Accepting request 1136025 from home:dirkmueller:Factory

- update to 3.0.1 (bsc#1211542, CVE-2023-2804): * The x86-64 SIMD functions now use a standard stack frame, prologue, and epilogue so that debuggers and profilers can reliably capture backtraces from within the functions. * Fixed two minor issues in the interblock smoothing algorithm that caused mathematical (but not necessarily perceptible) edge block errors when decompressing progressive JPEG images exactly two MCU blocks in width or that use vertical chrominance subsampling. * The TurboJPEG API now supports 4:4:1 (transposed 4:1:1) chrominance subsampling, which allows losslessly transposed or rotated 4:1:1 JPEG images to be losslessly cropped, partially decompressed, or decompressed to planar YUV images. * Fixed various segfaults and buffer overruns (CVE-2023-2804) * that occurred when attempting to decompress various specially-crafted malformed 12-bit-per-component and 16-bit-per-component lossless JPEG images using color quantization or merged chroma upsampling/color conversion. The underlying cause of these issues was that the color quantization and merged chroma upsampling/color conversion algorithms were not designed with lossless decompression in mind. Since libjpeg-turbo explicitly does not support color conversion when compressing or decompressing lossless JPEG images, merged chroma upsampling/color conversion never should have been enabled for such images. Color quantization is a legacy feature that serves little or no purpose with lossless JPEG images, so it is also now disabled when decompressing such images. (As a result, djpeg can no longer decompress a lossless JPEG image into a GIF image.) * Fixed an oversight in 1.4 beta1[8] that caused various OBS-URL: https://build.opensuse.org/request/show/1136025 OBS-URL: https://build.opensuse.org/package/show/graphics/libjpeg-turbo?expand=0&rev=149
2024-01-02 11:29:38 +00:00 · 2024-01-02 11:29:38 +00:00 · 3b2538be6e
commit 3b2538be6e
parent fe426f1c9c
6 changed files with 184 additions and 82 deletions
--- a/libjpeg-turbo-2.1.5.1.tar.gz
+++ b/libjpeg-turbo-2.1.5.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2fdc3feb6e9deb17adec9bafa3321419aa19f8f4e5dea7bf8486844ca22207bf
-size 2264936
--- a/libjpeg-turbo-2.1.5.1.tar.gz.sig
+++ b/libjpeg-turbo-2.1.5.1.tar.gz.sig
--- a/libjpeg-turbo-3.0.1.tar.gz
+++ b/libjpeg-turbo-3.0.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:22429507714ae147b3acacd299e82099fce5d9f456882fc28e252e4579ba2a75
+size 2800900
--- a/libjpeg-turbo-3.0.1.tar.gz.sig
+++ b/libjpeg-turbo-3.0.1.tar.gz.sig
--- a/libjpeg-turbo.changes
+++ b/libjpeg-turbo.changes
@ -1,3 +1,78 @@
+-------------------------------------------------------------------
+Mon Jan  1 20:58:26 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.0.1 (bsc#1211542, CVE-2023-2804):
+  * The x86-64 SIMD functions now use a standard stack frame,
+    prologue, and epilogue so that debuggers and profilers can
+    reliably capture backtraces from within the functions.
+  * Fixed two minor issues in the interblock smoothing algorithm
+    that caused mathematical (but not necessarily perceptible)
+    edge block errors when decompressing progressive JPEG images
+    exactly two MCU blocks in width or that use vertical
+    chrominance subsampling.
+  * The TurboJPEG API now supports 4:4:1 (transposed 4:1:1)
+    chrominance subsampling, which allows losslessly transposed or
+    rotated 4:1:1 JPEG images to be losslessly cropped, partially
+    decompressed, or decompressed to planar YUV images.
+  * Fixed various segfaults and buffer overruns (CVE-2023-2804)
+  * that occurred when attempting to decompress various
+    specially-crafted malformed 12-bit-per-component and
+    16-bit-per-component lossless JPEG images using color
+    quantization or merged chroma upsampling/color conversion.  The
+    underlying cause of these issues was that the color
+    quantization and merged chroma upsampling/color conversion
+    algorithms were not designed with lossless decompression
+    in mind.  Since libjpeg-turbo explicitly does not support color
+    conversion when compressing or decompressing lossless JPEG
+    images, merged chroma upsampling/color conversion never should
+    have been enabled for such images.  Color quantization is a
+    legacy feature that serves little or no purpose with lossless
+    JPEG images, so it is also now disabled when decompressing such
+    images.  (As a result, djpeg can no longer decompress a
+    lossless JPEG image into a GIF image.)
+  * Fixed an oversight in 1.4 beta1[8] that caused various
+    segfaults and buffer overruns when attempting to decompress
+    various specially-crafted malformed 12-bit-per-component JPEG
+    images using djpeg with both color quantization and RGB565
+    color conversion enabled.
+  * Fixed an issue whereby `jpeg_crop_scanline()` sometimes
+    miscalculated the downsampled width for components with 4x2 or
+    2x4 subsampling factors if decompression scaling was enabled.
+    This caused the components to be upsampled incompletely, which
+    caused the color converter to read from uninitialized memory.
+    With 12-bit data precision, this caused a buffer overrun or
+    underrun and subsequent segfault if the sample value read from
+    uninitialized memory was outside of the valid sample range.
+  * Fixed a long-standing issue whereby the `tj3Transform()`
+    function, when used with the `TJXOP_TRANSPOSE`,
+    `TJXOP_TRANSVERSE`, `TJXOP_ROT90`, or `TJXOP_ROT270` transform
+    operation and without automatic JPEG destination buffer
+    (re)allocation or lossless cropping, computed the worst-case
+    transformed JPEG image size based on the source image
+    dimensions rather than the transformed image dimensions.  If a
+    calling program allocated the JPEG destination buffer based on
+    the transformed image dimensions, as the API documentation
+    instructs, and attempted to transform a specially-crafted
+    4:2:2, 4:4:0, 4:1:1, or 4:4:1 JPEG source image containing a
+    large amount of metadata, the issue caused `tj3Transform()` to
+    overflow the JPEG destination buffer rather than fail
+    gracefully.  The issue could be worked around by setting
+    `TJXOPT_COPYNONE`.  Note that, irrespective of this issue,
+    `tj3Transform()` cannot reliably transform JPEG source images
+    that contain a large amount of metadata unless automatic JPEG
+    destination buffer (re)allocation is used or `TJXOPT_COPYNONE`
+    is set.
+  * Significantly sped up the computation of optimal Huffman
+    tables. This speeds up the compression of tiny images by as
+    much as 2x and provides a noticeable speedup for images as
+    large as 256x256 when using optimal Huffman tables.
+  * All deprecated fields, constructors, and methods in the
+    TurboJPEG Java API have been removed.
+  * Arithmetic entropy coding is now supported with
+    12-bit-per-component JPEG images.
+  * Overhauled the TurboJPEG API to address long-standing
+    limitations and to make the API more extensible and intuitive.
+
 -------------------------------------------------------------------
 Fri Jun 23 17:39:37 UTC 2023 - pgajdos@suse.com

@ -55,6 +130,31 @@ Sat Dec 24 12:04:53 UTC 2022 - Dirk Stoecker <opensuse@dstoecker.de>

 - Add explicit provides for jpegtran, so it can be installed easier

+-------------------------------------------------------------------
+Wed Aug 17 19:01:13 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.1.4:
+  * The `tjDecompressHeader3()` function in the TurboJPEG C API and the
+    `TJDecompressor.setSourceImage()` method in the TurboJPEG Java API now accept
+    "abbreviated table specification" (AKA "tables-only") datastreams, which can be
+    used to prime the decompressor with quantization and Huffman tables that can be
+    used when decompressing subsequent "abbreviated image" datastreams.
+  * libjpeg-turbo now performs run-time detection of AltiVec instructions on
+    OS X/PowerPC systems if AltiVec instructions are not enabled at compile time.
+    This allows both AltiVec-equipped (PowerPC G4 and G5) and non-AltiVec-equipped
+    (PowerPC G3) CPUs to be supported using the same build of libjpeg-turbo.
+  * Fixed an error ("Bogus virtual array access") that occurred when attempting
+    to decompress a progressive JPEG image with a height less than or equal to one
+    iMCU (8 * the vertical sampling factor) using buffered-image mode with
+    interblock smoothing enabled.
+  * Fixed two issues that prevented partial image decompression from working
+    properly with buffered-image mode:
+       - Attempting to call `jpeg_crop_scanline()` after
+  `jpeg_start_decompress()` but before `jpeg_start_output()` resulted in an error
+  ("Improper call to JPEG library in state 207".)
+       - Attempting to use `jpeg_skip_scanlines()` resulted in an error ("Bogus
+  virtual array access") under certain circumstances.
+
 -------------------------------------------------------------------
 Mon Aug 15 18:07:30 UTC 2022 - Tom Mbrt <tom.mbrt@googlemail.com>

--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@ -1,7 +1,7 @@
 #
 # spec file
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -23,19 +23,19 @@

 %define asan_build 0
 %define debug_build 0
-%define srcver 2.1.5.1
+%define srcver 3.0.1
 %if "%{flavor}" == "libjpeg-turbo"
 %define major    8
-%define minor    2
+%define minor    3
 %define micro    2
 %define tmajor   0
-%define tminor   2
+%define tminor   3
 %define tmicro   0
 %define tlibver  %{tmajor}.%{tminor}.%{tmicro}
 %endif
 %if "%{flavor}" == "libjpeg62-turbo"
 %define major   62
-%define minor   3
+%define minor   4
 %define micro   0
 %endif
 %define libver   %{major}.%{minor}.%{micro}
@ -44,9 +44,9 @@ Version:        %{srcver}
 Release:        0
 Summary:        A SIMD-accelerated library for manipulating JPEG image files
 License:        BSD-3-Clause
-URL:            https://sourceforge.net/projects/libjpeg-turbo
-Source0:        https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.tar.gz
-Source1:        https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.tar.gz.sig
+URL:            https://libjpeg-turbo.org/
+Source0:        https://github.com/libjpeg-turbo/libjpeg-turbo/releases/download/%{version}/libjpeg-turbo-%{version}.tar.gz
+Source1:        https://github.com/libjpeg-turbo/libjpeg-turbo/releases/download/%{version}/libjpeg-turbo-%{version}.tar.gz.sig
 Source2:        libjpeg-turbo.keyring
 Source3:        baselibs.conf
 Patch1:         libjpeg-turbo-1.3.0-tiff-ojpeg.patch
@ -145,6 +145,8 @@ MYCFLAGS="$MYCFLAGS -O0 -g"
 %endif
 %ifarch armv6l armv6hl
    -DWITH_SIMD=FALSE \
+%else
+    -DREQUIRE_SIMD=TRUE \
 %endif
    -DCMAKE_SHARED_LINKER_FLAGS="$MYLDFLAGS" \
    -DENABLE_STATIC=OFF \