diff --git a/SOURCES/libjpeg-turbo12-CVE-2016-3616_CVE-2018-11213_CVE-2018-11214.patch b/SOURCES/libjpeg-turbo12-CVE-2016-3616_CVE-2018-11213_CVE-2018-11214.patch
new file mode 100644
index 0000000..9dbe592
--- /dev/null
+++ b/SOURCES/libjpeg-turbo12-CVE-2016-3616_CVE-2018-11213_CVE-2018-11214.patch
@@ -0,0 +1,111 @@
+From 779fbd23c0297aa571a7e0c99e48c58f7c766d56 Mon Sep 17 00:00:00 2001
+From: Frank Bossen
+Date: Mon, 29 Dec 2014 19:42:20 +0100
+Subject: [PATCH 2/3] Check range of integer values in PPM text file
+
+Add checks to ensure values are within the specified range.
+
+Fixes mozilla/mozjpeg#141, closes #8
+---
+ cderror.h | 1 +
+ rdppm.c | 24 ++++++++++++++++--------
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/cderror.h b/cderror.h
+index e19c475..d69b501 100644
+--- a/cderror.h
++++ b/cderror.h
+@@ -74,6 +74,7 @@ JMESSAGE(JWRN_GIF_NOMOREDATA, "Ran out of GIF bits")
+ #ifdef PPM_SUPPORTED
+ JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")
+ JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")
++JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")
+ JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")
+ JMESSAGE(JTRC_PGM, "%ux%u PGM image")
+ JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")
+diff --git a/rdppm.c b/rdppm.c
+index a757022..5da1646 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -76,6 +76,7 @@ typedef struct {
+ JSAMPROW pixrow; /* FAR pointer to same */
+ size_t buffer_width; /* width of I/O buffer */
+ JSAMPLE *rescale; /* => maxval-remapping array, or NULL */
++ int maxval;
+ } ppm_source_struct;
+
+ typedef ppm_source_struct * ppm_source_ptr;
+@@ -99,7 +100,7 @@ pbm_getc (FILE * infile)
+
+
+ LOCAL(unsigned int)
+-read_pbm_integer (j_compress_ptr cinfo, FILE * infile)
++read_pbm_integer (j_compress_ptr cinfo, FILE * infile, int maxval)
+ /* Read an unsigned decimal integer from the PPM file */
+ /* Swallows one trailing character after the integer */
+ /* Note that on a 16-bit-int machine, only values up to 64k can be read. */
+@@ -123,6 +124,10 @@ read_pbm_integer (j_compress_ptr cinfo, FILE * infile)
+ val *= 10;
+ val += ch - '0';
+ }
++
++ if (val > maxval)
++ ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++
+ return val;
+ }
+
+@@ -147,10 +152,11 @@ get_text_gray_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ register JSAMPROW ptr;
+ register JSAMPLE *rescale = source->rescale;
+ JDIMENSION col;
++ int maxval = source->maxval;
+
+ ptr = source->pub.buffer[0];
+ for (col = cinfo->image_width; col > 0; col--) {
+- *ptr++ = rescale[read_pbm_integer(cinfo, infile)];
++ *ptr++ = rescale[read_pbm_integer(cinfo, infile, maxval)];
+ }
+ return 1;
+ }
+@@ -165,12 +171,13 @@ get_text_rgb_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ register JSAMPROW ptr;
+ register JSAMPLE *rescale = source->rescale;
+ JDIMENSION col;
++ int maxval = source->maxval;
+
+ ptr = source->pub.buffer[0];
+ for (col = cinfo->image_width; col > 0; col--) {
+- *ptr++ = rescale[read_pbm_integer(cinfo, infile)];
+- *ptr++ = rescale[read_pbm_integer(cinfo, infile)];
+- *ptr++ = rescale[read_pbm_integer(cinfo, infile)];
++ *ptr++ = rescale[read_pbm_integer(cinfo, infile, maxval)];
++ *ptr++ = rescale[read_pbm_integer(cinfo, infile, maxval)];
++ *ptr++ = rescale[read_pbm_integer(cinfo, infile, maxval)];
+ }
+ return 1;
+ }
+@@ -319,9 +326,9 @@ start_input_ppm (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ }
+
+ /* fetch the remaining header info */
+- w = read_pbm_integer(cinfo, source->pub.input_file);
+- h = read_pbm_integer(cinfo, source->pub.input_file);
+- maxval = read_pbm_integer(cinfo, source->pub.input_file);
++ w = read_pbm_integer(cinfo, source->pub.input_file, 65535);
++ h = read_pbm_integer(cinfo, source->pub.input_file, 65535);
++ maxval = read_pbm_integer(cinfo, source->pub.input_file, 65535);
+
+ if (w <= 0 || h <= 0 || maxval <= 0) /* error check */
+ ERREXIT(cinfo, JERR_PPM_NOT);
+@@ -329,6 +336,7 @@ start_input_ppm (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ cinfo->data_precision = BITS_IN_JSAMPLE; /* we always rescale data to this */
+ cinfo->image_width = (JDIMENSION) w;
+ cinfo->image_height = (JDIMENSION) h;
++ source->maxval = maxval;
+
+ /* initialize flags to most common settings */
+ need_iobuffer = TRUE; /* do we need an I/O buffer? */
+--
+2.17.2
+
diff --git a/SOURCES/libjpeg-turbo12-CVE-2018-11212.patch b/SOURCES/libjpeg-turbo12-CVE-2018-11212.patch
new file mode 100644
index 0000000..f22ad12
--- /dev/null
+++ b/SOURCES/libjpeg-turbo12-CVE-2018-11212.patch
@@ -0,0 +1,29 @@
+From 7dab681ec8e28c3174d00729b76f109e91e408f9 Mon Sep 17 00:00:00 2001
+From: Frank Bossen
+Date: Mon, 29 Dec 2014 18:38:36 +0100
+Subject: [PATCH 1/3] Check image size when reading targa file
+
+Throw an error when image width or height is 0.
+
+Fixes mozilla/mozjpeg#140, closes #7.
+---
+ rdtarga.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/rdtarga.c b/rdtarga.c
+index 4c2cd26..d305f1f 100644
+--- a/rdtarga.c
++++ b/rdtarga.c
+@@ -363,7 +363,8 @@ start_input_tga (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ if (cmaptype > 1 || /* cmaptype must be 0 or 1 */
+ source->pixel_size < 1 || source->pixel_size > 4 ||
+ (UCH(targaheader[16]) & 7) != 0 || /* bits/pixel must be multiple of 8 */
+- interlace_type != 0) /* currently don't allow interlaced image */
++ interlace_type != 0 || /* currently don't allow interlaced image */
++ width == 0 || height == 0) /* image width/height must be non-zero */
+ ERREXIT(cinfo, JERR_TGA_BADPARMS);
+
+ if (subtype > 8) {
+--
+2.17.2
+
diff --git a/SOURCES/libjpeg-turbo12-CVE-2018-11813.patch b/SOURCES/libjpeg-turbo12-CVE-2018-11813.patch
new file mode 100644
index 0000000..44d23a9
--- /dev/null
+++ b/SOURCES/libjpeg-turbo12-CVE-2018-11813.patch
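Review bot: The range check added to `read_pbm_integer` runs only after the digit loop has finished, so a sufficiently long run of digits can wrap `val` (declared outside the hunk; the function's return type is `unsigned int`) back below `maxval` before the comparison sees it, and the wrapped value would be accepted. Moving the two added lines `if (val > maxval)` / `ERREXIT(cinfo, JERR_PPM_TOOLARGE);` inside the `while` body, directly after `val += ch - '0';`, rejects the value as soon as it exceeds `maxval` and bounds `val` to at most `10 * maxval + 9` at any point. The comparison also mixes the unsigned `val` with the `int maxval` parameter; declaring the parameter `unsigned int maxval` avoids the implicit conversion. The body of `read_pbm_integer` begins outside the hunk.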
@@ -0,0 +1,49 @@
+From fbdaee2d3ef393d67386c1a07a9b71f6b6ef3b25 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 12 Jun 2018 16:08:26 -0500
+Subject: [PATCH 3/3] Fix CVE-2018-11813
+
+Refer to change log for details.
+
+Fixes #242
+---
+ rdtarga.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/rdtarga.c b/rdtarga.c
+index d305f1f..459e8b3 100644
+--- a/rdtarga.c
++++ b/rdtarga.c
+@@ -123,11 +123,10 @@ METHODDEF(void)
+ read_non_rle_pixel (tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file; no RLE expansion */
+ {
+- register FILE *infile = sinfo->pub.input_file;
+ register int i;
+
+ for (i = 0; i < sinfo->pixel_size; i++) {
+- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
++ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
+ }
+ }
+
+@@ -136,7 +135,6 @@ METHODDEF(void)
+ read_rle_pixel (tga_source_ptr sinfo)
+ /* Read one Targa pixel from the input file, expanding RLE data as needed */
+ {
+- register FILE *infile = sinfo->pub.input_file;
+ register int i;
+
+ /* Duplicate previously read pixel? */
+@@ -158,7 +156,7 @@ read_rle_pixel (tga_source_ptr sinfo)
+
+ /* Read next pixel */
+ for (i = 0; i < sinfo->pixel_size; i++) {
+- sinfo->tga_pixel[i] = (U_CHAR) getc(infile);
++ sinfo->tga_pixel[i] = (U_CHAR) read_byte(sinfo);
+ }
+ }
+
+--
+2.17.2
+
diff --git a/SOURCES/libjpeg-turbo12-CVE-2018-14498.patch b/SOURCES/libjpeg-turbo12-CVE-2018-14498.patch
new file mode 100644
index 0000000..d2bdda3
--- /dev/null
+++ b/SOURCES/libjpeg-turbo12-CVE-2018-14498.patch
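Review bot: The new `read_byte(sinfo)` calls in `read_non_rle_pixel` and `read_rle_pixel` depend on a helper that is neither defined nor declared anywhere in this patch, so the change only builds if the rdtarga.c this spec patches already provides `read_byte` (presumably the existing reader that checks for premature EOF, which is what makes the replacement of the unchecked `getc` return meaningful). That is worth confirming against the 1.2.90 tree before relying on the patch, since a missing helper turns the fix into a build failure rather than an error exit. The `(U_CHAR)` casts are kept, so the stored bytes are unchanged when input is well-formed. Both function bodies continue outside the hunks shown.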
@@ -0,0 +1,121 @@
+From c51b66ebcace2adec0cfbe42d25cb418ed0c02a2 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Fri, 20 Jul 2018 17:21:36 -0500
+Subject: [PATCH] cjpeg: Fix OOB read caused by malformed 8-bit BMP
+
+... in which one or more of the color indices is out of range for the
+number of palette entries.
+
+Fix partly borrowed from jpeg-9c. This commit also adopts Guido's
+JERR_PPM_OUTOFRANGE enum value in lieu of our project-specific
+JERR_PPM_TOOLARGE enum value.
+
+Fixes #258
+---
+ cderror.h | 5 +++--
+ rdbmp.c | 7 ++++++-
+ rdppm.c | 4 ++--
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/cderror.h b/cderror.h
+index d69b501..46b0f49 100644
+--- a/cderror.h
++++ b/cderror.h
+@@ -2,7 +2,7 @@
+ * cderror.h
+ *
+ * Copyright (C) 1994-1997, Thomas G. Lane.
+- * Modified 2009 by Guido Vollbeding.
++ * Modified 2009-2017 by Guido Vollbeding.
+ * This file is part of the Independent JPEG Group's software.
+ * For conditions of distribution and use, see the accompanying README file.
+ *
+@@ -48,6 +48,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB")
+ JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
+ JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
+ JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
++JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file")
+ JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
+ JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
+ JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")
+@@ -74,8 +75,8 @@ JMESSAGE(JWRN_GIF_NOMOREDATA, "Ran out of GIF bits")
+ #ifdef PPM_SUPPORTED
+ JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")
+ JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")
+-JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")
+ JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")
++JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file")
+ JMESSAGE(JTRC_PGM, "%ux%u PGM image")
+ JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")
+ JMESSAGE(JTRC_PPM, "%ux%u PPM image")
+diff --git a/rdbmp.c b/rdbmp.c
+index c053074..7a27cab 100644
+--- a/rdbmp.c
++++ b/rdbmp.c
+@@ -3,7 +3,7 @@
+ *
+ * This file was part of the Independent JPEG Group's software:
+ * Copyright (C) 1994-1996, Thomas G. Lane.
+- * Modified 2009-2010 by Guido Vollbeding.
++ * Modified 2009-2017 by Guido Vollbeding.
+ * Modifications:
+ * Modified 2011 by Siarhei Siamashka.
+ * For conditions of distribution and use, see the accompanying README file.
+@@ -64,6 +64,7 @@ typedef struct _bmp_source_struct {
+ JDIMENSION row_width; /* Physical width of scanlines in file */
+
+ int bits_per_pixel; /* remembers 8- or 24-bit format */
++ int cmap_length; /* colormap length */
+ } bmp_source_struct;
+
+
+@@ -124,6 +125,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ {
+ bmp_source_ptr source = (bmp_source_ptr) sinfo;
+ register JSAMPARRAY colormap = source->colormap;
++ int cmaplen = source->cmap_length;
+ JSAMPARRAY image_ptr;
+ register int t;
+ register JSAMPROW inptr, outptr;
+@@ -140,6 +142,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ outptr = source->pub.buffer[0];
+ for (col = cinfo->image_width; col > 0; col--) {
+ t = GETJSAMPLE(*inptr++);
++ if (t >= cmaplen)
++ ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);
+ *outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */
+ *outptr++ = colormap[1][t];
+ *outptr++ = colormap[2][t];
+@@ -399,6 +403,7 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ source->colormap = (*cinfo->mem->alloc_sarray)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
+ (JDIMENSION) biClrUsed, (JDIMENSION) 3);
++ source->cmap_length = (int)biClrUsed;
+ /* and read it from the file */
+ read_colormap(source, (int) biClrUsed, mapentrysize);
+ /* account for size of colormap */
+diff --git a/rdppm.c b/rdppm.c
+index 5da1646..59da2bb 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -76,7 +76,7 @@ typedef struct {
+ JSAMPROW pixrow; /* FAR pointer to same */
+ size_t buffer_width; /* width of I/O buffer */
+ JSAMPLE *rescale; /* => maxval-remapping array, or NULL */
+- int maxval;
++ unsigned int maxval;
+ } ppm_source_struct;
+
+ typedef ppm_source_struct * ppm_source_ptr;
+@@ -126,7 +126,7 @@ read_pbm_integer (j_compress_ptr cinfo, FILE * infile, int maxval)
+ }
+
+ if (val > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+
+ return val;
+ }
+--
+2.17.2
+
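Review bot: The `ppm_source_struct.maxval` field is changed to `unsigned int`, yet the `read_pbm_integer` signature visible in the last hunk header still takes `int maxval`, so the value is converted to signed at every call site and straight back to unsigned in the `val > maxval` comparison; the patch leaves the type inconsistent across the two declarations. Changing the parameter to match, `read_pbm_integer (j_compress_ptr cinfo, FILE * infile, unsigned int maxval)`, keeps one type end to end and removes the mixed-sign comparison. In `get_8bit_row` the `t >= cmaplen` guard correctly bounds the palette index, but `cmap_length` is assigned only on the colormap-allocating path of `start_input_bmp` shown here; if any other path in rdbmp.c can reach `get_8bit_row`, the field would be read uninitialized, which is worth confirming. The `read_pbm_integer` call sites in `get_text_gray_row` and `get_text_rgb_row` are outside this patch.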
diff --git a/SPECS/libjpeg-turbo.spec b/SPECS/libjpeg-turbo.spec index 3473f19..92ccfe8 100644 --- a/SPECS/libjpeg-turbo.spec +++ b/SPECS/libjpeg-turbo.spec @@ -1,6 +1,6 @@ Name: libjpeg-turbo Version: 1.2.90 -Release: 6%{?dist} +Release: 8%{?dist} Summary: A MMX/SSE2 accelerated library for manipulating JPEG image files Group: System Environment/Libraries @@ -28,6 +28,10 @@ Patch0: libjpeg-turbo12-noinst.patch Patch1: libjpeg-turbo12-CVE-2013-6630.patch Patch2: libjpeg-turbo12-CVE-2013-6629.patch Patch3: libjpeg-turbo12-pkgconfig.patch +Patch4: libjpeg-turbo12-CVE-2018-11212.patch +Patch5: libjpeg-turbo12-CVE-2016-3616_CVE-2018-11213_CVE-2018-11214.patch +Patch6: libjpeg-turbo12-CVE-2018-11813.patch +Patch7: libjpeg-turbo12-CVE-2018-14498.patch %description The libjpeg-turbo package contains a library of functions for manipulating @@ -98,6 +102,10 @@ will manipulate JPEG files using the TurboJPEG library. %patch1 -p1 -b .CVE-2013-6630 %patch2 -p1 -b .CVE-2013-6629 %patch3 -p1 -b .pkgconfig +%patch4 -p1 -b .CVE-2018-11212 +%patch5 -p1 -b .CVE-2016-3616_CVE-2018-11213_CVE-2018-11214 +%patch6 -p1 -b .CVE-2018-11813 +%patch7 -p1 -b .CVE-2018-14498 %build autoreconf -fiv @@ -173,6 +181,15 @@ make test %{_libdir}/pkgconfig/libturbojpeg.pc %changelog +* Wed Mar 20 2019 Nikola Forró - 1.2.90-8 +- Fix CVE-2018-14498 (#1687475) + +* Thu Dec 06 2018 Nikola Forró - 1.2.90-7 +- Fix CVE-2018-11212 (#1586062) +- Fix CVE-2016-3616 (#1318509), CVE-2018-11213 (#1589091) + and CVE-2018-11214 (#1589110) +- Fix CVE-2018-11813 (#1591203) + * Thu May 24 2018 Nikola Forró - 1.2.90-6 - Add pkgconfig scripts (#1581687)