diff --git a/CVE-2018-18544.patch b/CVE-2018-18544.patch new file mode 100644 index 0000000000000000000000000000000000000000..95edec4ea2a8c5f7b46dcfcf2f2be21928a2a07e --- /dev/null +++ b/CVE-2018-18544.patch @@ -0,0 +1,26 @@ +From 960de60924208e2fceff6d118c0bcec38dae627b Mon Sep 17 00:00:00 2001 +From: maminjie +Date: Sat, 19 Sep 2020 16:00:58 +0800 +Subject: [PATCH] ProcessMSLScript(): Release msl_image if OpenBlob fails. + (CVE-2018-18544) + +refers to http://hg.code.sf.net/p/graphicsmagick/code/rev/31349424878d +--- + coders/msl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/coders/msl.c b/coders/msl.c +index 5add044..9e99629 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -4540,6 +4540,7 @@ ProcessMSLScript(const ImageInfo *image_info,Image **image, + status=OpenBlob(image_info,msl_image,ReadBinaryBlobMode,exception); + if (status == False) + { ++ DestroyImage(msl_image); + ThrowException(exception,FileOpenError,UnableToOpenFile, + msl_image->filename); + return(False); +-- +2.23.0 + diff --git a/CVE-2019-11005.patch b/CVE-2019-11005.patch new file mode 100644 index 0000000000000000000000000000000000000000..10cca6b520609250026ecbe03eae402306d9e1ce --- /dev/null +++ b/CVE-2019-11005.patch @@ -0,0 +1,30 @@ +SVGStartElement(): Fix stack buffer overflow while parsing quoted font family value. +(CVE-2019-11005) + +refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d + +diff -r f7610c1281c1 -r b6fb77d7d54d coders/svg.c +--- a/coders/svg.c Fri Apr 05 08:13:14 2019 -0500 ++++ b/coders/svg.c Fri Apr 05 08:43:15 2019 -0500 +@@ -1745,12 +1745,12 @@ + font-family. Maybe we need a generalized solution for + this. + */ +- if ((value[0] == '\'') && (value[strlen(value)-1] == '\'')) ++ int value_length; ++ if ((value[0] == '\'') && ((value_length=(int) strlen(value)) > 2) ++ && (value[value_length-1] == '\'')) + { +- char nvalue[MaxTextExtent]; +- (void) strlcpy(nvalue,value+1,sizeof(nvalue)); +- nvalue[strlen(nvalue)-1]='\0'; +- MVGPrintf(svg_info->file,"font-family '%s'\n",nvalue); ++ MVGPrintf(svg_info->file,"font-family '%.*s'\n", ++ (int)(value_length-2),value+1); + } + else + { + + + + diff --git a/CVE-2019-11006.patch b/CVE-2019-11006.patch new file mode 100644 index 0000000000000000000000000000000000000000..20bc2239c712c0991df215d134eb305f310d7616 --- /dev/null +++ b/CVE-2019-11006.patch @@ -0,0 +1,45 @@ +From a404f04f6114057b9b64eab8436a0668f6aa16f7 Mon Sep 17 00:00:00 2001 +From: maminjie +Date: Sat, 19 Sep 2020 15:35:05 +0800 +Subject: [PATCH] ReadMIFFImage(): Detect end of file while reading RLE + packets. (CVE-2019-11006) + +refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f7610c1281c1 +--- + coders/miff.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/coders/miff.c b/coders/miff.c +index 307b10e..60ad6f7 100644 +--- a/coders/miff.c ++++ b/coders/miff.c +@@ -1706,7 +1706,13 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + p=pixels; + for (length=0; length < image->columns; ) + { +- p+=ReadBlob(image,packet_size,p); ++ size_t ++ bytes_read; ++ ++ if ((bytes_read=ReadBlob(image,packet_size,p)) != packet_size) ++ ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile, ++ image); ++ p+=bytes_read; + length+=*(p-1)+1; + } + +@@ -1731,7 +1737,10 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + if (q == (PixelPacket *) NULL) + break; + pixels_p=pixels; +- (void) ReadBlobZC(image,packet_size*image->columns,&pixels_p); ++ if (ReadBlobZC(image,packet_size*image->columns,&pixels_p) ++ != (size_t) packet_size*image->columns) ++ ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile, ++ image); + (void) ImportImagePixelArea(image,quantum_type,quantum_size,(const unsigned char*) pixels_p,0,0); + if (!SyncImagePixels(image)) + break; +-- +2.23.0 + diff --git a/CVE-2019-11010.patch b/CVE-2019-11010.patch new file mode 100644 index 0000000000000000000000000000000000000000..b1b46bae737954f5f6b3b7627729177d42af305d --- /dev/null +++ b/CVE-2019-11010.patch @@ -0,0 +1,110 @@ +From 38b2e7d3f5a027058a92a48c440b1cf47f2d8af5 Mon Sep 17 00:00:00 2001 +From: maminjie +Date: Sat, 19 Sep 2020 17:41:12 +0800 +Subject: [PATCH] ReadMPCImage(): Deal with a profile length of zero, or an + irrationally large profile length. (CVE-2019-11010) + +refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/a348d9661019 +--- + coders/miff.c | 36 ++++++++++++++++++++++++++++-------- + coders/mpc.c | 37 ++++++++++++++++++++++++++++--------- + 2 files changed, 56 insertions(+), 17 deletions(-) + +diff --git a/coders/miff.c b/coders/miff.c +index 60ad6f7..00813c4 100644 +--- a/coders/miff.c ++++ b/coders/miff.c +@@ -1368,14 +1368,34 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + { + for (i=0; i < (long) number_of_profiles; i++) + { +- if (profiles[i].length == 0) +- continue; +- profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length); +- if (profiles[i].info == (unsigned char *) NULL) +- ThrowMIFFReaderException(CorruptImageError,UnableToReadGenericProfile, +- image); +- (void) ReadBlob(image,profiles[i].length,profiles[i].info); +- (void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length); ++ if (profiles[i].length > 0) ++ { ++ if ((profiles[i].length - ((magick_off_t) profiles[i].length) == 0) && ++ ((BlobIsSeekable(image) ++ && (GetBlobSize(image) - TellBlob(image)) > ++ (magick_off_t) profiles[i].length) || ++ (profiles[i].length < 15*1024*1024))) ++ { ++ profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length); ++ if (profiles[i].info == (unsigned char *) NULL) ++ ThrowMIFFReaderException(CorruptImageError,UnableToReadGenericProfile, ++ image); ++ if (ReadBlob(image,profiles[i].length,profiles[i].info) ++ != profiles[i].length) ++ ThrowMIFFReaderException(CorruptImageError, ++ UnexpectedEndOfFile, ++ image); ++ (void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length); ++ } ++ else ++ { ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "Profile size %" MAGICK_SIZE_T_F "u is excessively large", ++ (MAGICK_SIZE_T ) profiles[i].length); ++ ThrowMIFFReaderException(CorruptImageError,ImproperImageHeader, ++ image); ++ } ++ } + MagickFreeMemory(profiles[i].name); + MagickFreeMemory(profiles[i].info); + } +diff --git a/coders/mpc.c b/coders/mpc.c +index 3459f92..e184fd1 100644 +--- a/coders/mpc.c ++++ b/coders/mpc.c +@@ -772,15 +772,34 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) + { + for (i=0; i < (long) number_of_profiles; i++) + { +- if (profiles[i].length == 0) +- continue; +- profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length); +- if (profiles[i].info == (unsigned char *) NULL) +- ThrowMPCReaderException(CorruptImageError,UnableToReadGenericProfile, +- image); +- (void) ReadBlob(image,profiles[i].length,profiles[i].info); +- (void) SetImageProfile(image,profiles[i].name,profiles[i].info, +- profiles[i].length); ++ if (profiles[i].length > 0) ++ { ++ if ((profiles[i].length - ((magick_off_t) profiles[i].length) == 0) && ++ ((BlobIsSeekable(image) ++ && (GetBlobSize(image) - TellBlob(image)) > ++ (magick_off_t) profiles[i].length) || ++ (profiles[i].length < 15*1024*1024))) ++ { ++ profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length); ++ if (profiles[i].info == (unsigned char *) NULL) ++ ThrowMPCReaderException(CorruptImageError,UnableToReadGenericProfile, ++ image); ++ if (ReadBlob(image,profiles[i].length,profiles[i].info) ++ != profiles[i].length) ++ ThrowMPCReaderException(CorruptImageError, ++ UnexpectedEndOfFile, ++ image); ++ (void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length); ++ } ++ else ++ { ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "Profile size %" MAGICK_SIZE_T_F "u is excessively large", ++ (MAGICK_SIZE_T ) profiles[i].length); ++ ThrowMPCReaderException(CorruptImageError,ImproperImageHeader, ++ image); ++ } ++ } + MagickFreeMemory(profiles[i].name); + MagickFreeMemory(profiles[i].info); + } +-- +2.23.0 + diff --git a/CVE-2019-12921.patch b/CVE-2019-12921.patch new file mode 100644 index 0000000000000000000000000000000000000000..c4757fb2d4c12918d9e1964e251f52ec7f2113ff --- /dev/null +++ b/CVE-2019-12921.patch @@ -0,0 +1,39 @@ +From 1b5507f188dd0cd76099348c5f151a8ba61a812d Mon Sep 17 00:00:00 2001 +From: maminjie +Date: Sat, 19 Sep 2020 16:39:22 +0800 +Subject: [PATCH] fix CVE-2019-12921 + +the text filename component potentially allows to read arbitrary files via TranslateTextEx for SVG + +refers to https://build.opensuse.org/request/show/788214 +--- + magick/render.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/magick/render.c b/magick/render.c +index 3caf603..75bbe2f 100644 +--- a/magick/render.c ++++ b/magick/render.c +@@ -2360,11 +2360,16 @@ DrawImage(Image *image,const DrawInfo *draw_info) + if (*draw_info->primitive == '\0') + return(MagickFail); + (void) LogMagickEvent(RenderEvent,GetMagickModule(),"begin draw-image"); +- if (*draw_info->primitive != '@') +- primitive=AllocateString(draw_info->primitive); +- else ++ /* ++ Read primitive from file if supplied primitive starts with '@' and ++ we are not already drawing. ++ */ ++ if ((*draw_info->primitive == '@') && ++ (DrawImageGetCurrentRecurseLevel(image) == 1)) + primitive=(char *) + FileToBlob(draw_info->primitive+1,&length,&image->exception); ++ else ++ primitive=AllocateString(draw_info->primitive); + if (primitive == (char *) NULL) + return(MagickFail); + primitive_extent=strlen(primitive); +-- +2.23.0 + diff --git a/CVE-2019-7397.patch b/CVE-2019-7397.patch new file mode 100644 index 0000000000000000000000000000000000000000..da0b615b1538f6c07e58d5118c9d27907d41bc8e --- /dev/null +++ b/CVE-2019-7397.patch @@ -0,0 +1,34 @@ +WritePDFImage(): Make sure to free 'xref' before returning. (ImageMagick CVE-2019-7397) + +refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/11ad3aeb8ab1 + +diff -r e29c20957e2d -r 11ad3aeb8ab1 coders/pdf.c +--- a/coders/pdf.c Sun Feb 10 17:07:33 2019 -0600 ++++ b/coders/pdf.c Mon Feb 11 20:31:53 2019 -0600 +@@ -1,5 +1,5 @@ + /* +-% Copyright (C) 2003-2018 GraphicsMagick Group ++% Copyright (C) 2003-2019 GraphicsMagick Group + % Copyright (C) 2002 ImageMagick Studio + % Copyright 1991-1999 E. I. du Pont de Nemours and Company + % +@@ -1375,6 +1375,7 @@ + if (!status) + { + CloseBlob(image); ++ MagickFreeMemory(xref); + return(False); + } + break; +@@ -1478,6 +1479,7 @@ + if (!status) + { + CloseBlob(image); ++ MagickFreeMemory(xref); + return(False); + } + break; + + + + diff --git a/CVE-2020-10938.patch b/CVE-2020-10938.patch new file mode 100644 index 0000000000000000000000000000000000000000..36645f952e5cd07a559a937f48a675aa94da680f --- /dev/null +++ b/CVE-2020-10938.patch @@ -0,0 +1,296 @@ +HuffmanDecodeImage(): Fix signed overflow on range check which leads to heap overflow in 32-bit applications. Ascii85Tuple(): Fix thread safety issue. +(CVE-2020-10938) + +refers to http://hg.code.sf.net/p/graphicsmagick/code/rev/95abc2b694ce + +diff -r 751e9e822b09 -r 95abc2b694ce magick/compress.c +--- a/magick/compress.c Sun Nov 10 13:33:34 2019 -0600 ++++ b/magick/compress.c Sat Nov 16 10:31:37 2019 -0600 +@@ -1,5 +1,5 @@ + /* +-% Copyright (C) 2003 - 2015 GraphicsMagick Group ++% Copyright (C) 2003-2019 GraphicsMagick Group + % Copyright (C) 2002 ImageMagick Studio + % Copyright 1991-1999 E. I. du Pont de Nemours and Company + % +@@ -53,21 +53,26 @@ + */ + typedef struct HuffmanTable + { ++ unsigned int ++ id; ++ + int +- id, +- code, ++ code; ++ ++ unsigned int + length, + count; ++ + } HuffmanTable; + + /* + Huffman coding declarations. + */ +-#define TWId 23 +-#define MWId 24 +-#define TBId 25 +-#define MBId 26 +-#define EXId 27 ++#define TWId 23U ++#define MWId 24U ++#define TBId 25U ++#define MBId 26U ++#define EXId 27U + + static const HuffmanTable + MBTable[]= +@@ -202,37 +207,38 @@ + */ + #define MaxLineExtent 36 + +-static char *Ascii85Tuple(unsigned char *data) ++static char *Ascii85Tuple(char tuple[6], const unsigned char * restrict data) + { +- static char +- tuple[6]; ++ magick_uint32_t ++ code; + +- register long +- i, +- x; +- +- unsigned long +- code, +- quantum; +- +- code=((((unsigned long) data[0] << 8) | (unsigned long) data[1]) << 16) | +- ((unsigned long) data[2] << 8) | (unsigned long) data[3]; +- if (code == 0L) ++ code=((((magick_uint32_t) data[0] << 8) | (magick_uint32_t) data[1]) << 16) | ++ ((magick_uint32_t) data[2] << 8) | (magick_uint32_t) data[3]; ++ if (code == 0) + { + tuple[0]='z'; + tuple[1]='\0'; +- return(tuple); + } +- quantum=85UL*85UL*85UL*85UL; +- for (i=0; i < 4; i++) +- { +- x=(long) (code/quantum); +- code-=quantum*x; +- tuple[i]=(char) (x+(int) '!'); +- quantum/=85L; +- } +- tuple[4]=(char) ((code % 85L)+(int) '!'); +- tuple[5]='\0'; ++ else ++ { ++ register magick_int32_t ++ i, ++ x; ++ ++ magick_uint32_t ++ quantum; ++ ++ quantum=85U*85U*85U*85U; ++ for (i=0; i < 4; i++) ++ { ++ x=(magick_int32_t) (code/quantum); ++ code-=quantum*x; ++ tuple[i]=(char) (x+(int) '!'); ++ quantum/=85; ++ } ++ tuple[4]=(char) ((code % 85)+(int) '!'); ++ tuple[5]='\0'; ++ } + return(tuple); + } + +@@ -255,6 +261,9 @@ + + MagickExport void Ascii85Flush(Image *image) + { ++ char ++ tuple_buff[6]; ++ + register char + *tuple; + +@@ -266,7 +275,7 @@ + image->ascii85->buffer[image->ascii85->offset]=0; + image->ascii85->buffer[image->ascii85->offset+1]=0; + image->ascii85->buffer[image->ascii85->offset+2]=0; +- tuple=Ascii85Tuple(image->ascii85->buffer); ++ tuple=Ascii85Tuple(tuple_buff, image->ascii85->buffer); + (void) WriteBlob(image,image->ascii85->offset+1, + *tuple == 'z' ? "!!!!" : tuple); + } +@@ -286,6 +295,9 @@ + register unsigned char + *p; + ++ char ++ tuple_buff[6]; ++ + assert(image != (Image *) NULL); + assert(image->signature == MagickSignature); + assert(image->ascii85 != (Ascii85Info *) NULL); +@@ -296,7 +308,7 @@ + p=image->ascii85->buffer; + for (n=image->ascii85->offset; n >= 4; n-=4) + { +- for (q=Ascii85Tuple(p); *q; q++) ++ for (q=Ascii85Tuple(tuple_buff,p); *q; q++) + { + image->ascii85->line_break--; + if ((image->ascii85->line_break < 0) && (*q != '%')) +@@ -355,11 +367,11 @@ + % + % + */ +-#define HashSize 1021 +-#define MBHashA 293 +-#define MBHashB 2695 +-#define MWHashA 3510 +-#define MWHashB 1178 ++#define HashSize 1021U ++#define MBHashA 293U ++#define MBHashB 2695U ++#define MWHashA 3510U ++#define MWHashB 1178U + + #define InitializeHashTable(hash,table,a,b) \ + { \ +@@ -401,26 +413,30 @@ + byte, + code, + color, +- length, + null_lines, + runlength; + + unsigned int + bit, + index, ++ length, + mask; + + long +- count, ++ count; ++ ++ unsigned long + y; + + register IndexPacket + *indexes; + +- register long +- i, ++ register unsigned long + x; + ++ unsigned int ++ i; ++ + register PixelPacket + *q; + +@@ -481,13 +497,13 @@ + image->x_resolution=204.0; + image->y_resolution=196.0; + image->units=PixelsPerInchResolution; +- for (y=0; ((y < (long) image->rows) && (null_lines < 3)); ) ++ for (y=0; ((y < image->rows) && (null_lines < 3)); ) + { + /* + Initialize scanline to white. + */ + p=scanline; +- for (x=0; x < (long) image->columns; x++) ++ for (x=0; x < image->columns; x++) + *p++=0; + /* + Decode Huffman encoded scanline. +@@ -502,7 +518,7 @@ + { + if (byte == EOF) + break; +- if (x >= (long) image->columns) ++ if (x >= image->columns) + { + while (runlength < 11) + InputBit(bit); +@@ -563,7 +579,7 @@ + case TBId: + { + count+=entry->count; +- if ((x+count) > (long) image->columns) ++ if ((x+(unsigned long) count) > image->columns) + count=(long) image->columns-x; + if (count > 0) + { +@@ -603,7 +619,7 @@ + break; + } + indexes=AccessMutableIndexes(image); +- for (x=0; x < (long) image->columns; x++) ++ for (x=0; x < image->columns; x++) + { + index=(unsigned int) (*p++); + indexes[x]=index; +@@ -695,7 +711,9 @@ + runlength; + + long +- n, ++ n; ++ ++ unsigned long + y; + + Image +@@ -704,8 +722,10 @@ + register const IndexPacket + *indexes; + +- register long +- i, ++ unsigned long ++ i; ++ ++ register unsigned long + x; + + register const PixelPacket +@@ -772,10 +792,10 @@ + polarity=(PixelIntensityToQuantum(&huffman_image->colormap[0]) < + PixelIntensityToQuantum(&huffman_image->colormap[1]) ? 0x00 : 0x01); + q=scanline; +- for (i=(long) width; i > 0; i--) ++ for (i=0; i < width; i++) /* was: for (i=(long) width; i > 0; i--) */ + *q++=(unsigned char) polarity; + q=scanline; +- for (y=0; y < (long) huffman_image->rows; y++) ++ for (y=0; y < huffman_image->rows; y++) + { + p=AcquireImagePixels(huffman_image,0,y,huffman_image->columns,1, + &huffman_image->exception); +@@ -785,7 +805,7 @@ + break; + } + indexes=AccessImmutableIndexes(huffman_image); +- for (x=0; x < (long) huffman_image->columns; x++) ++ for (x=0; x < huffman_image->columns; x++) + { + *q=(unsigned char) (indexes[x] == polarity ? !polarity : polarity); + q++; + + + + diff --git a/CVE-2020-12672.patch b/CVE-2020-12672.patch new file mode 100644 index 0000000000000000000000000000000000000000..9295895e616176d6c9c5fe494bb29308d85d5809 --- /dev/null +++ b/CVE-2020-12672.patch @@ -0,0 +1,48 @@ +From a5646313975525c598527269bbfe4524909275f3 Mon Sep 17 00:00:00 2001 +From: maminjie +Date: Sat, 19 Sep 2020 17:59:51 +0800 +Subject: [PATCH] MNG: Fix small heap overwrite or assertion if magnifying and + image to be magnified has rows or columns == 1. (CVE-2020-12672) + +refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/50395430a371 +--- + coders/png.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/coders/png.c b/coders/png.c +index ebb0a4a..b8b6c2b 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -5571,7 +5571,28 @@ static Image *ReadMNGImage(const ImageInfo *image_info, + + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " Processing MNG MAGN chunk"); ++ " Processing MNG MAGN chunk: MB=%u, ML=%u," ++ " MR=%u, MT=%u, MX=%u, MY=%u," ++ " X_method=%u, Y_method=%u", ++ mng_info->magn_mb,mng_info->magn_ml, ++ mng_info->magn_mr,mng_info->magn_mt, ++ mng_info->magn_mx,mng_info->magn_my, ++ mng_info->magn_methx, ++ mng_info->magn_methy); ++ ++ /* ++ If the image width is 1, then X magnification is done ++ by simple pixel replication. ++ */ ++ if (image->columns == 1) ++ mng_info->magn_methx = 1; ++ ++ /* ++ If the image height is 1, then Y magnification is done ++ by simple pixel replication. ++ */ ++ if (image->rows == 1) ++ mng_info->magn_methy = 1; + + if (mng_info->magn_methx == 1) + { +-- +2.23.0 + diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec index 9110268d279287f0eec1deaf2d8d4fa3e845156c..026959db1eff928621b80fc01217581db71a0a25 100644 --- a/GraphicsMagick.spec +++ b/GraphicsMagick.spec @@ -10,7 +10,7 @@ Name: GraphicsMagick Version: 1.3.30 -Release: 7 +Release: 8 Summary: Derived from ImageMagick, providing faster image generation speed and better quality License: MIT Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz @@ -23,6 +23,14 @@ Patch0003: CVE-2019-11505.patch Patch0004: CVE-2019-11008.patch Patch0005: CVE-2019-11506.patch Patch0006: CVE-2019-11009.patch +Patch0007: CVE-2018-18544.patch +Patch0008: CVE-2019-7397.patch +Patch0009: CVE-2019-11005.patch +Patch0010: CVE-2019-11006.patch +Patch0011: CVE-2019-11010.patch +Patch0012: CVE-2019-12921.patch +Patch0013: CVE-2020-10938.patch +Patch0014: CVE-2020-12672.patch BuildRequires: bzip2-devel freetype-devel gcc-c++ giflib-devel lcms2-devel libjpeg-devel BuildRequires: libpng-devel librsvg2-devel libtiff-devel libtool-ltdl-devel libxml2-devel lpr @@ -221,6 +229,10 @@ time %make_build check ||: %changelog +* Sat Sep 19 2020 maminjie - 1.3.30-8 +- fix some CVEs: CVE-2018-18544 CVE-2019-7397 CVE-2019-11005 CVE-2019-11006 + CVE-2019-11010 CVE-2019-12921 CVE-2020-10938 CVE-2020-12672 + * Tue May 19 2020 openEuler Buildteam - 1.3.30-7 - rebuild for libwebp-1.1.0