Accepting request 684675 from graphics

- updated to version 2.0.2:
  1. Fixed a regression introduced by 2.0.1[5] that prevented a runtime search
  path (rpath) from being embedded in the libjpeg-turbo shared libraries and
  executables for macOS and iOS.  This caused a fatal error of the form
  "dyld: Library not loaded" when attempting to use one of the executables,
  unless `DYLD_LIBRARY_PATH` was explicitly set to the location of the
  libjpeg-turbo shared libraries.
  2. Fixed an integer overflow and subsequent segfault (CVE-2018-20330) that
  occurred when attempting to load a BMP file with more than 1 billion pixels
  using the `tjLoadImage()` function.
  3. Fixed a buffer overrun (CVE-2018-19664) that occurred when attempting to
  decompress a specially-crafted malformed JPEG image to a 256-color BMP using
  djpeg.
  4. Fixed a floating point exception that occurred when attempting to
  decompress a specially-crafted malformed JPEG image with a specified image
  width or height of 0 using the C version of TJBench.
  5. The TurboJPEG API will now decompress 4:4:4 JPEG images with 2x1, 1x2, 3x1,
  or 1x3 luminance and chrominance sampling factors.  This is a non-standard way
  of specifying 1x subsampling (normally 4:4:4 JPEGs have 1x1 luminance and
  chrominance sampling factors), but the JPEG format and the libjpeg API both
  allow it.
  6. Fixed a regression introduced by 2.0 beta1[7] that caused djpeg to generate
  incorrect PPM images when used with the `-colors` option.
  7. Fixed an issue whereby a static build of libjpeg-turbo (a build in which
  `ENABLE_SHARED` is `0`) could not be installed using the Visual Studio IDE.
  8. Fixed a severe performance issue in the Loongson MMI SIMD extensions that
  occurred when compressing RGB images whose image rows were not 64-bit-aligned.
- modified patches
  % ctest-depends.patch (refreshed)
- deleted patches

OBS-URL: https://build.opensuse.org/request/show/684675
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libjpeg-turbo?expand=0&rev=47

ctest-depends.patch

@@ -1,13 +1,9 @@
-Index: libjpeg-turbo-2.0.0/CMakeLists.txt
+Index: libjpeg-turbo-2.0.2/CMakeLists.txt
 ===================================================================
---- libjpeg-turbo-2.0.0.orig/CMakeLists.txt
-+++ libjpeg-turbo-2.0.0/CMakeLists.txt
-@@ -997,9 +997,12 @@ foreach(libtype ${TEST_LIBTYPES})
- 
-   add_test(djpeg-${libtype}-rgb-islow-icc-cmp
-     ${MD5CMP} b06a39d730129122e85c1363ed1bbc9e testout_rgb_islow.icc)
-+  set_tests_properties(djpeg-${libtype}-rgb-islow-icc-cmp PROPERTIES
-+    DEPENDS djpeg-${libtype}-rgb-islow)
+--- libjpeg-turbo-2.0.2.orig/CMakeLists.txt	2019-03-13 12:44:05.376162889 +0100
++++ libjpeg-turbo-2.0.2/CMakeLists.txt	2019-03-13 12:45:59.156696193 +0100
+@@ -1003,7 +1003,8 @@ foreach(libtype ${TEST_LIBTYPES})
+     DEPENDS djpeg-${libtype}-rgb-islow)
  
    add_bittest(jpegtran icc "-copy;all;-icc;${TESTIMAGES}/test2.icc"
 -    testout_rgb_islow2.jpg testout_rgb_islow.jpg ${MD5_JPEG_RGB_ISLOW2})

libjpeg-turbo-2.0.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e5f86cec31df1d39596e0cca619ab1b01f99025a27dafdfc97a30f3a12f866ff
-size 2159130

libjpeg-turbo-2.0.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:acb8599fe5399af114287ee5907aea4456f8f2c1cc96d26c28aebfdf5ee82fed
+size 2159562

libjpeg-turbo-CVE-2018-19644.patch

@@ -1,17 +0,0 @@
-diff --git a/wrbmp.c b/wrbmp.c
-index 4bf81426b..239f64eb3 100644
---- a/wrbmp.c
-+++ b/wrbmp.c
-@@ -502,8 +502,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
-       dest->pub.put_pixel_rows = put_gray_rows;
-     else
-       dest->pub.put_pixel_rows = put_pixel_rows;
--  } else if (cinfo->out_color_space == JCS_RGB565 ||
--             cinfo->out_color_space == JCS_CMYK) {
-+  } else if (!cinfo->quantize_colors &&
-+             (cinfo->out_color_space == JCS_RGB565 ||
-+              cinfo->out_color_space == JCS_CMYK)) {
-     dest->pub.put_pixel_rows = put_pixel_rows;
-   } else {
-     ERREXIT(cinfo, JERR_BMP_COLORSPACE);
-

libjpeg-turbo-CVE-2018-20330.patch

@@ -1,33 +0,0 @@
-diff --git a/turbojpeg.c b/turbojpeg.c
-index 90a9ce6a0..3f7cd6406 100644
---- a/turbojpeg.c
-+++ b/turbojpeg.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C)2009-2018 D. R. Commander.  All Rights Reserved.
-+ * Copyright (C)2009-2019 D. R. Commander.  All Rights Reserved.
-  *
-  * Redistribution and use in source and binary forms, with or without
-  * modification, are permitted provided that the following conditions are met:
-@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
-                                      int align, int *height, int *pixelFormat,
-                                      int flags)
- {
--  int retval = 0, tempc, pitch;
-+  int retval = 0, tempc;
-+  size_t pitch;
-   tjhandle handle = NULL;
-   tjinstance *this;
-   j_compress_ptr cinfo = NULL;
-@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
-   *pixelFormat = cs2pf[cinfo->in_color_space];
- 
-   pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
--  if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
-+  if ((unsigned long long)pitch * (unsigned long long)(*height) >
-+      (unsigned long long)((size_t)-1) ||
-+      (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
-     _throwg("tjLoadImage(): Memory allocation failure");
- 
-   if (setjmp(this->jerr.setjmp_buffer)) {
-

libjpeg-turbo.changes

@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Wed Mar 13 12:02:57 UTC 2019 - pgajdos@suse.com
+
+- updated to version 2.0.2:
+  1. Fixed a regression introduced by 2.0.1[5] that prevented a runtime search
+  path (rpath) from being embedded in the libjpeg-turbo shared libraries and
+  executables for macOS and iOS.  This caused a fatal error of the form
+  "dyld: Library not loaded" when attempting to use one of the executables,
+  unless `DYLD_LIBRARY_PATH` was explicitly set to the location of the
+  libjpeg-turbo shared libraries.
+  2. Fixed an integer overflow and subsequent segfault (CVE-2018-20330) that
+  occurred when attempting to load a BMP file with more than 1 billion pixels
+  using the `tjLoadImage()` function.
+  3. Fixed a buffer overrun (CVE-2018-19664) that occurred when attempting to
+  decompress a specially-crafted malformed JPEG image to a 256-color BMP using
+  djpeg.
+  4. Fixed a floating point exception that occurred when attempting to
+  decompress a specially-crafted malformed JPEG image with a specified image
+  width or height of 0 using the C version of TJBench.
+  5. The TurboJPEG API will now decompress 4:4:4 JPEG images with 2x1, 1x2, 3x1,
+  or 1x3 luminance and chrominance sampling factors.  This is a non-standard way
+  of specifying 1x subsampling (normally 4:4:4 JPEGs have 1x1 luminance and
+  chrominance sampling factors), but the JPEG format and the libjpeg API both
+  allow it.
+  6. Fixed a regression introduced by 2.0 beta1[7] that caused djpeg to generate
+  incorrect PPM images when used with the `-colors` option.
+  7. Fixed an issue whereby a static build of libjpeg-turbo (a build in which
+  `ENABLE_SHARED` is `0`) could not be installed using the Visual Studio IDE.
+  8. Fixed a severe performance issue in the Loongson MMI SIMD extensions that
+  occurred when compressing RGB images whose image rows were not 64-bit-aligned.
+- modified patches
+  % ctest-depends.patch (refreshed)
+- deleted patches
+  - libjpeg-turbo-CVE-2018-19644.patch (upstreamed)
+  - libjpeg-turbo-CVE-2018-20330.patch (upstreamed)
+- added sources
+  + libjpeg-turbo-2.0.2.tar.gz.sig
+  + libjpeg-turbo.keyring
+
 -------------------------------------------------------------------
 Thu Jan 24 08:51:58 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
 

libjpeg-turbo.keyring

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGiBFWuQpoRBACKZREWpZug3nddAYrt9AvxrR3dYRlQvf+gU0q7EJXGERPVF0sz
+gOofTCo7uMy+xLx47sg0wFapON1HphzwnaCK852pcKajLDoW9oXGV+KvuyAay0Ap
+T296NxgFidKYlOFS8TcI1PFbmemT56yIWBUSiEZcvJIKG8vu4CHoCSFx5wCg9N55
+TNEv0XOi9fcxBHJM8P1nSvMD/i4Ounk99EcCcbkNkxJrn2ePWE/H6JZWgy+mBzdX
+zPEGb7JrmLnoeClHzOq3PwrVCUerXNICJQnZXLUfYv37cdxSXKSP+xw9x/RzpJiq
+EdJQXrFFLPAFl6iWqi9mm9X5hStPpjVG7frqJR5ogA7frzRV0+rlunhQBhnpeSTE
+QNznA/oC29xIx6BA7jLVTbqCUqETDf9rA9jpKeJXI5cpE4neevS7EbQez70VEc9f
+BmvC4L4MU/oJk5/y1OrVDKuFG9F2nAnshL0Y02lcEvmirTG8dJskBNlAm/JbrDEx
+L0/V7wTTMERuTHGP+F7Y1hpSz+oU6rMLop7qJn9or00HcVMd7rRdVGhlIGxpYmpw
+ZWctdHVyYm8gUHJvamVjdCAoU2lnbmluZyBrZXkgZm9yIG9mZmljaWFsIGJpbmFy
+aWVzKSA8aW5mb3JtYXRpb25AbGlianBlZy10dXJiby5vcmc+iGAEExECACAFAlWu
+QpoCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCFxwROAz/eFv5IAJ9NPfuV
+c8mpjSXK+yumPN6TS6okCgCfaltKSnTBHhlvJAEVsWopAPUrj2a5Ag0EVa5CnBAI
+AIMtO9yvgD/wV/yEkLLRpVaRoM4R1SaDzVNS+Kc9iL4GzWTcNPCqXlxswqVIRKxx
+NkW7y/RO7Pem6Ew3owmrQRa1FUFLU+TLSMuTLhQl/ao+lmpn32KnPdYIyRRyaLrb
+DTYBRVGB65sZY4BzueI4m3+w02+53XVuE3tIRk9eHNF8dbYwgUMXb4+8IC5mp0ta
+4dwdLIMwwatL+iaAuAS6nCKn2eZOyO9KbF2TdWHZhOKE16I5aLa48Nfp/T7Qx3tU
+c5hH/pOg652/zZCSm7yTekUnzmngnFSiecgsN4WRtpfyxIlJYWbBO1qs6Munviu+
+a6yEdEhSSw3JGgGwciYep5MAAwUH/RIDmO6PZOn2PXgAGdLvvdnXR5im5axwW30C
+JjYqkubucqQ0Y7gFE3NsxFxRwMbnRab1yJFrWLtcTBHqa5NAaR8UjUl4vdvvDZXM
+yOznB5EkjpAhATPpCVAA6N1QnDgh/oceBAcu7KU7WEWGVI2QzOmVQ7CmxDgcehVG
+6E2DhEatFavD0LLlqlDorFpJnRoIwVOCXz2lV3lmrnP6H+2j0TZHAWnHETyAUL+P
+lOq7HCbOnnVFzAulrYrt8Ap5ZQm3BRjY+EJIMweb1ZUeReKtW2cTBqM1DQnMdqs2
+PvIyk7+A0MdAwOPvmaffBDPlu/jECK3AyQvRPMg9tcp1u6Dz6hGISQQYEQIACQUC
+Va5CnAIbDAAKCRCFxwROAz/eFhUXAKCLyoe0xNURwAjj+2q7NW7IgCuQogCgjKXm
+udv9ZKnuBluVtm+LueeyV4U=
+=B+vg
+-----END PGP PUBLIC KEY BLOCK-----

libjpeg-turbo.spec

@@ -19,7 +19,7 @@
 %define asan_build 0
 %define debug_build 0
 
-%define srcver   2.0.1
+%define srcver   2.0.2
 %define major    8
 %define minor    2
 %define micro    2
@@ -39,8 +39,6 @@ Source0:        http://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.t
 Source1:        baselibs.conf
 Patch1:         libjpeg-turbo-1.3.0-tiff-ojpeg.patch
 Patch2:         ctest-depends.patch
-Patch3:         libjpeg-turbo-CVE-2018-19644.patch
-Patch4:         libjpeg-turbo-CVE-2018-20330.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 BuildRequires:  pkgconfig
@@ -106,8 +104,6 @@ files using the libjpeg library.
 %setup -q
 %patch1
 %patch2 -p1
-%patch4 -p1
-#%patch3 -p1
 
 %build
 MYLDFLAGS="-Wl,-z,relro,-z,now"

libjpeg62-turbo.spec

@@ -19,7 +19,7 @@
 %define major   62
 %define minor   3
 %define micro   0
-%define srcver  2.0.1
+%define srcver  2.0.2
 %define libver  %{major}.%{minor}.%{micro}
 Name:           libjpeg62-turbo
 Version:        %{srcver}
@@ -29,11 +29,11 @@ License:        BSD-3-Clause
 Group:          Productivity/Graphics/Convertors
 URL:            http://sourceforge.net/projects/libjpeg-turbo
 Source0:        http://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.tar.gz
-Source1:        baselibs.conf
+Source1:        http://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.tar.gz.sig
+Source2:        libjpeg-turbo.keyring
+Source3:        baselibs.conf
 Patch1:         libjpeg-turbo-1.3.0-tiff-ojpeg.patch
 Patch2:         ctest-depends.patch
-Patch3:         libjpeg-turbo-CVE-2018-19644.patch
-Patch4:         libjpeg-turbo-CVE-2018-20330.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 # needed for tests as we remove the lib here
@@ -78,8 +78,6 @@ files using the libjpeg library.
 %setup -q -n libjpeg-turbo-%{srcver}
 %patch1
 %patch2 -p1
-%patch4 -p1
-%patch3 -p1
 
 %build
 export LDFLAGS="-Wl,-z,relro,-z,now"