From aba273877996c667ab5a36d67b8f6d7e84dfee106f00e68697cc38741be8d17b Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Fri, 13 Jan 2017 10:10:49 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=94 --- tiff-4.0.7-CVE-2017-5225.patch | 54 ++++++++++++++++++++++++++++++++++ tiff.changes | 8 +++++ tiff.spec | 6 +++- 3 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 tiff-4.0.7-CVE-2017-5225.patch diff --git a/tiff-4.0.7-CVE-2017-5225.patch b/tiff-4.0.7-CVE-2017-5225.patch new file mode 100644 index 0000000..502c606 --- /dev/null +++ b/tiff-4.0.7-CVE-2017-5225.patch @@ -0,0 +1,54 @@ +--- tiff-4.0.7/tools/tiffcp.c 2016-10-12 03:45:17.405273596 +0200 ++++ tiff-4.0.7/tools/tiffcp.c 2017-01-13 10:56:23.389485957 +0100 +@@ -592,7 +592,7 @@ + static int + tiffcp(TIFF* in, TIFF* out) + { +- uint16 bitspersample, samplesperpixel = 1; ++ uint16 bitspersample = 1, samplesperpixel = 1; + uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; + copyFunc cf; + uint32 width, length; +@@ -1068,6 +1068,16 @@ + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpContig2SeparateByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1121,6 +1131,16 @@ + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpSeparate2ContigByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1763,7 +1783,7 @@ + uint32 w, l, tw, tl; + int bychunk; + +- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); ++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); + if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { + fprintf(stderr, + "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", diff --git a/tiff.changes b/tiff.changes index 26c9154..ac62d2a 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Jan 13 10:03:25 UTC 2017 - fstrba@suse.com + +- Added patch: + * tiff-4.0.7-CVE-2017-5225.patch + - Upstream fix for CVE-2017-5225, bsc#1019611: heap buffer + overflow in tools/tiffcp via a crafted BitsPerSample value + ------------------------------------------------------------------- Mon Dec 19 10:09:38 UTC 2016 - jengelh@inai.de diff --git a/tiff.spec b/tiff.spec index 5690ed0..cf81ff2 100644 --- a/tiff.spec +++ b/tiff.spec @@ -1,7 +1,7 @@ # # spec file for package tiff # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,6 +31,9 @@ Patch0: tiff-4.0.3-seek.patch Patch1: tiff-4.0.3-compress-warning.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2508 Patch3: tiff-4.0.7-CVE-2015-7554.patch +# http://bugzilla.maptools.org/show_bug.cgi?id=2656 and +# http://bugzilla.maptools.org/show_bug.cgi?id=2657 +Patch4: tiff-4.0.7-CVE-2017-5225.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel @@ -95,6 +98,7 @@ the libtiff library. %patch0 -p1 %patch1 -p1 %patch3 +%patch4 -p1 %build CFLAGS="%{optflags} -fPIE"