OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=89

tiff.changes

@@ -1,3 +1,248 @@
+-------------------------------------------------------------------
+Tue Nov 29 08:45:11 UTC 2016 - fstrba@suse.com
+
+- Upgrade to upstream release 4.0.7
+  * libtiff/tif_aux.c
+    + Fix crash in TIFFVGetFieldDefaulted() when requesting
+      Predictor tag and that the zip/lzw codec is not configured.
+      Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591
+  * libtiff/tif_compress.c
+    + Make TIFFNoDecode() return 0 to indicate an error and make
+      upper level read routines treat it accordingly. (linked to the
+      test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)
+  * libtiff/tif_dir.c
+    + Discard values of SMinSampleValue and SMaxSampleValue when
+      they have been read and the value of SamplesPerPixel is
+      changed afterwards (like when reading a OJPEG compressed image
+      with a missing SamplesPerPixel tag, and whose photometric is
+      RGB or YCbCr, forcing SamplesPerPixel being 3). Otherwise when
+      rewriting the directory (for example with tiffset, we will
+      expect 3 values whereas the array had been allocated with just
+      one), thus causing a out of bound read access. Fixes
+      http://bugzilla.maptools.org/show_bug.cgi?id=2500
+      (CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658, bsc#974840)
+  * libtiff/tif_dirread.c
+    + In TIFFFetchNormalTag(), do not dereference NULL pointer when
+      values of tags with TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII
+      access are 0-byte arrays. Fixes
+      http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression
+      introduced by previous fix done on 2016-11-11 for
+      CVE-2016-9297, bsc#1010161). Assigned as CVE-2016-9448,
+      bsc#1011103
+    + In TIFFFetchNormalTag(), make sure that values of tags with
+      TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII access are null
+      terminated, to avoid potential read outside buffer in
+      _TIFFPrintField(). Fixes 
+      http://bugzilla.maptools.org/show_bug.cgi?id=2590
+      (CVE-2016-9297, bsc#1010161)
+    + Initialize doubledata at line 3693 to NULL to please MSVC 2013
+    + Prevent reading ColorMap or TransferFunction if
+      BitsPerPixel > 24, so as to avoid huge memory allocation and
+      file read attempts
+    + Reject images with OJPEG compression that have no
+      TileOffsets/StripOffsets tag, when OJPEG compression is
+      disabled. Prevent null pointer dereference in
+      TIFFReadRawStrip1() and other functions that expect
+      td_stripbytecount to be non NULL. Fixes
+      http://bugzilla.maptools.org/show_bug.cgi?id=2585
+    + When compiled with DEFER_STRILE_LOAD, fix regression, when
+      reading a one-strip file without a StripByteCounts tag.
+    + Workaround false positive warning of Clang Static Analyzer
+      about null pointer dereference in TIFFCheckDirOffset().
+  * libtiff/tif_dirwrite.c
+    + Avoid null pointer dereference on td_stripoffset when writing
+      directory, if FIELD_STRIPOFFSETS was artificially set for a
+      hack case in OJPEG case. Fixes
+      http://bugzilla.maptools.org/show_bug.cgi?id=2500
+      (CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658,
+      bsc#974840)
+    + Fix truncation to 32 bit of file offsets in TIFFLinkDirectory()
+      and TIFFWriteDirectorySec() when aligning directory offsets on
+      an even offset (affects BigTIFF).
+  * libtiff/tif_dumpmode.c
+    + DumpModeEncode() should return 0 in case of failure so that
+      the above mentionned functions detect the error.
+  * libtiff/tif_fax3.c
+    + remove dead assignment in Fax3PutEOLgdal().
+  * libtiff/tif_fax3.h
+    + make Param member of TIFFFaxTabEnt structure a uint16 to
+      reduce size of the binary.
+  * libtiff/tif_getimage.c
+    + Fix out-of-bound reads in TIFFRGBAImage interface in case of
+      unsupported values of SamplesPerPixel/ExtraSamples for
+      LogLUV/CIELab. Add explicit call to TIFFRGBAImageOK() in
+      TIFFRGBAImageBegin(). Fix CVE-2015-8665 and CVE-2015-8683.
+    + Fix some benign warnings which appear in 64-bit compilation
+      under Microsoft Visual Studio of the form "Arithmetic
+      overflow: 32-bit value is shifted, then cast to 64-bit value.
+      Results might not be an expected value."
+    + TIFFRGBAImageOK: Reject attempts to read floating point images.
+  * libtiff/tif_luv.c
+    + Fix potential out-of-bound writes in decode functions in non
+      debug builds by replacing assert()s by regular if checks
+      (http://bugzilla.maptools.org/show_bug.cgi?id=2522). Fix
+      potential out-of-bound reads in case of short input data.
+    + Validate that for COMPRESSION_SGILOG and PHOTOMETRIC_LOGL,
+      there is only one sample per pixel. Avoid potential invalid
+      memory write on corrupted/unexpected images when using the
+      TIFFRGBAImageBegin() interface
+  * libtiff/tif_next.c
+    + Fix potential out-of-bound write in NeXTDecode()
+    (http://bugzilla.maptools.org/show_bug.cgi?id=2508)
+  * libtiff/tif_pixarlog.c
+    + Avoid zlib error messages to pass a NULL string to %s
+      formatter, which is undefined behaviour in sprintf().
+    + Fix out-of-bounds write vulnerabilities in heap allocated
+      buffers. Reported as MSVR 35094.
+    + Fix potential buffer write overrun in PixarLogDecode() on
+      corrupted/unexpected images (CVE-2016-5875, bsc#987351)
+    + Fix write buffer overflow in PixarLogEncode if more input
+      samples are provided than expected by PixarLogSetupEncode.
+      Idea based on libtiff-CVE-2016-3990.patch from
+      libtiff-4.0.3-25.el7_2.src.rpm, but with different and simpler
+      check. (http://bugzilla.maptools.org/show_bug.cgi?id=2544,
+      bsc#975069)
+  * libtiff/tif_predict.c
+    + PredictorSetup: Enforce bits-per-sample requirements of
+      floating point predictor (3). Fixes CVE-2016-3622 "Divide By
+      Zero in the tiff2rgba tool." (bsc#974449)
+  * libtiff/tif_predict.h, libtiff/tif_predict.c
+    + Replace assertions by runtime checks to avoid assertions in
+      debug mode, or buffer overflows in release mode. Can happen
+      when dealing with unusual tile size like YCbCr with
+      subsampling. Reported as MSVR 35105.
+  * libtiff/tif_read.c
+    + Fix out-of-bounds read on memory-mapped files in
+      TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset
+      is beyond tmsize_t max value
+    + Make TIFFReadEncodedStrip() and TIFFReadEncodedTile() directly
+      use user provided buffer when no compression (and other
+      conditions) to save a memcpy().
+  * libtiff/tif_strip.c
+    + Make TIFFNumberOfStrips() return the td->td_nstrips value when
+      it is non-zero, instead of recomputing it. This is needed in
+      TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read
+      outsize of array in tiffsplit (or other utilities using
+      TIFFNumberOfStrips()). Fixes
+      http://bugzilla.maptools.org/show_bug.cgi?id=2587
+      (CVE-2016-9273, bsc#1010163)
+  * libtiff/tif_write.c
+    + Fix issue in error code path of TIFFFlushData1() that didn't
+      reset the tif_rawcc and tif_rawcp members. I'm not completely
+      sure if that could happen in practice outside of the odd
+      behaviour of t2p_seekproc() of tiff2pdf). The report points
+      that a better fix could be to check the return value of
+      TIFFFlushData1() in places where it isn't done currently, but
+      it seems this patch is enough. Reported as MSVR 35095.
+    + Make TIFFWriteEncodedStrip() and TIFFWriteEncodedTile()
+      directly use user provided buffer when no compression to save
+      a memcpy().
+    + TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() should
+      return -1 in case of failure of tif_encodestrip() as documented
+  * tools/fax2tiff.c
+    + Fix segfault when specifying -r without argument. Fixes 
+      http://bugzilla.maptools.org/show_bug.cgi?id=2572
+  * tools/Makefile.am
+    + The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff,
+      sgisv, and ycbcr are completely removed from the distribution.
+      The libtiff tools rgb2ycbcr and thumbnail are only built in
+      the build tree for testing. Old files are put in new 'archive'
+      subdirectory of the source repository, but not in
+      distribution archives. These changes are made in order to
+      lessen the maintenance burden.
+  * tools/rgb2ycbcr.c
+    + Validate values of -v and -h parameters to avoid potential
+      divide by zero. Fixes CVE-2016-3623, bsc#974618
+      (http://bugzilla.maptools.org/show_bug.cgi?id=2569)
+  * tools/tiff2bw.c
+    + Fix weight computation that could result of color value
+      overflow (no security implication). Fix
+      http://bugzilla.maptools.org/show_bug.cgi?id=2550.
+  * tools/tiff2pdf.c
+    + Avoid undefined behaviour related to overlapping of source and
+      destination buffer in memcpy() call in
+      t2p_sample_rgbaa_to_rgb() Fixes
+      http://bugzilla.maptools.org/show_bug.cgi?id=2577
+    + Fix out-of-bounds write vulnerabilities in heap allocate buffer
+      in t2p_process_jpeg_strip(). Reported as MSVR 35098.
+    + Fix potential integer overflows on 32 bit builds in
+      t2p_read_tiff_size() Fixes
+      http://bugzilla.maptools.org/show_bug.cgi?id=2576
+    + Fix read -largely- outsize of buffer in
+      t2p_readwrite_pdf_image_tile(), causing crash, when reading a
+      JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
+      Reported as MSVR 35101. CVE-2016-9453, bsc#1011107
+    + Fix write buffer overflow of 2 bytes on JPEG compressed images.
+      Reported as TALOS-CAN-0187, CVE-2016-5652, bsc#1007280. Also
+      prevents writing 2 extra uninitialized bytes to the file
+      stream.
+  * tools/tiff2rgba.c
+    + Fix integer overflow in size of allocated buffer, when -b mode
+      is enabled, that could result in out-of-bounds write. Based
+      initially on patch tiff-CVE-2016-3945.patch from
+      libtiff-4.0.3-25.el7_2.src.rpm, with correction for invalid
+      tests that rejected valid files.
+      (http://bugzilla.maptools.org/show_bug.cgi?id=2545, bsc#974614)
+  * tools/tiffcp.c
+    + Fix out-of-bounds write on tiled images with odd tile width vs
+      image width. Reported as MSVR 35103.
+    + Fix read of undefined variable in case of missing required
+      tags. Found on test case of MSVR 35100.
+  * tools/tiffcrop.c
+    + Avoid access outside of stack allocated array on a tiled
+      separate TIFF with more than 8 samples per pixel.
+      (CVE-2016-5321, CVE-2016-5323,
+      http://bugzilla.maptools.org/show_bug.cgi?id=2558,
+      http://bugzilla.maptools.org/show_bug.cgi?id=2559, bsc#984813,
+      bsc#984815)
+    + Fix memory leak in (recent) error code path. Fixes Coverity
+      1394415.
+    + Fix multiple uint32 overflows in writeBufferToSeparateStrips(),
+      writeBufferToContigTiles() and writeBufferToSeparateTiles()
+      that could cause heap buffer overflows. Fixes
+      http://bugzilla.maptools.org/show_bug.cgi?id=2592
+    + Fix out-of-bound read of up to 3 bytes in
+      readContigTilesIntoBuffer(). Reported as MSVR 35092.
+    + Fix out-of-bounds write in loadImage(). From patch
+      libtiff-CVE-2016-3991.patch from
+      libtiff-4.0.3-25.el7_2.src.rpm
+      (http://bugzilla.maptools.org/show_bug.cgi?id=2543, bsc#975070)
+    + Fix read of undefined buffer in readContigStripsIntoBuffer()
+      due to uint16 overflow. Reported as MSVR 35100.
+    + Fix various out-of-bounds write vulnerabilities in heap or
+      stack allocated buffers. Reported as MSVR 35093, MSVR 35096
+      and MSVR 35097.
+    + readContigTilesIntoBuffer: Fix signed/unsigned comparison
+      warning.
+  * tools/tiffdump.c
+    + Fix a few misaligned 64-bit reads warned by -fsanitize
+    + ReadDirectory: Remove uint32 cast to_TIFFmalloc() argument
+      which resulted in Coverity report. Added more mutiplication
+      overflow checks
+  * tools/tiffinfo.c
+    + Fix out-of-bound read on some tiled images.
+      (http://bugzilla.maptools.org/show_bug.cgi?id=2517)
+    + TIFFReadContigTileData: Fix signed/unsigned comparison warning.
+    + TIFFReadSeparateTileData: Fix signed/unsigned comparison
+      warning.
+- Removed patches:
+  * tiff-4.0.4-uninitialized_mem_NeXTDecode.patch
+  * tiff-4.0.6-CVE-2015-8782.patch
+  * tiff-4.0.6-CVE-2016-3186.patch
+  * tiff-4.0.6-CVE-2016-3623.patch
+  * tiff-4.0.6-CVE-2016-3945.patch
+  * tiff-4.0.6-CVE-2016-3990.patch
+  * tiff-4.0.6-CVE-2016-3991.patch
+  * tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
+  * tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
+  * tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
+  * tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
+  * tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch
+    - Fixed in the upsteam release
+- Changed patch:
+  * tiff-4.0.6-CVE-2015-7554.patch -> tiff-4.0.7-CVE-2015-7554.patch
+    - Rediffed to the changed context
+
 -------------------------------------------------------------------
 Thu Oct  6 07:47:19 UTC 2016 - fstrba@suse.com
 
@@ -19,7 +264,7 @@ Thu Sep  1 14:35:57 UTC 2016 - fstrba@suse.com
   * tiff-4.0.6-CVE-2016-3991.patch
     - Upstream commits to fix CVE-2016-3623 [bsc#974618],
       CVE-2016-3945 [bsc#974614], CVE-2016-3990 [bsc#975069],
-	  CVE-2016-3991 [bsc#975070]
+      CVE-2016-3991 [bsc#975070]
 
 -------------------------------------------------------------------
 Tue Jul 12 09:20:56 UTC 2016 - fstrba@suse.com

tiff.spec

@@ -30,7 +30,7 @@ Patch0:         tiff-4.0.3-seek.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2442
 Patch1:         tiff-4.0.3-compress-warning.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2508
-Patch3:         tiff-4.0.6-CVE-2015-7554.patch
+Patch3:         tiff-4.0.7-CVE-2015-7554.patch
 
 BuildRequires:  gcc-c++
 BuildRequires:  libjpeg-devel