diff --git a/tiff-3.9.4-CVE-2011-0192.patch b/tiff-3.9.4-CVE-2011-0192.patch
deleted file mode 100644
index 6f1c50d..0000000
--- a/tiff-3.9.4-CVE-2011-0192.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Protect against a fax VL(n) codeword commanding a move left. Without
-this, a malicious input file can generate an indefinitely large series
-of runs without a0 ever reaching the right margin, thus overrunning
-our buffer of run lengths. Per CVE-2011-0192. This is a modified
-version of a patch proposed by Drew Yao of Apple Product Security.
-It adds an unexpected() report, and disallows the equality case except
-for the first run of a line, since emitting a run without increasing a0
-still allows buffer overrun. (We have to allow it for the first run to
-cover the case of encoding a zero-length run at start of line using VL.)
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2297
-
-diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
---- libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400
-+++ libtiff/tif_fax3.h 2011-03-10 12:11:20.850839162 -0500
-@@ -478,6 +478,12 @@
- break; \
- case S_VL: \
- CHECK_b1; \
-+ if (b1 <= (int) (a0 + TabEnt->Param)) { \
-+ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \
-+ unexpected("VL", a0); \
-+ goto eol2d; \
-+ } \
-+ } \
- SETVALUE(b1 - a0 - TabEnt->Param); \
- b1 -= *--pb; \
- break; \
-
diff --git a/tiff-3.9.4-CVE-2011-1167.patch b/tiff-3.9.4-CVE-2011-1167.patch
deleted file mode 100644
index 93032f5..0000000
--- a/tiff-3.9.4-CVE-2011-1167.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Index: libtiff/tif_thunder.c
-===================================================================
---- libtiff/tif_thunder.c.orig
-+++ libtiff/tif_thunder.c
-@@ -25,6 +25,7 @@
- */
-
- #include "tiffiop.h"
-+#include
- #ifdef THUNDER_SUPPORT
- /*
- * TIFF Library.
-@@ -55,12 +56,32 @@
- static const int twobitdeltas[4] = { 0, 1, 0, -1 };
- static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
-
--#define SETPIXEL(op, v) { \
-- lastpixel = (v) & 0xf; \
-- if (npixels++ & 1) \
-- *op++ |= lastpixel; \
-- else \
-+#define SETPIXEL(op, v) { \
-+ lastpixel = (v) & 0xf; \
-+ if ( npixels < maxpixels ) \
-+ { \
-+ if (npixels++ & 1) \
-+ *op++ |= lastpixel; \
-+ else \
- op[0] = (tidataval_t) (lastpixel << 4); \
-+ } \
-+}
-+
-+static int
-+ThunderSetupDecode(TIFF* tif)
-+{
-+ static const char module[] = "ThunderSetupDecode";
-+
-+ if( tif->tif_dir.td_bitspersample != 4 )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
-+ (int) tif->tif_dir.td_bitspersample );
-+ return 0;
-+ }
-+
-+
-+ return (1);
- }
-
- static int
-@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf
- occ -= tif->tif_scanlinesize;
- row += tif->tif_scanlinesize;
- }
-- return (1);
-+
-+ return (1);
- }
-
- int
-@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int schem
- (void) scheme;
- tif->tif_decoderow = ThunderDecodeRow;
- tif->tif_decodestrip = ThunderDecodeRow;
-+ tif->tif_setupdecode = ThunderSetupDecode;
- return (1);
- }
- #endif /* THUNDER_SUPPORT */
diff --git a/tiff-3.9.4-getimage-64bit.patch b/tiff-3.9.4-getimage-64bit.patch
deleted file mode 100644
index 5cd99e4..0000000
--- a/tiff-3.9.4-getimage-64bit.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
---- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400
-@@ -1846,6 +1846,7 @@
- DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
- {
- uint32* cp2;
-+ int32 incr = 2*toskew+w;
- (void) y;
- fromskew = (fromskew / 2) * 6;
- cp2 = cp+w+toskew;
-@@ -1872,8 +1873,8 @@
- cp2 ++ ;
- pp += 6;
- }
-- cp += toskew*2+w;
-- cp2 += toskew*2+w;
-+ cp += incr;
-+ cp2 += incr;
- pp += fromskew;
- h-=2;
- }
-@@ -1939,6 +1940,7 @@
- DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
- {
- uint32* cp2;
-+ int32 incr = 2*toskew+w;
- (void) y;
- fromskew = (fromskew / 2) * 4;
- cp2 = cp+w+toskew;
-@@ -1953,8 +1955,8 @@
- cp2 ++;
- pp += 4;
- } while (--x);
-- cp += toskew*2+w;
-- cp2 += toskew*2+w;
-+ cp += incr;
-+ cp2 += incr;
- pp += fromskew;
- h-=2;
- }
diff --git a/tiff-3.9.4-oob-read.patch b/tiff-3.9.4-oob-read.patch
deleted file mode 100644
index 8f67f3c..0000000
--- a/tiff-3.9.4-oob-read.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
---- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400
-@@ -2397,7 +2397,7 @@
- }
- break;
- case PHOTOMETRIC_YCBCR:
-- if (img->bitspersample == 8)
-+ if ((img->bitspersample==8) && (img->samplesperpixel==3))
- {
- if (initYCbCrConversion(img)!=0)
- {
diff --git a/tiff-3.9.4-scanlinesize.patch b/tiff-3.9.4-scanlinesize.patch
deleted file mode 100644
index d16c62d..0000000
--- a/tiff-3.9.4-scanlinesize.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
---- tiff-3.9.2.orig/libtiff/tif_jpeg.c 2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_jpeg.c 2010-01-05 22:40:40.000000000 -0500
-@@ -988,8 +988,15 @@
- tsize_t nrows;
- (void) s;
-
-- /* data is expected to be read in multiples of a scanline */
-- if ( (nrows = sp->cinfo.d.image_height) ) {
-+ nrows = cc / sp->bytesperline;
-+ if (cc % sp->bytesperline)
-+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
-+
-+ if( nrows > (int) sp->cinfo.d.image_height )
-+ nrows = sp->cinfo.d.image_height;
-+
-+ /* data is expected to be read in multiples of a scanline */
-+ if (nrows) {
- /* Cb,Cr both have sampling factors 1, so this is correct */
- JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;
- int samples_per_clump = sp->samplesperclump;
-@@ -1087,8 +1094,7 @@
- * TODO: resolve this */
- buf += sp->bytesperline;
- cc -= sp->bytesperline;
-- nrows -= sp->v_sampling;
-- } while (nrows > 0);
-+ } while (--nrows > 0);
-
- #ifdef JPEG_LIB_MK1
- _TIFFfree(tmpbuf);
-diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
---- tiff-3.9.2.orig/libtiff/tif_strip.c 2006-03-25 13:04:35.000000000 -0500
-+++ tiff-3.9.2/libtiff/tif_strip.c 2010-01-05 21:39:20.000000000 -0500
-@@ -238,23 +238,19 @@
- ycbcrsubsampling + 0,
- ycbcrsubsampling + 1);
-
-- if (ycbcrsubsampling[0] == 0) {
-+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Invalid YCbCr subsampling");
- return 0;
- }
-
-- scanline = TIFFroundup(td->td_imagewidth,
-+ /* number of sample clumps per line */
-+ scanline = TIFFhowmany(td->td_imagewidth,
- ycbcrsubsampling[0]);
-- scanline = TIFFhowmany8(multiply(tif, scanline,
-- td->td_bitspersample,
-- "TIFFScanlineSize"));
-- return ((tsize_t)
-- summarize(tif, scanline,
-- multiply(tif, 2,
-- scanline / ycbcrsubsampling[0],
-- "TIFFVStripSize"),
-- "TIFFVStripSize"));
-+ /* number of samples per line */
-+ scanline = multiply(tif, scanline,
-+ ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
-+ "TIFFScanlineSize");
- } else {
- scanline = multiply(tif, td->td_imagewidth,
- td->td_samplesperpixel,
diff --git a/tiff-3.9.4.tar.bz2 b/tiff-3.9.4.tar.bz2
deleted file mode 100644
index 6e79c79..0000000
--- a/tiff-3.9.4.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a2102a511ebee0d99d769e70efe017c7a114cd17c98f338dd5e073a6b61cd6ba
-size 1116882
diff --git a/tiff-3.9.4-dont-fancy-upsampling.patch b/tiff-3.9.5-dont-fancy-upsampling.patch
similarity index 100%
rename from tiff-3.9.4-dont-fancy-upsampling.patch
rename to tiff-3.9.5-dont-fancy-upsampling.patch
diff --git a/tiff-3.9.4-seek.patch b/tiff-3.9.5-seek.patch
similarity index 100%
rename from tiff-3.9.4-seek.patch
rename to tiff-3.9.5-seek.patch
diff --git a/tiff-3.9.4-tiff2pdf-colors.patch b/tiff-3.9.5-tiff2pdf-colors.patch
similarity index 100%
rename from tiff-3.9.4-tiff2pdf-colors.patch
rename to tiff-3.9.5-tiff2pdf-colors.patch
diff --git a/tiff-3.9.5.tar.bz2 b/tiff-3.9.5.tar.bz2
new file mode 100644
index 0000000..6264343
--- /dev/null
+++ b/tiff-3.9.5.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:69d6692ca085662b33aee0775efcd29a7d92c073289949142e2359787bd7c469
+size 1180957
diff --git a/tiff.changes b/tiff.changes
index f676777..54db7a9 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Apr 14 14:02:12 CEST 2011 - pgajdos@suse.cz
+
+- updated to 3.9.5:
+ * fixed integer overflow CVE-2010-4665
+ * fixed buffer overflow in ojpeg decoder
+ * upstreamed:
+ - oob-read.patch
+ - CVE-2011-0192.patch
+ - getimage-64bit.patch
+ - CVE-2011-1167.patch
+ - scanlinesize.patch
+
 -------------------------------------------------------------------
 Thu Mar 31 21:49:49 CEST 2011 - pgajdos@suse.cz
diff --git a/tiff.spec b/tiff.spec
index 6d00ab0..5b50e3e 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -28,7 +28,7 @@ Obsoletes: tiff-64bit
 %endif
 #
 Url: http://www.remotesensing.org/libtiff/
-Version: 3.9.4
+Version: 3.9.5
 Release: 4
 Summary: Tools for Converting from and to the Tiff Format
 Source: tiff-%{version}.tar.bz2
@@ -36,12 +36,7 @@ Source2: README.SUSE
 Source3: baselibs.conf
 Patch2: tiff-%{version}-seek.patch
 Patch3: tiff-%{version}-tiff2pdf-colors.patch
-Patch6: tiff-%{version}-oob-read.patch
-Patch7: tiff-%{version}-getimage-64bit.patch
-Patch8: tiff-%{version}-scanlinesize.patch
 Patch9: tiff-%{version}-dont-fancy-upsampling.patch
-Patch10: tiff-%{version}-CVE-2011-0192.patch
-Patch11: tiff-3.9.4-CVE-2011-1167.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -103,12 +98,7 @@ the libtiff library.
 %setup -q
 %patch2
 %patch3 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
 %patch9 -p1
-%patch10
-%patch11
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755
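Review bot: The `Patch10`/`Patch11` removals in the `@@ -36,12 +36,7 @@` hunk of tiff.spec (and the matching `%patch10`/`%patch11` removals in `@@ -103,12 +98,7 @@`) leave nothing in the spec recording that CVE-2011-0192 and CVE-2011-1167 are now expected to be covered by the 3.9.5 tarball itself. The changelog entry says both were upstreamed, but this diff cannot confirm it, so the unpacked 3.9.5 sources should be checked for the `S_VL` guard in `tif_fax3.h` and for `ThunderSetupDecode` in `tif_thunder.c` before the local patches go away. A comment next to the remaining patch list would keep that traceable, for example `# CVE-2011-0192, CVE-2011-1167: fixed upstream in 3.9.5, local patches dropped`. The `Source:` context line is a bare file name, so the replaced tarball is identified only by its git-lfs oid; using the full upstream download URL there would let the archive be compared against the upstream release.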