!3 fix some cve

From: @jackie_wu123 Reviewed-by: @shinwell_hu Signed-off-by:
2020-09-17 17:12:23 +08:00 · 2020-09-17 17:12:23 +08:00 · 9f4148f0cc
commit 9f4148f0cc
parent dda1ea2e0b f23e4ebb1a
11 changed files with 435 additions and 1 deletions
--- a/CVE-2018-18873.patch
+++ b/CVE-2018-18873.patch
@ -0,0 +1,30 @@
+From 12db8078ba17a8ffc5cc2429fb506988f0f11b44 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@gmail.com>
+Date: Sun, 28 Jun 2020 13:25:12 +0200
+Subject: [PATCH] ras_enc: check components for RGB, fixes NULL pointer
+ dereference
+
+Fixes CVE-2018-18873
+
+Closes https://github.com/jasper-maint/jasper/issues/15
+Closes https://github.com/mdadams/jasper/issues/184
+---
+ src/libjasper/ras/ras_enc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/libjasper/ras/ras_enc.c b/src/libjasper/ras/ras_enc.c
+index 85ff9a3..dc4f151 100644
+--- a/src/libjasper/ras/ras_enc.c
+++ b/src/libjasper/ras/ras_enc.c
+@@ -232,6 +232,11 @@ static int ras_putdatastd(jas_stream_t *out, ras_hdr_t *hdr, jas_image_t *image,
+ 
+ 	assert(numcmpts <= 3);
+ 
+	if (RAS_ISRGB(hdr) && numcmpts < 3) {
+		/* need 3 components for RGB */
+		return -1;
+	}
+
+ 	for (i = 0; i < 3; ++i) {
+ 		data[i] = 0;
+ 	}
--- a/CVE-2018-19139.patch
+++ b/CVE-2018-19139.patch
@ -0,0 +1,28 @@
+From 708871879b86443c28bcb5505d3fd04e8384f8aa Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@gmail.com>
+Date: Wed, 24 Jun 2020 21:09:02 +0200
+Subject: [PATCH] jpc_cs: register jpc_unk_destroyparms() in all unknown
+ segments
+
+Fixes CVE-2018-19139 (memory leak)
+
+Closes https://github.com/jasper-maint/jasper/issues/14
+---
+ src/libjasper/jpc/jpc_cs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libjasper/jpc/jpc_cs.c b/src/libjasper/jpc/jpc_cs.c
+index 8a2e0ab..6c61d44 100644
+--- a/src/libjasper/jpc/jpc_cs.c
+++ b/src/libjasper/jpc/jpc_cs.c
+@@ -190,8 +190,8 @@ static const jpc_mstabent_t jpc_mstab[] = {
+ 	  jpc_qcc_putparms, jpc_qcc_dumpparms}},
+ 	{JPC_MS_POC, "POC", {jpc_poc_destroyparms, jpc_poc_getparms,
+ 	  jpc_poc_putparms, jpc_poc_dumpparms}},
+-	{JPC_MS_TLM, "TLM", {0, jpc_unk_getparms, jpc_unk_putparms, 0}},
+-	{JPC_MS_PLM, "PLM", {0, jpc_unk_getparms, jpc_unk_putparms, 0}},
+	{JPC_MS_TLM, "TLM", {jpc_unk_destroyparms, jpc_unk_getparms, jpc_unk_putparms, 0}},
+	{JPC_MS_PLM, "PLM", {jpc_unk_destroyparms, jpc_unk_getparms, jpc_unk_putparms, 0}},
+ 	{JPC_MS_PPM, "PPM", {jpc_ppm_destroyparms, jpc_ppm_getparms,
+ 	  jpc_ppm_putparms, jpc_ppm_dumpparms}},
+ 	{JPC_MS_PPT, "PPT", {jpc_ppt_destroyparms, jpc_ppt_getparms,
--- a/CVE-2018-19539.patch
+++ b/CVE-2018-19539.patch
@ -0,0 +1,14 @@
+diff --git a/jasper-2.0.14/src/libjasper/base/jas_image.c b/jasper-2.0.14-edit/src/libjasper/base/jas_image.c
+index e71b86a..6aafc3a 100644
+--- a/src/libjasper/base/jas_image.c
+++ b/src/libjasper/base/jas_image.c
+@@ -553,6 +553,9 @@ int jas_image_writecmpt(jas_image_t *image, int cmptno, jas_image_coord_t x,
+ 	  image, cmptno, JAS_CAST(long, x), JAS_CAST(long, y),
+ 	  JAS_CAST(long, width), JAS_CAST(long, height), data));
+ 
+        if(data == NULL)
+		return -1;
+
+ 	if (cmptno < 0 || cmptno >= image->numcmpts_) {
+ 		return -1;
+ 	}
--- a/CVE-2018-19540.patch
+++ b/CVE-2018-19540.patch
@ -0,0 +1,13 @@
+diff --git a/jasper-2.0.14/src/libjasper/base/jas_icc.c b/jasper-2.0.14-edit/src/libjasper/base/jas_icc.c
+index 4607930..762c0e8 100644
+--- a/src/libjasper/base/jas_icc.c
+++ b/src/libjasper/base/jas_icc.c
+@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
+ 	if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=
+ 	  JAS_CAST(int, txtdesc->asclen))
+ 		goto error;
+	if (txtdesc->asclen < 1)
+		goto error;
+ 	txtdesc->ascdata[txtdesc->asclen - 1] = '\0';
+ 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
+ 	  jas_iccgetuint32(in, &txtdesc->uclen))
--- a/CVE-2018-19541.patch
+++ b/CVE-2018-19541.patch
@ -0,0 +1,14 @@
+diff --git a/jasper-2.0.14/src/libjasper/base/jas_image.c b/jasper-2.0.14-edit/src/libjasper/base/jas_image.c
+index 6aafc3a..31ddb4b 100644
+--- a/src/libjasper/base/jas_image.c
+++ b/src/libjasper/base/jas_image.c
+@@ -978,6 +978,9 @@ int jas_image_depalettize(jas_image_t *image, int cmptno, int numlutents,
+ 	cmptparms.prec = JAS_IMAGE_CDT_GETPREC(dtype);
+ 	cmptparms.sgnd = JAS_IMAGE_CDT_GETSGND(dtype);
+ 
+	if (numlutents < 1) {
+		return -1;
+	}
+ 	if (jas_image_addcmpt(image, newcmptno, &cmptparms)) {
+ 		return -1;
+ 	}
--- a/CVE-2018-20570.patch
+++ b/CVE-2018-20570.patch
@ -0,0 +1,47 @@
+From 03db7c81f6a8a92d896249bc673877749987fd7a Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@gmail.com>
+Date: Wed, 24 Jun 2020 21:26:10 +0200
+Subject: [PATCH] jp2_enc: check number of components before dereferencing them
+
+Fixes CVE-2018-20570
+
+Closes https://github.com/jasper-maint/jasper/issues/11
+Closes https://github.com/mdadams/jasper/issues/191
+---
+ src/libjasper/jp2/jp2_enc.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/libjasper/jp2/jp2_enc.c b/src/libjasper/jp2/jp2_enc.c
+index fd39a84..1b44c18 100644
+--- a/src/libjasper/jp2/jp2_enc.c
+++ b/src/libjasper/jp2/jp2_enc.c
+@@ -293,7 +293,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
+ 	needcdef = 1;
+ 	switch (jas_clrspc_fam(jas_image_clrspc(image))) {
+ 	case JAS_CLRSPC_FAM_RGB:
+-		if (jas_image_cmpttype(image, 0) ==
+		if (jas_image_numcmpts(image) >= 3 &&
+		  jas_image_cmpttype(image, 0) ==
+ 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_RGB_R) &&
+ 		  jas_image_cmpttype(image, 1) ==
+ 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_RGB_G) &&
+@@ -302,7 +303,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
+ 			needcdef = 0;
+ 		break;
+ 	case JAS_CLRSPC_FAM_YCBCR:
+-		if (jas_image_cmpttype(image, 0) ==
+		if (jas_image_numcmpts(image) >= 3 &&
+		  jas_image_cmpttype(image, 0) ==
+ 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_YCBCR_Y) &&
+ 		  jas_image_cmpttype(image, 1) ==
+ 		  JAS_IMAGE_CT_COLOR(JAS_CLRSPC_CHANIND_YCBCR_CB) &&
+@@ -311,7 +313,8 @@ int jp2_encode(jas_image_t *image, jas_stream_t *out, const char *optstr)
+ 			needcdef = 0;
+ 		break;
+ 	case JAS_CLRSPC_FAM_GRAY:
+-		if (jas_image_cmpttype(image, 0) ==
+		if (jas_image_numcmpts(image) >= 1 &&
+		  jas_image_cmpttype(image, 0) ==
+ 		  JAS_IMAGE_CT_COLOR(JAS_IMAGE_CT_GRAY_Y))
+ 			needcdef = 0;
+ 		break;
--- a/CVE-2018-20622.patch
+++ b/CVE-2018-20622.patch
@ -0,0 +1,86 @@
+From aa8516b28344aa1263ee538bb7366c4679a0e1a5 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@gmail.com>
+Date: Wed, 24 Jun 2020 21:41:24 +0200
+Subject: [PATCH] jpc_t2dec: fix various memory leaks in jpc_dec_decodepkt()
+
+Fixes CVE-2018-20622
+
+Closes https://github.com/jasper-maint/jasper/issues/12
+Closes https://github.com/mdadams/jasper/issues/193
+---
+ src/libjasper/jpc/jpc_t2dec.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/libjasper/jpc/jpc_t2dec.c b/src/libjasper/jpc/jpc_t2dec.c
+index 81d1f61..e88ccb6 100644
+--- a/src/libjasper/jpc/jpc_t2dec.c
+++ b/src/libjasper/jpc/jpc_t2dec.c
+@@ -225,6 +225,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
+ 	}
+ 
+ 	if ((present = jpc_bitstream_getbit(inb)) < 0) {
+		jpc_bitstream_close(inb);
+ 		return 1;
+ 	}
+ 	JAS_DBGLOG(10, ("\n", present));
+@@ -252,10 +253,12 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
+ 				if (!cblk->numpasses) {
+ 					leaf = jpc_tagtree_getleaf(prc->incltagtree, usedcblkcnt - 1);
+ 					if ((included = jpc_tagtree_decode(prc->incltagtree, leaf, lyrno + 1, inb)) < 0) {
+						jpc_bitstream_close(inb);
+ 						return -1;
+ 					}
+ 				} else {
+ 					if ((included = jpc_bitstream_getbit(inb)) < 0) {
+						jpc_bitstream_close(inb);
+ 						return -1;
+ 					}
+ 				}
+@@ -269,6 +272,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
+ 					leaf = jpc_tagtree_getleaf(prc->numimsbstagtree, usedcblkcnt - 1);
+ 					for (;;) {
+ 						if ((ret = jpc_tagtree_decode(prc->numimsbstagtree, leaf, i, inb)) < 0) {
+							jpc_bitstream_close(inb);
+ 							return -1;
+ 						}
+ 						if (ret) {
+@@ -280,6 +284,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
+ 					cblk->firstpassno = cblk->numimsbs * 3;
+ 				}
+ 				if ((numnewpasses = jpc_getnumnewpasses(inb)) < 0) {
+					jpc_bitstream_close(inb);
+ 					return -1;
+ 				}
+ 				JAS_DBGLOG(10, ("numnewpasses=%d ", numnewpasses));
+@@ -288,6 +293,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
+ 				mycounter = 0;
+ 				if (numnewpasses > 0) {
+ 					if ((m = jpc_getcommacode(inb)) < 0) {
+						jpc_bitstream_close(inb);
+ 						return -1;
+ 					}
+ 					cblk->numlenbits += m;
+@@ -298,6 +304,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
+ 						maxpasses = JPC_SEGPASSCNT(passno, cblk->firstpassno, 10000, (ccp->cblkctx & JPC_COX_LAZY) != 0, (ccp->cblkctx & JPC_COX_TERMALL) != 0);
+ 						if (!discard && !seg) {
+ 							if (!(seg = jpc_seg_alloc())) {
+								jpc_bitstream_close(inb);
+ 								return -1;
+ 							}
+ 							jpc_seglist_insert(&cblk->segs, cblk->segs.tail, seg);
+@@ -312,6 +319,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
+ 						mycounter += n;
+ 						numnewpasses -= n;
+ 						if ((len = jpc_bitstream_getbits(inb, cblk->numlenbits + jpc_floorlog2(n))) < 0) {
+							jpc_bitstream_close(inb);
+ 							return -1;
+ 						}
+ 						JAS_DBGLOG(10, ("len=%d ", len));
+@@ -333,6 +341,7 @@ hdroffstart = jas_stream_getrwcount(pkthdrstream);
+ 	} else {
+ 		if (jpc_bitstream_inalign(inb, 0x7f, 0)) {
+ 			jas_eprintf("alignment failed\n");
+			jpc_bitstream_close(inb);
+ 			return -1;
+ 		}
+ 	}
--- a/CVE-2018-9055.patch
+++ b/CVE-2018-9055.patch
@ -0,0 +1,63 @@
+From d4358fb62a01bd542146a1d25b8f6fd2a0b210fe Mon Sep 17 00:00:00 2001
+From: Michael Vetter <jubalh@iodoru.org>
+Date: Mon, 25 Mar 2019 12:20:26 +0100
+Subject: [PATCH] Fix integer width in jpc_math
+
+Fix denial of service via a reachable assertion in the function jpc_firstone in libjasper/jpc/jpc_math.c.
+
+Assigned CVE-2018-9055.
+Fixes https://github.com/mdadams/jasper/issues/172.
+
+Fix by Fridrich Strba <FStrba@suse.com>.
+---
+ src/libjasper/jpc/jpc_math.c | 4 ++--
+ src/libjasper/jpc/jpc_math.h | 5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/libjasper/jpc/jpc_math.c b/src/libjasper/jpc/jpc_math.c
+index 2b70844..1b18880 100644
+--- a/src/libjasper/jpc/jpc_math.c
+++ b/src/libjasper/jpc/jpc_math.c
+@@ -86,7 +86,7 @@
+ 
+ /* Calculate the integer quantity floor(log2(x)), where x is a positive
+   integer. */
+-int jpc_floorlog2(int x)
+int jpc_floorlog2(int_fast32_t x)
+ {
+ 	int y;
+ 
+@@ -105,7 +105,7 @@ int jpc_floorlog2(int x)
+   integer. */
+ /* This function is the basically the same as ceillog2(x), except that the
+   allowable range for x is slightly different. */
+-int jpc_firstone(int x)
+int jpc_firstone(int_fast32_t x)
+ {
+ 	int n;
+ 
+diff --git a/src/libjasper/jpc/jpc_math.h b/src/libjasper/jpc/jpc_math.h
+index e8e0978..bd80d51 100644
+--- a/src/libjasper/jpc/jpc_math.h
+++ b/src/libjasper/jpc/jpc_math.h
+@@ -67,6 +67,7 @@
+ \******************************************************************************/
+ 
+ #include	<assert.h>
+#include	<stdint.h>
+ 
+ /******************************************************************************\
+ * Macros
+@@ -90,10 +91,10 @@
+ 
+ /* Calculate the bit position of the first leading one in a nonnegative
+   integer. */
+-int jpc_firstone(int x);
+int jpc_firstone(int_fast32_t x);
+ 
+ /* Calculate the integer quantity floor(log2(x)), where x is a positive
+   integer. */
+-int jpc_floorlog2(int x);
+int jpc_floorlog2(int_fast32_t x);
+ 
+ #endif
--- a/CVE-2018-9154.patch
+++ b/CVE-2018-9154.patch
@ -0,0 +1,40 @@
+From fcbabdaaba217124c92dc29472596146756b968e Mon Sep 17 00:00:00 2001
+From: Michael Vetter <jubalh@iodoru.org>
+Date: Tue, 17 Mar 2020 13:32:11 +0100
+Subject: [PATCH] Use return in jpc_dec_process_sot() instead of abort
+
+We don't need to and should not abort here.
+
+Fix CVE-2018-9154.
+Fix https://github.com/mdadams/jasper/issues/215
+Fix https://github.com/mdadams/jasper/issues/166
+Fix https://github.com/mdadams/jasper/issues/175
+
+See: https://github.com/mdadams/jasper/pull/216
+Fix https://github.com/jasper-maint/jasper/issues/8
+---
+ src/libjasper/jpc/jpc_dec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libjasper/jpc/jpc_dec.c b/src/libjasper/jpc/jpc_dec.c
+index 6d40786..817009e 100644
+--- a/src/libjasper/jpc/jpc_dec.c
+++ b/src/libjasper/jpc/jpc_dec.c
+@@ -485,7 +485,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_t *ms)
+ 
+ 		if (!(compinfos = jas_alloc2(dec->numcomps,
+ 		  sizeof(jas_image_cmptparm_t)))) {
+-			abort();
+			return -1;
+ 		}
+ 		for (cmptno = 0, cmpt = dec->cmpts, compinfo = compinfos;
+ 		  cmptno < dec->numcomps; ++cmptno, ++cmpt, ++compinfo) {
+@@ -512,7 +512,7 @@ static int jpc_dec_process_sot(jpc_dec_t *dec, jpc_ms_t *ms)
+ 			/* Convert the PPM marker segment data into a collection of streams
+ 			  (one stream per tile-part). */
+ 			if (!(dec->pkthdrstreams = jpc_ppmstabtostreams(dec->ppmstab))) {
+-				abort();
+				return -1;
+ 			}
+ 			jpc_ppxstab_destroy(dec->ppmstab);
+ 			dec->ppmstab = 0;
--- a/CVE-2018-9252.patch
+++ b/CVE-2018-9252.patch
@ -0,0 +1,76 @@
+From 6cd1e1d8aff56d0d86d4e7d1e7e3e4dd1c64b55d Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@gmail.com>
+Date: Wed, 24 Jun 2020 19:01:35 +0200
+Subject: [PATCH] jpc_enc: jpc_abstorelstepsize() returns error instead of
+ aborting
+
+Fixes CVE-2018-9252
+
+Closes https://github.com/jasper-maint/jasper/issues/16
+---
+ src/libjasper/jpc/jpc_enc.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/src/libjasper/jpc/jpc_enc.c b/src/libjasper/jpc/jpc_enc.c
+index a779645..b11a450 100644
+--- a/src/libjasper/jpc/jpc_enc.c
+++ b/src/libjasper/jpc/jpc_enc.c
+@@ -165,6 +165,9 @@ static jpc_enc_cp_t *cp_create(const char *optstr, jas_image_t *image);
+ void jpc_enc_cp_destroy(jpc_enc_cp_t *cp);
+ static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn);
+ 
+/**
+ * @return UINT_FAST32_MAX on error
+ */
+ static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn)
+ {
+ 	int p;
+@@ -173,7 +176,7 @@ static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn)
+ 	int n;
+ 
+ 	if (absdelta < 0) {
+-		abort();
+		return UINT_FAST32_MAX;
+ 	}
+ 
+ 	p = jpc_firstone(absdelta) - JPC_FIX_FRACBITS;
+@@ -179,8 +182,10 @@ static uint_fast32_t jpc_abstorelstepsize(jpc_fix_t absdelta, int scaleexpn)
+ 	mant = ((n < 0) ? (absdelta >> (-n)) : (absdelta << n)) & 0x7ff;
+ 	expn = scaleexpn - p;
+ 	if (scaleexpn < p) {
+-		abort();
+		return UINT_FAST32_MAX;
+ 	}
+	if (expn >= 0x1f)
+		return UINT_FAST32_MAX;
+ 	return JPC_QCX_EXPN(expn) | JPC_QCX_MANT(mant);
+ }
+ 
+@@ -991,9 +996,12 @@ startoff = jas_stream_getrwcount(enc->out);
+ 			} else {
+ 				absstepsize = jpc_inttofix(1);
+ 			}	
+-			cp->ccps[cmptno].stepsizes[bandno] =
+			const uint_fast32_t stepsize =
+ 			  jpc_abstorelstepsize(absstepsize,
+ 			  cp->ccps[cmptno].prec + analgain);
+			if (stepsize == UINT_FAST32_MAX)
+				return -1;
+			cp->ccps[cmptno].stepsizes[bandno] = stepsize;
+ 		}
+ 		cp->ccps[cmptno].numstepsizes = numbands;
+ 	}
+@@ -1234,9 +1242,12 @@ jas_eprintf("%d %d mag=%d actual=%d numgbits=%d\n", cp->ccps[cmptno].prec, band-
+ 					} else {
+ 						band->absstepsize = jpc_inttofix(1);
+ 					}
+-					band->stepsize = jpc_abstorelstepsize(
+					const uint_fast32_t stepsize = jpc_abstorelstepsize(
+ 					  band->absstepsize, cp->ccps[cmptno].prec +
+ 					  band->analgain);
+					if (stepsize == UINT_FAST32_MAX)
+						return -1;
+					band->stepsize = stepsize;
+ 					band->numbps = cp->tccp.numgbits +
+ 					  JPC_QCX_GETEXPN(band->stepsize) - 1;
+ 
--- a/jasper.spec
+++ b/jasper.spec
@ -1,6 +1,6 @@
 Name:                jasper
 Version:             2.0.14
-Release:             8
+Release:             9
 Summary:             Reference implementation of the codec specified in the JPEG-2000 standard, Part 1
 License:             JasPer
 URL:                 http://www.ece.uvic.ca/~frodo/jasper/
@ -8,6 +8,16 @@ Source0:             http://www.ece.uvic.ca/~frodo/jasper/software/jasper-%{vers

 Patch0001:           jasper-2.0.14-CVE-2016-9396.patch
 Patch0002:           jasper-2.0.14-rpath.patch
+Patch0003:           CVE-2018-9055.patch
+Patch0004:           CVE-2018-9154.patch
+Patch0005:           CVE-2018-9252.patch
+Patch0006:           CVE-2018-18873.patch
+Patch0007:           CVE-2018-19139.patch
+Patch0008:           CVE-2018-19539.patch
+Patch0009:           CVE-2018-19540.patch
+Patch0010:           CVE-2018-19541.patch
+Patch0011:           CVE-2018-20570.patch
+Patch0012:           CVE-2018-20622.patch

 BuildRequires:       cmake freeglut-devel libGLU-devel libjpeg-devel libXmu-devel libXi-devel
 BuildRequires:       pkgconfig doxygen mesa-libGL-devel
@ -87,5 +97,18 @@ make test -C builder
 %doc README

 %changelog
+* Wed Sep 16 2020 wutao <wutao61@huawei.com> - 2.0.14-9
+- fix folllowing CVE in this revision
+  CVE-2018-18873
+  CVE-2018-19541 
+  CVE-2018-9055
+  CVE-2018-9154 
+  CVE-2018-19539 
+  CVE-2018-20570
+  CVE-2018-9252 
+  CVE-2018-19540 
+  CVE-2018-20622
+  CVE-2018-19139
+
 * Wed Apr 22 2020 leiju <leiju4@huawei.com> - 2.0.14-8
 - Package init