download.lst | 4 - external/libjpeg-turbo/UnpackedTarball_libjpeg-turbo.mk | 1 external/libjpeg-turbo/c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1 | 38 ++++++++++ 3 files changed, 41 insertions(+), 2 deletions(-)
New commits: commit ebd556220a5045c1c81891b712648d220a168c70 Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Fri Nov 5 19:40:49 2021 +0100 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Fri Nov 5 21:09:56 2021 +0100 libjpeg-turbo: add patch for CVE-2020-17541 Change-Id: Ie3fe30bea6a62e7cafeaed957d6ef6aeb879047b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124778 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com>
diff --git a/external/libjpeg-turbo/UnpackedTarball_libjpeg-turbo.mk b/external/libjpeg-turbo/UnpackedTarball_libjpeg-turbo.mk
index a99df67bb011..5440d16ecfc1 100644
--- a/external/libjpeg-turbo/UnpackedTarball_libjpeg-turbo.mk
+++ b/external/libjpeg-turbo/UnpackedTarball_libjpeg-turbo.mk
@@ -19,6 +19,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,libjpeg-turbo,\
 external/libjpeg-turbo/jpeg-turbo.build.patch.1 \
 $(if $(filter WNT,$(OS)),external/libjpeg-turbo/jpeg-turbo.win_build.patch.1) \
 external/libjpeg-turbo/ubsan.patch \
+ external/libjpeg-turbo/c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1 \
 ))
 # vim: set noet sw=4 ts=4:
diff --git a/external/libjpeg-turbo/c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1 b/external/libjpeg-turbo/c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1
new file mode 100644
index 000000000000..cc3da737e7b0
--- /dev/null
+++ b/external/libjpeg-turbo/c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1
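Review bot: The new list entry `c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1` is identified only by an upstream commit hash, so nothing in this makefile tells a maintainer that it is the CVE-2020-17541 fix or when it can be dropped. A `#` comment cannot sit inside the backslash-continued `$(call ...)` argument list, so it belongs above the `$(eval $(call gb_UnpackedTarball_add_patches,...` line, which starts outside this hunk: `# c76f4a08...patch.1: upstream fix for CVE-2020-17541 (Huffman encoder local buffer overrun); remove once the bundled libjpeg-turbo tarball includes it`. This matters here because the upstream message carried in the patch says the overrun "did not likely pose a security risk", which on its own would not explain why the patch is kept.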
@@ -0,0 +1,38 @@
+From c76f4a08263b0cea40d2967560ac7c21f6959079 Mon Sep 17 00:00:00 2001
+From: DRC <informat...@libjpeg-turbo.org>
+Date: Thu, 5 Dec 2019 13:12:28 -0600
+Subject: [PATCH] Huffman enc.: Fix very rare local buffer overrun
+
+... detected by ASan. This is a similar issue to the issue that was
+fixed with 402a715f82313384ef4606660c32d8678c79f197. Apparently it is
+possible to create a malformed JPEG image that exceeds the Huffman
+encoder's 256-byte local buffer when attempting to losslessly tranform
+the image. That makes sense, given that it was necessary to extend the
+Huffman decoder's local buffer to 512 bytes in order to handle all
+pathological cases (refer to 0463f7c9aad060fcd56e98d025ce16185279e2bc.)
+
+Since this issue affected only lossless transformation, a workflow that
+isn't generally exposed to arbitrary data exploits, and since the
+overrun did not overflow the stack (i.e. it did not result in a segfault
+or other user-visible issue, and valgrind didn't even detect it), it did
+not likely pose a security risk.
+
+Fixes #392
+---
+ ChangeLog.md | 10 ++++++++++
+ jchuff.c | 2 +-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/jchuff.c b/jchuff.c
+index 206958e2f..cb05055d9 100644
+--- a/jchuff.c
++++ b/jchuff.c
+@@ -432,7 +432,7 @@ dump_buffer(working_state *state)
+ * scanning order-- 1, 8, 16, etc.), then this will produce an encoded block
+ * larger than 200 bytes.
+ */
+-#define BUFSIZE (DCTSIZE2 * 4)
++#define BUFSIZE (DCTSIZE2 * 8)
+
+ #define LOAD_BUFFER() { \
+ if (state->free_in_buffer < BUFSIZE) { \
commit 7208197a4ac718411fa6e3b4c770fdec8c67557d Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Fri Nov 5 14:03:05 2021 +0100 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Fri Nov 5 21:09:41 2021 +0100 bzip2: upgrade to release 1.0.8 Fixes CVE-2019-12900 Change-Id: If3fcfff78a61c60014ba6d96f1ee0c432ccc52a1 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124758 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 1289125532a029dc80e4ee3d0a49dca253f51888) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124762 Reviewed-by: Caolán McNamara <caol...@redhat.com>
diff --git a/download.lst b/download.lst
index 34bb426c8021..23acc03b2b65 100644
--- a/download.lst
+++ b/download.lst
@@ -18,8 +18,8 @@ export BREAKPAD_SHA256SUM := c44a2e898895cfc13b42d2371ba4b88b0777d7782214d6cdc91
 export BREAKPAD_TARBALL := breakpad-b324760c7f53667af128a6b77b790323da04fcb9.tar.xz
 export BSH_SHA256SUM := 9e93c73e23aff644b17dfff656444474c14150e7f3b38b19635e622235e01c96
 export BSH_TARBALL := beeca87be45ec87d241ddd0e1bad80c1-bsh-2.0b6-src.zip
-export BZIP2_SHA256SUM := a2848f34fcd5d6cf47def00461fcb528a0484d8edef8208d6d2e2909dc61d9cd
-export BZIP2_TARBALL := 00b516f4704d4a7cb50a1d97e6e8e15b-bzip2-1.0.6.tar.gz
+export BZIP2_SHA256SUM := ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269
+export BZIP2_TARBALL := bzip2-1.0.8.tar.gz
 export CAIRO_SHA256SUM := 5e7b29b3f113ef870d1e3ecf8adf21f923396401604bda16d44be45e66052331
 export CAIRO_VERSION_MICRO := 0
 export CAIRO_TARBALL := cairo-1.16.$(CAIRO_VERSION_MICRO).tar.xz