diff --git a/tiff-4.0.8.tar.gz b/tiff-4.0.8.tar.gz deleted file mode 100644 index bba6cd6..0000000 --- a/tiff-4.0.8.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:59d7a5a8ccd92059913f246877db95a2918e6c04fb9d43fd74e5c3390dac2910 -size 2065574 diff --git a/tiff-4.0.9.tar.gz b/tiff-4.0.9.tar.gz new file mode 100644 index 0000000..c0cd671 --- /dev/null +++ b/tiff-4.0.9.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd +size 2305681 diff --git a/tiff.changes b/tiff.changes index ede2842..df6e196 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,7 +1,274 @@ +------------------------------------------------------------------- +Wed Nov 29 09:08:42 UTC 2017 - fstrba@suse.com + +- Upgrade to upstream release 4.0.9 + * Changes in the software configuration: + + test/Makefile.am: Add some tests for tiff2bw. + + .appveyor.yml, .travis.yml, build/travis-ci: apply patches + 0001-ci-Travis-script-improvements.patch and + 0002-ci-Invoke-helper-script-via-shell.patch by Roger Leigh + + .travis.yml, build/travis-ci: new files from + 0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch + by Roger Leigh. This patch adds support for the Travis-CI + service. + + .appveyor.yml: new file from + 0002-ci-Add-AppVeyor-support.patch by Roger Leigh (sent to + mailing list on 2017-06-08) This patch adds a .appveyor.yml + file to the top-level. This allows one to opt in to having a + branch built on Windows with Cygwin, MinGW and MSVC + automatically when a branch is pushed to GitHub, GitLab, + BitBucket or any other supported git hosting service. + + CMakeLists.txt, test/CMakeLists.txt, + test/TiffTestCommon.cmake: apply patch + 0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch from + Roger Leigh. This patch makes the CMake build system support + running the tests with MinGW or Cygwin. + + test/tiffcp-lzw-compat.sh, test/images/quad-lzw-compat.tiff: + new files to test old-style LZW decompression + + test/common.sh, Makefile.am, CMakeList.txt: updated with above + + test/Makefile.am: add missing reference to + images/quad-lzw-compat.tiff to fix "make distcheck". Patch by + Roger Leigh + + nmake.opt: support a DEBUG=1 option, so as to adjust OPTFLAGS + and use /MDd runtime in debug mode. + * Changes in libtiff: + + libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping + to avoid int32 overflow in TIFFYCbCrtoRGB(). Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 + + libtiff/tif_getimage.c: initYCbCrConversion(): stricter + validation for refBlackWhite coefficients values. To avoid + invalid float->int32 conversion (when refBlackWhite[0] == + 2147483648.f) Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 + + libtiff/tif_dirinfo.c, tif_dirread.c: add + _TIFFCheckFieldIsValidForCodec(), and use it in + TIFFReadDirectory() so as to ignore fields whose tag is a + codec-specified tag but this codec is not enabled. This avoids + TIFFGetField() to behave differently depending on whether the + codec is enabled or not, and thus can avoid stack based buffer + overflows in a number of TIFF utilities such as tiffsplit, + tiffcmp, thumbnail, etc. Patch derived from + 0063-Handle-properly-CODEC-specific-tags.patch + (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaƫl + Hertzog. + Fixes: http://bugzilla.maptools.org/show_bug.cgi?id=2580 + http://bugzilla.maptools.org/show_bug.cgi?id=2693 + http://bugzilla.maptools.org/show_bug.cgi?id=2625 + (CVE-2016-10095, bsc#1017690) + http://bugzilla.maptools.org/show_bug.cgi?id=2564 + (CVE-2015-7554, bsc#960341) + http://bugzilla.maptools.org/show_bug.cgi?id=2561 + (CVE-2016-5318, bsc#983436) + http://bugzilla.maptools.org/show_bug.cgi?id=2499 + (CVE-2014-8128, bsc#969783) + http://bugzilla.maptools.org/show_bug.cgi?id=2441 + http://bugzilla.maptools.org/show_bug.cgi?id=2433 + + libtiff/tif_swab.c: if DISABLE_CHECK_TIFFSWABMACROS is + defined, do not do the #ifdef TIFFSwabXXX checks. Make it + easier for GDAL to rename the symbols of its internal libtiff + copy. + + libtiff/tif_dirread.c: fix regression of libtiff 4.0.8 in + ChopUpSingleUncompressedStrip() regarding update of newly + single-strip uncompressed files whose bytecount is 0. Before + the change of 2016-12-03, the condition bytecount==0 used to + trigger an early exit/disabling of strip chop. Re-introduce + that in update mode. Otherwise this cause later incorrect + setting for the value of StripByCounts/StripOffsets. + (https://trac.osgeo.org/gdal/ticket/6924) + + libtiff/tif_dirread.c: TIFFFetchStripThing(): limit the + number of items read in StripOffsets/StripByteCounts tags to + the number of strips to avoid excessive memory allocation. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215 + + libtiff/tif_getimage.c: avoid many (harmless) unsigned int + overflows. + + libtiff/tif_fax3.c: avoid unsigned int overflow in + Fax3Encode2DRow(). Could potentially be a bug with huge rows. + + libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on + tiled images. + + libtiff/tif_dirread.c: avoid unsigned int overflow in + EstimateStripByteCounts() and BYTECOUNTLOOKSBAD when file is + too short. + + libtiff/tif_predict.c: decorate legitimate functions where + unsigned int overflow occur with + TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW + + libtiff/tif_dirread.c: avoid unsigned int overflow in + EstimateStripByteCounts() + + libtiff/tiffiop.h: add TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW + macro to disable CLang warnings raised by + -fsanitize=undefined,unsigned-integer-overflow + + libtiff/tif_jpeg.c: add anti-denial of service measure to + avoid excessive CPU consumption on progressive JPEGs with a + huge number of scans. See + http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf + Note: only affects libtiff since 2014-12-29 where support of + non-baseline JPEG was added. + + libtiff/tif_jpeg.c: error out at decoding time if anticipated + libjpeg memory allocation is above 100 MB. libjpeg in case of + multiple scans, which is allowed even in baseline JPEG, if + components are spread over several scans and not + interleavedin a single one, needs to allocate memory (or + backing store) for the whole strip/tile. See + http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf + This limitation may be overriden by setting the + LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or + recompiling libtiff with a custom value of + TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro. + + libtiff/tif_jbig.c: fix memory leak in error code path of + JBIGDecode() + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 + (CVE-2017-9936, bsc#1046073) + + libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that + a double value can fit in a float before casting. + + libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c, + libtiff/tif_read.c: make TIFFReadScanline() works in + CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple + scans. Also make configurable through a + LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER environment variable the + maximum number of scans allowed. Defaults to 100. + + libtiff/tif_read.c: TIFFFillTile(): add limitation to the + number of bytes read in case td_stripbytecount[strip] is + bigger than reasonable, so as to avoid excessive memory + allocation (similarly to what was done for TIFFFileStrip() on + 2017-05-10) + + libtiff/tif_getimage.c: use + _TIFFReadEncodedStripAndAllocBuffer(). Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2708 and + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 + + libtiff/tif_read.c, tiffiop.h: add a + _TIFFReadEncodedStripAndAllocBuffer() function, variant of + TIFFReadEncodedStrip() that allocates the decoded buffer only + after a first successful TIFFFillStrip(). This avoids + excessive memory allocation on corrupted files. + + libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() + functions associated with LONG8/SLONG8 data type, replace + assertion that the file is BigTIFF, by a non-fatal error. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 + + libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to + tif_rawdataloaded when it is set. Similarly to + TIFFStartStrip(). This issue was revealed by the change of + 2017-06-30 in TIFFFileTile(), limiting the number of bytes + read. But it could probably have been hit too in + CHUNKY_STRIP_READ_SUPPORT mode previously. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454 + + libtiff/tif_error.c, tif_warning.c: correctly use va_list + when both an old-style and new-style warning/error handlers + are installed. Patch by Paavo Helde (sent on the mailing list) + + libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470 + + libtiff/tif_read.c, tiffiop.h: add a + _TIFFReadEncodedTileAndAllocBuffer() and + _TIFFReadTileAndAllocBuffer() variants of + TIFFReadEncodedTile() and TIFFReadTile() that allocates the + decoded buffer only after a first successful TIFFFillTile(). + This avoids excessive memory allocation on corrupted files. + + libtiff/tif_pixarlog.c: avoid excessive memory allocation on + decoding when RowsPerStrip tag is not defined (and thus + td_rowsperstrip == UINT_MAX) Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554 + + libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of + old-style LZW compressed files. + + libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte + LZW strips. Crashing issue only on memory mapped files, where + the strip offset is the last byte of the file, and the file + size is a multiple of one page size on the CPU architecture + (typically 4096) + + libtiff/tif_dir.c: avoid potential null pointer dereference + in _TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag + instance. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713 + + tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" + mode on PlanarConfig=Contig input images. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2715 + + libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile(). + Complementary fix for + http://bugzilla.maptools.org/show_bug.cgi?id=2708 in the + isMapped() case, so as to avoid excessive memory allocation + when we need a temporary buffer but the file is truncated. + + libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the + arrays that hold StripOffsets/StripByteCounts, when they are + smaller than the expected number of striles, up to 1 million + striles, and error out beyond. Can be tweaked by setting the + environment variable LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. + This partially goes against a change added on 2002-12-17 to + accept those arrays of wrong sizes, but is needed to avoid + denial of services. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 + + libtiff/tif_read.c: add protection against excessive memory + allocation attempts in TIFFReadDirEntryArray() on short files. + Effective for mmap'ed case. And non-mmap'ed case, but + restricted to 64bit builds. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2675 + + libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory + allocation when RowsPerStrip tag is missing. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683 + + libtiff/tif_getimage.c: gtTileContig() and gtTileSeparate(): + properly break from loops on error when stoponerr is set, + instead of going on iterating on row based loop. + + libtiff/tif_getimage.c: fix fromskew computation when + to-be-skipped pixel number is not a multiple of the horizontal + subsampling, and also in some other cases. Impact + putcontig8bitYCbCr44tile, putcontig8bitYCbCr42tile, + putcontig8bitYCbCr41tile, putcontig8bitYCbCr21tile and + putcontig8bitYCbCr12tile Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2637 and + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691 + + libtiff/tif_luv.c: further reduce memory requirements for + temporary buffer when RowsPerStrip >= image_length in + LogLuvInitState() and LogL16InitState(). Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700 + + libtiff/tif_dirwrite.c: replace assertion related to not + finding the SubIFD tag by runtime check (in + TIFFWriteDirectorySec()) Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2727 + + libtiff/tif_dirwrite.c: replace assertion to tag value not + fitting on uint32 when selecting the value of SubIFD tag by + runtime check (in TIFFWriteDirectoryTagSubifd()). Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2728 + + libtiff/tif_jpeg.c: accept reading the last strip of a JPEG + compressed file if the codestream height is larger than the + truncated height of the strip. Emit a warning in this + situation since this is non compliant. + + libtiff/tiffiop.h, tif_aux.c: redirect SeekOK() macro to a + _TIFFSeekoK() function that checks if the offset is not + bigger than INT64_MAX, so as to avoid a -1 error return code + of TIFFSeekFile() to match a required seek to UINT64_MAX/-1. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726 + + libtiff/tif_dirread.c: add NULL check to avoid likely false + positive null-pointer dereference warning by CLang Static + Analyzer. + + libtiff/libtiff.def: add TIFFReadRGBAStripExt and + TIFFReadRGBATileExt Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2735 + + libtiff/tif_jpeg.c: add compatibility with libjpeg-turbo + 1.5.2 that honours max_memory_to_use > 0. Cf + https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162 + + libtiff/tif_getimage.c: avoid floating point division by zero + in initCIELabConversion() Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3733 + * Changes in the tools: + + tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" + mode on PlanarConfig=Contig input images. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2715 + + tools/tiffset.c: fix setting a single value for the + ExtraSamples tag (and other tags with variable number of + values). So 'tiffset -s ExtraSamples 1 X'. This only worked + when setting 2 or more values, but not just one. + + tools/fax2tiff.c (_FAX_Client_Data): Pass FAX_Client_Data as + the client data. This client data is not used at all at the + moment, but it makes the most sense. Issue that the value of + client_data.fd was passed where a pointer is expected. + + tools/tiff2pdf.c (t2p_sample_realize_palette): Fix possible + arithmetic overflow in bounds checking code and eliminate + comparison between signed and unsigned type. + + tools/tiff2bw.c (main): Free memory allocated in the tiff2bw + program. This is in response to the report associated with + CVE-2017-16232, bsc#1069213 but does not solve the extremely + high memory usage with the associated POC file. + ------------------------------------------------------------------- Tue Jun 20 08:15:57 UTC 2017 - fstrba@suse.com -- Upgrade to upstream relaase 4.0.8 +- Upgrade to upstream release 4.0.8 * libtiff/tif_getimage.c, libtiff/tif_open.c + add parenthesis to fix cppcheck clarifyCalculation warnings * libtiff/tif_predict.c, libtiff/tif_print.c diff --git a/tiff.spec b/tiff.spec index efa0750..7d7b46c 100644 --- a/tiff.spec +++ b/tiff.spec @@ -17,7 +17,7 @@ Name: tiff -Version: 4.0.8 +Version: 4.0.9 Release: 0 Summary: Tools for Converting from and to the Tagged Image File Format License: HPND