Hello community, here is the log from the commit of package jasper for openSUSE:Factory checked in at 2019-03-22 14:52:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jasper (Old) and /work/SRC/openSUSE:Factory/.jasper.new.25356 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jasper" Fri Mar 22 14:52:14 2019 rev:42 rq:687178 version:2.0.14 Changes: -------- --- /work/SRC/openSUSE:Factory/jasper/jasper.changes 2019-03-14 14:50:57.803800057 +0100 +++ /work/SRC/openSUSE:Factory/.jasper.new.25356/jasper.changes 2019-03-22 14:52:18.114135392 +0100 @@ -1,0 +2,6 @@ +Thu Mar 21 09:38:27 UTC 2019 - Michael Vetter <mvet...@suse.com> + +- bsc#1117505 CVE-2018-19542: + * Add jasper-CVE-2018-19542.patch + +------------------------------------------------------------------- New: ---- jasper-CVE-2018-19542.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jasper.spec ++++++ --- /var/tmp/diff_new_pack.ZBFELb/_old 2019-03-22 14:52:19.750134416 +0100 +++ /var/tmp/diff_new_pack.ZBFELb/_new 2019-03-22 14:52:19.754134414 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -29,7 +29,10 @@ Patch2: 0001-jpc_cs-reject-all-but-JPC_COX_INS-and-JPC_COX_RFT.patch Patch3: 0001-Added-a-fix-from-nrusch-to-allow-JasPer-to-be-build-.patch Patch4: jasper-CVE-2018-9055.patch +# https://github.com/mdadams/jasper/pull/196 Patch5: jasper-CVE-2018-19539.patch +# https://github.com/mdadams/jasper/pull/200 +Patch6: jasper-CVE-2018-19542.patch BuildRequires: Mesa-libGL-devel BuildRequires: cmake BuildRequires: doxygen @@ -87,6 +90,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build export CFLAGS="%{optflags} -Wall -std=c99 -D_BSD_SOURCE" ++++++ jasper-CVE-2018-19542.patch ++++++ See: https://github.com/mdadams/jasper/pull/200 Index: jasper-2.0.14/src/libjasper/jp2/jp2_dec.c =================================================================== --- jasper-2.0.14.orig/src/libjasper/jp2/jp2_dec.c +++ jasper-2.0.14/src/libjasper/jp2/jp2_dec.c 
@@ -388,6 +388,9 @@ jas_image_t *jp2_decode(jas_stream_t *in
 jas_image_setcmpttype(dec->image, newcmptno, jp2_getct(jas_image_clrspc(dec->image), 0, channo + 1));
 }
 #endif
+ } else {
+ jas_eprintf("error: invalid MTYP in CMAP box\n");
+ goto error;
 }
 }
 }
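Review bot: The new `else` arm rejects an unrecognised MTYP only where jp2_decode maps channels to components, so any other consumer of the CMAP entries would still see the unvalidated value. The box parser is not visible in this hunk, but if it is reachable from other paths the same check belongs there too. The branch should also carry a comment saying why it is fatal, for example `/* unknown MTYP: reject the file instead of continuing with a channel that was never mapped (CVE-2018-19542) */`. The error message does not say which channel failed; `channo` appears in the context line above and, if it is still in scope here, including it would make triage of malformed files easier. jp2_decode starts and ends outside the hunk, so the conditions of the preceding arms and the cleanup done at `error:` cannot be checked from here.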