[kirkstone,07/23] libjpeg-turbo: upgrade 2.1.4 -> 2.1.5

Message ID	1ca7a15d7dece08e18cdb41f897ec37d1349ab70.1676990336.git.steve@sakoman.com
State	Accepted, archived
Commit	1ca7a15d7dece08e18cdb41f897ec37d1349ab70
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.172, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 07/23] libjpeg-turbo: upgrade 2.1.4 -> 2.1.5 Date: Tue, 21 Feb 2023 04:40:50 -1000 Message-Id: <1ca7a15d7dece08e18cdb41f897ec37d1349ab70.1676990336.git.steve@sakoman.com> In-Reply-To: <cover.1676990336.git.steve@sakoman.com> References: <cover.1676990336.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/23] tar: CVE-2022-48303 \| expand [kirkstone,01/23] tar: CVE-2022-48303 [kirkstone,02/23] diffutils: update 3.8 -> 3.9 [kirkstone,03/23] lttng-tools: update 2.13.8 -> 2.13.9 [kirkstone,04/23] apr: update 1.7.0 -> 1.7.2 [kirkstone,05/23] apr-util: update 1.6.1 -> 1.6.3 [kirkstone,06/23] bind: upgrade 9.18.10 -> 9.18.11 [kirkstone,07/23] libjpeg-turbo: upgrade 2.1.4 -> 2.1.5 [kirkstone,08/23] linux-firmware: upgrade 20221214 -> 20230117 [kirkstone,09/23] git: upgrade 2.35.6 -> 2.35.7 [kirkstone,10/23] sudo: upgrade 1.9.12p1 -> 1.9.12p2 [kirkstone,11/23] libgit2: uprade 1.4.3 -> 1.4.4 [kirkstone,12/23] libgit2: upgrade 1.4.4 -> 1.4.5 [kirkstone,13/23] qemu: fix compile error [kirkstone,14/23] update-alternatives: fix typos [kirkstone,15/23] image.bbclass: print all QA functions exceptions [kirkstone,16/23] devshell: Do not add scripts/git-intercept to PATH [kirkstone,17/23] oeqa ssh.py: move output prints to new line [kirkstone,18/23] oeqa ssh.py: add connection keep alive options to ssh client [kirkstone,19/23] oeqa dump.py: add error counter and stop after 5 failures [kirkstone,20/23] oeqa qemurunner: read more data at a time from serial [kirkstone,21/23] oeqa qemurunner.py: add timeout to QMP calls [kirkstone,22/23] oeqa qemurunner.py: try to avoid reading one character at a time [kirkstone,23/23] oeqa/selftest/bbtests: Update message lookup for test_git_unpack_nonetwork_fail

Message ID

1ca7a15d7dece08e18cdb41f897ec37d1349ab70.1676990336.git.steve@sakoman.com

State

Accepted, archived

Commit

1ca7a15d7dece08e18cdb41f897ec37d1349ab70

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 07/23] libjpeg-turbo: upgrade 2.1.4 -> 2.1.5
Date: Tue, 21 Feb 2023 04:40:50 -1000
Message-Id: 
 <1ca7a15d7dece08e18cdb41f897ec37d1349ab70.1676990336.git.steve@sakoman.com>
In-Reply-To: <cover.1676990336.git.steve@sakoman.com>
References: <cover.1676990336.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/23] tar: CVE-2022-48303 | expand

Commit Message

Steve Sakoman Feb. 21, 2023, 2:40 p.m. UTC

From: Alexander Kanavin <alex.kanavin@gmail.com>

Significant changes relative to 2.1.4

Fixed issues in the build system whereby, when using the Ninja Multi-Config CMake generator, a static build of libjpeg-turbo (a build in which ENABLE_SHARED is 0) could not be installed, a Windows installer could not be built, and the Java regression tests failed.

Fixed a regression introduced by 2.0 beta1[15] that caused a buffer overrun in the progressive Huffman encoder when attempting to transform a specially-crafted malformed 12-bit-per-component JPEG image into a progressive 12-bit-per-component JPEG image using a 12-bit-per-component build of libjpeg-turbo (-DWITH_12BIT=1.) Given that the buffer overrun was fully contained within the progressive Huffman encoder structure and did not cause a segfault or other user-visible errant behavior, given that the lossless transformer (unlike the decompressor) is not generally exposed to arbitrary data exploits, and given that 12-bit-per-component builds of libjpeg-turbo are uncommon, this issue did not likely pose a security risk.

Fixed an issue whereby, when using a 12-bit-per-component build of libjpeg-turbo (-DWITH_12BIT=1), passing samples with values greater than 4095 or less than 0 to jpeg_write_scanlines() caused a buffer overrun or underrun in the RGB-to-YCbCr color converter.

Fixed a floating point exception that occurred when attempting to use the jpegtran -drop and -trim options to losslessly transform a specially-crafted malformed JPEG image.

Fixed an issue in tjBufSizeYUV2() whereby it returned a bogus result, rather than throwing an error, if the align parameter was not a power of 2. Fixed a similar issue in tjCompressFromYUV() whereby it generated a corrupt JPEG image in certain cases, rather than throwing an error, if the align parameter was not a power of 2.

Fixed an issue whereby tjDecompressToYUV2(), which is a wrapper for tjDecompressToYUVPlanes(), used the desired YUV image dimensions rather than the actual scaled image dimensions when computing the plane pointers and strides to pass to tjDecompressToYUVPlanes(). This caused a buffer overrun and subsequent segfault if the desired image dimensions exceeded the scaled image dimensions.

Fixed an issue whereby, when decompressing a 12-bit-per-component JPEG image (-DWITH_12BIT=1) using an alpha-enabled output color space such as JCS_EXT_RGBA, the alpha channel was set to 255 rather than 4095.

Fixed an issue whereby the Java version of TJBench did not accept a range of quality values.

Fixed an issue whereby, when -progressive was passed to TJBench, the JPEG input image was not transformed into a progressive JPEG image prior to decompression.

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f779689c2c766b609be31222d71110c1a15145a8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit a5d15ae9f4671790d3c5fb3606ec0861c17ed6dd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../jpeg/{libjpeg-turbo_2.1.4.bb => libjpeg-turbo_2.1.5.bb}     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-graphics/jpeg/{libjpeg-turbo_2.1.4.bb => libjpeg-turbo_2.1.5.bb} (97%)

diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.bb
similarity index 97%
rename from meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.4.bb
rename to meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.bb
index 1708fa97f0..4d21ca1e1d 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.4.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.bb
@@ -14,7 +14,7 @@  SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
            file://0001-libjpeg-turbo-fix-package_qa-error.patch \
            "
 
-SRC_URI[sha256sum] = "d3ed26a1131a13686dfca4935e520eb7c90ae76fbc45d98bb50a8dc86230342b"
+SRC_URI[sha256sum] = "bc12bc9dce55300c6bf4342bc233bcc26bd38bf289eedf147360d731c668ddaf"
 UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/libjpeg-turbo/files/"
 UPSTREAM_CHECK_REGEX = "/libjpeg-turbo/files/(?P<pver>(\d+[\.\-_]*)+)/"

[kirkstone,07/23] libjpeg-turbo: upgrade 2.1.4 -> 2.1.5

Commit Message

Patch