libjpeg-turbo-soname8: Fix for CVE-2019-2201

libjpeg-turbo/libjpeg-turbo#388 Minor backport of: libjpeg-turbo/libjpeg-turbo@c30b1e7 "64-bit tjbench: Fix signed int overflow/segfault that occurred when attempting to decompress images with more than 715827882 (2048*1024*1024 / 3) pixels." CVEs fixed in this build: CVE-2019-2201
clearlinux-pkgs · Nov 12, 2019 · 39828c3 · 39828c3
1 parent 2a42842
commit 39828c3
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 11 deletions.
diff --git a/CVE-2019-2201.patch b/CVE-2019-2201.patch
@@ -0,0 +1,54 @@
+From 6548377e7ed7653e555dac0b9faa4152b00ecbaf Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 12 Nov 2019 12:11:54 -0800
+Subject: [PATCH] 64-bit tjbench: Fix signed int overflow/segfault
+
+... that occurred when attempting to decompress images with more than
+715827882 (2048*1024*1024 / 3) pixels.
+
+Fixes #388
+---
+ ChangeLog.md | 4 ++++
+ tjbench.c    | 4 ++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index f5fe44b..4e501c5 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -41,6 +41,10 @@ end of a single-scan (non-progressive) image, subsequent calls to
+ JPEG images that were compressed with a sampling factor other than 1 (for
+ instance, with `cjpeg -grayscale -sample 2x2`).
+
++2. Fixed a signed integer overflow and subsequent segfault that occurred when
++attempting to decompress images with more than 715827882 pixels using the
++64-bit C version of TJBench.
++
+
+ 1.5.2
+ =====
+diff --git a/tjbench.c b/tjbench.c
+index 76b61cd..393c014 100644
+--- a/tjbench.c
++++ b/tjbench.c
+@@ -133,7 +133,7 @@ int decomp(unsigned char *srcbuf, unsigned char **jpegbuf,
+ 	}
+ 	/* Set the destination buffer to gray so we know whether the decompressor
+ 	   attempted to write to it */
+-	memset(dstbuf, 127, pitch*scaledh);
++	memset(dstbuf, 127, (size_t)pitch * scaledh);
+
+ 	if(doyuv)
+ 	{
+@@ -152,7 +152,7 @@ int decomp(unsigned char *srcbuf, unsigned char **jpegbuf,
+ 	{
+ 		int tile=0;
+ 		double start=gettime();
+-		for(row=0, dstptr=dstbuf; row<ntilesh; row++, dstptr+=pitch*tileh)
++		for(row=0, dstptr=dstbuf; row<ntilesh; row++, dstptr+=(size_t)pitch*tileh)
+ 		{
+ 			for(col=0, dstptr2=dstptr; col<ntilesw; col++, tile++, dstptr2+=ps*tilew)
+ 			{
+-- 
+2.24.0
+
diff --git a/libjpeg-turbo-soname8.spec b/libjpeg-turbo-soname8.spec
@@ -6,7 +6,7 @@
 #
 Name     : libjpeg-turbo-soname8
 Version  : 1.5.3
-Release  : 46
+Release  : 47
 URL      : https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-1.5.3.tar.gz
 Source0  : https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-1.5.3.tar.gz
 Source1 : https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-1.5.3.tar.gz.sig
@@ -25,6 +25,7 @@ BuildRequires : nasm
 BuildRequires : yasm
 Patch1: cve-2017-15232.patch
 Patch2: CVE-2018-14498.patch
+Patch3: CVE-2019-2201.patch
 
 %description
 TurboJPEG Java Wrapper
@@ -66,8 +67,10 @@ license components for the libjpeg-turbo-soname8 package.
 
 %prep
 %setup -q -n libjpeg-turbo-1.5.3
+cd %{_builddir}/libjpeg-turbo-1.5.3
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 pushd ..
 cp -a libjpeg-turbo-1.5.3 build32
 popd
@@ -80,7 +83,7 @@ export http_proxy=http://127.0.0.1:9/
 export https_proxy=http://127.0.0.1:9/
 export no_proxy=localhost,127.0.0.1,0.0.0.0
 export LANG=C.UTF-8
-export SOURCE_DATE_EPOCH=1567802846
+export SOURCE_DATE_EPOCH=1573589789
 export GCC_IGNORE_WERROR=1
 export AR=gcc-ar
 export RANLIB=gcc-ranlib
@@ -93,16 +96,18 @@ export CFLAGS_GENERATE="$CFLAGS -fprofile-generate -fprofile-dir=/var/tmp/pgo -f
 export FCFLAGS_GENERATE="$FCFLAGS -fprofile-generate -fprofile-dir=/var/tmp/pgo -fprofile-update=atomic "
 export FFLAGS_GENERATE="$FFLAGS -fprofile-generate -fprofile-dir=/var/tmp/pgo -fprofile-update=atomic "
 export CXXFLAGS_GENERATE="$CXXFLAGS -fprofile-generate -fprofile-dir=/var/tmp/pgo -fprofile-update=atomic "
+export LDFLAGS_GENERATE="$LDFLAGS -fprofile-generate -fprofile-dir=/var/tmp/pgo -fprofile-update=atomic "
 export CFLAGS_USE="$CFLAGS -fprofile-use -fprofile-dir=/var/tmp/pgo -fprofile-correction "
 export FCFLAGS_USE="$FCFLAGS -fprofile-use -fprofile-dir=/var/tmp/pgo -fprofile-correction "
 export FFLAGS_USE="$FFLAGS -fprofile-use -fprofile-dir=/var/tmp/pgo -fprofile-correction "
 export CXXFLAGS_USE="$CXXFLAGS -fprofile-use -fprofile-dir=/var/tmp/pgo -fprofile-correction "
-CFLAGS="${CFLAGS_GENERATE}" CXXFLAGS="${CXXFLAGS_GENERATE}" FFLAGS="${FFLAGS_GENERATE}" FCFLAGS="${FCFLAGS_GENERATE}" %configure --disable-static --with-jpeg8
+export LDFLAGS_USE="$LDFLAGS -fprofile-use -fprofile-dir=/var/tmp/pgo -fprofile-correction "
+CFLAGS="${CFLAGS_GENERATE}" CXXFLAGS="${CXXFLAGS_GENERATE}" FFLAGS="${FFLAGS_GENERATE}" FCFLAGS="${FCFLAGS_GENERATE}" LDFLAGS="${LDFLAGS_GENERATE}" %configure --disable-static --with-jpeg8
 make  %{?_smp_mflags}
 
 ./tjbench testimages/testimgint.jpg
 make clean
-CFLAGS="${CFLAGS_USE}" CXXFLAGS="${CXXFLAGS_USE}" FFLAGS="${FFLAGS_USE}" FCFLAGS="${FCFLAGS_USE}" %configure --disable-static --with-jpeg8
+CFLAGS="${CFLAGS_USE}" CXXFLAGS="${CXXFLAGS_USE}" FFLAGS="${FFLAGS_USE}" FCFLAGS="${FCFLAGS_USE}" LDFLAGS="${LDFLAGS_USE}" %configure --disable-static --with-jpeg8
 make  %{?_smp_mflags}
 
 pushd ../build32/
@@ -134,11 +139,11 @@ cd ../buildavx2;
 make VERBOSE=1 V=1 %{?_smp_mflags} check || :
 
 %install
-export SOURCE_DATE_EPOCH=1567802846
+export SOURCE_DATE_EPOCH=1573589789
 rm -rf %{buildroot}
 mkdir -p %{buildroot}/usr/share/package-licenses/libjpeg-turbo-soname8
-cp LICENSE.md %{buildroot}/usr/share/package-licenses/libjpeg-turbo-soname8/LICENSE.md
-cp release/License.rtf %{buildroot}/usr/share/package-licenses/libjpeg-turbo-soname8/release_License.rtf
+cp %{_builddir}/libjpeg-turbo-1.5.3/LICENSE.md %{buildroot}/usr/share/package-licenses/libjpeg-turbo-soname8/7b111516fb0f6aa2063908e9098aa5727200abf3
+cp %{_builddir}/libjpeg-turbo-1.5.3/release/License.rtf %{buildroot}/usr/share/package-licenses/libjpeg-turbo-soname8/f0b17b88210d4efef996d99421683315b8ded689
 pushd ../build32/
 %make_install32
 if [ -d  %{buildroot}/usr/lib32/pkgconfig ]
@@ -225,5 +230,5 @@ rm -rf %{buildroot}/usr/lib64/libturbojpeg.so.0*
 
 %files license
 %defattr(0644,root,root,0755)
-/usr/share/package-licenses/libjpeg-turbo-soname8/LICENSE.md
-/usr/share/package-licenses/libjpeg-turbo-soname8/release_License.rtf
+/usr/share/package-licenses/libjpeg-turbo-soname8/7b111516fb0f6aa2063908e9098aa5727200abf3
+/usr/share/package-licenses/libjpeg-turbo-soname8/f0b17b88210d4efef996d99421683315b8ded689
diff --git a/options.conf b/options.conf
@@ -3,6 +3,7 @@ name = libjpeg-turbo-soname8
 url = https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-1.5.3.tar.gz
 archives = 
 giturl = 
+domain = 
 
 [autospec]
 # build 32 bit libraries
@@ -17,7 +18,7 @@ autoupdate = false
 broken_c++ = false
 # disable parallelization during build
 broken_parallel_build = false
-# this package is a library compatability package and only ships versioned library files
+# this package is a library compatibility package and only ships versioned library files
 compat = false
 # set conservative build flags
 conservative_flags = false

diff --git a/release b/release
@@ -1 +1 @@
-46
+47
diff --git a/series b/series
@@ -1,2 +1,3 @@
 cve-2017-15232.patch
 CVE-2018-14498.patch
+CVE-2019-2201.patch