diff --git a/.gitignore b/.gitignore
index 95b118f..516d268 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@
 /openjpeg-2.1.2.tar.gz
 /openjpeg-2.2.0.tar.gz
 /openjpeg-2.3.0.tar.gz
+/openjpeg-2.3.1.tar.gz
diff --git a/CVE-2018-18088.patch b/CVE-2018-18088.patch
deleted file mode 100644
index 41f699f..0000000
--- a/CVE-2018-18088.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff -rupN openjpeg-2.3.0/src/bin/jp2/convert.c openjpeg-2.3.0-new/src/bin/jp2/convert.c
---- openjpeg-2.3.0/src/bin/jp2/convert.c 2017-10-05 00:23:14.000000000 +0200
-+++ openjpeg-2.3.0-new/src/bin/jp2/convert.c 2018-12-20 10:51:16.454336033 +0100
-@@ -2210,6 +2210,11 @@ int imagetopnm(opj_image_t * image, cons
- opj_version(), wr, hr, max);
-
- red = image->comps[compno].data;
-+ if (!red) {
-+ fclose(fdest);
-+ continue;
-+ }
-+
- adjustR =
- (image->comps[compno].sgnd ? 1 << (image->comps[compno].prec - 1) : 0);
-
-diff -rupN openjpeg-2.3.0/src/bin/jp3d/convert.c openjpeg-2.3.0-new/src/bin/jp3d/convert.c
---- openjpeg-2.3.0/src/bin/jp3d/convert.c 2017-10-05 00:23:14.000000000 +0200
-+++ openjpeg-2.3.0-new/src/bin/jp3d/convert.c 2018-12-20 10:51:16.453336036 +0100
-@@ -297,8 +297,8 @@ opj_volume_t* pgxtovolume(char *relpath,
- fprintf(stdout, "[INFO] Loading %s \n", pgxfiles[pos]);
-
- fseek(f, 0, SEEK_SET);
-- fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, &endian2,
-- signtmp, &prec, temp, &w, temp, &h);
-+ fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
-+ &endian2, signtmp, &prec, temp, &w, temp, &h);
-
- i = 0;
- sign = '+';
-diff -rupN openjpeg-2.3.0/src/bin/jpwl/convert.c openjpeg-2.3.0-new/src/bin/jpwl/convert.c
---- openjpeg-2.3.0/src/bin/jpwl/convert.c 2017-10-05 00:23:14.000000000 +0200
-+++ openjpeg-2.3.0-new/src/bin/jpwl/convert.c 2018-12-20 10:51:16.453336036 +0100
-@@ -1348,7 +1348,7 @@ opj_image_t* pgxtoimage(const char *file
- }
-
- fseek(f, 0, SEEK_SET);
-- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
-+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
- &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
- fprintf(stderr,
- "ERROR: Failed to read the right number of element from the fscanf() function!\n");
diff --git a/CVE-2018-5785.patch b/CVE-2018-5785.patch
deleted file mode 100644
index b93515c..0000000
--- a/CVE-2018-5785.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From ca16fe55014c57090dd97369256c7657aeb25975 Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre
-Date: Sat, 22 Sep 2018 14:33:19 -0400
-Subject: [PATCH] convertbmp: fix issues with zero bitmasks
-
-In the case where a BMP file declares compression 3 (BI_BITFIELDS)
-with header size <= 56, all bitmask values keep their initialization
-value 0. This may lead to various undefined behavior later e.g. when
-doing 1 << (l_comp->prec - 1).
-
-This issue does not affect files with bit count 16 because of a check
-added in 16240e2 which sets default values to the color masks if they
-are all 0.
-
-This commit adds similar checks for the 32 bit case.
-
-Also, if a BMP file declares compression 3 with header size >= 56 and
-intentional 0 bitmasks, the same issue will be triggered in both the
-16 and 32 bit count case.
-
-This commit adds checks to bmp_read_info_header() rejecting BMP files
-with "intentional" 0 bitmasks. These checks might be removed in the
-future when proper handling of zero bitmasks will be available in
-openjpeg2.
-
-fixes #1057 (CVE-2018-5785)
----
- src/bin/jp2/convertbmp.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index 084f70bb7..7fde99ab3 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -435,16 +435,31 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
- header->biRedMask |= (OPJ_UINT32)getc(IN) << 16;
- header->biRedMask |= (OPJ_UINT32)getc(IN) << 24;
-
-+ if (!header->biRedMask) {
-+ fprintf(stderr, "Error, invalid red mask value %d\n", header->biRedMask);
-+ return OPJ_FALSE;
-+ }
-+
- header->biGreenMask = (OPJ_UINT32)getc(IN);
- header->biGreenMask |= (OPJ_UINT32)getc(IN) << 8;
- header->biGreenMask |= (OPJ_UINT32)getc(IN) << 16;
- header->biGreenMask |= (OPJ_UINT32)getc(IN) << 24;
-
-+ if (!header->biGreenMask) {
-+ fprintf(stderr, "Error, invalid green mask value %d\n", header->biGreenMask);
-+ return OPJ_FALSE;
-+ }
-+
- header->biBlueMask = (OPJ_UINT32)getc(IN);
- header->biBlueMask |= (OPJ_UINT32)getc(IN) << 8;
- header->biBlueMask |= (OPJ_UINT32)getc(IN) << 16;
- header->biBlueMask |= (OPJ_UINT32)getc(IN) << 24;
-
-+ if (!header->biBlueMask) {
-+ fprintf(stderr, "Error, invalid blue mask value %d\n", header->biBlueMask);
-+ return OPJ_FALSE;
-+ }
-+
- header->biAlphaMask = (OPJ_UINT32)getc(IN);
- header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 8;
- header->biAlphaMask |= (OPJ_UINT32)getc(IN) << 16;
-@@ -831,6 +846,12 @@ opj_image_t* bmptoimage(const char *filename, opj_cparameters_t *parameters)
- bmpmask32toimage(pData, stride, image, 0x00FF0000U, 0x0000FF00U, 0x000000FFU,
- 0x00000000U);
- } else if (Info_h.biBitCount == 32 && Info_h.biCompression == 3) { /* bitmask */
-+ if ((Info_h.biRedMask == 0U) && (Info_h.biGreenMask == 0U) &&
-+ (Info_h.biBlueMask == 0U)) {
-+ Info_h.biRedMask = 0x00FF0000U;
-+ Info_h.biGreenMask = 0x0000FF00U;
-+ Info_h.biBlueMask = 0x000000FFU;
-+ }
- bmpmask32toimage(pData, stride, image, Info_h.biRedMask, Info_h.biGreenMask,
- Info_h.biBlueMask, Info_h.biAlphaMask);
- } else if (Info_h.biBitCount == 16 && Info_h.biCompression == 0) { /* RGBX */
diff --git a/CVE-2018-6616.patch b/CVE-2018-6616.patch
deleted file mode 100644
index fd40bf5..0000000
--- a/CVE-2018-6616.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-diff -rupN openjpeg-2.3.0/src/bin/jp2/convertbmp.c openjpeg-2.3.0-new/src/bin/jp2/convertbmp.c
---- openjpeg-2.3.0/src/bin/jp2/convertbmp.c 2018-12-20 10:51:16.451336040 +0100
-+++ openjpeg-2.3.0-new/src/bin/jp2/convertbmp.c 2018-12-20 10:51:16.491335949 +0100
-@@ -534,14 +534,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE*
- static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
- OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
- {
-- OPJ_UINT32 x, y;
-+ OPJ_UINT32 x, y, written;
- OPJ_UINT8 *pix;
- const OPJ_UINT8 *beyond;
-
- beyond = pData + stride * height;
- pix = pData;
-
-- x = y = 0U;
-+ x = y = written = 0U;
- while (y < height) {
- int c = getc(IN);
- if (c == EOF) {
-@@ -561,6 +561,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
- for (j = 0; (j < c) && (x < width) &&
- ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
- *pix = c1;
-+ written++;
- }
- } else {
- c = getc(IN);
-@@ -598,6 +599,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
- }
- c1 = (OPJ_UINT8)c1_int;
- *pix = c1;
-+ written++;
- }
- if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
- c = getc(IN);
-@@ -608,6 +610,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
- }
- }
- }/* while() */
-+
-+ if (written != width * height) {
-+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
-+ return OPJ_FALSE;
-+ }
-+
- return OPJ_TRUE;
- }
-
diff --git a/openjpeg2.spec b/openjpeg2.spec
index 566c127..0a14271 100644
--- a/openjpeg2.spec
+++ b/openjpeg2.spec
@@ -4,8 +4,8 @@ #global optional_components 1 Name: openjpeg2 -Version: 2.3.0 -Release: 11%{?dist} +Version: 2.3.1 +Release: 1%{?dist} Summary: C-Library for JPEG 2000 # windirent.h is MIT, the rest is BSD @@ -19,19 +19,8 @@ Source1: data.tar.xz # Remove bundled libraries Patch0: openjpeg2_remove-thirdparty.patch -# Fix shared libraries not getting installed if static libraries are disabled -Patch1: openjpeg2_install.patch # Rename tool names to avoid conflicts with openjpeg-1.x -Patch2: openjpeg2_opj2.patch -# Backport patch for CVE-2018-5785 -# https://github.com/uclouvain/openjpeg/commit/ca16fe55014c57090dd97369256c7657aeb25975 -Patch3: CVE-2018-5785.patch -# Backport patch for CVE-2018-18088 -# https://github.com/uclouvain/openjpeg/commit/92023cd6c377e0384a7725949b25655d4d94dced -Patch4: CVE-2018-18088.patch -# Backport patch for CVE-2018-6616 -# https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3 -Patch5: CVE-2018-6616.patch +Patch1: openjpeg2_opj2.patch BuildRequires: cmake @@ -338,6 +327,9 @@ make test -C %{_target_platform} %changelog +* Tue Apr 02 2019 Sandro Mani - 2.3.1-1 +- Update to 2.3.1 + * Fri Feb 01 2019 Fedora Release Engineering - 2.3.0-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild diff --git a/openjpeg2_install.patch b/openjpeg2_install.patch deleted file mode 100644 index 9e06fd2..0000000 --- a/openjpeg2_install.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -rupN openjpeg-2.3.0/src/lib/openjp2/CMakeLists.txt openjpeg-2.3.0-new/src/lib/openjp2/CMakeLists.txt ---- openjpeg-2.3.0/src/lib/openjp2/CMakeLists.txt 2017-10-05 00:23:14.000000000 +0200 -+++ openjpeg-2.3.0-new/src/lib/openjp2/CMakeLists.txt 2017-12-25 13:53:07.000000000 +0100 -@@ -99,6 +99,7 @@ else() - set(INSTALL_LIBS ${OPENJPEG_LIBRARY_NAME} openjp2_static) - else() - add_library(${OPENJPEG_LIBRARY_NAME} ${OPENJPEG_SRCS}) -+ set(INSTALL_LIBS ${OPENJPEG_LIBRARY_NAME}) - endif() - endif() - 
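Review bot: The second hunk of openjpeg2.spec drops Patch3–Patch5, the backports for CVE-2018-5785, CVE-2018-18088 and CVE-2018-6616, while the new changelog entry only says `- Update to 2.3.1`, so the package history no longer records where those fixes went. Presumably the 2.3.1 tarball already contains the three upstream commits that the removed comments linked to; that is worth confirming against the unpacked source before the build is pushed. I would add a changelog line such as `- Drop CVE-2018-5785, CVE-2018-18088 and CVE-2018-6616 backports, included upstream in 2.3.1` so that anyone tracking these CVEs can see the fixes were not lost in the rebase. The removal of openjpeg2_install.patch in the same hunk deserves a similar one-line explanation.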
diff --git a/openjpeg2_opj2.patch b/openjpeg2_opj2.patch
index ff60009..4a531ad 100644
--- a/openjpeg2_opj2.patch
+++ b/openjpeg2_opj2.patch
@@ -1,12 +1,12 @@
-diff -rupN openjpeg-2.3.0/src/bin/jp2/CMakeLists.txt openjpeg-2.3.0-new/src/bin/jp2/CMakeLists.txt
---- openjpeg-2.3.0/src/bin/jp2/CMakeLists.txt 2017-10-05 00:23:14.000000000 +0200
-+++ openjpeg-2.3.0-new/src/bin/jp2/CMakeLists.txt 2017-12-25 14:55:37.562470567 +0100
+diff -rupN openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt
+--- openjpeg-2.3.1/src/bin/jp2/CMakeLists.txt 2019-04-02 14:45:15.000000000 +0200
++++ openjpeg-2.3.1-new/src/bin/jp2/CMakeLists.txt 2019-04-02 16:14:13.726252297 +0200
 @@ -44,6 +44,8 @@ endif()
 # Loop over all executables:
 foreach(exe opj_decompress opj_compress opj_dump)
 add_executable(${exe} ${exe}.c ${common_SRCS})
-+ STRING(REPLACE "opj_" "opj2_" exe2 ${exe})
++ string(REPLACE "opj_" "opj2_" exe2 ${exe})
 + set_target_properties(${exe} PROPERTIES OUTPUT_NAME ${exe2})
- if(${CMAKE_VERSION} VERSION_GREATER "2.8.11")
+ if(NOT ${CMAKE_VERSION} VERSION_LESS "2.8.12")
 target_compile_options(${exe} PRIVATE ${OPENJP2_COMPILE_OPTIONS})
 endif()
diff --git a/openjpeg2_remove-thirdparty.patch b/openjpeg2_remove-thirdparty.patch
index 6987fc2..12ac763 100644
--- a/openjpeg2_remove-thirdparty.patch
+++ b/openjpeg2_remove-thirdparty.patch
@@ -1,7 +1,7 @@
-diff -rupN openjpeg-2.1.1/CMakeLists.txt openjpeg-2.1.1-new/CMakeLists.txt
---- openjpeg-2.1.1/CMakeLists.txt 2016-07-05 16:54:17.000000000 +0200
-+++ openjpeg-2.1.1-new/CMakeLists.txt 2016-07-06 09:38:26.083029127 +0200
-@@ -270,7 +270,6 @@ if(BUILD_CODEC OR BUILD_MJ2)
+diff -rupN openjpeg-2.3.1/CMakeLists.txt openjpeg-2.3.1-new/CMakeLists.txt
+--- openjpeg-2.3.1/CMakeLists.txt 2019-04-02 14:45:15.000000000 +0200
++++ openjpeg-2.3.1-new/CMakeLists.txt 2019-04-02 16:14:13.688252343 +0200
+@@ -278,7 +278,6 @@ if(BUILD_CODEC OR BUILD_MJ2)
 # OFF: It will only build 3rd party libs if they are not found on the system
 # ON: 3rd party libs will ALWAYS be build, and used
 option(BUILD_THIRDPARTY "Build the thirdparty executables if it is needed" OFF)
diff --git a/sources b/sources
index a3906ad..955316f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openjpeg-2.3.0.tar.gz) = 0a9d427be4a820b1d759fca4b50e293721b45fe4885aa61ca1ae09e099f75ed93520448090c780d62f51076d575cc03618cd6d5181bdb6b34e4fc07b4cfdd568
+SHA512 (openjpeg-2.3.1.tar.gz) = 339fbc899bddf2393d214df71ed5d6070a3a76b933b1e75576c8a0ae9dfcc4adec40bdc544f599e4b8d0bc173e4e9e7352408497b5b3c9356985605830c26c03