This commit is contained in:
parent
573d56a528
commit
ce111c7af9
245
tiff.changes
@ -1,3 +1,248 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 29 08:45:11 UTC 2016 - fstrba@suse.com
|
||||||
|
|
||||||
|
- Upgrade to upstream release 4.0.7
|
||||||
|
* libtiff/tif_aux.c
|
||||||
|
+ Fix crash in TIFFVGetFieldDefaulted() when requesting
|
||||||
|
Predictor tag and that the zip/lzw codec is not configured.
|
||||||
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591
|
||||||
|
* libtiff/tif_compress.c
|
||||||
|
+ Make TIFFNoDecode() return 0 to indicate an error and make
|
||||||
|
upper level read routines treat it accordingly. (linked to the
|
||||||
|
test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)
|
||||||
|
* libtiff/tif_dir.c
|
||||||
|
+ Discard values of SMinSampleValue and SMaxSampleValue when
|
||||||
|
they have been read and the value of SamplesPerPixel is
|
||||||
|
changed afterwards (like when reading a OJPEG compressed image
|
||||||
|
with a missing SamplesPerPixel tag, and whose photometric is
|
||||||
|
RGB or YCbCr, forcing SamplesPerPixel being 3). Otherwise when
|
||||||
|
rewriting the directory (for example with tiffset, we will
|
||||||
|
expect 3 values whereas the array had been allocated with just
|
||||||
|
one), thus causing a out of bound read access. Fixes
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||||
|
(CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658, bsc#974840)
|
||||||
|
* libtiff/tif_dirread.c
|
||||||
|
+ In TIFFFetchNormalTag(), do not dereference NULL pointer when
|
||||||
|
values of tags with TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII
|
||||||
|
access are 0-byte arrays. Fixes
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression
|
||||||
|
introduced by previous fix done on 2016-11-11 for
|
||||||
|
CVE-2016-9297, bsc#1010161). Assigned as CVE-2016-9448,
|
||||||
|
bsc#1011103
|
||||||
|
+ In TIFFFetchNormalTag(), make sure that values of tags with
|
||||||
|
TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII access are null
|
||||||
|
terminated, to avoid potential read outside buffer in
|
||||||
|
_TIFFPrintField(). Fixes
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2590
|
||||||
|
(CVE-2016-9297, bsc#1010161)
|
||||||
|
+ Initialize doubledata at line 3693 to NULL to please MSVC 2013
|
||||||
|
+ Prevent reading ColorMap or TransferFunction if
|
||||||
|
BitsPerPixel > 24, so as to avoid huge memory allocation and
|
||||||
|
file read attempts
|
||||||
|
+ Reject images with OJPEG compression that have no
|
||||||
|
TileOffsets/StripOffsets tag, when OJPEG compression is
|
||||||
|
disabled. Prevent null pointer dereference in
|
||||||
|
TIFFReadRawStrip1() and other functions that expect
|
||||||
|
td_stripbytecount to be non NULL. Fixes
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2585
|
||||||
|
+ When compiled with DEFER_STRILE_LOAD, fix regression, when
|
||||||
|
reading a one-strip file without a StripByteCounts tag.
|
||||||
|
+ Workaround false positive warning of Clang Static Analyzer
|
||||||
|
about null pointer dereference in TIFFCheckDirOffset().
|
||||||
|
* libtiff/tif_dirwrite.c
|
||||||
|
+ Avoid null pointer dereference on td_stripoffset when writing
|
||||||
|
directory, if FIELD_STRIPOFFSETS was artificially set for a
|
||||||
|
hack case in OJPEG case. Fixes
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2500
|
||||||
|
(CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658,
|
||||||
|
bsc#974840)
|
||||||
|
+ Fix truncation to 32 bit of file offsets in TIFFLinkDirectory()
|
||||||
|
and TIFFWriteDirectorySec() when aligning directory offsets on
|
||||||
|
an even offset (affects BigTIFF).
|
||||||
|
* libtiff/tif_dumpmode.c
|
||||||
|
+ DumpModeEncode() should return 0 in case of failure so that
|
||||||
|
the above mentionned functions detect the error.
|
||||||
|
* libtiff/tif_fax3.c
|
||||||
|
+ remove dead assignment in Fax3PutEOLgdal().
|
||||||
|
* libtiff/tif_fax3.h
|
||||||
|
+ make Param member of TIFFFaxTabEnt structure a uint16 to
|
||||||
|
reduce size of the binary.
|
||||||
|
* libtiff/tif_getimage.c
|
||||||
|
+ Fix out-of-bound reads in TIFFRGBAImage interface in case of
|
||||||
|
unsupported values of SamplesPerPixel/ExtraSamples for
|
||||||
|
LogLUV/CIELab. Add explicit call to TIFFRGBAImageOK() in
|
||||||
|
TIFFRGBAImageBegin(). Fix CVE-2015-8665 and CVE-2015-8683.
|
||||||
|
+ Fix some benign warnings which appear in 64-bit compilation
|
||||||
|
under Microsoft Visual Studio of the form "Arithmetic
|
||||||
|
overflow: 32-bit value is shifted, then cast to 64-bit value.
|
||||||
|
Results might not be an expected value."
|
||||||
|
+ TIFFRGBAImageOK: Reject attempts to read floating point images.
|
||||||
|
* libtiff/tif_luv.c
|
||||||
|
+ Fix potential out-of-bound writes in decode functions in non
|
||||||
|
debug builds by replacing assert()s by regular if checks
|
||||||
|
(http://bugzilla.maptools.org/show_bug.cgi?id=2522). Fix
|
||||||
|
potential out-of-bound reads in case of short input data.
|
||||||
|
+ Validate that for COMPRESSION_SGILOG and PHOTOMETRIC_LOGL,
|
||||||
|
there is only one sample per pixel. Avoid potential invalid
|
||||||
|
memory write on corrupted/unexpected images when using the
|
||||||
|
TIFFRGBAImageBegin() interface
|
||||||
|
* libtiff/tif_next.c
|
||||||
|
+ Fix potential out-of-bound write in NeXTDecode()
|
||||||
|
(http://bugzilla.maptools.org/show_bug.cgi?id=2508)
|
||||||
|
* libtiff/tif_pixarlog.c
|
||||||
|
+ Avoid zlib error messages to pass a NULL string to %s
|
||||||
|
formatter, which is undefined behaviour in sprintf().
|
||||||
|
+ Fix out-of-bounds write vulnerabilities in heap allocated
|
||||||
|
buffers. Reported as MSVR 35094.
|
||||||
|
+ Fix potential buffer write overrun in PixarLogDecode() on
|
||||||
|
corrupted/unexpected images (CVE-2016-5875, bsc#987351)
|
||||||
|
+ Fix write buffer overflow in PixarLogEncode if more input
|
||||||
|
samples are provided than expected by PixarLogSetupEncode.
|
||||||
|
Idea based on libtiff-CVE-2016-3990.patch from
|
||||||
|
libtiff-4.0.3-25.el7_2.src.rpm, but with different and simpler
|
||||||
|
check. (http://bugzilla.maptools.org/show_bug.cgi?id=2544,
|
||||||
|
bsc#975069)
|
||||||
|
* libtiff/tif_predict.c
|
||||||
|
+ PredictorSetup: Enforce bits-per-sample requirements of
|
||||||
|
floating point predictor (3). Fixes CVE-2016-3622 "Divide By
|
||||||
|
Zero in the tiff2rgba tool." (bsc#974449)
|
||||||
|
* libtiff/tif_predict.h, libtiff/tif_predict.c
|
||||||
|
+ Replace assertions by runtime checks to avoid assertions in
|
||||||
|
debug mode, or buffer overflows in release mode. Can happen
|
||||||
|
when dealing with unusual tile size like YCbCr with
|
||||||
|
subsampling. Reported as MSVR 35105.
|
||||||
|
* libtiff/tif_read.c
|
||||||
|
+ Fix out-of-bounds read on memory-mapped files in
|
||||||
|
TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset
|
||||||
|
is beyond tmsize_t max value
|
||||||
|
+ Make TIFFReadEncodedStrip() and TIFFReadEncodedTile() directly
|
||||||
|
use user provided buffer when no compression (and other
|
||||||
|
conditions) to save a memcpy().
|
||||||
|
* libtiff/tif_strip.c
|
||||||
|
+ Make TIFFNumberOfStrips() return the td->td_nstrips value when
|
||||||
|
it is non-zero, instead of recomputing it. This is needed in
|
||||||
|
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read
|
||||||
|
outsize of array in tiffsplit (or other utilities using
|
||||||
|
TIFFNumberOfStrips()). Fixes
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2587
|
||||||
|
(CVE-2016-9273, bsc#1010163)
|
||||||
|
* libtiff/tif_write.c
|
||||||
|
+ Fix issue in error code path of TIFFFlushData1() that didn't
|
||||||
|
reset the tif_rawcc and tif_rawcp members. I'm not completely
|
||||||
|
sure if that could happen in practice outside of the odd
|
||||||
|
behaviour of t2p_seekproc() of tiff2pdf). The report points
|
||||||
|
that a better fix could be to check the return value of
|
||||||
|
TIFFFlushData1() in places where it isn't done currently, but
|
||||||
|
it seems this patch is enough. Reported as MSVR 35095.
|
||||||
|
+ Make TIFFWriteEncodedStrip() and TIFFWriteEncodedTile()
|
||||||
|
directly use user provided buffer when no compression to save
|
||||||
|
a memcpy().
|
||||||
|
+ TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() should
|
||||||
|
return -1 in case of failure of tif_encodestrip() as documented
|
||||||
|
* tools/fax2tiff.c
|
||||||
|
+ Fix segfault when specifying -r without argument. Fixes
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2572
|
||||||
|
* tools/Makefile.am
|
||||||
|
+ The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff,
|
||||||
|
sgisv, and ycbcr are completely removed from the distribution.
|
||||||
|
The libtiff tools rgb2ycbcr and thumbnail are only built in
|
||||||
|
the build tree for testing. Old files are put in new 'archive'
|
||||||
|
subdirectory of the source repository, but not in
|
||||||
|
distribution archives. These changes are made in order to
|
||||||
|
lessen the maintenance burden.
|
||||||
|
* tools/rgb2ycbcr.c
|
||||||
|
+ Validate values of -v and -h parameters to avoid potential
|
||||||
|
divide by zero. Fixes CVE-2016-3623, bsc#974618
|
||||||
|
(http://bugzilla.maptools.org/show_bug.cgi?id=2569)
|
||||||
|
* tools/tiff2bw.c
|
||||||
|
+ Fix weight computation that could result of color value
|
||||||
|
overflow (no security implication). Fix
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2550.
|
||||||
|
* tools/tiff2pdf.c
|
||||||
|
+ Avoid undefined behaviour related to overlapping of source and
|
||||||
|
destination buffer in memcpy() call in
|
||||||
|
t2p_sample_rgbaa_to_rgb() Fixes
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2577
|
||||||
|
+ Fix out-of-bounds write vulnerabilities in heap allocate buffer
|
||||||
|
in t2p_process_jpeg_strip(). Reported as MSVR 35098.
|
||||||
|
+ Fix potential integer overflows on 32 bit builds in
|
||||||
|
t2p_read_tiff_size() Fixes
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2576
|
||||||
|
+ Fix read -largely- outsize of buffer in
|
||||||
|
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
|
||||||
|
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
|
||||||
|
Reported as MSVR 35101. CVE-2016-9453, bsc#1011107
|
||||||
|
+ Fix write buffer overflow of 2 bytes on JPEG compressed images.
|
||||||
|
Reported as TALOS-CAN-0187, CVE-2016-5652, bsc#1007280. Also
|
||||||
|
prevents writing 2 extra uninitialized bytes to the file
|
||||||
|
stream.
|
||||||
|
* tools/tiff2rgba.c
|
||||||
|
+ Fix integer overflow in size of allocated buffer, when -b mode
|
||||||
|
is enabled, that could result in out-of-bounds write. Based
|
||||||
|
initially on patch tiff-CVE-2016-3945.patch from
|
||||||
|
libtiff-4.0.3-25.el7_2.src.rpm, with correction for invalid
|
||||||
|
tests that rejected valid files.
|
||||||
|
(http://bugzilla.maptools.org/show_bug.cgi?id=2545, bsc#974614)
|
||||||
|
* tools/tiffcp.c
|
||||||
|
+ Fix out-of-bounds write on tiled images with odd tile width vs
|
||||||
|
image width. Reported as MSVR 35103.
|
||||||
|
+ Fix read of undefined variable in case of missing required
|
||||||
|
tags. Found on test case of MSVR 35100.
|
||||||
|
* tools/tiffcrop.c
|
||||||
|
+ Avoid access outside of stack allocated array on a tiled
|
||||||
|
separate TIFF with more than 8 samples per pixel.
|
||||||
|
(CVE-2016-5321, CVE-2016-5323,
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2558,
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2559, bsc#984813,
|
||||||
|
bsc#984815)
|
||||||
|
+ Fix memory leak in (recent) error code path. Fixes Coverity
|
||||||
|
1394415.
|
||||||
|
+ Fix multiple uint32 overflows in writeBufferToSeparateStrips(),
|
||||||
|
writeBufferToContigTiles() and writeBufferToSeparateTiles()
|
||||||
|
that could cause heap buffer overflows. Fixes
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2592
|
||||||
|
+ Fix out-of-bound read of up to 3 bytes in
|
||||||
|
readContigTilesIntoBuffer(). Reported as MSVR 35092.
|
||||||
|
+ Fix out-of-bounds write in loadImage(). From patch
|
||||||
|
libtiff-CVE-2016-3991.patch from
|
||||||
|
libtiff-4.0.3-25.el7_2.src.rpm
|
||||||
|
(http://bugzilla.maptools.org/show_bug.cgi?id=2543, bsc#975070)
|
||||||
|
+ Fix read of undefined buffer in readContigStripsIntoBuffer()
|
||||||
|
due to uint16 overflow. Reported as MSVR 35100.
|
||||||
|
+ Fix various out-of-bounds write vulnerabilities in heap or
|
||||||
|
stack allocated buffers. Reported as MSVR 35093, MSVR 35096
|
||||||
|
and MSVR 35097.
|
||||||
|
+ readContigTilesIntoBuffer: Fix signed/unsigned comparison
|
||||||
|
warning.
|
||||||
|
* tools/tiffdump.c
|
||||||
|
+ Fix a few misaligned 64-bit reads warned by -fsanitize
|
||||||
|
+ ReadDirectory: Remove uint32 cast to_TIFFmalloc() argument
|
||||||
|
which resulted in Coverity report. Added more mutiplication
|
||||||
|
overflow checks
|
||||||
|
* tools/tiffinfo.c
|
||||||
|
+ Fix out-of-bound read on some tiled images.
|
||||||
|
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)
|
||||||
|
+ TIFFReadContigTileData: Fix signed/unsigned comparison warning.
|
||||||
|
+ TIFFReadSeparateTileData: Fix signed/unsigned comparison
|
||||||
|
warning.
|
||||||
|
- Removed patches:
|
||||||
|
* tiff-4.0.4-uninitialized_mem_NeXTDecode.patch
|
||||||
|
* tiff-4.0.6-CVE-2015-8782.patch
|
||||||
|
* tiff-4.0.6-CVE-2016-3186.patch
|
||||||
|
* tiff-4.0.6-CVE-2016-3623.patch
|
||||||
|
* tiff-4.0.6-CVE-2016-3945.patch
|
||||||
|
* tiff-4.0.6-CVE-2016-3990.patch
|
||||||
|
* tiff-4.0.6-CVE-2016-3991.patch
|
||||||
|
* tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch
|
||||||
|
* tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
|
||||||
|
* tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
|
||||||
|
* tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
|
||||||
|
* tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch
|
||||||
|
- Fixed in the upsteam release
|
||||||
|
- Changed patch:
|
||||||
|
* tiff-4.0.6-CVE-2015-7554.patch -> tiff-4.0.7-CVE-2015-7554.patch
|
||||||
|
- Rediffed to the changed context
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Oct 6 07:47:19 UTC 2016 - fstrba@suse.com
|
Thu Oct 6 07:47:19 UTC 2016 - fstrba@suse.com
|
||||||
|
|
||||||
|
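Review bot: The "Removed patches" list near the end of this entry drops tiff-4.0.6-CVE-2015-8782.patch and tiff-4.0.6-CVE-2016-3186.patch as "Fixed in the upsteam release", but neither CVE-2015-8782 nor CVE-2016-3186 is named in any of the per-file items above, so someone auditing CVE coverage from this changelog cannot tell which upstream change replaces them. Suggest adding those CVE ids (and their bsc numbers, if any) to the matching items, or a line under "Removed patches" saying where each one is covered. Also, "upsteam" should read "upstream", and the two explanatory lines ("- Fixed in ..." and "- Rediffed ...") are written as top-level "-" items, so they read as separate changes rather than as notes on the lists above them.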
@ -30,7 +30,7 @@ Patch0: tiff-4.0.3-seek.patch
|
|||||||
# http://bugzilla.maptools.org/show_bug.cgi?id=2442
|
# http://bugzilla.maptools.org/show_bug.cgi?id=2442
|
||||||
Patch1: tiff-4.0.3-compress-warning.patch
|
Patch1: tiff-4.0.3-compress-warning.patch
|
||||||
# http://bugzilla.maptools.org/show_bug.cgi?id=2508
|
# http://bugzilla.maptools.org/show_bug.cgi?id=2508
|
||||||
Patch3: tiff-4.0.6-CVE-2015-7554.patch
|
Patch3: tiff-4.0.7-CVE-2015-7554.patch
|
||||||
|
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
BuildRequires: libjpeg-devel
|
BuildRequires: libjpeg-devel
|
||||||
|
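Review bot: The unchanged comment directly above the renamed Patch3 line still points to http://bugzilla.maptools.org/show_bug.cgi?id=2508, which the changelog entry in this same commit associates with the NeXTDecode() fix in libtiff/tif_next.c, not with CVE-2015-7554. Since tiff-4.0.4-uninitialized_mem_NeXTDecode.patch is listed as removed, this comment looks left over; suggest replacing it with the reference for CVE-2015-7554 or dropping it, so that the one patch touched here is documented against the right bug.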