Subject: CVS commit: [pkgsrc-2019Q1] pkgsrc/graphics/openjpeg
From: Benny Siegert
Date: 2019-04-10 11:40:04
Message id: 20190410094004.2F9F0FB16@cvs.NetBSD.org

Log Message:
Pullup ticket #5932 - requested by taca
graphics/openjpeg: security fix

Revisions pulled up:
- graphics/openjpeg/Makefile                                    1.17
- graphics/openjpeg/distinfo                                    1.14

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Wed Apr  3 08:04:08 UTC 2019

   Modified Files:
   	pkgsrc/graphics/openjpeg: Makefile distinfo

   Log Message:
   openjpeg: updated to 2.3.1

   v2.3.1:
   v2.2.0 regression for decoding images where TNsot == 0
   Int overflow in jp3d
   Heap buffer overflow in opj_j2k_update_image_data() triggered with Ghostscript
   LINUX install doesn't work when building shared libraries is disabled
   OPENJPEG null ptr dereference in openjpeg-2.3.0/src/bin/jp2/convert.c:2243
   How to drop certain subbands/layers in DWT
   where is the MQ-Coder ouput stream in t2.c?
   OpenJPEG 2.3 (and 2.2?) multi component image fails to decode with KDU v7.10
   Missing checks for header_info.height and header_info.width in function \ 
pnmtoimage in src/bin/jpwl/convert.c, which can lead to heap buffer overflow
   Assertion Failure in jp2.c
   Division-by-zero vulnerabilities in the function pi_next_pcrl, pi_next_cprl \ 
and pi_next_rpcl in src/lib/openjp3d/pi.c
   Precinct switch (-c) doesn't right-shift last record to remaining resolution \ 
levels
   Sample: encode J2K a data using streams???
   HIGH THROUGHPUT JPEG 2000 (HTJ2K)
   How to build openjpeg for arm linux?
   crash
   JP2000 returning OPJ_CLRSPC_UNKNOWN color space
   Compilation successful but install unsuccessful: Calling executables throws \ 
libraries missing error
   fprintf format string requires 1 parameter but only 0 are given
   fprintf format string requires 1 parameter but only 0 are given
   sprintf buffer overflow
   sprintf buffer overflow
   Infinite loop when reading jp2
   missing format string parameter
   Excessive Iteration in opj_t1_encode_cblks (src/lib/openjp2/t1.c)
   Out-of-bound left shift in opj_j2k_setup_encoder (src/lib/openjp2/j2k.c)
   Encode image on Unsplash
   Integer overflow in opj_t1_encode_cblks (src/lib/openjp2/t1.c)
   Signed Integer Overflow - 68065512
   Similar vulnerable functions related to CVE-2017-14041
   [ERROR] COD marker already read. No more than one COD marker per tile.
   failing to install latest version of openjpeg from source
   Trouble compressing large raw image
   Download and installed code from 2.3 archive. Installing 2.2?
   missing fclose
   NULL Pointer Access in function imagetopnm of convert.c(jp2):1289
   NULL Pointer Access in function imagetopnm of convert.c:2226(jp2)
   Heap Buffer Overflow in function imagetotga of convert.c(jp2):942

   Merged pull requests:
   abi-check.sh: fix broken download URL
   opj_t1_encode_cblks: fix UBSAN signed integer overflow
   convertbmp: detect invalid file dimensions early (CVE-2018-6616)
   color_apply_icc_profile: avoid potential heap buffer overflow
   Fix multiple potential vulnerabilities and bugs
   Fix several memory and resource leaks
   Fix some potential overflow issues
   jp3d/jpwl convert: fix write stack buffer overflow
   Int overflow fixed
   Update knownfailures- files given current configurations
   CVE-2018-5785: fix issues with zero bitmasks
   openjp2/jp2: Fix two format strings
   Changes in pnmtoimage if image data are missing
   Relative path to header files is hardcoded in OpenJPEGConfig.cmake.in file
   Cast on uint ceildiv
   Add -DBUILD_PKGCONFIG_FILES to install instructions
   Fix some typos in code comments and documentation
   Fix regression in reading files with TNsot == 0 (refs
   Use local type declaration for POSIX standard type only for MS compiler
   Fix Mac builds
   jp3d: Replace sprintf() by snprintf() in volumetobin()
   opj_mj2_extract: Rename output_location to output_prefix
   mj2: Add missing variable to format string in fprintf() invocation in meta_out.c
   Convert files to UTF-8 encoding
   fix unchecked integer multiplication overflow
   Fixed typos
   Note that seek uses SEEK_SET behavior.
   Some Doxygen tags are removed
   Fix resource leak (CID 179466)
   Changed cmake version test to allow for cmake 2.8.11.x
   Add missing fclose() statement in error condition.

Files:
RevisionActionfile
1.16.12.1modifypkgsrc/graphics/openjpeg/Makefile
1.13.12.1modifypkgsrc/graphics/openjpeg/distinfo