diff options
Diffstat (limited to 'main/libjpeg-turbo')
| -rw-r--r-- | main/libjpeg-turbo/0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch | 49 | ||||
| -rw-r--r-- | main/libjpeg-turbo/APKBUILD | 38 | ||||
| -rw-r--r-- | main/libjpeg-turbo/CVE-2018-11813.patch | 72 |
3 files changed, 17 insertions, 142 deletions
diff --git a/main/libjpeg-turbo/0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch b/main/libjpeg-turbo/0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch deleted file mode 100644 index f700d67cb1..0000000000 --- a/main/libjpeg-turbo/0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch +++ /dev/null @@ -1,49 +0,0 @@ -From f1322acf6cdc8c25db0075d7d32dc2f25ed9d477 Mon Sep 17 00:00:00 2001 -From: DRC <information@libjpeg-turbo.org> -Date: Tue, 12 Jun 2018 20:27:00 -0500 -Subject: [PATCH] rdbmp.c: Fix FPE triggered by malformed BMP - -In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound -when allocating the row buffer, because since BMP files have 32-bit -width and height fields, the value of biWidth can be up to 4294967295. -Specifically, high values of biWidth could cause the samplesperrow -argument in alloc_sarray() to wrap around to 0, triggering a division by -zero error at line 460 in jmemmgr.c, or to wrap around to a small -number, likely triggering a buffer overflow. - -This fix is not documented in the change log for this branch, because -the bug was exposed using the tjLoadImage() function in the 2.0.x -branch. However, it is posited that the issue could be triggered using -TJBench in this branch. ---- - rdbmp.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/rdbmp.c b/rdbmp.c -index eaa7086..6b73f7c 100644 ---- a/rdbmp.c -+++ b/rdbmp.c -@@ -6,7 +6,7 @@ - * Modified 2009-2010 by Guido Vollbeding. - * libjpeg-turbo Modifications: - * Modified 2011 by Siarhei Siamashka. -- * Copyright (C) 2015, D. R. Commander. -+ * Copyright (C) 2015, 2018, D. R. Commander. - * For conditions of distribution and use, see the accompanying README.ijg - * file. - * -@@ -434,6 +434,11 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo) - progress->total_extra_passes++; /* count file input as separate pass */ - } - -+ /* Ensure that biWidth * 3 doesn't exceed the maximum value of the -+ JDIMENSION type. This is only a danger with BMP files, since their width -+ and height fields are 32-bit integers. */ -+ if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL) -+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW); - /* Allocate one-row buffer for returned data */ - source->pub.buffer = (*cinfo->mem->alloc_sarray) - ((j_common_ptr) cinfo, JPOOL_IMAGE, --- -2.17.1 - diff --git a/main/libjpeg-turbo/APKBUILD b/main/libjpeg-turbo/APKBUILD index c1436da699..1ec516417b 100644 --- a/main/libjpeg-turbo/APKBUILD +++ b/main/libjpeg-turbo/APKBUILD @@ -1,20 +1,17 @@ # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libjpeg-turbo -pkgver=1.5.3 -pkgrel=4 +pkgver=2.0.2 +pkgrel=0 pkgdesc="accelerated baseline JPEG compression and decompression library" url="https://libjpeg-turbo.org/" arch="all" license="IJG" depends="" -makedepends="nasm" +makedepends="cmake nasm" replaces="libjpeg" subpackages="$pkgname-doc $pkgname-dev $pkgname-utils" -source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz - 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch - CVE-2018-11813.patch - " +source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz" # secfixes: # 1.5.3-r3: @@ -26,15 +23,17 @@ builddir="$srcdir"/libjpeg-turbo-$pkgver build() { cd "$builddir" - ./configure \ - --build=$CBUILD \ - --host=$CHOST \ - --prefix=/usr \ - --sysconfdir=/etc \ - --mandir=/usr/share/man \ - --infodir=/usr/share/info \ - --localstatedir=/var \ - --with-jpeg8 + if [ "$CBUILD" != "$CHOST" ]; then + CMAKE_CROSSOPTS="-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_HOST_SYSTEM_NAME=Linux" + fi + cmake \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_INSTALL_LIBDIR=/usr/lib \ + -DBUILD_SHARED_LIBS=True \ + -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_C_FLAGS="$CFLAGS" \ + -DWITH_JPEG8=1 \ + ${CMAKE_CROSSOPTS} make } @@ -45,8 +44,7 @@ check() { package() { cd "$builddir" - make -j1 DESTDIR="$pkgdir" docdir=/usr/share/doc/$pkgname \ - install + make -j1 DESTDIR="$pkgdir" install install -d "$pkgdir"/usr/share/licenses/$pkgname ln -s ../../doc/libjpeg-turbo/LICENSE.md "$pkgdir/usr/share/licenses/$pkgname" } @@ -68,6 +66,4 @@ dev() { replaces="jpeg-dev" } -sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz -d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch -d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch" +sha512sums="204b6d083e99488c975c75efb08699e4dc1c409556e4dee4f21e3ee67e9c6682eb342f2e5712816b0342c00399fbe6e43fbce30c3d22f30f7ef91db006b3be08 libjpeg-turbo-2.0.2.tar.gz" diff --git a/main/libjpeg-turbo/CVE-2018-11813.patch b/main/libjpeg-turbo/CVE-2018-11813.patch deleted file mode 100644 index 194a4f8e13..0000000000 --- a/main/libjpeg-turbo/CVE-2018-11813.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 19074854d9d8bc32dff3ed252eed17ed6cc2ecfc Mon Sep 17 00:00:00 2001 -From: DRC <information@libjpeg-turbo.org> -Date: Tue, 12 Jun 2018 16:08:26 -0500 -Subject: [PATCH] Fix CVE-2018-11813 - -Refer to change log for details. - -Fixes #242 ---- - ChangeLog.md | 14 ++++++++++++++ - rdtarga.c | 6 ++---- - 2 files changed, 16 insertions(+), 4 deletions(-) - -diff --git a/ChangeLog.md b/ChangeLog.md -index bf63eb2dc..3aa41d173 100644 ---- a/ChangeLog.md -+++ b/ChangeLog.md -@@ -24,6 +24,20 @@ an image was passed to `tjDecompressHeader3()`, `tjTransform()`, - `tjDecompressToYUVPlanes()`, `tjDecompressToYUV2()`, or the equivalent Java - methods. - -+5. Fixed an issue (CVE-2018-11813) whereby a specially-crafted malformed input -+file (specifically, a file with a valid Targa header but incomplete pixel data) -+would cause cjpeg to generate a JPEG file that was potentially thousands of -+times larger than the input file. The Targa reader in cjpeg was not properly -+detecting that the end of the input file had been reached prematurely, so after -+all valid pixels had been read from the input, the reader injected dummy pixels -+with values of 255 into the JPEG compressor until the number of pixels -+specified in the Targa header had been compressed. The Targa reader in cjpeg -+now behaves like the PPM reader and aborts compression if the end of the input -+file is reached prematurely. Because this issue only affected cjpeg and not -+the underlying library, and because it did not involve any out-of-bounds reads -+or other exploitable behaviors, it was not believed to represent a security -+threat. -+ - - 1.5.3 - ===== -diff --git a/rdtarga.c b/rdtarga.c -index b9bbd07cb..f874ece67 100644 ---- a/rdtarga.c -+++ b/rdtarga.c -@@ -125,11 +125,10 @@ METHODDEF(void) - read_non_rle_pixel (tga_source_ptr sinfo) - /* Read one Targa pixel from the input file; no RLE expansion */ - { -- register FILE *infile = sinfo->pub.input_file; - register int i; - - for (i = 0; i < sinfo->pixel_size; i++) { -- sinfo->tga_pixel[i] = (U_CHAR) getc(infile); -+ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo); - } - } - -@@ -138,7 +137,6 @@ METHODDEF(void) - read_rle_pixel (tga_source_ptr sinfo) - /* Read one Targa pixel from the input file, expanding RLE data as needed */ - { -- register FILE *infile = sinfo->pub.input_file; - register int i; - - /* Duplicate previously read pixel? */ -@@ -160,7 +158,7 @@ read_rle_pixel (tga_source_ptr sinfo) - - /* Read next pixel */ - for (i = 0; i < sinfo->pixel_size; i++) { -- sinfo->tga_pixel[i] = (U_CHAR) getc(infile); -+ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo); - } - } - |