diff --git a/tiff-3.9.2-NULL-deref.patch b/tiff-3.9.2-NULL-deref.patch
new file mode 100644
index 0000000..338532d
--- /dev/null
+++ b/tiff-3.9.2-NULL-deref.patch
@@ -0,0 +1,19 @@
+Index: libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.24.2.5
+retrieving revision 1.24.2.6
+diff -u -p -r1.24.2.5 -r1.24.2.6
+--- libtiff/tif_ojpeg.c 8 Jun 2010 18:50:42 -0000 1.24.2.5
++++ libtiff/tif_ojpeg.c 8 Jun 2010 23:29:51 -0000 1.24.2.6
+@@ -1909,6 +1909,10 @@ OJPEGReadBufferFill(OJPEGState* sp)
+ sp->in_buffer_source=osibsEof;
+ else
+ {
++ if (sp->tif->tif_dir.td_stripoffset == 0) {
++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip offsets are missing");
++ return(0);
++ }
+ sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];
+ if (sp->in_buffer_file_pos!=0)
+ {
diff --git a/tiff-3.9.2-integer-overflow.patch b/tiff-3.9.2-integer-overflow.patch
new file mode 100644
index 0000000..964a4aa
--- /dev/null
+++ b/tiff-3.9.2-integer-overflow.patch
@@ -0,0 +1,17 @@
+Index: libtiff/tif_read.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.16.2.1
+retrieving revision 1.16.2.2
+diff -u -p -r1.16.2.1 -r1.16.2.2
+--- libtiff/tif_read.c 8 Jun 2010 18:50:43 -0000 1.16.2.1
++++ libtiff/tif_read.c 8 Jun 2010 23:29:51 -0000 1.16.2.2
+@@ -609,7 +610,7 @@ TIFFReadBufferSetup(TIFF* tif, tdata_t b
+ tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
+ tif->tif_flags |= TIFF_MYBUFFER;
+ }
+- if (tif->tif_rawdata == NULL) {
++ if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: No space for data buffer at scanline %ld",
+ tif->tif_name, (long) tif->tif_row);
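Review bot: The added guard in the tif_ojpeg.c hunk checks only that td_stripoffset is non-null, while the index `sp->in_buffer_next_strile` used on the very next line is not range-checked anywhere in the hunk; the `else` branch presumably follows a comparison against the strile count that bounds it, but that should be confirmed, because a null check alone does not stop an out-of-bounds read of the offsets array. The strip byte-count array is filled by the same directory reader as the offsets and is likely dereferenced the same way a few lines below the hunk; if so, that access needs the same guard or the fix is only half applied. As a point of style, comparing a pointer with the integer literal `0` hides that this is a null check; `if (sp->tif->tif_dir.td_stripoffset == NULL) {` says what is meant. OJPEGReadBufferFill starts and ends outside the hunk.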
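Review bot: The tif_read.c hunk header `@@ -609,7 +610,7 @@` shows that upstream revision 1.16.2.2 also adds a net one line earlier in the file, and that earlier hunk is not carried in this patch; since the patch is labelled as the integer-overflow fix, the omitted part may hold the size check that keeps `tif_rawdatasize` from wrapping to 0 in the first place, so the extraction should be compared against the full upstream revision before it ships. With the check as written, a zero `tif_rawdatasize` after a successful `_TIFFmalloc(0)` leaves `tif->tif_rawdata` set and `TIFF_MYBUFFER` flagged while the function reports failure, which is only safe if the caller's normal teardown frees it; that path lies outside the hunk. The reused message also does not let a log reader tell a zero computed size from an allocation failure; a distinct text such as `"%s: Invalid (zero) data buffer size at scanline %ld"` for the new condition would make the overflow case diagnosable. TIFFReadBufferSetup starts and ends outside the hunk.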
diff --git a/tiff-3.9.2-oob-read.patch b/tiff-3.9.2-oob-read.patch
new file mode 100644
index 0000000..8f67f3c
--- /dev/null
+++ b/tiff-3.9.2-oob-read.patch
@@ -0,0 +1,12 @@
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400
+@@ -2397,7 +2397,7 @@
+ }
+ break;
+ case PHOTOMETRIC_YCBCR:
+- if (img->bitspersample == 8)
++ if ((img->bitspersample==8) && (img->samplesperpixel==3))
+ {
+ if (initYCbCrConversion(img)!=0)
+ {
diff --git a/tiff.changes b/tiff.changes
index 995bf05..ba0cfb0 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jun 23 10:32:01 CEST 2010 - pgajdos@suse.cz
+
+- fixed CVE-2010-2065
+ * integer-overflow.patch
+ * NULL-deref.patch
+ and out of bounds read
+ * oob-read.patch
+
 -------------------------------------------------------------------
 Mon Apr 26 15:07:09 CEST 2010 - pgajdos@suse.cz
diff --git a/tiff.spec b/tiff.spec
index 38ec934..c3d9b98 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -36,6 +36,9 @@ Source2: README.SUSE
 Source3: baselibs.conf
 Patch2: tiff-%{version}-seek.patch
 Patch3: tiff-%{version}-tiff2pdf-colors.patch
+Patch4: tiff-%{version}-NULL-deref.patch
+Patch5: tiff-%{version}-integer-overflow.patch
+Patch6: tiff-%{version}-oob-read.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -97,6 +100,9 @@ the libtiff library.
 %setup -q
 %patch2
 %patch3 -p1
+%patch4
+%patch5
+%patch6 -p1
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755
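Review bot: The tightened condition in the tif_getimage.c hunk sends any 8-bit YCbCr image whose samplesperpixel is not 3 (an extra alpha sample, for instance) past the conversion setup into whatever the `case` does afterwards, and that continuation is outside the hunk, so it should be confirmed that it ends in an explicit "not supported" error rather than proceeding with conversion state that was never initialised. The new requirement is also an unexplained magic number to the next maintainer; a one-line comment above the `if` such as `/* initYCbCrConversion() assumes exactly 3 samples (Y, Cb, Cr); other counts caused an out-of-bounds read, see tiff.changes */` records why it is there. As a point of style, the rewritten line dropped the spaces around `==` that the removed line had and added parentheses the expression does not need; `if (img->bitspersample == 8 && img->samplesperpixel == 3)` keeps the surrounding file's spacing. The enclosing switch and function start and end outside the hunk.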
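Review bot: The three new Patch lines in the first tiff.spec hunk give no hint which issue they address, unlike the commented-out Patch9 line whose filename carries its CVE, so a reader of the spec has to cross-reference tiff.changes to learn that Patch4 and Patch5 are the CVE-2010-2065 fixes and Patch6 a separate out-of-bounds read. A comment above Patch4 such as `# CVE-2010-2065 (NULL deref, integer overflow) and an out-of-bounds read in tif_getimage.c; see tiff.changes` keeps the security provenance next to the patch list where later audits will look for it. The differing strip levels in the second hunk (`%patch4` and `%patch5` without `-p1`, `%patch6 -p1`) match the headers of the respective patch files and need no change.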