From 38f5467976e6c3a10ac7911ae247e5c7cf8cc591 Mon Sep 17 00:00:00 2001 From: Chris Adams Date: Fri, 9 Aug 2019 13:44:22 -0400 Subject: [PATCH 1/5] Handle grayscale JP2s with RGB color profiles This installs the patch from https://github.com/uclouvain/openjpeg/issues/1207 to handle the case where an image has a color profile which is not compatible with the actual channel definitions. --- Dockerfile | 37 ++++++++++++++++++++++++++++++- handle_colorspace_conflicts.patch | 13 +++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 handle_colorspace_conflicts.patch diff --git a/Dockerfile b/Dockerfile index d1d4b40..9f7194e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,34 @@ +FROM debian:buster AS builder + +ENV DEBIAN_FRONTEND="noninteractive" + +# Enable deb-src repos so we can retrieve the packages used to build libopenjp2: +RUN sed -i -e '/^deb/p; s/^deb /deb-src /' /etc/apt/sources.list + +RUN apt-get update -qqy && apt-get dist-upgrade -qqy && apt-get install -qqy quilt devscripts && apt-get build-dep -qy libopenjp2-tools + +RUN adduser --system --group builder +RUN install -d -o builder -g builder /build + +USER builder + +WORKDIR /build + +RUN apt-get source openjpeg2 + +WORKDIR /build/openjpeg2-2.3.0 +ENV QUILT_PATCHES=debian/patches + +# Add the patch from https://github.com/uclouvain/openjpeg/issues/1207 +COPY handle_colorspace_conflicts.patch /build/ + +# Apply the patch to the local source directory +RUN quilt import /build/handle_colorspace_conflicts.patch +RUN quilt push -a -v + +# Build all of the openjpeg2 packages +RUN debuild -uc -us + FROM debian:buster ENV CANTALOUPE_VERSION=4.1.5 
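Review bot: The rebuilt openjpeg2 packages keep the archive's version string, because nothing between `quilt import` and `debuild -uc -us` adds a changelog entry. In the final image `dpkg -l` and any package-based vulnerability scanner will then report the stock Debian version, with no sign that the binaries were built locally with an extra patch, and apt may treat the archive build of the same version as interchangeable. Adding a local suffix before the build, e.g. `RUN dch --local +loc "Apply handle_colorspace_conflicts.patch"` (dch ships in the devscripts package already installed here; the suffix is only an example), would make the patched build identifiable. Separately, `WORKDIR /build/openjpeg2-2.3.0` hard-codes the upstream version, so the stage will stop building once buster ships a different one.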
@@ -9,9 +40,13 @@ VOLUME /imageroot # Update packages and install tools RUN apt-get update -qy && apt-get dist-upgrade -qy && \ apt-get install -qy --no-install-recommends curl imagemagick \ - libopenjp2-tools ffmpeg unzip default-jre-headless && \ + ffmpeg unzip default-jre-headless && \ apt-get -qqy autoremove && apt-get -qqy autoclean +# Install the patched openjpeg2 tools +COPY --from=builder /build/*.deb /tmp/ +RUN dpkg -i /tmp/libopenjp2-*.deb /tmp/libopenjp2-tools-*.deb + # Run non privileged RUN adduser --system cantaloupe diff --git a/handle_colorspace_conflicts.patch b/handle_colorspace_conflicts.patch new file mode 100644 index 0000000..039397c --- /dev/null +++ b/handle_colorspace_conflicts.patch @@ -0,0 +1,13 @@ +--- a/src/bin/common/color.c 2019-08-08 00:45:01.903651387 +0200 ++++ b/src/bin/common/color.c 2019-08-08 00:39:24.442674016 +0200 +@@ -488,6 +488,10 @@ + if (out_space == cmsSigRgbData) { /* enumCS 16 */ + unsigned int i, nr_comp = image->numcomps; + ++ if (nr_comp < 3) { /* GRAY or GRAYA, not RGB or RGBA */ ++ cmsCloseProfile(in_prof); ++ return; ++ } + if (nr_comp > 4) { + nr_comp = 4; + } From b1b3694655b55983a225d40bc060a8b591020473 Mon Sep 17 00:00:00 2001 From: Chris Adams Date: Thu, 6 Feb 2020 14:12:00 -0500 Subject: [PATCH 2/5] =?UTF-8?q?Don=E2=80=99t=20bundle=20ffmpeg?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This does not allow use of the FFMPEG processor but we didn’t need that and it reduces the container size considerably, not to mention avoiding some CVEs which are in ffmpeg dependencies and currently unfixed such as CVE-2019-14889. --- Dockerfile | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9f7194e..7ea58ff 100644 --- a/Dockerfile +++ b/Dockerfile 
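Review bot: `COPY --from=builder /build/*.deb /tmp/` leaves every package the builder produced in a layer of the final image, and the glob `/tmp/libopenjp2-*.deb` in the `dpkg -i` line matches more than the runtime library (any -dev or debug-symbol package with that prefix is installed too). Which files debuild actually produces is not visible here, so this should be checked against the builder output. With BuildKit the packages can be installed without being copied into the image, naming only the two that are needed: `RUN --mount=type=bind,from=builder,source=/build,target=/debs dpkg -i /debs/libopenjp2-7_*.deb /debs/libopenjp2-tools_*.deb`.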
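Review bot: The early return added for `nr_comp < 3` releases only `in_prof`; whether that is everything acquired by this point cannot be confirmed from the context lines, because the enclosing function in color.c starts and ends outside the hunk. It also returns without any message, so an image whose profile is skipped is indistinguishable from one that was converted. Since this patch is carried locally and does not come from a Debian update, the file should open with a header that records its provenance, for example `Description: skip RGB ICC conversion for GRAY/GRAYA images` and `Origin: https://github.com/uclouvain/openjpeg/issues/1207`, so the origin stays with the patch even if the Dockerfile comment changes.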
@@ -39,9 +39,12 @@ VOLUME /imageroot # Update packages and install tools RUN apt-get update -qy && apt-get dist-upgrade -qy && \ - apt-get install -qy --no-install-recommends curl imagemagick \ - ffmpeg unzip default-jre-headless && \ - apt-get -qqy autoremove && apt-get -qqy autoclean + apt-get install -qy --no-install-recommends \ + curl \ + imagemagick \ + unzip \ + default-jre-headless \ + && apt-get -qqy autoremove && apt-get -qqy autoclean # Install the patched openjpeg2 tools COPY --from=builder /build/*.deb /tmp/ From 0010b6555c6a0f6e4207bc9cb6db8856b798f376 Mon Sep 17 00:00:00 2001 From: Chris Adams Date: Mon, 19 Jul 2021 15:59:00 -0400 Subject: [PATCH 3/5] Change default baseline version to Cantaloupe 4.11 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7ea58ff..33b49d5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,7 +31,7 @@ RUN debuild -uc -us FROM debian:buster -ENV CANTALOUPE_VERSION=4.1.5 +ENV CANTALOUPE_VERSION=4.1.11 EXPOSE 8182 From abc2e3019e22b5a6a8b73e0a29326c2b2f7ae544 Mon Sep 17 00:00:00 2001 From: Chris Adams Date: Mon, 26 Jun 2023 16:24:24 -0400 Subject: [PATCH 4/5] Install Library of Congress root CA --- Dockerfile | 12 ++++++++---- LOC-ROOT-CA-1.crt | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 4 deletions(-) create mode 100644 LOC-ROOT-CA-1.crt diff --git a/Dockerfile b/Dockerfile index 33b49d5..8202ff8 100644 --- a/Dockerfile +++ b/Dockerfile 
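Review bot: The rewritten install command still ends with `apt-get -qqy autoclean`, which only drops package files that can no longer be downloaded and leaves the index files under /var/lib/apt/lists in the layer. As the commit is about shrinking the image, ending the same RUN with `&& rm -rf /var/lib/apt/lists/*` would remove them. `curl` and `unzip` also stay installed; if they are only used to fetch and unpack the Cantaloupe release (that step is outside the hunk), they are worth purging once it has run so they are not available in the running container.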
@@ -40,11 +40,15 @@ VOLUME /imageroot # Update packages and install tools RUN apt-get update -qy && apt-get dist-upgrade -qy && \ apt-get install -qy --no-install-recommends \ - curl \ - imagemagick \ + ca-certificates \ + curl \ + imagemagick \ unzip \ - default-jre-headless \ - && apt-get -qqy autoremove && apt-get -qqy autoclean + default-jre-headless \ + && apt-get -qqy autoremove && apt-get -qqy autoclean + +COPY LOC-ROOT-CA-1.crt /usr/local/share/ca-certificates/ +RUN update-ca-certificates # Install the patched openjpeg2 tools COPY --from=builder /build/*.deb /tmp/ diff --git a/LOC-ROOT-CA-1.crt b/LOC-ROOT-CA-1.crt new file mode 100644 index 0000000..2cf7e78 --- /dev/null +++ b/LOC-ROOT-CA-1.crt 
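Review bot: Copying `LOC-ROOT-CA-1.crt` into /usr/local/share/ca-certificates and running `update-ca-certificates` makes every TLS client in the image trust that CA for any host name, and nothing next to the COPY says why it is there or how the file was verified. A comment above the COPY would help the next maintainer, for example `# Library of Congress internal root CA; check with: openssl x509 -in LOC-ROOT-CA-1.crt -noout -subject -enddate -fingerprint -sha256`, with the expected fingerprint taken from a trusted source and not from this repository. If the image is also used outside that network, the extra trust anchor is worth mentioning in the README.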
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFxTCCA62gAwIBAgIQZcOK6KFOibFEbn9VFqwpvTANBgkqhkiG9w0BAQsFADB1 +MQswCQYDVQQGEwJVUzELMAkGA1UECBMCREMxEzARBgNVBAcTCldhc2hpbmd0b24x +HDAaBgNVBAoTE0xpYnJhcnkgb2YgQ29uZ3Jlc3MxJjAkBgNVBAMTHUxpYnJhcnkg +b2YgQ29uZ3Jlc3MgUm9vdCBDQSAxMB4XDTE4MDQzMDE0MDUyNVoXDTMzMDQzMDE0 +MTUyMlowdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkRDMRMwEQYDVQQHEwpXYXNo +aW5ndG9uMRwwGgYDVQQKExNMaWJyYXJ5IG9mIENvbmdyZXNzMSYwJAYDVQQDEx1M +aWJyYXJ5IG9mIENvbmdyZXNzIFJvb3QgQ0EgMTCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAOIU7o+961urv+BoyqV1/xWeBQNU3q6zIrFPwA+zg/SwfCWg +RX2se+4M/vIZs/KY6rGb782VeRDU9hGH+H0KtGd/twOYsQ7Mq08Ij+PJnoJFi1fB +mfifW4xjwqo3ruJ0/jS0CrdFHuGhO5uEDHjQ0WhAt2KqzKz5Scx8nYQlcarY8Bok +9vWj+m7ClCI97YOp86pW7nKQmvSMshgzmjI9667SYk/RsfH7cdndXzu3iS+VGVa6 +WDwX7N64Kr3s/opMEgg7TjCR/EkOCEbO4qF4XO8MdR5U0pknLTplXhm0hKZAQF9N +t7uEvfYQqHcNL9I3aVNpfIiIoYGg8Oy5Zz81GS42UeUwHf6dwFoBtU5BLNIMEaJI +VR4nFXsW58C3aLeeUMWANKSXYY/Sl3CZt9K4eAxVUaIknkALivXNOUJwgxbDmNBN +6wYfXg4LPxgDvnQ74MO/b/XoH05uu3ww01CCqRhvxFU9lvI9Pn+zU6g0JyVlnUAo +juSWyBV8L87Iyyk7NdDAmh6xgdv5LQ4b4sboJcUSZB+C+w/B6HpA9gDmLqB4ibEr +wqUUU0VIHieWKhgRWwTFEkGdTTiw0JYx8WLaLHtxb8FPG2BiKRJD3NbQs3nESd/m +E5Vpk92vD+Lv6l15C2RGRIXhPi/wg3caRKO6Fam3zFYSFgbUZMx+vJy19MF1AgMB +AAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSh +TOIBB3oOiGPSggKBWGsWPbiRkjAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0B +AQsFAAOCAgEAqLfz2zTGF+D0yaw5z7B/RtaKeuf6rxpcoprGvmdPtXpZaw5Zoap4 +0mWW5vmnE4ykNlrDoc0w3SUK/fBUusdUuj9445aIMN7vGEfowkdi6be6O0cVGf8U +GE10Ma9RmEz3870gJa964DhGexl0sK+WnQ4cMlW+w+PFg/9Ul5VkdeEd97bFKg/X +yMFa1Ax0Ja3dxUqgYjDmv5xrrx7/qVHjHGUm1B/F5ptMvdsEZbwoYpfdz5gJVe4x ++/4fToEhQ0UW5u3afnJOsr7l3o1YM1R730mJ2RaFSvgJWj0lljGpCYWcLDTeRqKm +pZTJ3xXxmgBorOufnMXzANi9XiEAttyo+PY/j3DM+S8iGL+42PnqiU5wZx6swjLZ +nkyhYoFq34WurLqCH1bRGRMaRfa/wJmsJsNqpCD1hQIHjN6T99tYmdFr4yf1+3Th +GBfp11AcMpB8rxru8ZMg0bpCgR6jZAB9wT2mfFpG3VYASt0ApZuAnfybt+zxUjwb +4e89n3Xv4JJMGBAfdWhPnE1meJv7TER95PrZ2PoNTbHnqCPJa6wEJ89BbmfxvrRx 
+eIGQRBO31a44ntDoOp4AvcuU84PgfblHDUsO4P1tXkzNSSZZfyHNjkwmB02RTL31 +DDBIJg3ELXudbEiQJWTTWNhMPkuQ9GPn5AhQCzM72kDGoqVf0cdxorU= +-----END CERTIFICATE----- From 23cf95bd57ea86292ccae9475ba40edf79c26a7f Mon Sep 17 00:00:00 2001 From: Chris Adams Date: Mon, 11 Mar 2024 12:32:38 -0400 Subject: [PATCH 5/5] Force installation of the ca-certificates-java package This appears to be a regression upstream: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1784553 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8202ff8..434c156 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ ENV DEBIAN_FRONTEND="noninteractive" # Enable deb-src repos so we can retrieve the packages used to build libopenjp2: RUN sed -i -e '/^deb/p; s/^deb /deb-src /' /etc/apt/sources.list -RUN apt-get update -qqy && apt-get dist-upgrade -qqy && apt-get install -qqy quilt devscripts && apt-get build-dep -qy libopenjp2-tools +RUN apt-get update -qqy && apt-get dist-upgrade -qqy && apt-get install -qqy quilt devscripts ca-certificates ca-certificates-java && apt-get build-dep -qy libopenjp2-tools RUN adduser --system --group builder RUN install -d -o builder -g builder /build @@ -40,7 +40,7 @@ VOLUME /imageroot # Update packages and install tools RUN apt-get update -qy && apt-get dist-upgrade -qy && \ apt-get install -qy --no-install-recommends \ - ca-certificates \ + ca-certificates ca-certificates-java \ curl \ imagemagick \ unzip \
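Review bot: Neither hunk records why `ca-certificates-java` is now listed explicitly; the reason (the upstream regression linked in the commit message) lives only in the commit, so a later clean-up could drop the package again. A comment above each RUN, such as `# ca-certificates-java is listed explicitly, see https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1784553`, would keep it. This applies to the builder-stage hunk and to the second hunk in the final stage. In the final stage the Java trust store also has to pick up the CA added by `update-ca-certificates`, and the visible hunks contain no build-time check that it does.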