main/libjpeg-turbo: Backport fix for CVE-2018-1152

Cherry-pick commit f1322ac from the 1.5.x branch

Signed-off-by: Euan Harris <euan.harris@docker.com>

1 files changed, 9 insertions, 3 deletions

diff --git a/main/libjpeg-turbo/APKBUILD b/main/libjpeg-turbo/APKBUILD
index 5596110b03..8b9267229e 100644
--- a/main/libjpeg-turbo/APKBUILD
+++ b/main/libjpeg-turbo/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libjpeg-turbo
 pkgver=1.5.3
-pkgrel=1
+pkgrel=2
 pkgdesc="accelerated baseline JPEG compression and decompression library"
 url="https://libjpeg-turbo.org/"
 arch="all"
@@ -11,7 +11,12 @@ depends=""
 makedepends="nasm"
 replaces="libjpeg"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-utils"
-source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz"
+source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz
+        0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch"
+
+# secfixes:
+#   1.5.3-r2:
+#   - CVE-2018-1152
 
 builddir="$srcdir"/libjpeg-turbo-$pkgver
 
@@ -57,4 +62,5 @@ dev() {
 	replaces="jpeg-dev"
 }
 
-sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202  libjpeg-turbo-1.5.3.tar.gz"
+sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202  libjpeg-turbo-1.5.3.tar.gz
+d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74  0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch"