libjpeg-turbo (1.5.2-0ubuntu5.18.04.6) bionic-security; urgency=medium * SECURITY UPDATE: large loop because read_pixel mishandles EOF - debian/patches/CVE-2018-11813.patch: fix read handling in rdtarga.c. - CVE-2018-11813 * SECURITY UPDATE: stack-based buffer overflow in the "transform" component - debian/patches/CVE-2020-17541.patch: fix very rare local buffer overrun in jchuff.c. - CVE-2020-17541 * SECURITY UPDATE: null pointer dereference - debian/patches/CVE-2020-35538-pre1.patch: fix jpeg_skip_scanlines() segfault w/merged upsamp in jdapistd.c. - debian/patches/CVE-2020-35538.patch: fix jpeg_skip_scanlines() segfault w/merged upsamp in jdapistd.c, jdmerge.c, jdmerge.h, jdmrg565.c, jdmrgext.c. - debian/patches/CVE-2020-35538-2.patch: further jpeg_skip_scanlines() fixes in CMakeLists.txt, croptest.in, jdapistd.c. - CVE-2020-35538 -- Marc Deslauriers Wed, 21 Sep 2022 14:07:11 -0400 libjpeg-turbo (1.5.2-0ubuntu5.18.04.4) bionic-security; urgency=medium * SECURITY UPDATE: Heap-based buffer over-read - debian/patches/CVE-2020-13790.patch: fix buf overrun caused by bad binary PPM in rdppm.c. - CVE-2020-13790 -- Leonidas S. Barbosa Thu, 04 Jun 2020 13:24:18 -0300 libjpeg-turbo (1.5.2-0ubuntu5.18.04.3) bionic-security; urgency=medium * SECURITY UPDATE: Denial of service - debian/patches/CVE-2018-14498.patch: Fix OOB read caused by malformed 8-bit BMP in cderror.h, rdbmp.c, rdppm.c. - CVE-2018-14498 * SECURITY UPDATE: Several integer overflow and subsequent segfaults - debian/patches/CVE-2019-2201.patch: properly handled gigapixel images in java/TJBench.java, tjbench.c, turbojpeg.c. - CVE-2019-2201 -- Leonidas S. Barbosa Tue, 12 Nov 2019 10:09:57 -0300 libjpeg-turbo (1.5.2-0ubuntu5.18.04.1) bionic-security; urgency=medium * SECURITY UPDATE: NULL pointer dereference via JPEG image - debian/patches/CVE-2017-15232-1.patch: exit gracefully with non-PPM formats in djpeg.1, djpeg.c. - debian/patches/CVE-2017-15232-2.patch: add further partial image decompression fixes in cdjpeg.h, djpeg.1, djpeg.c, jdapistd.c, wrbmp.c, wrgif.c, wrppm.c, wrppm.h, wrrle.c, wrtarga.c. - CVE-2017-15232 * SECURITY UPDATE: division by zero via BMP image - debian/patches/CVE-2018-1152.patch: add size check in rdbmp.c. - CVE-2018-1152 -- Marc Deslauriers Thu, 05 Jul 2018 15:18:48 -0400 libjpeg-turbo (1.5.2-0ubuntu5) artful; urgency=medium * Revert the last upload. * Move libturbojpeg.a to the libturbojpeg0-dev package. -- Matthias Klose Wed, 11 Oct 2017 07:07:23 +0200 libjpeg-turbo (1.5.2-0ubuntu4) artful; urgency=medium * Drop libturbojpeg.a static library in libturbojpeg0-dev package, already ship in jpeg-turbo8 package (this fixes the installability issue. The static library is still in libjpeg-turbo8-dev for retro-compatibility, the dynamic one is in libturbojpeg0-dev and libturbojpeg packages. -- Gianfranco Costamagna Tue, 10 Oct 2017 16:48:35 +0200 libjpeg-turbo (1.5.2-0ubuntu3) artful; urgency=medium * libturbojpeg0-dev: Depend on libturbojpeg0-dev. * libturbojpeg0-dev: Include the turbojpeg.h header here. -- Matthias Klose Mon, 18 Sep 2017 18:10:01 +0200 libjpeg-turbo (1.5.2-0ubuntu2) artful; urgency=medium * libturbojpeg0-dev: Drop conflict with libjpeg-turbo8-dev, depend on it instead, and leave the header files libjpeg-turbo8-dev. This stops pulling the legacy turbojpeg API into main. See the README in the sources ("Using libjpeg-turbo"). There is no reason to pull libturbojpeg0-dev and libturbojpeg0 into main. -- Matthias Klose Mon, 18 Sep 2017 12:40:49 +0200 libjpeg-turbo (1.5.2-0ubuntu1) artful; urgency=medium * New upstream version. -- Matthias Klose Tue, 12 Sep 2017 14:17:22 +0200 libjpeg-turbo (1.5.1-0ubuntu2) artful; urgency=medium * Install turbojpeg development file -- Gianfranco Costamagna Sun, 03 Sep 2017 12:49:04 +0200 libjpeg-turbo (1.5.1-0ubuntu1) zesty; urgency=medium * New upstream version. * Keep the Ubuntu packaging. -- Matthias Klose Wed, 02 Nov 2016 16:58:27 +0100 libjpeg-turbo (1.5.0-0ubuntu1) yakkety; urgency=medium * New upstream version. * Keep the Ubuntu packaging. * Update symbols file. -- Matthias Klose Tue, 02 Aug 2016 13:36:10 +0200 libjpeg-turbo (1.4.2-0ubuntu3) xenial; urgency=medium * libjpeg8-turbo-dev: Install an libjpeg pkgconfig file. -- Matthias Klose Mon, 22 Feb 2016 15:52:51 +0100 libjpeg-turbo (1.4.2-0ubuntu2) xenial; urgency=medium * libjpeg-turbo-progs: Conflict with libjpeg-progs. LP: #1518035, #1532581. -- Matthias Klose Tue, 12 Jan 2016 13:10:10 +0100 libjpeg-turbo (1.4.2-0ubuntu1) xenial; urgency=medium * New upstream version. * Keep the Ubuntu packaging. -- Matthias Klose Thu, 07 Jan 2016 17:40:46 +0100 libjpeg-turbo (1.3.0-0ubuntu2) trusty; urgency=low * SECURITY UPDATE: information disclosure via uninitialized memory in the get_sos function (LP: #1252912) - debian/patches/CVE-2013-6629.patch: check for duplications in jdmarker.c. - CVE-2013-6629 * SECURITY UPDATE: information disclosure via uninitialized memory in the get_dht function (LP: #1252912) - debian/patches/CVE-2013-6630.patch: properly clear out memory in jdmarker.c. - CVE-2013-6630 -- Marc Deslauriers Thu, 19 Dec 2013 15:07:26 -0500 libjpeg-turbo (1.3.0-0ubuntu1) saucy; urgency=low * New upstream release. - drop debian/patches/branch-updates.diff - refresh tjunittest.patch (now renamed to install-tjunittest.patch) * Update debian/control: - add myself to Uploaders. * Update debian/copyright: - add RSA Data Security copyright (md5). * Update debian/libturbojpeg.install: - install libturbojpeg.so.0* (needed by tjunittest and tjbench). -- Fathi Boudra Sun, 28 Jul 2013 16:52:51 +0300 libjpeg-turbo (1.2.1-0ubuntu2) quantal; urgency=low * libjpeg-turbo-test: Depend on libjpegturbo. LP: #1053273. -- Matthias Klose Thu, 20 Sep 2012 14:53:18 +0200 libjpeg-turbo (1.2.1-0ubuntu1) quantal; urgency=low [ Tom Gall ] * Update to stable 1.2.1. LP: #1012861. * Addresses CVE-2012-2806. LP: #1025537. A Heap-based buffer overflow was found in the way libjpeg-turbo decompressed certain corrupt JPEG images in which the component count was erroneously set to a large value. An attacker could create a specially-crafted JPEG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application. * Cosmetic fixes to argument lists * Added flags to the TurboJPEG API that allow the caller to force the use of either the fast or the accurate DCT/IDCT algorithms in the underlying codec. * More recent versions of autoconf add -traditional-cpp to the CPP flags, which causes jsimdcfg.inc.h to not preprocess correctly unless we expand all of the instances of the #definev macro. * Fixed regression caused by a bug in the 32-bit strict memory access code in jdmrgss2.asm (contributed by Chromium to stop valgrind from whining whenever the output buffer size was not evenly divisible by 16 bytes.) On Linux/x86, this regression generated incorrect pixels on the right-hand side of images whose rows were not 16-byte aligned, whenever fancy upsampling was used. This patch also enables the strict memory access code on all platforms, not just Linux (it does no harm on other platforms) and removes a couple of pcmpeqb instructions that were rendered unnecessary by r835. * Accelerated 4:2:2 upsampling routine for ARM (improves performance ~20-30% when decompressing 4:2:2 JPEGs using fancy upsampling) * Eliminate the use of the MASKMOVDQU instruction, to speed up decompression performance by 10x on AMD Bobcat embedded processors (and ~5% on AMD desktop processors.) * add tjbench to libjpeg-turbo-test packages * Guard against num_components being a ridiculous value due to a corrupt header * Preserve all 128 bits of xmm6 and xmm7 [ Matthias Klose ] * Prepare the package for quantal, basing on the 1.2.1 release tarball. * d/patches/branch-updates.diff: Update to 20120919 of the 1.2.x branch, but don't bump the version to 1.2.2. * d/patches/guard-inline-define: Remove, integrated upstream. -- Matthias Klose Thu, 20 Sep 2012 00:18:15 +0200 libjpeg-turbo (1.1.90+svn733-0ubuntu6) quantal; urgency=low * Strip -Wl,-Bsymbolic-functions out of LDFLAGS, so that hpcups and pxljr can override jinit_color_converter. LP: #777670. -- Steve Langasek Tue, 10 Jul 2012 17:03:31 +0000 libjpeg-turbo (1.1.90+svn733-0ubuntu5) quantal; urgency=low * Guard the definition of INLINE in an ifndef block, so that third parties including our headers don't get it redefined unexpectedly from under them (which cause the spice FTBFS) -- Adam Conrad Wed, 20 Jun 2012 14:26:21 -0600 libjpeg-turbo (1.1.90+svn733-0ubuntu4.1) precise-proposed; urgency=low * debian/rules: Remove "-Bsymbolic-functions" from LDFLAGS, as this flag breaks the libjpeg use by HPLIP and pxljr, in both cases for printing on the HP Color LaserJet 3500/3550/3600 (LP: #777670). -- Till Kamppeter Tue, 10 Jul 2012 18:44:23 +0200 libjpeg-turbo (1.1.90+svn733-0ubuntu4.1) precise-proposed; urgency=low * debian/rules: Remove "-Bsymbolic-functions" from LDFLAGS, as this flag breaks the libjpeg use by HPLIP and pxljr, in both cases for printing on the HP Color LaserJet 3500/3550/3600 (LP: #777670). -- Till Kamppeter Tue, 10 Jul 2012 18:44:23 +0200 libjpeg-turbo (1.1.90+svn733-0ubuntu4) precise; urgency=low * Install jpegint.h in the -dev package. * Install jconfig.h in the multiarch include directory. -- Matthias Klose Fri, 13 Jan 2012 12:02:38 +0100 libjpeg-turbo (1.1.90+svn733-0ubuntu3) precise; urgency=low * libjpeg-turbo-progs: Remove dependency on libturbojpeg. -- Matthias Klose Wed, 21 Dec 2011 20:10:28 +0100 libjpeg-turbo (1.1.90+svn733-0ubuntu2) precise; urgency=low * Sync with upstream to svn733. * Rename libjpeg-test to libjpeg-turbo-test. * Rename libjpeg-turbo-dbg to libjpeg-turbo8-dbg. * Rename libjpeg8-dev to libjpeg-turbo8-dev. * Move the docs into the -dev package, install the upstream changelog in the -dev only. * Split out libturbojpeg.so into it's own package, don't let libjpeg-turbo8-dev depend on it. * Fix libjpeg-turbo8-dbg package description. * Install jconfig.h into multiarch include path. * Remove HAVE_STD{LIB,DEF}_H from jconfig.h since they are not used and conflict with autoconf. * libjpeg-turbo8: - Add a symbols file, with a different version for symbols only found in the libjpeg-turbo implementation. - Remove the shlibs file. - Breaks/Replaces libjpeg8 (<< 8c-2ubuntu5). * Copy the exifautotran and jpegexiforient tools from the libjpeg8 sources, install into libjpeg-turbo-progs. * Don't install tjbench in libjpeg-turbo-progs to avoid dependency on libturbojpeg. -- Matthias Klose Tue, 20 Dec 2011 23:12:52 +0100 libjpeg-turbo (1.1.90+svn722-1ubuntu5) precise; urgency=low * Remove all useage of diverts in preparation to replace libjpeg8 in precise * small clean up in debian/control -- Tom Gall Thu, 01 Dec 2011 09:50:26 -0600 libjpeg-turbo (1.1.90+svn722-1ubuntu4) precise; urgency=low * Switch package to include libjpeg8 compatibility * Supply -dev -dbg and -test debs -- Tom Gall Wed, 16 Nov 2011 22:14:00 +0000 libjpeg-turbo (1.1.90+svn722-1ubuntu2) oneiric; urgency=low * 11.11 Release * Sync with upstream to svn722 -- Tom Gall Wed, 16 Nov 2011 14:32:12 +0000 libjpeg-turbo (1.1.90+svn702-0ubuntu1) oneiric; urgency=low * Initial Release based on svn 702 * Initial Release and packaging based on svn 702 (LP: #852207) -- Tom Gall Tue, 13 Sep 2011 03:53:56 +0000