Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2026-03-06 18:16:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new.561 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jasper" Fri Mar 6 18:16:11 2026 rev:37 rq:1336791 version:4.2.9 Changes: -------- --- /work/SRC/openSUSE:Factory/jasper/jasper.changes 2025-08-15 21:52:45.209849026 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new.561/jasper.changes 2026-03-06 18:16:16.726386740 +0100 @@ -1,0 +2,7 @@ +Thu Mar 5 17:06:27 UTC 2026 - Michael Vetter <[email protected]> + +- Update to 4.2.9: + * Fix a bug in the JP2 encoder that caused incorrect handling of + opacity components in some cases. (#392) + +------------------------------------------------------------------- Old: ---- version-4.2.8.tar.gz New: ---- version-4.2.9.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jasper.spec ++++++ --- /var/tmp/diff_new_pack.y4Pa83/_old 2026-03-06 18:16:17.638424772 +0100 +++ /var/tmp/diff_new_pack.y4Pa83/_new 2026-03-06 18:16:17.638424772 +0100 @@ -1,7 +1,7 @@ # # spec file for package jasper # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ %global __builddir obs_build Name: jasper -Version: 4.2.8 +Version: 4.2.9 Release: 0 Summary: An Implementation of the JPEG-2000 Standard, Part 1 License: JasPer-2.0 ++++++ version-4.2.8.tar.gz -> version-4.2.9.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-4.2.8/CMakeLists.txt new/jasper-version-4.2.9/CMakeLists.txt --- old/jasper-version-4.2.8/CMakeLists.txt 2025-08-06 05:55:34.000000000 +0200 +++ new/jasper-version-4.2.9/CMakeLists.txt 2026-03-05 16:38:42.000000000 +0100 
@@ -12,7 +12,7 @@ # The major, minor, and micro version numbers of the project. set(JAS_VERSION_MAJOR 4) set(JAS_VERSION_MINOR 2) -set(JAS_VERSION_PATCH 8) +set(JAS_VERSION_PATCH 9) # The shared library versioning information. # Guidelines on how to change this information can be found below. @@ -382,6 +382,8 @@ add_c_compile_options(/wd4996) # allow some kinds of narrowing conversions add_c_compile_options(/wd4267) + # ~ zero extending to type of greater size + add_c_compile_options(/wd4319) if(JAS_STRICT) # Treat all compiler warnings as errors. add_c_compile_options(/WX) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-4.2.8/NEWS.txt new/jasper-version-4.2.9/NEWS.txt --- old/jasper-version-4.2.8/NEWS.txt 2025-08-06 05:55:34.000000000 +0200 +++ new/jasper-version-4.2.9/NEWS.txt 2026-03-05 16:38:42.000000000 +0100 
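Review bot: The added `add_c_compile_options(/wd4319)` switches off MSVC warning C4319 for every C source in the build, not only for the code that triggered it. That warning reports `~` applied to a narrower operand whose result is then zero-extended, a common way for a mask to lose its high bits in size and offset arithmetic, so silencing it project-wide also hides any future instance in the codecs. I would cast at the offending expressions or scope the suppression there with `#pragma warning(suppress: 4319)`. At minimum the comment should name the source that needs it, e.g. `# C4319: '~' zero-extending to a larger type (triggered in <file>)`. The enclosing MSVC branch starts and ends outside the hunk.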
@@ -1,20 +1,26 @@ +4.2.9 (2026-03-05) +================== + +* Fixed a bug in the JP2 encoder that caused incorrect handling of + opacity components in some cases. + 4.2.8 (2025-08-05) ================== * Fixed a bug in the JPC decoder that could cause bad memory accesses - if the debug level is set sufficiently high (#402, #403). + if the debug level is set sufficiently high (#402, #403) (CVE-2025-8837). 4.2.7 (2025-08-02) ================== * Added some missing range checking on several coding parameters in the - JPC encoder (#401). + JPC encoder (#401) (CVE-2025-8836). 4.2.6 (2025-08-02) ================== * Added a check for a missing color component in the jas_image_chclrspc - function (#400). + function (#400) (CVE-2025-8835). * Fixed a minor build problem related to the use of -Wstrict-prototypes with Clang. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-4.2.8/build/cmake/modules/JasPerConfig.cmake.in new/jasper-version-4.2.9/build/cmake/modules/JasPerConfig.cmake.in --- old/jasper-version-4.2.8/build/cmake/modules/JasPerConfig.cmake.in 2025-08-06 05:55:34.000000000 +0200 +++ new/jasper-version-4.2.9/build/cmake/modules/JasPerConfig.cmake.in 2026-03-05 16:38:42.000000000 +0100 
@@ -1,5 +1,14 @@ @PACKAGE_INIT@ -set(JasPer_FOUND TRUE) +INCLUDE(CMakeFindDependencyMacro) -include("${CMAKE_CURRENT_LIST_DIR}/JasPerTargets.cmake") +# Ensure that the JPEG::JPEG imported target is defined (if appropriate). +IF(@JAS_INCLUDE_JPG_CODEC@) + FIND_DEPENDENCY(JPEG) +ENDIF() + +# Mark the JasPer library as found. +SET(JasPer_FOUND TRUE) + +# Include the exported targets. +INCLUDE("${CMAKE_CURRENT_LIST_DIR}/JasPerTargets.cmake") Binary files old/jasper-version-4.2.8/data/test/good/392-rgba.jp2 and new/jasper-version-4.2.9/data/test/good/392-rgba.jp2 differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-4.2.8/src/libjasper/CMakeLists.txt new/jasper-version-4.2.9/src/libjasper/CMakeLists.txt --- old/jasper-version-4.2.8/src/libjasper/CMakeLists.txt 2025-08-06 05:55:34.000000000 +0200 +++ new/jasper-version-4.2.9/src/libjasper/CMakeLists.txt 2026-03-05 16:38:42.000000000 +0100 @@ -168,16 +168,6 @@ ${libjasper_ras_sources} ) -if(JAS_ENABLE_CMAKE_PACKAGE_CONFIG) - install(TARGETS libjasper - EXPORT JasPerTargets - ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR} - LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} - RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} - INCLUDES DESTINATION ${CMAKE_INSTALL_INCLUDEDIR} - ) -endif() - # The JasPer include directories in the source and build tree must be included # before any other directories that may contain the include directory for an # already installed version of the JasPer library. 
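Review bot: `IF(@JAS_INCLUDE_JPG_CODEC@)` depends on the substitution always producing a value; should the variable be unset when this template is configured, the installed file is left with an empty condition. Quoting it, `if("@JAS_INCLUDE_JPG_CODEC@")`, keeps the generated file well-formed either way. The variable presumably records whether the JPEG codec was actually built in rather than merely requested; if the two can differ, consumers would be asked for a JPEG package that the exported targets never reference, which is worth confirming. The new commands are also uppercase while the lines they replace were lowercase, so `include(CMakeFindDependencyMacro)`, `find_dependency(JPEG)` and `set(JasPer_FOUND TRUE)` would keep the file's earlier style.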
@@ -226,6 +216,17 @@ NO_EXPORT_MACRO_NAME JAS_LOCAL ) +if(JAS_ENABLE_CMAKE_PACKAGE_CONFIG) + #install(TARGETS libjasper ${JAS_LIBJPEG_TARGET} + install(TARGETS libjasper + EXPORT JasPerTargets + ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR} + LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} + RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} + INCLUDES DESTINATION ${CMAKE_INSTALL_INCLUDEDIR} + ) +endif() + install(TARGETS libjasper RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-4.2.8/src/libjasper/base/jas_stream.c new/jasper-version-4.2.9/src/libjasper/base/jas_stream.c --- old/jasper-version-4.2.8/src/libjasper/base/jas_stream.c 2025-08-06 05:55:34.000000000 +0200 +++ new/jasper-version-4.2.9/src/libjasper/base/jas_stream.c 2026-03-05 16:38:42.000000000 +0100 @@ -707,11 +707,22 @@ { char *bufptr = buf; + /* + TODO/NOTE: + Changing the return type from unsigned to size_t would break ABI. + So, to avoid the possibility that n (which is of type size_t) could + overflow the return value (which is of type unsigned) we add the + following check. + */ + if (cnt > UINT_MAX) { + return 0; + } + const size_t n = jas_stream_read(stream, bufptr, cnt); /* Put the characters read back onto the stream. */ - for (size_t i = n; i-- > 0;) { - if (jas_stream_ungetc(stream, bufptr[i]) == EOF) { + for (size_t i = n; i > 0; --i) { + if (jas_stream_ungetc(stream, bufptr[i - 1]) == EOF) { return 0; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-4.2.8/src/libjasper/jp2/jp2_cod.c new/jasper-version-4.2.9/src/libjasper/jp2/jp2_cod.c --- old/jasper-version-4.2.8/src/libjasper/jp2/jp2_cod.c 2025-08-06 05:55:34.000000000 +0200 +++ new/jasper-version-4.2.9/src/libjasper/jp2/jp2_cod.c 2026-03-05 16:38:42.000000000 +0100 
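Review bot: The re-added block carries a commented-out alternative, `#install(TARGETS libjasper ${JAS_LIBJPEG_TARGET}`, directly above the live `install(TARGETS libjasper` line. Dead code in an install rule leaves readers guessing which targets end up in the JasPerTargets export. Either delete the line or replace it with a sentence saying why the JPEG target is deliberately not exported (presumably because the package config file now resolves it for consumers). libjasper is also installed a second time by the unconditional `install(TARGETS libjasper` in the trailing context, which continues past the end of the hunk, so a short comment on how the two rules relate would help.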
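Review bot: The new `if (cnt > UINT_MAX) { return 0; }` guard makes an oversized request indistinguishable from a read that produced no data, since both yield 0. A caller that treats 0 as end of stream will silently mishandle the rejected request, so the contract belongs in the function's header comment, for example `/* Returns 0 if cnt exceeds UINT_MAX; nothing is read in that case. */`. The early `return 0` inside the unget loop has a related gap: when `jas_stream_ungetc` fails part-way, the bytes not yet pushed back stay consumed and the return value does not tell the caller that the stream position moved. `UINT_MAX` needs `<limits.h>`; the include list is outside the hunk, as are the function's signature and closing lines.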
@@ -483,7 +483,7 @@ return -1; } #endif - if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(uint_fast8_t)))) { + if (!(colr->iccp = jas_alloc2(colr->iccplen, sizeof(jas_uchar)))) { return -1; } if (jas_stream_read(in, colr->iccp, colr->iccplen) != colr->iccplen) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-4.2.8/src/libjasper/jp2/jp2_cod.h new/jasper-version-4.2.9/src/libjasper/jp2/jp2_cod.h --- old/jasper-version-4.2.8/src/libjasper/jp2/jp2_cod.h 2025-08-06 05:55:34.000000000 +0200 +++ new/jasper-version-4.2.9/src/libjasper/jp2/jp2_cod.h 2026-03-05 16:38:42.000000000 +0100 @@ -177,7 +177,7 @@ uint_fast8_t pri; uint_fast8_t approx; uint_fast32_t csid; - uint_fast8_t *iccp; + jas_uchar *iccp; size_t iccplen; /* XXX - Someday we ought to add ICC profile data here. */ } jp2_colr_t; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-4.2.8/src/libjasper/jp2/jp2_enc.c new/jasper-version-4.2.9/src/libjasper/jp2/jp2_enc.c --- old/jasper-version-4.2.8/src/libjasper/jp2/jp2_enc.c 2025-08-06 05:55:34.000000000 +0200 +++ new/jasper-version-4.2.9/src/libjasper/jp2/jp2_enc.c 2026-03-05 16:38:42.000000000 +0100 @@ -297,7 +297,7 @@ needcdef = 1; switch (jas_clrspc_fam(jas_image_clrspc(image))) { case JAS_CLRSPC_FAM_RGB: - if (jas_image_numcmpts(image) >= 3 && + if (jas_image_numcmpts(image) == 3 && jas_image_cmpttype(image, 0) == JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_RGB_R) && jas_image_cmpttype(image, 1) == @@ -307,7 +307,7 @@ needcdef = 0; break; case JAS_CLRSPC_FAM_YCBCR: - if (jas_image_numcmpts(image) >= 3 && + if (jas_image_numcmpts(image) == 3 && jas_image_cmpttype(image, 0) == JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_YCBCR_Y) && jas_image_cmpttype(image, 1) == 
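Review bot: The allocation size in `jas_alloc2(colr->iccplen, sizeof(jas_uchar))` is still spelled independently of the field's declared type, which is the pairing this commit had to correct in both jp2_cod.c and jp2_cod.h. Writing `jas_alloc2(colr->iccplen, sizeof(*colr->iccp))` ties the element size to the pointer so the two cannot drift apart again. When the following `jas_stream_read` check fails, the function returns -1 with `colr->iccp` already allocated; freeing it presumably falls to the box's destroy routine, which is outside the hunk and worth confirming. The surrounding function starts and ends outside the hunk.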
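Review bot: The switch from `>= 3` to `== 3` in the RGB and YCBCR cases, and from `>= 1` to `== 1` in the GRAY case of the next hunk, has no comment saying why an exact count is required. Going by the NEWS entry, the reason seems to be that any component beyond the colour channels, such as opacity, has to be described by a CDEF box, so `needcdef` may only be cleared when there are no extra components. A comment above the switch such as `/* The CDEF box can be omitted only if the image has exactly the colour components, in the standard order. */` would stop the test from being relaxed again. The regression image 392-rgba.jp2 is added as a binary file, but the test that consumes it is not visible in this diff.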
@@ -317,7 +317,7 @@ needcdef = 0; break; case JAS_CLRSPC_FAM_GRAY: - if (jas_image_numcmpts(image) >= 1 && + if (jas_image_numcmpts(image) == 1 && jas_image_cmpttype(image, 0) == JAS_IMAGE_CT_COLOR(JAS_IMAGE_CT_GRAY_Y)) needcdef = 0; @@ -341,7 +341,8 @@ for (unsigned i = 0; i < jas_image_numcmpts(image); ++i) { cdefchanent = &cdef->ents[i]; cdefchanent->channo = i; - typeasoc = jp2_gettypeasoc(jas_image_clrspc(image), jas_image_cmpttype(image, i)); + typeasoc = jp2_gettypeasoc(jas_image_clrspc(image), + jas_image_cmpttype(image, i)); cdefchanent->type = typeasoc >> 16; cdefchanent->assoc = typeasoc & 0x7fff; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-4.2.8/test/src/CMakeLists.txt new/jasper-version-4.2.9/test/src/CMakeLists.txt --- old/jasper-version-4.2.8/test/src/CMakeLists.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/jasper-version-4.2.9/test/src/CMakeLists.txt 2026-03-05 16:38:42.000000000 +0100 @@ -0,0 +1,10 @@ +cmake_minimum_required(VERSION 3.20) + +project(test_app LANGUAGES C) + +find_package(JasPer CONFIG REQUIRED) + +add_executable(app app.c) +target_link_libraries(app JasPer::libjasper) + +install(CODE "message(STATUS \"Dummy install target executed.\")") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-4.2.8/test/src/app.c new/jasper-version-4.2.9/test/src/app.c --- old/jasper-version-4.2.8/test/src/app.c 1970-01-01 01:00:00.000000000 +0100 +++ new/jasper-version-4.2.9/test/src/app.c 2026-03-05 16:38:42.000000000 +0100 
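Review bot: `target_link_libraries(app JasPer::libjasper)` in the new test/src/CMakeLists.txt uses the keyword-less signature; `target_link_libraries(app PRIVATE JasPer::libjasper)` states the visibility explicitly and avoids the legacy semantics. This project appears to exist to check that the installed package config works for an external consumer. If so, a comment at the top saying that `find_package(JasPer CONFIG REQUIRED)` is the thing under test would make a failure here easier to interpret.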
@@ -0,0 +1,28 @@
+/******************************************************************************\
+* Includes.
+\******************************************************************************/
+
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <jasper/jasper.h>
+
+/******************************************************************************\
+* Some dummy code.
+\******************************************************************************/
+
+int main(int argc, char **argv)
+{
+ jas_conf_clear();
+ if (jas_init_library()) {
+ fprintf(stderr, "cannot initialize JasPer library\n");
+ return EXIT_FAILURE;
+ }
+ if (jas_init_thread()) {
+ fprintf(stderr, "cannot initialize thread\n");
+ return EXIT_FAILURE;
+ }
+ jas_cleanup_thread();
+ jas_cleanup_library();
+ return 0;
+}
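Review bot: When `jas_init_thread()` fails, `main` returns without calling `jas_cleanup_library()`, although `jas_init_library()` has already succeeded at that point. Adding `jas_cleanup_library();` before that `return EXIT_FAILURE;` keeps initialisation and teardown symmetrical, which matters because minimal programs like this one tend to be copied by consumers. `argc` and `argv` are unused, so `int main(void)` avoids unused-parameter warnings under strict flags, and the final `return 0;` could be `return EXIT_SUCCESS;` to match the failure paths.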
