Hello community,
here is the log from the commit of package jasper.3363 for openSUSE:12.3:Update
checked in at 2015-01-14 14:46:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/jasper.3363 (Old)
and /work/SRC/openSUSE:12.3:Update/.jasper.3363.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jasper.3363"
Changes:
--------
New Changes file:
--- /dev/null 2014-12-25 22:38:16.200041506 +0100
+++ /work/SRC/openSUSE:12.3:Update/.jasper.3363.new/jasper.changes
2015-01-14 14:46:13.000000000 +0100
@@ -0,0 +1,154 @@
+-------------------------------------------------------------------
+Mon Dec 22 15:18:42 UTC 2014 - nadvor...@suse.com
+
+- fixed CVE-2014-8137, CVE-2014-8137 (bnc#909474, bnc#909475)
+
+-------------------------------------------------------------------
+Fri Dec 5 09:51:31 UTC 2014 - nadvor...@suse.com
+
+- jasper-overflow-bnc906364.patch: fixed possible overflow CVE-2014-9029
+ (bnc#906364)
+
+-------------------------------------------------------------------
+Sat Jan 12 19:12:02 UTC 2013 - co...@suse.com
+
+- remove suse_update_config
+
+-------------------------------------------------------------------
+Sun Nov 13 09:11:33 UTC 2011 - co...@suse.com
+
+- add libtool as explicit buildrequire to avoid implicit dependency from
prjconf
+
+-------------------------------------------------------------------
+Wed Oct 5 13:58:57 UTC 2011 - u...@suse.com
+
+- cross-build fix: use %configure macro
+
+-------------------------------------------------------------------
+Mon Aug 2 08:20:13 UTC 2010 - co...@novell.com
+
+- fix baselibs.conf
+
+-------------------------------------------------------------------
+Thu Jul 29 08:54:37 UTC 2010 - co...@novell.com
+
+- do not build the highlevel image viewer in a basic library
+ (in case someone needs it, we better do a 2nd spec file)
+- follow shared library policy
+
+-------------------------------------------------------------------
+Wed Dec 16 11:16:55 CET 2009 - jeng...@medozas.de
+
+- add baselibs.conf as a source
+- enable parallel building
+
+-------------------------------------------------------------------
+Tue Jan 13 12:34:56 CET 2009 - o...@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Wed Nov 12 15:22:43 CET 2008 - nadvor...@suse.cz
+
+- use the last version of the patches [bnc#392410]
+
+-------------------------------------------------------------------
+Tue May 27 11:53:05 CEST 2008 - nadvor...@suse.cz
+
+- fixed multiple integer overflows [bnc#392410]
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - r...@suse.de
+
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+
+-------------------------------------------------------------------
+Thu Apr 19 13:42:54 CEST 2007 - nadvor...@suse.cz
+
+- updated to bugfix release 1.900.1
+- created libjasper-devel subpackage
+- do not build static libs
+- added compat symlink libjasper-1.701.so.1 -> libjasper.so.1.0.0
+- fixed various crashes on malformed input [#258253]
+
+-------------------------------------------------------------------
+Mon May 22 13:49:45 CEST 2006 - pne...@suse.cz
+
+- fixed uninitialized varibale #176395
+ added -uninitialzed.patch
+
+-------------------------------------------------------------------
+Wed Jan 25 21:36:46 CET 2006 - m...@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Mon Jun 14 18:24:09 CEST 2004 - sbra...@suse.cz
+
+- Updated to version 1.701.0.
+
+-------------------------------------------------------------------
+Thu Feb 05 18:35:27 CET 2004 - sbra...@suse.cz
+
+- Updated to version 1.700.5.
+
+-------------------------------------------------------------------
+Sat Jan 10 16:16:47 CET 2004 - adr...@suse.de
+
+- add %run_ldconfig
+
+-------------------------------------------------------------------
+Thu Jul 24 12:59:07 CEST 2003 - nadvor...@suse.cz
+
+- updated to 1.700.2
+
+-------------------------------------------------------------------
+Mon May 12 01:35:59 CEST 2003 - r...@suse.de
+
+- added libstdc++-devel to neededforbuild
+
+-------------------------------------------------------------------
+Wed Oct 23 21:50:26 CEST 2002 - u...@suse.de
+
+- update -> 1.600.0 (improved support for the JP2 format, new
+ application program "jiv" (simple image viewer), improved support
+ for the PNM family of formats, numerous other minor bugs fixed)
+
+-------------------------------------------------------------------
+Sat Aug 24 17:30:26 CEST 2002 - r...@suse.de
+
+- fix doc file section for new cp behaviour
+
+-------------------------------------------------------------------
+Tue Jul 2 14:21:07 CEST 2002 - meiss...@suse.de
+
+- buildrooted, run autoreconf*
+
+-------------------------------------------------------------------
+Thu Apr 18 18:25:48 CEST 2002 - s...@suse.de
+
+- added %{_libdir} to configure for lib/lib64
+- added %{suse_update_config}
+
+-------------------------------------------------------------------
+Fri Jan 25 15:29:30 CET 2002 - u...@suse.de
+
+- update -> 1.500.4 (improved docs)
+
+-------------------------------------------------------------------
+Thu Dec 6 12:31:42 CET 2001 - u...@suse.de
+
+- update -> 1.500.3 (fixes)
+
+-------------------------------------------------------------------
+Thu Aug 16 15:25:08 CEST 2001 - u...@suse.de
+
+- build shared lib, too
+
+-------------------------------------------------------------------
+Mon Jul 30 18:49:00 CEST 2001 - u...@suse.de
+
+- initial package
+
+
New:
----
baselibs.conf
jasper-1.900.1-bug258253.patch
jasper-1.900.1-bug392410.patch
jasper-1.900.1-uninitialized.patch
jasper-1.900.1.tar.bz2
jasper-CVE-2014-8137.patch
jasper-CVE-2014-8138.patch
jasper-overflow-bnc906364.patch
jasper.changes
jasper.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ jasper.spec ++++++
#
# spec file for package jasper
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: jasper
BuildRequires: gcc-c++
BuildRequires: libdrm-devel
BuildRequires: libjpeg-devel
BuildRequires: libtool
Url: http://www.ece.uvic.ca/~mdadams/jasper/
Version: 1.900.1
Release: 0
Summary: An Implementation of the JPEG-2000 Standard, Part 1
License: SUSE-Public-Domain
Group: Productivity/Graphics/Convertors
Source: %{name}-%{version}.tar.bz2
Source2: baselibs.conf
Patch: %{name}-%{version}-uninitialized.patch
Patch2: %{name}-%{version}-bug258253.patch
Patch3: %{name}-%{version}-bug392410.patch
Patch6: jasper-overflow-bnc906364.patch
Patch7: jasper-CVE-2014-8137.patch
Patch8: jasper-CVE-2014-8138.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
This package contains an implementation of the image compression
standard, JPEG-2000, Part 1. It consists of tools for conversion to and
from the JP2 and JPC formats.
%package -n libjasper1
Summary: JPEG-2000 library
Group: Productivity/Graphics/Convertors
# bug437293
%ifarch ppc64
Obsoletes: libjasper-64bit
%endif
# used in <= 11.3
Obsoletes: libjasper
Provides: libjasper
#
%description -n libjasper1
This package contains libjasper, a library implementing the JPEG-2000
image compression standard Part 1.
%package -n libjasper-devel
Summary: JPEG-2000 library - files mandatory for development
Group: Development/Libraries/C and C++
# bug437293
%ifarch ppc64
Obsoletes: libjasper-devel-64bit
%endif
#
Requires: libjasper1 = %{version}
Requires: libjpeg-devel
%description -n libjasper-devel
This package contains libjasper, a library implementing the JPEG-2000
image compression standard Part 1.
%prep
%setup -q
%patch
%patch2
%patch3
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
autoreconf -i -f
export CFLAGS="$RPM_OPT_FLAGS -Wall"
%configure --prefix=/usr --enable-shared --disable-static --libdir=%{_libdir}
make %{?jobs:-j%jobs}
%install
make install DESTDIR=$RPM_BUILD_ROOT
mv doc/README doc/README.doc
rm $RPM_BUILD_ROOT/usr/bin/tmrdemo
# compatibility link, there was no interface change
ln -s libjasper.so.1.0.0 $RPM_BUILD_ROOT%{_libdir}/libjasper-1.701.so.1
%post -n libjasper1 -p /sbin/ldconfig
%postun -n libjasper1 -p /sbin/ldconfig
%files
%defattr(-,root,root)
%doc COPYRIGHT INSTALL LICENSE NEWS README doc/*
/usr/bin/imgcmp
/usr/bin/imginfo
/usr/bin/jasper
%{_mandir}/man*/*
%files -n libjasper1
%defattr(-,root,root)
%{_libdir}/libjasper*.so.*
%files -n libjasper-devel
%defattr(-,root,root)
/usr/include/jasper
%{_libdir}/libjasper.so
%{_libdir}/libjasper.la
%changelog
++++++ baselibs.conf ++++++
libjasper1
++++++ jasper-1.900.1-bug258253.patch ++++++
--- src/libjasper/jp2/jp2_cod.c
+++ src/libjasper/jp2/jp2_cod.c
@@ -247,7 +247,7 @@
box = 0;
tmpstream = 0;
- if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
+ if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
goto error;
}
box->ops = &jp2_boxinfo_unk.ops;
--- src/libjasper/jpc/jpc_cs.c
+++ src/libjasper/jpc/jpc_cs.c
@@ -982,7 +982,10 @@
compparms->numstepsizes = (len - n) / 2;
break;
}
- if (compparms->numstepsizes > 0) {
+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+ jpc_qcx_destroycompparms(compparms);
+ return -1;
+ } else if (compparms->numstepsizes > 0) {
compparms->stepsizes = jas_malloc(compparms->numstepsizes *
sizeof(uint_fast16_t));
assert(compparms->stepsizes);
--- src/libjasper/jpc/jpc_dec.c
+++ src/libjasper/jpc/jpc_dec.c
@@ -1204,7 +1204,7 @@
dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff,
dec->tileheight);
dec->numtiles = dec->numhtiles * dec->numvtiles;
- if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t))))
{
+ if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
return -1;
}
@@ -1228,7 +1228,7 @@
tile->pkthdrstreampos = 0;
tile->pptstab = 0;
tile->cp = 0;
- if (!(tile->tcomps = jas_malloc(dec->numcomps *
+ if (!(tile->tcomps = jas_calloc(dec->numcomps,
sizeof(jpc_dec_tcomp_t)))) {
return -1;
}
++++++ jasper-1.900.1-bug392410.patch ++++++
++++ 900 lines (skipped)
++++++ jasper-1.900.1-uninitialized.patch ++++++
--- src/libjasper/pnm/pnm_enc.c
+++ src/libjasper/pnm/pnm_enc.c
@@ -424,7 +424,7 @@
static int pnm_putuint(jas_stream_t *out, int wordsize, uint_fast32_t *val)
{
int n;
- uint_fast32_t tmpval;
+ uint_fast32_t tmpval=0;
int c;
n = (wordsize + 7) / 8;
++++++ jasper-CVE-2014-8137.patch ++++++
--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11
14:06:44.000000000 +0100
+++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386
+0100
@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
return 0;
error:
- jas_icccurv_destroy(attrval);
return -1;
}
@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
#endif
return 0;
error:
- jas_icctxtdesc_destroy(attrval);
return -1;
}
@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
goto error;
return 0;
error:
- if (txt->string)
- jas_free(txt->string);
return -1;
}
@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
goto error;
return 0;
error:
- jas_icclut8_destroy(attrval);
return -1;
}
@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
goto error;
return 0;
error:
- jas_icclut16_destroy(attrval);
return -1;
}
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11
14:30:54.193209780 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814
+0100
@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
case JP2_COLR_ICC:
iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
dec->colr->data.colr.iccplen);
- assert(iccprof);
+ if (!iccprof) {
+ jas_eprintf("error: failed to parse ICC profile\n");
+ goto error;
+ }
jas_iccprof_gethdr(iccprof, &icchdr);
jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
++++++ jasper-CVE-2014-8138.patch ++++++
diff -ru jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c
jasper-1.900.1/src/libjasper/jp2/jp2_cod.c
--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c 2007-01-19
22:43:05.000000000 +0100
+++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2014-12-17 11:58:58.271398603
+0100
@@ -459,7 +459,8 @@
for (channo = 0; channo < cdef->numchans; ++channo) {
chan = &cdef->ents[channo];
if (jp2_getuint16(in, &chan->channo) || jp2_getuint16(in,
&chan->type) ||
- jp2_getuint16(in, &chan->assoc)) {
+ jp2_getuint16(in, &chan->assoc) ||
+ chan->channo >= cdef->numchans ) {
return -1;
}
}
++++++ jasper-overflow-bnc906364.patch ++++++
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27
12:45:44.000000000 +0100
+++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27
12:44:58.000000000 +0100
@@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t
jpc_coc_t *coc = &ms->parms.coc;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, coc->compno) > dec->numcomps) {
+ if (JAS_CAST(int, coc->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in COC marker segment\n");
return -1;
}
@@ -1307,7 +1307,7 @@ static int jpc_dec_process_rgn(jpc_dec_t
jpc_rgn_t *rgn = &ms->parms.rgn;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, rgn->compno) > dec->numcomps) {
+ if (JAS_CAST(int, rgn->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in RGN marker segment\n");
return -1;
}
@@ -1356,7 +1356,7 @@ static int jpc_dec_process_qcc(jpc_dec_t
jpc_qcc_t *qcc = &ms->parms.qcc;
jpc_dec_tile_t *tile;
- if (JAS_CAST(int, qcc->compno) > dec->numcomps) {
+ if (JAS_CAST(int, qcc->compno) >= dec->numcomps) {
jas_eprintf("invalid component number in QCC marker segment\n");
return -1;
}
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
