From a4befe7391841409902ede381ebc2a8b4157f0b31f77d169e0f58220b3bed096 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Mon, 11 Jan 2016 10:12:16 +0000 Subject: [PATCH 1/2] tiff bugzilla #2508 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=72 --- tiff-4.0.6-nextdecode-oob.patch | 36 +++++++++++++++++++++++++++++++++ tiff.changes | 9 +++++++++ tiff.spec | 5 ++++- 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 tiff-4.0.6-nextdecode-oob.patch diff --git a/tiff-4.0.6-nextdecode-oob.patch b/tiff-4.0.6-nextdecode-oob.patch new file mode 100644 index 0000000..263abc1 --- /dev/null +++ b/tiff-4.0.6-nextdecode-oob.patch @@ -0,0 +1,36 @@ +--- libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16 ++++ libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18 +@@ -37,7 +37,7 @@ + case 0: op[0] = (unsigned char) ((v) << 6); break; \ + case 1: op[0] |= (v) << 4; break; \ + case 2: op[0] |= (v) << 2; break; \ +- case 3: *op++ |= (v); break; \ ++ case 3: *op++ |= (v); op_offset++; break; \ + } \ + } + +@@ -103,6 +103,7 @@ + } + default: { + uint32 npixels = 0, grey; ++ tmsize_t op_offset = 0; + uint32 imagewidth = tif->tif_dir.td_imagewidth; + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; +@@ -122,10 +123,15 @@ + * bounds, potentially resulting in a security + * issue. + */ +- while (n-- > 0 && npixels < imagewidth) ++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) + SETPIXEL(op, grey); + if (npixels >= imagewidth) + break; ++ if (op_offset >= scanline ) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", ++ (long) tif->tif_row); ++ return (0); ++ } + if (cc == 0) + goto bad; + n = *bp++, cc--; diff --git a/tiff.changes b/tiff.changes index 2e3ae43..1ba2d68 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Mon Jan 11 09:48:49 UTC 2016 - fstrba@suse.com + +- Added patch: + * tiff-4.0.6-nextdecode-oob.patch + - Fix potential out-of-bound write in NeXTDecode() triggered by + http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif (#2508, + bsc#942690) + ------------------------------------------------------------------- Tue Dec 8 15:55:30 UTC 2015 - p.drouand@gmail.com diff --git a/tiff.spec b/tiff.spec index f7f9988..bbb68b0 100644 --- a/tiff.spec +++ b/tiff.spec @@ -1,7 +1,7 @@ # # spec file for package tiff # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,6 +29,8 @@ Source3: baselibs.conf Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch +# http://bugzilla.maptools.org/show_bug.cgi?id=2508 +Patch2: tiff-4.0.6-nextdecode-oob.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: libtool @@ -94,6 +96,7 @@ the libtiff library. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p0 %build CFLAGS="%{optflags} -fPIE" From 616d19b8b7697bdaabf22d77648bcd0650052223dd216f05ebbaa6aa4e55e561 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 13 Jan 2016 17:00:35 +0000 Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=73 --- ... => tiff-4.0.4-uninitialized_mem_NeXTDecode.patch | 12 ++++++------ tiff.changes | 10 ++++------ tiff.spec | 7 ++----- 3 files changed, 12 insertions(+), 17 deletions(-) rename tiff-4.0.6-nextdecode-oob.patch => tiff-4.0.4-uninitialized_mem_NeXTDecode.patch (85%) diff --git a/tiff-4.0.6-nextdecode-oob.patch b/tiff-4.0.4-uninitialized_mem_NeXTDecode.patch similarity index 85% rename from tiff-4.0.6-nextdecode-oob.patch rename to tiff-4.0.4-uninitialized_mem_NeXTDecode.patch index 263abc1..1c4b9ef 100644 --- a/tiff-4.0.6-nextdecode-oob.patch +++ b/tiff-4.0.4-uninitialized_mem_NeXTDecode.patch @@ -1,5 +1,5 @@ --- libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16 -+++ libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18 ++++ libtiff/tif_next.c 27 Dec 2015 16:55:20 -0000 1.17 @@ -37,7 +37,7 @@ case 0: op[0] = (unsigned char) ((v) << 6); break; \ case 1: op[0] |= (v) << 4; break; \ @@ -9,14 +9,14 @@ } \ } -@@ -103,6 +103,7 @@ - } - default: { - uint32 npixels = 0, grey; -+ tmsize_t op_offset = 0; +@@ -106,6 +106,7 @@ uint32 imagewidth = tif->tif_dir.td_imagewidth; if( isTiled(tif) ) imagewidth = tif->tif_dir.td_tilewidth; ++ tmsize_t op_offset = 0; + + /* + * The scanline is composed of a sequence of constant @@ -122,10 +123,15 @@ * bounds, potentially resulting in a security * issue. diff --git a/tiff.changes b/tiff.changes index 1ba2d68..9b70785 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,11 +1,9 @@ ------------------------------------------------------------------- -Mon Jan 11 09:48:49 UTC 2016 - fstrba@suse.com +Mon Jan 11 13:53:42 UTC 2016 - kstreitova@suse.com -- Added patch: - * tiff-4.0.6-nextdecode-oob.patch - - Fix potential out-of-bound write in NeXTDecode() triggered by - http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif (#2508, - bsc#942690) +- add tiff-4.0.4-uninitialized_mem_NeXTDecode.patch to fix + uninitialized memory in NeXTDecode (upstream bug #2508) + [bnc#942690] ------------------------------------------------------------------- Tue Dec 8 15:55:30 UTC 2015 - p.drouand@gmail.com diff --git a/tiff.spec b/tiff.spec index bbb68b0..0137efb 100644 --- a/tiff.spec +++ b/tiff.spec @@ -30,14 +30,11 @@ Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2508 -Patch2: tiff-4.0.6-nextdecode-oob.patch +Patch2: tiff-4.0.4-uninitialized_mem_NeXTDecode.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: libtool BuildRequires: zlib-devel -# FYI: this issue is solved another way -# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 -# Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} > 1030 BuildRequires: lzma-devel @@ -96,7 +93,7 @@ the libtiff library. %setup -q %patch0 -p1 %patch1 -p1 -%patch2 -p0 +%patch2 %build CFLAGS="%{optflags} -fPIE"