From d2d65365ec3ef6a61ba9299d5fdf8cc82491126c Mon Sep 17 00:00:00 2001
From: Zhao Hang
Date: Mon, 15 May 2023 16:22:25 +0800
Subject: [PATCH 1/2] update to libjpeg-turbo-2.0.90-6.el9_1

Signed-off-by: Zhao Hang
---
 dist | 1 +
 libjpeg-turbo-CVE-2021-46822.patch | 108 +++++++++++++++++++++++++++++
 libjpeg-turbo.spec | 12 ++--
 3 files changed, 114 insertions(+), 7 deletions(-)
 create mode 100644 dist
 create mode 100644 libjpeg-turbo-CVE-2021-46822.patch

diff --git a/dist b/dist
new file mode 100644
index 0000000..dbbfc02
--- /dev/null
+++ b/dist
@@ -0,0 +1 @@
+an9_1
diff --git a/libjpeg-turbo-CVE-2021-46822.patch b/libjpeg-turbo-CVE-2021-46822.patch
new file mode 100644
index 0000000..e019ed3
--- /dev/null
+++ b/libjpeg-turbo-CVE-2021-46822.patch
@@ -0,0 +1,108 @@
+From f35fd27ec641c42d6b115bfa595e483ec58188d2 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Tue, 6 Apr 2021 12:51:03 -0500
+Subject: [PATCH] tjLoadImage: Fix issues w/loading 16-bit PPMs/PGMs
+
+- The PPM reader now throws an error rather than segfaulting (due to a
+ buffer overrun) if an application attempts to load a 16-bit PPM file
+ into a grayscale uncompressed image buffer. No known applications
+ allowed that (not even the test applications in libjpeg-turbo),
+ because that mode of operation was never expected to work and did not
+ work under any circumstances. (In fact, it was necessary to modify
+ TJBench in order to reproduce the issue outside of a fuzzing
+ environment.) This was purely a matter of making the library bow out
+ gracefully rather than crash if an application tries to do something
+ really stupid.
+
+- The PPM reader now throws an error rather than generating incorrect
+ pixels if an application attempts to load a 16-bit PGM file into an
+ RGB uncompressed image buffer.
+
+- The PPM reader now correctly loads 16-bit PPM files into extended
+ RGB uncompressed image buffers. (Previously it generated incorrect
+ pixels unless the input colorspace was JCS_RGB or JCS_EXT_RGB.)
+
+The only way that users could have potentially encountered these issues
+was through the tjLoadImage() function. cjpeg and TJBench were
+unaffected.
+---
+ ChangeLog.md | 10 ++++++++++
+ rdppm.c | 26 ++++++++++++++++++++------
+ 2 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/rdppm.c b/rdppm.c
+index c4c937e8..6ac8fdbf 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1991-1997, Thomas G. Lane.
+ * Modified 2009 by Bill Allombert, Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, 2020, D. R. Commander.
++ * Copyright (C) 2015-2017, 2020-2021, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ register JSAMPLE *rescale = source->rescale;
+ JDIMENSION col;
+ unsigned int maxval = source->maxval;
++ register int rindex = rgb_red[cinfo->in_color_space];
++ register int gindex = rgb_green[cinfo->in_color_space];
++ register int bindex = rgb_blue[cinfo->in_color_space];
++ register int aindex = alpha_index[cinfo->in_color_space];
++ register int ps = rgb_pixelsize[cinfo->in_color_space];
+
+ if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
+ ERREXIT(cinfo, JERR_INPUT_EOF);
+@@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[rindex] = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[gindex] = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[bindex] = rescale[temp];
++ if (aindex >= 0)
++ ptr[aindex] = 0xFF;
++ ptr += ps;
+ }
+ return 1;
+ }
+@@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ cinfo->in_color_space = JCS_GRAYSCALE;
+ TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
+ if (maxval > 255) {
+- source->pub.get_pixel_rows = get_word_gray_row;
++ if (cinfo->in_color_space == JCS_GRAYSCALE)
++ source->pub.get_pixel_rows = get_word_gray_row;
++ else
++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+ } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+ cinfo->in_color_space == JCS_GRAYSCALE) {
+ source->pub.get_pixel_rows = get_raw_row;
+@@ -647,7 +658,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ cinfo->in_color_space = JCS_EXT_RGB;
+ TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
+ if (maxval > 255) {
+- source->pub.get_pixel_rows = get_word_rgb_row;
++ if (IsExtRGB(cinfo->in_color_space))
++ source->pub.get_pixel_rows = get_word_rgb_row;
++ else
++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+ } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+ #if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3
+ (cinfo->in_color_space == JCS_EXT_RGB ||
+--
+2.34.1
+
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index a412b0d..0eb303b 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@@ -1,7 +1,6 @@
-%define anolis_release .0.1
 Name: libjpeg-turbo
 Version: 2.0.90
-Release: 5%{anolis_release}%{?dist}
+Release: 6%{?dist}
 Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License: IJG
 URL: http://sourceforge.net/projects/libjpeg-turbo
@@ -11,6 +10,7 @@ Patch0: libjpeg-turbo-cmake.patch
 Patch1: libjpeg-turbo-CET.patch
 Patch3: libjpeg-turbo-CVE-2021-20205.patch
 Patch4: libjpeg-turbo-CVE-2021-37972.patch
+Patch5: libjpeg-turbo-CVE-2021-46822.patch
 BuildRequires: gcc
 BuildRequires: cmake
@@ -84,9 +84,6 @@ export LDFLAGS="$RPM_LD_FLAGS -Wl,-z,ibt -Wl,-z,shstk"
 -DCMAKE_SKIP_INSTALL_RPATH:BOOL=YES \
 %ifarch s390x
 -DFLOATTEST:STRING="fp-contract" \
-%endif
-%ifarch loongarch64
- -DWITH_SIMD=0 \
 %endif
 -DENABLE_STATIC:BOOL=NO
@@ -185,8 +182,9 @@ export LD_LIBRARY_PATH=%{buildroot}%{_libdir}
 %{_libdir}/pkgconfig/libturbojpeg.pc
 %changelog
-* Thu Dec 22 2022 Liwei Ge - 2.0.90-5.0.1
-- Disable simd for loongarch
+* Thu Jul 21 2022 Matej Mužila - 2.0.90-6
+- Fix CVE-2021-46822
+- Resolves: CVE-2021-46822
 * Sat Sep 25 2021 Nikola Forró - 2.0.90-5
 - Fix CVE-2021-37972 (#2007679)
--
Gitee

From 9a17c651497bce4148c64ed99efca2c220c28076 Mon Sep 17 00:00:00 2001
From: Liwei Ge
Date: Fri, 23 Dec 2022 10:45:38 +0800
Subject: [PATCH 2/2] spec: disable simd for loongarch

---
 libjpeg-turbo.spec | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
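Review bot: In the get_word_rgb_row hunks of the embedded rdppm.c patch, the new `rindex`/`gindex`/`bindex`/`aindex` values come from tables indexed by `cinfo->in_color_space` and are used directly as write offsets into the row, with no check visible in the function itself, so the writes stay in bounds only because of the `IsExtRGB(cinfo->in_color_space)` guard the same patch adds in start_input_ppm. That coupling is undocumented; a comment above the new declarations such as `/* start_input_ppm() only installs this reader for extended RGB colorspaces, so these offsets are valid. */` would keep a later edit from wiring the reader up without the guard. Both functions begin outside the hunks, as do the lookup tables and the row-buffer allocation, so whether the buffer is sized for `ps` samples per pixel cannot be confirmed from this page and should be checked against the packaged source when the patch is refreshed. The embedded diffstat also still lists `ChangeLog.md | 10` although no ChangeLog.md hunk is carried, which deserves a line in the patch header saying the hunk was dropped for the backport.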
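Review bot: `Patch5: libjpeg-turbo-CVE-2021-46822.patch` is declared in this hunk, but no hunk touches %prep, so the page does not show that the patch is actually applied during the build. If the spec applies patches with explicit per-patch lines rather than `%autosetup`, a matching `%patch5 -p1` is needed; otherwise the package would ship as release 6 with a changelog claiming the CVE-2021-46822 fix while rdppm.c is unpatched. Running `rpmbuild -bp` and inspecting rdppm.c for the `JERR_BAD_IN_COLORSPACE` branches confirms it either way.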
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index 0eb303b..5d86060 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@@ -1,6 +1,7 @@
+%define anolis_release .0.1
 Name: libjpeg-turbo
 Version: 2.0.90
-Release: 6%{?dist}
+Release: 6%{anolis_release}%{?dist}
 Summary: A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License: IJG
 URL: http://sourceforge.net/projects/libjpeg-turbo
@@ -84,6 +85,9 @@ export LDFLAGS="$RPM_LD_FLAGS -Wl,-z,ibt -Wl,-z,shstk"
 -DCMAKE_SKIP_INSTALL_RPATH:BOOL=YES \
 %ifarch s390x
 -DFLOATTEST:STRING="fp-contract" \
+%endif
+%ifarch loongarch64
+ -DWITH_SIMD=0 \
 %endif
 -DENABLE_STATIC:BOOL=NO
@@ -182,6 +186,9 @@ export LD_LIBRARY_PATH=%{buildroot}%{_libdir}
 %{_libdir}/pkgconfig/libturbojpeg.pc
 %changelog
+* Mon May 15 2023 Liwei Ge - 2.0.90-6.0.1
+- Disable simd for loongarch
+
 * Thu Jul 21 2022 Matej Mužila - 2.0.90-6
 - Fix CVE-2021-46822
 - Resolves: CVE-2021-46822
--
Gitee