Accepting request 617768 from graphics

- security update:
  * CVE-2018-1152 [bsc#1098155]
    + libjpeg-turbo-CVE-2018-1152.patch

- security update:
  * CVE-2018-11813 [bsc#1096209]
    + libjpeg-turbo-CVE-2018-11813.patch
  * remove redundant libjpeg-turbo-CVE-2017-15232.patch
    [bsc#1062937#c17]

- security update:
  * CVE-2018-1152 [bsc#1098155]
    + libjpeg-turbo-CVE-2018-1152.patch

- security update:
  * CVE-2018-11813 [bsc#1096209]
    + libjpeg-turbo-CVE-2018-11813.patch
  * remove redundant libjpeg-turbo-CVE-2017-15232.patch
    [bsc#1062937#c17]

OBS-URL: https://build.opensuse.org/request/show/617768
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libjpeg-turbo?expand=0&rev=39

libjpeg-turbo-CVE-2017-15232.patch

@@ -1,43 +0,0 @@
-Index: libjpeg-turbo-1.5.2/jdpostct.c
-===================================================================
---- libjpeg-turbo-1.5.2.orig/jdpostct.c	2017-07-07 22:31:10.000000000 +0200
-+++ libjpeg-turbo-1.5.2/jdpostct.c	2017-10-12 13:02:48.572975302 +0200
-@@ -132,6 +132,11 @@ post_process_1pass (j_decompress_ptr cin
-   my_post_ptr post = (my_post_ptr) cinfo->post;
-   JDIMENSION num_rows, max_rows;
- 
-+  /* read_and_discard_scanlines may call it with rows "available", but no buffer */
-+  if (output_buf == NULL) {
-+    return;
-+  }
-+
-   /* Fill the buffer, but not more than what we can dump out in one go. */
-   /* Note we rely on the upsampler to detect bottom of image. */
-   max_rows = out_rows_avail - *out_row_ctr;
-Index: libjpeg-turbo-1.5.2/jquant1.c
-===================================================================
---- libjpeg-turbo-1.5.2.orig/jquant1.c	2017-07-07 22:31:10.000000000 +0200
-+++ libjpeg-turbo-1.5.2/jquant1.c	2017-10-12 13:02:48.572975302 +0200
-@@ -531,6 +531,10 @@ quantize_ord_dither (j_decompress_ptr ci
-   JDIMENSION col;
-   JDIMENSION width = cinfo->output_width;
- 
-+  if (output_buf == NULL && num_rows) {
-+    ERREXIT(cinfo, JERR_BAD_PARAM);
-+  }
-+
-   for (row = 0; row < num_rows; row++) {
-     /* Initialize output values to 0 so can process components separately */
-     jzero_far((void *) output_buf[row], (size_t) (width * sizeof(JSAMPLE)));
-Index: libjpeg-turbo-1.5.2/jerror.h
-===================================================================
---- libjpeg-turbo-1.5.2.orig/jerror.h	2017-07-07 22:31:10.000000000 +0200
-+++ libjpeg-turbo-1.5.2/jerror.h	2017-10-12 13:24:01.349954012 +0200
-@@ -208,6 +208,7 @@ JMESSAGE(JERR_NO_ARITH_TABLE, "Arithmeti
- JMESSAGE(JWRN_ARITH_BAD_CODE, "Corrupt JPEG data: bad arithmetic code")
- #endif
- #endif
-+JMESSAGE(JERR_BAD_PARAM, "Bogus parameter")
- 
- #ifdef JMAKE_ENUM_LIST
- 

libjpeg-turbo-CVE-2018-1152.patch

@@ -0,0 +1,17 @@
+Index: libjpeg-turbo-1.5.3/rdbmp.c
+===================================================================
+--- libjpeg-turbo-1.5.3.orig/rdbmp.c
++++ libjpeg-turbo-1.5.3/rdbmp.c
+@@ -434,6 +434,12 @@ start_input_bmp (j_compress_ptr cinfo, c
+     progress->total_extra_passes++; /* count file input as separate pass */
+   }
+ 
++  /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
++     value of the JDIMENSION type.  This is only a danger with BMP files, since
++     their width and height fields are 32-bit integers. */
++  if ((unsigned long long)biWidth *
++      (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
++    ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+   /* Allocate one-row buffer for returned data */
+   source->pub.buffer = (*cinfo->mem->alloc_sarray)
+     ((j_common_ptr) cinfo, JPOOL_IMAGE,

libjpeg-turbo-CVE-2018-11813.patch

@@ -0,0 +1,34 @@
+Index: libjpeg-turbo-1.5.3/rdtarga.c
+===================================================================
+--- libjpeg-turbo-1.5.3.orig/rdtarga.c	2017-12-14 05:39:01.000000000 +0100
++++ libjpeg-turbo-1.5.3/rdtarga.c	2018-06-13 09:32:33.927652164 +0200
+@@ -125,11 +125,10 @@ METHODDEF(void)
+ read_non_rle_pixel (tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file; no RLE expansion */
+ {
+-  register FILE *infile = sinfo->pub.input_file;
+   register int i;
+ 
+   for (i = 0; i < sinfo->pixel_size; i++) {
+-    sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
++    sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
+   }
+ }
+ 
+@@ -138,7 +137,6 @@ METHODDEF(void)
+ read_rle_pixel (tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file, expanding RLE data as needed */
+ {
+-  register FILE *infile = sinfo->pub.input_file;
+   register int i;
+ 
+   /* Duplicate previously read pixel? */
+@@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo)
+ 
+   /* Read next pixel */
+   for (i = 0; i < sinfo->pixel_size; i++) {
+-    sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
++    sinfo->tga_pixel[i] = (U_CHAR)read_byte(sinfo);
+   }
+ }
+ 

libjpeg-turbo.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Jun 19 13:40:32 UTC 2018 - pgajdos@suse.com
+
+- security update:
+  * CVE-2018-1152 [bsc#1098155]
+    + libjpeg-turbo-CVE-2018-1152.patch
+
+-------------------------------------------------------------------
+Tue Jun 12 13:34:11 UTC 2018 - pgajdos@suse.com
+
+- security update:
+  * CVE-2018-11813 [bsc#1096209]
+    + libjpeg-turbo-CVE-2018-11813.patch
+  * remove redundant libjpeg-turbo-CVE-2017-15232.patch
+    [bsc#1062937#c17]
+
 -------------------------------------------------------------------
 Mon Dec 18 13:29:30 UTC 2017 - pgajdos@suse.com
 

libjpeg-turbo.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libjpeg-turbo
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,7 +37,8 @@ Source0:        http://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.t
 Source1:        baselibs.conf
 Patch1:         libjpeg-turbo-1.3.0-tiff-ojpeg.patch
 Patch2:         libjpeg-1.4.0-ocloexec.patch
-Patch3:         libjpeg-turbo-CVE-2017-15232.patch
+Patch3:         libjpeg-turbo-CVE-2018-11813.patch
+Patch4:         libjpeg-turbo-CVE-2018-1152.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@@ -110,6 +111,7 @@ files using the libjpeg library.
 %patch1
 %patch2
 %patch3 -p1
+%patch4 -p1
 
 %build
 export LDFLAGS="-Wl,-z,relro,-z,now"

libjpeg62-turbo.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Jun 19 13:45:31 UTC 2018 - pgajdos@suse.com
+
+- security update:
+  * CVE-2018-1152 [bsc#1098155]
+    + libjpeg-turbo-CVE-2018-1152.patch
+
+-------------------------------------------------------------------
+Tue Jun 12 13:34:11 UTC 2018 - pgajdos@suse.com
+
+- security update:
+  * CVE-2018-11813 [bsc#1096209]
+    + libjpeg-turbo-CVE-2018-11813.patch
+  * remove redundant libjpeg-turbo-CVE-2017-15232.patch
+    [bsc#1062937#c17]
+
 -------------------------------------------------------------------
 Mon Dec 18 13:07:03 UTC 2017 - pgajdos@suse.com
 

libjpeg62-turbo.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libjpeg62-turbo
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -33,7 +33,8 @@ Source0:        http://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.t
 Source1:        baselibs.conf
 Patch1:         libjpeg-turbo-1.3.0-tiff-ojpeg.patch
 Patch2:         libjpeg-1.4.0-ocloexec.patch
-Patch3:         libjpeg-turbo-CVE-2017-15232.patch
+Patch3:         libjpeg-turbo-CVE-2018-11813.patch
+Patch4:         libjpeg-turbo-CVE-2018-1152.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@@ -86,6 +87,7 @@ files using the libjpeg library.
 %patch1
 %patch2
 %patch3 -p1
+%patch4 -p1
 
 %build
 export LDFLAGS="-Wl,-z,relro,-z,now"