Accepting request 533647 from graphics
- security update: * CVE-2017-15232 [bsc#1062937] + libjpeg-turbo-CVE-2017-15232.patch - Update to version 1.5.2 + Fixed several memory leaks in the TurboJPEG API library that could occur if the library was built with certain compilers and optimization levels. + The libjpeg-turbo memory manager will now honor the max_memory_to_use structure member in jpeg_memory_mgr, which can be set to the maximum amount of memory (in bytes) that libjpeg-turbo should use during decompression or multi-pass (including progressive) compression. This limit can also be set using the JPEGMEM environment variable or using the -maxmemory switch in cjpeg/djpeg/jpegtran. + TJBench will now run each benchmark for 1 second prior to starting the timer, in order to improve the consistency of the results. Furthermore, the -warmup option is now used to specify the amount of warmup time rather than the number of warmup iterations. + Fixed an error (short jump is out of range) that occurred when assembling the 32-bit x86 SIMD extensions with NASM versions prior to 2.04. + Fixed a regression introduced by 1.5 beta1[11] that prevented the Java version of TJBench from outputting any reference images (the -nowrite switch was accidentally enabled by default.) libjpeg-turbo should now build and run with full AltiVec SIMD acceleration on PowerPC-based AmigaOS 4 and OpenBSD systems. - security update: OBS-URL: https://build.opensuse.org/request/show/533647 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libjpeg-turbo?expand=0&rev=37
commit
cf17e60e04
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:41429d3d253017433f66e3d472b8c7d998491d2f41caa7306b8d9a6f2a2c666c
|
||||
size 1650647
|
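--- a/libjpeg-turbo-1.5.2.tar.gz
+++ b/libjpeg-turbo-1.5.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9098943b270388727ae61de82adec73cf9f0dbb240b3bc8b172595ebf405b528
+size 1657235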
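--- a/libjpeg-turbo-CVE-2017-15232.patch
+++ b/libjpeg-turbo-CVE-2017-15232.patch
@@ -0,0 +1,43 @@
+Index: libjpeg-turbo-1.5.2/jdpostct.c
+===================================================================
+--- libjpeg-turbo-1.5.2.orig/jdpostct.c 2017-07-07 22:31:10.000000000 +0200
++++ libjpeg-turbo-1.5.2/jdpostct.c 2017-10-12 13:02:48.572975302 +0200
+@@ -132,6 +132,11 @@ post_process_1pass (j_decompress_ptr cin
+my_post_ptr post = (my_post_ptr) cinfo->post;
+JDIMENSION num_rows, max_rows;
+
++ /* read_and_discard_scanlines may call it with rows "available", but no buffer */
++ if (output_buf == NULL) {
++ return;
++ }
++
+/* Fill the buffer, but not more than what we can dump out in one go. */
+/* Note we rely on the upsampler to detect bottom of image. */
+max_rows = out_rows_avail - *out_row_ctr;
+Index: libjpeg-turbo-1.5.2/jquant1.c
+===================================================================
+--- libjpeg-turbo-1.5.2.orig/jquant1.c 2017-07-07 22:31:10.000000000 +0200
++++ libjpeg-turbo-1.5.2/jquant1.c 2017-10-12 13:02:48.572975302 +0200
+@@ -531,6 +531,10 @@ quantize_ord_dither (j_decompress_ptr ci
+JDIMENSION col;
+JDIMENSION width = cinfo->output_width;
+
++ if (output_buf == NULL && num_rows) {
++ ERREXIT(cinfo, JERR_BAD_PARAM);
++ }
++
+for (row = 0; row < num_rows; row++) {
+/* Initialize output values to 0 so can process components separately */
+jzero_far((void *) output_buf[row], (size_t) (width * sizeof(JSAMPLE)));
+Index: libjpeg-turbo-1.5.2/jerror.h
+===================================================================
+--- libjpeg-turbo-1.5.2.orig/jerror.h 2017-07-07 22:31:10.000000000 +0200
++++ libjpeg-turbo-1.5.2/jerror.h 2017-10-12 13:24:01.349954012 +0200
+@@ -208,6 +208,7 @@ JMESSAGE(JERR_NO_ARITH_TABLE, "Arithmeti
+JMESSAGE(JWRN_ARITH_BAD_CODE, "Corrupt JPEG data: bad arithmetic code")
+#endif
+#endif
++JMESSAGE(JERR_BAD_PARAM, "Bogus parameter")
+
+#ifdef JMAKE_ENUM_LIST
+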
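Review bot: In the jdpostct.c hunk the new `if (output_buf == NULL) return;` leaves post_process_1pass before the buffer-filling code below it, so `*out_row_ctr` is not advanced on that path. Whether the skip path named in the comment (read_and_discard_scanlines) still consumes rows correctly depends on code outside the hunk, so it deserves a regression test that skips scanlines with quantization enabled. The guard should document that contract, for example `/* NULL output_buf: caller is discarding rows; nothing is produced and *out_row_ctr is left unchanged */`. The jquant1.c hunk handles the same NULL buffer differently, as a fatal `ERREXIT(cinfo, JERR_BAD_PARAM)`, and only in quantize_ord_dither; any other quantizer routine that indexes `output_buf[row]` would presumably need the same check, which argues for handling the NULL buffer once in the caller. Both function bodies continue outside the hunks shown.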
@ -1,3 +1,38 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 12 10:59:03 UTC 2017 - pgajdos@suse.com
|
||||
|
||||
- security update:
|
||||
* CVE-2017-15232 [bsc#1062937]
|
||||
+ libjpeg-turbo-CVE-2017-15232.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 12 10:22:05 UTC 2017 - pgajdos@suse.com
|
||||
|
||||
- Update to version 1.5.2
|
||||
+ Fixed several memory leaks in the TurboJPEG API library that
|
||||
could occur if the library was built with certain compilers
|
||||
and optimization levels.
|
||||
+ The libjpeg-turbo memory manager will now honor the
|
||||
max_memory_to_use structure member in jpeg_memory_mgr,
|
||||
which can be set to the maximum amount of memory (in bytes)
|
||||
that libjpeg-turbo should use during decompression or
|
||||
multi-pass (including progressive) compression. This limit
|
||||
can also be set using the JPEGMEM environment variable or
|
||||
using the -maxmemory switch in cjpeg/djpeg/jpegtran.
|
||||
+ TJBench will now run each benchmark for 1 second prior to
|
||||
starting the timer, in order to improve the consistency of
|
||||
the results. Furthermore, the -warmup option is now used to
|
||||
specify the amount of warmup time rather than the number of
|
||||
warmup iterations.
|
||||
+ Fixed an error (short jump is out of range) that occurred
|
||||
when assembling the 32-bit x86 SIMD extensions with NASM
|
||||
versions prior to 2.04.
|
||||
+ Fixed a regression introduced by 1.5 beta1[11] that prevented
|
||||
the Java version of TJBench from outputting any reference images
|
||||
(the -nowrite switch was accidentally enabled by default.)
|
||||
libjpeg-turbo should now build and run with full AltiVec SIMD
|
||||
acceleration on PowerPC-based AmigaOS 4 and OpenBSD systems.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 18 10:07:00 UTC 2017 - bwiedemann@suse.com
|
||||
|
||||
|
@ -16,7 +16,7 @@
|
||||
#
|
||||
|
||||
|
||||
%define srcver 1.5.1
|
||||
%define srcver 1.5.2
|
||||
%define major 8
|
||||
%define minor 1
|
||||
%define micro 2
|
||||
@ -37,6 +37,7 @@ Source0: http://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.t
|
||||
Source1: baselibs.conf
|
||||
Patch1: libjpeg-turbo-1.3.0-tiff-ojpeg.patch
|
||||
Patch2: libjpeg-1.4.0-ocloexec.patch
|
||||
Patch3: libjpeg-turbo-CVE-2017-15232.patch
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libtool
|
||||
BuildRequires: pkgconfig
|
||||
@ -108,6 +109,7 @@ files using the libjpeg library.
|
||||
%setup -q
|
||||
%patch1
|
||||
%patch2
|
||||
%patch3 -p1
|
||||
|
||||
%build
|
||||
export LDFLAGS="-Wl,-z,relro,-z,now"
|
||||
|
@ -1,3 +1,38 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 12 10:59:03 UTC 2017 - pgajdos@suse.com
|
||||
|
||||
- security update:
|
||||
* CVE-2017-15232 [bsc#1062937]
|
||||
+ libjpeg-turbo-CVE-2017-15232.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 12 10:22:05 UTC 2017 - pgajdos@suse.com
|
||||
|
||||
- Update to version 1.5.2
|
||||
+ Fixed several memory leaks in the TurboJPEG API library that
|
||||
could occur if the library was built with certain compilers
|
||||
and optimization levels.
|
||||
+ The libjpeg-turbo memory manager will now honor the
|
||||
max_memory_to_use structure member in jpeg_memory_mgr,
|
||||
which can be set to the maximum amount of memory (in bytes)
|
||||
that libjpeg-turbo should use during decompression or
|
||||
multi-pass (including progressive) compression. This limit
|
||||
can also be set using the JPEGMEM environment variable or
|
||||
using the -maxmemory switch in cjpeg/djpeg/jpegtran.
|
||||
+ TJBench will now run each benchmark for 1 second prior to
|
||||
starting the timer, in order to improve the consistency of
|
||||
the results. Furthermore, the -warmup option is now used to
|
||||
specify the amount of warmup time rather than the number of
|
||||
warmup iterations.
|
||||
+ Fixed an error (short jump is out of range) that occurred
|
||||
when assembling the 32-bit x86 SIMD extensions with NASM
|
||||
versions prior to 2.04.
|
||||
+ Fixed a regression introduced by 1.5 beta1[11] that prevented
|
||||
the Java version of TJBench from outputting any reference images
|
||||
(the -nowrite switch was accidentally enabled by default.)
|
||||
libjpeg-turbo should now build and run with full AltiVec SIMD
|
||||
acceleration on PowerPC-based AmigaOS 4 and OpenBSD systems.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 15 10:50:53 UTC 2017 - jbohac@suse.com
|
||||
|
||||
|
@ -19,7 +19,7 @@
|
||||
%define major 62
|
||||
%define minor 2
|
||||
%define micro 0
|
||||
%define srcver 1.5.1
|
||||
%define srcver 1.5.2
|
||||
%define libver %{major}.%{minor}.%{micro}
|
||||
|
||||
Name: libjpeg62-turbo
|
||||
@ -33,6 +33,7 @@ Source0: http://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.t
|
||||
Source1: baselibs.conf
|
||||
Patch1: libjpeg-turbo-1.3.0-tiff-ojpeg.patch
|
||||
Patch2: libjpeg-1.4.0-ocloexec.patch
|
||||
Patch3: libjpeg-turbo-CVE-2017-15232.patch
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libtool
|
||||
BuildRequires: pkgconfig
|
||||
@ -84,6 +85,7 @@ files using the libjpeg library.
|
||||
%setup -q -n libjpeg-turbo-%{srcver}
|
||||
%patch1
|
||||
%patch2
|
||||
%patch3 -p1
|
||||
|
||||
%build
|
||||
export LDFLAGS="-Wl,-z,relro,-z,now"
|
||||
|