package/jpeg-turbo: security bump to version 2.0.5

Fixes the following security issue:

- CVE-2020-13790: ibjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based
  buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input
  file

For more details, see the release notes:
https://github.com/libjpeg-turbo/libjpeg-turbo/releases/tag/2.0.5

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
[Peter: mark as security bump / extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Heiko Stuebner 2020-11-13 13:28:35 +01:00 committed by Peter Korsgaard
parent d3343d3f7a
commit 105d61c850
2 changed files with 5 additions and 5 deletions

View File

@ -1,7 +1,7 @@
# From https://sourceforge.net/projects/libjpeg-turbo/files/2.0.4/
sha1 163d8f96d0999526a117de0388624241b54dcd67 libjpeg-turbo-2.0.4.tar.gz
md5 d01d9e0c28c27bc0de9f4e2e8ff49855 libjpeg-turbo-2.0.4.tar.gz
# From https://sourceforge.net/projects/libjpeg-turbo/files/2.0.5/
sha1 9d4c565d402b2f5661be78d76098073ec7e30f10 libjpeg-turbo-2.0.5.tar.gz
md5 3a7dc293918775fc933f81e2bce36464 libjpeg-turbo-2.0.5.tar.gz
# Locally computed
sha256 33dd8547efd5543639e890efbf2ef52d5a21df81faf41bb940657af916a23406 libjpeg-turbo-2.0.4.tar.gz
sha256 16f8f6f2715b3a38ab562a84357c793dd56ae9899ce130563c72cd93d8357b5d libjpeg-turbo-2.0.5.tar.gz
sha256 69e570a251515ced17d4492256d57c89db77ed949652f88a44c80c1ca9607920 LICENSE.md
sha256 82fece2bff2669c476495f0fe70096b154e8bc5b40916a64e99836d9a01c3110 README.ijg

View File

@ -4,7 +4,7 @@
#
################################################################################
JPEG_TURBO_VERSION = 2.0.4
JPEG_TURBO_VERSION = 2.0.5
JPEG_TURBO_SOURCE = libjpeg-turbo-$(JPEG_TURBO_VERSION).tar.gz
JPEG_TURBO_SITE = https://downloads.sourceforge.net/project/libjpeg-turbo/$(JPEG_TURBO_VERSION)
JPEG_TURBO_LICENSE = IJG (libjpeg), BSD-3-Clause (TurboJPEG), Zlib (SIMD)