- fixed CVE-2010-2065

* integer-overflow.patch * NULL-deref.patch and out of bounds read * oob-read.patch OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=17
2010-06-23 08:48:20 +00:00 · 2010-06-23 08:48:20 +00:00 · 534e709f59
commit 534e709f59
parent 647ea5477d
5 changed files with 63 additions and 0 deletions
--- a/tiff-3.9.2-NULL-deref.patch
+++ b/tiff-3.9.2-NULL-deref.patch
@ -0,0 +1,19 @@
+Index: libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.24.2.5
+retrieving revision 1.24.2.6
+diff -u -p -r1.24.2.5 -r1.24.2.6
+--- libtiff/tif_ojpeg.c	8 Jun 2010 18:50:42 -0000	1.24.2.5
+++ libtiff/tif_ojpeg.c	8 Jun 2010 23:29:51 -0000	1.24.2.6
+@@ -1909,6 +1909,10 @@ OJPEGReadBufferFill(OJPEGState* sp)
+ 					sp->in_buffer_source=osibsEof;
+ 				else
+ 				{
+					if (sp->tif->tif_dir.td_stripoffset == 0) {
+						TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip offsets are missing");
+						return(0);
+					}
+ 					sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];  
+ 					if (sp->in_buffer_file_pos!=0)
+ 					{
--- a/tiff-3.9.2-integer-overflow.patch
+++ b/tiff-3.9.2-integer-overflow.patch
@ -0,0 +1,17 @@
+Index: libtiff/tif_read.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.16.2.1
+retrieving revision 1.16.2.2
+diff -u -p -r1.16.2.1 -r1.16.2.2
+--- libtiff/tif_read.c	8 Jun 2010 18:50:43 -0000	1.16.2.1
+++ libtiff/tif_read.c	8 Jun 2010 23:29:51 -0000	1.16.2.2
+@@ -609,7 +610,7 @@ TIFFReadBufferSetup(TIFF* tif, tdata_t b
+ 		tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
+ 		tif->tif_flags |= TIFF_MYBUFFER;
+ 	}
+-	if (tif->tif_rawdata == NULL) {
+	if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) {
+ 		TIFFErrorExt(tif->tif_clientdata, module,
+ 		    "%s: No space for data buffer at scanline %ld",
+ 		    tif->tif_name, (long) tif->tif_row);
--- a/tiff-3.9.2-oob-read.patch
+++ b/tiff-3.9.2-oob-read.patch
@ -0,0 +1,12 @@
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-11 12:06:47.000000000 -0400
+@@ -2397,7 +2397,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_YCBCR:
+-			if (img->bitspersample == 8)
+			if ((img->bitspersample==8) && (img->samplesperpixel==3))
+ 			{
+ 				if (initYCbCrConversion(img)!=0)
+ 				{
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jun 23 10:32:01 CEST 2010 - pgajdos@suse.cz
+
+- fixed CVE-2010-2065
+  * integer-overflow.patch
+  * NULL-deref.patch
+  and out of bounds read
+  * oob-read.patch
+
 -------------------------------------------------------------------
 Mon Apr 26 15:07:09 CEST 2010 - pgajdos@suse.cz

--- a/tiff.spec
+++ b/tiff.spec
@ -36,6 +36,9 @@ Source2:        README.SUSE
 Source3:        baselibs.conf
 Patch2:         tiff-%{version}-seek.patch
 Patch3:         tiff-%{version}-tiff2pdf-colors.patch
+Patch4:         tiff-%{version}-NULL-deref.patch
+Patch5:         tiff-%{version}-integer-overflow.patch
+Patch6:         tiff-%{version}-oob-read.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9:         tiff-%{version}-lzw-CVE-2009-2285.patch
@ -97,6 +100,9 @@ the libtiff library.
 %setup -q 
 %patch2
 %patch3 -p1
+%patch4
+%patch5
+%patch6 -p1
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755