- fixed CVE-2010-2065

* integer-overflow.patch * NULL-deref.patch and out of bounds read * oob-read.patch OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=17
2010-06-23 08:48:20 +00:00 · 2010-06-23 08:48:20 +00:00 · 534e709f59
commit 534e709f59
parent 647ea5477d
5 changed files with 63 additions and 0 deletions
--- a/tiff-3.9.2-NULL-deref.patch
+++ b/tiff-3.9.2-NULL-deref.patch
@ -0,0 +1,19 @@
 Index: libtiff/tif_ojpeg.c
 ===================================================================
 RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
 retrieving revision 1.24.2.5
 retrieving revision 1.24.2.6
 diff -u -p -r1.24.2.5 -r1.24.2.6
 --- libtiff/tif_ojpeg.c	8 Jun 2010 18:50:42 -0000	1.24.2.5
 +++ libtiff/tif_ojpeg.c	8 Jun 2010 23:29:51 -0000	1.24.2.6
@@ -1909,6 +1909,10 @@ OJPEGReadBufferFill(OJPEGState* sp)
 					sp->in_buffer_source=osibsEof;
 				else
 				{
 +					if (sp->tif->tif_dir.td_stripoffset == 0) {
 +						TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip offsets are missing");
 +						return(0);
 +					}
 					sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];  
 					if (sp->in_buffer_file_pos!=0)
 					{
--- a/tiff-3.9.2-integer-overflow.patch
+++ b/tiff-3.9.2-integer-overflow.patch
@ -0,0 +1,17 @@
 Index: libtiff/tif_read.c
 ===================================================================
 RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
 retrieving revision 1.16.2.1
 retrieving revision 1.16.2.2
 diff -u -p -r1.16.2.1 -r1.16.2.2
 --- libtiff/tif_read.c	8 Jun 2010 18:50:43 -0000	1.16.2.1
 +++ libtiff/tif_read.c	8 Jun 2010 23:29:51 -0000	1.16.2.2
@@ -609,7 +610,7 @@ TIFFReadBufferSetup(TIFF* tif, tdata_t b
 		tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
 		tif->tif_flags |= TIFF_MYBUFFER;
 	}
 -	if (tif->tif_rawdata == NULL) {
 +	if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) {
 		TIFFErrorExt(tif->tif_clientdata, module,
 		    "%s: No space for data buffer at scanline %ld",
 		    tif->tif_name, (long) tif->tif_row);
--- a/tiff-3.9.2-oob-read.patch
+++ b/tiff-3.9.2-oob-read.patch
@ -0,0 +1,12 @@
 diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
 --- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
 +++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-11 12:06:47.000000000 -0400
@@ -2397,7 +2397,7 @@
 			}
 			break;
 		case PHOTOMETRIC_YCBCR:
 -			if (img->bitspersample == 8)
 +			if ((img->bitspersample==8) && (img->samplesperpixel==3))
 			{
 				if (initYCbCrConversion(img)!=0)
 				{
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Wed Jun 23 10:32:01 CEST 2010 - pgajdos@suse.cz
 - fixed CVE-2010-2065
  * integer-overflow.patch
  * NULL-deref.patch
  and out of bounds read
  * oob-read.patch
 -------------------------------------------------------------------
 Mon Apr 26 15:07:09 CEST 2010 - pgajdos@suse.cz
--- a/tiff.spec
+++ b/tiff.spec
@ -36,6 +36,9 @@ Source2:        README.SUSE
 Source3:        baselibs.conf
 Patch2:         tiff-%{version}-seek.patch
 Patch3:         tiff-%{version}-tiff2pdf-colors.patch
 Patch4:         tiff-%{version}-NULL-deref.patch
 Patch5:         tiff-%{version}-integer-overflow.patch
 Patch6:         tiff-%{version}-oob-read.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9:         tiff-%{version}-lzw-CVE-2009-2285.patch
@ -97,6 +100,9 @@ the libtiff library.
 %setup -q 
 %patch2
 %patch3 -p1
 %patch4
 %patch5
 %patch6 -p1
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755