diff --git a/tiff-CVE-2017-11613.patch b/tiff-CVE-2017-11613,CVE-2018-16335,15209.patch
similarity index 100%
rename from tiff-CVE-2017-11613.patch
rename to tiff-CVE-2017-11613,CVE-2018-16335,15209.patch
diff --git a/tiff-4.0.9-bsc1046077-CVE-2017-9935.patch b/tiff-CVE-2017-9935,CVE-2018-17795.patch
similarity index 100%
rename from tiff-4.0.9-bsc1046077-CVE-2017-9935.patch
rename to tiff-CVE-2017-9935,CVE-2018-17795.patch
diff --git a/tiff-CVE-2018-17100.patch b/tiff-CVE-2018-17100.patch
new file mode 100644
index 0000000..cb0c8a4
--- /dev/null
+++ b/tiff-CVE-2018-17100.patch
@@ -0,0 +1,27 @@
+Index: tiff-4.0.9/tools/ppm2tiff.c
+===================================================================
+--- tiff-4.0.9.orig/tools/ppm2tiff.c 2018-10-17 12:25:05.271940872 +0200
++++ tiff-4.0.9/tools/ppm2tiff.c 2018-10-17 12:26:15.468262130 +0200
+@@ -72,15 +72,16 @@ BadPPM(char* file)
+ exit(-2);
+ }
+
++
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- tmsize_t bytes = m1 * m2;
+-
+- if (m1 && bytes / m1 != m2)
+- bytes = 0;
+-
+- return bytes;
++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++ return 0;
++ return m1 * m2;
+ }
+
+ int
diff --git a/tiff-CVE-2018-17101.patch b/tiff-CVE-2018-17101.patch
new file mode 100644
index 0000000..fc00c0b
--- /dev/null
+++ b/tiff-CVE-2018-17101.patch
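Review bot: In tiff-CVE-2018-17100.patch the rewritten `multiply_ms` guard is only sound for non-negative operands: `tmsize_t` is signed, so with a negative `m1` the quotient `TIFF_TMSIZE_T_MAX / m1` is negative and a pair of large negative values passes the test and still overflows in `m1 * m2`. The callers are outside this hunk; if they can never pass negative sizes, state that in a comment, otherwise reject them in the guard: `if( m1 <= 0 || m2 < 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) return 0;`. The function also lacks a contract comment, e.g. `/* Returns m1 * m2, or 0 when an operand is 0 or the product would not fit in tmsize_t; callers must treat 0 as failure. */`. The patch file itself has no header naming the upstream commit or bug it was taken from, which makes later audits of the backport harder.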
@@ -0,0 +1,58 @@
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01fcf941..01d8502e 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index 05faba87..5bef3142 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
diff --git a/tiff.changes b/tiff.changes
index 89909d1..4fbb244 100644
--- a/tiff.changes
+++ b/tiff.changes
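Review bot: Both `cpTags` hunks in tiff-CVE-2018-17101.patch (tools/pal2rgb.c and tools/tiff2bw.c) add the same two guard blocks without a comment saying why `TIFFTAG_GROUP3OPTIONS` and `TIFFTAG_GROUP4OPTIONS` must be skipped unless the input uses the matching CCITT compression, so the next person touching the `tags` table (outside the hunk) cannot see the constraint. I would add `/* Copy the Group 3/4 option tags only when the input really is CCITT fax compressed (CVE-2018-17101). */` above the first `if`. As a style point, the compression tag is re-read for each matching entry into two separate `uint16 compression` locals; reading it once before the loop, `uint16 compression = 0; (void) TIFFGetField(in, TIFFTAG_COMPRESSION, &compression);`, reduces each guard to one comparison, presumably with the same result when the field is absent. Like the other new patch, the file names no upstream commit.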
@@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Fri Oct 19 07:02:18 UTC 2018 - Petr Gajdos + +- security update + * CVE-2018-17795 [bsc#1110358] + % tiff-4.0.9-bsc1046077-CVE-2017-9935.patch renamed to + tiff-CVE-2017-9935,CVE-2018-17795.patch + * CVE-2018-16335 [bsc#1106853] + % tiff-CVE-2017-11613.patch renamed to + tiff-CVE-2017-11613,CVE-2018-16335,15209.patch +- add a possibility to build with ASAN + +------------------------------------------------------------------- +Wed Oct 17 11:29:07 UTC 2018 - Petr Gajdos + +- security update + * CVE-2018-17100 [bsc#1108637] + + tiff-CVE-2018-17100.patch + * CVE-2018-17101 [bsc#1108627] + + tiff-CVE-2018-17101.patch + ------------------------------------------------------------------- Fri Aug 24 11:43:53 UTC 2018 - pgajdos@suse.com diff --git a/tiff.spec b/tiff.spec index 0250b61..af34684 100644 --- a/tiff.spec +++ b/tiff.spec @@ -12,10 +12,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # +%define asan_build 0 + Name: tiff Version: 4.0.9 Release: 0 @@ -30,14 +32,16 @@ Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch # Contained in upstream repo. See bsc#1046077 for commit IDs. -Patch2: tiff-4.0.9-bsc1046077-CVE-2017-9935.patch +Patch2: tiff-CVE-2017-9935,CVE-2018-17795.patch Patch3: tiff-4.0.9-bsc1081690-CVE-2018-5784.patch Patch4: tiff-CVE-2018-10963.patch Patch5: tiff-CVE-2017-18013.patch Patch6: tiff-CVE-2018-7456.patch -Patch7: tiff-CVE-2017-11613.patch +Patch7: tiff-CVE-2017-11613,CVE-2018-16335,15209.patch Patch8: tiff-CVE-2018-8905.patch Patch9: tiff-CVE-2018-10779.patch +Patch10: tiff-CVE-2018-17100.patch +Patch11: tiff-CVE-2018-17101.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel 
@@ -109,10 +113,15 @@ the libtiff library. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 %build CFLAGS="%{optflags} -fPIE" %configure --disable-static +%if %{asan_build} +find -name Makefile | xargs sed -i 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' +%endif make %{?_smp_mflags} LDFLAGS="-pie" %install @@ -137,6 +146,10 @@ for tool in pal2rgb; do done %check +%if %{asan_build} +# ASAN needs /proc to be mounted +exit 0 +%endif for i in tools test; do (cd $i && make %{?_smp_mflags} check) done
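Review bot: The ASAN branch in the `%build` hunk instruments only what is compiled from `CFLAGS`: the `sed` matches `^CFLAGS` in the generated Makefiles, so anything built from `CXXFLAGS` (the spec requires `gcc-c++`) would stay uninstrumented, and nothing records why the flag is injected after `%configure` instead of being passed to it. I would add a comment such as `# -fsanitize=address is added after configure because <reason>` and cover both variables, `find . -name Makefile -exec sed -i 's/^\(C\(XX\)\?FLAGS.*\)/\1 -fsanitize=address/' {} +`, which also avoids the `find | xargs` pipe breaking on unusual paths. Whether the link step picks the flag up depends on the Makefiles forwarding CFLAGS to the linker, which is not visible here.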
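Review bot: With `asan_build` set, the `%check` hunk exits before the test loop, so the instrumented binaries are never exercised during the build and a memory error in the patched tools would go unnoticed in exactly the configuration meant to catch it. The comment names the cause (no `/proc` in the build environment) but not where the ASAN build is expected to be tested instead; I would extend it to `# ASAN needs /proc to be mounted; run 'make check' manually in an environment that has it`. Printing a line before `exit 0`, e.g. `echo "asan_build: test suite skipped"`, would make the skip visible in the build log.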