Accepting request 67297 from graphics

Accepted submit request 67297 from user coolo

OBS-URL: https://build.opensuse.org/request/show/67297
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=29

tiff-3.9.4-CVE-2011-0192.patch

@@ -1,29 +0,0 @@
-Protect against a fax VL(n) codeword commanding a move left.  Without
-this, a malicious input file can generate an indefinitely large series
-of runs without a0 ever reaching the right margin, thus overrunning
-our buffer of run lengths.  Per CVE-2011-0192.  This is a modified
-version of a patch proposed by Drew Yao of Apple Product Security.
-It adds an unexpected() report, and disallows the equality case except
-for the first run of a line, since emitting a run without increasing a0
-still allows buffer overrun.  (We have to allow it for the first run to
-cover the case of encoding a zero-length run at start of line using VL.)
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2297
-
-diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
---- libtiff/tif_fax3.h	2010-06-08 14:50:42.000000000 -0400
-+++ libtiff/tif_fax3.h	2011-03-10 12:11:20.850839162 -0500
-@@ -478,6 +478,12 @@
- 	    break;							\
- 	case S_VL:							\
- 	    CHECK_b1;							\
-+	    if (b1 <= (int) (a0 + TabEnt->Param)) {			\
-+		if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) {	\
-+		    unexpected("VL", a0);				\
-+		    goto eol2d;						\
-+		}							\
-+	    }								\
- 	    SETVALUE(b1 - a0 - TabEnt->Param);				\
- 	    b1 -= *--pb;						\
- 	    break;							\
-

tiff-3.9.4-CVE-2011-1167.patch

@@ -1,68 +0,0 @@
-Index: libtiff/tif_thunder.c
-===================================================================
---- libtiff/tif_thunder.c.orig
-+++ libtiff/tif_thunder.c
-@@ -25,6 +25,7 @@
-  */
- 
- #include "tiffiop.h"
-+#include <assert.h>
- #ifdef THUNDER_SUPPORT
- /*
-  * TIFF Library.
-@@ -55,12 +56,32 @@
- static const int twobitdeltas[4] = { 0, 1, 0, -1 };
- static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
- 
--#define	SETPIXEL(op, v) { \
--	lastpixel = (v) & 0xf; \
--	if (npixels++ & 1) \
--	    *op++ |= lastpixel; \
--	else \
-+#define	SETPIXEL(op, v) {                     \
-+	lastpixel = (v) & 0xf;                \
-+        if ( npixels < maxpixels )         \
-+        {                                     \
-+	  if (npixels++ & 1)                  \
-+	    *op++ |= lastpixel;               \
-+	  else                                \
- 	    op[0] = (tidataval_t) (lastpixel << 4); \
-+        }                                     \
-+}
-+
-+static int
-+ThunderSetupDecode(TIFF* tif)
-+{
-+	static const char module[] = "ThunderSetupDecode";
-+
-+        if( tif->tif_dir.td_bitspersample != 4 )
-+        {
-+                TIFFErrorExt(tif->tif_clientdata, module,
-+                             "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
-+                             (int) tif->tif_dir.td_bitspersample );
-+                return 0;
-+        }
-+        
-+
-+	return (1);
- }
- 
- static int
-@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf
- 		occ -= tif->tif_scanlinesize;
- 		row += tif->tif_scanlinesize;
- 	}
--	return (1);
-+
-+        return (1);
- }
- 
- int
-@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int schem
- 	(void) scheme;
- 	tif->tif_decoderow = ThunderDecodeRow;
- 	tif->tif_decodestrip = ThunderDecodeRow;
-+        tif->tif_setupdecode = ThunderSetupDecode;
- 	return (1);
- }
- #endif /* THUNDER_SUPPORT */

tiff-3.9.4-getimage-64bit.patch

@@ -1,41 +0,0 @@
-diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
---- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-10 15:07:28.000000000 -0400
-@@ -1846,6 +1846,7 @@
- DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
- {
- 	uint32* cp2;
-+	int32 incr = 2*toskew+w;
- 	(void) y;
- 	fromskew = (fromskew / 2) * 6;
- 	cp2 = cp+w+toskew;
-@@ -1872,8 +1873,8 @@
- 			cp2 ++ ;
- 			pp += 6;
- 		}
--		cp += toskew*2+w;
--		cp2 += toskew*2+w;
-+		cp += incr;
-+		cp2 += incr;
- 		pp += fromskew;
- 		h-=2;
- 	}
-@@ -1939,6 +1940,7 @@
- DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
- {
- 	uint32* cp2;
-+	int32 incr = 2*toskew+w;
- 	(void) y;
- 	fromskew = (fromskew / 2) * 4;
- 	cp2 = cp+w+toskew;
-@@ -1953,8 +1955,8 @@
- 			cp2 ++;
- 			pp += 4;
- 		} while (--x);
--		cp += toskew*2+w;
--		cp2 += toskew*2+w;
-+		cp += incr;
-+		cp2 += incr;
- 		pp += fromskew;
- 		h-=2;
- 	}

tiff-3.9.4-oob-read.patch

@@ -1,12 +0,0 @@
-diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
---- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-11 12:06:47.000000000 -0400
-@@ -2397,7 +2397,7 @@
- 			}
- 			break;
- 		case PHOTOMETRIC_YCBCR:
--			if (img->bitspersample == 8)
-+			if ((img->bitspersample==8) && (img->samplesperpixel==3))
- 			{
- 				if (initYCbCrConversion(img)!=0)
- 				{

tiff-3.9.4-scanlinesize.patch

@@ -1,65 +0,0 @@
-diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
---- tiff-3.9.2.orig/libtiff/tif_jpeg.c	2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_jpeg.c	2010-01-05 22:40:40.000000000 -0500
-@@ -988,8 +988,15 @@
- 	tsize_t nrows;
- 	(void) s;
- 
--	/* data is expected to be read in multiples of a scanline */
--	if ( (nrows = sp->cinfo.d.image_height) ) {
-+    nrows = cc / sp->bytesperline;
-+    if (cc % sp->bytesperline)
-+		TIFFWarningExt(tif->tif_clientdata, tif->tif_name, "fractional scanline not read");
-+
-+    if( nrows > (int) sp->cinfo.d.image_height )
-+        nrows = sp->cinfo.d.image_height;
-+
-+    /* data is expected to be read in multiples of a scanline */
-+    if (nrows) {
- 		/* Cb,Cr both have sampling factors 1, so this is correct */
- 		JDIMENSION clumps_per_line = sp->cinfo.d.comp_info[1].downsampled_width;            
- 		int samples_per_clump = sp->samplesperclump;
-@@ -1087,8 +1094,7 @@
- 			 * TODO: resolve this */
- 			buf += sp->bytesperline;
- 			cc -= sp->bytesperline;
--			nrows -= sp->v_sampling;
--		} while (nrows > 0);
-+		} while (--nrows > 0);
- 
- #ifdef JPEG_LIB_MK1
- 		_TIFFfree(tmpbuf);
-diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
---- tiff-3.9.2.orig/libtiff/tif_strip.c	2006-03-25 13:04:35.000000000 -0500
-+++ tiff-3.9.2/libtiff/tif_strip.c	2010-01-05 21:39:20.000000000 -0500
-@@ -238,23 +238,19 @@
- 				     ycbcrsubsampling + 0,
- 				     ycbcrsubsampling + 1);
- 
--			if (ycbcrsubsampling[0] == 0) {
-+			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
- 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- 					     "Invalid YCbCr subsampling");
- 				return 0;
- 			}
- 
--			scanline = TIFFroundup(td->td_imagewidth,
-+			/* number of sample clumps per line */
-+			scanline = TIFFhowmany(td->td_imagewidth,
- 					       ycbcrsubsampling[0]);
--			scanline = TIFFhowmany8(multiply(tif, scanline,
--							 td->td_bitspersample,
--							 "TIFFScanlineSize"));
--			return ((tsize_t)
--				summarize(tif, scanline,
--					  multiply(tif, 2,
--						scanline / ycbcrsubsampling[0],
--						"TIFFVStripSize"),
--					  "TIFFVStripSize"));
-+			/* number of samples per line */
-+			scanline = multiply(tif, scanline,
-+					    ycbcrsubsampling[0]*ycbcrsubsampling[1] + 2,
-+					    "TIFFScanlineSize");
- 		} else {
- 			scanline = multiply(tif, td->td_imagewidth,
- 					    td->td_samplesperpixel,

tiff-3.9.4.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a2102a511ebee0d99d769e70efe017c7a114cd17c98f338dd5e073a6b61cd6ba
-size 1116882

tiff-3.9.5.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:69d6692ca085662b33aee0775efcd29a7d92c073289949142e2359787bd7c469
+size 1180957

tiff.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Apr 14 14:02:12 CEST 2011 - pgajdos@suse.cz
+
+- updated to 3.9.5:
+  * fixed integer overflow CVE-2010-4665
+  * fixed buffer overflow in ojpeg decoder
+  * upstreamed:
+    - oob-read.patch
+    - CVE-2011-0192.patch
+    - getimage-64bit.patch
+    - CVE-2011-1167.patch
+    - scanlinesize.patch
+
 -------------------------------------------------------------------
 Thu Mar 31 21:49:49 CEST 2011 - pgajdos@suse.cz
 

tiff.spec

@@ -28,7 +28,7 @@ Obsoletes:      tiff-64bit
 %endif
 #
 Url:            http://www.remotesensing.org/libtiff/
-Version:        3.9.4
+Version:        3.9.5
 Release:        4
 Summary:        Tools for Converting from and to the Tiff  Format
 Source:         tiff-%{version}.tar.bz2
@@ -36,12 +36,7 @@ Source2:        README.SUSE
 Source3:        baselibs.conf
 Patch2:         tiff-%{version}-seek.patch
 Patch3:         tiff-%{version}-tiff2pdf-colors.patch
-Patch6:         tiff-%{version}-oob-read.patch
-Patch7:         tiff-%{version}-getimage-64bit.patch
-Patch8:         tiff-%{version}-scanlinesize.patch
 Patch9:         tiff-%{version}-dont-fancy-upsampling.patch
-Patch10:        tiff-%{version}-CVE-2011-0192.patch
-Patch11:        tiff-3.9.4-CVE-2011-1167.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9:         tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -103,12 +98,7 @@ the libtiff library.
 %setup -q 
 %patch2
 %patch3 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
 %patch9 -p1
-%patch10
-%patch11
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755