pool/tiff
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 745973 from home:pgajdos

Browse Source 
- version update to 4.1.0
  * fixes several CVEs mentioned below and more,
    see ChangeLog
- deleted patches
  - tiff-CVE-2018-12900.patch (upstreamed)
  - tiff-CVE-2018-17000,19210.patch (upstreamed)
  - tiff-CVE-2019-6128.patch (upstreamed)
  - tiff-CVE-2019-7663.patch (upstreamed)

OBS-URL: https://build.opensuse.org/request/show/745973
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=139
This commit is contained in:
Fridrich Strba 2019-11-06 12:58:26 +00:00 committed by Git OBS Bridge
parent 219d98803d
commit f03bf8b65d
8 changed files with 17 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
tiff-4.0.10.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4
size 2402867

3
tiff-4.1.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634
size 2421581

17
tiff-CVE-2018-12900.patch
View File

@ -1,17 +0,0 @@
Index: tiff-4.0.10/tools/tiffcp.c
===================================================================
--- tiff-4.0.10.orig/tools/tiffcp.c 2018-10-13 15:58:55.180101778 +0200
+++ tiff-4.0.10/tools/tiffcp.c 2018-11-12 17:00:52.706128841 +0100
@@ -1435,6 +1435,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
status = 0;
goto done;
}
+ if (0xFFFFFFFF / tilew < spp)
+ {
+ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or SamplePerPixel (%u) is too large", tilew, spp);
+ status = 0;
+ goto done;
+ }
bytes_per_sample = bps/8;
for (row = 0; row < imagelength; row += tl) {

55
tiff-CVE-2018-17000,19210.patch
View File

@ -1,55 +0,0 @@
Index: tiff-4.0.10/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200
+++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100
@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
}
m=(1<<tif->tif_dir.td_bitspersample);
n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
+ tif->tif_dir.td_transferfunction[1] == NULL)
+ n = 1;
/*
* Check if the table can be written as a single column,
* or if it must be written as 3 columns. Note that we
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 6f0b48798bdeee91729c10e1fbcf9786234be5f3..078fbcec20677f19f7f967a4834011fe60df1df3 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -285,6 +285,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
_TIFFfree(td->td_smaxsamplevalue);
td->td_smaxsamplevalue = NULL;
}
+ /* Test if 3 transfer functions instead of just one are now needed
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
+ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "SamplesPerPixel tag value is changing, "
+ "but TransferFunction was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+ _TIFFfree(td->td_transferfunction[0]);
+ td->td_transferfunction[0] = NULL;
+ }
}
td->td_samplesperpixel = (uint16) v;
break;
@@ -361,6 +373,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
break;
case TIFFTAG_EXTRASAMPLES:
+ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) &&
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "ExtraSamples tag value is changing, "
+ "but TransferFunction was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+ _TIFFfree(td->td_transferfunction[0]);
+ td->td_transferfunction[0] = NULL;
+ }
if (!setExtraSamples(td, ap, &v))
goto badvalue;
break;

49
tiff-CVE-2019-6128.patch
View File

@ -1,49 +0,0 @@
From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
From: Scott Gayou <github.scott@gmail.com>
Date: Wed, 23 Jan 2019 15:03:53 -0500
Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
pal2rgb failed to free memory on a few errors. This was reported
here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
---
tools/pal2rgb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 01d8502e..9492f1cf 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -118,12 +118,14 @@ main(int argc, char* argv[])
shortv != PHOTOMETRIC_PALETTE) {
fprintf(stderr, "%s: Expecting a palette image.\n",
argv[optind]);
+ (void) TIFFClose(in);
return (-1);
}
if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
fprintf(stderr,
"%s: No colormap (not a valid palette image).\n",
argv[optind]);
+ (void) TIFFClose(in);
return (-1);
}
bitspersample = 0;
@@ -131,11 +133,14 @@ main(int argc, char* argv[])
if (bitspersample != 8) {
fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
argv[optind]);
+ (void) TIFFClose(in);
return (-1);
}
out = TIFFOpen(argv[optind+1], "w");
- if (out == NULL)
+ if (out == NULL) {
+ (void) TIFFClose(in);
return (-2);
+ }
cpTags(in, out);
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
--
2.18.1

48
tiff-CVE-2019-7663.patch
View File

@ -1,48 +0,0 @@
Index: tiff-4.0.10/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c
+++ tiff-4.0.10/libtiff/tif_dirwrite.c
@@ -1896,12 +1896,14 @@ TIFFWriteDirectoryTagTransferfunction(TI
n=3;
if (n==3)
{
- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
+ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
n=2;
}
if (n==2)
{
- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ if (tif->tif_dir.td_transferfunction[1] == NULL ||
+ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
n=1;
}
if (n==0)
Index: tiff-4.0.10/tools/tiffcp.c
===================================================================
--- tiff-4.0.10.orig/tools/tiffcp.c
+++ tiff-4.0.10/tools/tiffcp.c
@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
int status = 1;
uint32 imagew = TIFFRasterScanlineSize(in);
uint32 tilew = TIFFTileRowSize(in);
- int iskew = imagew - tilew*spp;
+ int iskew;
tsize_t tilesize = TIFFTileSize(in);
tdata_t tilebuf;
uint8* bufp = (uint8*) buf;
@@ -1416,6 +1416,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
uint32 row;
uint16 bps = 0, bytes_per_sample;
+ if (spp > (0x7fffffff / tilew))
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ return 0;
+ }
+ iskew = imagew - tilew*spp;
+
tilebuf = _TIFFmalloc(tilesize);
if (tilebuf == 0)
return 0;

12
tiff.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed Nov 6 12:00:35 UTC 2019 - pgajdos@suse.com
- version update to 4.1.0
* fixes several CVEs mentioned below and more,
see ChangeLog
- deleted patches
- tiff-CVE-2018-12900.patch (upstreamed)
- tiff-CVE-2018-17000,19210.patch (upstreamed)
- tiff-CVE-2019-6128.patch (upstreamed)
- tiff-CVE-2019-7663.patch (upstreamed)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 12 15:36:02 UTC 2019 - mvetter@suse.com Tue Feb 12 15:36:02 UTC 2019 - mvetter@suse.com

19
tiff.spec
View File

@ -12,14 +12,14 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
%define asan_build 0 %define asan_build 0
%define debug_build 0 %define debug_build 0
Name: tiff Name: tiff
Version: 4.0.10 Version: 4.1.0
Release: 0 Release: 0
Summary: Tools for Converting from and to the Tagged Image File Format Summary: Tools for Converting from and to the Tagged Image File Format
License: HPND License: HPND
@ -31,17 +31,6 @@ Source3: baselibs.conf
Patch0: tiff-4.0.3-seek.patch Patch0: tiff-4.0.3-seek.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2442 # http://bugzilla.maptools.org/show_bug.cgi?id=2442
Patch1: tiff-4.0.3-compress-warning.patch Patch1: tiff-4.0.3-compress-warning.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2798
# https://gitlab.com/libtiff/libtiff/merge_requests/44
Patch2: tiff-CVE-2018-12900.patch
Patch3: tiff-CVE-2018-17000,19210.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2836
# https://gitlab.com/libtiff/libtiff/merge_requests/50
Patch4: tiff-CVE-2019-6128.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2833
# https://gitlab.com/libtiff/libtiff/merge_requests/54
# https://gitlab.com/libtiff/libtiff/merge_requests/60
Patch5: tiff-CVE-2019-7663.patch
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libjbig-devel BuildRequires: libjbig-devel
BuildRequires: libjpeg-devel BuildRequires: libjpeg-devel
@ -80,10 +69,6 @@ the libtiff library.
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build %build
CFLAGS="%{optflags} -fPIE" CFLAGS="%{optflags} -fPIE"