package/openjpeg: bump version to 2.5.4
And drop now included security patch. For details, see:
https://github.com/uclouvain/openjpeg/releases/tag/v2.5.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4655cfd8f3)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
committed by
Titouan Christophe
parent
3072f0ae88
commit
3674708480
@@ -1,41 +0,0 @@
|
||||
From f809b80c67717c152a5ad30bf06774f00da4fd2d Mon Sep 17 00:00:00 2001
|
||||
From: Sebastian Rasmussen <sebras@gmail.com>
|
||||
Date: Thu, 16 Jan 2025 02:13:43 +0100
|
||||
Subject: [PATCH] opj_jp2_read_header: Check for error after parsing header.
|
||||
|
||||
Consider the case where the caller has not set the p_image
|
||||
pointer to NULL before calling opj_read_header().
|
||||
|
||||
If opj_j2k_read_header_procedure() fails while obtaining the rest
|
||||
of the marker segment when calling opj_stream_read_data() because
|
||||
the data stream is too short, then opj_j2k_read_header() will
|
||||
never have the chance to initialize p_image, leaving it
|
||||
uninitialized.
|
||||
|
||||
opj_jp2_read_header() will check the p_image value whether
|
||||
opj_j2k_read_header() suceeded or failed. This may be detected as
|
||||
an error in valgrind or ASAN.
|
||||
|
||||
The fix is to check whether opj_j2k_read_header() suceeded before
|
||||
using the output argument p_image.
|
||||
|
||||
Upstream: https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d
|
||||
CVE: CVE-2025-54874
|
||||
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
|
||||
---
|
||||
src/lib/openjp2/jp2.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c
|
||||
index 4df055a54..da5063186 100644
|
||||
--- a/src/lib/openjp2/jp2.c
|
||||
+++ b/src/lib/openjp2/jp2.c
|
||||
@@ -2873,7 +2873,7 @@ OPJ_BOOL opj_jp2_read_header(opj_stream_private_t *p_stream,
|
||||
p_image,
|
||||
p_manager);
|
||||
|
||||
- if (p_image && *p_image) {
|
||||
+ if (ret && p_image && *p_image) {
|
||||
/* Set Image Color Space */
|
||||
if (jp2->enumcs == 16) {
|
||||
(*p_image)->color_space = OPJ_CLRSPC_SRGB;
|
||||
@@ -1,3 +1,3 @@
|
||||
# Locally computed:
|
||||
sha256 368fe0468228e767433c9ebdea82ad9d801a3ad1e4234421f352c8b06e7aa707 openjpeg-2.5.3.tar.gz
|
||||
sha256 a695fbe19c0165f295a8531b1e4e855cd94d0875d2f88ec4b61080677e27188a openjpeg-2.5.4.tar.gz
|
||||
sha256 a6af136f3e15038a666b61f376612a07d9a4e48cb7c01adbf3e33b3f14ab49b6 LICENSE
|
||||
|
||||
@@ -4,16 +4,13 @@
|
||||
#
|
||||
################################################################################
|
||||
|
||||
OPENJPEG_VERSION = 2.5.3
|
||||
OPENJPEG_VERSION = 2.5.4
|
||||
OPENJPEG_SITE = $(call github,uclouvain,openjpeg,v$(OPENJPEG_VERSION))
|
||||
OPENJPEG_LICENSE = BSD-2-Clause
|
||||
OPENJPEG_LICENSE_FILES = LICENSE
|
||||
OPENJPEG_CPE_ID_VENDOR = uclouvain
|
||||
OPENJPEG_INSTALL_STAGING = YES
|
||||
|
||||
# 0001-check-for-error-after-parsing-header.patch
|
||||
OPENJPEG_IGNORE_CVES += CVE-2025-54874
|
||||
|
||||
OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
|
||||
OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_LIBPNG),libpng)
|
||||
OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_TIFF),tiff)
|
||||
|
||||