- fixed regression caused by previous update [bnc#682871]

* modified CVE-2011-0192.patch - fixed buffer overflow in thunder decoder [bnc#683337] * added CVE-2011-1167.patch OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=27
2011-03-31 21:13:45 +00:00 · 2011-03-31 21:13:45 +00:00 · 02c9a4e927
commit 02c9a4e927
parent c3318cf877
4 changed files with 104 additions and 12 deletions
--- a/tiff-3.9.4-CVE-2011-0192.patch
+++ b/tiff-3.9.4-CVE-2011-0192.patch
@ -1,15 +1,29 @@
-Index: libtiff/tif_fax3.h
-===================================================================
--- libtiff/tif_fax3.h.orig
-+++ libtiff/tif_fax3.h
-@@ -478,6 +478,10 @@ done1d:									\
+Protect against a fax VL(n) codeword commanding a move left.  Without
+this, a malicious input file can generate an indefinitely large series
+of runs without a0 ever reaching the right margin, thus overrunning
+our buffer of run lengths.  Per CVE-2011-0192.  This is a modified
+version of a patch proposed by Drew Yao of Apple Product Security.
+It adds an unexpected() report, and disallows the equality case except
+for the first run of a line, since emitting a run without increasing a0
+still allows buffer overrun.  (We have to allow it for the first run to
+cover the case of encoding a zero-length run at start of line using VL.)
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2297
+
+diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
+--- libtiff/tif_fax3.h	2010-06-08 14:50:42.000000000 -0400
+++ libtiff/tif_fax3.h	2011-03-10 12:11:20.850839162 -0500
+@@ -478,6 +478,12 @@
 	    break;							\
 	case S_VL:							\
 	    CHECK_b1;							\
 +	    if (b1 <= (int) (a0 + TabEnt->Param)) {			\
+		if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) {	\
 +		    unexpected("VL", a0);				\
 +		    goto eol2d;						\
+		}							\
 +	    }								\
 	    SETVALUE(b1 - a0 - TabEnt->Param);				\
 	    b1 -= *--pb;						\
 	    break;							\
+
--- a/tiff-3.9.4-CVE-2011-1167.patch
+++ b/tiff-3.9.4-CVE-2011-1167.patch
@ -0,0 +1,68 @@
+Index: libtiff/tif_thunder.c
+===================================================================
+--- libtiff/tif_thunder.c.orig
+++ libtiff/tif_thunder.c
+@@ -25,6 +25,7 @@
+  */
+ 
+ #include "tiffiop.h"
+#include <assert.h>
+ #ifdef THUNDER_SUPPORT
+ /*
+  * TIFF Library.
+@@ -55,12 +56,32 @@
+ static const int twobitdeltas[4] = { 0, 1, 0, -1 };
+ static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
+ 
+-#define	SETPIXEL(op, v) { \
+-	lastpixel = (v) & 0xf; \
+-	if (npixels++ & 1) \
+-	    *op++ |= lastpixel; \
+-	else \
+#define	SETPIXEL(op, v) {                     \
+	lastpixel = (v) & 0xf;                \
+        if ( npixels < maxpixels )         \
+        {                                     \
+	  if (npixels++ & 1)                  \
+	    *op++ |= lastpixel;               \
+	  else                                \
+ 	    op[0] = (tidataval_t) (lastpixel << 4); \
+        }                                     \
+}
+
+static int
+ThunderSetupDecode(TIFF* tif)
+{
+	static const char module[] = "ThunderSetupDecode";
+
+        if( tif->tif_dir.td_bitspersample != 4 )
+        {
+                TIFFErrorExt(tif->tif_clientdata, module,
+                             "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
+                             (int) tif->tif_dir.td_bitspersample );
+                return 0;
+        }
+        
+
+	return (1);
+ }
+ 
+ static int
+@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf
+ 		occ -= tif->tif_scanlinesize;
+ 		row += tif->tif_scanlinesize;
+ 	}
+-	return (1);
+
+        return (1);
+ }
+ 
+ int
+@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int schem
+ 	(void) scheme;
+ 	tif->tif_decoderow = ThunderDecodeRow;
+ 	tif->tif_decodestrip = ThunderDecodeRow;
+        tif->tif_setupdecode = ThunderSetupDecode;
+ 	return (1);
+ }
+ #endif /* THUNDER_SUPPORT */
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Mar 31 21:49:49 CEST 2011 - pgajdos@suse.cz
+
+- fixed regression caused by previous update [bnc#682871]
+  * modified CVE-2011-0192.patch
+- fixed buffer overflow in thunder decoder [bnc#683337]
+  * added CVE-2011-1167.patch
+
 -------------------------------------------------------------------
 Thu Feb 17 15:40:54 CET 2011 - pgajdos@suse.cz

--- a/tiff.spec
+++ b/tiff.spec
@ -1,7 +1,7 @@
 #
-# spec file for package tiff
+# spec file for package tiff (Version 3.9.4)
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -29,7 +29,7 @@ Obsoletes:      tiff-64bit
 #
 Url:            http://www.remotesensing.org/libtiff/
 Version:        3.9.4
-Release:        3
+Release:        2
 Summary:        Tools for Converting from and to the Tiff  Format
 Source:         tiff-%{version}.tar.bz2
 Source2:        README.SUSE
@ -41,6 +41,7 @@ Patch7:         tiff-%{version}-getimage-64bit.patch
 Patch8:         tiff-%{version}-scanlinesize.patch
 Patch9:         tiff-%{version}-dont-fancy-upsampling.patch
 Patch10:        tiff-%{version}-CVE-2011-0192.patch
+Patch11:        tiff-3.9.4-CVE-2011-1167.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9:         tiff-%{version}-lzw-CVE-2009-2285.patch
@ -107,6 +108,7 @@ the libtiff library.
 %patch8 -p1
 %patch9 -p1
 %patch10
+%patch11
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755