Hello community,

here is the log from the commit of package netpbm for openSUSE:Factory checked in at 2018-07-04 23:51:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/netpbm (Old)
 and /work/SRC/openSUSE:Factory/.netpbm.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "netpbm" Wed Jul 4 23:51:59 2018 rev:63 rq:619410 version:10.82.2 Changes: -------- --- /work/SRC/openSUSE:Factory/netpbm/netpbm.changes 2018-01-02 16:33:09.069221524 +0100 +++ /work/SRC/openSUSE:Factory/.netpbm.new/netpbm.changes 2018-07-04 23:53:25.844004713 +0200 
@@ -1,0 +2,50 @@ +Wed Jun 27 14:04:30 UTC 2018 - [email protected] + +- security update + * CVE-2018-8975 [bsc#1086777] + + netpbm-CVE-2018-8975.patch + +------------------------------------------------------------------- +Wed Jun 27 11:38:22 UTC 2018 - [email protected] + +- updated to 10.82.2 + * Pngtopam: Fix bogus warning of non-square pixels when image does + not contain pixel resolution information. Introduced in Netpbm + 10.48 (September 2009) + * ilbmtoppm: Fix bug: may fail with bogus error message about an + invalid CLUT chunk if image has a CLUT chunk. Introduced after + Netpbm 10.26 (January 2005) and at or before Netpbm 10.35 + (August 2006). + * pbmtext: Add -wchar. + * pbmtext: Add -text-dump option. + * ppmhist: Add color summary to top of output, (except with + -noheader). + * pnmremap: Add -randomseed. + * pnmquant: Add -norandom, -randomseed. + * pamtogif: Add -noclear option. + * giftopnm: Check "data width" value from GIF image properly: + can't be bigger than 11, because the minimum code size is one + more than the data width and the maximum code size is 12. (Note + that GIF spec prohibits anything more than 8). + * pnmpsnr: Add -targetX options. + * ppmrainbow: Add "ppmrainbow: " to error messages, like other + programs. + * ppmrainbow: improve error message. + * g3topbm: Fix bug - produces invalid empty PBM image if input + image is empty. + * ppmpat: Fix bug - crash or junk output with -camo or -anticamo + and no -color. Introduced in Netpbm 10.78 (March 2017). + * mrftopbm: Fix bug - wrong error messages or output when input + invalidly short. Always broken (mrftopbm was new in Netpbm + 10.18 (September 2003). + * sldtoppm: -lib and -dir don't work - always says slide not + found. Broken in Netpbm 10.63 (June 2013). + * sldtoppm: fix bug: says AutoCAD slide file isn't an AutoCAD + slide file. Broken after Netpbm 10.26 (January 2005), but no + later than 10.35 (August 2006). 
+ * sldtoppm: fix bug: wild memory accesses, weird messages when + invalid input file has unterminated strings. +- refreshed netpbm-security-code.patch +- fixed prepare-src-tarball update script + +------------------------------------------------------------------- Old: ---- netpbm-10.80.1-documentation.tar.bz2 netpbm-10.80.1-nohpcdtoppm-noppmtompeg.tar.bz2 New: ---- netpbm-10.82.2-documentation.tar.bz2 netpbm-10.82.2-nohpcdtoppm-noppmtompeg.tar.bz2 netpbm-CVE-2018-8975.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netpbm.spec ++++++ --- /var/tmp/diff_new_pack.X9cBqu/_old 2018-07-04 23:53:26.804003653 +0200 +++ /var/tmp/diff_new_pack.X9cBqu/_new 2018-07-04 23:53:26.804003653 +0200 @@ -1,7 +1,7 @@ # # spec file for package netpbm # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,13 +17,13 @@ %define libmaj 11 -%define libmin 80 +%define libmin 82 %define libver %{libmaj}.%{libmin} Name: netpbm -Version: 10.80.1 +Version: 10.82.2 Release: 0 Summary: A Powerful Graphics Conversion Package -License: BSD-3-Clause AND GPL-2.0+ AND IJG AND MIT AND SUSE-Public-Domain +License: BSD-3-Clause AND GPL-2.0-or-later AND IJG AND MIT AND SUSE-Public-Domain Group: Productivity/Graphics/Convertors Url: http://netpbm.sourceforge.net/ Source: netpbm-%{version}-nohpcdtoppm-noppmtompeg.tar.bz2 @@ -37,6 +37,7 @@ Patch5: %{name}-security-scripts.patch Patch6: %{name}-gcc-warnings.patch Patch7: makeman-py3.patch +Patch8: netpbm-CVE-2018-8975.patch BuildRequires: flex BuildRequires: libjasper-devel BuildRequires: libjpeg-devel 
@@ -89,6 +90,7 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 mkdir pnmtopalm # for %%doc pnmtopalm cp -p converter/other/pnmtopalm/{LICENSE,README} pnmtopalm ++++++ netpbm-10.80.1-documentation.tar.bz2 -> netpbm-10.82.2-documentation.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/netpbm/netpbm-10.80.1-documentation.tar.bz2 /work/SRC/openSUSE:Factory/.netpbm.new/netpbm-10.82.2-documentation.tar.bz2 differ: char 11, line 1 ++++++ netpbm-10.80.1-nohpcdtoppm-noppmtompeg.tar.bz2 -> netpbm-10.82.2-nohpcdtoppm-noppmtompeg.tar.bz2 ++++++ ++++ 10451 lines of diff (skipped) ++++++ netpbm-CVE-2018-8975.patch ++++++ Index: netpbm-10.82.2/editor/pbmmask.c =================================================================== --- netpbm-10.82.2.orig/editor/pbmmask.c 2018-06-27 13:03:00.431710863 +0200 +++ netpbm-10.82.2/editor/pbmmask.c 2018-06-27 15:45:40.194531538 +0200 @@ -144,6 +144,12 @@ main(int argc, char * argv[]) { bits = pbm_readpbm( ifp, &cols, &rows ); pm_close( ifp ); + if (cols <= 0 || rows <= 0) + { + pm_error("invalid width or height"); + free(bits); + return 0; + } mask = pbm_allocarray( cols, rows ); /* Clear out the mask. */ ++++++ netpbm-security-code.patch ++++++ ++++ 1234 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/netpbm/netpbm-security-code.patch ++++ and /work/SRC/openSUSE:Factory/.netpbm.new/netpbm-security-code.patch ++++++ prepare-src-tarball ++++++ --- /var/tmp/diff_new_pack.X9cBqu/_old 2018-07-04 23:53:27.848002500 +0200 +++ /var/tmp/diff_new_pack.X9cBqu/_new 2018-07-04 23:53:27.852002495 +0200 @@ -7,7 +7,7 @@ rm -rf REMOVE mkdir REMOVE cd REMOVE -svn checkout http://netpbm.svn.sourceforge.net/svnroot/netpbm/advanced netpbm +svn checkout https://svn.code.sf.net/p/netpbm/code/advanced/ netpbm VER=`echo \`cut -f2 -d= netpbm*/version.mk \`|sed -e "s| |.|g"` mv netpbm* netpbm-$VER
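Review bot: In the netpbm.changes hunk, the CVE-2018-8975 entry gives only the bug number and the patch file name and does not say which program or what kind of input the fix covers, so a reader has to open the patch to learn that it adds a width/height check in editor/pbmmask.c. Suggest adding one line to the entry, for example "pbmmask: reject images with non-positive width or height". Separately, the mrftopbm item in the 10.82.2 list has an unbalanced parenthesis: "(mrftopbm was new in Netpbm 10.18 (September 2003)." is missing its closing ")".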
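Review bot: In the netpbm.spec hunk at @@ -37,6 +37,7 @@, Patch8 spells out the package name while Patch5 and Patch6 directly above it use the %{name} macro. Suggest `Patch8: %{name}-CVE-2018-8975.patch` so the patch list stays consistent and a security patch is easy to pick out by the same pattern as netpbm-security-code.patch and netpbm-security-scripts.patch.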
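Review bot: In the netpbm-CVE-2018-8975.patch hunk for editor/pbmmask.c, the new error branch after pbm_readpbm() ends in `return 0;`, so if control ever reaches that line the program reports success for an image it has just rejected, and it releases `bits` with plain `free()` although `bits` is the row array handed back by pbm_readpbm(), whose matching release is pbm_freearray(bits, rows). pm_error() in Netpbm terminates the program instead of returning, which makes both lines dead code; suggest reducing the branch to the pm_error() call alone, and putting the rejected values in the message, e.g. `pm_error("invalid width or height: %d x %d", cols, rows);`. The opening brace on its own line also differs from the surrounding style visible in the hunk header (`main(int argc, char * argv[]) {`).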
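Review bot: In the prepare-src-tarball hunk, the `svn checkout` of .../code/advanced/ still takes whatever the branch head is at the time the script runs, with no `-r` revision, so the tree that VER and the tarball are derived from cannot be reproduced or audited afterwards; moving from http to https protects the transport but does not fix which revision gets packaged. Suggest passing an explicit revision (`svn checkout -r <REV> https://svn.code.sf.net/p/netpbm/code/advanced/ netpbm`) and recording that revision in netpbm.changes next to the version.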
