* [Buildroot] [PATCH 1/1] package/jbig2dec: security bump to version 0.18
@ 2020-05-01 12:05 Fabrice Fontaine
From: Fabrice Fontaine @ 2020-05-01 12:05 UTC
To: buildroot
- Fix CVE-2020-12268: jbig2_image_compose in jbig2_image.c in Artifex
jbig2dec before 0.18 has a heap-based buffer overflow.
- Add JBIG2DEC_AUTORECONF=YES otherwise build will fail because
install-sh has been removed from the tarball
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/jbig2dec/jbig2dec.hash | 6 +++---
package/jbig2dec/jbig2dec.mk | 6 ++++--
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/package/jbig2dec/jbig2dec.hash b/package/jbig2dec/jbig2dec.hash
index eb2b674443..86584b19a6 100644
--- a/package/jbig2dec/jbig2dec.hash
+++ b/package/jbig2dec/jbig2dec.hash
@@ -1,7 +1,7 @@
-# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/MD5SUMS
+# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/MD5SUMS
# and SHA512SUMS are missing the hashes for this file.
# Locally computed:
-sha256 a4f6bf15d217e7816aa61b92971597c801e81f0a63f9fe1daee60fb88e0f0602 jbig2dec-0.16.tar.gz
+sha256 9e19775237350e299c422b7b91b0c045e90ffa4ba66abf28c8fb5eb005772f5e jbig2dec-0.18.tar.gz
# Hash for license files:
-sha256 1bf5258afe453934484fd0cea97508b72301633a6a78b0ae8a9ee44ac78f26d9 LICENSE
+sha256 1bf5258afe453934484fd0cea97508b72301633a6a78b0ae8a9ee44ac78f26d9 LICENSE
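Review bot: The new sha256 line for jbig2dec-0.18.tar.gz sits under "Locally computed", and the comment above it says the upstream gs952 MD5SUMS and SHA512SUMS do not cover this file, so nothing in this hunk lets a second person confirm the digest matches what upstream published. This digest is the integrity anchor for a security bump. Please state in the commit message or the hash-file comment which URL the tarball was fetched from, and cross-check the digest from an independent download before it is merged.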
diff --git a/package/jbig2dec/jbig2dec.mk b/package/jbig2dec/jbig2dec.mk
index 5ac5b87a72..08ef89bfcb 100644
--- a/package/jbig2dec/jbig2dec.mk
+++ b/package/jbig2dec/jbig2dec.mk
@@ -4,10 +4,12 @@
#
################################################################################
-JBIG2DEC_VERSION = 0.16
-JBIG2DEC_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927
+JBIG2DEC_VERSION = 0.18
+JBIG2DEC_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952
JBIG2DEC_LICENSE = AGPL-3.0+
JBIG2DEC_LICENSE_FILES = LICENSE
JBIG2DEC_INSTALL_STAGING = YES
+# tarball is missing install-sh, install.sh, or shtool
+JBIG2DEC_AUTORECONF = YES
$(eval $(autotools-package))
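Review bot: The comment above `JBIG2DEC_AUTORECONF = YES` repeats the configure error text ("missing install-sh, install.sh, or shtool") but does not say which release lost the file, whereas the commit message is more precise: install-sh has been removed from the tarball. Suggest wording the comment along the lines of "install-sh is missing from the 0.18 tarball" so that whoever does the next version bump knows to recheck whether autoreconf is still required.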
--
2.26.2
* [Buildroot] [PATCH 1/1] package/jbig2dec: security bump to version 0.18
From: Yann E. MORIN @ 2020-05-01 12:37 UTC
To: buildroot
Fabrice, All,
On 2020-05-01 14:05 +0200, Fabrice Fontaine spake thusly:
> - Fix CVE-2020-12268: jbig2_image_compose in jbig2_image.c in Artifex
> jbig2dec before 0.18 has a heap-based buffer overflow.
> - Add JBIG2DEC_AUTORECONF=YES otherwise build will fail because
> install-sh has been removed from the tarball
> - Update indentation of hash file (two spaces)
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/jbig2dec/jbig2dec.hash | 6 +++---
> package/jbig2dec/jbig2dec.mk | 6 ++++--
> 2 files changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/package/jbig2dec/jbig2dec.hash b/package/jbig2dec/jbig2dec.hash
> index eb2b674443..86584b19a6 100644
> --- a/package/jbig2dec/jbig2dec.hash
> +++ b/package/jbig2dec/jbig2dec.hash
> @@ -1,7 +1,7 @@
> -# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927/MD5SUMS
> +# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952/MD5SUMS
> # and SHA512SUMS are missing the hashes for this file.
> # Locally computed:
> -sha256 a4f6bf15d217e7816aa61b92971597c801e81f0a63f9fe1daee60fb88e0f0602 jbig2dec-0.16.tar.gz
> +sha256 9e19775237350e299c422b7b91b0c045e90ffa4ba66abf28c8fb5eb005772f5e jbig2dec-0.18.tar.gz
>
> # Hash for license files:
> -sha256 1bf5258afe453934484fd0cea97508b72301633a6a78b0ae8a9ee44ac78f26d9 LICENSE
> +sha256 1bf5258afe453934484fd0cea97508b72301633a6a78b0ae8a9ee44ac78f26d9 LICENSE
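Review bot: The `-`/`+` pair for the LICENSE line carries the same digest, so it is a whitespace-only change riding along with a CVE fix. Consider splitting the hash-file reindent into its own patch: the security bump then stays minimal and is easier to apply to branches where the file has not been reindented.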
> diff --git a/package/jbig2dec/jbig2dec.mk b/package/jbig2dec/jbig2dec.mk
> index 5ac5b87a72..08ef89bfcb 100644
> --- a/package/jbig2dec/jbig2dec.mk
> +++ b/package/jbig2dec/jbig2dec.mk
> @@ -4,10 +4,12 @@
> #
> ################################################################################
>
> -JBIG2DEC_VERSION = 0.16
> -JBIG2DEC_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs927
> +JBIG2DEC_VERSION = 0.18
> +JBIG2DEC_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs952
> JBIG2DEC_LICENSE = AGPL-3.0+
> JBIG2DEC_LICENSE_FILES = LICENSE
> JBIG2DEC_INSTALL_STAGING = YES
> +# tarball is missing install-sh, install.sh, or shtool
> +JBIG2DEC_AUTORECONF = YES
>
> $(eval $(autotools-package))
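Review bot: `JBIG2DEC_VERSION` and the gs927/gs952 directory in `JBIG2DEC_SITE` change together in this hunk, but nothing ties one to the other, so a later bump that edits only the version would fetch from the wrong release directory. A one-line comment next to `JBIG2DEC_SITE` saying that the gsNNN component has to be updated together with the version would make that dependency visible.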
> --
> 2.26.2
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'