Accepting request 670119 from home:pgajdos

- extend tiff-CVE-2018-19210.patch and rename it to
  tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11]
  * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]

OBS-URL: https://build.opensuse.org/request/show/670119
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=135
This commit is contained in:
Michael Vetter 2019-01-30 13:03:18 +00:00 committed by Git OBS Bridge
parent 252bc8dd8e
commit 6232377d76
4 changed files with 63 additions and 15 deletions

View File

@ -0,0 +1,55 @@
Index: tiff-4.0.10/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200
+++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100
@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
}
m=(1<<tif->tif_dir.td_bitspersample);
n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
+ tif->tif_dir.td_transferfunction[1] == NULL)
+ n = 1;
/*
* Check if the table can be written as a single column,
* or if it must be written as 3 columns. Note that we
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 6f0b48798bdeee91729c10e1fbcf9786234be5f3..078fbcec20677f19f7f967a4834011fe60df1df3 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -285,6 +285,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
_TIFFfree(td->td_smaxsamplevalue);
td->td_smaxsamplevalue = NULL;
}
+ /* Test if 3 transfer functions instead of just one are now needed
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
+ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "SamplesPerPixel tag value is changing, "
+ "but TransferFunction was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+ _TIFFfree(td->td_transferfunction[0]);
+ td->td_transferfunction[0] = NULL;
+ }
}
td->td_samplesperpixel = (uint16) v;
break;
@@ -361,6 +373,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
break;
case TIFFTAG_EXTRASAMPLES:
+ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) &&
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "ExtraSamples tag value is changing, "
+ "but TransferFunction was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+ _TIFFfree(td->td_transferfunction[0]);
+ td->td_transferfunction[0] = NULL;
+ }
if (!setExtraSamples(td, ap, &v))
goto badvalue;
break;

View File

@ -1,14 +0,0 @@
Index: tiff-4.0.10/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200
+++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100
@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
}
m=(1<<tif->tif_dir.td_bitspersample);
n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
+ tif->tif_dir.td_transferfunction[1] == NULL)
+ n = 1;
/*
* Check if the table can be written as a single column,
* or if it must be written as 3 columns. Note that we

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Jan 30 12:47:58 UTC 2019 - Petr Gajdos <pgajdos@suse.com>
- extend tiff-CVE-2018-19210.patch and rename it to
tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11]
* solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jan 30 10:12:37 UTC 2019 - Petr Gajdos <pgajdos@suse.com> Wed Jan 30 10:12:37 UTC 2019 - Petr Gajdos <pgajdos@suse.com>

View File

@ -34,7 +34,7 @@ Patch1: tiff-4.0.3-compress-warning.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2798 # http://bugzilla.maptools.org/show_bug.cgi?id=2798
# https://gitlab.com/libtiff/libtiff/merge_requests/44 # https://gitlab.com/libtiff/libtiff/merge_requests/44
Patch2: tiff-CVE-2018-12900.patch Patch2: tiff-CVE-2018-12900.patch
Patch3: tiff-CVE-2018-19210.patch Patch3: tiff-CVE-2018-17000,19210.patch
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libjbig-devel BuildRequires: libjbig-devel
BuildRequires: libjpeg-devel BuildRequires: libjpeg-devel