Accepting request 41989 from graphics

Copy from graphics/tiff based on submit request 41989 from user pgajdos OBS-URL: https://build.opensuse.org/request/show/41989 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=19
2010-06-25 18:48:22 +00:00 · 2010-06-25 18:48:22 +00:00 · ff80e6ed0b
commit ff80e6ed0b
parent 0096186dac
6 changed files with 110 additions and 1 deletions
--- a/tiff-3.9.2-NULL-deref.patch
+++ b/tiff-3.9.2-NULL-deref.patch
@ -0,0 +1,19 @@
+Index: libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.24.2.5
+retrieving revision 1.24.2.6
+diff -u -p -r1.24.2.5 -r1.24.2.6
+--- libtiff/tif_ojpeg.c	8 Jun 2010 18:50:42 -0000	1.24.2.5
+++ libtiff/tif_ojpeg.c	8 Jun 2010 23:29:51 -0000	1.24.2.6
+@@ -1909,6 +1909,10 @@ OJPEGReadBufferFill(OJPEGState* sp)
+ 					sp->in_buffer_source=osibsEof;
+ 				else
+ 				{
+					if (sp->tif->tif_dir.td_stripoffset == 0) {
+						TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip offsets are missing");
+						return(0);
+					}
+ 					sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];  
+ 					if (sp->in_buffer_file_pos!=0)
+ 					{
--- a/tiff-3.9.2-getimage-64bit.patch
+++ b/tiff-3.9.2-getimage-64bit.patch
@ -0,0 +1,41 @@
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-10 15:07:28.000000000 -0400
+@@ -1846,6 +1846,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ 	uint32* cp2;
+	int32 incr = 2*toskew+w;
+ 	(void) y;
+ 	fromskew = (fromskew / 2) * 6;
+ 	cp2 = cp+w+toskew;
+@@ -1872,8 +1873,8 @@
+ 			cp2 ++ ;
+ 			pp += 6;
+ 		}
+-		cp += toskew*2+w;
+-		cp2 += toskew*2+w;
+		cp += incr;
+		cp2 += incr;
+ 		pp += fromskew;
+ 		h-=2;
+ 	}
+@@ -1939,6 +1940,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ 	uint32* cp2;
+	int32 incr = 2*toskew+w;
+ 	(void) y;
+ 	fromskew = (fromskew / 2) * 4;
+ 	cp2 = cp+w+toskew;
+@@ -1953,8 +1955,8 @@
+ 			cp2 ++;
+ 			pp += 4;
+ 		} while (--x);
+-		cp += toskew*2+w;
+-		cp2 += toskew*2+w;
+		cp += incr;
+		cp2 += incr;
+ 		pp += fromskew;
+ 		h-=2;
+ 	}
--- a/tiff-3.9.2-integer-overflow.patch
+++ b/tiff-3.9.2-integer-overflow.patch
@ -0,0 +1,17 @@
+Index: libtiff/tif_read.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.16.2.1
+retrieving revision 1.16.2.2
+diff -u -p -r1.16.2.1 -r1.16.2.2
+--- libtiff/tif_read.c	8 Jun 2010 18:50:43 -0000	1.16.2.1
+++ libtiff/tif_read.c	8 Jun 2010 23:29:51 -0000	1.16.2.2
+@@ -609,7 +610,7 @@ TIFFReadBufferSetup(TIFF* tif, tdata_t b
+ 		tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize);
+ 		tif->tif_flags |= TIFF_MYBUFFER;
+ 	}
+-	if (tif->tif_rawdata == NULL) {
+	if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) {
+ 		TIFFErrorExt(tif->tif_clientdata, module,
+ 		    "%s: No space for data buffer at scanline %ld",
+ 		    tif->tif_name, (long) tif->tif_row);
--- a/tiff-3.9.2-oob-read.patch
+++ b/tiff-3.9.2-oob-read.patch
@ -0,0 +1,12 @@
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
+++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-11 12:06:47.000000000 -0400
+@@ -2397,7 +2397,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_YCBCR:
+-			if (img->bitspersample == 8)
+			if ((img->bitspersample==8) && (img->samplesperpixel==3))
+ 			{
+ 				if (initYCbCrConversion(img)!=0)
+ 				{
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Jun 23 10:32:01 CEST 2010 - pgajdos@suse.cz
+
+- fixed CVE-2010-2065
+  * integer-overflow.patch
+  * NULL-deref.patch
+-  fixed out of bounds read
+  * oob-read.patch
+-  fixed CVE-2010-2233
+  * getimage-64bit.patch
+- [bnc#612879]
+
 -------------------------------------------------------------------
 Mon Apr 26 15:07:09 CEST 2010 - pgajdos@suse.cz

--- a/tiff.spec
+++ b/tiff.spec
@ -29,13 +29,17 @@ Obsoletes:      tiff-64bit
 #
 Url:            http://www.remotesensing.org/libtiff/
 Version:        3.9.2
-Release:        3
+Release:        4
 Summary:        Tools for Converting from and to the Tiff  Format
 Source:         tiff-%{version}.tar.bz2
 Source2:        README.SUSE
 Source3:        baselibs.conf
 Patch2:         tiff-%{version}-seek.patch
 Patch3:         tiff-%{version}-tiff2pdf-colors.patch
+Patch4:         tiff-%{version}-NULL-deref.patch
+Patch5:         tiff-%{version}-integer-overflow.patch
+Patch6:         tiff-%{version}-oob-read.patch
+Patch7:         tiff-%{version}-getimage-64bit.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9:         tiff-%{version}-lzw-CVE-2009-2285.patch
@ -97,6 +101,10 @@ the libtiff library.
 %setup -q 
 %patch2
 %patch3 -p1
+%patch4
+%patch5
+%patch6 -p1
+%patch7 -p1
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755