Accepting request 670119 from home:pgajdos

- extend tiff-CVE-2018-19210.patch and rename it to tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11] * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606] OBS-URL: https://build.opensuse.org/request/show/670119 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=135
2019-01-30 13:03:18 +00:00 · 2019-01-30 13:03:18 +00:00 · 6232377d76
commit 6232377d76
parent 252bc8dd8e
4 changed files with 63 additions and 15 deletions
--- a/tiff-CVE-2018-17000,19210.patch
+++ b/tiff-CVE-2018-17000,19210.patch
@ -0,0 +1,55 @@
+Index: tiff-4.0.10/libtiff/tif_dirwrite.c
+===================================================================
+--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c	2018-06-24 22:26:30.335763566 +0200
+++ tiff-4.0.10/libtiff/tif_dirwrite.c	2018-11-19 14:21:42.703256410 +0100
+@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
+ 	}
+ 	m=(1<<tif->tif_dir.td_bitspersample);
+ 	n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
+        if (tif->tif_dir.td_transferfunction[2] == NULL ||
+            tif->tif_dir.td_transferfunction[1] == NULL)
+          n = 1;
+ 	/*
+ 	 * Check if the table can be written as a single column,
+ 	 * or if it must be written as 3 columns.  Note that we
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 6f0b48798bdeee91729c10e1fbcf9786234be5f3..078fbcec20677f19f7f967a4834011fe60df1df3 100644
+--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
+@@ -285,6 +285,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+                 _TIFFfree(td->td_smaxsamplevalue);
+                 td->td_smaxsamplevalue = NULL;
+             }
+            /* Test if 3 transfer functions instead of just one are now needed
+               See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
+            if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
+                !(td->td_samplesperpixel - td->td_extrasamples > 1))
+            {
+                    TIFFWarningExt(tif->tif_clientdata,module,
+                        "SamplesPerPixel tag value is changing, "
+                        "but TransferFunction was read with a different value. Cancelling it");
+                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+                    _TIFFfree(td->td_transferfunction[0]);
+                    td->td_transferfunction[0] = NULL;
+            }
+         }
+ 		td->td_samplesperpixel = (uint16) v;
+ 		break;
+@@ -361,6 +373,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ 		_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ 		break;
+ 	case TIFFTAG_EXTRASAMPLES:
+            if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) &&
+                 !(td->td_samplesperpixel - td->td_extrasamples > 1))
+            {
+                    TIFFWarningExt(tif->tif_clientdata,module,
+                        "ExtraSamples tag value is changing, "
+                        "but TransferFunction was read with a different value. Cancelling it");
+                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+                    _TIFFfree(td->td_transferfunction[0]);
+                    td->td_transferfunction[0] = NULL;
+            }
+ 		if (!setExtraSamples(td, ap, &v))
+ 			goto badvalue;
+ 		break;
+
--- a/tiff-CVE-2018-19210.patch
+++ b/tiff-CVE-2018-19210.patch
@ -1,14 +0,0 @@
-Index: tiff-4.0.10/libtiff/tif_dirwrite.c
-===================================================================
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c	2018-06-24 22:26:30.335763566 +0200
-+++ tiff-4.0.10/libtiff/tif_dirwrite.c	2018-11-19 14:21:42.703256410 +0100
-@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
- 	}
- 	m=(1<<tif->tif_dir.td_bitspersample);
- 	n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
-+        if (tif->tif_dir.td_transferfunction[2] == NULL ||
-+            tif->tif_dir.td_transferfunction[1] == NULL)
-+          n = 1;
- 	/*
- 	 * Check if the table can be written as a single column,
- 	 * or if it must be written as 3 columns.  Note that we
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Jan 30 12:47:58 UTC 2019 - Petr Gajdos <pgajdos@suse.com>
+
+- extend tiff-CVE-2018-19210.patch and rename it to
+  tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11]
+  * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]
+
 -------------------------------------------------------------------
 Wed Jan 30 10:12:37 UTC 2019 - Petr Gajdos <pgajdos@suse.com>

--- a/tiff.spec
+++ b/tiff.spec
@ -34,7 +34,7 @@ Patch1:         tiff-4.0.3-compress-warning.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2798
 # https://gitlab.com/libtiff/libtiff/merge_requests/44
 Patch2:         tiff-CVE-2018-12900.patch
-Patch3:         tiff-CVE-2018-19210.patch
+Patch3:         tiff-CVE-2018-17000,19210.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libjbig-devel
 BuildRequires:  libjpeg-devel