← Back to team overview

desktop-packages team mailing list archive

[Bug 1374583] [NEW] Sync libjpeg-turbo 1:1.3.1-3 (main) from Debian unstable (main)

 

Public bug reported:

Please sync libjpeg-turbo 1:1.3.1-3 (main) from Debian unstable (main)


I think now that debian has switched to libjpeg-turbo too there is no
reason anymore for an ubuntu delta.

However I think the sync should be done when V will open for
development.

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: information disclosure via uninitialized memory in
    the get_sos function (LP: #1252912)
    - debian/patches/CVE-2013-6629.patch: check for duplications in
      jdmarker.c.
    - CVE-2013-6629
  * SECURITY UPDATE: information disclosure via uninitialized memory in
    the get_dht function (LP: #1252912)
    - debian/patches/CVE-2013-6630.patch: properly clear out memory in
      jdmarker.c.
    - CVE-2013-6630
  * SECURITY UPDATE: information disclosure via uninitialized memory in
    the get_sos function (LP: #1252912)
    - debian/patches/CVE-2013-6629.patch: check for duplications in
      jdmarker.c.
    - CVE-2013-6629
  * SECURITY UPDATE: information disclosure via uninitialized memory in
    the get_dht function (LP: #1252912)
    - debian/patches/CVE-2013-6630.patch: properly clear out memory in
      jdmarker.c.
    - CVE-2013-6630
  * New upstream release.
    - drop debian/patches/branch-updates.diff
    - refresh tjunittest.patch (now renamed to install-tjunittest.patch)
  * Update debian/control:
    - add myself to Uploaders.
  * Update debian/copyright:
    - add RSA Data Security copyright (md5).
  * Update debian/libturbojpeg.install:
    - install libturbojpeg.so.0* (needed by tjunittest and tjbench).
  * New upstream release.
    - drop debian/patches/branch-updates.diff
    - refresh tjunittest.patch (now renamed to install-tjunittest.patch)
  * Update debian/control:
    - add myself to Uploaders.
  * Update debian/copyright:
    - add RSA Data Security copyright (md5).
  * Update debian/libturbojpeg.install:
    - install libturbojpeg.so.0* (needed by tjunittest and tjbench).
  * libjpeg-turbo-test: Depend on libjpegturbo. LP: #1053273.
  * libjpeg-turbo-test: Depend on libjpegturbo. LP: #1053273.
  * libjpeg-turbo-test: Depend on libjpegturbo. LP: #1053273.
  [ Tom Gall ]
  * Update to stable 1.2.1. LP: #1012861.
    * Addresses CVE-2012-2806. LP: #1025537.
      A Heap-based buffer overflow was found in the way libjpeg-turbo
      decompressed certain corrupt JPEG images in which the component count
      was erroneously set to a large value. An attacker could create a
      specially-crafted JPEG image that, when opened, could cause an
      application using libpng to crash or, possibly, execute arbitrary code
      with the privileges of the user running the application.
    * Cosmetic fixes to argument lists
    * Added flags to the TurboJPEG API that allow the caller to force
      the use of either the fast or the accurate DCT/IDCT algorithms
      in the underlying codec.
    * More recent versions of autoconf add -traditional-cpp to the CPP
      flags, which causes jsimdcfg.inc.h to not preprocess correctly
      unless we expand all of the instances of the #definev macro.
    * Fixed regression caused by a bug in the 32-bit strict memory access
      code in jdmrgss2.asm (contributed by Chromium to stop valgrind from
      whining whenever the output buffer size was not evenly divisible by
      16 bytes.)  On Linux/x86, this regression generated incorrect
      pixels on the right-hand side of images whose rows were not 16-byte
      aligned, whenever fancy upsampling was used.  This patch also
      enables the strict memory access code on all platforms, not just
      Linux (it does no harm on other platforms) and removes a couple of
      pcmpeqb instructions that were rendered unnecessary by r835.
    * Accelerated 4:2:2 upsampling routine for ARM (improves
      performance ~20-30% when decompressing 4:2:2 JPEGs using
      fancy upsampling)
    * Eliminate the use of the MASKMOVDQU instruction, to speed
      up decompression performance by 10x on AMD Bobcat embedded
      processors (and ~5% on AMD desktop processors.)
    * add tjbench to libjpeg-turbo-test packages
    * Guard against num_components being a ridiculous
      value due to a corrupt header
    * Preserve all 128 bits of xmm6 and xmm7
  [ Matthias Klose ]
  * Prepare the package for quantal, basing on the 1.2.1 release tarball.
  * d/patches/branch-updates.diff: Update to 20120919 of the 1.2.x branch,
    but don't bump the version to 1.2.2.
  * d/patches/guard-inline-define: Remove, integrated upstream.
  * Strip -Wl,-Bsymbolic-functions out of LDFLAGS, so that hpcups and
    pxljr can override jinit_color_converter.  LP: #777670.
  * Guard the definition of INLINE in an ifndef block, so that
    third parties including our headers don't get it redefined
    unexpectedly from under them (which cause the spice FTBFS)
  * Install jpegint.h in the -dev package.
  * Install jconfig.h in the multiarch include directory.
  * Install jpegint.h in the -dev package.
  * Install jconfig.h in the multiarch include directory.
  * libjpeg-turbo-progs: Remove dependency on libturbojpeg.
  * libjpeg-turbo-progs: Remove dependency on libturbojpeg.
  * Sync with upstream to svn733.
  * Rename libjpeg-test to libjpeg-turbo-test.
  * Rename libjpeg-turbo-dbg to libjpeg-turbo8-dbg.
  * Rename libjpeg8-dev to libjpeg-turbo8-dev.
  * Move the docs into the -dev package, install the upstream changelog
    in the -dev only.
  * Split out libturbojpeg.so into it's own package, don't let
    libjpeg-turbo8-dev depend on it.
  * Fix libjpeg-turbo8-dbg package description.
  * Install jconfig.h into multiarch include path.
  * Remove HAVE_STD{LIB,DEF}_H from jconfig.h since they are not used and
    conflict with autoconf.
  * libjpeg-turbo8:
    - Add a symbols file, with a different version for symbols only found
      in the libjpeg-turbo implementation.
    - Remove the shlibs file.
    - Breaks/Replaces libjpeg8 (<< 8c-2ubuntu5).
  * Copy the exifautotran and jpegexiforient tools from the libjpeg8
    sources, install into libjpeg-turbo-progs.
  * Don't install tjbench in libjpeg-turbo-progs to avoid dependency
    on libturbojpeg.
  * Remove all useage of diverts in preparation to replace
    libjpeg8 in precise
  * small clean up in debian/control
  * Switch package to include libjpeg8 compatibility
  * Supply -dev -dbg and -test debs
  * 11.11 Release
  * Sync with upstream to svn722
  * Initial Release based on svn 702
  * Initial Release and packaging based on svn 702 (LP: #852207)
  * Initial Release based on svn 702
  * Initial Release and packaging based on svn 702 (LP: #852207)

Changelog entries since current utopic version 1.3.0-0ubuntu2:

libjpeg-turbo (1:1.3.1-3) unstable; urgency=medium

  * Upload to unstable to proceed with transition (Ref: #754988)

 -- Ondřej Surý <ondrej@xxxxxxxxxx>  Fri, 26 Sep 2014 14:34:39 +0200

libjpeg-turbo (1:1.3.1-2) experimental; urgency=high

  * Add correct Breaks/Replaces: libjpeg-progs (<< 1.3.1-1~) to
    libjpeg-turbo-progs (Closes: #757860)
  * Build with -ffloat-store to fix FTBFS (Closes: #755073)
  * Disable silent building

 -- Ondřej Surý <ondrej@xxxxxxxxxx>  Tue, 26 Aug 2014 12:39:52 +0200

libjpeg-turbo (1:1.3.1-1) experimental; urgency=medium

  * Upload to experimental in preparation for libjpeg-turbo default JPEG
    library switch
  * Bump epoch to 1: to smoothly replace libjpeg62 binaries
  * New upstream version 1.3.1
  * Add myself to uploaders
  * Enable --fail-missing and --parallel in dh invocation
  * debian/patches/003_ftbfs-kfreebsd-x64.patch: Remove, merged upstream
  * debian/patches/004_CVE-2013-6629.patch: Remove; merged upstream
  * debian/patches/005_CVE-2013-6630.patch: Remove; merged upstream
  * Add libjpeg62* packages, add libjpeg-turbo-progs package
    (Closes: #728983, #632869, #632949)
  * Add exifautotran and jpegexiforient.c from Ubuntu to complete
    jpeg-progs compatibility
  * Add tjbench to libjpeg-turbo-progs
  * Remove libjpeg-turbo-test* package that is useful only at compile time
  * Remove CC and CFLAGS from debian/extra/Makefile and also pass CPPFLAGS
    and LFLAGS to enable Hardening in jpegexiforient
  * Don't install turbojpeg.h into libjpeg62-dev
  * Remove the word 'transitional' from libjpeg-progs description
  * Fix debhelper-but-no-misc-depends libjpeg-dev
  * Install help2man+manual fixes tjbench.1 manual page
  * Add missing source for jquery 1.7.1
  * d/copyright: Add jquery.js license and cleanup cruft
  * Add symbols file for libjpeg62

 -- Ondřej Surý <ondrej@xxxxxxxxxx>  Tue, 22 Jul 2014 01:05:35 +0200

libjpeg-turbo (1.3.0-4) unstable; urgency=low

  * debian/rules:
    + Override dh_strip and build individual dbg bin:packages
      for the shared library and the test program.
  * debian/control:
    + Add dbg bin:packages.
    + Alioth-canonicalize Vcs-*: fields.
    + Drop dependency from bin:package libturbojpeg1: libc-dev.
    + EOL clean-up (whitespaces, commas).
    + Modify section of bin:package libjpeg-turbo-test: utils.

 -- Mike Gabriel <sunweaver@xxxxxxxxxx>  Sat, 15 Mar 2014 00:19:42 +0100

libjpeg-turbo (1.3.0-3) unstable; urgency=low

  * debian/patches: (Closes: #729873)
    + Add patch 004_CVE-2013-6629.patch. Check for duplications in
      jdmarker.c (CVE-2013-6629).
    + Add patch 005_CVE-2013-6630.patch: Properly clear out memory in
      jdmarker.c. (CVE-2013-6630).

 -- Mike Gabriel <sunweaver@xxxxxxxxxx>  Fri, 14 Mar 2014 18:56:25 +0100

libjpeg-turbo (1.3.0-2) unstable; urgency=low

  * Add patch: 003_ftbfs-kfreebsd-x64.patch. Fix FTBFS on kfreebsd-amd64
    systems by using ELF64 as object format. (Closes: #710749).

 -- Mike Gabriel <sunweaver@xxxxxxxxxx>  Tue, 04 Jun 2013 21:38:42 +0200

libjpeg-turbo (1.3.0-1) unstable; urgency=low

  * New upstream release.
  * /debian/control:
    + B-D: nasm [any-amd64 any-i386]. Fix FTBFS on hurd and kFreeBSD. (Closes:
      #710566).
  * Lintian issues:
    + Adapt shlib-calls-exit lintian override to new upstream version.

 -- Mike Gabriel <sunweaver@xxxxxxxxxx>  Sat, 01 Jun 2013 01:25:00 +0200

** Affects: libjpeg-turbo (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libjpeg-turbo in Ubuntu.
https://bugs.launchpad.net/bugs/1374583

Title:
  Sync libjpeg-turbo 1:1.3.1-3 (main) from Debian unstable (main)

Status in “libjpeg-turbo” package in Ubuntu:
  New

Bug description:
  Please sync libjpeg-turbo 1:1.3.1-3 (main) from Debian unstable (main)

  
  I think now that debian has switched to libjpeg-turbo too there is no
  reason anymore for an ubuntu delta.

  However I think the sync should be done when V will open for
  development.

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: information disclosure via uninitialized memory in
      the get_sos function (LP: #1252912)
      - debian/patches/CVE-2013-6629.patch: check for duplications in
        jdmarker.c.
      - CVE-2013-6629
    * SECURITY UPDATE: information disclosure via uninitialized memory in
      the get_dht function (LP: #1252912)
      - debian/patches/CVE-2013-6630.patch: properly clear out memory in
        jdmarker.c.
      - CVE-2013-6630
    * SECURITY UPDATE: information disclosure via uninitialized memory in
      the get_sos function (LP: #1252912)
      - debian/patches/CVE-2013-6629.patch: check for duplications in
        jdmarker.c.
      - CVE-2013-6629
    * SECURITY UPDATE: information disclosure via uninitialized memory in
      the get_dht function (LP: #1252912)
      - debian/patches/CVE-2013-6630.patch: properly clear out memory in
        jdmarker.c.
      - CVE-2013-6630
    * New upstream release.
      - drop debian/patches/branch-updates.diff
      - refresh tjunittest.patch (now renamed to install-tjunittest.patch)
    * Update debian/control:
      - add myself to Uploaders.
    * Update debian/copyright:
      - add RSA Data Security copyright (md5).
    * Update debian/libturbojpeg.install:
      - install libturbojpeg.so.0* (needed by tjunittest and tjbench).
    * New upstream release.
      - drop debian/patches/branch-updates.diff
      - refresh tjunittest.patch (now renamed to install-tjunittest.patch)
    * Update debian/control:
      - add myself to Uploaders.
    * Update debian/copyright:
      - add RSA Data Security copyright (md5).
    * Update debian/libturbojpeg.install:
      - install libturbojpeg.so.0* (needed by tjunittest and tjbench).
    * libjpeg-turbo-test: Depend on libjpegturbo. LP: #1053273.
    * libjpeg-turbo-test: Depend on libjpegturbo. LP: #1053273.
    * libjpeg-turbo-test: Depend on libjpegturbo. LP: #1053273.
    [ Tom Gall ]
    * Update to stable 1.2.1. LP: #1012861.
      * Addresses CVE-2012-2806. LP: #1025537.
        A Heap-based buffer overflow was found in the way libjpeg-turbo
        decompressed certain corrupt JPEG images in which the component count
        was erroneously set to a large value. An attacker could create a
        specially-crafted JPEG image that, when opened, could cause an
        application using libpng to crash or, possibly, execute arbitrary code
        with the privileges of the user running the application.
      * Cosmetic fixes to argument lists
      * Added flags to the TurboJPEG API that allow the caller to force
        the use of either the fast or the accurate DCT/IDCT algorithms
        in the underlying codec.
      * More recent versions of autoconf add -traditional-cpp to the CPP
        flags, which causes jsimdcfg.inc.h to not preprocess correctly
        unless we expand all of the instances of the #definev macro.
      * Fixed regression caused by a bug in the 32-bit strict memory access
        code in jdmrgss2.asm (contributed by Chromium to stop valgrind from
        whining whenever the output buffer size was not evenly divisible by
        16 bytes.)  On Linux/x86, this regression generated incorrect
        pixels on the right-hand side of images whose rows were not 16-byte
        aligned, whenever fancy upsampling was used.  This patch also
        enables the strict memory access code on all platforms, not just
        Linux (it does no harm on other platforms) and removes a couple of
        pcmpeqb instructions that were rendered unnecessary by r835.
      * Accelerated 4:2:2 upsampling routine for ARM (improves
        performance ~20-30% when decompressing 4:2:2 JPEGs using
        fancy upsampling)
      * Eliminate the use of the MASKMOVDQU instruction, to speed
        up decompression performance by 10x on AMD Bobcat embedded
        processors (and ~5% on AMD desktop processors.)
      * add tjbench to libjpeg-turbo-test packages
      * Guard against num_components being a ridiculous
        value due to a corrupt header
      * Preserve all 128 bits of xmm6 and xmm7
    [ Matthias Klose ]
    * Prepare the package for quantal, basing on the 1.2.1 release tarball.
    * d/patches/branch-updates.diff: Update to 20120919 of the 1.2.x branch,
      but don't bump the version to 1.2.2.
    * d/patches/guard-inline-define: Remove, integrated upstream.
    * Strip -Wl,-Bsymbolic-functions out of LDFLAGS, so that hpcups and
      pxljr can override jinit_color_converter.  LP: #777670.
    * Guard the definition of INLINE in an ifndef block, so that
      third parties including our headers don't get it redefined
      unexpectedly from under them (which cause the spice FTBFS)
    * Install jpegint.h in the -dev package.
    * Install jconfig.h in the multiarch include directory.
    * Install jpegint.h in the -dev package.
    * Install jconfig.h in the multiarch include directory.
    * libjpeg-turbo-progs: Remove dependency on libturbojpeg.
    * libjpeg-turbo-progs: Remove dependency on libturbojpeg.
    * Sync with upstream to svn733.
    * Rename libjpeg-test to libjpeg-turbo-test.
    * Rename libjpeg-turbo-dbg to libjpeg-turbo8-dbg.
    * Rename libjpeg8-dev to libjpeg-turbo8-dev.
    * Move the docs into the -dev package, install the upstream changelog
      in the -dev only.
    * Split out libturbojpeg.so into it's own package, don't let
      libjpeg-turbo8-dev depend on it.
    * Fix libjpeg-turbo8-dbg package description.
    * Install jconfig.h into multiarch include path.
    * Remove HAVE_STD{LIB,DEF}_H from jconfig.h since they are not used and
      conflict with autoconf.
    * libjpeg-turbo8:
      - Add a symbols file, with a different version for symbols only found
        in the libjpeg-turbo implementation.
      - Remove the shlibs file.
      - Breaks/Replaces libjpeg8 (<< 8c-2ubuntu5).
    * Copy the exifautotran and jpegexiforient tools from the libjpeg8
      sources, install into libjpeg-turbo-progs.
    * Don't install tjbench in libjpeg-turbo-progs to avoid dependency
      on libturbojpeg.
    * Remove all useage of diverts in preparation to replace
      libjpeg8 in precise
    * small clean up in debian/control
    * Switch package to include libjpeg8 compatibility
    * Supply -dev -dbg and -test debs
    * 11.11 Release
    * Sync with upstream to svn722
    * Initial Release based on svn 702
    * Initial Release and packaging based on svn 702 (LP: #852207)
    * Initial Release based on svn 702
    * Initial Release and packaging based on svn 702 (LP: #852207)

  Changelog entries since current utopic version 1.3.0-0ubuntu2:

  libjpeg-turbo (1:1.3.1-3) unstable; urgency=medium

    * Upload to unstable to proceed with transition (Ref: #754988)

   -- Ondřej Surý <ondrej@xxxxxxxxxx>  Fri, 26 Sep 2014 14:34:39 +0200

  libjpeg-turbo (1:1.3.1-2) experimental; urgency=high

    * Add correct Breaks/Replaces: libjpeg-progs (<< 1.3.1-1~) to
      libjpeg-turbo-progs (Closes: #757860)
    * Build with -ffloat-store to fix FTBFS (Closes: #755073)
    * Disable silent building

   -- Ondřej Surý <ondrej@xxxxxxxxxx>  Tue, 26 Aug 2014 12:39:52 +0200

  libjpeg-turbo (1:1.3.1-1) experimental; urgency=medium

    * Upload to experimental in preparation for libjpeg-turbo default JPEG
      library switch
    * Bump epoch to 1: to smoothly replace libjpeg62 binaries
    * New upstream version 1.3.1
    * Add myself to uploaders
    * Enable --fail-missing and --parallel in dh invocation
    * debian/patches/003_ftbfs-kfreebsd-x64.patch: Remove, merged upstream
    * debian/patches/004_CVE-2013-6629.patch: Remove; merged upstream
    * debian/patches/005_CVE-2013-6630.patch: Remove; merged upstream
    * Add libjpeg62* packages, add libjpeg-turbo-progs package
      (Closes: #728983, #632869, #632949)
    * Add exifautotran and jpegexiforient.c from Ubuntu to complete
      jpeg-progs compatibility
    * Add tjbench to libjpeg-turbo-progs
    * Remove libjpeg-turbo-test* package that is useful only at compile time
    * Remove CC and CFLAGS from debian/extra/Makefile and also pass CPPFLAGS
      and LFLAGS to enable Hardening in jpegexiforient
    * Don't install turbojpeg.h into libjpeg62-dev
    * Remove the word 'transitional' from libjpeg-progs description
    * Fix debhelper-but-no-misc-depends libjpeg-dev
    * Install help2man+manual fixes tjbench.1 manual page
    * Add missing source for jquery 1.7.1
    * d/copyright: Add jquery.js license and cleanup cruft
    * Add symbols file for libjpeg62

   -- Ondřej Surý <ondrej@xxxxxxxxxx>  Tue, 22 Jul 2014 01:05:35 +0200

  libjpeg-turbo (1.3.0-4) unstable; urgency=low

    * debian/rules:
      + Override dh_strip and build individual dbg bin:packages
        for the shared library and the test program.
    * debian/control:
      + Add dbg bin:packages.
      + Alioth-canonicalize Vcs-*: fields.
      + Drop dependency from bin:package libturbojpeg1: libc-dev.
      + EOL clean-up (whitespaces, commas).
      + Modify section of bin:package libjpeg-turbo-test: utils.

   -- Mike Gabriel <sunweaver@xxxxxxxxxx>  Sat, 15 Mar 2014 00:19:42
  +0100

  libjpeg-turbo (1.3.0-3) unstable; urgency=low

    * debian/patches: (Closes: #729873)
      + Add patch 004_CVE-2013-6629.patch. Check for duplications in
        jdmarker.c (CVE-2013-6629).
      + Add patch 005_CVE-2013-6630.patch: Properly clear out memory in
        jdmarker.c. (CVE-2013-6630).

   -- Mike Gabriel <sunweaver@xxxxxxxxxx>  Fri, 14 Mar 2014 18:56:25
  +0100

  libjpeg-turbo (1.3.0-2) unstable; urgency=low

    * Add patch: 003_ftbfs-kfreebsd-x64.patch. Fix FTBFS on kfreebsd-amd64
      systems by using ELF64 as object format. (Closes: #710749).

   -- Mike Gabriel <sunweaver@xxxxxxxxxx>  Tue, 04 Jun 2013 21:38:42
  +0200

  libjpeg-turbo (1.3.0-1) unstable; urgency=low

    * New upstream release.
    * /debian/control:
      + B-D: nasm [any-amd64 any-i386]. Fix FTBFS on hurd and kFreeBSD. (Closes:
        #710566).
    * Lintian issues:
      + Adapt shlib-calls-exit lintian override to new upstream version.

   -- Mike Gabriel <sunweaver@xxxxxxxxxx>  Sat, 01 Jun 2013 01:25:00
  +0200

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libjpeg-turbo/+bug/1374583/+subscriptions


Follow ups

References