Hello community,

here is the log from the commit of package jasper for openSUSE:Factory checked in at 2016-10-28 10:42:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jasper (Old)
 and      /work/SRC/openSUSE:Factory/.jasper.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jasper" Changes: -------- --- /work/SRC/openSUSE:Factory/jasper/jasper.changes 2016-02-07 09:22:36.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2016-10-28 10:42:57.000000000 +0200 
@@ -1,0 +2,204 @@ +Wed Oct 26 14:18:40 UTC 2016 - [email protected] + +- Updated to bugfix release 1.900.14 + * Security fixes + + bsc#941919, CVE-2015-5203 + + bsc#1006591, CVE-2016-8880 + + bsc#1006593, CVE-2016-8881 + + bsc#1006597, CVE-2016-8882 + + bsc#1006598, CVE-2016-8883 + + bsc#1007009, CVE-2016-8884, CVE-2016-8885 + + bsc#1006599, CVE-2016-8886 + + bsc#1006836, bsc#1006839, CVE-2016-8887 + * Changes + + Add another data file for testing (Michael Adams) + + Ensure that not all tiles lie outside the image area (Michael + Adams) + + Added a note on sanitizer options (Michael Adams) + + Added a simple test script (Michael Adams) + + Added an --enable-memory-limit configure option (Michael + Adams) + + Manually merged and edited a few changes from Bob Friesenhahn + (GraphicsMagick Maintainer) for Windows (Michael Adams) + + Added some new mostly small image files (many of which are + corrupt/invalid) that are useful for testing purposes + (Michael Adams) + + The debugging function jpc_dec_dump did not consider the case + that a band can have a null data pointer (when a band + contains no samples). This caused a null pointer to be + dereferenced (Michael Adams) + + Changed the JPC bitstream code to more gracefully handle a + request for a larger sized integer than what can be handled + (i.e., return with an error instead of failing an assert). + (Michael Adams) + + The component domains must be the same for the ICT/RCT in the + JPC codec. This was previously enforced with an assertion. + Now, it is handled in a more graceful manner (Michael Adams) + + Fixed a few bugs in the RAS encoder and decoder where errors + were tested with assertions instead of being gracefully + handled (Michael Adams) + +------------------------------------------------------------------- +Mon Oct 24 06:50:38 UTC 2016 - [email protected] + +- Updated to bugfix release 1.900.13 + * Changes + + Fixed another problem with incorrect cleanup of JP2 box data + upon error. 
(Michael Adams) + + Fixed another integer overflow problem. (Michael Adams) + + Replaced the remaining left and right shifts in the QMFB/MCT + code that can result in undefined behavior (due to shifting + negative values) with call to inline functions. + These functions collect all of the undefined behavior in one + place and also allow code sanitizers to ignore this ugliness + (via function attributes). (Michael Adams) + + Fixed a bug in the row/column split operations for QMFBs. + (Michael Adams) + + Made the PNM decoder more gracefully handle the not-fully- + supported feature of signed sample data. (Michael Adams) + + The PNM decoder did not gracefully handle an invalid magic + number in the PNM header. (Michael Adams) + + Fixed a MIF decoder bug. (Michael Adams) + + The imginfo command did not correctly handle an image with + zero components. (Michael Adams) + + Fixed an integer overflow problem. (Michael Adams) + + A new experimental memory allocator has been introduced. The + allocator is experimental in the sense that its API is not + considered stable and the allocator may change or disappear + entirely in future versions of the code. This new allocator + tracks how much memory is being used by jas_malloc and friends. + A maximum upper bound on the memory usage can be set via the + experimental API provided and a default value can be set at + build time as well. Such functionality may be useful in + run-time environments where the user wants to be able to limit + the amount of memory used by JasPer. This allocator is not + used by default. (Michael Adams) + + Changed the configure setup so that if GCC is used warnings + and pedantic errors are enabled. (Michael Adams) + + Fixed a bug that resulted in the destruction of JP2 box data + that had never been constructed in the first place. (Michael + Adams) + + The memory stream interface allows for a buffer size of zero. 
+ The case of a zero-sized buffer was not handled correctly, as + it could lead to a double free (bsc#1005242, CVE-2016-8693). + (Michael Adams) + + Fixed a small memory leak for CRG marker segments. (Michael + Adams) + + Fixed a problem with a null pointer dereference in the BMP + decoder. (Michael Adams) + + Introduced jas_fast32_asl, jas_fast32_asr, and friends in + order to pull all undefined behavior for left and right shift + of (negative) integers into a small number of places and + provide a means to have UBSAN ignore this ugliness. (Michael + Adams) + + Fixed an integral type promotion problem by adding a JAS_CAST. + Modified the jpc_tsfb_synthesize function so that it will be a + noop for an empty sequence (in order to avoid dereferencing a + null pointer). (Michael Adams) + + Added some extra debugging log messages for memory + allocation/deallocation. (Michael Adams) + + The RCT and ICT require at least three components. Previously, + this was enforced with an assertion. Now, the assertion has + been replaced with a proper error check. (Michael Adams) + + The member (pi) in tiles was not properly initialized. This is + now corrected. Also, each tile is now only cleaned up once. + (Michael Adams) + + Initialize uninitialized variable. (Michael Adams) + + Added some options to configure for enabling various code + sanitizers. (Michael Adams) + + Added some range checks on parameters in some JPC marker + segments. (Michael Adams) + + Fixed potential integer overflow problem. (Michael Adams) + + Added some functions for safe integer arithmetic (for size_t) + in jas_math.h. (Michael Adams) + + Fixed some indentation issues. (Michael Adams) + + Converted a few raw mallocs to use jas_alloc2. Added code in + the jas_* memory allocation/deallocation functions to generate + debugging log messages. Only disable JAS_DBGLOG message if + NDEBUG is defined. (Michael Adams) + + Added more error/log messages for debugging in the JPEG + decoder. 
(Michael Adams) + + Added some extra log messages for debugging. Added check of + value returned by jas_matrix_create. (Michael Adams) + + Applied fix for VPATH builds (Michael Adams) + + Did some configure.ac cleanup (Michael Adams) + + Fixed 'inline' for older version of Visual Studio. (dirk) + + Fix a potential double fclose of a FILE* in the JPEG decoder. + (Michael Adams) + + Changed jas_types.h to assume that header files required by + the C99 standard are present. (Michael Adams) + + Incorporated changes from patch + jasper-1.900.3-libjasper-stepsizes-overflow.patch (Michael + Adams) + + Incorporated changes from patch + jasper-1.900.3-CVE-2011-4516-CVE-2011-4517-CERT-VU-887409.patch + (Michael Adams) + + Incorporated changes from patch + jasper-1.900.3-Coverity-RESOURCE_LEAK.patch (Michael Adams) + + Incorporated patch jasper-1.900.3-Coverity-NULL_RETURNS.patch + (Michael Adams) + + Fixed memory leak in jiv. (Michael Adams) + + Fixed a sanitizer failure in the BMP codec (bsc#1005084, + CVE-2016-8690). Also, added a --debug-level command line + option to the imginfo command for debugging purposes. + (Michael Adams) + + Added some missing type casts to ensure promotion to the + correct unsigned type to avoid undefined behavior (and stop + warnings from USAN). (Michael Adams) + + Fixed a linking problem with newer versions of GCC. (Michael + Adams) + + Changed --enable-debug configure option to enable some GCC + sanitizers. (Michael Adams) + + Added range check on XRsiz and YRsiz fields of SIZ marker + segment (bsc#1005090, CVE-2016-8691, CVE-2016-8692). (Michael + Adams) + + At many places in the code, jas_malloc or jas_recalloc was + being invoked with the size argument being computed in a + manner that would not allow integer overflow to be detected. + Now, these places in the code have been modified to use + special-purpose memory allocation functions (e.g., jas_alloc2, + jas_alloc3, jas_realloc2) that check for overflow. 
+ (Michael Adams) + + Add fixes for CVE-2014-8137. (Michael Adams) + + Added fix for CVE-2016-2089. (Michael Adams) + + Moved abort into default case of switch statement. (Michael + Adams) + + Remove auto-generated file aclocal.m4 from repository. + (Michael Adams) + + Removed HAVE_VLA stuff from various configuration and build + files. Also, changed a few INCLUDES to AM_CPPFLAGS in automake + files (since INCLUDES is deprecated). (Michael Adams) + + 1.701.0-GL (Richard Hughes) + + pkgconfig (Richard Hughes) + + Coverity-UNREACHABLE (Richard Hughes) + + CVE-2016-1867 (Richard Hughes) + + CVE-2014-9029 (Richard Hughes) + + CVE-2014-8158 (Richard Hughes) + + CVE-2014-8157 (Richard Hughes) + + CVE-2014-8138 (Richard Hughes) + + CVE-2015-5221 (Richard Hughes) + + CVE-2016-2116 (Richard Hughes) + + Coverity-FORWARD_NULL (Richard Hughes) + + jpc_dec.c (Richard Hughes) + + Coverity-CHECKED_RETURN (Richard Hughes) + + CVE-2016-1577 (Richard Hughes) + + Coverity-UNUSED_VALUE (Richard Hughes) + + Coverity-BAD_SIZEOF (Richard Hughes) + + CVE-2008-3522 (Richard Hughes) +- Removed patches: + * jasper-1.900.1-bug258253.patch + * jasper-1.900.1-bug392410.patch + * jasper-1.900.1-no-undef-true-false.patch + * jasper-1.900.1-bug725758.patch + * jasper-overflow-bnc906364.patch + * jasper-CVE-2014-8137.patch + * jasper-CVE-2014-8138.patch + * jasper-CVE-2014-8157.patch + * jasper-CVE-2014-8158.patch ++++ 7 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/jasper/jasper.changes ++++ and /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes Old: ---- jasper-1.900.1-bug258253.patch jasper-1.900.1-bug392410.patch jasper-1.900.1-bug725758.patch jasper-1.900.1-no-undef-true-false.patch jasper-1.900.1.zip jasper-CVE-2014-8137.patch jasper-CVE-2014-8138.patch jasper-CVE-2014-8157.patch jasper-CVE-2014-8158.patch jasper-CVE-2016-1867.patch jasper-CVE-2016-2089.patch jasper-jpc_dec.patch jasper-overflow-bnc906364.patch New: ---- jasper-1.900.14.tar.bz2 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jasper.spec ++++++ --- /var/tmp/diff_new_pack.o471YF/_old 2016-10-28 10:42:58.000000000 +0200 +++ /var/tmp/diff_new_pack.o471YF/_new 2016-10-28 10:42:58.000000000 +0200 @@ -20,30 +20,16 @@ BuildRequires: gcc-c++ BuildRequires: libdrm-devel BuildRequires: libjpeg-devel -BuildRequires: libtool BuildRequires: unzip Url: http://www.ece.uvic.ca/~mdadams/jasper/ -Version: 1.900.1 +Version: 1.900.14 Release: 0 Summary: An Implementation of the JPEG-2000 Standard, Part 1 License: SUSE-Public-Domain Group: Productivity/Graphics/Convertors -Source: http://www.ece.uvic.ca/~frodo/jasper/software/%{name}-%{version}.zip +Source: %{name}-%{version}.tar.bz2 Source2: baselibs.conf -Patch: %{name}-%{version}-uninitialized.patch -Patch2: %{name}-%{version}-bug258253.patch -Patch3: %{name}-%{version}-bug392410.patch -Patch4: %{name}-%{version}-no-undef-true-false.patch -Patch5: jasper-1.900.1-bug725758.patch -Patch6: jasper-overflow-bnc906364.patch -Patch7: jasper-CVE-2014-8137.patch -Patch8: jasper-CVE-2014-8138.patch -Patch9: jasper-CVE-2014-8157.patch -Patch10: jasper-CVE-2014-8158.patch -# PATCH-FIX-UPSTREAM jasper-jpc_dec.patch deb#469786 [email protected] -- Fix failure when manipulating images with 4 component color using reversible color translation (patch taken from Fedora) -Patch11: jasper-jpc_dec.patch -Patch12: jasper-CVE-2016-1867.patch -Patch13: jasper-CVE-2016-2089.patch +Patch: jasper-1.900.1-uninitialized.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -53,8 +39,8 @@ %package -n libjasper1 Summary: JPEG-2000 library -Group: Productivity/Graphics/Convertors # bug437293 +Group: Productivity/Graphics/Convertors %ifarch ppc64 Obsoletes: libjasper-64bit %endif 
@@ -69,8 +55,8 @@ %package -n libjasper-devel Summary: JPEG-2000 library - files mandatory for development -Group: Development/Libraries/C and C++ # bug437293 +Group: Development/Libraries/C and C++ %ifarch ppc64 Obsoletes: libjasper-devel-64bit %endif @@ -85,22 +71,9 @@ %prep %setup -q %patch -%patch2 -%patch3 -%patch4 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 %build -autoreconf -i -f -export CFLAGS="$RPM_OPT_FLAGS -Wall" +export CFLAGS="$RPM_OPT_FLAGS -Wall -std=c99" %configure --prefix=/usr --enable-shared --disable-static --libdir=%{_libdir} make %{?jobs:-j%jobs} @@ -132,5 +105,6 @@ /usr/include/jasper %{_libdir}/libjasper.so %{_libdir}/libjasper.la +%{_libdir}/pkgconfig/jasper.pc %changelog
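Review bot: In the jasper.changes hunk, the 1.900.13 entries credited to Richard Hughes ("+ CVE-2016-1867", "+ CVE-2014-9029", "+ 1.701.0-GL", "+ pkgconfig", "+ jpc_dec.c" and the rest of that run) are bare labels with no bsc# reference and no description, unlike the 1.900.14 security list, where every CVE is paired with its bug number. Please add the matching bsc# to each CVE that has one and a short phrase to the non-CVE labels, so that each fix can be traced from the changelog alone.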
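Review bot: In the jasper.spec preamble hunk (@@ -20,30 +20,16 @@), Source changes from a full upstream URL to the bare file name %{name}-%{version}.tar.bz2, so the spec no longer records where the 1.900.14 tarball came from and the archive cannot be compared against an upstream download. Please give Source as a full URL for the release archive. The same hunk keeps BuildRequires: unzip although the source is no longer a .zip; drop it if nothing else in the build uses it.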
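Review bot: In the libjasper1 and libjasper-devel package hunks (@@ -53,8 +39,8 @@ and @@ -69,8 +55,8 @@), moving Group below the "# bug437293" comment separates that comment from the %ifarch ppc64 Obsoletes block it sat directly above before this change, so it now reads as a note on the Group tag. Keep the comment immediately above %ifarch ppc64, or leave Group where it was.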
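Review bot: In the %prep/%build hunk (@@ -85,22 +71,9 @@), CFLAGS gains -std=c99 with no comment saying why. With GCC this selects strict ISO C, which defines __STRICT_ANSI__ and makes the glibc headers hide POSIX and GNU declarations unless a feature-test macro is set, so with -Wall already on the line the build log should be checked for implicit-declaration warnings. If strict mode is not required, -std=gnu99 is the safer choice; either way, add a one-line comment in the spec explaining the flag.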
