From 741902d408a263661eac0c12bdba444b599638f0b7556453d7886286cdf3cedb Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Fri, 2 Jun 2023 07:32:10 +0000
Subject: [PATCH 1/4] - security update - added patches fix CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c + libjpeg-turbo-CVE-2023-2804.patch
OBS-URL: https://build.opensuse.org/package/show/graphics/libjpeg-turbo?expand=0&rev=142
---
 libjpeg-turbo-CVE-2023-2804.patch | 14 ++++++++++++++
 libjpeg-turbo.changes | 8 ++++++++
 libjpeg-turbo.spec | 3 +++
 libjpeg62-turbo.spec | 3 +++
 4 files changed, 28 insertions(+)
 create mode 100644 libjpeg-turbo-CVE-2023-2804.patch
diff --git a/libjpeg-turbo-CVE-2023-2804.patch b/libjpeg-turbo-CVE-2023-2804.patch
new file mode 100644
index 0000000..e779d40
--- /dev/null
+++ b/libjpeg-turbo-CVE-2023-2804.patch
@@ -0,0 +1,14 @@
+Index: libjpeg-turbo-2.1.5.1/jdmaster.c
+===================================================================
+--- libjpeg-turbo-2.1.5.1.orig/jdmaster.c
++++ libjpeg-turbo-2.1.5.1/jdmaster.c
+@@ -33,6 +33,9 @@ LOCAL(boolean)
+ use_merged_upsample(j_decompress_ptr cinfo)
+ {
+ #ifdef UPSAMPLE_MERGING_SUPPORTED
++ /* Colorspace conversion is not supported with lossless JPEG images */
++ if (cinfo->master->lossless)
++ return FALSE;
+ /* Merging is the equivalent of plain box-filter upsampling */
+ if (cinfo->do_fancy_upsampling || cinfo->CCIR601_sampling)
+ return FALSE;
diff --git a/libjpeg-turbo.changes b/libjpeg-turbo.changes
index 3f8ef4a..3da9eb9 100644
--- a/libjpeg-turbo.changes
+++ b/libjpeg-turbo.changes
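Review bot: The added guard reads `cinfo->master->lossless`, but the source this package patches is 2.1.5.1 (the Index line names libjpeg-turbo-2.1.5.1/jdmaster.c), and lossless decoding — with it a `lossless` member in the decompress master struct — appears to have arrived only in the 3.0 series, so this patch likely does not compile against 2.1.5.1 and the 2.1.x branch may not be affected by CVE-2023-2804 at all; the immediate revert in the next commit is consistent with that. Before re-adding it, confirm the field exists in the packaged tarball and record the upstream fix reference in the patch header above the Index line, so the backport can be audited against what upstream shipped. The nested hunk shows only the opening checks of use_merged_upsample; the rest of the function is outside the hunk.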
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Jun 2 07:31:13 UTC 2023 - pgajdos@suse.com + +- security update +- added patches + fix CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c + + libjpeg-turbo-CVE-2023-2804.patch + ------------------------------------------------------------------- Thu May 4 11:37:31 UTC 2023 - Dominique Leuenberger diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec index 798ed5f..76e9d27 100644 --- a/libjpeg-turbo.spec +++ b/libjpeg-turbo.spec @@ -37,6 +37,8 @@ Source1: https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}. Source2: libjpeg-turbo.keyring Source3: baselibs.conf Patch1: libjpeg-turbo-1.3.0-tiff-ojpeg.patch +# CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c +Patch2: libjpeg-turbo-CVE-2023-2804.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: nasm @@ -100,6 +102,7 @@ files using the libjpeg library. %prep %setup -q %patch1 +%patch2 -p1 %build MYLDFLAGS="-Wl,-z,relro,-z,now" diff --git a/libjpeg62-turbo.spec b/libjpeg62-turbo.spec index 0f8b937..389fb3b 100644 --- a/libjpeg62-turbo.spec +++ b/libjpeg62-turbo.spec @@ -32,6 +32,8 @@ Source1: https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}. Source2: libjpeg-turbo.keyring Source3: baselibs.conf Patch1: libjpeg-turbo-1.3.0-tiff-ojpeg.patch +# CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c +Patch2: libjpeg-turbo-CVE-2023-2804.patch BuildRequires: cmake BuildRequires: gcc-c++ # needed for tests as we remove the lib here @@ -73,6 +75,7 @@ files using the libjpeg library. %prep %setup -q -n libjpeg-turbo-%{srcver} %patch1 +%patch2 -p1 %build export LDFLAGS="-Wl,-z,relro,-z,now" From f8e48b34a7149be1b785acf258f2ea6f5e869ce8b91cdb07191025a04881a8fa Mon Sep 17 00:00:00 2001 
From: Petr Gajdos Date: Fri, 2 Jun 2023 08:12:26 +0000 Subject: [PATCH 2/4] revert last change OBS-URL: https://build.opensuse.org/package/show/graphics/libjpeg-turbo?expand=0&rev=143 --- libjpeg-turbo-CVE-2023-2804.patch | 14 -------------- libjpeg-turbo.changes | 8 -------- libjpeg-turbo.spec | 3 --- libjpeg62-turbo.spec | 3 --- 4 files changed, 28 deletions(-) delete mode 100644 libjpeg-turbo-CVE-2023-2804.patch diff --git a/libjpeg-turbo-CVE-2023-2804.patch b/libjpeg-turbo-CVE-2023-2804.patch deleted file mode 100644 index e779d40..0000000 --- a/libjpeg-turbo-CVE-2023-2804.patch +++ /dev/null @@ -1,14 +0,0 @@ -Index: libjpeg-turbo-2.1.5.1/jdmaster.c -=================================================================== ---- libjpeg-turbo-2.1.5.1.orig/jdmaster.c -+++ libjpeg-turbo-2.1.5.1/jdmaster.c -@@ -33,6 +33,9 @@ LOCAL(boolean) - use_merged_upsample(j_decompress_ptr cinfo) - { - #ifdef UPSAMPLE_MERGING_SUPPORTED -+ /* Colorspace conversion is not supported with lossless JPEG images */ -+ if (cinfo->master->lossless) -+ return FALSE; - /* Merging is the equivalent of plain box-filter upsampling */ - if (cinfo->do_fancy_upsampling || cinfo->CCIR601_sampling) - return FALSE; diff --git a/libjpeg-turbo.changes b/libjpeg-turbo.changes index 3da9eb9..3f8ef4a 100644 --- a/libjpeg-turbo.changes +++ b/libjpeg-turbo.changes @@ -1,11 +1,3 @@ -------------------------------------------------------------------- -Fri Jun 2 07:31:13 UTC 2023 - pgajdos@suse.com - -- security update -- added patches - fix CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c - + libjpeg-turbo-CVE-2023-2804.patch - ------------------------------------------------------------------- Thu May 4 11:37:31 UTC 2023 - Dominique Leuenberger diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec index 76e9d27..798ed5f 100644 --- a/libjpeg-turbo.spec +++ b/libjpeg-turbo.spec 
@@ -37,8 +37,6 @@ Source1: https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}. Source2: libjpeg-turbo.keyring Source3: baselibs.conf Patch1: libjpeg-turbo-1.3.0-tiff-ojpeg.patch -# CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c -Patch2: libjpeg-turbo-CVE-2023-2804.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: nasm @@ -102,7 +100,6 @@ files using the libjpeg library. %prep %setup -q %patch1 -%patch2 -p1 %build MYLDFLAGS="-Wl,-z,relro,-z,now" diff --git a/libjpeg62-turbo.spec b/libjpeg62-turbo.spec index 389fb3b..0f8b937 100644 --- a/libjpeg62-turbo.spec +++ b/libjpeg62-turbo.spec @@ -32,8 +32,6 @@ Source1: https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}. Source2: libjpeg-turbo.keyring Source3: baselibs.conf Patch1: libjpeg-turbo-1.3.0-tiff-ojpeg.patch -# CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c -Patch2: libjpeg-turbo-CVE-2023-2804.patch BuildRequires: cmake BuildRequires: gcc-c++ # needed for tests as we remove the lib here @@ -75,7 +73,6 @@ files using the libjpeg library. %prep %setup -q -n libjpeg-turbo-%{srcver} %patch1 -%patch2 -p1 %build export LDFLAGS="-Wl,-z,relro,-z,now" From 96d33f7940da2395b0b08961690d731834b423fd872d6805afa05bc42cd305a4 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Fri, 23 Jun 2023 17:40:39 +0000 Subject: [PATCH 3/4] - merge two spec files into one OBS-URL: https://build.opensuse.org/package/show/graphics/libjpeg-turbo?expand=0&rev=144 --- libjpeg-turbo-1.3.0-tiff-ojpeg.patch | 4 +- libjpeg-turbo.changes | 5 ++ libjpeg-turbo.spec | 62 +++++++++++--- libjpeg62-turbo.spec | 118 --------------------------- 4 files changed, 59 insertions(+), 130 deletions(-) delete mode 100644 libjpeg62-turbo.spec diff --git a/libjpeg-turbo-1.3.0-tiff-ojpeg.patch b/libjpeg-turbo-1.3.0-tiff-ojpeg.patch index 5a3f129..12db22a 100644 
--- a/libjpeg-turbo-1.3.0-tiff-ojpeg.patch +++ b/libjpeg-turbo-1.3.0-tiff-ojpeg.patch @@ -1,5 +1,5 @@ ---- jdhuff.c -+++ jdhuff.c +--- a/jdhuff.c ++++ b/jdhuff.c @@ -649,3 +649,35 @@ entropy->dc_derived_tbls[i] = entropy->ac_derived_tbls[i] = NULL; } diff --git a/libjpeg-turbo.changes b/libjpeg-turbo.changes index 3f8ef4a..09db39e 100644 --- a/libjpeg-turbo.changes +++ b/libjpeg-turbo.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jun 23 17:39:37 UTC 2023 - pgajdos@suse.com + +- merge two spec files into one + ------------------------------------------------------------------- Thu May 4 11:37:31 UTC 2023 - Dominique Leuenberger diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec index 798ed5f..92fc7d8 100644 --- a/libjpeg-turbo.spec +++ b/libjpeg-turbo.spec @@ -1,5 +1,5 @@ # -# spec file for package libjpeg-turbo +# spec file # # Copyright (c) 2023 SUSE LLC # @@ -16,18 +16,31 @@ # +%global flavor @BUILD_FLAVOR@%{nil} +%if "%{flavor}" == "" +%global flavor libjpeg-turbo +%endif + %define asan_build 0 %define debug_build 0 +%define srcver 2.1.5.1 +%if "%{flavor}" == "libjpeg-turbo" %define major 8 %define minor 2 %define micro 2 -%define libver %{major}.%{minor}.%{micro} %define tmajor 0 %define tminor 2 %define tmicro 0 %define tlibver %{tmajor}.%{tminor}.%{tmicro} -Name: libjpeg-turbo -Version: 2.1.5.1 +%endif +%if "%{flavor}" == "libjpeg62-turbo" +%define major 62 +%define minor 3 +%define micro 0 +%endif +%define libver %{major}.%{minor}.%{micro} +Name: %{flavor} +Version: %{srcver} Release: 0 Summary: A SIMD-accelerated library for manipulating JPEG image files License: BSD-3-Clause @@ -41,6 +54,7 @@ BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: nasm BuildRequires: pkgconfig +%if "%{flavor}" == "libjpeg-turbo" Conflicts: jpeg%{major} Obsoletes: jpeg = 6b Obsoletes: jpeg = 8.0.1 
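Review bot: The header comment drops the package name, going from `# spec file for package libjpeg-turbo` to `# spec file`, which removes the one line that identifies the file when it is read outside the package directory. Since the name now comes from `%{flavor}`, `# spec file for package libjpeg-turbo (flavors: libjpeg-turbo, libjpeg62-turbo)` keeps the usual openSUSE header form and documents the multibuild arrangement in the same place.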
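Review bot: Neither `%if "%{flavor}" == ...` block in the define hunk has an `%else`, so a flavor value other than the two named ones leaves `major`, `minor` and `micro` undefined while `Name: %{flavor}` still parses, and `%{libver}` then expands to literal macro text instead of stopping the build; add `%if "%{flavor}" != "libjpeg-turbo" && "%{flavor}" != "libjpeg62-turbo"` / `%{error:unknown flavor %{flavor}}` / `%endif` after the two blocks. The flavor is substituted by OBS from a `_multibuild` file, and no such file appears in this commit's diffstat, so unless it already exists in the package the libjpeg62-turbo flavor will never be built. A comment on the `%global flavor @BUILD_FLAVOR@%{nil}` line naming that dependency, `# flavors are listed in _multibuild`, would make the arrangement visible to the next maintainer.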
@@ -49,18 +63,25 @@ Provides: jpeg = %{version} Obsoletes: jpeg < %{version} Provides: jpegtran = %{version} %{?suse_build_hwcaps_libs} +%endif +%if "%{flavor}" == "libjpeg62-turbo" +# needed for tests as we remove the lib here +BuildRequires: libturbojpeg0 >= 8.2.2 +Conflicts: jpeg%{major} +%endif %description The libjpeg-turbo package contains a library of functions for manipulating JPEG images. It supports architecture-specific SIMD instructions, such as SSE/SSE2/AVX2, AltiVec, NEON, MIPS DSPR2, and Loongson MMI. - +%if "%{flavor}" == "libjpeg-turbo" It also includes the following command line utilities: djpeg - decompress a JPEG file to an image file jpegtran - lossless transformation of JPEG files rdjpgcom - display text comments from a JPEG file wrjpgcom - insert text comments into a JPEG file tjbench - a JPEG decompression/compression benchmark +%endif %package -n libjpeg%{major} Version: %{libver} @@ -72,6 +93,7 @@ A library for manipulating JPEG images. It supports architecture-specific SIMD instructions, such as SSE/SSE2/AVX2, AltiVec, NEON, MIPS DSPR2, and Loongson MMI. +%if "%{flavor}" == "libjpeg-turbo" %package -n libturbojpeg%{tmajor} Version: %{version} Release: 0 @@ -81,6 +103,7 @@ Summary: A SIMD-accelerated JPEG compression/decompression library A library for manipulating JPEG images. It supports architecture-specific SIMD instructions, such as SSE/SSE2/AVX2, AltiVec, NEON, MIPS DSPR2, and Loongson MMI. +%endif %package -n libjpeg%{major}-devel Version: %{libver} @@ -98,8 +121,7 @@ necessary for compiling and linking programs which will manipulate JPEG files using the libjpeg library. %prep -%setup -q -%patch1 +%autosetup -p1 -n libjpeg-turbo-%{srcver} %build MYLDFLAGS="-Wl,-z,relro,-z,now" 
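Review bot: `BuildRequires: libturbojpeg0 >= 8.2.2`, added for the libjpeg62-turbo flavor, pins a number that looks like the libjpeg8 `libver` (8.2.2) rather than the turbojpeg library's own version, while the `%package -n libturbojpeg%{tmajor}` stanza in the next hunk declares `Version: %{version}`, i.e. 2.1.5.1; if the published libturbojpeg0 really carries 2.1.5.1, this requirement cannot resolve and the flavor cannot build. Confirm which version libturbojpeg0 ships with and pin to that, or drop the bound, since the line exists only to satisfy the test suite. The comment `# needed for tests as we remove the lib here` is also terse; `# the test suite links libturbojpeg, which this flavor removes after install` says what is removed and when.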
@@ -112,6 +134,9 @@ MYCFLAGS="$MYCFLAGS -fsanitize=address" MYCFLAGS="$MYCFLAGS -O0 -g" %endif %cmake \ +%if "%{flavor}" == "libjpeg-turbo" + -DWITH_JPEG8=ON \ +%endif %if %{debug_build} || %{asan_build} -DCMAKE_BUILD_TYPE=DEBUG \ -DCMAKE_C_FLAGS_DEBUG="$MYCFLAGS" \ @@ -121,7 +146,6 @@ MYCFLAGS="$MYCFLAGS -O0 -g" %endif -DCMAKE_SHARED_LINKER_FLAGS="$MYLDFLAGS" \ -DENABLE_STATIC=OFF \ - -DWITH_JPEG8=ON \ %ifarch s390x riscv64 -DFLOATTEST=fp-contract \ %endif 
@@ -148,36 +172,54 @@ export LD_LIBRARY_PATH=%{buildroot}%{_libdir}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PA %endif # Remove docs, we'll select docs manually rm -rf %{buildroot}%{_datadir}/doc/ +%if "%{flavor}" == "libjpeg62-turbo" +# Remove unwanted files +rm %{buildroot}%{_bindir}/* +rm %{buildroot}%{_mandir}/man1/* +# libjpegturbo is provided with libjpeg-turbo.spec yet +rm %{buildroot}%{_includedir}/turbojpeg.h +rm %{buildroot}%{_libdir}/libturbojpeg.so* +rm %{buildroot}%{_libdir}/pkgconfig/libturbojpeg.pc +rm -r %{buildroot}%{_libdir}/cmake +%endif %post -n libjpeg%{major} -p /sbin/ldconfig %postun -n libjpeg%{major} -p /sbin/ldconfig +%if "%{flavor}" == "libjpeg-turbo" %post -n libturbojpeg%{tmajor} -p /sbin/ldconfig %postun -n libturbojpeg%{tmajor} -p /sbin/ldconfig +%endif +%if "%{flavor}" == "libjpeg-turbo" %files %doc README.md change.log ChangeLog.md %doc usage.txt wizard.txt %{_bindir}/* %{_mandir}/man1/* +%endif %files -n libjpeg%{major} %license LICENSE.md %{_libdir}/libjpeg.so.%{libver} %{_libdir}/libjpeg.so.%{major} +%if "%{flavor}" == "libjpeg-turbo" %files -n libturbojpeg%{tmajor} %license LICENSE.md %{_libdir}/libturbojpeg.so.%{tmajor} %{_libdir}/libturbojpeg.so.%{tlibver} +%endif %files -n libjpeg%{major}-devel %{_includedir}/*.h %{_libdir}/libjpeg.so -%{_libdir}/libturbojpeg.so %{_libdir}/pkgconfig/libjpeg.pc +%doc coderules.txt jconfig.txt libjpeg.txt structure.txt tjexample.c +%if "%{flavor}" == "libjpeg-turbo" +%{_libdir}/libturbojpeg.so %{_libdir}/pkgconfig/libturbojpeg.pc %dir %{_libdir}/cmake/libjpeg-turbo %{_libdir}/cmake/libjpeg-turbo/* -%doc coderules.txt jconfig.txt libjpeg.txt structure.txt tjexample.c +%endif %changelog diff --git a/libjpeg62-turbo.spec b/libjpeg62-turbo.spec deleted file mode 100644 index 0f8b937..0000000 --- a/libjpeg62-turbo.spec +++ /dev/null 
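Review bot: The comment `# libjpegturbo is provided with libjpeg-turbo.spec yet` now refers to a spec file this commit deletes, and both flavors live in the same file; reword it to `# libturbojpeg is shipped by the libjpeg-turbo flavor of this spec`. Otherwise the flavor-specific removals and `%files` guards look consistent: the turbojpeg header, shared objects, pkgconfig and cmake files are removed for libjpeg62-turbo and listed only under the libjpeg-turbo `%if`. The bare `rm` calls without `-f` will abort the build if cmake stops installing one of those files, which is probably the intended signal for an install-layout change, but worth stating in the comment if so.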
@@ -1,118 +0,0 @@ -# -# spec file for package libjpeg62-turbo -# -# Copyright (c) 2023 SUSE LLC -# -# All modifications and additions to the file contributed by third parties -# remain the property of their copyright owners, unless otherwise agreed -# upon. The license for this file, and modifications and additions to the -# file, is the same license as for the pristine package itself (unless the -# license for the pristine package is not an Open Source License, in which -# case the license is the MIT License). An "Open Source License" is a -# license that conforms to the Open Source Definition (Version 1.9) -# published by the Open Source Initiative. - -# Please submit bugfixes or comments via https://bugs.opensuse.org/ -# - - -%define major 62 -%define minor 3 -%define micro 0 -%define libver %{major}.%{minor}.%{micro} -%define srcver 2.1.5.1 -Name: libjpeg62-turbo -Version: %{srcver} -Release: 0 -Summary: A SIMD-accelerated library for manipulating JPEG image files -License: BSD-3-Clause -URL: https://sourceforge.net/projects/libjpeg-turbo -Source0: https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.tar.gz -Source1: https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.tar.gz.sig -Source2: libjpeg-turbo.keyring -Source3: baselibs.conf -Patch1: libjpeg-turbo-1.3.0-tiff-ojpeg.patch -BuildRequires: cmake -BuildRequires: gcc-c++ -# needed for tests as we remove the lib here -BuildRequires: libturbojpeg0 >= 8.2.2 -BuildRequires: nasm -BuildRequires: pkgconfig -Conflicts: jpeg%{major} - -%description -The libjpeg-turbo package contains a library of functions for manipulating -JPEG images. It supports architecture-specific SIMD instructions, -such as SSE/SSE2/AVX2, AltiVec, NEON, MIPS DSPR2, and Loongson MMI. - -%package -n libjpeg%{major} -Version: %{libver} -Release: 0 -Summary: A SIMD-accelerated JPEG compression/decompression library -Obsoletes: libjpeg = 6.2.0 - -%description -n libjpeg%{major} -A library for manipulating JPEG images. 
It supports -architecture-specific SIMD instructions, such as SSE/SSE2/AVX2, -AltiVec, NEON, MIPS DSPR2, and Loongson MMI. - -%package -n libjpeg%{major}-devel -Version: %{libver} -Release: 0 -Summary: Development Tools for applications which will use the Libjpeg Library -Requires: libjpeg%{major} = %{version} -Conflicts: libjpeg-devel -Provides: libjpeg-devel = %{version} -Obsoletes: libjpeg-devel < %{version} - -%description -n libjpeg%{major}-devel -The libjpeg-devel package includes the header files and libraries -necessary for compiling and linking programs which will manipulate JPEG -files using the libjpeg library. - -%prep -%setup -q -n libjpeg-turbo-%{srcver} -%patch1 - -%build -export LDFLAGS="-Wl,-z,relro,-z,now" -%cmake \ - -DENABLE_STATIC=OFF \ -%ifarch s390x riscv64 - -DFLOATTEST=fp-contract \ -%endif - %{nil} -%make_build - -%check -export LD_LIBRARY_PATH=%{buildroot}%{_libdir}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} -%ctest - -%install -%cmake_install -# Remove unwanted files -rm %{buildroot}%{_bindir}/* -rm %{buildroot}%{_mandir}/man1/* -# libjpegturbo is provided with libjpeg-turbo.spec yet -rm %{buildroot}%{_includedir}/turbojpeg.h -rm %{buildroot}%{_libdir}/libturbojpeg.so* -rm %{buildroot}%{_libdir}/pkgconfig/libturbojpeg.pc -rm -r %{buildroot}%{_libdir}/cmake -# Remove docs, we'll select docs manually -rm -rf %{buildroot}%{_datadir}/doc/ - -%post -n libjpeg%{major} -p /sbin/ldconfig -%postun -n libjpeg%{major} -p /sbin/ldconfig - -%files -n libjpeg%{major} -%license LICENSE.md -%{_libdir}/libjpeg.so.%{major} -%{_libdir}/libjpeg.so.%{libver} - -%files -n libjpeg%{major}-devel -%{_includedir}/*.h -%{_libdir}/libjpeg.so -%{_libdir}/pkgconfig/libjpeg.pc -%doc coderules.txt jconfig.txt libjpeg.txt structure.txt tjexample.c - -%changelog From f1496fc12ea26acb9624509e4a1118699aa5ecee8a2811251dc31d4a07e992a3 Mon Sep 17 00:00:00 2001 
From: Petr Gajdos
Date: Tue, 27 Jun 2023 13:20:09 +0000
Subject: [PATCH 4/4]
OBS-URL: https://build.opensuse.org/package/show/graphics/libjpeg-turbo?expand=0&rev=145
---
 libjpeg-turbo.spec | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index 92fc7d8..b669b80 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@@ -110,7 +110,9 @@ Version: %{libver}
 Release: 0
 Summary: Development Tools for applications which will use the Libjpeg Library
 Requires: libjpeg%{major} = %{version}
+%if "%{flavor}" == "libjpeg-turbo"
 Requires: libturbojpeg%{tmajor} = %{version}
+%endif
 Conflicts: libjpeg-devel
 Provides: libjpeg-devel = %{version}
 Obsoletes: libjpeg-devel < %{version}
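Review bot: The `%if` guard is right — `tmajor` is defined only for the libjpeg-turbo flavor — but nothing records why: the commit subject is empty and no libjpeg-turbo.changes entry accompanies the change, so the next reader of the spec meets an unexplained conditional around a single `Requires:`. Add a comment above it, `# libturbojpeg is built only in the libjpeg-turbo flavor; tmajor is undefined otherwise`, and a .changes line describing the fix, so the reason survives the next spec reorganisation.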