Hello community, here is the log from the commit of package jasper.3361 for openSUSE:13.1:Update checked in at 2015-01-14 14:45:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/jasper.3361 (Old) and /work/SRC/openSUSE:13.1:Update/.jasper.3361.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jasper.3361" Changes: -------- New Changes file: --- /dev/null 2014-12-25 22:38:16.200041506 +0100 +++ /work/SRC/openSUSE:13.1:Update/.jasper.3361.new/jasper.changes 2015-01-14 14:45:36.000000000 +0100 @@ -0,0 +1,165 @@ +------------------------------------------------------------------- +Mon Dec 22 15:18:07 UTC 2014 - nadvor...@suse.com + +- fixed CVE-2014-8137, CVE-2014-8137 (bnc#909474, bnc#909475) + +------------------------------------------------------------------- +Fri Dec 5 09:52:28 UTC 2014 - nadvor...@suse.com + +- jasper-overflow-bnc906364.patch: fixed possible overflow CVE-2014-9029 + (bnc#906364) + +------------------------------------------------------------------- +Wed Sep 11 08:01:48 UTC 2013 - pgaj...@suse.com + +- added no-undef-true-false.patch to fix [bnc#839584] + +------------------------------------------------------------------- +Thu Mar 28 10:34:19 UTC 2013 - mmeis...@suse.com + +- Added url as source. + Please see http://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- +Sat Jan 12 19:12:02 UTC 2013 - co...@suse.com + +- remove suse_update_config + +------------------------------------------------------------------- +Sun Nov 13 09:11:33 UTC 2011 - co...@suse.com + +- add libtool as explicit buildrequire to avoid implicit dependency from prjconf + +------------------------------------------------------------------- +Wed Oct 5 13:58:57 UTC 2011 - u...@suse.com + +- cross-build fix: use %configure macro + +------------------------------------------------------------------- +Mon Aug 2 08:20:13 UTC 2010 - co...@novell.com + +- fix baselibs.conf + +------------------------------------------------------------------- +Thu Jul 29 08:54:37 UTC 2010 - co...@novell.com + +- do not build the highlevel image viewer in a basic library + (in case someone needs it, we better do a 2nd spec file) +- follow shared library policy + +------------------------------------------------------------------- +Wed Dec 16 11:16:55 CET 2009 - jeng...@medozas.de + +- add baselibs.conf as a source +- enable parallel building + +------------------------------------------------------------------- +Tue Jan 13 12:34:56 CET 2009 - o...@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Wed Nov 12 15:22:43 CET 2008 - nadvor...@suse.cz + +- use the last version of the patches [bnc#392410] + +------------------------------------------------------------------- +Tue May 27 11:53:05 CEST 2008 - nadvor...@suse.cz + +- fixed multiple integer overflows [bnc#392410] + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - r...@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Thu Apr 19 13:42:54 CEST 2007 - nadvor...@suse.cz + +- updated to bugfix release 1.900.1 +- created libjasper-devel subpackage +- do not build static libs +- added compat symlink libjasper-1.701.so.1 -> libjasper.so.1.0.0 +- fixed various crashes on malformed input [#258253] + +------------------------------------------------------------------- +Mon May 22 13:49:45 CEST 2006 - pne...@suse.cz + +- fixed uninitialized varibale #176395 + added -uninitialzed.patch + +------------------------------------------------------------------- +Wed Jan 25 21:36:46 CET 2006 - m...@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Jun 14 18:24:09 CEST 2004 - sbra...@suse.cz + +- Updated to version 1.701.0. + +------------------------------------------------------------------- +Thu Feb 05 18:35:27 CET 2004 - sbra...@suse.cz + +- Updated to version 1.700.5. + +------------------------------------------------------------------- +Sat Jan 10 16:16:47 CET 2004 - adr...@suse.de + +- add %run_ldconfig + +------------------------------------------------------------------- +Thu Jul 24 12:59:07 CEST 2003 - nadvor...@suse.cz + +- updated to 1.700.2 + +------------------------------------------------------------------- +Mon May 12 01:35:59 CEST 2003 - r...@suse.de + +- added libstdc++-devel to neededforbuild + +------------------------------------------------------------------- +Wed Oct 23 21:50:26 CEST 2002 - u...@suse.de + +- update -> 1.600.0 (improved support for the JP2 format, new + application program "jiv" (simple image viewer), improved support + for the PNM family of formats, numerous other minor bugs fixed) + +------------------------------------------------------------------- +Sat Aug 24 17:30:26 CEST 2002 - r...@suse.de + +- fix doc file section for new cp behaviour + +------------------------------------------------------------------- +Tue Jul 2 14:21:07 CEST 2002 - meiss...@suse.de + +- buildrooted, run autoreconf* + +------------------------------------------------------------------- +Thu Apr 18 18:25:48 CEST 2002 - s...@suse.de + +- added %{_libdir} to configure for lib/lib64 +- added %{suse_update_config} + +------------------------------------------------------------------- +Fri Jan 25 15:29:30 CET 2002 - u...@suse.de + +- update -> 1.500.4 (improved docs) + +------------------------------------------------------------------- +Thu Dec 6 12:31:42 CET 2001 - u...@suse.de + +- update -> 1.500.3 (fixes) + +------------------------------------------------------------------- +Thu Aug 16 15:25:08 CEST 2001 - u...@suse.de + +- build shared lib, too + +------------------------------------------------------------------- +Mon Jul 30 18:49:00 CEST 2001 - u...@suse.de + +- initial package + + New: ---- baselibs.conf jasper-1.900.1-bug258253.patch jasper-1.900.1-bug392410.patch jasper-1.900.1-no-undef-true-false.patch jasper-1.900.1-uninitialized.patch jasper-1.900.1.zip jasper-CVE-2014-8137.patch jasper-CVE-2014-8138.patch jasper-overflow-bnc906364.patch jasper.changes jasper.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jasper.spec ++++++ # # spec file for package jasper # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: jasper BuildRequires: gcc-c++ BuildRequires: libdrm-devel BuildRequires: libjpeg-devel BuildRequires: libtool BuildRequires: unzip Url: http://www.ece.uvic.ca/~mdadams/jasper/ Version: 1.900.1 Release: 0 Summary: An Implementation of the JPEG-2000 Standard, Part 1 License: SUSE-Public-Domain Group: Productivity/Graphics/Convertors Source: http://www.ece.uvic.ca/~frodo/jasper/software/%{name}-%{version}.zip Source2: baselibs.conf Patch: %{name}-%{version}-uninitialized.patch Patch2: %{name}-%{version}-bug258253.patch Patch3: %{name}-%{version}-bug392410.patch Patch4: %{name}-%{version}-no-undef-true-false.patch Patch5: jasper-overflow-bnc906364.patch Patch6: jasper-CVE-2014-8137.patch Patch7: jasper-CVE-2014-8138.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This package contains an implementation of the image compression standard, JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats. %package -n libjasper1 Summary: JPEG-2000 library Group: Productivity/Graphics/Convertors # bug437293 %ifarch ppc64 Obsoletes: libjasper-64bit %endif # used in <= 11.3 Obsoletes: libjasper Provides: libjasper # %description -n libjasper1 This package contains libjasper, a library implementing the JPEG-2000 image compression standard Part 1. %package -n libjasper-devel Summary: JPEG-2000 library - files mandatory for development Group: Development/Libraries/C and C++ # bug437293 %ifarch ppc64 Obsoletes: libjasper-devel-64bit %endif # Requires: libjasper1 = %{version} Requires: libjpeg-devel %description -n libjasper-devel This package contains libjasper, a library implementing the JPEG-2000 image compression standard Part 1. %prep %setup -q %patch %patch2 %patch3 %patch4 %patch5 -p1 %patch6 -p1 %patch7 -p1 %build autoreconf -i -f export CFLAGS="$RPM_OPT_FLAGS -Wall" %configure --prefix=/usr --enable-shared --disable-static --libdir=%{_libdir} make %{?jobs:-j%jobs} %install make install DESTDIR=$RPM_BUILD_ROOT mv doc/README doc/README.doc rm $RPM_BUILD_ROOT/usr/bin/tmrdemo # compatibility link, there was no interface change ln -s libjasper.so.1.0.0 $RPM_BUILD_ROOT%{_libdir}/libjasper-1.701.so.1 %post -n libjasper1 -p /sbin/ldconfig %postun -n libjasper1 -p /sbin/ldconfig %files %defattr(-,root,root) %doc COPYRIGHT INSTALL LICENSE NEWS README doc/* /usr/bin/imgcmp /usr/bin/imginfo /usr/bin/jasper %{_mandir}/man*/* %files -n libjasper1 %defattr(-,root,root) %{_libdir}/libjasper*.so.* %files -n libjasper-devel %defattr(-,root,root) /usr/include/jasper %{_libdir}/libjasper.so %{_libdir}/libjasper.la %changelog ++++++ baselibs.conf ++++++ libjasper1 ++++++ jasper-1.900.1-bug258253.patch ++++++ --- src/libjasper/jp2/jp2_cod.c +++ src/libjasper/jp2/jp2_cod.c @@ -247,7 +247,7 @@ box = 0; tmpstream = 0; - if (!(box = jas_malloc(sizeof(jp2_box_t)))) { + if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) { goto error; } box->ops = &jp2_boxinfo_unk.ops; --- src/libjasper/jpc/jpc_cs.c +++ src/libjasper/jpc/jpc_cs.c @@ -982,7 +982,10 @@ compparms->numstepsizes = (len - n) / 2; break; } - if (compparms->numstepsizes > 0) { + if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) { + jpc_qcx_destroycompparms(compparms); + return -1; + } else if (compparms->numstepsizes > 0) { compparms->stepsizes = jas_malloc(compparms->numstepsizes * sizeof(uint_fast16_t)); assert(compparms->stepsizes); --- src/libjasper/jpc/jpc_dec.c +++ src/libjasper/jpc/jpc_dec.c @@ -1204,7 +1204,7 @@ dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); dec->numtiles = dec->numhtiles * dec->numvtiles; - if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { + if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) { return -1; } @@ -1228,7 +1228,7 @@ tile->pkthdrstreampos = 0; tile->pptstab = 0; tile->cp = 0; - if (!(tile->tcomps = jas_malloc(dec->numcomps * + if (!(tile->tcomps = jas_calloc(dec->numcomps, sizeof(jpc_dec_tcomp_t)))) { return -1; } ++++++ jasper-1.900.1-bug392410.patch ++++++ ++++ 900 lines (skipped) ++++++ jasper-1.900.1-no-undef-true-false.patch ++++++ Index: src/libjasper/include/jasper/jas_types.h =================================================================== --- src/libjasper/include/jasper/jas_types.h +++ src/libjasper/include/jasper/jas_types.h @@ -93,8 +93,6 @@ #endif #if defined(HAVE_STDLIB_H) -#undef false -#undef true #include <stdlib.h> #endif #if defined(HAVE_STDDEF_H) ++++++ jasper-1.900.1-uninitialized.patch ++++++ --- src/libjasper/pnm/pnm_enc.c +++ src/libjasper/pnm/pnm_enc.c @@ -424,7 +424,7 @@ static int pnm_putuint(jas_stream_t *out, int wordsize, uint_fast32_t *val) { int n; - uint_fast32_t tmpval; + uint_fast32_t tmpval=0; int c; n = (wordsize + 7) / 8; ++++++ jasper-CVE-2014-8137.patch ++++++ --- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100 +++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100 @@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr return 0; error: - jas_icccurv_destroy(attrval); return -1; } @@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca #endif return 0; error: - jas_icctxtdesc_destroy(attrval); return -1; } @@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv goto error; return 0; error: - if (txt->string) - jas_free(txt->string); return -1; } @@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr goto error; return 0; error: - jas_icclut8_destroy(attrval); return -1; } @@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt goto error; return 0; error: - jas_icclut16_destroy(attrval); return -1; } --- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100 +++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100 @@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in case JP2_COLR_ICC: iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, dec->colr->data.colr.iccplen); - assert(iccprof); + if (!iccprof) { + jas_eprintf("error: failed to parse ICC profile\n"); + goto error; + } jas_iccprof_gethdr(iccprof, &icchdr); jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); ++++++ jasper-CVE-2014-8138.patch ++++++ diff -ru jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c jasper-1.900.1/src/libjasper/jp2/jp2_cod.c --- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c 2007-01-19 22:43:05.000000000 +0100 +++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2014-12-17 11:58:58.271398603 +0100 @@ -459,7 +459,8 @@ for (channo = 0; channo < cdef->numchans; ++channo) { chan = &cdef->ents[channo]; if (jp2_getuint16(in, &chan->channo) || jp2_getuint16(in, &chan->type) || - jp2_getuint16(in, &chan->assoc)) { + jp2_getuint16(in, &chan->assoc) || + chan->channo >= cdef->numchans ) { return -1; } } ++++++ jasper-overflow-bnc906364.patch ++++++ --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:45:44.000000000 +0100 +++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:44:58.000000000 +0100 @@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t jpc_coc_t *coc = &ms->parms.coc; jpc_dec_tile_t *tile; - if (JAS_CAST(int, coc->compno) > dec->numcomps) { + if (JAS_CAST(int, coc->compno) >= dec->numcomps) { jas_eprintf("invalid component number in COC marker segment\n"); return -1; } @@ -1307,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t jpc_rgn_t *rgn = &ms->parms.rgn; jpc_dec_tile_t *tile; - if (JAS_CAST(int, rgn->compno) > dec->numcomps) { + if (JAS_CAST(int, rgn->compno) >= dec->numcomps) { jas_eprintf("invalid component number in RGN marker segment\n"); return -1; } @@ -1356,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t jpc_qcc_t *qcc = &ms->parms.qcc; jpc_dec_tile_t *tile; - if (JAS_CAST(int, qcc->compno) > dec->numcomps) { + if (JAS_CAST(int, qcc->compno) >= dec->numcomps) { jas_eprintf("invalid component number in QCC marker segment\n"); return -1; } -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org