Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package jasper for openSUSE:Factory checked
in at 2024-01-12 23:44:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jasper (Old)
and /work/SRC/openSUSE:Factory/.jasper.new.21961 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jasper"
Fri Jan 12 23:44:53 2024 rev:26 rq:1138151 version:4.1.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/jasper/jasper.changes 2023-11-30
22:00:22.790978996 +0100
+++ /work/SRC/openSUSE:Factory/.jasper.new.21961/jasper.changes 2024-01-12
23:45:08.325965405 +0100
@@ -1,0 +2,7 @@
+Thu Jan 11 15:45:02 UTC 2024 - Michael Vetter <mvet...@suse.com>
+
+- Update to 4.1.2:
+ * Fix invalid memory write bug (#367) (CVE-2023-51257).
+ * Fix missing range check in the JPC encoder (#368).
+
+-------------------------------------------------------------------
Old:
----
version-4.1.1.tar.gz
New:
----
version-4.1.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ jasper.spec ++++++
--- /var/tmp/diff_new_pack.VYt1mp/_old 2024-01-12 23:45:09.614012548 +0100
+++ /var/tmp/diff_new_pack.VYt1mp/_new 2024-01-12 23:45:09.614012548 +0100
@@ -1,7 +1,7 @@
#
# spec file for package jasper
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
%global __builddir obs_build
Name: jasper
-Version: 4.1.1
+Version: 4.1.2
Release: 0
Summary: An Implementation of the JPEG-2000 Standard, Part 1
License: JasPer-2.0
++++++ version-4.1.1.tar.gz -> version-4.1.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jasper-version-4.1.1/CMakeLists.txt
new/jasper-version-4.1.2/CMakeLists.txt
--- old/jasper-version-4.1.1/CMakeLists.txt 2023-11-28 18:19:23.000000000
+0100
+++ new/jasper-version-4.1.2/CMakeLists.txt 2024-01-11 16:13:42.000000000
+0100
@@ -12,7 +12,7 @@
# The major, minor, and micro version numbers of the project.
set(JAS_VERSION_MAJOR 4)
set(JAS_VERSION_MINOR 1)
-set(JAS_VERSION_PATCH 1)
+set(JAS_VERSION_PATCH 2)
# The shared library versioning information.
# Guidelines on how to change this information can be found below.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jasper-version-4.1.1/NEWS.txt
new/jasper-version-4.1.2/NEWS.txt
--- old/jasper-version-4.1.1/NEWS.txt 2023-11-28 18:19:23.000000000 +0100
+++ new/jasper-version-4.1.2/NEWS.txt 2024-01-11 16:13:42.000000000 +0100
@@ -1,3 +1,9 @@
+4.1.2 (2024-01-11)
+==================
+
+* Fix invalid memory write bug (#367) (CVE-2023-51257).
+* Fix missing range check in the JPC encoder (#368).
+
4.1.1 (2023-11-28)
==================
Binary files old/jasper-version-4.1.1/data/test/bad/367-PoC.jp2 and
new/jasper-version-4.1.2/data/test/bad/367-PoC.jp2 differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jasper-version-4.1.1/data/test/good/368_poc_min.pnm
new/jasper-version-4.1.2/data/test/good/368_poc_min.pnm
--- old/jasper-version-4.1.1/data/test/good/368_poc_min.pnm 1970-01-01
01:00:00.000000000 +0100
+++ new/jasper-version-4.1.2/data/test/good/368_poc_min.pnm 2024-01-11
16:13:42.000000000 +0100
@@ -0,0 +1 @@
+P413 1 30
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jasper-version-4.1.1/src/libjasper/base/jas_icc.c
new/jasper-version-4.1.2/src/libjasper/base/jas_icc.c
--- old/jasper-version-4.1.1/src/libjasper/base/jas_icc.c 2023-11-28
18:19:23.000000000 +0100
+++ new/jasper-version-4.1.2/src/libjasper/base/jas_icc.c 2024-01-11
16:13:42.000000000 +0100
@@ -1324,12 +1324,22 @@
{
jas_icctxt_t *txt = &attrval->data.txt;
txt->string = 0;
+ /* The string must at least contain a single null character. */
+ if (cnt < 1) {
+ goto error;
+ }
if (!(txt->string = jas_malloc(cnt))) {
goto error;
}
if (jas_stream_read(in, txt->string, cnt) != cnt) {
goto error;
}
+ /* Ensure that the string is null terminated. */
+ if (txt->string[cnt - 1] != '\0') {
+ goto error;
+ }
+ /* The following line is redundant, unless we do not enforce that
+ the last character must be null. */
txt->string[cnt - 1] = '\0';
if (strlen(txt->string) + 1 != cnt) {
goto error;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/jasper-version-4.1.1/src/libjasper/include/jasper/jas_math.h
new/jasper-version-4.1.2/src/libjasper/include/jasper/jas_math.h
--- old/jasper-version-4.1.1/src/libjasper/include/jasper/jas_math.h
2023-11-28 18:19:23.000000000 +0100
+++ new/jasper-version-4.1.2/src/libjasper/include/jasper/jas_math.h
2024-01-11 16:13:42.000000000 +0100
@@ -407,7 +407,7 @@
* Safe 32-bit unsigned integer arithmetic (i.e., with overflow checking).
\******************************************************************************/
-#define JAS_SAFEUI32_MAX (0xffffffffU)
+#define JAS_SAFEUI32_MAX (0xffffffffUL)
typedef struct {
bool valid;
@@ -432,7 +432,8 @@
static inline bool jas_safeui32_to_intfast32(jas_safeui32_t x,
int_fast32_t* y)
{
- if (x.value <= INT_FAST32_MAX) {
+ const long I32_MAX = 0x7fffffffL;
+ if (x.value <= I32_MAX) {
*y = x.value;
return true;
} else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jasper-version-4.1.1/src/libjasper/jpc/jpc_enc.c
new/jasper-version-4.1.2/src/libjasper/jpc/jpc_enc.c
--- old/jasper-version-4.1.1/src/libjasper/jpc/jpc_enc.c 2023-11-28
18:19:23.000000000 +0100
+++ new/jasper-version-4.1.2/src/libjasper/jpc/jpc_enc.c 2024-01-11
16:13:42.000000000 +0100
@@ -566,6 +566,14 @@
jas_logwarnf("warning: invalid intermediate
layer rates specifier ignored (%s)\n",
jas_tvparser_getval(tvp));
}
+ /* Ensure that the intermediate layer rates are
nonnegative. */
+ for (i = 0; i < numilyrrates; ++i) {
+ if (ilyrrates[i] < 0) {
+ jas_logerrorf(
+ "intermediate layer rate must be
nonnegative\n");
+ goto error;
+ }
+ }
break;
case OPT_JP2OVERHEAD:
