Accepting request 727906 from graphics

- Trim conjecture, bias, and metadata repetitions from description. (forwarded request 727904 from jengelh)

OBS-URL: https://build.opensuse.org/request/show/727906
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/djvulibre?expand=0&rev=37
Dominique Leuenberger 2019-09-07 10:34:40 +00:00 committed by Git OBS Bridge
commit 8f0a94b973
7 changed files with 317 additions and 59 deletions


@ -0,0 +1,87 @@
Index: djvulibre-3.5.27/libdjvu/DjVmDir.cpp
===================================================================
--- djvulibre-3.5.27.orig/libdjvu/DjVmDir.cpp 2014-07-08 23:15:07.000000000 +0200
+++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp 2019-09-02 13:46:28.076374501 +0200
@@ -300,36 +300,44 @@ DjVmDir::decode(const GP<ByteStream> &gs
memcpy((char*) strings+strings_size, buffer, length);
}
DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
-
- // Copy names into the files
+ int strings_size=strings.size();
+ strings.resize(strings_size+3);
+ memset((char*) strings+strings_size, 0, 4);
+
+ // Copy names into the files
const char * ptr=strings;
for(pos=files_list;pos;++pos)
{
GP<File> file=files_list[pos];
-
+ if (ptr >= (const char*)strings + strings_size)
+ G_THROW( "DjVu document is corrupted (DjVmDir)" );
file->id=ptr;
ptr+=file->id.length()+1;
if (file->flags & File::HAS_NAME)
{
- file->name=ptr;
- ptr+=file->name.length()+1;
- } else
+ file->name=ptr;
+ ptr+=file->name.length()+1;
+ }
+ else
{
file->name=file->id;
}
if (file->flags & File::HAS_TITLE)
{
- file->title=ptr;
- ptr+=file->title.length()+1;
- } else
- file->title=file->id;
- /* msr debug: multipage file, file->title is null.
+ file->title=ptr;
+ ptr+=file->title.length()+1;
+ }
+ else
+ {
+ file->title=file->id;
+ }
+ /* msr debug: multipage file, file->title is null.
DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
file->offset << ", " << file->size << ", " <<
file->is_page() << "\n"); */
}
- // Check that there is only one file with SHARED_ANNO flag on
+ // Check that there is only one file with SHARED_ANNO flag on
int shared_anno_cnt=0;
for(pos=files_list;pos;++pos)
{
Index: djvulibre-3.5.27/libdjvu/miniexp.cpp
===================================================================
--- djvulibre-3.5.27.orig/libdjvu/miniexp.cpp 2015-02-11 05:35:37.000000000 +0100
+++ djvulibre-3.5.27/libdjvu/miniexp.cpp 2019-09-02 13:46:28.072374476 +0200
@@ -1028,7 +1028,7 @@ print_c_string(const char *s, char *d, i
{
if (char_quoted(c, flags))
{
- char buffer[10];
+ char buffer[16]; /* 10+1 */
static const char *tr1 = "\"\\tnrbf";
static const char *tr2 = "\"\\\t\n\r\b\f";
buffer[0] = buffer[1] = 0;
Index: djvulibre-3.5.27/tools/csepdjvu.cpp
===================================================================
--- djvulibre-3.5.27.orig/tools/csepdjvu.cpp 2014-07-24 23:12:05.000000000 +0200
+++ djvulibre-3.5.27/tools/csepdjvu.cpp 2019-09-02 13:46:28.072374476 +0200
@@ -1814,7 +1814,7 @@ main(int argc, const char **argv)
ByteStream::create(GURL::Filename::UTF8(arg),"rb");
BufferByteStream ibs(*fbs);
do {
- char pagename[16];
+ char pagename[20];
sprintf(pagename, "p%04d.djvu", ++pageno);
if (opts.verbose > 1)
DjVuPrintErrorUTF8("%s","--------------------\n");
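Review bot: In `DjVmDir::decode` (libdjvu/DjVmDir.cpp) the added bounds check runs only once per file, before `file->id=ptr`; the `name` and `title` assignments that follow read from `ptr` with no check of their own and stay in bounds only because of the four zero bytes written after the names block. That coupling between the padding size and the number of unchecked reads is not stated anywhere, so a later change that reads one more string per file could silently bring the over-read back. Assuming each assignment copies up to the first NUL, I would document it at the `memset`, e.g. `// 4 NULs: id may end on the first, name and title then read empty strings, one spare`, or repeat the `ptr` check before each assignment. The function body starts and ends outside the hunk.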


@ -0,0 +1,20 @@
diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
index 0e487f0..c2fdbe4 100644
--- a/libdjvu/GBitmap.cpp
+++ b/libdjvu/GBitmap.cpp
@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs)
int c = 0;
while (n >= 0)
{
- bs.read(&h, 1);
+ if (bs.read(&h, 1) <= 0)
+ G_THROW( ByteStream::EndOfFile );
int x = h;
if (x >= (int)RUNOVERFLOWVALUE)
{
- bs.read(&h, 1);
+ if (bs.read(&h, 1) <= 0)
+ G_THROW( ByteStream::EndOfFile );
x = h + ((x - (int)RUNOVERFLOWVALUE) << 8);
}
if (c+x > ncolumns)
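Review bot: The two added `bs.read(&h, 1) <= 0` checks in `GBitmap::read_rle_raw` carry no comment saying why a short read must abort the loop, and the same two lines are written twice. From the hunk, an ignored failed read would leave `h` holding its previous value while the `while (n >= 0)` loop keeps decoding it, which is presumably what the checks guard against. A comment such as `// truncated stream: stop rather than decode the stale byte in h` above the first check would record that. If `ByteStream::read` returns an unsigned count, `<= 0` is the same as `== 0` and could be written that way. The function starts and ends outside the hunk.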


@ -0,0 +1,105 @@
diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h
index 96b067c..0140211 100644
--- a/libdjvu/GContainer.h
+++ b/libdjvu/GContainer.h
@@ -550,52 +550,61 @@ public:
template <class TYPE> void
GArrayTemplate<TYPE>::sort(int lo, int hi)
{
- if (hi <= lo)
- return;
- if (hi > hibound || lo<lobound)
- G_THROW( ERR_MSG("GContainer.illegal_subscript") );
TYPE *data = (TYPE*)(*this);
- // Test for insertion sort
- if (hi <= lo + 50)
+ while(true)
{
- for (int i=lo+1; i<=hi; i++)
+ if (hi <= lo)
+ return;
+ if (hi > hibound || lo<lobound)
+ G_THROW( ERR_MSG("GContainer.illegal_subscript") );
+ // Test for insertion sort
+ if (hi <= lo + 50)
{
- int j = i;
- TYPE tmp = data[i];
- while ((--j>=lo) && !(data[j]<=tmp))
- data[j+1] = data[j];
- data[j+1] = tmp;
+ for (int i=lo+1; i<=hi; i++)
+ {
+ int j = i;
+ TYPE tmp = data[i];
+ while ((--j>=lo) && !(data[j]<=tmp))
+ data[j+1] = data[j];
+ data[j+1] = tmp;
+ }
+ return;
}
- return;
- }
- // -- determine suitable quick-sort pivot
- TYPE tmp = data[lo];
- TYPE pivot = data[(lo+hi)/2];
- if (pivot <= tmp)
- { tmp = pivot; pivot=data[lo]; }
- if (data[hi] <= tmp)
- { pivot = tmp; }
- else if (data[hi] <= pivot)
- { pivot = data[hi]; }
- // -- partition set
- int h = hi;
- int l = lo;
- while (l < h)
- {
- while (! (pivot <= data[l])) l++;
- while (! (data[h] <= pivot)) h--;
- if (l < h)
+ // -- determine median-of-three pivot
+ TYPE tmp = data[lo];
+ TYPE pivot = data[(lo+hi)/2];
+ if (pivot <= tmp)
+ { tmp = pivot; pivot=data[lo]; }
+ if (data[hi] <= tmp)
+ { pivot = tmp; }
+ else if (data[hi] <= pivot)
+ { pivot = data[hi]; }
+ // -- partition set
+ int h = hi;
+ int l = lo;
+ while (l < h)
{
- tmp = data[l];
- data[l] = data[h];
- data[h] = tmp;
- l = l+1;
- h = h-1;
+ while (! (pivot <= data[l])) l++;
+ while (! (data[h] <= pivot)) h--;
+ if (l < h)
+ {
+ tmp = data[l];
+ data[l] = data[h];
+ data[h] = tmp;
+ l = l+1;
+ h = h-1;
+ }
+ }
+ // -- recurse, small partition first
+ // tail-recursion elimination
+ if (h - lo <= hi - l) {
+ sort(lo,h);
+ lo = l; // sort(l,hi)
+ } else {
+ sort(l,hi);
+ hi = h; // sort(lo,h)
}
}
- // -- recursively restart
- sort(lo, h);
- sort(l, hi);
}
template<class TYPE> inline TYPE&
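Review bot: The new comment `// tail-recursion elimination` in `GArrayTemplate<TYPE>::sort` does not say what bound the rewrite gives, which is the reason for recursing into the smaller partition first. Because the recursive call always takes the side chosen by `h - lo <= hi - l`, each nested call covers at most about half of the current range, so stack depth grows logarithmically with the range size instead of linearly on unfavourable input. I would state that in the code, e.g. `// recurse only into the smaller half (depth <= ~log2(n)); loop on the larger half`. The range check `hi > hibound || lo<lobound` is now re-evaluated on every loop pass although later passes only narrow `[lo,hi]`; that is harmless, but a short comment would stop it being read as a required per-iteration check.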


@ -0,0 +1,22 @@
diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h
index e8e0c9b..ca89a19 100644
--- a/libdjvu/GBitmap.h
+++ b/libdjvu/GBitmap.h
@@ -566,7 +566,7 @@ GBitmap::operator[](int row)
{
if (!bytes)
uncompress();
- if (row<0 || row>=nrows) {
+ if (row<0 || row>=nrows || !bytes) {
#ifndef NDEBUG
if (zerosize < bytes_per_row + border)
G_THROW( ERR_MSG("GBitmap.zero_small") );
@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const
{
if (!bytes)
((GBitmap*)this)->uncompress();
- if (row<0 || row>=nrows) {
+ if (row<0 || row>=nrows || !bytes) {
#ifndef NDEBUG
if (zerosize < bytes_per_row + border)
G_THROW( ERR_MSG("GBitmap.zero_small") );
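Review bot: With `|| !bytes` added to both `GBitmap::operator[]` overloads, the fallback branch is now taken for in-range rows whenever `uncompress()` leaves `bytes` null, yet the only size check in that branch, `zerosize < bytes_per_row + border`, is still compiled out under `NDEBUG`. The rest of the branch is outside the hunk; if it returns a pointer into the shared zero buffer, as the check suggests, a release build hands callers a row whose length was never compared with `bytes_per_row + border`. I would move that check out of the `#ifndef NDEBUG` block in both overloads, or add a comment stating where the zero buffer is guaranteed to be large enough for this path.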


@ -0,0 +1,13 @@
diff --git a/tools/cjb2.cpp b/tools/cjb2.cpp
index 3da3ea8..701238d 100644
--- a/tools/cjb2.cpp
+++ b/tools/cjb2.cpp
@@ -744,6 +744,8 @@ read_tiff(CCImage &rimg, ByteStream *bs, cjb2opts &opts)
readproc, writeproc, seekproc,
closeproc, sizeproc,
mapproc, unmapproc );
+ if (! tiff)
+ G_THROW("Tiff image is corrupted (cannot open)");
// bitonal
uint16 bps = 0, spp = 0;
TIFFGetFieldDefaulted(tiff, TIFFTAG_BITSPERSAMPLE, &bps);
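Review bot: The added `if (! tiff)` check in `read_tiff` has no comment, and its message reports every open failure as corruption. The open call itself is above the hunk, but assuming it is libtiff's client-open routine, a null handle can also mean an unsupported variant or an allocation failure, so a message like `"Cannot open TIFF image (corrupted or unsupported)"` would be more accurate. A one-line comment, `// a null handle would be dereferenced by the TIFFGetField* calls below`, would record why the check sits here. The function continues outside the hunk.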


@ -1,3 +1,27 @@
-------------------------------------------------------------------
Tue Sep 3 06:21:13 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Trim conjecture, bias, and metadata repetitions from description.
- Trim descriptions in subpackages for length. (Main package keeps
the bigger one.)
- Use some more macros and limit fdupes to the /usr volume.
-------------------------------------------------------------------
Mon Sep 2 12:13:57 UTC 2019 - pgajdos@suse.com
- security update
- added patches
CVE-2019-15142 [bsc#1146702]
+ djvulibre-CVE-2019-15142.patch
CVE-2019-15143 [bsc#1146569]
+ djvulibre-CVE-2019-15143.patch
CVE-2019-15144 [bsc#1146571]
+ djvulibre-CVE-2019-15144.patch
CVE-2019-15145 [bsc#1146572]
+ djvulibre-CVE-2019-15145.patch
do not segfault when libtiff encounters corrupted TIFF (upstream issue #295)
+ djvulibre-invalid-tiff.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 8 23:17:00 UTC 2019 - Stefan Brüns <stefan.bruens@rwth-aachen.de> Tue Jan 8 23:17:00 UTC 2019 - Stefan Brüns <stefan.bruens@rwth-aachen.de>


@ -1,7 +1,7 @@
# #
# spec file for package djvulibre # spec file for package djvulibre
# #
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -12,21 +12,33 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
%define asan_build 0
%define libname lib%{name}21 %define libname lib%{name}21
Name: djvulibre Name: djvulibre
Version: 3.5.27 Version: 3.5.27
Release: 0 Release: 0
Summary: An Open Source Implementation of DjVu Summary: An Implementation of DjVu
License: GPL-2.0+ License: GPL-2.0-or-later
Group: Productivity/Graphics/Other Group: Productivity/Graphics/Other
Url: http://djvu.sourceforge.net Url: http://djvu.sourceforge.net
Source: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz Source: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
# PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/djvu/djvulibre-git/ci/ff8e5b68f856a7fe17c9aa33d0f2220f4ba6b40c/ # PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/djvu/djvulibre-git/ci/ff8e5b68f856a7fe17c9aa33d0f2220f4ba6b40c/
Patch0: reproducible.patch Patch0: reproducible.patch
# CVE-2019-15143 [bsc#1146569]
Patch1: djvulibre-CVE-2019-15143.patch
# CVE-2019-15144 [bsc#1146571]
Patch2: djvulibre-CVE-2019-15144.patch
# CVE-2019-15145 [bsc#1146572]
Patch3: djvulibre-CVE-2019-15145.patch
# CVE-2019-15142 [bsc#1146702]
Patch4: djvulibre-CVE-2019-15142.patch
# do not segfault when libtiff encounters corrupted TIFF (upstream issue #295)
Patch5: djvulibre-invalid-tiff.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: hicolor-icon-theme BuildRequires: hicolor-icon-theme
@ -39,91 +51,66 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description %description
DjVu is a Web-centric format and software platform for distributing DjVu is a Web-centric format and software platform for distributing
documents and images. DjVuLibre is an open source (GPL) implementation documents and images. DjVuLibre is an implementation of DjVu,
of DjVu, including viewers, browser plug-ins, decoders, simple including viewers, browser plug-ins, decoders, encoders, and
encoders, and utilities. DjVu can advantageously replace PDF, PS, TIFF, utilities. DjVu can replace PDF, PS, TIFF, JPEG, and GIF for
JPEG, and GIF for distributing scanned documents, digital documents, or distributing scanned documents, digital documents, or high-resolution
high-resolution pictures. DjVu content downloads faster, displays and pictures. DjVu content is often smaller and consumes less client
renders faster, looks nicer on a screen, and consumes less client resources than competing formats.
resources than competing formats. DjVu images display instantly and can
be smoothly zoomed and panned with no lengthy rerendering. DjVu is used
by hundreds of academic, commercial, governmental, and noncommercial
Web sites around the world.
%package -n %{libname} %package -n %{libname}
Summary: Libraries of Open Source Implementation of DjVu - djvulibre Summary: DjVu rendering library
Group: Productivity/Graphics/Other Group: Productivity/Graphics/Other
%description -n %{libname} %description -n %{libname}
DjVu is a Web-centric format and software platform for distributing DjVuLibre is an implementation of DjVu, a Web-centric format and
documents and images. DjVuLibre is an open source (GPL) implementation software platform for distributing documents and images.
of DjVu, including viewers, browser plug-ins, decoders, simple
encoders, and utilities. DjVu can advantageously replace PDF, PS, TIFF,
JPEG, and GIF for distributing scanned documents, digital documents, or
high-resolution pictures. DjVu content downloads faster, displays and
renders faster, looks nicer on a screen, and consumes less client
resources than competing formats. DjVu images display instantly and can
be smoothly zoomed and panned with no lengthy rerendering. DjVu is used
by hundreds of academic, commercial, governmental, and noncommercial
Web sites around the world.
This package contains shared libraries This package contains the shared libraries.
%package -n libdjvulibre-devel %package -n libdjvulibre-devel
Summary: Libraries of Open Source Implementation of DjVu - djvulibre Summary: Headers for djvulibre libraries
Group: Development/Libraries/Other Group: Development/Libraries/Other
Requires: %{libname} = %{version} Requires: %{libname} = %{version}
%description -n libdjvulibre-devel %description -n libdjvulibre-devel
DjVu is a Web-centric format and software platform for distributing DjVuLibre is an implementation of DjVu, a Web-centric format and
documents and images. DjVuLibre is an open source (GPL) implementation software platform for distributing documents and images.
of DjVu, including viewers, browser plug-ins, decoders, simple
encoders, and utilities. DjVu can advantageously replace PDF, PS, TIFF,
JPEG, and GIF for distributing scanned documents, digital documents, or
high-resolution pictures. DjVu content downloads faster, displays and
renders faster, looks nicer on a screen, and consumes less client
resources than competing formats. DjVu images display instantly and can
be smoothly zoomed and panned with no lengthy rerendering. DjVu is used
by hundreds of academic, commercial, governmental, and noncommercial
Web sites around the world.
This package contains development files This package contains the development files.
%package doc %package doc
Summary: Documentation for the the DjVu - djvulibre Summary: Documentation for djvulibre
Group: Productivity/Graphics/Other Group: Productivity/Graphics/Other
BuildArch: noarch
%description doc %description doc
DjVu is a Web-centric format and software platform for distributing DjVuLibre is an implementation of DjVu, a Web-centric format and
documents and images. DjVuLibre is an open source (GPL) implementation software platform for distributing documents and images.
of DjVu, including viewers, browser plug-ins, decoders, simple
encoders, and utilities. DjVu can advantageously replace PDF, PS, TIFF,
JPEG, and GIF for distributing scanned documents, digital documents, or
high-resolution pictures. DjVu content downloads faster, displays and
renders faster, looks nicer on a screen, and consumes less client
resources than competing formats. DjVu images display instantly and can
be smoothly zoomed and panned with no lengthy rerendering. DjVu is used
by hundreds of academic, commercial, governmental, and noncommercial
Web sites around the world.
This package contains documentation This package contains the documentation.
%prep %prep
%setup -q %autosetup -p1
%patch0 -p1
%build %build
%configure %configure \
--disable-silent-rules
%if %{asan_build}
sed -i -e 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' \
-e 's/\(^CXXFLAGS.*\)/\1 -fsanitize=address/' \
-e 's/\(^LIBS =.*\)/\1 -lasan/' \
Makefile */Makefile
%endif
make %{?_smp_mflags} make %{?_smp_mflags}
%install %install
make DESTDIR=%{buildroot} install %{?_smp_mflags} %make_install
# do not ship these # do not ship these
rm %{buildroot}%{_libdir}/libdjvulibre.la rm %{buildroot}%{_libdir}/libdjvulibre.la
%fdupes %{buildroot} %fdupes %{buildroot}/%{_prefix}
%post %post
%mime_database_post %mime_database_post