- security update

- added patches fix CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c + libjpeg-turbo-CVE-2023-2804.patch OBS-URL: https://build.opensuse.org/package/show/graphics/libjpeg-turbo?expand=0&rev=142
2023-06-02 07:32:10 +00:00 · 2023-06-02 07:32:10 +00:00 · 741902d408
commit 741902d408
parent 0cb486f602
4 changed files with 28 additions and 0 deletions
--- a/libjpeg-turbo-CVE-2023-2804.patch
+++ b/libjpeg-turbo-CVE-2023-2804.patch
@ -0,0 +1,14 @@
+Index: libjpeg-turbo-2.1.5.1/jdmaster.c
+===================================================================
+--- libjpeg-turbo-2.1.5.1.orig/jdmaster.c
+++ libjpeg-turbo-2.1.5.1/jdmaster.c
+@@ -33,6 +33,9 @@ LOCAL(boolean)
+ use_merged_upsample(j_decompress_ptr cinfo)
+ {
+ #ifdef UPSAMPLE_MERGING_SUPPORTED
+  /* Colorspace conversion is not supported with lossless JPEG images */
+  if (cinfo->master->lossless)
+    return FALSE;
+   /* Merging is the equivalent of plain box-filter upsampling */
+   if (cinfo->do_fancy_upsampling || cinfo->CCIR601_sampling)
+     return FALSE;
--- a/libjpeg-turbo.changes
+++ b/libjpeg-turbo.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jun  2 07:31:13 UTC 2023 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c
+  + libjpeg-turbo-CVE-2023-2804.patch
+
 -------------------------------------------------------------------
 Thu May  4 11:37:31 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@ -37,6 +37,8 @@ Source1:        https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.
 Source2:        libjpeg-turbo.keyring
 Source3:        baselibs.conf
 Patch1:         libjpeg-turbo-1.3.0-tiff-ojpeg.patch
+# CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c
+Patch2:         libjpeg-turbo-CVE-2023-2804.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 BuildRequires:  nasm
@ -100,6 +102,7 @@ files using the libjpeg library.
 %prep
 %setup -q
 %patch1
+%patch2 -p1

 %build
 MYLDFLAGS="-Wl,-z,relro,-z,now"
--- a/libjpeg62-turbo.spec
+++ b/libjpeg62-turbo.spec
@ -32,6 +32,8 @@ Source1:        https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.
 Source2:        libjpeg-turbo.keyring
 Source3:        baselibs.conf
 Patch1:         libjpeg-turbo-1.3.0-tiff-ojpeg.patch
+# CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c
+Patch2:         libjpeg-turbo-CVE-2023-2804.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 # needed for tests as we remove the lib here
@ -73,6 +75,7 @@ files using the libjpeg library.
 %prep
 %setup -q -n libjpeg-turbo-%{srcver}
 %patch1
+%patch2 -p1

 %build
 export LDFLAGS="-Wl,-z,relro,-z,now"