From 02c9a4e9275bbfe22d06b7d050c5a60ea765f51c1d4100358588f207eb94b517 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Thu, 31 Mar 2011 21:13:45 +0000
Subject: [PATCH] - fixed regression caused by previous update [bnc#682871] * modified CVE-2011-0192.patch - fixed buffer overflow in thunder decoder [bnc#683337] * added CVE-2011-1167.patch
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=27
---
 tiff-3.9.4-CVE-2011-0192.patch | 32 +++++++++++-----
 tiff-3.9.4-CVE-2011-1167.patch | 68 ++++++++++++++++++++++++++++++++++
 tiff.changes | 8 ++++
 tiff.spec | 8 ++--
 4 files changed, 104 insertions(+), 12 deletions(-)
 create mode 100644 tiff-3.9.4-CVE-2011-1167.patch
diff --git a/tiff-3.9.4-CVE-2011-0192.patch b/tiff-3.9.4-CVE-2011-0192.patch
index 0ec65ab..6f1c50d 100644
--- a/tiff-3.9.4-CVE-2011-0192.patch
+++ b/tiff-3.9.4-CVE-2011-0192.patch
@@ -1,15 +1,29 @@
-Index: libtiff/tif_fax3.h
-===================================================================
---- libtiff/tif_fax3.h.orig
-+++ libtiff/tif_fax3.h
-@@ -478,6 +478,10 @@ done1d: \
+Protect against a fax VL(n) codeword commanding a move left. Without
+this, a malicious input file can generate an indefinitely large series
+of runs without a0 ever reaching the right margin, thus overrunning
+our buffer of run lengths. Per CVE-2011-0192. This is a modified
+version of a patch proposed by Drew Yao of Apple Product Security.
+It adds an unexpected() report, and disallows the equality case except
+for the first run of a line, since emitting a run without increasing a0
+still allows buffer overrun. (We have to allow it for the first run to
+cover the case of encoding a zero-length run at start of line using VL.)
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2297
+
+diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
+--- libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400
++++ libtiff/tif_fax3.h 2011-03-10 12:11:20.850839162 -0500
+@@ -478,6 +478,12 @@
 break; \
 case S_VL: \
 CHECK_b1; \
-+ if (b1 <= (int) (a0 + TabEnt->Param)) { \
-+ unexpected("VL", a0); \
-+ goto eol2d; \
-+ } \
++ if (b1 <= (int) (a0 + TabEnt->Param)) { \
++ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \
++ unexpected("VL", a0); \
++ goto eol2d; \
++ } \
++ } \
 SETVALUE(b1 - a0 - TabEnt->Param); \
 b1 -= *--pb; \
 break; \
+
diff --git a/tiff-3.9.4-CVE-2011-1167.patch b/tiff-3.9.4-CVE-2011-1167.patch
new file mode 100644
index 0000000..93032f5
--- /dev/null
+++ b/tiff-3.9.4-CVE-2011-1167.patch
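Review bot: The reason the equality case `b1 == a0 + TabEnt->Param` is tolerated only while `pa == thisrun` lives solely in the prose header of the patch file; at the check itself nothing explains it, and the nested `if` reads as though the outer test were redundant. Add a comment before the outer check, e.g. `/* A VL run that does not advance a0 is legal only as the first run of a line (zero-length leading run); any later one could grow the run buffer without bound — CVE-2011-0192. */`. The two tests can also be folded into one condition, `if (b1 < (int) (a0 + TabEnt->Param) || (b1 == (int) (a0 + TabEnt->Param) && pa != thisrun)) { \`, which removes the outer branch whose only content is another branch. The macro body and the switch this `case S_VL` belongs to start and end outside the hunk.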
@@ -0,0 +1,68 @@
+Index: libtiff/tif_thunder.c
+===================================================================
+--- libtiff/tif_thunder.c.orig
++++ libtiff/tif_thunder.c
+@@ -25,6 +25,7 @@
+ */
+ 
+ #include "tiffiop.h"
++#include
+ #ifdef THUNDER_SUPPORT
+ /*
+ * TIFF Library.
+@@ -55,12 +56,32 @@
+ static const int twobitdeltas[4] = { 0, 1, 0, -1 };
+ static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
+ 
+-#define SETPIXEL(op, v) { \
+- lastpixel = (v) & 0xf; \
+- if (npixels++ & 1) \
+- *op++ |= lastpixel; \
+- else \
++#define SETPIXEL(op, v) { \
++ lastpixel = (v) & 0xf; \
++ if ( npixels < maxpixels ) \
++ { \
++ if (npixels++ & 1) \
++ *op++ |= lastpixel; \
++ else \
+ op[0] = (tidataval_t) (lastpixel << 4); \
++ } \
++}
++
++static int
++ThunderSetupDecode(TIFF* tif)
++{
++ static const char module[] = "ThunderSetupDecode";
++
++ if( tif->tif_dir.td_bitspersample != 4 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
++ (int) tif->tif_dir.td_bitspersample );
++ return 0;
++ }
++
++
++ return (1);
+ }
+ 
+ static int
+@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf
+ occ -= tif->tif_scanlinesize;
+ row += tif->tif_scanlinesize;
+ }
+- return (1);
++
++ return (1);
+ }
+ 
+ int
+@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int schem
+ (void) scheme;
+ tif->tif_decoderow = ThunderDecodeRow;
+ tif->tif_decodestrip = ThunderDecodeRow;
++ tif->tif_setupdecode = ThunderSetupDecode;
+ return (1);
+ }
+ #endif /* THUNDER_SUPPORT */
diff --git a/tiff.changes b/tiff.changes
index 7e83737..f676777 100644
--- a/tiff.changes
+++ b/tiff.changes
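Review bot: The bounded `SETPIXEL` discards every pixel past `maxpixels` without leaving a trace, so a row that encodes more pixels than the scanline holds now decodes as if it were exactly `maxpixels` long; if the post-loop check in ThunderDecode (outside this hunk) compares `npixels` against `maxpixels` to report over-long rows, that report can no longer fire and malformed input is accepted silently. Keeping the count honest while still bounding the write is a one-line addition at the tail of the macro, `} else npixels++; \` in place of the bare `} \`, leaving the existing length check to reject the row. The macro also now depends on `maxpixels` being in scope at every expansion site; the hunk does not show where it is bound, so confirm it is a parameter or local of each function that expands SETPIXEL. Separately, the added `#include` line near the top carries no header name as rendered here — presumably an angle-bracketed name was lost in extraction — so verify the patch file holds the full include, since an empty `#include` is a preprocessor error.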
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Mar 31 21:49:49 CEST 2011 - pgajdos@suse.cz
+
+- fixed regression caused by previous update [bnc#682871]
+ * modified CVE-2011-0192.patch
+- fixed buffer overflow in thunder decoder [bnc#683337]
+ * added CVE-2011-1167.patch
+
 -------------------------------------------------------------------
 Thu Feb 17 15:40:54 CET 2011 - pgajdos@suse.cz
 
diff --git a/tiff.spec b/tiff.spec
index 7d79e76..0f5518f 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -1,7 +1,7 @@
 #
-# spec file for package tiff
+# spec file for package tiff (Version 3.9.4)
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +29,7 @@ Obsoletes: tiff-64bit
 #
 Url: http://www.remotesensing.org/libtiff/
 Version: 3.9.4
-Release: 3
+Release: 2
 Summary: Tools for Converting from and to the Tiff Format
 Source: tiff-%{version}.tar.bz2
 Source2: README.SUSE
@@ -41,6 +41,7 @@ Patch7: tiff-%{version}-getimage-64bit.patch
 Patch8: tiff-%{version}-scanlinesize.patch
 Patch9: tiff-%{version}-dont-fancy-upsampling.patch
 Patch10: tiff-%{version}-CVE-2011-0192.patch
+Patch11: tiff-3.9.4-CVE-2011-1167.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -107,6 +108,7 @@ the libtiff library.
 %patch8 -p1
 %patch9 -p1
 %patch10
+%patch11
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755
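Review bot: `Patch11: tiff-3.9.4-CVE-2011-1167.patch` hard-codes the version while every neighbouring Patch line uses the macro; write it as `Patch11: tiff-%{version}-CVE-2011-1167.patch` so a version bump cannot leave one stale reference (with `Version: 3.9.4` both forms name the same file). The companion `%patch11` without a `-p` level matches `%patch10` and the `Index:`-style paths inside the new patch file, so that part reads correctly. In the two earlier spec hunks the header moves backwards — `Release: 3` becomes `2` and the copyright year `2011` becomes `2010` — which looks like an older local copy of the spec being committed over the current one; if the Release field is honoured by the build, the rebuilt package would carry a lower release than the one already shipped and might not be offered as an update, so confirm this is intentional before the security fix goes out. The last spec hunk (`%patch11`) may be cut off at the end of the excerpt, so it is not reviewed here.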