main/libjpeg-turbo: Backport fix for CVE-2018-1152

Cherry-pick commit f1322ac from the 1.5.x branch

Signed-off-by: Euan Harris <euan.harris@docker.com>
(cherry picked from commit 8d429487fdfea72fe6b0e45659274a62fa8c89bd)

1 files changed, 11 insertions, 3 deletions

diff --git a/main/libjpeg-turbo/APKBUILD b/main/libjpeg-turbo/APKBUILD
index d39fb59f0c..cc4380274c 100644
--- a/main/libjpeg-turbo/APKBUILD
+++ b/main/libjpeg-turbo/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libjpeg-turbo
 pkgver=1.5.3
-pkgrel=0
+pkgrel=1
 pkgdesc="accelerated baseline JPEG compression and decompression library"
 url="http://libjpeg-turbo.virtualgl.org/"
 arch="all"
@@ -12,7 +12,14 @@ depends_dev=""
 makedepends="$depends_dev nasm"
 replaces="libjpeg"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-utils"
-source="http://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz"
+source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz
+        0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch"
+
+# secfixes:
+#   1.5.3-r1:
+#   - CVE-2018-1152
+#   1.5.3-r0:
+#   - CVE-2017-15232
 
 builddir="$srcdir"/libjpeg-turbo-$pkgver
 
@@ -53,4 +60,5 @@ dev() {
 	replaces="jpeg-dev"
 }
 
-sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202  libjpeg-turbo-1.5.3.tar.gz"
+sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202  libjpeg-turbo-1.5.3.tar.gz
+d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74  0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch"