diff --git a/SOURCES/jbigkit-2.0-CVE-2013-6369.patch b/SOURCES/jbigkit-2.0-CVE-2013-6369.patch
new file mode 100644
index 0000000..031fe3f
--- /dev/null
+++ b/SOURCES/jbigkit-2.0-CVE-2013-6369.patch
@@ -0,0 +1,113 @@
+From 377085a7fd41e01c0c1ad5d1c1f90b59e8257593
+From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
+Subject: [PATCH] Fix two DPPRIV buffer overflows and a bug
+
+* jbig.c:jbg_dec_in(): when a BIE with option DPPRIV=1 was received,
+ the included private DP table (1728 bytes) was loaded into
+ 20-byte array s->buffer, creating a buffer overflow vulnerability.
+ It is now loaded instead into a malloc'ed temporary buffer.
+
+* jbig.c:jbg_dec_in(): buffer allocated for internal representation
+ of private DP table was 1728 bytes long, but must be 6912 bytes long,
+ creating another buffer overflow vulnerability.
+
+* jbig.c: a loop in the routines for converting between the internal and
+ external representations of a DP table terminated earlier than intended.
+ As a result, a private DP table provided to the decoder was not
+ interpreted correctly. Likewise, if a user asked the encoder to output
+ its standard DP table (which is only useful for testing), the result
+ would have been incorrect.
+
+* tstcodec.c: test case for DPPRIV=1 added.
+
+The buffer overflow vulnerability was reported by Florian Weimer (Red Hat)
+and has been assigned CVE-2013-6369.
+
+None of these fixes should affect ABI compatibility; jbig.h remains unchanged.
+
+All past releases of jbig.c are believed to be affected.
+The jbig85.c lightwight implementation was not affected.
+---
+ libjbig/jbig.c | 16 ++++++++++------
+ libjbig/tstcodec.c | 11 ++++++++---
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/libjbig/jbig.c b/libjbig/jbig.c
+index f3c35cc..48fc128 100644
+--- a/libjbig/jbig.c
++++ b/libjbig/jbig.c
+@@ -1738,7 +1738,7 @@ void jbg_int2dppriv(unsigned char *dptable, const char *internal)
+ #define FILL_TABLE1(offset, len, trans) \
+ for (i = 0; i < len; i++) { \
+ k = 0; \
+- for (j = 0; j < 8; j++) \
++ for (j = 0; i >> j; j++) \
+ k |= ((i >> j) & 1) << trans[j]; \
+ dptable[(i + offset) >> 2] |= \
+ (internal[k + offset] & 3) << ((3 - (i&3)) << 1); \
+@@ -1769,7 +1769,7 @@ void jbg_dppriv2int(char *internal, const unsigned char *dptable)
+ #define FILL_TABLE2(offset, len, trans) \
+ for (i = 0; i < len; i++) { \
+ k = 0; \
+- for (j = 0; j < 8; j++) \
++ for (j = 0; i >> j; j++) \
+ k |= ((i >> j) & 1) << trans[j]; \
+ internal[k + offset] = \
+ (dptable[(i + offset) >> 2] >> ((3 - (i & 3)) << 1)) & 3; \
+@@ -2574,6 +2574,7 @@ int jbg_dec_in(struct jbg_dec_state *s, unsigned char *data, size_t len,
+ unsigned long x, y;
+ unsigned long is[3], ie[3];
+ size_t dummy_cnt;
++ unsigned char *dppriv;
+
+ if (!cnt) cnt = &dummy_cnt;
+ *cnt = 0;
+@@ -2711,13 +2712,16 @@ int jbg_dec_in(struct jbg_dec_state *s, unsigned char *data, size_t len,
+ (s->options & (JBG_DPON | JBG_DPPRIV | JBG_DPLAST)) ==
+ (JBG_DPON | JBG_DPPRIV)) {
+ assert(s->bie_len >= 20);
++ if (!s->dppriv || s->dppriv == jbg_dptable)
++ s->dppriv = (char *) checked_malloc(1728, sizeof(char));
+ while (s->bie_len < 20 + 1728 && *cnt < len)
+- s->buffer[s->bie_len++ - 20] = data[(*cnt)++];
++ s->dppriv[s->bie_len++ - 20] = data[(*cnt)++];
+ if (s->bie_len < 20 + 1728)
+ return JBG_EAGAIN;
+- if (!s->dppriv || s->dppriv == jbg_dptable)
+- s->dppriv = (char *) checked_malloc(1728, sizeof(char));
+- jbg_dppriv2int(s->dppriv, s->buffer);
++ dppriv = s->dppriv;
++ s->dppriv = (char *) checked_malloc(6912, sizeof(char));
++ jbg_dppriv2int(s->dppriv, dppriv);
++ checked_free(dppriv);
+ }
+
+ /*
+diff --git a/libjbig/tstcodec.c b/libjbig/tstcodec.c
+index 44bae57..6289748 100644
+--- a/libjbig/tstcodec.c
++++ b/libjbig/tstcodec.c
+@@ -483,11 +483,16 @@ int main(int argc, char **argv)
+ problems += test_cycle(&pp, 1960, 1951,
+ JBG_DELAY_AT | JBG_TPBON | JBG_TPDON | JBG_DPON,
+ 0, 6, 1, 2, 8, 279314L, "3.4");
+-#if 0
+- puts("Test 3.5: as Test 3.4 but with order bit SEQ set");
++ puts("Test 3.5: as Test 3.4 but with DPPRIV=1");
++ problems += test_cycle(&pp, 1960, 1951,
++ JBG_DELAY_AT | JBG_TPBON | JBG_TPDON | JBG_DPON |
++ JBG_DPPRIV,
++ 0, 6, 1, 2, 8, 279314L + 1728, "3.5");
++#if 0 /* Note: option SEQ is currently not supported by the decoder */
++ puts("Test 3.6: as Test 3.4 but with order bit SEQ set");
+ problems += test_cycle(&pp, 1960, 1951,
+ JBG_DELAY_AT | JBG_TPBON | JBG_TPDON | JBG_DPON,
+- JBG_SEQ, 6, 1, 2, 8, 279314L, "3.5");
++ JBG_SEQ, 6, 1, 2, 8, 279314L, "3.6");
+ #endif
+ #endif
+
+--
+1.7.9.5
+
+
diff --git a/SPECS/jbigkit.spec b/SPECS/jbigkit.spec
index 9fb6312..ba90f98 100644
--- a/SPECS/jbigkit.spec
+++ b/SPECS/jbigkit.spec
@@ -1,6 +1,6 @@
Name: jbigkit
Version: 2.0
-Release: 8%{?dist}
+Release: 11%{?dist}
Summary: JBIG1 lossless image compression tools
Group: Development/Libraries
@@ -9,6 +9,7 @@ URL: http://www.cl.cam.ac.uk/~mgk25/jbigkit/
Source0: http://www.cl.cam.ac.uk/~mgk25/download/jbigkit-%{version}.tar.gz
Patch0: jbigkit-2.0-shlib.patch
Patch1: jbigkit-2.0-warnings.patch
+Patch2: jbigkit-2.0-CVE-2013-6369.patch
%package libs
Summary: JBIG1 lossless image compression library
@@ -46,6 +47,7 @@ formats.
%setup -q -n jbigkit
%patch0 -p1 -b .shlib
%patch1 -p1 -b .warnings
+%patch2 -p1 -b .CVE-2013-6369
%build
make %{?_smp_mflags} CCFLAGS="$RPM_OPT_FLAGS"
@@ -90,6 +92,15 @@ make test
%{_includedir}/jbig*.h
%changelog
+* Wed Apr 02 2014 Jiri Popelka <jpopelka@redhat.com> - 2.0-11
+- CVE-2013-6369 (#1083412)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.0-10
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.0-9
+- Mass rebuild 2013-12-27
+
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild