- fixed regression caused by previous update [bnc#682871]

* modified CVE-2011-0192.patch
- fixed buffer overflow in thunder decoder [bnc#683337]
  * added CVE-2011-1167.patch

OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=27

tiff-3.9.4-CVE-2011-0192.patch

@@ -1,15 +1,29 @@
-Index: libtiff/tif_fax3.h
+Protect against a fax VL(n) codeword commanding a move left.  Without
-===================================================================
+this, a malicious input file can generate an indefinitely large series
---- libtiff/tif_fax3.h.orig
+of runs without a0 ever reaching the right margin, thus overrunning
-+++ libtiff/tif_fax3.h
+our buffer of run lengths.  Per CVE-2011-0192.  This is a modified
-@@ -478,6 +478,10 @@ done1d:									\
+version of a patch proposed by Drew Yao of Apple Product Security.
+It adds an unexpected() report, and disallows the equality case except
+for the first run of a line, since emitting a run without increasing a0
+still allows buffer overrun.  (We have to allow it for the first run to
+cover the case of encoding a zero-length run at start of line using VL.)
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2297
+
+diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
+--- libtiff/tif_fax3.h	2010-06-08 14:50:42.000000000 -0400
++++ libtiff/tif_fax3.h	2011-03-10 12:11:20.850839162 -0500
+@@ -478,6 +478,12 @@
  	    break;							\
  	case S_VL:							\
  	    CHECK_b1;							\
-+            if (b1 <= (int) (a0 + TabEnt->Param)) {                     \
++	    if (b1 <= (int) (a0 + TabEnt->Param)) {			\
-+              unexpected("VL", a0);                                     \
++		if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) {	\
-+              goto eol2d;                                               \
++		    unexpected("VL", a0);				\
-+            }                                                           \
++		    goto eol2d;						\
++		}							\
++	    }								\
  	    SETVALUE(b1 - a0 - TabEnt->Param);				\
  	    b1 -= *--pb;						\
  	    break;							\
+

tiff-3.9.4-CVE-2011-1167.patch

@@ -0,0 +1,68 @@
+Index: libtiff/tif_thunder.c
+===================================================================
+--- libtiff/tif_thunder.c.orig
++++ libtiff/tif_thunder.c
+@@ -25,6 +25,7 @@
+  */
+ 
+ #include "tiffiop.h"
++#include <assert.h>
+ #ifdef THUNDER_SUPPORT
+ /*
+  * TIFF Library.
+@@ -55,12 +56,32 @@
+ static const int twobitdeltas[4] = { 0, 1, 0, -1 };
+ static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
+ 
+-#define	SETPIXEL(op, v) { \
+-	lastpixel = (v) & 0xf; \
+-	if (npixels++ & 1) \
+-	    *op++ |= lastpixel; \
+-	else \
++#define	SETPIXEL(op, v) {                     \
++	lastpixel = (v) & 0xf;                \
++        if ( npixels < maxpixels )         \
++        {                                     \
++	  if (npixels++ & 1)                  \
++	    *op++ |= lastpixel;               \
++	  else                                \
+ 	    op[0] = (tidataval_t) (lastpixel << 4); \
++        }                                     \
++}
++
++static int
++ThunderSetupDecode(TIFF* tif)
++{
++	static const char module[] = "ThunderSetupDecode";
++
++        if( tif->tif_dir.td_bitspersample != 4 )
++        {
++                TIFFErrorExt(tif->tif_clientdata, module,
++                             "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
++                             (int) tif->tif_dir.td_bitspersample );
++                return 0;
++        }
++        
++
++	return (1);
+ }
+ 
+ static int
+@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf
+ 		occ -= tif->tif_scanlinesize;
+ 		row += tif->tif_scanlinesize;
+ 	}
+-	return (1);
++
++        return (1);
+ }
+ 
+ int
+@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int schem
+ 	(void) scheme;
+ 	tif->tif_decoderow = ThunderDecodeRow;
+ 	tif->tif_decodestrip = ThunderDecodeRow;
++        tif->tif_setupdecode = ThunderSetupDecode;
+ 	return (1);
+ }
+ #endif /* THUNDER_SUPPORT */

tiff.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Mar 31 21:49:49 CEST 2011 - pgajdos@suse.cz
+
+- fixed regression caused by previous update [bnc#682871]
+  * modified CVE-2011-0192.patch
+- fixed buffer overflow in thunder decoder [bnc#683337]
+  * added CVE-2011-1167.patch
+
 -------------------------------------------------------------------
 Thu Feb 17 15:40:54 CET 2011 - pgajdos@suse.cz
 

tiff.spec

@@ -1,7 +1,7 @@
 #
-# spec file for package tiff
+# spec file for package tiff (Version 3.9.4)
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +29,7 @@ Obsoletes:      tiff-64bit
 #
 Url:            http://www.remotesensing.org/libtiff/
 Version:        3.9.4
-Release:        3
+Release:        2
 Summary:        Tools for Converting from and to the Tiff  Format
 Source:         tiff-%{version}.tar.bz2
 Source2:        README.SUSE
@@ -41,6 +41,7 @@ Patch7:         tiff-%{version}-getimage-64bit.patch
 Patch8:         tiff-%{version}-scanlinesize.patch
 Patch9:         tiff-%{version}-dont-fancy-upsampling.patch
 Patch10:        tiff-%{version}-CVE-2011-0192.patch
+Patch11:        tiff-3.9.4-CVE-2011-1167.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9:         tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -107,6 +108,7 @@ the libtiff library.
 %patch8 -p1
 %patch9 -p1
 %patch10
+%patch11
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755