch + * jasper-CVE-2018-9055.patch + * jasper-CVE-2018-9154.patch + +------------------------------------------------------------------- +Tue Mar 17 12:38:11 UTC 2020 - Michael Vetter + +- bsc#1092115 CVE-2018-9154: Fix possible denial of service + Add jasper-CVE-2018-9154.patch: dont abort in jpc_dec_process_sot() + +------------------------------------------------------------------- +Mon Nov 4 17:10:14 UTC 2019 - Michael Vetter + +- bsc#1117507 CVE-2018-19541: Properly fix heap based overread + in jas_image_depalettize. Original fix caused segfaults. + Update jasper-CVE-2018-19541.patch + +------------------------------------------------------------------- +Thu Jun 6 07:43:02 UTC 2019 - mvetter@suse.com + +- bsc#1117508 CVE-2018-19540: Fix heap based overflow in jas_icctxtdesc_input + Add jasper-CVE-2018-19540.patch: Make sure asclen is at least 1 +- bsc#1117507 CVE-2018-19541: Fix heap based overread in jas_image_depalettize + Add jasper-CVE-2018-19541.patch: Check number of lutents + +------------------------------------------------------------------- +Mon Mar 25 10:23:40 UTC 2019 - mvetter@suse.com + +- Update to 2.0.16: + * Fix assertion failure JPC_NOMINALGAIN (CVE-2016-9396) (#50) bsc#1010783 + * Fix build on Windows 10 (#162) + * Improve README + * Fix build with CMake 2.x + * Add missing dereference operators (#178, #157) + * Check data in jas_image (CVE-2018-19539) (#196) +- Remove because contained in new release: + * jasper-CVE-2018-19539.patch + * 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch + * Remove 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch +- Run spec-cleaner + +------------------------------------------------------------------- +Thu Mar 21 09:38:27 UTC 2019 - Michael Vetter + +- bsc#1117505 CVE-2018-19542: + * Add jasper-CVE-2018-19542.patch + +------------------------------------------------------------------- +Tue Mar 12 16:35:04 UTC 2019 - mvetter@suse.com + +- bsc#1117511 CVE-2018-19539: + * Add jasper-CVE-2018-19539.patch + +------------------------------------------------------------------- +Thu Mar 29 14:40:02 UTC 2018 - fstrba@suse.com + +- Added patch: + * jasper-CVE-2018-9055.patch + + fix CVE-2018-9055, bsc#1087020: jasper: denial of service via + a reachable assertion in the function jpc_firstone in + libjasper/jpc/jpc_math.c. + +------------------------------------------------------------------- +Thu Mar 29 08:12:30 UTC 2018 - fstrba@suse.com + +- Upgrade to 2.0.14 + * Soname and package name change libjasper1 to libjasper4 + * Security fixes: + + CVE-2016-9557 jasper: Signed integer overflow in jas_image.c +- Removed patches: + * jasper-1.900.1-uninitialized.patch + + not needed any more + * jasper-CVE-2016-10251.patch + * jasper-CVE-2016-8654.patch + * jasper-CVE-2016-9262.patch + * jasper-CVE-2016-9395.patch + * jasper-CVE-2016-9560.patch + * jasper-CVE-2016-9583.patch + * jasper-CVE-2016-9591.patch + * jasper-CVE-2016-9600.patch + * jasper-CVE-2017-1000050.patch + * jasper-CVE-2017-5498.patch + * jasper-CVE-2017-6850.patch + + Fixed upstream +- Added patches: + * 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch + + fix assertion failure JPC_NOMINALGAIN() which can be caused + by a crafted JP2 file. + * 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch + + allow JasPer to be build with CMake 2.x as well as CMake 3.x. + +------------------------------------------------------------------- +Wed Jul 12 07:43:06 UTC 2017 - fstrba@suse.com + +- Other bugs fixed by existing patches: + * jasper-CVE-2016-9395.patch + - bsc#1010756, CVE-2016-9394: assertion in jas_matrix_t + *jas_seq2d_create(int, int, int, int): Assertion + `xstart <= xend && ystart <= yend' + - bsc#1010757, CVE-2016-9392: pc_dec.c:1637: void + calcstepsizes(uint_fast16_t, int, uint_fast16_t *): + Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 - + ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))' + failed. + - bsc#1010766, CVE-2016-9393: jpc_t2cod.c:297: int + jpc_pi_nextrpcl(jpc_pi_t *): Assertion + `pi->prcno pirlvl->numprcs' failed. + - bsc#1010977, CVE-2016-9395: jas_seq.c:90: jas_matrix_t + *jas_seq2d_create(int, int, int, int): Assertion `xstart + <= xend && ystart <= yend' failed. +- Other bugs fixed in current version: + * bsc#1010774, CVE-2016-9390: jas_seq.c:90: jas_matrix_t + *jas_seq2d_create(int, int, int, int): Assertion `xstart <= + xend && ystart <= yend' failed. + * bsc#1010782, CVE-2016-9391: jpc_bs.c:197: long + jpc_bitstream_getbits(jpc_bitstream_t *, int): Assertion + `n >= 0 && n < 32' failed. + * bsc#1010968, CVE-2016-9389: Assertion `((c1)->numcols_) == + numcols && ((c2)->numcols_) == numcols' failed. + * bsc#1010975, CVE-2016-9388: ras_dec.c:330: int + ras_getcmap(jas_stream_t *, ras_hdr_t *, ras_cmap_t *): + Assertion `numcolors <= 256' failed. + * bsc#1010960, CVE-2016-9387: jas_seq.c:90: jas_matrix<= yend' + failed. + +------------------------------------------------------------------- +Tue Jul 11 10:45:59 UTC 2017 - fstrba@suse.com + +- Added patch: + * jasper-CVE-2016-9262.patch + + Fix for Multiple overflow vulnerabilities leading to use + after free (bsc#1009994, CVE-2016-9262) + +------------------------------------------------------------------- +Tue Jul 11 09:02:39 UTC 2017 - fstrba@suse.com + +- Added patch: + * jasper-CVE-2017-1000050.patch + + Upstream fix for NULL Pointer Dereference jp2_encode + (bsc#1047958, CVE-2017-1000050) + +------------------------------------------------------------------- +Thu Mar 30 09:51:07 UTC 2017 - fstrba@suse.com + +- Modified patch: + * jasper-CVE-2016-9583.patch + + integrate upstream change + 99a50593254d1b53002719bbecfc946c84b23d27, which fixed a null + pointer dereferencing crash. + +------------------------------------------------------------------- +Wed Mar 22 09:30:41 UTC 2017 - fstrba@suse.com + +- Added patches: + * jasper-CVE-2016-9583.patch + - Out of bounds heap read in jpc_pi_nextpcrl() (bsc#1015400, + CVE-2016-9583) + * jasper-CVE-2017-6850.patch + - NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c) + (bsc#1021868, CVE-2017-6850) + +------------------------------------------------------------------- +Fri Mar 17 08:25:35 UTC 2017 - fstrba@suse.com + +- Added patches: + * jasper-CVE-2017-5498.patch + - Upstream changes putting braces and belts around + CVE-2017-5498, bsc#1020353, left-shift undefined behaviour + * jasper-CVE-2016-9600.patch + - Upstream fix for "Null Pointer Dereference due to missing + check for UNKNOWN color space in JP2 encoder" (CVE-2016-9600, + bsc#1018088) + +------------------------------------------------------------------- +Thu Mar 16 08:28:31 UTC 2017 - fstrba@suse.com + +- Added patch: + * jasper-CVE-2016-10251.patch + - Upstream fix for bsc#1029497, CVE-2016-10251: Use of + uninitialized value in jpc_pi_nextcprl (jpc_t2cod.c) + +------------------------------------------------------------------- +Mon Mar 6 14:19:57 CET 2017 - sbrabec@suse.com + +- Add -D_BSD_SOURCE to fix redefinition of system types in + jas_config.h and breakage in ppc64le, s390 and s390x + (bsc#1028070). + +------------------------------------------------------------------- +Wed Dec 21 08:53:09 UTC 2016 - fstrba@suse.com + +- Added patch: + * jasper-CVE-2016-9591.patch + - Fix for bsc#1015993, CVE-2016-9591: Use-after-free on heap in + jas_matrix_destroy + +------------------------------------------------------------------- +Tue Dec 13 11:58:42 UTC 2016 - fstrba@suse.com + +- Added patches: + * jasper-CVE-2016-8654.patch + - Upstream fix for bsc#1012530, CVE-2016-8654: Heap-based + buffer overflow in QMFB code in JPC codec + * jasper-CVE-2016-9395.patch + - Upstream fix for bsc#1010977, CVE-2016-9395: jas_seq.c:90: + jas_matrix_t *jas_seq2d_create(int, int, int, int): Assertion + 'xstart <= xend && ystart <= yend' failed + * jasper-CVE-2016-9398.patch + - Fix for bsc#1010979, CVE-2016-9398: jpc_math.c:94: int + jpc_floorlog2(int): Assertion 'x > 0' failed + * jasper-CVE-2016-9560.patch + - Upstream fix for bsc#1011830, CVE-2016-9560: stack-based + buffer overflow in jpc_tsfb_getbands2 (jpc_tsfb.c) + +------------------------------------------------------------------- +Fri Oct 28 11:55:35 UTC 2016 - jengelh@inai.de + +- Update summaries. Use %_smp_mflags for parallel build. + +------------------------------------------------------------------- +Wed Oct 26 14:18:40 UTC 2016 - fstrba@suse.com + +- Updated to bugfix release 1.900.14 + * Security fixes + + bsc#941919, CVE-2015-5203 + + bsc#1006591, CVE-2016-8880 + + bsc#1006593, CVE-2016-8881 + + bsc#1006597, CVE-2016-8882 + + bsc#1006598, CVE-2016-8883 + + bsc#1007009, CVE-2016-8884, CVE-2016-8885 + + bsc#1006599, CVE-2016-8886 + + bsc#1006836, bsc#1006839, CVE-2016-8887 + * Changes + + Add another data file for testing (Michael Adams) + + Ensure that not all tiles lie outside the image area (Michael + Adams) + + Added a note on sanitizer options (Michael Adams) + + Added a simple test script (Michael Adams) + + Added an --enable-memory-limit configure option (Michael + Adams) + + Manually merged and edited a few changes from Bob Friesenhahn + (GraphicsMagick Maintainer) for Windows (Michael Adams) + + Added some new mostly small image files (many of which are + corrupt/invalid) that are useful for testing purposes + (Michael Adams) + + The debugging function jpc_dec_dump did not consider the case + that a band can have a null data pointer (when a band + contains no samples). This caused a null pointer to be + dereferenced (Michael Adams) + + Changed the JPC bitstream code to more gracefully handle a + request for a larger sized integer than what can be handled + (i.e., return with an error instead of failing an assert). + (Michael Adams) + + The component domains must be the same for the ICT/RCT in the + JPC codec. This was previously enforced with an assertion. + Now, it is handled in a more graceful manner (Michael Adams) + + Fixed a few bugs in the RAS encoder and decoder where errors + were tested with assertions instead of being gracefully + handled (Michael Adams) + +------------------------------------------------------------------- +Mon Oct 24 06:50:38 UTC 2016 - fstrba@suse.com + +- Updated to bugfix release 1.900.13 + * Changes + + Fixed another problem with incorrect cleanup of JP2 box data + upon error. (Michael Adams) + + Fixed another integer overflow problem. (Michael Adams) + + Replaced the remaining left and right shifts in the QMFB/MCT + code that can result in undefined behavior (due to shifting + negative values) with call to inline functions. + These functions collect all of the undefined behavior in one + place and also allow code sanitizers to ignore this ugliness + (via function attributes). (Michael Adams) + + Fixed a bug in the row/column split operations for QMFBs. + (Michael Adams) + + Made the PNM decoder more gracefully handle the not-fully- + supported feature of signed sample data. (Michael Adams) + + The PNM decoder did not gracefully handle an invalid magic + number in the PNM header. (Michael Adams) + + Fixed a MIF decoder bug. (Michael Adams) + + The imginfo command did not correctly handle an image with + zero components. (Michael Adams) + + Fixed an integer overflow problem. (Michael Adams) + + A new experimental memory allocator has been introduced. The + allocator is experimental in the sense that its API is not + considered stable and the allocator may change or disappear + entirely in future versions of the code. This new allocator + tracks how much memory is being used by jas_malloc and friends. + A maximum upper bound on the memory usage can be set via the + experimental API provided and a default value can be set at + build time as well. Such functionality may be useful in + run-time environments where the user wants to be able to limit + the amount of memory used by JasPer. This allocator is not + used by default. (Michael Adams) + + Changed the configure setup so that if GCC is used warnings + and pedantic errors are enabled. (Michael Adams) + + Fixed a bug that resulted in the destruction of JP2 box data + that had never been constructed in the first place. (Michael + Adams) + + The memory stream interface allows for a buffer size of zero. + The case of a zero-sized buffer was not handled correctly, as + it could lead to a double free (bsc#1005242, CVE-2016-8693). + (Michael Adams) + + Fixed a small memory leak for CRG marker segments. (Michael + Adams) + + Fixed a problem with a null pointer dereference in the BMP + decoder. (Michael Adams) + + Introduced jas_fast32_asl, jas_fast32_asr, and friends in + order to pull all undefined behavior for left and right shift + of (negative) integers into a small number of places and + provide a means to have UBSAN ignore this ugliness. (Michael + Adams) + + Fixed an integral type promotion problem by adding a JAS_CAST. + Modified the jpc_tsfb_synthesize function so that it will be a + noop for an empty sequence (in order to avoid dereferencing a + null pointer). (Michael Adams) + + Added some extra debugging log messages for memory + allocation/deallocation. (Michael Adams) + + The RCT and ICT require at least three components. Previously, + this was enforced with an assertion. Now, the assertion has + been replaced with a proper error check. (Michael Adams) + + The member (pi) in tiles was not properly initialized. This is + now corrected. Also, each tile is now only cleaned up once. + (Michael Adams) + + Initialize uninitialized variable. (Michael Adams) + + Added some options to configure for enabling various code + sanitizers. (Michael Adams) + + Added some range checks on parameters in some JPC marker + segments. (Michael Adams) + + Fixed potential integer overflow problem. (Michael Adams) + + Added some functions for safe integer arithmetic (for size_t) + in jas_math.h. (Michael Adams) + + Fixed some indentation issues. (Michael Adams) + + Converted a few raw mallocs to use jas_alloc2. Added code in + the jas_* memory allocation/deallocation functions to generate + debugging log messages. Only disable JAS_DBGLOG message if + NDEBUG is defined. (Michael Adams) + + Added more error/log messages for debugging in the JPEG + decoder. (Michael Adams) + + Added some extra log messages for debugging. Added check of + value returned by jas_matrix_create. (Michael Adams) + + Applied fix for VPATH builds (Michael Adams) + + Did some configure.ac cleanup (Michael Adams) + + Fixed 'inline' for older version of Visual Studio. (dirk) + + Fix a potential double fclose of a FILE* in the JPEG decoder. + (Michael Adams) + + Changed jas_types.h to assume that header files required by + the C99 standard are present. (Michael Adams) + + Incorporated changes from patch + jasper-1.900.3-libjasper-stepsizes-overflow.patch (Michael + Adams) + + Incorporated changes from patch + jasper-1.900.3-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch + (Michael Adams) + + Incorporated changes from patch + jasper-1.900.3-Coverity-RESOURCE_LEAK.patch (Michael Adams) + + Incorporated patch jasper-1.900.3-Coverity-NULL_RETURNS.patch + (Michael Adams) + + Fixed memory leak in jiv. (Michael Adams) + + Fixed a sanitizer failure in the BMP codec (bsc#1005084, + CVE-2016-8690). Also, added a --debug-level command line + option to the imginfo command for debugging purposes. + (Michael Adams) + + Added some missing type casts to ensure promotion to the + correct unsigned type to avoid undefined behavior (and stop + warnings from USAN). (Michael Adams) + + Fixed a linking problem with newer versions of GCC. (Michael + Adams) + + Changed --enable-debug configure option to enable some GCC + sanitizers. (Michael Adams) + + Added range check on XRsiz and YRsiz fields of SIZ marker + segment (bsc#1005090, CVE-2016-8691, CVE-2016-8692). (Michael + Adams) + + At many places in the code, jas_malloc or jas_recalloc was + being invoked with the size argument being computed in a + manner that would not allow integer overflow to be detected. + Now, these places in the code have been modified to use + special-purpose memory allocation functions (e.g., jas_alloc2, + jas_alloc3, jas_realloc2) that check for overflow. + (Michael Adams) + + Add fixes for CVE-2014-8137. (Michael Adams) + + Added fix for CVE-2016-2089. (Michael Adams) + + Moved abort into default case of switch statement. (Michael + Adams) + + Remove auto-generated file aclocal.m4 from repository. + (Michael Adams) + + Removed HAVE_VLA stuff from various configuration and build + files. Also, changed a few INCLUDES to AM_CPPFLAGS in automake + files (since INCLUDES is deprecated). (Michael Adams) + + 1.701.0-GL (Richard Hughes) + + pkgconfig (Richard Hughes) + + Coverity-UNREACHABLE (Richard Hughes) + + CVE-2016-1867 (Richard Hughes) + + CVE-2014-9029 (Richard Hughes) + + CVE-2014-8158 (Richard Hughes) + + CVE-2014-8157 (Richard Hughes) + + CVE-2014-8138 (Richard Hughes) + + CVE-2015-5221 (Richard Hughes) + + CVE-2016-2116 (Richard Hughes) + + Coverity-FORWARD_NULL (Richard Hughes) + + jpc_dec.c (Richard Hughes) + + Coverity-CHECKED_RETURN (Richard Hughes) + + CVE-2016-1577 (Richard Hughes) + + Coverity-UNUSED_VALUE (Richard Hughes) + + Coverity-BAD_SIZEOF (Richard Hughes) + + CVE-2008-3522 (Richard Hughes) +- Removed patches: + * jasper-1.900.1-bug258253.patch + * jasper-1.900.1-bug392410.patch + * jasper-1.900.1-no-undef-true-false.patch + * jasper-1.900.1-bug725758.patch + * jasper-overflow-bnc906364.patch + * jasper-CVE-2014-8137.patch + * jasper-CVE-2014-8138.patch + * jasper-CVE-2014-8157.patch + * jasper-CVE-2014-8158.patch + * jasper-jpc_dec.patch + * jasper-CVE-2016-1867.patch + * jasper-CVE-2016-2089.patch + + Fixed upstream +- Force -std=c99, since the upstream sources assume C99 + +------------------------------------------------------------------- +Tue Feb 2 07:48:21 UTC 2016 - fstrba@suse.com + +- Modified patch + * jasper-CVE-2016-2089.patch + + Use the new version of patch from + https://bugzilla.redhat.com/show_bug.cgi?id=1302636 + with more targetted checks. +- Version the Obsoletes/Provides so that the package does not + obsolete itself + +------------------------------------------------------------------- +Thu Jan 28 14:59:27 UTC 2016 - fstrba@suse.com + +- Add jasper-CVE-2016-2089.patch + * CVE-2016-2089: invalid read in the JasPer's jas_matrix_clip() + function (bsc#963983) + +------------------------------------------------------------------- +Thu Jan 14 13:55:04 UTC 2016 - fstrba@suse.com + +- Add jasper-CVE-2016-1867.patch + * CVE-2016-1867: Out-of-bounds Read in the JasPer's + jpc_pi_nextcprl() function (bsc#961886) + +------------------------------------------------------------------- +Sun Jul 12 09:03:19 UTC 2015 - badshah400@gmail.com + +- Add jasper-jpc_dec.patch to fix failure when manipulating images + with 4 component color using reversible color translation + (deb#469786); patch taken from Fedora. + +------------------------------------------------------------------- +Fri Jan 23 14:25:53 UTC 2015 - nadvornik@suse.com + +- fixed CVE-2014-8157, CVE-2014-8158 (bnc#911837) + + jasper-CVE-2014-8157.patch + + jasper-CVE-2014-8158.patch + +------------------------------------------------------------------- +Fri Dec 19 10:31:14 UTC 2014 - nadvornik@suse.com + +- fixed CVE-2014-8137, CVE-2014-8138 (bnc#909474, bnc#909475) + + jasper-CVE-2014-8137.patch + + jasper-CVE-2014-8138.patch + +------------------------------------------------------------------- +Fri Dec 5 09:56:39 UTC 2014 - nadvornik@suse.com + +- fixed possible overflow CVE-2014-9029 (bnc#906364) + + jasper-overflow-bnc906364.patch + +------------------------------------------------------------------- +Thu Jun 12 11:06:02 UTC 2014 - nadvornik@suse.com + +- added obsoletes and provides of libjasper-32bit (bnc#881716) + +------------------------------------------------------------------- +Wed Mar 5 15:26:47 UTC 2014 - nadvornik@suse.com + +- fixed possible overflow (bnc#725758, bnc#830803) + +------------------------------------------------------------------- +Wed Sep 11 08:01:48 UTC 2013 - pgajdos@suse.com + +- added no-undef-true-false.patch to fix [bnc#839584] + +------------------------------------------------------------------- +Thu Mar 28 10:34:19 UTC 2013 - mmeister@suse.com + +- Added url as source. + Please see http://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- +Sat Jan 12 19:12:02 UTC 2013 - coolo@suse.com + +- remove suse_update_config + +------------------------------------------------------------------- +Sun Nov 13 09:11:33 UTC 2011 - coolo@suse.com + +- add libtool as explicit buildrequire to avoid implicit dependency from prjconf + +------------------------------------------------------------------- +Wed Oct 5 13:58:57 UTC 2011 - uli@suse.com + +- cross-build fix: use %configure macro + +------------------------------------------------------------------- +Mon Aug 2 08:20:13 UTC 2010 - coolo@novell.com + +- fix baselibs.conf + +------------------------------------------------------------------- +Thu Jul 29 08:54:37 UTC 2010 - coolo@novell.com + +- do not build the highlevel image viewer in a basic library + (in case someone needs it, we better do a 2nd spec file) +- follow shared library policy + +------------------------------------------------------------------- +Wed Dec 16 11:16:55 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source +- enable parallel building + +------------------------------------------------------------------- +Tue Jan 13 12:34:56 CET 2009 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Wed Nov 12 15:22:43 CET 2008 - nadvornik@suse.cz + +- use the last version of the patches [bnc#392410] + +------------------------------------------------------------------- +Tue May 27 11:53:05 CEST 2008 - nadvornik@suse.cz + +- fixed multiple integer overflows [bnc#392410] + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Thu Apr 19 13:42:54 CEST 2007 - nadvornik@suse.cz + +- updated to bugfix release 1.900.1 +- created libjasper-devel subpackage +- do not build static libs +- added compat symlink libjasper-1.701.so.1 -> libjasper.so.1.0.0 +- fixed various crashes on malformed input [#258253] + +------------------------------------------------------------------- +Mon May 22 13:49:45 CEST 2006 - pnemec@suse.cz + +- fixed uninitialized varibale #176395 + added -uninitialzed.patch + +------------------------------------------------------------------- +Wed Jan 25 21:36:46 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Jun 14 18:24:09 CEST 2004 - sbrabec@suse.cz + +- Updated to version 1.701.0. + +------------------------------------------------------------------- +Thu Feb 05 18:35:27 CET 2004 - sbrabec@suse.cz + +- Updated to version 1.700.5. + +------------------------------------------------------------------- +Sat Jan 10 16:16:47 CET 2004 - adrian@suse.de + +- add %run_ldconfig + +------------------------------------------------------------------- +Thu Jul 24 12:59:07 CEST 2003 - nadvornik@suse.cz + +- updated to 1.700.2 + +------------------------------------------------------------------- +Mon May 12 01:35:59 CEST 2003 - ro@suse.de + +- added libstdc++-devel to neededforbuild + +------------------------------------------------------------------- +Wed Oct 23 21:50:26 CEST 2002 - uli@suse.de + +- update -> 1.600.0 (improved support for the JP2 format, new + application program "jiv" (simple image viewer), improved support + for the PNM family of formats, numerous other minor bugs fixed) + +------------------------------------------------------------------- +Sat Aug 24 17:30:26 CEST 2002 - ro@suse.de + +- fix doc file section for new cp behaviour + +------------------------------------------------------------------- +Tue Jul 2 14:21:07 CEST 2002 - meissner@suse.de + +- buildrooted, run autoreconf* + +------------------------------------------------------------------- +Thu Apr 18 18:25:48 CEST 2002 - sf@suse.de + +- added %{_libdir} to configure for lib/lib64 +- added %{suse_update_config} + +------------------------------------------------------------------- +Fri Jan 25 15:29:30 CET 2002 - uli@suse.de + +- update -> 1.500.4 (improved docs) + +------------------------------------------------------------------- +Thu Dec 6 12:31:42 CET 2001 - uli@suse.de + +- update -> 1.500.3 (fixes) + +------------------------------------------------------------------- +Thu Aug 16 15:25:08 CEST 2001 - uli@suse.de + +- build shared lib, too + +------------------------------------------------------------------- +Mon Jul 30 18:49:00 CEST 2001 - uli@suse.de + +- initial package + + diff --git a/jasper.spec b/jasper.spec new file mode 100644 index 0000000..b1ecd68 --- /dev/null +++ b/jasper.spec @@ -0,0 +1,103 @@ +# +# spec file for package jasper +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +# the tarball has a `build` directory of its own +%global __builddir obs_build + +Name: jasper +Version: 4.2.1 +Release: 0 +Summary: An Implementation of the JPEG-2000 Standard, Part 1 +License: JasPer-2.0 +Group: Productivity/Graphics/Convertors +URL: https://jasper-software.github.io/jasper +Source: https://github.com/jasper-software/jasper/archive/version-%{version}.tar.gz +Source1: baselibs.conf +BuildRequires: Mesa-libGL-devel +BuildRequires: cmake >= 3.20 +BuildRequires: doxygen +BuildRequires: fdupes +BuildRequires: freeglut-devel +BuildRequires: gcc-c++ +BuildRequires: glu-devel +BuildRequires: libXi-devel +BuildRequires: libXmu-devel +BuildRequires: libdrm-devel +BuildRequires: libjpeg-devel +BuildRequires: pkgconfig + +%description +This package contains an implementation of the image compression +standard, JPEG-2000, Part 1. It consists of tools for conversion to and +from the JP2 and JPC formats. + +%package -n libjasper7 +Summary: JPEG-2000 library +Group: Productivity/Graphics/Convertors + +%description -n libjasper7 +This package contains libjasper, a library implementing the JPEG-2000 +image compression standard Part 1. + +%package -n libjasper-devel +Summary: Development files for libjasper, a JPEG-2000 library +Group: Productivity/Graphics/Convertors +Requires: libjasper7 = %{version} +Requires: libjpeg-devel + +%description -n libjasper-devel +This package contains libjasper, a library implementing the JPEG-2000 +image compression standard Part 1. + +%prep +%setup -q -n %{name}-version-%{version} + +%build +export CFLAGS="%{optflags} -Wall -std=c99 -D_BSD_SOURCE" +%cmake -DCMAKE_INSTALL_DOCDIR=%{_docdir}/%{name} -DALLOW_IN_SOURCE_BUILD=ON +%make_build + +%install +%cmake_install + +%fdupes -s %{buildroot}/%{_docdir}/%{name} + +%post -n libjasper7 -p /sbin/ldconfig +%postun -n libjasper7 -p /sbin/ldconfig + +%files +%license LICENSE.txt +%doc COPYRIGHT.txt NEWS.txt README.md +%doc %{_docdir}/jasper/*.pdf +%dir %{_docdir}/jasper/html +%doc %{_docdir}/jasper/html/* +%{_bindir}/imgcmp +%{_bindir}/imginfo +%{_bindir}/jasper +%{_bindir}/jiv +%{_mandir}/man*/* + +%files -n libjasper7 +%{_libdir}/libjasper*.so.* + +%files -n libjasper-devel +%{_includedir}/jasper +%{_libdir}/libjasper.so +%{_libdir}/pkgconfig/jasper.pc + +%changelog diff --git a/version-4.2.1.tar.gz b/version-4.2.1.tar.gz new file mode 100644 index 0000000..f91dffb --- /dev/null +++ b/version-4.2.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:970002b774b91edd9d2dedf76d0b8d5a88af28e0c6d603cc51988311a99a869f +size 1980798