Accepting request 449993 from graphics

CVE-2017-5225 OBS-URL: https://build.opensuse.org/request/show/449993 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=64
2017-01-18 20:29:04 +00:00 · 2017-01-18 20:29:04 +00:00 · 87c6419082
commit 87c6419082
parent f8131dbb44 aba2738779
3 changed files with 67 additions and 1 deletions
--- a/tiff-4.0.7-CVE-2017-5225.patch
+++ b/tiff-4.0.7-CVE-2017-5225.patch
@ -0,0 +1,54 @@
+--- tiff-4.0.7/tools/tiffcp.c	2016-10-12 03:45:17.405273596 +0200
+++ tiff-4.0.7/tools/tiffcp.c	2017-01-13 10:56:23.389485957 +0100
+@@ -592,7 +592,7 @@
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+-	uint16 bitspersample, samplesperpixel = 1;
+	uint16 bitspersample = 1, samplesperpixel = 1;
+ 	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ 	copyFunc cf;
+ 	uint32 width, length;
+@@ -1068,6 +1068,16 @@
+ 	register uint32 n;
+ 	uint32 row;
+ 	tsample_t s;
+	uint16 bps = 0;
+
+	(void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+	if( bps != 8 )
+	{
+		TIFFError(TIFFFileName(in),
+		          "Error, can only handle BitsPerSample=8 in %s",
+		          "cpContig2SeparateByRow");
+		return 0;
+	}
+ 
+ 	inbuf = _TIFFmalloc(scanlinesizein);
+ 	outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1121,6 +1131,16 @@
+ 	register uint32 n;
+ 	uint32 row;
+ 	tsample_t s;
+	uint16 bps = 0;
+
+	(void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+	if( bps != 8 )
+	{
+		TIFFError(TIFFFileName(in),
+		          "Error, can only handle BitsPerSample=8 in %s",
+		          "cpSeparate2ContigByRow");
+		return 0;
+	}
+ 
+ 	inbuf = _TIFFmalloc(scanlinesizein);
+ 	outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1763,7 +1783,7 @@
+ 	uint32 w, l, tw, tl;
+ 	int bychunk;
+ 
+-	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
+	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+ 	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+ 		fprintf(stderr,
+ 		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jan 13 10:03:25 UTC 2017 - fstrba@suse.com
+
+- Added patch:
+  * tiff-4.0.7-CVE-2017-5225.patch
+    - Upstream fix for CVE-2017-5225, bsc#1019611: heap buffer
+      overflow in tools/tiffcp via a crafted BitsPerSample value
+
 -------------------------------------------------------------------
 Mon Dec 19 10:09:38 UTC 2016 - jengelh@inai.de

--- a/tiff.spec
+++ b/tiff.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tiff
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -31,6 +31,9 @@ Patch0:         tiff-4.0.3-seek.patch
 Patch1:         tiff-4.0.3-compress-warning.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2508
 Patch3:         tiff-4.0.7-CVE-2015-7554.patch
+# http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+# http://bugzilla.maptools.org/show_bug.cgi?id=2657
+Patch4:         tiff-4.0.7-CVE-2017-5225.patch

 BuildRequires:  gcc-c++
 BuildRequires:  libjpeg-devel
@ -95,6 +98,7 @@ the libtiff library.
 %patch0 -p1
 %patch1 -p1
 %patch3
+%patch4 -p1

 %build
 CFLAGS="%{optflags} -fPIE"