commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2020-10-06 17:10:07 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new.4249 (New) Package is "jasper" Tue Oct 6 17:10:07 2020 rev:3 rq:839698 version:2.0.22 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2020-09-23 18:46:46.913673559 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new.4249/jasper.changes 2020-10-06 17:12:47.513614424 +0200 @@ -1,0 +2,10 @@ +Tue Oct 6 07:16:41 UTC 2020 - Michael Vetter + +- Update to 2.0.22: + * Update manual + * Remove JPEG dummy codec + * Fix test suite build failure regarding disabled MIF codec (#249) + * Fix OpenGL/glut detection (#247) +- Remove jasper-2.0.21-glut.patch: upstreamed + +--- Old: jasper-2.0.21-glut.patch version-2.0.21.tar.gz New: version-2.0.22.tar.gz Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.y2Mo88/_old 2020-10-06 17:12:50.821617281 +0200 +++ /var/tmp/diff_new_pack.y2Mo88/_new 2020-10-06 17:12:50.825617284 +0200 @@ -17,7 +17,7 @@ Name: jasper -Version:2.0.21 +Version:2.0.22 Release:0 Summary:An Implementation of the JPEG-2000 Standard, Part 1 License:SUSE-Public-Domain @@ -25,8 +25,6 @@ URL:https://jasper-software.github.io/jasper Source: https://github.com/jasper-software/jasper/archive/version-%{version}.tar.gz Source2:baselibs.conf -# https://github.com/jasper-software/jasper/issues/247 -Patch0: jasper-2.0.21-glut.patch BuildRequires: Mesa-libGL-devel BuildRequires: cmake BuildRequires: doxygen @@ -78,7 +76,6 @@ %prep %setup -q -n %{name}-version-%{version} -%patch0 -p1 %build export CFLAGS="%{optflags} -Wall -std=c99 -D_BSD_SOURCE" ++ version-2.0.21.tar.gz -> version-2.0.22.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-2.0.21/CMakeLists.txt new/jasper-version-2.0.22/CMakeLists.txt --- old/jasper-version-2.0.21/CMakeLists.txt2020-09-20 20:55:35.0 +0200 +++ new/jasper-version-2.0.22/CMakeLists.txt2020-10-05 18:41:38.0 +0200 @@ -17,7 +17,7 @@ # The major, minor, and micro version numbers of the project. set(JAS_VERSION_MAJOR 2) set(JAS_VERSION_MINOR 0) -set(JAS_VERSION_PATCH 21) +set(JAS_VERSION_PATCH 22) # The project version. set(JAS_VERSION @@ -79,8 +79,6 @@ include(CTest) include(Sanitizers) -include(JasOpenGL) - cmake_policy(SET CMP0012 NEW) @@ -205,6 +203,8 @@ # Perform plaform checks. +include(JasOpenGL) + find_program(BASH_PROGRAM bash) check_include_files(fcntl.h JAS_HAVE_FCNTL_H) @@ -266,6 +266,9 @@ set(JPEG_INCLUDE_DIR "") set(JPEG_LIBRARIES "") endif() +if (NOT JAS_HAVE_LIBJPEG) + set(JAS_INCLUDE_JPG_CODEC 0) +endif() # Check for the Math library. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jasper-version-2.0.21/NEWS new/jasper-version-2.0.22/NEWS --- old/jasper-version-2.0.21/NEWS 2020-09-20 20:55:35.0 +0200 +++ new/jasper-version-2.0.22/NEWS 2020-10-05 18:41:38.0 +0200 @@ -1,23 +1,25 @@ 2.0.21 (2020-09-20) === -* fixed ZDI-15-529 +* Fix ZDI-15-529 + https://github.com/jasper-software/jasper/pull/245 -* fixed CVE-2018-19541 +* Fix CVE-2018-19541 in decoder + https://github.com/jasper-software/jasper/pull/244 2.0.20 (2020-09-05) === -* fixed several ISO/IEC 15444-4 conformance bugs +* Fix several ISO/IEC 15444-4 conformance bugs -* fixed new variant of CVE-2016-9398 +* Fix new variant of CVE-2016-9398 -* disabled the MIF codec by default for security reasons (but it is still +* Disable the MIF codec by default for security reasons (but it is still included in the library); in a future release, the MIF codec may also be excluded from the library by default -* added documentation for the I/O streams library API +* Add documentation for the I/O streams library API 2.0.19 (2020-07-11) === @@ -28,7 +30,7 @@ https://github.com/jasper-software/jasper/issues/175 https://github.com/jasper-maint/jasper/issues/8 -* Fix CVE-2018-19541 +* Fix CVE-2018-19541 in encoder https://github.com/jasper-software/jasper/pull/199 https://github.com/jasper-m
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2020-09-23 18:45:15 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new.4249 (New) Package is "jasper" Wed Sep 23 18:45:15 2020 rev:2 rq:836230 version:2.0.21 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2020-07-28 17:28:07.070093946 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new.4249/jasper.changes 2020-09-23 18:46:46.913673559 +0200 @@ -1,0 +2,30 @@ +Wed Sep 23 07:40:22 UTC 2020 - Michael Vetter + +- Add jasper-2.0.21-glut.patch: Fix glut.h detection + See https://github.com/jasper-software/jasper/issues/247 + +--- +Tue Sep 22 12:10:54 UTC 2020 - Michael Vetter + +- Update to 2.0.21: + * Fix ZDI-15-529 +https://github.com/jasper-software/jasper/pull/245 + * Fix CVE-2018-19541 in decoder +https://github.com/jasper-software/jasper/pull/244 + +--- +Mon Sep 7 08:15:35 UTC 2020 - Michael Vetter + +- Update to 2.0.20: + * Fixed several ISO/IEC 15444-4 conformance bugs + * Fixed new variant of CVE-2016-9398 + * Disabled the MIF codec by default for security reasons (but it is still +included in the library); +in a future release, the MIF codec may also be excluded from the +library by default + * Added documentation for the I/O streams library API + * Improved adherance to specification +- Move to GitHub repo https://github.com/jasper-software/jasper +- Update URL to https://jasper-software.github.io/jasper + +--- Old: version-2.0.19.tar.gz New: jasper-2.0.21-glut.patch version-2.0.21.tar.gz Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.8WRHTQ/_old 2020-09-23 18:46:59.017684695 +0200 +++ /var/tmp/diff_new_pack.8WRHTQ/_new 2020-09-23 18:46:59.017684695 +0200 @@ -1,7 +1,7 @@ # # spec file for package jasper # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,14 +17,16 @@ Name: jasper -Version:2.0.19 +Version:2.0.21 Release:0 Summary:An Implementation of the JPEG-2000 Standard, Part 1 License:SUSE-Public-Domain Group: Productivity/Graphics/Convertors -URL:http://www.ece.uvic.ca/~mdadams/jasper/ -Source: https://github.com/mdadams/jasper/archive/version-%{version}.tar.gz +URL:https://jasper-software.github.io/jasper +Source: https://github.com/jasper-software/jasper/archive/version-%{version}.tar.gz Source2:baselibs.conf +# https://github.com/jasper-software/jasper/issues/247 +Patch0: jasper-2.0.21-glut.patch BuildRequires: Mesa-libGL-devel BuildRequires: cmake BuildRequires: doxygen @@ -76,6 +78,7 @@ %prep %setup -q -n %{name}-version-%{version} +%patch0 -p1 %build export CFLAGS="%{optflags} -Wall -std=c99 -D_BSD_SOURCE" ++ jasper-2.0.21-glut.patch ++ >From 059bcac469a06767179771aebbbe65dacd676111 Mon Sep 17 00:00:00 2001 From: Michael Adams Date: Tue, 22 Sep 2020 07:46:26 -0700 Subject: [PATCH] Moved the point at which the JasPer OpenGL cmake module is included in the top-level CMakeLists.txt file so that the main JasPer config header is generated correctly and all of the initialization required for this module is performed prior to its inclusion. --- CMakeLists.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 20dbd8a..adf45ca 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -79,8 +79,6 @@ include(CheckCSourceCompiles) include(CTest) include(Sanitizers) -include(JasOpenGL) - cmake_policy(SET CMP0012 NEW) @@ -205,6 +203,8 @@ endif() # Perform plaform checks. +include(JasOpenGL) + find_program(BASH_PROGRAM bash) check_include_files(fcntl.h JAS_HAVE_FCNTL_H) ++ version-2.0.19.tar.gz -> version-2.0.21.tar.gz ++ 15151 lines of diff (skipped)
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2019-11-06 15:19:28 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new.2990 (New) Package is "jasper" Wed Nov 6 15:19:28 2019 rev:45 rq:745234 version:2.0.16 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2019-06-13 22:36:34.672318311 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new.2990/jasper.changes 2019-11-06 15:19:30.541374390 +0100 @@ -1,0 +2,7 @@ +Mon Nov 4 17:10:14 UTC 2019 - Michael Vetter + +- bsc#1117507 CVE-2018-19541: Properly fix heap based overread + in jas_image_depalettize. Original fix caused segfaults. + Update jasper-CVE-2018-19541.patch + +--- Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.JCTyjf/_old 2019-11-06 15:19:32.141375965 +0100 +++ /var/tmp/diff_new_pack.JCTyjf/_new 2019-11-06 15:19:32.145375969 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # ++ jasper-CVE-2018-19541.patch ++ --- /var/tmp/diff_new_pack.JCTyjf/_old 2019-11-06 15:19:32.189376013 +0100 +++ /var/tmp/diff_new_pack.JCTyjf/_new 2019-11-06 15:19:32.189376013 +0100 @@ -1,15 +1,17 @@ -Index: jasper-version-2.0.16/src/libjasper/base/jas_image.c +Index: jasper-version-2.0.16/src/libjasper/jp2/jp2_cod.c === jasper-version-2.0.16.orig/src/libjasper/base/jas_image.c -+++ jasper-version-2.0.16/src/libjasper/base/jas_image.c -@@ -979,6 +979,10 @@ int jas_image_depalettize(jas_image_t *i - cmptparms.prec = JAS_IMAGE_CDT_GETPREC(dtype); - cmptparms.sgnd = JAS_IMAGE_CDT_GETSGND(dtype); - -+ if (numlutents < 1) { +--- jasper-version-2.0.16.orig/src/libjasper/jp2/jp2_cod.c jasper-version-2.0.16/src/libjasper/jp2/jp2_cod.c +@@ -855,6 +855,12 @@ static int jp2_pclr_getdata(jp2_box_t *b + jp2_getuint8(in, &pclr->numchans)) { + return -1; + } ++ ++ // verify in range data as per I.5.3.4 - Palette box ++ if (pclr->numchans < 1 || pclr->numlutents < 1 || pclr->numlutents > 1024) { + return -1; + } -+ - if (jas_image_addcmpt(image, newcmptno, &cmptparms)) { ++ + lutsize = pclr->numlutents * pclr->numchans; + if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t { return -1; - }
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2019-06-13 22:36:33 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new.4811 (New) Package is "jasper" Thu Jun 13 22:36:33 2019 rev:44 rq:708034 version:2.0.16 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2019-03-27 16:13:44.451631780 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new.4811/jasper.changes 2019-06-13 22:36:34.672318311 +0200 @@ -1,0 +2,8 @@ +Thu Jun 6 07:43:02 UTC 2019 - mvet...@suse.com + +- bsc#1117508 CVE-2018-19540: Fix heap based overflow in jas_icctxtdesc_input + Add jasper-CVE-2018-19540.patch: Make sure asclen is at least 1 +- bsc#1117507 CVE-2018-19541: Fix heap based overread in jas_image_depalettize + Add jasper-CVE-2018-19541.patch: Check number of lutents + +--- New: jasper-CVE-2018-19540.patch jasper-CVE-2018-19541.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.aNYCVZ/_old 2019-06-13 22:36:36.376317757 +0200 +++ /var/tmp/diff_new_pack.aNYCVZ/_new 2019-06-13 22:36:36.412317745 +0200 @@ -30,6 +30,10 @@ Patch4: jasper-CVE-2018-9055.patch # https://github.com/mdadams/jasper/pull/200 Patch6: jasper-CVE-2018-19542.patch +# https://github.com/mdadams/jasper/pull/198 +Patch7: jasper-CVE-2018-19540.patch +# https://github.com/mdadams/jasper/pull/199 +Patch8: jasper-CVE-2018-19541.patch BuildRequires: Mesa-libGL-devel BuildRequires: cmake BuildRequires: doxygen @@ -84,6 +88,8 @@ %patch1 -p1 %patch4 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build export CFLAGS="%{optflags} -Wall -std=c99 -D_BSD_SOURCE" ++ jasper-CVE-2018-19540.patch ++ Index: jasper-version-2.0.16/src/libjasper/base/jas_icc.c === --- jasper-version-2.0.16.orig/src/libjasper/base/jas_icc.c +++ jasper-version-2.0.16/src/libjasper/base/jas_icc.c @@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_icca if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) != JAS_CAST(int, txtdesc->asclen)) goto error; + if (txtdesc->asclen < 1) + goto error; txtdesc->ascdata[txtdesc->asclen - 1] = '\0'; if (jas_iccgetuint32(in, &txtdesc->uclangcode) || jas_iccgetuint32(in, &txtdesc->uclen)) ++ jasper-CVE-2018-19541.patch ++ Index: jasper-version-2.0.16/src/libjasper/base/jas_image.c === --- jasper-version-2.0.16.orig/src/libjasper/base/jas_image.c +++ jasper-version-2.0.16/src/libjasper/base/jas_image.c @@ -979,6 +979,10 @@ int jas_image_depalettize(jas_image_t *i cmptparms.prec = JAS_IMAGE_CDT_GETPREC(dtype); cmptparms.sgnd = JAS_IMAGE_CDT_GETSGND(dtype); + if (numlutents < 1) { + return -1; + } + if (jas_image_addcmpt(image, newcmptno, &cmptparms)) { return -1; }
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2019-03-27 16:13:43 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new.25356 (New) Package is "jasper" Wed Mar 27 16:13:43 2019 rev:43 rq:688203 version:2.0.16 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2019-03-22 14:52:18.114135392 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new.25356/jasper.changes 2019-03-27 16:13:44.451631780 +0100 @@ -1,0 +2,16 @@ +Mon Mar 25 10:23:40 UTC 2019 - mvet...@suse.com + +- Update to 2.0.16: + * Fix assertion failure JPC_NOMINALGAIN (CVE-2016-9396) (#50) + * Fix build on Windows 10 (#162) + * Improve README + * Fix build with CMake 2.x + * Add missing dereference operators (#178, #157) + * Check data in jas_image (CVE-2018-19539) (#196) +- Remove because contained in new release: + * jasper-CVE-2018-19539.patch + * 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch + * Remove 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch +- Run spec-cleaner + +--- Old: 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch jasper-2.0.14.tar.gz jasper-CVE-2018-19539.patch New: version-2.0.16.tar.gz Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.lC0gpy/_old 2019-03-27 16:13:45.563631496 +0100 +++ /var/tmp/diff_new_pack.lC0gpy/_new 2019-03-27 16:13:45.567631495 +0100 @@ -12,25 +12,22 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: jasper -Version:2.0.14 +Version:2.0.16 Release:0 Summary:An Implementation of the JPEG-2000 Standard, Part 1 License:SUSE-Public-Domain Group: Productivity/Graphics/Convertors -Url:http://www.ece.uvic.ca/~mdadams/jasper/ -Source: %{name}-%{version}.tar.gz +URL:http://www.ece.uvic.ca/~mdadams/jasper/ +Source: https://github.com/mdadams/jasper/archive/version-%{version}.tar.gz Source2:baselibs.conf Patch1: jasper-CVE-2016-9398.patch -Patch2: 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch -Patch3: 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch +# https://github.com/mdadams/jasper/pull/204 Patch4: jasper-CVE-2018-9055.patch -# https://github.com/mdadams/jasper/pull/196 -Patch5: jasper-CVE-2018-19539.patch # https://github.com/mdadams/jasper/pull/200 Patch6: jasper-CVE-2018-19542.patch BuildRequires: Mesa-libGL-devel @@ -45,7 +42,6 @@ BuildRequires: libdrm-devel BuildRequires: libjpeg-devel BuildRequires: pkgconfig -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This package contains an implementation of the image compression @@ -84,12 +80,9 @@ image compression standard Part 1. %prep -%setup -q +%setup -q -n %{name}-version-%{version} %patch1 -p1 -%patch2 -p1 -%patch3 -p1 %patch4 -p1 -%patch5 -p1 %patch6 -p1 %build @@ -106,8 +99,9 @@ %postun -n libjasper4 -p /sbin/ldconfig %files -%defattr(-,root,root) -%doc COPYRIGHT LICENSE README doc/* +%license LICENSE +%doc COPYRIGHT README doc/* +%doc %{_docdir}/jasper %{_bindir}/imgcmp %{_bindir}/imginfo %{_bindir}/jasper @@ -115,11 +109,9 @@ %{_mandir}/man*/* %files -n libjasper4 -%defattr(-,root,root) %{_libdir}/libjasper*.so.* %files -n libjasper-devel -%defattr(-,root,root) %{_includedir}/jasper %{_libdir}/libjasper.so %{_libdir}/pkgconfig/jasper.pc
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2019-03-22 14:52:14 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new.25356 (New) Package is "jasper" Fri Mar 22 14:52:14 2019 rev:42 rq:687178 version:2.0.14 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2019-03-14 14:50:57.803800057 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new.25356/jasper.changes 2019-03-22 14:52:18.114135392 +0100 @@ -1,0 +2,6 @@ +Thu Mar 21 09:38:27 UTC 2019 - Michael Vetter + +- bsc#1117505 CVE-2018-19542: + * Add jasper-CVE-2018-19542.patch + +--- New: jasper-CVE-2018-19542.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.ZBFELb/_old 2019-03-22 14:52:19.750134416 +0100 +++ /var/tmp/diff_new_pack.ZBFELb/_new 2019-03-22 14:52:19.754134414 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -29,7 +29,10 @@ Patch2: 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch Patch3: 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch Patch4: jasper-CVE-2018-9055.patch +# https://github.com/mdadams/jasper/pull/196 Patch5: jasper-CVE-2018-19539.patch +# https://github.com/mdadams/jasper/pull/200 +Patch6: jasper-CVE-2018-19542.patch BuildRequires: Mesa-libGL-devel BuildRequires: cmake BuildRequires: doxygen @@ -87,6 +90,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build export CFLAGS="%{optflags} -Wall -std=c99 -D_BSD_SOURCE" ++ jasper-CVE-2018-19542.patch ++ See: https://github.com/mdadams/jasper/pull/200 Index: jasper-2.0.14/src/libjasper/jp2/jp2_dec.c === --- jasper-2.0.14.orig/src/libjasper/jp2/jp2_dec.c +++ jasper-2.0.14/src/libjasper/jp2/jp2_dec.c @@ -388,6 +388,9 @@ jas_image_t *jp2_decode(jas_stream_t *in jas_image_setcmpttype(dec->image, newcmptno, jp2_getct(jas_image_clrspc(dec->image), 0, channo + 1)); } #endif + } else { + jas_eprintf("error: invalid MTYP in CMAP box\n"); + goto error; } } }
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2019-03-14 14:50:56 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new.28833 (New) Package is "jasper" Thu Mar 14 14:50:56 2019 rev:41 rq:684439 version:2.0.14 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2018-04-05 15:27:26.141275522 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new.28833/jasper.changes 2019-03-14 14:50:57.803800057 +0100 @@ -1,0 +2,6 @@ +Tue Mar 12 16:35:04 UTC 2019 - mvet...@suse.com + +- bsc#1117511 CVE-2018-19539: + * Add jasper-CVE-2018-19539.patch + +--- New: jasper-CVE-2018-19539.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.Fbq7yD/_old 2019-03-14 14:50:58.351799978 +0100 +++ /var/tmp/diff_new_pack.Fbq7yD/_new 2019-03-14 14:50:58.351799978 +0100 @@ -1,7 +1,7 @@ # # spec file for package jasper # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,6 +29,7 @@ Patch2: 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch Patch3: 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch Patch4: jasper-CVE-2018-9055.patch +Patch5: jasper-CVE-2018-19539.patch BuildRequires: Mesa-libGL-devel BuildRequires: cmake BuildRequires: doxygen @@ -85,6 +86,7 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %build export CFLAGS="%{optflags} -Wall -std=c99 -D_BSD_SOURCE" ++ jasper-CVE-2018-19539.patch ++ Index: jasper-2.0.14/src/libjasper/base/jas_image.c === --- jasper-2.0.14.orig/src/libjasper/base/jas_image.c +++ jasper-2.0.14/src/libjasper/base/jas_image.c @@ -491,6 +491,10 @@ int jas_image_readcmpt(jas_image_t *imag image, cmptno, JAS_CAST(long, x), JAS_CAST(long, y), JAS_CAST(long, width), JAS_CAST(long, height), data)); + if(data == NULL) { + return -1; + } + if (cmptno < 0 || cmptno >= image->numcmpts_) { return -1; }
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2018-04-05 15:27:19 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Thu Apr 5 15:27:19 2018 rev:40 rq:593093 version:2.0.14 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2017-07-17 09:02:00.289283406 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2018-04-05 15:27:26.141275522 +0200 @@ -1,0 +2,38 @@ +Thu Mar 29 14:40:02 UTC 2018 - fst...@suse.com + +- Added patch: + * jasper-CVE-2018-9055.patch ++ fix CVE-2018-9055, bsc#1087020: jasper: denial of service via + a reachable assertion in the function jpc_firstone in + libjasper/jpc/jpc_math.c. + +--- +Thu Mar 29 08:12:30 UTC 2018 - fst...@suse.com + +- Upgrade to 2.0.14 + * Soname and package name change libjasper1 to libjasper4 + * Security fixes: ++ CVE-2016-9557 jasper: Signed integer overflow in jas_image.c +- Removed patches: + * jasper-1.900.1-uninitialized.patch ++ not needed any more + * jasper-CVE-2016-10251.patch + * jasper-CVE-2016-8654.patch + * jasper-CVE-2016-9262.patch + * jasper-CVE-2016-9395.patch + * jasper-CVE-2016-9560.patch + * jasper-CVE-2016-9583.patch + * jasper-CVE-2016-9591.patch + * jasper-CVE-2016-9600.patch + * jasper-CVE-2017-150.patch + * jasper-CVE-2017-5498.patch + * jasper-CVE-2017-6850.patch ++ Fixed upstream +- Added patches: + * 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch ++ fix assertion failure JPC_NOMINALGAIN() which can be caused + by a crafted JP2 file. + * 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch ++ allow JasPer to be build with CMake 2.x as well as CMake 3.x. + +--- Old: jasper-1.900.1-uninitialized.patch jasper-1.900.14.tar.bz2 jasper-CVE-2016-10251.patch jasper-CVE-2016-8654.patch jasper-CVE-2016-9262.patch jasper-CVE-2016-9395.patch jasper-CVE-2016-9560.patch jasper-CVE-2016-9583.patch jasper-CVE-2016-9591.patch jasper-CVE-2016-9600.patch jasper-CVE-2017-150.patch jasper-CVE-2017-5498.patch jasper-CVE-2017-6850.patch New: 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch jasper-2.0.14.tar.gz jasper-CVE-2018-9055.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.HuoFlL/_old 2018-04-05 15:27:26.733254125 +0200 +++ /var/tmp/diff_new_pack.HuoFlL/_new 2018-04-05 15:27:26.737253980 +0200 @@ -1,7 +1,7 @@ # # spec file for package jasper # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,35 +17,30 @@ Name: jasper -Version:1.900.14 +Version:2.0.14 Release:0 Summary:An Implementation of the JPEG-2000 Standard, Part 1 License:SUSE-Public-Domain Group: Productivity/Graphics/Convertors Url:http://www.ece.uvic.ca/~mdadams/jasper/ -Source: %{name}-%{version}.tar.bz2 +Source: %{name}-%{version}.tar.gz Source2:baselibs.conf -Patch0: jasper-1.900.1-uninitialized.patch -Patch1: jasper-CVE-2016-8654.patch -Patch2: jasper-CVE-2016-9395.patch -Patch3: jasper-CVE-2016-9398.patch -Patch4: jasper-CVE-2016-9560.patch -Patch5: jasper-CVE-2016-9591.patch -Patch6: jasper-CVE-2016-10251.patch -Patch7: jasper-CVE-2017-5498.patch -Patch8: jasper-CVE-2016-9600.patch -Patch9: jasper-CVE-2016-9583.patch -Patch10:jasper-CVE-2017-6850.patch -Patch11:jasper-CVE-2017-150.patch -Patch12:jasper-CVE-2016-9262.patch -BuildRequires: autoconf -BuildRequires: automake +Patch1: jasper-CVE-2016-9398.patch +Patch2: 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch +Patch3: 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch +Patch4: jasper-CVE-2018-9055.patch +BuildRequires: Mesa-libGL-devel +BuildRequires: cmake +BuildRequires: doxygen +BuildRequires: fdupes +BuildRequires: freeglut-devel BuildRequires: gcc-c++ +BuildRequires: glu-devel +BuildRequires: libXi-devel +BuildRequires: libXmu-devel BuildRequires: libdrm-devel BuildRequires: libjpeg-devel -BuildRequires: libtool BuildRequires: pkgconfig -BuildRequ
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2017-07-17 09:01:59 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Mon Jul 17 09:01:59 2017 rev:39 rq:509748 version:1.900.14 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2017-03-31 15:01:20.369498459 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2017-07-17 09:02:00.289283406 +0200 @@ -1,0 +2,50 @@ +Wed Jul 12 07:43:06 UTC 2017 - fst...@suse.com + +- Other bugs fixed by existing patches: + * jasper-CVE-2016-9395.patch +- bsc#1010756, CVE-2016-9394: assertion in jas_matrix_t + *jas_seq2d_create(int, int, int, int): Assertion + `xstart <= xend && ystart <= yend' +- bsc#1010757, CVE-2016-9392: pc_dec.c:1637: void + calcstepsizes(uint_fast16_t, int, uint_fast16_t *): + Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 - + ((bandno > 0) ? ((bandno + 2) / 3) : (0 & (~0x1f))' + failed. +- bsc#1010766, CVE-2016-9393: jpc_t2cod.c:297: int + jpc_pi_nextrpcl(jpc_pi_t *): Assertion + `pi->prcno pirlvl->numprcs' failed. +- bsc#1010977, CVE-2016-9395: jas_seq.c:90: jas_matrix_t + *jas_seq2d_create(int, int, int, int): Assertion `xstart + <= xend && ystart <= yend' failed. +- Other bugs fixed in current version: + * bsc#1010774, CVE-2016-9390: jas_seq.c:90: jas_matrix_t +*jas_seq2d_create(int, int, int, int): Assertion `xstart <= +xend && ystart <= yend' failed. + * bsc#1010782, CVE-2016-9391: jpc_bs.c:197: long +jpc_bitstream_getbits(jpc_bitstream_t *, int): Assertion +`n >= 0 && n < 32' failed. + * bsc#1010968, CVE-2016-9389: Assertion `((c1)->numcols_) == +numcols && ((c2)->numcols_) == numcols' failed. + * bsc#1010975, CVE-2016-9388: ras_dec.c:330: int +ras_getcmap(jas_stream_t *, ras_hdr_t *, ras_cmap_t *): +Assertion `numcolors <= 256' failed. + * bsc#1010960, CVE-2016-9387: jas_seq.c:90: jas_matrix<= yend' +failed. + +--- +Tue Jul 11 10:45:59 UTC 2017 - fst...@suse.com + +- Added patch: + * jasper-CVE-2016-9262.patch ++ Fix for Multiple overflow vulnerabilities leading to use + after free (bsc#1009994, CVE-2016-9262) + +--- +Tue Jul 11 09:02:39 UTC 2017 - fst...@suse.com + +- Added patch: + * jasper-CVE-2017-150.patch ++ Upstream fix for NULL Pointer Dereference jp2_encode + (bsc#1047958, CVE-2017-150) + +--- New: jasper-CVE-2016-9262.patch jasper-CVE-2017-150.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.54fZeR/_old 2017-07-17 09:02:01.021180344 +0200 +++ /var/tmp/diff_new_pack.54fZeR/_new 2017-07-17 09:02:01.021180344 +0200 @@ -36,6 +36,8 @@ Patch8: jasper-CVE-2016-9600.patch Patch9: jasper-CVE-2016-9583.patch Patch10:jasper-CVE-2017-6850.patch +Patch11:jasper-CVE-2017-150.patch +Patch12:jasper-CVE-2016-9262.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc-c++ @@ -95,6 +97,8 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 %build libtoolize --force --copy --install ++ jasper-CVE-2016-9262.patch ++ diff -urEbwB jasper-1.900.14/src/libjasper/base/jas_image.c jasper-1.900.14.new/src/libjasper/base/jas_image.c --- jasper-1.900.14/src/libjasper/base/jas_image.c 2017-07-11 12:01:22.628016305 +0200 +++ jasper-1.900.14.new/src/libjasper/base/jas_image.c 2017-07-11 12:38:10.115887712 +0200 @@ -78,6 +78,7 @@ #include #include #include +#include #include "jasper/jas_math.h" #include "jasper/jas_image.h" @@ -333,8 +334,8 @@ // Compute the number of samples in the image component, while protecting // against overflow. // size = cmpt->width_ * cmpt->height_ * cmpt->cps_; - if (!jas_safe_size_mul(cmpt->width_, cmpt->height_, &size) || - !jas_safe_size_mul(size, cmpt->cps_, &size)) { + if (!jas_safe_size_mul3(cmpt->width_, cmpt->height_, cmpt->cps_, &size) || + size > INT_MAX) { goto error; } cmpt->stream_ = (inmem) ? jas_stream_memopen(0, size) : diff -urEbwB jasper-1.900.14/src/libjasper/include/jasper/jas_math.h jasper-1.900.14.new/src/libjasper/include/jasper/jas_math.h --- jasper-1.900.14/src/libjasper/include/jasper/jas_math.h 2017-07-11 12:01:22.616016305 +0200 +++ jasper-1.900.14.new/src/libjasper/include/jasper/jas_math.h 2017-07-11 12:42:52.798047647
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2017-03-31 15:01:19 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Fri Mar 31 15:01:19 2017 rev:38 rq:483773 version:1.900.14 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2017-03-18 20:49:35.542022975 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2017-03-31 15:01:20.369498459 +0200 @@ -1,0 +2,20 @@ +Thu Mar 30 09:51:07 UTC 2017 - fst...@suse.com + +- Modified patch: + * jasper-CVE-2016-9583.patch ++ integrate upstream change + 99a50593254d1b53002719bbecfc946c84b23d27, which fixed a null + pointer dereferencing crash. + +--- +Wed Mar 22 09:30:41 UTC 2017 - fst...@suse.com + +- Added patches: + * jasper-CVE-2016-9583.patch +- Out of bounds heap read in jpc_pi_nextpcrl() (bsc#1015400, + CVE-2016-9583) + * jasper-CVE-2017-6850.patch +- NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c) + (bsc#1021868, CVE-2017-6850) + +--- New: jasper-CVE-2016-9583.patch jasper-CVE-2017-6850.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.CTR5x2/_old 2017-03-31 15:01:21.397353158 +0200 +++ /var/tmp/diff_new_pack.CTR5x2/_new 2017-03-31 15:01:21.397353158 +0200 @@ -34,6 +34,8 @@ Patch6: jasper-CVE-2016-10251.patch Patch7: jasper-CVE-2017-5498.patch Patch8: jasper-CVE-2016-9600.patch +Patch9: jasper-CVE-2016-9583.patch +Patch10:jasper-CVE-2017-6850.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc-c++ @@ -91,6 +93,8 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 %build libtoolize --force --copy --install ++ jasper-CVE-2016-9583.patch ++ --- jasper-1.900.14/src/libjasper/include/jasper/jas_types.h2017-03-22 10:14:30.098037013 +0100 +++ jasper-1.900.14/src/libjasper/include/jasper/jas_types.h2017-03-22 10:15:11.619685037 +0100 @@ -128,6 +128,10 @@ #defineJAS_CAST(t, e) \ ((t) (e)) +/* The number of bits in the integeral type uint_fast32_t. */ +/* NOTE: This could underestimate the size on some exotic architectures. */ +#define JAS_UINTFAST32_NUMBITS (8 * sizeof(uint_fast32_t)) + #ifdef __cplusplus extern "C" { #endif --- jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.c 2017-03-22 10:14:30.102037013 +0100 +++ jasper-1.900.14/src/libjasper/jpc/jpc_t2cod.c 2017-03-22 10:15:11.619685037 +0100 @@ -200,7 +200,8 @@ JAS_CAST(int, pchg->lyrnoend); ++pi->lyrno) { for (pi->compno = pchg->compnostart, pi->picomp = &pi->picomps[pi->compno]; pi->compno < pi->numcomps && - pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, ++pi->picomp) { + pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, + ++pi->picomp) { if (pi->rlvlno >= pi->picomp->numrlvls) { continue; } @@ -249,10 +250,17 @@ ++compno, ++picomp) { for (rlvlno = 0, pirlvl = picomp->pirlvls; rlvlno < picomp->numrlvls; ++rlvlno, ++pirlvl) { - xstep = picomp->hsamp * (1 << (pirlvl->prcwidthexpn + - picomp->numrlvls - rlvlno - 1)); - ystep = picomp->vsamp * (1 << (pirlvl->prcheightexpn + - picomp->numrlvls - rlvlno - 1)); + // Check for the potential for overflow problems. + if (pirlvl->prcwidthexpn + pi->picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2 || + pirlvl->prcheightexpn + pi->picomp->numrlvls > + JAS_UINTFAST32_NUMBITS - 2) { + return -1; + } + xstep = picomp->hsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcwidthexpn + picomp->numrlvls - rlvlno - 1)); + ystep = picomp->vsamp * (JAS_CAST(uint_fast32_t, 1) << + (pirlvl->prcheightexpn + picomp->numrlvls - rlvlno - 1)); pi->xstep = (!pi->xstep) ? xstep : JAS_MIN(pi->xstep, xstep);
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2017-03-18 20:49:34 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Sat Mar 18 20:49:34 2017 rev:37 rq:480785 version:1.900.14 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2017-03-10 21:00:27.344275359 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2017-03-18 20:49:35.542022975 +0100 @@ -1,0 +2,20 @@ +Fri Mar 17 08:25:35 UTC 2017 - fst...@suse.com + +- Added patches: + * jasper-CVE-2017-5498.patch +- Upstream changes putting braces and belts around + CVE-2017-5498, bsc#1020353, left-shift undefined behaviour + * jasper-CVE-2016-9600.patch +- Upstream fix for "Null Pointer Dereference due to missing + check for UNKNOWN color space in JP2 encoder" (CVE-2016-9600, + bsc#1018088) + +--- +Thu Mar 16 08:28:31 UTC 2017 - fst...@suse.com + +- Added patch: + * jasper-CVE-2016-10251.patch +- Upstream fix for bsc#1029497, CVE-2016-10251: Use of + uninitialized value in jpc_pi_nextcprl (jpc_t2cod.c) + +--- New: jasper-CVE-2016-10251.patch jasper-CVE-2016-9600.patch jasper-CVE-2017-5498.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.wuSCfv/_old 2017-03-18 20:49:36.321912490 +0100 +++ /var/tmp/diff_new_pack.wuSCfv/_new 2017-03-18 20:49:36.321912490 +0100 @@ -17,16 +17,12 @@ Name: jasper -BuildRequires: gcc-c++ -BuildRequires: libdrm-devel -BuildRequires: libjpeg-devel -BuildRequires: unzip -Url:http://www.ece.uvic.ca/~mdadams/jasper/ Version:1.900.14 Release:0 Summary:An Implementation of the JPEG-2000 Standard, Part 1 License:SUSE-Public-Domain Group: Productivity/Graphics/Convertors +Url:http://www.ece.uvic.ca/~mdadams/jasper/ Source: %{name}-%{version}.tar.bz2 Source2:baselibs.conf Patch0: jasper-1.900.1-uninitialized.patch @@ -35,7 +31,17 @@ Patch3: jasper-CVE-2016-9398.patch Patch4: jasper-CVE-2016-9560.patch Patch5: jasper-CVE-2016-9591.patch - +Patch6: jasper-CVE-2016-10251.patch +Patch7: jasper-CVE-2017-5498.patch +Patch8: jasper-CVE-2016-9600.patch +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: gcc-c++ +BuildRequires: libdrm-devel +BuildRequires: libjpeg-devel +BuildRequires: libtool +BuildRequires: pkgconfig +BuildRequires: unzip BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -46,13 +52,13 @@ %package -n libjasper1 Summary:JPEG-2000 library # bug437293 +# used in <= 11.3 Group: Productivity/Graphics/Convertors +Obsoletes: libjasper < %{version}-%{release} +Provides: libjasper = %{version}-%{release} %ifarch ppc64 Obsoletes: libjasper-64bit %endif -# used in <= 11.3 -Obsoletes: libjasper < %{version}-%{release} -Provides: libjasper = %{version}-%{release} # %description -n libjasper1 @@ -62,13 +68,13 @@ %package -n libjasper-devel Summary:Development files for libjasper, a JPEG-2000 library # bug437293 +# Group: Development/Libraries/C and C++ +Requires: libjasper1 = %{version} +Requires: libjpeg-devel %ifarch ppc64 Obsoletes: libjasper-devel-64bit %endif -# -Requires: libjasper1 = %{version} -Requires: libjpeg-devel %description -n libjasper-devel This package contains libjasper, a library implementing the JPEG-2000 @@ -82,9 +88,14 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build -export CFLAGS="$RPM_OPT_FLAGS -Wall -std=c99 -D_BSD_SOURCE" +libtoolize --force --copy --install +autoreconf -fi +export CFLAGS="%{optflags} -Wall -std=c99 -D_BSD_SOURCE" %configure --prefix="%{_prefix}" --enable-shared --disable-static --libdir=%{_libdir} make %{?_smp_mflags} # @@ -98,22 +109,21 @@ fi %install -make install DESTDIR=$RPM_BUILD_ROOT +%make_install mv doc/README doc/README.doc -rm $RPM_BUILD_ROOT/usr/bin/tmrdemo +rm %{buildroot}%{_bindir}/tmrdemo # compatibility link, there was no interface change -ln -s libjasper.so.1.0.0 $RPM_BUILD_ROOT%{_libdir}/libjasper-1.701.so.1 +ln -s libjasper.so.1.0.0 %{buildroot}%{_libdir}/libjasper-1.701.so.1 %post -n libjasper1 -p /sbin/ldconfig - %postun -n libjasper1 -p /sbin/ldconfig %files %defattr(-,root,root) -%doc COPYRIGHT INSTALL LICENSE NEWS README doc/* -/usr/bin/imgcmp -/usr/bin/imginfo -/usr/bin/jasper +%doc COPYRIGHT L
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2017-03-10 21:00:26 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Fri Mar 10 21:00:26 2017 rev:36 rq:477393 version:1.900.14 Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2016-12-26 21:37:48.048149529 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2017-03-10 21:00:27.344275359 +0100 @@ -1,0 +2,7 @@ +Mon Mar 6 14:19:57 CET 2017 - sbra...@suse.com + +- Add -D_BSD_SOURCE to fix redefinition of system types in + jas_config.h and breakage in ppc64le, s390 and s390x + (bsc#1028070). + +--- Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.TOPWZg/_old 2017-03-10 21:00:28.144162007 +0100 +++ /var/tmp/diff_new_pack.TOPWZg/_new 2017-03-10 21:00:28.148161440 +0100 @@ -1,7 +1,7 @@ # # spec file for package jasper # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -84,9 +84,18 @@ %patch5 -p1 %build -export CFLAGS="$RPM_OPT_FLAGS -Wall -std=c99" +export CFLAGS="$RPM_OPT_FLAGS -Wall -std=c99 -D_BSD_SOURCE" %configure --prefix="%{_prefix}" --enable-shared --disable-static --libdir=%{_libdir} make %{?_smp_mflags} +# +# Sanity check +# With some CFLAGS sets, uint, ulong and ushort are not visible and jas_config.h +# refefines system types. It can trigger build failures after +# #include . +if grep "#define ushort" src/libjasper/include/jasper/jas_config.h ; then + echo "jas_config.h redefines system types" >&2 + exit 1 +fi %install make install DESTDIR=$RPM_BUILD_ROOT
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2016-11-03 11:09:04 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2016-10-28 10:42:57.0 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2016-11-03 11:09:05.0 +0100 @@ -1,0 +2,5 @@ +Fri Oct 28 11:55:35 UTC 2016 - jeng...@inai.de + +- Update summaries. Use %_smp_mflags for parallel build. + +--- Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.An10bs/_old 2016-11-03 11:09:06.0 +0100 +++ /var/tmp/diff_new_pack.An10bs/_new 2016-11-03 11:09:06.0 +0100 @@ -39,8 +39,8 @@ %package -n libjasper1 Summary:JPEG-2000 library -# bug437293 Group: Productivity/Graphics/Convertors +# bug437293 %ifarch ppc64 Obsoletes: libjasper-64bit %endif @@ -54,9 +54,9 @@ image compression standard Part 1. %package -n libjasper-devel -Summary:JPEG-2000 library - files mandatory for development -# bug437293 +Summary:Development files for libjasper, a JPEG-2000 library Group: Development/Libraries/C and C++ +# bug437293 %ifarch ppc64 Obsoletes: libjasper-devel-64bit %endif @@ -74,8 +74,8 @@ %build export CFLAGS="$RPM_OPT_FLAGS -Wall -std=c99" -%configure --prefix=/usr --enable-shared --disable-static --libdir=%{_libdir} -make %{?jobs:-j%jobs} +%configure --prefix="%{_prefix}" --enable-shared --disable-static --libdir=%{_libdir} +make %{?_smp_mflags} %install make install DESTDIR=$RPM_BUILD_ROOT
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2016-10-28 10:42:56 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2016-02-07 09:22:36.0 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2016-10-28 10:42:57.0 +0200 @@ -1,0 +2,204 @@ +Wed Oct 26 14:18:40 UTC 2016 - fst...@suse.com + +- Updated to bugfix release 1.900.14 + * Security fixes ++ bsc#941919, CVE-2015-5203 ++ bsc#1006591, CVE-2016-8880 ++ bsc#1006593, CVE-2016-8881 ++ bsc#1006597, CVE-2016-8882 ++ bsc#1006598, CVE-2016-8883 ++ bsc#1007009, CVE-2016-8884, CVE-2016-8885 ++ bsc#1006599, CVE-2016-8886 ++ bsc#1006836, bsc#1006839, CVE-2016-8887 + * Changes ++ Add another data file for testing (Michael Adams) ++ Ensure that not all tiles lie outside the image area (Michael + Adams) ++ Added a note on sanitizer options (Michael Adams) ++ Added a simple test script (Michael Adams) ++ Added an --enable-memory-limit configure option (Michael + Adams) ++ Manually merged and edited a few changes from Bob Friesenhahn + (GraphicsMagick Maintainer) for Windows (Michael Adams) ++ Added some new mostly small image files (many of which are + corrupt/invalid) that are useful for testing purposes + (Michael Adams) ++ The debugging function jpc_dec_dump did not consider the case + that a band can have a null data pointer (when a band + contains no samples). This caused a null pointer to be + dereferenced (Michael Adams) ++ Changed the JPC bitstream code to more gracefully handle a + request for a larger sized integer than what can be handled + (i.e., return with an error instead of failing an assert). + (Michael Adams) ++ The component domains must be the same for the ICT/RCT in the + JPC codec. This was previously enforced with an assertion. + Now, it is handled in a more graceful manner (Michael Adams) ++ Fixed a few bugs in the RAS encoder and decoder where errors + were tested with assertions instead of being gracefully + handled (Michael Adams) + +--- +Mon Oct 24 06:50:38 UTC 2016 - fst...@suse.com + +- Updated to bugfix release 1.900.13 + * Changes ++ Fixed another problem with incorrect cleanup of JP2 box data + upon error. (Michael Adams) ++ Fixed another integer overflow problem. (Michael Adams) ++ Replaced the remaining left and right shifts in the QMFB/MCT + code that can result in undefined behavior (due to shifting + negative values) with call to inline functions. + These functions collect all of the undefined behavior in one + place and also allow code sanitizers to ignore this ugliness + (via function attributes). (Michael Adams) ++ Fixed a bug in the row/column split operations for QMFBs. + (Michael Adams) ++ Made the PNM decoder more gracefully handle the not-fully- + supported feature of signed sample data. (Michael Adams) ++ The PNM decoder did not gracefully handle an invalid magic + number in the PNM header. (Michael Adams) ++ Fixed a MIF decoder bug. (Michael Adams) ++ The imginfo command did not correctly handle an image with + zero components. (Michael Adams) ++ Fixed an integer overflow problem. (Michael Adams) ++ A new experimental memory allocator has been introduced. The + allocator is experimental in the sense that its API is not + considered stable and the allocator may change or disappear + entirely in future versions of the code. This new allocator + tracks how much memory is being used by jas_malloc and friends. + A maximum upper bound on the memory usage can be set via the + experimental API provided and a default value can be set at + build time as well. Such functionality may be useful in + run-time environments where the user wants to be able to limit + the amount of memory used by JasPer. This allocator is not + used by default. (Michael Adams) ++ Changed the configure setup so that if GCC is used warnings + and pedantic errors are enabled. (Michael Adams) ++ Fixed a bug that resulted in the destruction of JP2 box data + that had never been constructed in the first place. (Michael + Adams) ++ The memory stream interface allows for a buffer size of zero. + The case of a zero-sized buffer was not handled correctly, as + it could lead to a double free (bsc#1005242, CVE-2016-8693). + (Michael Adams) ++ Fixed a small memory leak for CRG marker segments
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2016-02-07 09:22:35 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2016-01-23 01:15:36.0 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2016-02-07 09:22:36.0 +0100 @@ -1,0 +2,18 @@ +Tue Feb 2 07:48:21 UTC 2016 - fst...@suse.com + +- Modified patch + * jasper-CVE-2016-2089.patch ++ Use the new version of patch from + https://bugzilla.redhat.com/show_bug.cgi?id=1302636 + with more targetted checks. +- Version the Obsoletes/Provides so that the package does not + obsolete itself + +--- +Thu Jan 28 14:59:27 UTC 2016 - fst...@suse.com + +- Add jasper-CVE-2016-2089.patch + * CVE-2016-2089: invalid read in the JasPer's jas_matrix_clip() +function (bsc#963983) + +--- New: jasper-CVE-2016-2089.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.qdnWda/_old 2016-02-07 09:22:37.0 +0100 +++ /var/tmp/diff_new_pack.qdnWda/_new 2016-02-07 09:22:37.0 +0100 @@ -43,6 +43,7 @@ # PATCH-FIX-UPSTREAM jasper-jpc_dec.patch deb#469786 badshah...@gmail.com -- Fix failure when manipulating images with 4 component color using reversible color translation (patch taken from Fedora) Patch11:jasper-jpc_dec.patch Patch12:jasper-CVE-2016-1867.patch +Patch13:jasper-CVE-2016-2089.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -58,8 +59,8 @@ Obsoletes: libjasper-64bit %endif # used in <= 11.3 -Obsoletes: libjasper -Provides: libjasper +Obsoletes: libjasper < %{version}-%{release} +Provides: libjasper = %{version}-%{release} # %description -n libjasper1 @@ -95,6 +96,7 @@ %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 %build autoreconf -i -f ++ jasper-CVE-2016-2089.patch ++ diff -pru jasper-1.900.1.orig/src/libjasper/base/jas_image.c jasper-1.900.1/src/libjasper/base/jas_image.c --- jasper-1.900.1.orig/src/libjasper/base/jas_image.c 2016-02-01 14:53:56.0 +0100 +++ jasper-1.900.1/src/libjasper/base/jas_image.c 2016-02-01 21:49:58.746006339 +0100 @@ -433,6 +433,10 @@ int jas_image_readcmpt(jas_image_t *imag return -1; } + if (!data->rows_) { + return -1; + } + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { if (jas_matrix_resize(data, height, width)) { return -1; @@ -486,6 +490,10 @@ int jas_image_writecmpt(jas_image_t *ima return -1; } + if (!data->rows_) { + return -1; + } + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { return -1; } diff -pru jasper-1.900.1.orig/src/libjasper/base/jas_seq.c jasper-1.900.1/src/libjasper/base/jas_seq.c --- jasper-1.900.1.orig/src/libjasper/base/jas_seq.c2016-02-01 14:53:56.0 +0100 +++ jasper-1.900.1/src/libjasper/base/jas_seq.c 2016-02-01 21:53:45.149193159 +0100 @@ -266,6 +266,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma int rowstep; jas_seqent_t *data; + if (!matrix->rows_) { + return; + } + rowstep = jas_matrix_rowstep(matrix); for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, rowstart += rowstep) { @@ -286,6 +290,10 @@ void jas_matrix_clip(jas_matrix_t *matri jas_seqent_t *data; int rowstep; + if (!matrix->rows_) { + return; + } + rowstep = jas_matrix_rowstep(matrix); for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, rowstart += rowstep) { @@ -310,6 +318,10 @@ void jas_matrix_asr(jas_matrix_t *matrix int rowstep; jas_seqent_t *data; + if (!matrix->rows_) { + return; + } + assert(n >= 0); rowstep = jas_matrix_rowstep(matrix); for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, @@ -329,6 +341,10 @@ void jas_matrix_asl(jas_matrix_t *matrix int rowstep; jas_seqent_t *data; + if (!matrix->rows_) { + return; + } + rowstep = jas_matrix_rowstep(matrix); for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, rowstart += rowstep) { @@ -371,6 +387,10 @@ void jas
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2016-01-23 01:15:17 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2015-07-19 11:45:21.0 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2016-01-23 01:15:36.0 +0100 @@ -1,0 +2,7 @@ +Thu Jan 14 13:55:04 UTC 2016 - fst...@suse.com + +- Add jasper-CVE-2016-1867.patch + * CVE-2016-1867: Out-of-bounds Read in the JasPer's +jpc_pi_nextcprl() function (bsc#961886) + +--- @@ -18 +25 @@ -- fixed CVE-2014-8137, CVE-2014-8137 (bnc#909474, bnc#909475) +- fixed CVE-2014-8137, CVE-2014-8138 (bnc#909474, bnc#909475) @@ -26,0 +34,5 @@ + +--- +Thu Jun 12 11:06:02 UTC 2014 - nadvor...@suse.com + +- added obsoletes and provides of libjasper-32bit (bnc#881716) New: jasper-CVE-2016-1867.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.QOCIuR/_old 2016-01-23 01:15:37.0 +0100 +++ /var/tmp/diff_new_pack.QOCIuR/_new 2016-01-23 01:15:37.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package jasper # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -42,6 +42,7 @@ Patch10:jasper-CVE-2014-8158.patch # PATCH-FIX-UPSTREAM jasper-jpc_dec.patch deb#469786 badshah...@gmail.com -- Fix failure when manipulating images with 4 component color using reversible color translation (patch taken from Fedora) Patch11:jasper-jpc_dec.patch +Patch12:jasper-CVE-2016-1867.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -93,6 +94,7 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 %build autoreconf -i -f ++ baselibs.conf ++ --- /var/tmp/diff_new_pack.QOCIuR/_old 2016-01-23 01:15:37.0 +0100 +++ /var/tmp/diff_new_pack.QOCIuR/_new 2016-01-23 01:15:37.0 +0100 @@ -1 +1,3 @@ libjasper1 +obsoletes "libjasper-" +provides "libjasper-" ++ jasper-CVE-2016-1867.patch ++ --- jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c2007-01-19 22:43:07.0 +0100 +++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c2016-01-14 14:22:24.569056412 +0100 @@ -429,7 +429,7 @@ } for (pi->compno = pchg->compnostart, pi->picomp = - &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, + &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, ++pi->picomp) { pirlvl = pi->picomp->pirlvls; pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn +
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2015-07-19 11:45:20 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2015-01-24 22:19:44.0 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2015-07-19 11:45:21.0 +0200 @@ -1,0 +2,7 @@ +Sun Jul 12 09:03:19 UTC 2015 - badshah...@gmail.com + +- Add jasper-jpc_dec.patch to fix failure when manipulating images + with 4 component color using reversible color translation + (deb#469786); patch taken from Fedora. + +--- New: jasper-jpc_dec.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.sti43I/_old 2015-07-19 11:45:22.0 +0200 +++ /var/tmp/diff_new_pack.sti43I/_new 2015-07-19 11:45:22.0 +0200 @@ -1,7 +1,7 @@ # # spec file for package jasper # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -40,6 +40,8 @@ Patch8: jasper-CVE-2014-8138.patch Patch9: jasper-CVE-2014-8157.patch Patch10:jasper-CVE-2014-8158.patch +# PATCH-FIX-UPSTREAM jasper-jpc_dec.patch deb#469786 badshah...@gmail.com -- Fix failure when manipulating images with 4 component color using reversible color translation (patch taken from Fedora) +Patch11:jasper-jpc_dec.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -90,6 +92,7 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 %build autoreconf -i -f ++ jasper-jpc_dec.patch ++ diff -urN jasper-1.900.1/src/libjasper/jpc/jpc_dec.c jasper-1.900.1-fix/src/libjasper/jpc/jpc_dec.c --- jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2007-01-19 14:43:07.0 -0700 +++ jasper-1.900.1-fix/src/libjasper/jpc/jpc_dec.c 2008-03-06 16:51:12.0 -0700 @@ -1069,12 +1069,12 @@ /* Apply an inverse intercomponent transform if necessary. */ switch (tile->cp->mctid) { case JPC_MCT_RCT: - assert(dec->numcomps == 3); + assert(dec->numcomps >= 3); jpc_irct(tile->tcomps[0].data, tile->tcomps[1].data, tile->tcomps[2].data); break; case JPC_MCT_ICT: - assert(dec->numcomps == 3); + assert(dec->numcomps >= 3); jpc_iict(tile->tcomps[0].data, tile->tcomps[1].data, tile->tcomps[2].data); break;
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2015-01-24 22:19:42 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2014-12-21 12:02:37.0 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2015-01-24 22:19:44.0 +0100 @@ -1,0 +2,7 @@ +Fri Jan 23 14:25:53 UTC 2015 - nadvor...@suse.com + +- fixed CVE-2014-8157, CVE-2014-8158 (bnc#911837) + + jasper-CVE-2014-8157.patch + + jasper-CVE-2014-8158.patch + +--- New: jasper-CVE-2014-8157.patch jasper-CVE-2014-8158.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.GQjfqt/_old 2015-01-24 22:19:45.0 +0100 +++ /var/tmp/diff_new_pack.GQjfqt/_new 2015-01-24 22:19:45.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package jasper # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -38,6 +38,8 @@ Patch6: jasper-overflow-bnc906364.patch Patch7: jasper-CVE-2014-8137.patch Patch8: jasper-CVE-2014-8138.patch +Patch9: jasper-CVE-2014-8157.patch +Patch10:jasper-CVE-2014-8158.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -86,6 +88,8 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 %build autoreconf -i -f ++ jasper-CVE-2014-8157.patch ++ diff -ru jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c jasper-1.900.1/src/libjasper/jpc/jpc_dec.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2007-01-19 22:43:07.0 +0100 +++ jasper-1.900.1/src/libjasper/jpc/jpc_dec.c 2015-01-14 11:45:26.601242398 +0100 @@ -1204,7 +1204,7 @@ dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); dec->numtiles = dec->numhtiles * dec->numvtiles; - if (!(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t { + if (dec->numtiles == 0 || !(dec->tiles = jas_alloc2(dec->numtiles, sizeof(jpc_dec_tile_t { return -1; } ++ jasper-CVE-2014-8158.patch ++ diff -ru jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_qmfb.c2015-01-14 15:36:00.0 +0100 +++ jasper-1.900.1/src/libjasper/jpc/jpc_qmfb.c 2015-01-14 15:36:37.222173618 +0100 @@ -306,11 +306,7 @@ { int bufsize = JPC_CEILDIVPOW2(numcols, 1); -#if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; -#else - jpc_fix_t splitbuf[bufsize]; -#endif jpc_fix_t *buf = splitbuf; register jpc_fix_t *srcptr; register jpc_fix_t *dstptr; @@ -318,7 +314,6 @@ register int m; int hstartcol; -#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t { @@ -326,7 +321,6 @@ abort(); } } -#endif if (numcols >= 2) { hstartcol = (numcols + 1 - parity) >> 1; @@ -360,12 +354,10 @@ } } -#if !defined(HAVE_VLA) /* If the split buffer was allocated on the heap, free this memory. */ if (buf != splitbuf) { jas_free(buf); } -#endif } @@ -374,11 +366,7 @@ { int bufsize = JPC_CEILDIVPOW2(numrows, 1); -#if !defined(HAVE_VLA) jpc_fix_t splitbuf[QMFB_SPLITBUFSIZE]; -#else - jpc_fix_t splitbuf[bufsize]; -#endif jpc_fix_t *buf = splitbuf; register jpc_fix_t *srcptr; register jpc_fix_t *dstptr; @@ -386,7 +374,6 @@ register int m; int hstartcol; -#if !defined(HAVE_VLA) /* Get a buffer. */ if (bufsize > QMFB_SPLITBUFSIZE) { if (!(buf = jas_alloc2(bufsize, sizeof(jpc_fix_t { @@ -394,7 +381,6 @@ abort(); } } -#endif if (numrows >= 2) { hstartcol = (numrows + 1 - parity) >> 1; @@ -428,12 +414,10 @@ } } -#if !defined(HAVE_VLA) /* If the split buffer was allocated on the heap, free this memory. */ if (buf != splitbuf) { jas_free(buf);
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2014-12-21 12:03:28 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2014-03-18 16:21:24.0 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2014-12-21 12:02:37.0 +0100 @@ -1,0 +2,13 @@ +Fri Dec 19 10:31:14 UTC 2014 - nadvor...@suse.com + +- fixed CVE-2014-8137, CVE-2014-8137 (bnc#909474, bnc#909475) + + jasper-CVE-2014-8137.patch + + jasper-CVE-2014-8138.patch + +--- +Fri Dec 5 09:56:39 UTC 2014 - nadvor...@suse.com + +- fixed possible overflow CVE-2014-9029 (bnc#906364) + + jasper-overflow-bnc906364.patch + +--- New: jasper-CVE-2014-8137.patch jasper-CVE-2014-8138.patch jasper-overflow-bnc906364.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.R0UmEH/_old 2014-12-21 12:02:38.0 +0100 +++ /var/tmp/diff_new_pack.R0UmEH/_new 2014-12-21 12:02:38.0 +0100 @@ -35,6 +35,9 @@ Patch3: %{name}-%{version}-bug392410.patch Patch4: %{name}-%{version}-no-undef-true-false.patch Patch5: jasper-1.900.1-bug725758.patch +Patch6: jasper-overflow-bnc906364.patch +Patch7: jasper-CVE-2014-8137.patch +Patch8: jasper-CVE-2014-8138.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -80,6 +83,9 @@ %patch3 %patch4 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build autoreconf -i -f ++ jasper-CVE-2014-8137.patch ++ --- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c2014-12-11 14:06:44.0 +0100 +++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100 @@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr return 0; error: - jas_icccurv_destroy(attrval); return -1; } @@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca #endif return 0; error: - jas_icctxtdesc_destroy(attrval); return -1; } @@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv goto error; return 0; error: - if (txt->string) - jas_free(txt->string); return -1; } @@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr goto error; return 0; error: - jas_icclut8_destroy(attrval); return -1; } @@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt goto error; return 0; error: - jas_icclut16_destroy(attrval); return -1; } --- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100 +++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100 @@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in case JP2_COLR_ICC: iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, dec->colr->data.colr.iccplen); - assert(iccprof); + if (!iccprof) { + jas_eprintf("error: failed to parse ICC profile\n"); + goto error; + } jas_iccprof_gethdr(iccprof, &icchdr); jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); ++ jasper-CVE-2014-8138.patch ++ diff -ru jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c jasper-1.900.1/src/libjasper/jp2/jp2_cod.c --- jasper-1.900.1.orig/src/libjasper/jp2/jp2_cod.c 2007-01-19 22:43:05.0 +0100 +++ jasper-1.900.1/src/libjasper/jp2/jp2_cod.c 2014-12-17 11:58:58.271398603 +0100 @@ -459,7 +459,8 @@ for (channo = 0; channo < cdef->numchans; ++channo) { chan = &cdef->ents[channo]; if (jp2_getuint16(in, &chan->channo) || jp2_getuint16(in, &chan->type) || - jp2_getuint16(in, &chan->assoc)) { + jp2_getuint16(in, &chan->assoc) || + chan->channo >= cdef->numchans ) { return -1; } } ++ jasper-overflow-bnc906364.patch ++ --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:45:44.0 +0100 +++ jasper-1.900.1.orig/src/libjasper/jpc/jpc_dec.c 2014-11-27 12:44:58.0 +0100 @@ -1281,7 +1281,7 @@ static int jpc_dec_process_coc(jpc_dec_t jpc_coc_t *coc = &ms->parms.coc; jpc_dec_tile
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2014-03-18 16:21:18 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2013-09-14 19:10:23.0 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2014-03-18 16:21:24.0 +0100 @@ -1,0 +2,5 @@ +Wed Mar 5 15:26:47 UTC 2014 - nadvor...@suse.com + +- fixed possible overflow (bnc#725758, bnc#830803) + +--- New: jasper-1.900.1-bug725758.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.iWUKGp/_old 2014-03-18 16:21:27.0 +0100 +++ /var/tmp/diff_new_pack.iWUKGp/_new 2014-03-18 16:21:27.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package jasper # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,6 +34,7 @@ Patch2: %{name}-%{version}-bug258253.patch Patch3: %{name}-%{version}-bug392410.patch Patch4: %{name}-%{version}-no-undef-true-false.patch +Patch5: jasper-1.900.1-bug725758.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -78,6 +79,7 @@ %patch2 %patch3 %patch4 +%patch5 -p1 %build autoreconf -i -f ++ jasper-1.900.1-bug725758.patch ++ diff -ru jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c --- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c 2011-11-29 14:13:01.0 +0100 +++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c 2011-11-29 14:15:11.638066001 +0100 @@ -744,6 +744,12 @@ return -1; } compparms->numrlvls = compparms->numdlvls + 1; + if (compparms->numrlvls > JPC_MAXRLVLS) { + compparms->numrlvls = 0; + jpc_cox_destroycompparms(compparms); + return -1; + } + if (prtflag) { for (i = 0; i < compparms->numrlvls; ++i) { if (jpc_getuint8(in, &tmp)) { @@ -1331,7 +1337,7 @@ jpc_crgcomp_t *comp; uint_fast16_t compno; crg->numcomps = cstate->numcomps; - if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t { + if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t { return -1; } for (compno = 0, comp = crg->comps; compno < cstate->numcomps; -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2013-09-14 19:10:21 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2013-04-02 11:55:24.0 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2013-09-14 19:10:23.0 +0200 @@ -1,0 +2,5 @@ +Wed Sep 11 08:01:48 UTC 2013 - pgaj...@suse.com + +- added no-undef-true-false.patch to fix [bnc#839584] + +--- New: jasper-1.900.1-no-undef-true-false.patch Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.ZOb2eI/_old 2013-09-14 19:10:25.0 +0200 +++ /var/tmp/diff_new_pack.ZOb2eI/_new 2013-09-14 19:10:25.0 +0200 @@ -33,6 +33,7 @@ Patch: %{name}-%{version}-uninitialized.patch Patch2: %{name}-%{version}-bug258253.patch Patch3: %{name}-%{version}-bug392410.patch +Patch4: %{name}-%{version}-no-undef-true-false.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -76,6 +77,7 @@ %patch %patch2 %patch3 +%patch4 %build autoreconf -i -f ++ jasper-1.900.1-no-undef-true-false.patch ++ Index: src/libjasper/include/jasper/jas_types.h === --- src/libjasper/include/jasper/jas_types.h +++ src/libjasper/include/jasper/jas_types.h @@ -93,8 +93,6 @@ #endif #if defined(HAVE_STDLIB_H) -#undef false -#undef true #include #endif #if defined(HAVE_STDDEF_H) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2013-04-02 11:55:22 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper", Maintainer is "nadvor...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2013-01-12 21:23:51.0 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2013-04-02 11:55:24.0 +0200 @@ -1,0 +2,6 @@ +Thu Mar 28 10:34:19 UTC 2013 - mmeis...@suse.com + +- Added url as source. + Please see http://en.opensuse.org/SourceUrls + +--- Old: jasper-1.900.1.tar.bz2 New: jasper-1.900.1.zip Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.8fQpGQ/_old 2013-04-02 11:55:26.0 +0200 +++ /var/tmp/diff_new_pack.8fQpGQ/_new 2013-04-02 11:55:26.0 +0200 @@ -21,13 +21,14 @@ BuildRequires: libdrm-devel BuildRequires: libjpeg-devel BuildRequires: libtool +BuildRequires: unzip Url:http://www.ece.uvic.ca/~mdadams/jasper/ Version:1.900.1 Release:0 Summary:An Implementation of the JPEG-2000 Standard, Part 1 License:SUSE-Public-Domain Group: Productivity/Graphics/Convertors -Source: %{name}-%{version}.tar.bz2 +Source: http://www.ece.uvic.ca/~frodo/jasper/software/%{name}-%{version}.zip Source2:baselibs.conf Patch: %{name}-%{version}-uninitialized.patch Patch2: %{name}-%{version}-bug258253.patch -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2013-01-12 21:23:51 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper", Maintainer is "nadvor...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2011-11-14 11:54:51.0 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2013-01-12 21:23:51.0 +0100 @@ -1,0 +2,5 @@ +Sat Jan 12 19:12:02 UTC 2013 - co...@suse.com + +- remove suse_update_config + +--- Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.9Ibey6/_old 2013-01-12 21:23:53.0 +0100 +++ /var/tmp/diff_new_pack.9Ibey6/_new 2013-01-12 21:23:53.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package jasper # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,18 +15,18 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild - Name: jasper -BuildRequires: gcc-c++ libdrm-devel libjpeg-devel libtool +BuildRequires: gcc-c++ +BuildRequires: libdrm-devel +BuildRequires: libjpeg-devel +BuildRequires: libtool Url:http://www.ece.uvic.ca/~mdadams/jasper/ -License:SUSE-Public-Domain -Group: Productivity/Graphics/Convertors -AutoReqProv:on Version:1.900.1 -Release:144 +Release:0 Summary:An Implementation of the JPEG-2000 Standard, Part 1 +License:SUSE-Public-Domain +Group: Productivity/Graphics/Convertors Source: %{name}-%{version}.tar.bz2 Source2:baselibs.conf Patch: %{name}-%{version}-uninitialized.patch @@ -40,7 +40,6 @@ from the JP2 and JPC formats. %package -n libjasper1 -License:SUSE-Public-Domain Summary:JPEG-2000 library Group: Productivity/Graphics/Convertors # bug437293 @@ -57,7 +56,6 @@ image compression standard Part 1. %package -n libjasper-devel -License:SUSE-Public-Domain Summary:JPEG-2000 library - files mandatory for development Group: Development/Libraries/C and C++ # bug437293 @@ -79,7 +77,6 @@ %patch3 %build -%{suse_update_config} autoreconf -i -f export CFLAGS="$RPM_OPT_FLAGS -Wall" %configure --prefix=/usr --enable-shared --disable-static --libdir=%{_libdir} -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2011-12-06 18:20:24 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper", Maintainer is "nadvor...@suse.com" Changes: Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.H6UT24/_old 2011-12-06 18:35:23.0 +0100 +++ /var/tmp/diff_new_pack.H6UT24/_new 2011-12-06 18:35:23.0 +0100 @@ -21,7 +21,7 @@ Name: jasper BuildRequires: gcc-c++ libdrm-devel libjpeg-devel libtool Url:http://www.ece.uvic.ca/~mdadams/jasper/ -License:Public Domain, Freeware +License:SUSE-Public-Domain Group: Productivity/Graphics/Convertors AutoReqProv:on Version:1.900.1 @@ -40,7 +40,7 @@ from the JP2 and JPC formats. %package -n libjasper1 -License:Public Domain, Freeware +License:SUSE-Public-Domain Summary:JPEG-2000 library Group: Productivity/Graphics/Convertors # bug437293 @@ -57,7 +57,7 @@ image compression standard Part 1. %package -n libjasper-devel -License:Public Domain, Freeware +License:SUSE-Public-Domain Summary:JPEG-2000 library - files mandatory for development Group: Development/Libraries/C and C++ # bug437293 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2011-11-14 11:54:50 Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new (New) Package is "jasper", Maintainer is "nadvor...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/jasper/jasper.changes2011-10-06 16:04:42.0 +0200 +++ /work/SRC/openSUSE:Factory/.jasper.new/jasper.changes 2011-11-14 11:54:51.0 +0100 @@ -1,0 +2,5 @@ +Sun Nov 13 09:11:33 UTC 2011 - co...@suse.com + +- add libtool as explicit buildrequire to avoid implicit dependency from prjconf + +--- Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.aTrNxb/_old 2011-11-14 11:54:52.0 +0100 +++ /var/tmp/diff_new_pack.aTrNxb/_new 2011-11-14 11:54:52.0 +0100 @@ -19,7 +19,7 @@ Name: jasper -BuildRequires: gcc-c++ libdrm-devel libjpeg-devel +BuildRequires: gcc-c++ libdrm-devel libjpeg-devel libtool Url:http://www.ece.uvic.ca/~mdadams/jasper/ License:Public Domain, Freeware Group: Productivity/Graphics/Convertors -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit jasper for openSUSE:Factory
Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at Thu Oct 6 16:04:43 CEST 2011. --- openSUSE:Factory/jasper/jasper.changes 2011-09-23 02:04:00.0 +0200 +++ jasper/jasper.changes 2011-10-05 15:59:04.0 +0200 @@ -1,0 +2,5 @@ +Wed Oct 5 13:58:57 UTC 2011 - u...@suse.com + +- cross-build fix: use %configure macro + +--- calling whatdependson for head-i586 Other differences: -- ++ jasper.spec ++ --- /var/tmp/diff_new_pack.TLVtJO/_old 2011-10-06 16:04:40.0 +0200 +++ /var/tmp/diff_new_pack.TLVtJO/_new 2011-10-06 16:04:40.0 +0200 @@ -1,7 +1,7 @@ # -# spec file for package jasper (Version 1.900.1) +# spec file for package jasper # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -81,7 +81,8 @@ %build %{suse_update_config} autoreconf -i -f -CFLAGS="$RPM_OPT_FLAGS -Wall" ./configure --prefix=/usr --enable-shared --disable-static --libdir=%{_libdir} +export CFLAGS="$RPM_OPT_FLAGS -Wall" +%configure --prefix=/usr --enable-shared --disable-static --libdir=%{_libdir} make %{?jobs:-j%jobs} %install continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org