Accepting request 909953 from graphics

- version update to 2.5.7 Patch release of 2.5 with security and build fixes: * OSS-fuzz 28051 Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer * OSS-fuzz 28155 Crash in Imf_2_5::PtrIStream::read * Fix broken symlink and pkg-config lib suffix for cmake debug builds - modified patches % 0001-Use-absolute-CMAKE_INSTALL_FULL_LIBDIR-for-libdir-in.patch (refreshed) - deleted patches - openexr-CVE-2021-3598.patch (upstreamed) - openexr-CVE-2021-3605.patch (upstreamed) OBS-URL: https://build.opensuse.org/request/show/909953 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openexr?expand=0&rev=45
2021-08-05 18:47:52 +00:00 · 2021-08-05 18:47:52 +00:00 · 6f1edef329
commit 6f1edef329
parent 8fccdb0624 b508353971
7 changed files with 45 additions and 72 deletions
--- a/0001-Use-absolute-CMAKE_INSTALL_FULL_LIBDIR-for-libdir-in.patch
+++ b/0001-Use-absolute-CMAKE_INSTALL_FULL_LIBDIR-for-libdir-in.patch
@ -19,10 +19,10 @@ Fixes https://github.com/AcademySoftwareFoundation/openexr/issues/595
 PyIlmBase/config/CMakeLists.txt | 4 ++--
 5 files changed, 6 insertions(+), 9 deletions(-)

-diff --git a/IlmBase/IlmBase.pc.in b/IlmBase/IlmBase.pc.in
-index 45fc4de..1edd055 100644
--- a/IlmBase/IlmBase.pc.in
-+++ b/IlmBase/IlmBase.pc.in
+Index: openexr-2.5.7/IlmBase/IlmBase.pc.in
+===================================================================
+--- openexr-2.5.7.orig/IlmBase/IlmBase.pc.in	2021-06-15 02:15:14.000000000 +0200
+++ openexr-2.5.7/IlmBase/IlmBase.pc.in	2021-08-03 12:26:33.419242739 +0200
@@ -4,7 +4,6 @@
 ##
 
@ -31,10 +31,10 @@ index 45fc4de..1edd055 100644
 libdir=@libdir@
 includedir=@includedir@
 libsuffix=@LIB_SUFFIX_DASH@
-diff --git a/IlmBase/config/CMakeLists.txt b/IlmBase/config/CMakeLists.txt
-index d9c5ae4..fc161b0 100644
--- a/IlmBase/config/CMakeLists.txt
-+++ b/IlmBase/config/CMakeLists.txt
+Index: openexr-2.5.7/IlmBase/config/CMakeLists.txt
+===================================================================
+--- openexr-2.5.7.orig/IlmBase/config/CMakeLists.txt	2021-08-03 12:26:33.423242767 +0200
+++ openexr-2.5.7/IlmBase/config/CMakeLists.txt	2021-08-03 12:26:47.735343624 +0200
@@ -76,8 +76,8 @@ if(ILMBASE_INSTALL_PKG_CONFIG)
   function(ilmbase_pkg_config_help pcinfile)
     set(prefix ${CMAKE_INSTALL_PREFIX})
@ -43,13 +43,13 @@ index d9c5ae4..fc161b0 100644
 -    set(includedir "\${prefix}/${CMAKE_INSTALL_INCLUDEDIR}")
 +    set(libdir "${CMAKE_INSTALL_FULL_LIBDIR}")
 +    set(includedir "${CMAKE_INSTALL_FULL_INCLUDEDIR}")
-     set(LIB_SUFFIX_DASH ${ILMBASE_LIB_SUFFIX})
+     string(TOUPPER "${CMAKE_BUILD_TYPE}" uppercase_CMAKE_BUILD_TYPE)
+     set(LIB_SUFFIX_DASH ${ILMBASE_LIB_SUFFIX}${CMAKE_${uppercase_CMAKE_BUILD_TYPE}_POSTFIX})
     if(TARGET Threads::Threads)
-       # hrm, can't use properties as they end up as generator expressions
-diff --git a/OpenEXR/OpenEXR.pc.in b/OpenEXR/OpenEXR.pc.in
-index cf72f88..4df6035 100644
--- a/OpenEXR/OpenEXR.pc.in
-+++ b/OpenEXR/OpenEXR.pc.in
+Index: openexr-2.5.7/OpenEXR/OpenEXR.pc.in
+===================================================================
+--- openexr-2.5.7.orig/OpenEXR/OpenEXR.pc.in	2021-06-15 02:15:14.000000000 +0200
+++ openexr-2.5.7/OpenEXR/OpenEXR.pc.in	2021-08-03 12:26:33.423242767 +0200
@@ -4,7 +4,6 @@
 ##
 
@ -58,11 +58,11 @@ index cf72f88..4df6035 100644
 libdir=@libdir@
 includedir=@includedir@
 OpenEXR_includedir=@includedir@/OpenEXR
-diff --git a/OpenEXR/config/CMakeLists.txt b/OpenEXR/config/CMakeLists.txt
-index b52ad0d..59f4916 100644
--- a/OpenEXR/config/CMakeLists.txt
-+++ b/OpenEXR/config/CMakeLists.txt
-@@ -72,9 +72,8 @@ if(OPENEXR_INSTALL_PKG_CONFIG)
+Index: openexr-2.5.7/OpenEXR/config/CMakeLists.txt
+===================================================================
+--- openexr-2.5.7.orig/OpenEXR/config/CMakeLists.txt	2021-08-03 12:26:33.423242767 +0200
+++ openexr-2.5.7/OpenEXR/config/CMakeLists.txt	2021-08-03 12:27:23.867598269 +0200
+@@ -74,9 +74,8 @@ if(OPENEXR_INSTALL_PKG_CONFIG)
   # use a helper function to avoid variable pollution, but pretty simple
   function(openexr_pkg_config_help pcinfile)
     set(prefix ${CMAKE_INSTALL_PREFIX})
@ -71,13 +71,13 @@ index b52ad0d..59f4916 100644
 -    set(includedir "\${prefix}/${CMAKE_INSTALL_INCLUDEDIR}")
 +    set(libdir "${CMAKE_INSTALL_FULL_LIBDIR}")
 +    set(includedir "${CMAKE_INSTALL_FULL_INCLUDEDIR}")
-     set(LIB_SUFFIX_DASH ${OPENEXR_LIB_SUFFIX})
+     string(TOUPPER "${CMAKE_BUILD_TYPE}" uppercase_CMAKE_BUILD_TYPE)
+     set(LIB_SUFFIX_DASH ${OPENEXR_LIB_SUFFIX}${CMAKE_${uppercase_CMAKE_BUILD_TYPE}_POSTFIX})
     if(TARGET Threads::Threads)
-       # hrm, can't use properties as they end up as generator expressions
-diff --git a/PyIlmBase/config/CMakeLists.txt b/PyIlmBase/config/CMakeLists.txt
-index 1872c89..a971723 100644
--- a/PyIlmBase/config/CMakeLists.txt
-+++ b/PyIlmBase/config/CMakeLists.txt
+Index: openexr-2.5.7/PyIlmBase/config/CMakeLists.txt
+===================================================================
+--- openexr-2.5.7.orig/PyIlmBase/config/CMakeLists.txt	2021-08-03 12:26:33.423242767 +0200
+++ openexr-2.5.7/PyIlmBase/config/CMakeLists.txt	2021-08-03 12:27:01.255438907 +0200
@@ -16,8 +16,8 @@ if(PYILMBASE_INSTALL_PKG_CONFIG)
   function(pyilmbase_pkg_config_help pcinfile)
     set(prefix ${CMAKE_INSTALL_PREFIX})
@ -86,9 +86,6 @@ index 1872c89..a971723 100644
 -    set(includedir ${CMAKE_INSTALL_INCLUDEDIR})
 +    set(libdir ${CMAKE_INSTALL_FULL_LIBDIR})
 +    set(includedir ${CMAKE_INSTALL_FULL_INCLUDEDIR})
-     set(LIB_SUFFIX_DASH ${OPENEXR_LIB_SUFFIX})
+     string(TOUPPER "${CMAKE_BUILD_TYPE}" uppercase_CMAKE_BUILD_TYPE)
+     set(LIB_SUFFIX_DASH ${OPENEXR_LIB_SUFFIX}${CMAKE_${uppercase_CMAKE_BUILD_TYPE}_POSTFIX})
     string(REPLACE ".in" "" pcout ${pcinfile})
-     configure_file(${pcinfile} ${CMAKE_CURRENT_BINARY_DIR}/${pcout} @ONLY)
-- 
-2.27.0
-
--- a/openexr-CVE-2021-3598.patch
+++ b/openexr-CVE-2021-3598.patch
@ -1,17 +0,0 @@
-diff --git a/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp b/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp
-index 5f0f43989..ead43c729 100644
--- a/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp
-+++ b/OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp
-@@ -647,6 +647,11 @@ LineBufferTask::execute ()
- 
-                 _lineBuffer->format = Compressor::XDR;
-                 _lineBuffer->uncompressedData = _lineBuffer->buffer;
-+
-+                if(_lineBuffer->packedDataSize!=maxBytesPerLine)
-+                {
-+                    THROW (IEX_NAMESPACE::InputExc, "Incorrect size for uncompressed data. Expected " << maxBytesPerLine << " got " << _lineBuffer->packedDataSize << " bytes");
-+                }
-             }
-         }
- 
-
--- a/openexr-CVE-2021-3605.patch
+++ b/openexr-CVE-2021-3605.patch
@ -1,15 +0,0 @@
--- a/OpenEXR/IlmImf/ImfRle.cpp
-+++ b/OpenEXR/IlmImf/ImfRle.cpp
-@@ -146,6 +146,11 @@ rleUncompress (int inLength, int maxLength, const signed char in[], char out[])
- 	    if (0 > (maxLength -= count + 1))
- 		return 0;
- 
-+        // check the input buffer is big enough to contain
-+        // byte to be duplicated
-+        if (inLength < 0)
-+          return 0;
-+
-         memset(out, *(char*)in, count+1);
-         out += count+1;
- 
-
--- a/openexr.changes
+++ b/openexr.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Aug  3 10:46:19 UTC 2021 - pgajdos@suse.com
+
+- version update to 2.5.7
+  Patch release of 2.5 with security and build fixes:
+  * OSS-fuzz 28051 Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
+  * OSS-fuzz 28155 Crash in Imf_2_5::PtrIStream::read
+  * Fix broken symlink and pkg-config lib suffix for cmake debug builds
+- modified patches
+  % 0001-Use-absolute-CMAKE_INSTALL_FULL_LIBDIR-for-libdir-in.patch (refreshed)
+- deleted patches
+  - openexr-CVE-2021-3598.patch (upstreamed)
+  - openexr-CVE-2021-3605.patch (upstreamed)
+
 -------------------------------------------------------------------
 Wed Jun 16 12:28:02 UTC 2021 - pgajdos@suse.com

--- a/openexr.spec
+++ b/openexr.spec
@ -28,7 +28,7 @@
 %define sonum 25
 %global so_suffix -2_5
 Name:           %{flavor}
-Version:        2.5.6
+Version:        2.5.7
 Release:        0
 %if "%{flavor}" == "openexr"
 Summary:        Utilities for working with HDR images in OpenEXR format
@ -44,10 +44,6 @@ URL:            http://www.openexr.com/
 Source0:        https://github.com/openexr/openexr/archive/v%{version}.tar.gz
 Source2:        baselibs.conf
 Patch1:         0001-Use-absolute-CMAKE_INSTALL_FULL_LIBDIR-for-libdir-in.patch
-# CVE-2021-3598 [bsc#1187310], Heap buffer overflow in Imf_3_1:CharPtrIO:readChars
-Patch2:         openexr-CVE-2021-3598.patch
-# CVE-2021-3605 [bsc#1187395], Heap buffer overflow in the rleUncompress function
-Patch3:         openexr-CVE-2021-3605.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 BuildRequires:  pkgconfig
@ -227,8 +223,6 @@ Group:          System/Libraries
 %prep
 %setup -q -n %{prjname}-%{version}
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1

 %build
 %if "%{flavor}" == "openexr"
--- a/v2.5.6.tar.gz
+++ b/v2.5.6.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c9f4c268d91d3904b7784b7a65d1eba55334bddf391487e9f14c315fa3a362b5
-size 27540385
--- a/v2.5.7.tar.gz
+++ b/v2.5.7.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:36ecb2290cba6fc92b2ec9357f8dc0e364b4f9a90d727bf9a57c84760695272d
+size 27539574