From 62173dc83a1275788e6632ec7f917b3286cd52ce6fb7c958eee545ccc53127a7 Mon Sep 17 00:00:00 2001 From: Hans-Peter Jansen Date: Tue, 7 Jan 2025 11:18:55 +0000 Subject: [PATCH] - fixes CVE-2024-56826 [bsc#1235029] OBS-URL: https://build.opensuse.org/package/show/graphics/openjpeg2?expand=0&rev=58 --- .gitattributes | 23 +++ .gitignore | 1 + baselibs.conf | 1 + openjpeg-2.5.2.tar.gz | 3 + openjpeg-2.5.3.tar.gz | 3 + openjpeg2.changes | 332 ++++++++++++++++++++++++++++++++++++++++++ openjpeg2.spec | 148 +++++++++++++++++++ 7 files changed, 511 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 baselibs.conf create mode 100644 openjpeg-2.5.2.tar.gz create mode 100644 openjpeg-2.5.3.tar.gz create mode 100644 openjpeg2.changes create mode 100644 openjpeg2.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..110021c --- /dev/null +++ b/baselibs.conf @@ -0,0 +1 @@ +libopenjp2-7 diff --git a/openjpeg-2.5.2.tar.gz b/openjpeg-2.5.2.tar.gz new file mode 100644 index 0000000..15647ab --- /dev/null +++ b/openjpeg-2.5.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:90e3896fed910c376aaf79cdd98bdfdaf98c6472efd8e1debf0a854938cbda6a +size 1871948 diff --git a/openjpeg-2.5.3.tar.gz b/openjpeg-2.5.3.tar.gz new file mode 100644 index 0000000..e15ba0b --- /dev/null +++ b/openjpeg-2.5.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:368fe0468228e767433c9ebdea82ad9d801a3ad1e4234421f352c8b06e7aa707 +size 2155188 diff --git a/openjpeg2.changes b/openjpeg2.changes new file mode 100644 index 0000000..c718ac6 --- /dev/null +++ b/openjpeg2.changes @@ -0,0 +1,332 @@ +------------------------------------------------------------------- +Mon Dec 16 11:15:35 UTC 2024 - Michael Vetter + +- Update to 2.5.3: + * No API/ABI break compared to v2.5.2 + New Features: + * Use TLM (Tile Length Marker) segments to optimize decoding #1538 + * Add AVX2 and AVX512 optimization #1552 + * Support setting enumcs for CMYK and EYCC color space #1529 + Bug fixes: + * Do not turn on 'TPsot==TNsot detection fix' when TNsot==1, and + add a OPJ_DPARAMETERS_DISABLE_TPSOT_FIX flag to disable it #1560 + * opj_j2k_setup_encoder(): set numgbits = 1 for Cinema2K #1559 + * fix: when EPH markers are specified, they are required. #1547 + * sycc422_to_rgb(): fix out-of-bounds read accesses when 2 * + width_component_1_or_2 + 1 == with_component_0 #1566 + * Avoid heap-buffer-overflow read on corrupted image in non-strict mode #1536 + * opj_j2k_read_sod(): validate opj_stream_read_data() return to + avoid potential later heap-buffer-overflow in in opj_t1_decode_cblk when disabling strict mode #1534 + * fix integer Overflow at j2k.c:9614 #1530 + * Memory leak fixes in error code path of opj_compress #1567 + * opj_j2k_decode_tiles(): avoid use of uninitialized l_current_tile_no variable #1528 + * Do not allow header length to be zero in non-zero length packet #1526 + * Fix building on OpenBSD big endian hosts #1520 + Changes in third party components: + * thirdparty/libz: update to zlib-1.3.1 #1542 + * thirdparty/libpng: update to libpng-1.6.43 #1541 + * thirdparty/libtiff: update to libtiff 4.6.0 #1540 +- fixes CVE-2024-56826 [bsc#1235029] + +------------------------------------------------------------------- +Fri Aug 16 16:59:14 UTC 2024 - Manfred Hollstein + +- Make version check for the work around reliable to not silently + match Factory/Tumbleweed. + +------------------------------------------------------------------- +Fri Aug 16 06:59:29 UTC 2024 - Manfred Hollstein + +- Work around a bug by cmake installing docs into the wrong + directory when building for openSUSE Leap 15.5 + +------------------------------------------------------------------- +Wed Feb 28 14:43:25 UTC 2024 - Michael Vetter + +- Update to 2.5.2: + * Make sure openjpeg.h includes opj_config.h #1514 + +------------------------------------------------------------------- +Tue Feb 27 06:16:30 UTC 2024 - Michael Vetter + +- Update to 2.5.1: + * CMake: drop support for cmake < 3.5 + * Several bugfixes, including #1509 for CVE-2021-3575 (bsc#1187048) + * Significant speed-up rate allocation by rate/distoratio ratio #1440 +- Set devel-doc subpackage to noarch +- Change cmake parameters (see c7bccf) + +------------------------------------------------------------------- +Wed Mar 8 14:11:29 UTC 2023 - Martin Pluskal + +- Build AVX2 enabled hwcaps library for x86_64-v3 + +------------------------------------------------------------------- +Fri Jun 3 09:59:48 UTC 2022 - Timothy Brown + +- update to 2.5.0: + * Encoder: add support for generation of TLM markers + * Decoder: add support for high throughput (HTJ2K) decoding + * Decoder: add support for partial bitstream decoding + * Bug fixes (including security fixes) + * Fix CVE-2018-16376 (bsc#1106881) + * Fix CVE-2021-29338 (bsc#1184774) + * Fix CVE-2022-1122 (bsc#1197738) + +------------------------------------------------------------------- +Mon Jan 18 23:00:45 UTC 2021 - Dirk Müller + +- update to 2.4.0: + * Encoder: add support for multithreading #1248 + * Encoder: add support for generation of PLT markers #1246 + * Encoder: single-threaded performance improvements in forward DWT for 5-3 and 9-7 (and other improvements) #1253 + * Encoder: support IMF profiles #1235 + * Many bug fixes (including security fixes) + * Fix CVE-2020-27814 (bsc#1179594) + * Fix CVE-2020-27824 (bsc#1179821) + * Fix CVE-2020-27841 (bsc#1180042) + * Fix CVE-2020-27842 (bsc#1180043) + * Fix CVE-2020-27843 (bsc#1180044) + * Fix CVE-2020-27845 (bsc#1180046) + * Fix CVE-2020-15389 (bsc#1173578) + * Fix CVE-2020-27823 (bsc#1180457) + +- drop 024b8407392cb0b8.patch, 05f9b91e60debda0.patch, + 21399f6b7d318fcd.patch, 3aef207f90e937d4.patch, + 4cb1f663049aab96.patch: upstream + +------------------------------------------------------------------- +Fri Jan 31 16:21:36 UTC 2020 - Stefan Brüns + +- Fix several security relevant bugs: + * 21399f6b7d318fcd.patch (like CVE-2018-6616, but rle4 instead + of rle8, bsc#1079845) + * 3aef207f90e937d4.patch (CVE-2019-12973, bsc#1140359) + * 4cb1f663049aab96.patch (OSS-fuzz, + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18979) + * 024b8407392cb0b8.patch (CVE-2020-6851, bsc#1160782) + * 05f9b91e60debda0.patch (CVE-2020-8112, bsc#1162090) +- Use upstream pkgconfig file +- Move API documentation from devel package to devel-doc + +------------------------------------------------------------------- +Tue Apr 02 10:41:57 UTC 2019 - mvetter@suse.com + +- Update to version 2.3.1: + * Fix CVE-2018-6616 (bsr#1079845) + * Fix CVE-2018-5785 (bsc#1076967) + * Fix CVE-2018-18088 (bsc#1111638) + * Fix CVE-2018-16375 (bsc#1106882) + * Fix CVE-2018-14423 (bsc#1102016) + * Fix CVE-2018-7648 (bsc#1083901) + * Fix CVE-2018-5727 (bsc#1076314) + * Fix CVE-2018-20846 (bsc#1140205) + * Fix CVE-2018-21010 (bsc#1149789) + * Fix CVE-2018-20845 (bsc#1140130) + * For full list see ChangeLog file +- Remove install-fix.patch: upstreamed + +------------------------------------------------------------------- +Thu Feb 14 20:15:11 UTC 2019 - bjorn.lie@gmail.com + +- Change openjpeg2 Recommends in the devel package to Requires (bsc#1201799) + +------------------------------------------------------------------- +Mon Oct 23 15:04:03 UTC 2017 - idonmez@suse.com + +- Update to version 2.3.0 +- Drop upstream patches: + * 0018-tcd_get_decoded_tile_size.patch + * openjpeg2-CVE-2016-10504.patch + * openjpeg2-CVE-2016-10505.patch + * openjpeg2-CVE-2016-10506.patch + * openjpeg2-CVE-2017-12982.patch + * openjpeg2-CVE-2017-14039.patch + * openjpeg2-CVE-2017-14040.patch + * openjpeg2-CVE-2017-14041.patch + * openjpeg2-CVE-2017-14151.patch + * openjpeg2-CVE-2017-14152.patch +- Add install-fix.patch from upstream to fix library installation. + +------------------------------------------------------------------- +Tue Sep 12 20:49:00 CEST 2017 - hpj@suse.com + +- Add security fixes: + openjpeg2-CVE-2016-10504.patch (CVE-2016-10504, bsc#1056351), + openjpeg2-CVE-2016-10505.patch (CVE-2016-10505, bsc#1056363), + openjpeg2-CVE-2016-10506.patch (CVE-2016-10506, bsc#1056396), + openjpeg2-CVE-2017-12982.patch (CVE-2017-12982, bsc#1054696), + openjpeg2-CVE-2017-14039.patch (CVE-2017-14039, CVE-2017-14164, + bsc#1056622, bsc#1057511), + openjpeg2-CVE-2017-14040.patch (CVE-2017-14040, bsc#1056621), + openjpeg2-CVE-2017-14041.patch (CVE-2017-14041, bsc#1056562), + openjpeg2-CVE-2017-14151.patch (CVE-2017-14151, bsc#1057336), + openjpeg2-CVE-2017-14152.patch (CVE-2017-14152, bsc#1057335), + most of which are critical, including heap and stack overwrites, + over-reads and division by zero errors. + +------------------------------------------------------------------- +Mon Dec 19 08:42:02 UTC 2016 - normand@linux.vnet.ibm.com + +- update to version 2.1.2 + Bug fixes including security fixes among which: + CVE-2016-8332 CVE-2016-7163 + CVE-2016-5139 CVE-2016-5159 + CVE-2016-5158 (not listed but solved different way) + Huge amount of critical bugfixes + Speed improvements + No API/ABI break compared to v2.1.1/v2.1 +- some doc files now have '.md' suffix (like README.md) +- CVE-2016-5152 with new 0018-tcd_get_decoded_tile_size.patch + +------------------------------------------------------------------- +Tue Dec 8 15:13:03 UTC 2015 - p.drouand@gmail.com + +- Add a pkg-config dependency; expand pkgconfig + +------------------------------------------------------------------- +Mon Oct 19 09:20:16 UTC 2015 - schwab@suse.de + +- Re-add baselibs.conf, needed by poppler and leptonica + +------------------------------------------------------------------- +Fri Sep 4 11:54:30 UTC 2015 - mpluskal@suse.com + +- Use cmake macro +- Remove baselibs.conf (it was broken anyways for months) +- Cleanup spec file with spec-cleaner + +------------------------------------------------------------------- +Sat May 31 07:12:54 UTC 2014 - coolo@suse.com + +- pimp up the previous changelog + +------------------------------------------------------------------- +Tue May 27 15:10:53 UTC 2014 - opensuse@dstoecker.de + +- update to version 2.1.0 + +New Features: + + * Digital Cinema profiles have been fixed and updated + * New option to disable MCT if needed + * extended RAW support: it is now possible to input raw images + with subsampled color components (422, 420, etc) + * New way to deal with profiles + +API/ABI modifications: (see abi_compat_report in dev-utils/scripts) + + * Removed deprecated functions + - opj_stream_create_default_file_stream(FILE*,...) + - opj_stream_create_file_stream(FILE*,...) + - opj_stream_set_user_data (opj_stream_t* p_stream, void * p_data) + * Added + - opj_stream_create_default_file_stream(char*,...) + - opj_stream_create_file_stream(char*,...) + - opj_stream_destroy(opj_stream_t*) + - opj_stream_set_user_data (opj_stream_t* p_stream, void * p_data, + ... opj_stream_free_user_data_fn p_function) + - JPEG 2000 profiles and Part-2 extensions defined through '#define' + * Changed + - 'alpha' field added to 'opj_image_comp' structure + - 'OPJ_CLRSPC_EYCC' added to enum COLOR_SPACE + - 'OPJ_CLRSPC_CMYK' added to enum COLOR_SPACE + - 'OPJ_CODEC_JPP' and 'OPJ_CODEC_JPX' added to CODEC_FORMAT + (not yet used in use) + - 'max_cs_size' and 'rsiz' fields added to opj_cparameters_t + +Misc: + * OpenJPEG is now officialy conformant with JPEG 2000 Part-1 + and will soon become official reference software at the + JPEG committee. + * Huge amount of bug fixes. See CHANGES for details. + +------------------------------------------------------------------- +Thu May 8 14:47:36 UTC 2014 - hpj@urpla.net + +- version 2.0.1 + + - New Features: + * Digital Cinema profiles have been fixed and updated + * New option to disable MCT if needed + * extended RAW support: it is now possible to input raw images + with subsampled color components (422, 420, etc) + + - API/ABI modifications: (see abi_compat_report_2.0.1.html in dev-utils/scripts) + * No changes, API/ABI fully compatible with 2.0.0 + + - Misc: + * OpenJPEG is now officialy conformant with JPEG 2000 Part-1 + and will soon become official reference software at the + JPEG committee. + * Huge amount of bug fixes. See CHANGES for details. + +- adjust library name + +------------------------------------------------------------------- +Tue Feb 18 07:21:03 UTC 2014 - pgajdos@suse.com + +- add libopenjp2.pc (demand introduced by ImageMagick 6.8.8-5) + +------------------------------------------------------------------- +Tue Nov 26 09:48:46 UTC 2013 - gber@opensuse.org + +- remove bogus dependency on libjpeg-devel + +------------------------------------------------------------------- +Tue Nov 26 04:25:48 UTC 2013 - mrdocs@opensuse.org + +- add explicit libjpeg-devel to fix build on SLE 11 + +------------------------------------------------------------------- +Sun Nov 24 10:38:25 UTC 2013 - gber@opensuse.org + +- use pkgconfig macros +- let openjpeg2-devel only recommend openjpeg2 + +------------------------------------------------------------------- +Wed Nov 13 16:50:45 UTC 2013 - gber@opensuse.org + +- remove bogus dependency on libgeotiff-devel and depend on + libtiff-devel +- ensure no bundled libraries are used + +------------------------------------------------------------------- +Tue Nov 12 14:06:55 UTC 2013 - gber@opensuse.org + +- cleanup + - improve group, summary, description + - fix license + - fix build dependencies + - use optflags, don't mess with debug symbols + - fix library install path + - create main package containing codec tools + - build doxygen documentaion + - fix %post/un scriptlets for the libopenjp2-6 subpackage + - add baselibs + +------------------------------------------------------------------- +Wed May 8 11:56:09 UTC 2013 - behrisch@users.sourceforge.net + +- fixed make install for non suse targets + +------------------------------------------------------------------- +Sun Nov 25 14:55:50 UTC 2012 - Angelos Tzotsos + +Update to version 2.0 Final, fixed some major issues : + * support of Large JPEG2000 Files greater than 2 GBytes + * support of tile coding and decoding which allows to encode or decode only specific part of image if the file is tiled + * implements subset of the MCT part 2 + * streaming system + * improvement of the cmake build system + * adding a CDash platform to support continuous integration of the different version + * opaque pointers (opj_stream, opj_codec) have been used to simplify the API + * the library does not perform the t1 decoding of non-needed resolutions any more (increases performance) + * a lot of code has been simplified/factored in order to lower the memory consumption. + * j2k.c and jp2.c have been modified to support a simpler extension mechanism + * prefix all public and the great majority of the private symbols with opj_ to avoid conflict with external libraries + +------------------------------------------------------------------ +Mon Jan 24 00:00:00 UTC 2010 - Angelos Tzotsos + + * Initial build from SVN diff --git a/openjpeg2.spec b/openjpeg2.spec new file mode 100644 index 0000000..afdca6d --- /dev/null +++ b/openjpeg2.spec @@ -0,0 +1,148 @@ +# +# spec file for package openjpeg2 +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define library_name libopenjp2-7 +%define base_version 2.5 +Name: openjpeg2 +Version: 2.5.3 +Release: 0 +Summary: Opensource JPEG 2000 Codec Implementation +License: BSD-2-Clause +Group: Productivity/Graphics/Other +URL: https://www.openjpeg.org/ +Source0: https://github.com/uclouvain/openjpeg/archive/v%{version}.tar.gz#/openjpeg-%{version}.tar.gz +Source1: baselibs.conf +BuildRequires: cmake > 3.5 +BuildRequires: doxygen +BuildRequires: fdupes +BuildRequires: gcc-c++ +BuildRequires: libjbig-devel +BuildRequires: pkgconfig +BuildRequires: pkgconfig(lcms2) +BuildRequires: pkgconfig(libjpeg) +BuildRequires: pkgconfig(liblzma) +BuildRequires: pkgconfig(libpng) +BuildRequires: pkgconfig(libtiff-4) +BuildRequires: pkgconfig(libzstd) +%{?suse_build_hwcaps_libs} + +%description +The OpenJPEG library is an open-source JPEG 2000 codec written in C language. +It has been developed in order to promote the use of JPEG 2000, the new +still-image compression standard from the Joint Photographic Experts Group +(JPEG). + +This package provides the codec executables. + +%package -n %{library_name} +Summary: Opensource JPEG 2000 Codec Implementation +Group: System/Libraries + +%description -n %{library_name} +The OpenJPEG library is an open-source JPEG 2000 codec written in C language. +It has been developed in order to promote the use of JPEG 2000, the new +still-image compression standard from the Joint Photographic Experts Group +(JPEG). + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries/Other +Requires: %{library_name} = %{version} +Requires: %{name} = %{version} +Recommends: %{name}-devel-doc + +%description devel +The OpenJPEG library is an open-source JPEG 2000 codec written in C language. +It has been developed in order to promote the use of JPEG 2000, the new +still-image compression standard from the Joint Photographic Experts Group +(JPEG). + +This package provides the development files for %{name}. + +%package devel-doc +Summary: API documentation for %{name} +Group: Documentation/HTML +Recommends: %{library_name} = %{version} +Recommends: %{name} = %{version} +BuildArch: noarch + +%description devel-doc +The OpenJPEG library is an open-source JPEG 2000 codec written in C language. + +This package provides the API documentation for %{name}. + +%prep +%autosetup -n openjpeg-%{version} -p0 + +# do not embed timestamps into html documentation +sed -i 's|^HTML_TIMESTAMP[ =].*$|HTML_TIMESTAMP = NO|' doc/Doxyfile.dox.cmake.in + +# ensure no bundled libraries are used, but keep thirdparty/CMakeLists.txt +for d in thirdparty/*; do + [ -d "$d" ] && rm -rf "$d" +done + +%build +%cmake \ + -DBUILD_SHARED_LIBS=ON \ + -DBUILD_CODEC=ON \ + -DBUILD_JPIP=OFF \ + -DBUILD_JPWL=OFF \ + -DBUILD_MJ2=OFF \ + -DBUILD_TESTING=OFF \ + -DBUILD_DOC=ON \ + -DBUILD_THIRDPARTY=OFF \ + -DCMAKE_INSTALL_LIB_DIR=%{_lib} \ + -DCMAKE_INSTALL_DOC_DIR=share/doc/packages/%{name}-devel-doc + +%cmake_build all doc + +%install +%cmake_install +%if 0%{?suse_version} == 1500 && 0%{?sle_version} > 0 && 0%{?sle_version} <= 150500 +# Work around a bug by cmake installing docs into the wrong directory: +mkdir -p %{buildroot}%{_defaultdocdir} +mv %{buildroot}/usr/share/doc/openjpeg %{buildroot}%{_defaultdocdir}/%{name} +%endif +%fdupes %{buildroot}%{_defaultdocdir} + +%post -n %{library_name} -p /sbin/ldconfig +%postun -n %{library_name} -p /sbin/ldconfig + +%files +%license LICENSE +%{_bindir}/opj_* +%{_mandir}/man1/opj_*.1%{?ext_man} + +%files -n %{library_name} +%{_libdir}/libopenjp2.so.* + +%files devel +%{_includedir}/openjpeg-%{base_version}/ +%{_libdir}/libopenjp2.so +%{_libdir}/pkgconfig/libopenjp2.pc +%{_libdir}/cmake/openjpeg-2.5/ +%{_mandir}/man3/libopenjp2.3%{?ext_man} + +%files devel-doc +%license LICENSE +%doc AUTHORS.md CHANGELOG.md NEWS.md README.md THANKS.md +%dir %{_defaultdocdir}/%{name} +%doc %{_defaultdocdir}/%{name}/html + +%changelog