diff --git a/tiff-4.0.10.tar.gz b/tiff-4.0.10.tar.gz
new file mode 100644
index 0000000..2288774
--- /dev/null
+++ b/tiff-4.0.10.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4
+size 2402867
diff --git a/tiff-4.0.9-bsc1081690-CVE-2018-5784.patch b/tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
deleted file mode 100644
index 8fb8316..0000000
--- a/tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
+++ /dev/null
@@ -1,128 +0,0 @@ -From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001 -From: Nathan Baker -Date: Tue, 6 Feb 2018 10:13:57 -0500 -Subject: [PATCH] Fix for bug 2772 - -It is possible to craft a TIFF document where the IFD list is circular, -leading to an infinite loop while traversing the chain. The libtiff -directory reader has a failsafe that will break out of this loop after -reading 65535 directory entries, but it will continue processing, -consuming time and resources to process what is essentially a bogus TIFF -document. - -This change fixes the above behavior by breaking out of processing when -a TIFF document has >= 65535 directories and terminating with an error. ---- - contrib/addtiffo/tif_overview.c | 14 +++++++++++++- - tools/tiff2pdf.c | 10 ++++++++++ - tools/tiffcrop.c | 13 +++++++++++-- - 3 files changed, 34 insertions(+), 3 deletions(-) - -diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c -index c61ffbb..03b3573 100644 ---- a/contrib/addtiffo/tif_overview.c -+++ b/contrib/addtiffo/tif_overview.c -@@ -65,6 +65,8 @@ - # define MAX(a,b) ((a>b) ? 
a : b) - #endif - -+#define TIFF_DIR_MAX 65534 -+ - void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, - int (*)(double,void*), void * ); - -@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, - { - toff_t nBaseDirOffset; - toff_t nOffset; -+ tdir_t iNumDir; - - (void) bUseSubIFDs; - -@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, - return 0; - - TIFFWriteDirectory( hTIFF ); -- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); -+ iNumDir = TIFFNumberOfDirectories(hTIFF); -+ if( iNumDir > TIFF_DIR_MAX ) -+ { -+ TIFFErrorExt( TIFFClientdata(hTIFF), -+ "TIFF_WriteOverview", -+ "File `%s' has too many directories.\n", -+ TIFFFileName(hTIFF) ); -+ exit(-1); -+ } -+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); - - nOffset = TIFFCurrentDirOffset( hTIFF ); - -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index 984ef65..832a247 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); - - #define PS_UNIT_SIZE 72.0F - -+#define TIFF_DIR_MAX 65534 -+ - /* This type is of PDF color spaces. 
*/ - typedef enum { - T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ -@@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); -+ if(directorycount > TIFF_DIR_MAX) { -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "TIFF contains too many directories, %s", -+ TIFFFileName(input)); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); - if(t2p->tiff_pages==NULL){ - TIFFError( -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 91a38f6..e466dae 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -215,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); - #define DUMP_TEXT 1 - #define DUMP_RAW 2 - -+#define TIFF_DIR_MAX 65534 -+ - /* Offsets into buffer for margins and fixed width and length segments */ - struct offset { - uint32 tmargin; -@@ -2232,7 +2234,7 @@ main(int argc, char* argv[]) - pageNum = -1; - else - total_images = 0; -- /* read multiple input files and write to output file(s) */ -+ /* Read multiple input files and write to output file(s) */ - while (optind < argc - 1) - { - in = TIFFOpen (argv[optind], "r"); -@@ -2240,7 +2242,14 @@ main(int argc, char* argv[]) - return (-3); - - /* If only one input file is specified, we can use directory count */ -- total_images = TIFFNumberOfDirectories(in); -+ total_images = TIFFNumberOfDirectories(in); -+ if (total_images > TIFF_DIR_MAX) -+ { -+ TIFFError (TIFFFileName(in), "File contains too many directories"); -+ if (out != NULL) -+ (void) TIFFClose(out); -+ return (1); -+ } - if (image_count == 0) - { - dirnum = 0; --- -libgit2 0.26.0 - diff --git a/tiff-4.0.9.tar.gz b/tiff-4.0.9.tar.gz deleted file mode 100644 index c0cd671..0000000 --- a/tiff-4.0.9.tar.gz +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd
-size 2305681
diff --git a/tiff-CVE-2017-11613,CVE-2018-16335,15209.patch b/tiff-CVE-2017-11613,CVE-2018-16335,15209.patch
deleted file mode 100644
index cde8d80..0000000
--- a/tiff-CVE-2017-11613,CVE-2018-16335,15209.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Index: tiff-4.0.9/libtiff/tif_dirread.c
-===================================================================
---- tiff-4.0.9.orig/libtiff/tif_dirread.c 2018-06-04 16:49:48.940452546 +0200
-+++ tiff-4.0.9/libtiff/tif_dirread.c 2018-06-04 16:50:18.572859131 +0200
-@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
- if( nstrips == 0 )
- return;
-
-+ /* If we are going to allocate a lot of memory, make sure that the */
-+ /* file is as big as needed */
-+ if( tif->tif_mode == O_RDONLY &&
-+ nstrips > 1000000 &&
-+ (offset >= TIFFGetFileSize(tif) ||
-+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
-+ {
-+ return;
-+ }
-+
- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
- "for chopped \"StripByteCounts\" array");
- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
diff --git a/tiff-CVE-2017-18013.patch b/tiff-CVE-2017-18013.patch
deleted file mode 100644
index f3b428d..0000000
--- a/tiff-CVE-2017-18013.patch
+++ /dev/null
@@ -1,21 +0,0 @@
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
- (unsigned long) s,
-- (unsigned __int64) td->td_stripoffset[s],
-- (unsigned __int64) td->td_stripbytecount[s]);
-+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
-+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
- #else
- fprintf(fd, " %3lu: [%8llu, %8llu]\n",
- (unsigned long) s,
-- (unsigned long long) td->td_stripoffset[s],
-- (unsigned long long) td->td_stripbytecount[s]);
-+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
-+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
- #endif
- }
- }
-
diff --git a/tiff-CVE-2017-9935,CVE-2018-17795.patch b/tiff-CVE-2017-9935,CVE-2018-17795.patch
deleted file mode 100644
index fdea74b..0000000
--- a/tiff-CVE-2017-9935,CVE-2018-17795.patch
+++ /dev/null
@@ -1,209 +0,0 @@ -From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001 -From: Brian May -Date: Thu, 7 Dec 2017 07:46:47 +1100 -Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 - -Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 - -This vulnerability - at least for the supplied test case - is because we -assume that a tiff will only have one transfer function that is the same -for all pages. This is not required by the TIFF standards. - -We than read the transfer function for every page. Depending on the -transfer function, we allocate either 2 or 4 bytes to the XREF buffer. -We allocate this memory after we read in the transfer function for the -page. - -For the first exploit - POC1, this file has 3 pages. For the first page -we allocate 2 extra extra XREF entries. Then for the next page 2 more -entries. Then for the last page the transfer function changes and we -allocate 4 more entries. - -When we read the file into memory, we assume we have 4 bytes extra for -each and every page (as per the last transfer function we read). Which -is not correct, we only have 2 bytes extra for the first 2 pages. As a -result, we end up writing past the end of the buffer. - -There are also some related issues that this also fixes. For example, -TIFFGetField can return uninitalized pointer values, and the logic to -detect a N=3 vs N=1 transfer function seemed rather strange. - -It is also strange that we declare the transfer functions to be of type -float, when the standard says they are unsigned 16 bit values. This is -fixed in another patch. - -This patch will check to ensure that the N value for every transfer -function is the same for every page. If this changes, we abort with an -error. In theory, we should perhaps check that the transfer function -itself is identical for every page, however we don't do that due to the -confusion of the type of the data in the transfer function. 
---- - libtiff/tif_dir.c | 3 +++ - tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++++++++++++++--------------------- - 2 files changed, 47 insertions(+), 21 deletions(-) - -From d4f213636b6f950498a1386083199bd7f65676b9 Mon Sep 17 00:00:00 2001 -From: Brian May -Date: Thu, 7 Dec 2017 07:49:20 +1100 -Subject: [PATCH] tiff2pdf: Fix apparent incorrect type for transfer table - -The standard says the transfer table contains unsigned 16 bit values, -I have no idea why we refer to them as floats. ---- - tools/tiff2pdf.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index 2ccaf44..cbf2b69 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) - if (td->td_samplesperpixel - td->td_extrasamples > 1) { - *va_arg(ap, uint16**) = td->td_transferfunction[1]; - *va_arg(ap, uint16**) = td->td_transferfunction[2]; -+ } else { -+ *va_arg(ap, uint16**) = NULL; -+ *va_arg(ap, uint16**) = NULL; - } - break; - case TIFFTAG_REFERENCEBLACKWHITE: -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index d1a9b09..c3ec074 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16 pagen=0; - uint16 paged=0; - uint16 xuint16=0; -+ uint16 tiff_transferfunctioncount=0; -+ float* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); -@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - } - #endif - if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, -- &(t2p->tiff_transferfunction[0]), -- &(t2p->tiff_transferfunction[1]), -- &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- 
t2p->tiff_transferfunction[0])) { -- t2p->tiff_transferfunctioncount = 3; -- t2p->tiff_pages[i].page_extra += 4; -- t2p->pdf_xrefcount += 4; -- } else { -- t2p->tiff_transferfunctioncount = 1; -- t2p->tiff_pages[i].page_extra += 2; -- t2p->pdf_xrefcount += 2; -- } -- if(t2p->pdf_minorversion < 2) -- t2p->pdf_minorversion = 2; -+ &(tiff_transferfunction[0]), -+ &(tiff_transferfunction[1]), -+ &(tiff_transferfunction[2]))) { -+ -+ if((tiff_transferfunction[1] != (float*) NULL) && -+ (tiff_transferfunction[2] != (float*) NULL) -+ ) { -+ tiff_transferfunctioncount=3; -+ } else { -+ tiff_transferfunctioncount=1; -+ } - } else { -- t2p->tiff_transferfunctioncount=0; -+ tiff_transferfunctioncount=0; - } -+ -+ if (i > 0){ -+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "Different transfer function on page %d", -+ i); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } -+ } -+ -+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; -+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; -+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; -+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; -+ if(tiff_transferfunctioncount == 3){ -+ t2p->tiff_pages[i].page_extra += 4; -+ t2p->pdf_xrefcount += 4; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } else if (tiff_transferfunctioncount == 1){ -+ t2p->tiff_pages[i].page_extra += 2; -+ t2p->pdf_xrefcount += 2; -+ if(t2p->pdf_minorversion < 2) -+ t2p->pdf_minorversion = 2; -+ } -+ - if( TIFFGetField( - input, - TIFFTAG_ICCPROFILE, -@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { - if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) && -- (t2p->tiff_transferfunction[1] != -- t2p->tiff_transferfunction[0])) { -+ (t2p->tiff_transferfunction[2] != (float*) NULL) -+ ) { - 
t2p->tiff_transferfunctioncount=3; - } else { - t2p->tiff_transferfunctioncount=1; - -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index c3ec074..484776c 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -237,7 +237,7 @@ typedef struct { - float tiff_whitechromaticities[2]; - float tiff_primarychromaticities[6]; - float tiff_referenceblackwhite[2]; -- float* tiff_transferfunction[3]; -+ uint16* tiff_transferfunction[3]; - int pdf_image_interpolate; /* 0 (default) : do not interpolate, - 1 : interpolate */ - uint16 tiff_transferfunctioncount; -@@ -1048,7 +1048,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16 paged=0; - uint16 xuint16=0; - uint16 tiff_transferfunctioncount=0; -- float* tiff_transferfunction[3]; -+ uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); -@@ -1153,8 +1153,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - &(tiff_transferfunction[1]), - &(tiff_transferfunction[2]))) { - -- if((tiff_transferfunction[1] != (float*) NULL) && -- (tiff_transferfunction[2] != (float*) NULL) -+ if((tiff_transferfunction[1] != (uint16*) NULL) && -+ (tiff_transferfunction[2] != (uint16*) NULL) - ) { - tiff_transferfunctioncount=3; - } else { -@@ -1851,8 +1851,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - &(t2p->tiff_transferfunction[0]), - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { -- if((t2p->tiff_transferfunction[1] != (float*) NULL) && -- (t2p->tiff_transferfunction[2] != (float*) NULL) -+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && -+ (t2p->tiff_transferfunction[2] != (uint16*) NULL) - ) { - t2p->tiff_transferfunctioncount=3; - } else { --- -libgit2 0.26.0 - diff --git a/tiff-CVE-2018-10779.patch b/tiff-CVE-2018-10779.patch deleted file mode 100644 index fae407d..0000000 --- a/tiff-CVE-2018-10779.patch +++ /dev/null 
@@ -1,19 +0,0 @@
-diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
-index 586f6fdff66a7a0c1864dbe1e2c5831602b055ce..a31ecd12c133ac18bed6bfbc97fcbad5e19a3257 100644
---- a/libtiff/tif_write.c
-+++ b/libtiff/tif_write.c
-@@ -538,9 +538,11 @@ TIFFSetupStrips(TIFF* tif)
- if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
- td->td_stripsperimage /= td->td_samplesperpixel;
- td->td_stripoffset = (uint64 *)
-- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
-+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
-+ "for \"StripOffsets\" array");
- td->td_stripbytecount = (uint64 *)
-- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
-+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
-+ "for \"StripByteCounts\" array");
- if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
- return (0);
- /*
-
diff --git a/tiff-CVE-2018-10963.patch b/tiff-CVE-2018-10963.patch
deleted file mode 100644
index 0a0dc51..0000000
--- a/tiff-CVE-2018-10963.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index 2430de6..c15a28d 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
- }
- break;
- default:
-- assert(0); /* we should never get here */
-- break;
-+ TIFFErrorExt(tif->tif_clientdata,module,
-+ "Cannot write tag %d (%s)",
-+ TIFFFieldTag(o),
-+ o->field_name ? o->field_name : "unknown");
-+ goto bad;
- }
- }
- }
-
diff --git a/tiff-CVE-2018-17100.patch b/tiff-CVE-2018-17100.patch
deleted file mode 100644
index cb0c8a4..0000000
--- a/tiff-CVE-2018-17100.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Index: tiff-4.0.9/tools/ppm2tiff.c
-===================================================================
---- tiff-4.0.9.orig/tools/ppm2tiff.c 2018-10-17 12:25:05.271940872 +0200
-+++ tiff-4.0.9/tools/ppm2tiff.c 2018-10-17 12:26:15.468262130 +0200
-@@ -72,15 +72,16 @@ BadPPM(char* file)
- exit(-2);
- }
-
-+
-+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-+
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
-- tmsize_t bytes = m1 * m2;
--
-- if (m1 && bytes / m1 != m2)
-- bytes = 0;
--
-- return bytes;
-+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
-+ return 0;
-+ return m1 * m2;
- }
-
- int
diff --git a/tiff-CVE-2018-17101.patch b/tiff-CVE-2018-17101.patch
deleted file mode 100644
index fc00c0b..0000000
--- a/tiff-CVE-2018-17101.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
-index 01fcf941..01d8502e 100644
---- a/tools/pal2rgb.c
-+++ b/tools/pal2rgb.c
-@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
- {
- struct cpTag *p;
- for (p = tags; p < &tags[NTAGS]; p++)
-- cpTag(in, out, p->tag, p->count, p->type);
-+ {
-+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
-+ {
-+ uint16 compression;
-+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
-+ compression != COMPRESSION_CCITTFAX3 )
-+ continue;
-+ }
-+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
-+ {
-+ uint16 compression;
-+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
-+ compression != COMPRESSION_CCITTFAX4 )
-+ continue;
-+ }
-+ cpTag(in, out, p->tag, p->count, p->type);
-+ }
- }
- #undef NTAGS
-
-diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
-index 05faba87..5bef3142 100644
---- a/tools/tiff2bw.c
-+++ b/tools/tiff2bw.c
-@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
- {
- struct cpTag *p;
- for (p = tags; p < &tags[NTAGS]; p++)
-- cpTag(in, out, p->tag, p->count, p->type);
-+ {
-+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
-+ {
-+ uint16 compression;
-+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
-+ compression != COMPRESSION_CCITTFAX3 )
-+ continue;
-+ }
-+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
-+ {
-+ uint16 compression;
-+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
-+ compression != COMPRESSION_CCITTFAX4 )
-+ continue;
-+ }
-+ cpTag(in, out, p->tag, p->count, p->type);
-+ }
- }
- #undef NTAGS
-
diff --git a/tiff-CVE-2018-7456.patch b/tiff-CVE-2018-7456.patch
deleted file mode 100644
index b369c7f..0000000
--- a/tiff-CVE-2018-7456.patch
+++ /dev/null
@@ -1,108 +0,0 @@ -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 6baa7b3..af5b84a 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin - static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); - static void ChopUpSingleUncompressedStrip(TIFF*); - static uint64 TIFFReadUInt64(const uint8 *value); -+static int _TIFFGetMaxColorChannels(uint16 photometric); - - static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); - -@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c - } - - /* -+ * Return the maximum number of color channels specified for a given photometric -+ * type. 0 is returned if photometric type isn't supported or no default value -+ * is defined by the specification. -+ */ -+static int _TIFFGetMaxColorChannels( uint16 photometric ) -+{ -+ switch (photometric) { -+ case PHOTOMETRIC_PALETTE: -+ case PHOTOMETRIC_MINISWHITE: -+ case PHOTOMETRIC_MINISBLACK: -+ return 1; -+ case PHOTOMETRIC_YCBCR: -+ case PHOTOMETRIC_RGB: -+ case PHOTOMETRIC_CIELAB: -+ return 3; -+ case PHOTOMETRIC_SEPARATED: -+ case PHOTOMETRIC_MASK: -+ return 4; -+ case PHOTOMETRIC_LOGL: -+ case PHOTOMETRIC_LOGLUV: -+ case PHOTOMETRIC_CFA: -+ case PHOTOMETRIC_ITULAB: -+ case PHOTOMETRIC_ICCLAB: -+ default: -+ return 0; -+ } -+} -+ -+/* - * Read the next TIFF directory from a file and convert it to the internal - * format. We read directories sequentially. - */ -@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif) - uint32 fii=FAILED_FII; - toff_t nextdiroff; - int bitspersample_read = FALSE; -+ int color_channels; - - tif->tif_diroff=tif->tif_nextdiroff; - if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) -@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif) - } - } - } -+ -+ /* -+ * Make sure all non-color channels are extrasamples. -+ * If it's not the case, define them as such. 
-+ */ -+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); -+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { -+ uint16 old_extrasamples; -+ uint16 *new_sampleinfo; -+ -+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " -+ "color channels and ExtraSamples doesn't match SamplesPerPixel. " -+ "Defining non-color channels as ExtraSamples."); -+ -+ old_extrasamples = tif->tif_dir.td_extrasamples; -+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); -+ -+ // sampleinfo should contain information relative to these new extra samples -+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); -+ if (!new_sampleinfo) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " -+ "temporary new sampleinfo array (%d 16 bit elements)", -+ tif->tif_dir.td_extrasamples); -+ goto bad; -+ } -+ -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); -+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); -+ _TIFFfree(new_sampleinfo); -+ } -+ - /* - * Verify Palette image has a Colormap. - */ -diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c -index 8deceb2..1d86adb 100644 ---- a/libtiff/tif_print.c -+++ b/libtiff/tif_print.c -@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) - uint16 i; - fprintf(fd, " %2ld: %5u", - l, td->td_transferfunction[0][l]); -- for (i = 1; i < td->td_samplesperpixel; i++) -+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) - fprintf(fd, " %5u", - td->td_transferfunction[i][l]); - fputc('\n', fd); - diff --git a/tiff-CVE-2018-8905.patch b/tiff-CVE-2018-8905.patch deleted file mode 100644 index dc5f046..0000000 --- a/tiff-CVE-2018-8905.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index 4ccb443..94d85e3 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - char *tp; - unsigned char *bp; - int code, nbits; -+ int len; - long nextbits, nextdata, nbitsmask; - code_t *codep, *free_entp, *maxcodep, *oldcodep; - -@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) - } while (--occ); - break; - } -- assert(occ >= codep->length); -- op += codep->length; -- occ -= codep->length; -- tp = op; -+ len = codep->length; -+ tp = op + len; - do { -- *--tp = codep->value; -- } while( (codep = codep->next) != NULL ); -+ int t; -+ --tp; -+ t = codep->value; -+ codep = codep->next; -+ *tp = (char)t; -+ } while (codep && tp > op); -+ assert(occ >= len); -+ op += len; -+ occ -= len; - } else { - *op++ = (char)code; - occ--; - diff --git a/tiff.changes b/tiff.changes index 4fbb244..2139086 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Mon Nov 12 11:37:11 UTC 2018 - Petr Gajdos + +- upddated to 4.0.10: + * fixes several CVEs mentioned below plus CVE-2018-18557 and + CVE-2018-18661 and more +- removed patches + * tiff-CVE-2017-11613,CVE-2018-16335,15209.patch + * tiff-CVE-2017-18013.patch + * tiff-CVE-2017-9935,CVE-2018-17795.patch + * tiff-CVE-2018-10779.patch + * tiff-CVE-2018-10963.patch + * tiff-CVE-2018-17100.patch + * tiff-CVE-2018-17101.patch + * tiff-CVE-2018-7456.patch + * tiff-CVE-2018-8905.patch + ------------------------------------------------------------------- Fri Oct 19 07:02:18 UTC 2018 - Petr Gajdos diff --git a/tiff.spec b/tiff.spec index af34684..29479ce 100644 --- a/tiff.spec +++ b/tiff.spec 
@@ -16,10 +16,11 @@ # -%define asan_build 0 +%define asan_build 0 +%define debug_build 0 Name: tiff -Version: 4.0.9 +Version: 4.0.10 Release: 0 Summary: Tools for Converting from and to the Tagged Image File Format License: HPND @@ -31,17 +32,6 @@ Source3: baselibs.conf Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch -# Contained in upstream repo. See bsc#1046077 for commit IDs. -Patch2: tiff-CVE-2017-9935,CVE-2018-17795.patch -Patch3: tiff-4.0.9-bsc1081690-CVE-2018-5784.patch -Patch4: tiff-CVE-2018-10963.patch -Patch5: tiff-CVE-2017-18013.patch -Patch6: tiff-CVE-2018-7456.patch -Patch7: tiff-CVE-2017-11613,CVE-2018-16335,15209.patch -Patch8: tiff-CVE-2018-8905.patch -Patch9: tiff-CVE-2018-10779.patch -Patch10: tiff-CVE-2018-17100.patch -Patch11: tiff-CVE-2018-17101.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel @@ -105,19 +95,12 @@ the libtiff library. %setup -q %patch0 -p1 %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 %build CFLAGS="%{optflags} -fPIE" +%if %{debug_build} +CFLAGS="$CFLAGS -O0" +%endif %configure --disable-static %if %{asan_build} find -name Makefile | xargs sed -i 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' @@ -162,12 +145,12 @@ done %defattr(-,root,root) %{_bindir}/* %doc html -%doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DATE +%doc README.md COPYRIGHT VERSION ChangeLog TODO RELEASE-DATE %{_mandir}/man1/* %files -n libtiff5 %defattr(-,root,root) -%doc README COPYRIGHT README.SUSE +%doc README.md COPYRIGHT README.SUSE %{_libdir}/*.so.* %files -n libtiff-devel
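Review bot: The new `%define debug_build 0` switch in the tiff.spec hunk at -16,10 is undocumented, and the `%build` hunk at -105,19 uses it to append `-O0` after `%{optflags}`. If `%{optflags}` carries `-D_FORTIFY_SOURCE` (not visible on this page, but usual for distribution builds), glibc only activates the fortified wrappers when optimization is on, so a debug build would silently lose that hardening in a library that parses untrusted image files. I would put a comment above the define, for example `# debug_build 1: local -O0 debugging only; fortify checks are inactive, never enable for released packages`. A matching one-line comment above `%if %{debug_build}` in `%build` would keep the trade-off visible where the flag is applied.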
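Review bot: `%patch3 -p1` (tiff-4.0.9-bsc1081690-CVE-2018-5784.patch) is dropped in the hunk at -105,19 along with `%patch2` and `%patch4` to `%patch11`, and its `Patch3:` tag goes in the hunk at -31,17, but the "removed patches" list in the new tiff.changes entry names only nine files and omits this one. Anyone tracking CVE coverage through the changelog loses the record for CVE-2018-5784, so I would add `* tiff-4.0.9-bsc1081690-CVE-2018-5784.patch` to that list once the fix is confirmed present in the 4.0.10 tarball. The deleted spec comment `# Contained in upstream repo. See bsc#1046077 for commit IDs.` was the only pointer to upstream commits, and nothing on this page shows the per-patch verification. A short comment near `Version:` stating that the former CVE patches are contained in 4.0.10 would keep that trail.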