diff --git a/tiff-4.0.6-CVE-2015-7554.patch b/tiff-4.0.7-CVE-2015-7554.patch similarity index 100% rename from tiff-4.0.6-CVE-2015-7554.patch rename to tiff-4.0.7-CVE-2015-7554.patch diff --git a/tiff.changes b/tiff.changes index f58d71f..e3ebc5c 100644 --- a/tiff.changes +++ b/tiff.changes 
@@ -1,3 +1,248 @@ +------------------------------------------------------------------- +Tue Nov 29 08:45:11 UTC 2016 - fstrba@suse.com + +- Upgrade to upstream release 4.0.7 + * libtiff/tif_aux.c + + Fix crash in TIFFVGetFieldDefaulted() when requesting + Predictor tag and that the zip/lzw codec is not configured. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591 + * libtiff/tif_compress.c + + Make TIFFNoDecode() return 0 to indicate an error and make + upper level read routines treat it accordingly. (linked to the + test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517) + * libtiff/tif_dir.c + + Discard values of SMinSampleValue and SMaxSampleValue when + they have been read and the value of SamplesPerPixel is + changed afterwards (like when reading a OJPEG compressed image + with a missing SamplesPerPixel tag, and whose photometric is + RGB or YCbCr, forcing SamplesPerPixel being 3). Otherwise when + rewriting the directory (for example with tiffset, we will + expect 3 values whereas the array had been allocated with just + one), thus causing a out of bound read access. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2500 + (CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658, bsc#974840) + * libtiff/tif_dirread.c + + In TIFFFetchNormalTag(), do not dereference NULL pointer when + values of tags with TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII + access are 0-byte arrays. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression + introduced by previous fix done on 2016-11-11 for + CVE-2016-9297, bsc#1010161). Assigned as CVE-2016-9448, + bsc#1011103 + + In TIFFFetchNormalTag(), make sure that values of tags with + TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII access are null + terminated, to avoid potential read outside buffer in + _TIFFPrintField(). 
Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2590 + (CVE-2016-9297, bsc#1010161) + + Initialize doubledata at line 3693 to NULL to please MSVC 2013 + + Prevent reading ColorMap or TransferFunction if + BitsPerPixel > 24, so as to avoid huge memory allocation and + file read attempts + + Reject images with OJPEG compression that have no + TileOffsets/StripOffsets tag, when OJPEG compression is + disabled. Prevent null pointer dereference in + TIFFReadRawStrip1() and other functions that expect + td_stripbytecount to be non NULL. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2585 + + When compiled with DEFER_STRILE_LOAD, fix regression, when + reading a one-strip file without a StripByteCounts tag. + + Workaround false positive warning of Clang Static Analyzer + about null pointer dereference in TIFFCheckDirOffset(). + * libtiff/tif_dirwrite.c + + Avoid null pointer dereference on td_stripoffset when writing + directory, if FIELD_STRIPOFFSETS was artificially set for a + hack case in OJPEG case. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2500 + (CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658, + bsc#974840) + + Fix truncation to 32 bit of file offsets in TIFFLinkDirectory() + and TIFFWriteDirectorySec() when aligning directory offsets on + an even offset (affects BigTIFF). + * libtiff/tif_dumpmode.c + + DumpModeEncode() should return 0 in case of failure so that + the above mentionned functions detect the error. + * libtiff/tif_fax3.c + + remove dead assignment in Fax3PutEOLgdal(). + * libtiff/tif_fax3.h + + make Param member of TIFFFaxTabEnt structure a uint16 to + reduce size of the binary. + * libtiff/tif_getimage.c + + Fix out-of-bound reads in TIFFRGBAImage interface in case of + unsupported values of SamplesPerPixel/ExtraSamples for + LogLUV/CIELab. Add explicit call to TIFFRGBAImageOK() in + TIFFRGBAImageBegin(). Fix CVE-2015-8665 and CVE-2015-8683. 
+ + Fix some benign warnings which appear in 64-bit compilation + under Microsoft Visual Studio of the form "Arithmetic + overflow: 32-bit value is shifted, then cast to 64-bit value. + Results might not be an expected value." + + TIFFRGBAImageOK: Reject attempts to read floating point images. + * libtiff/tif_luv.c + + Fix potential out-of-bound writes in decode functions in non + debug builds by replacing assert()s by regular if checks + (http://bugzilla.maptools.org/show_bug.cgi?id=2522). Fix + potential out-of-bound reads in case of short input data. + + Validate that for COMPRESSION_SGILOG and PHOTOMETRIC_LOGL, + there is only one sample per pixel. Avoid potential invalid + memory write on corrupted/unexpected images when using the + TIFFRGBAImageBegin() interface + * libtiff/tif_next.c + + Fix potential out-of-bound write in NeXTDecode() + (http://bugzilla.maptools.org/show_bug.cgi?id=2508) + * libtiff/tif_pixarlog.c + + Avoid zlib error messages to pass a NULL string to %s + formatter, which is undefined behaviour in sprintf(). + + Fix out-of-bounds write vulnerabilities in heap allocated + buffers. Reported as MSVR 35094. + + Fix potential buffer write overrun in PixarLogDecode() on + corrupted/unexpected images (CVE-2016-5875, bsc#987351) + + Fix write buffer overflow in PixarLogEncode if more input + samples are provided than expected by PixarLogSetupEncode. + Idea based on libtiff-CVE-2016-3990.patch from + libtiff-4.0.3-25.el7_2.src.rpm, but with different and simpler + check. (http://bugzilla.maptools.org/show_bug.cgi?id=2544, + bsc#975069) + * libtiff/tif_predict.c + + PredictorSetup: Enforce bits-per-sample requirements of + floating point predictor (3). Fixes CVE-2016-3622 "Divide By + Zero in the tiff2rgba tool." (bsc#974449) + * libtiff/tif_predict.h, libtiff/tif_predict.c + + Replace assertions by runtime checks to avoid assertions in + debug mode, or buffer overflows in release mode. 
Can happen + when dealing with unusual tile size like YCbCr with + subsampling. Reported as MSVR 35105. + * libtiff/tif_read.c + + Fix out-of-bounds read on memory-mapped files in + TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset + is beyond tmsize_t max value + + Make TIFFReadEncodedStrip() and TIFFReadEncodedTile() directly + use user provided buffer when no compression (and other + conditions) to save a memcpy(). + * libtiff/tif_strip.c + + Make TIFFNumberOfStrips() return the td->td_nstrips value when + it is non-zero, instead of recomputing it. This is needed in + TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read + outsize of array in tiffsplit (or other utilities using + TIFFNumberOfStrips()). Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2587 + (CVE-2016-9273, bsc#1010163) + * libtiff/tif_write.c + + Fix issue in error code path of TIFFFlushData1() that didn't + reset the tif_rawcc and tif_rawcp members. I'm not completely + sure if that could happen in practice outside of the odd + behaviour of t2p_seekproc() of tiff2pdf). The report points + that a better fix could be to check the return value of + TIFFFlushData1() in places where it isn't done currently, but + it seems this patch is enough. Reported as MSVR 35095. + + Make TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() + directly use user provided buffer when no compression to save + a memcpy(). + + TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() should + return -1 in case of failure of tif_encodestrip() as documented + * tools/fax2tiff.c + + Fix segfault when specifying -r without argument. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2572 + * tools/Makefile.am + + The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, + sgisv, and ycbcr are completely removed from the distribution. + The libtiff tools rgb2ycbcr and thumbnail are only built in + the build tree for testing. 
Old files are put in new 'archive' + subdirectory of the source repository, but not in + distribution archives. These changes are made in order to + lessen the maintenance burden. + * tools/rgb2ycbcr.c + + Validate values of -v and -h parameters to avoid potential + divide by zero. Fixes CVE-2016-3623, bsc#974618 + (http://bugzilla.maptools.org/show_bug.cgi?id=2569) + * tools/tiff2bw.c + + Fix weight computation that could result of color value + overflow (no security implication). Fix + http://bugzilla.maptools.org/show_bug.cgi?id=2550. + * tools/tiff2pdf.c + + Avoid undefined behaviour related to overlapping of source and + destination buffer in memcpy() call in + t2p_sample_rgbaa_to_rgb() Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2577 + + Fix out-of-bounds write vulnerabilities in heap allocate buffer + in t2p_process_jpeg_strip(). Reported as MSVR 35098. + + Fix potential integer overflows on 32 bit builds in + t2p_read_tiff_size() Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2576 + + Fix read -largely- outsize of buffer in + t2p_readwrite_pdf_image_tile(), causing crash, when reading a + JPEG compressed image with TIFFTAG_JPEGTABLES length being one. + Reported as MSVR 35101. CVE-2016-9453, bsc#1011107 + + Fix write buffer overflow of 2 bytes on JPEG compressed images. + Reported as TALOS-CAN-0187, CVE-2016-5652, bsc#1007280. Also + prevents writing 2 extra uninitialized bytes to the file + stream. + * tools/tiff2rgba.c + + Fix integer overflow in size of allocated buffer, when -b mode + is enabled, that could result in out-of-bounds write. Based + initially on patch tiff-CVE-2016-3945.patch from + libtiff-4.0.3-25.el7_2.src.rpm, with correction for invalid + tests that rejected valid files. + (http://bugzilla.maptools.org/show_bug.cgi?id=2545, bsc#974614) + * tools/tiffcp.c + + Fix out-of-bounds write on tiled images with odd tile width vs + image width. Reported as MSVR 35103. 
+ + Fix read of undefined variable in case of missing required + tags. Found on test case of MSVR 35100. + * tools/tiffcrop.c + + Avoid access outside of stack allocated array on a tiled + separate TIFF with more than 8 samples per pixel. + (CVE-2016-5321, CVE-2016-5323, + http://bugzilla.maptools.org/show_bug.cgi?id=2558, + http://bugzilla.maptools.org/show_bug.cgi?id=2559, bsc#984813, + bsc#984815) + + Fix memory leak in (recent) error code path. Fixes Coverity + 1394415. + + Fix multiple uint32 overflows in writeBufferToSeparateStrips(), + writeBufferToContigTiles() and writeBufferToSeparateTiles() + that could cause heap buffer overflows. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2592 + + Fix out-of-bound read of up to 3 bytes in + readContigTilesIntoBuffer(). Reported as MSVR 35092. + + Fix out-of-bounds write in loadImage(). From patch + libtiff-CVE-2016-3991.patch from + libtiff-4.0.3-25.el7_2.src.rpm + (http://bugzilla.maptools.org/show_bug.cgi?id=2543, bsc#975070) + + Fix read of undefined buffer in readContigStripsIntoBuffer() + due to uint16 overflow. Reported as MSVR 35100. + + Fix various out-of-bounds write vulnerabilities in heap or + stack allocated buffers. Reported as MSVR 35093, MSVR 35096 + and MSVR 35097. + + readContigTilesIntoBuffer: Fix signed/unsigned comparison + warning. + * tools/tiffdump.c + + Fix a few misaligned 64-bit reads warned by -fsanitize + + ReadDirectory: Remove uint32 cast to_TIFFmalloc() argument + which resulted in Coverity report. Added more mutiplication + overflow checks + * tools/tiffinfo.c + + Fix out-of-bound read on some tiled images. + (http://bugzilla.maptools.org/show_bug.cgi?id=2517) + + TIFFReadContigTileData: Fix signed/unsigned comparison warning. + + TIFFReadSeparateTileData: Fix signed/unsigned comparison + warning. 
+- Removed patches: + * tiff-4.0.4-uninitialized_mem_NeXTDecode.patch + * tiff-4.0.6-CVE-2015-8782.patch + * tiff-4.0.6-CVE-2016-3186.patch + * tiff-4.0.6-CVE-2016-3623.patch + * tiff-4.0.6-CVE-2016-3945.patch + * tiff-4.0.6-CVE-2016-3990.patch + * tiff-4.0.6-CVE-2016-3991.patch + * tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch + * tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch + * tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch + * tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch + * tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch + - Fixed in the upsteam release +- Changed patch: + * tiff-4.0.6-CVE-2015-7554.patch -> tiff-4.0.7-CVE-2015-7554.patch + - Rediffed to the changed context + ------------------------------------------------------------------- Thu Oct 6 07:47:19 UTC 2016 - fstrba@suse.com @@ -19,7 +264,7 @@ Thu Sep 1 14:35:57 UTC 2016 - fstrba@suse.com * tiff-4.0.6-CVE-2016-3991.patch - Upstream commits to fix CVE-2016-3623 [bsc#974618], CVE-2016-3945 [bsc#974614], CVE-2016-3990 [bsc#975069], - CVE-2016-3991 [bsc#975070] + CVE-2016-3991 [bsc#975070] ------------------------------------------------------------------- Tue Jul 12 09:20:56 UTC 2016 - fstrba@suse.com diff --git a/tiff.spec b/tiff.spec index 350c629..afa5881 100644 --- a/tiff.spec +++ b/tiff.spec @@ -30,7 +30,7 @@ Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2508 -Patch3: tiff-4.0.6-CVE-2015-7554.patch +Patch3: tiff-4.0.7-CVE-2015-7554.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel
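Review bot: the new tiff.changes entry (hunk @@ -1,3 +1,248 @@) carries spelling errors that will ship in the package changelog: "mentionned" in the tif_dumpmode.c item, "mutiplication" in the tiffdump.c item, and "upsteam" in "- Fixed in the upsteam release"; suggest "mentioned", "multiplication" and "upstream". The same entry states that tiff-4.0.6-CVE-2015-7554.patch was "Rediffed to the changed context", yet the rename header at the top of this diff reports "similarity index 100%", meaning the renamed file's contents are unchanged; either the changelog wording or the rename should be reconciled so the record matches what was actually committed.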
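Review bot: the second tiff.changes hunk (@@ -19,7 +264,7 @@) replaces "- CVE-2016-3991 [bsc#975070]" with an identical "+ CVE-2016-3991 [bsc#975070]" line, so this is a whitespace-only edit to an older changelog entry from 2016-09-01 that is unrelated to the 4.0.7 upgrade; drop it from this change, or if the trailing whitespace fix is wanted, mention it in the new entry so the history explains why an old entry was touched.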
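Review bot: the tiff.spec hunk (@@ -30,7 +30,7 @@) only renames Patch3 to tiff-4.0.7-CVE-2015-7554.patch; the Version and Source changes for 4.0.7 and the removal of the twelve patch declarations (and their %patch applications) listed under "Removed patches" in tiff.changes are not in the visible hunk and should be confirmed elsewhere in the change, otherwise the build will still reference deleted files. Also, the context line "# http://bugzilla.maptools.org/show_bug.cgi?id=2508" sits directly above Patch3, while the new changelog records bug 2508 as fixed upstream in libtiff/tif_next.c (NeXTDecode) and lists tiff-4.0.4-uninitialized_mem_NeXTDecode.patch as removed; check that this comment still describes the CVE-2015-7554 patch and update or drop it if it is a leftover.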