pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2010Q2]: pkgsrc/graphics/tiff Pullup ticket 3197 - requested b...
details: https://anonhg.NetBSD.org/pkgsrc/rev/35d02e3e7427
branches: pkgsrc-2010Q2
changeset: 576938:35d02e3e7427
user: spz <spz%pkgsrc.org@localhost>
date: Wed Aug 04 21:23:39 2010 +0000
description:
Pullup ticket 3197 - requested by tron
security patches
Revisions pulled up:
- pkgsrc/graphics/tiff/Makefile 1.97
- pkgsrc/graphics/tiff/distinfo 1.49
Files added:
pkgsrc/graphics/tiff/patches/patch-aa
pkgsrc/graphics/tiff/patches/patch-ab
pkgsrc/graphics/tiff/patches/patch-ac
pkgsrc/graphics/tiff/patches/patch-ad
pkgsrc/graphics/tiff/patches/patch-ae
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Wed Aug 4 17:48:22 UTC 2010
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
Added Files:
pkgsrc/graphics/tiff/patches: patch-aa patch-ab patch-ac patch-ad
patch-ae
Log Message:
Add patches from either libtiff's or Red Hat's Bugzilla which fix the
following vulnerabilities:
- CVE-2010-2233
- CVE-2010-2482
- CVE-2010-2483
- CVE-2010-2595
- CVE-2010-2597
There is no patch for CVE-2010-2596 yet. But it is low risk (an assertion
gets triggered) and cannot be exploited after the above vulnerabilities
are fixed (at least if I understood correctly).
No butcher was involved in fixing this package.
To generate a diff of this commit:
cvs rdiff -u -r1.96 -r1.97 pkgsrc/graphics/tiff/Makefile
cvs rdiff -u -r1.48 -r1.49 pkgsrc/graphics/tiff/distinfo
cvs rdiff -u -r0 -r1.19 pkgsrc/graphics/tiff/patches/patch-aa
cvs rdiff -u -r0 -r1.20 pkgsrc/graphics/tiff/patches/patch-ab
cvs rdiff -u -r0 -r1.22 pkgsrc/graphics/tiff/patches/patch-ac
cvs rdiff -u -r0 -r1.16 pkgsrc/graphics/tiff/patches/patch-ad
cvs rdiff -u -r0 -r1.11 pkgsrc/graphics/tiff/patches/patch-ae
diffstat:
graphics/tiff/Makefile | 3 +-
graphics/tiff/distinfo | 7 ++++-
graphics/tiff/patches/patch-aa | 59 ++++++++++++++++++++++++++++++++++++++++++
graphics/tiff/patches/patch-ab | 19 +++++++++++++
graphics/tiff/patches/patch-ac | 32 ++++++++++++++++++++++
graphics/tiff/patches/patch-ad | 31 ++++++++++++++++++++++
graphics/tiff/patches/patch-ae | 47 +++++++++++++++++++++++++++++++++
7 files changed, 196 insertions(+), 2 deletions(-)
diffs (235 lines):
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/Makefile
--- a/graphics/tiff/Makefile Wed Aug 04 21:11:23 2010 +0000
+++ b/graphics/tiff/Makefile Wed Aug 04 21:23:39 2010 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.96 2010/06/16 13:56:41 drochner Exp $
+# $NetBSD: Makefile,v 1.96.2.1 2010/08/04 21:23:39 spz Exp $
DISTNAME= tiff-3.9.4
+PKGREVISION= 1
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://libtiff.maptools.org/dl/
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/distinfo
--- a/graphics/tiff/distinfo Wed Aug 04 21:11:23 2010 +0000
+++ b/graphics/tiff/distinfo Wed Aug 04 21:23:39 2010 +0000
@@ -1,5 +1,10 @@
-$NetBSD: distinfo,v 1.48 2010/06/16 13:56:41 drochner Exp $
+$NetBSD: distinfo,v 1.48.2.1 2010/08/04 21:23:39 spz Exp $
SHA1 (tiff-3.9.4.tar.gz) = a4e32d55afbbcabd0391a9c89995e8e8a19961de
RMD160 (tiff-3.9.4.tar.gz) = 3e0a74b6294297c16fb983ad68056a1dfbbdb1de
Size (tiff-3.9.4.tar.gz) = 1436968 bytes
+SHA1 (patch-aa) = 0ed02eb18454f4d91bf2fad6b9262bc442cd0822
+SHA1 (patch-ab) = 66101ec437ff222d629120e52e2011ea5b36dca0
+SHA1 (patch-ac) = 7211eebf68e73790ac1263efb16943e59cbffa95
+SHA1 (patch-ad) = bae790a9309967f874987f1da57e5f93a67094e1
+SHA1 (patch-ae) = 33dd5e9307a55273e9aaacdd7f5f9aea51aa5adc
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/patches/patch-aa
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-aa Wed Aug 04 21:23:39 2010 +0000
@@ -0,0 +1,59 @@
+$NetBSD: patch-aa,v 1.19.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for CVE-2010-2233 taken from here ...
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2207
+
+... and for CVE-2010-2483 taken from here:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=603081
+
+--- libtiff/tif_getimage.c.orig 2010-06-08 19:50:42.000000000 +0100
++++ libtiff/tif_getimage.c 2010-08-04 18:20:24.000000000 +0100
+@@ -1846,6 +1846,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ uint32* cp2;
++ int32 incr = 2*toskew+w;
+ (void) y;
+ fromskew = (fromskew / 2) * 6;
+ cp2 = cp+w+toskew;
+@@ -1872,8 +1873,8 @@
+ cp2 ++ ;
+ pp += 6;
+ }
+- cp += toskew*2+w;
+- cp2 += toskew*2+w;
++ cp += incr;
++ cp2 += incr;
+ pp += fromskew;
+ h-=2;
+ }
+@@ -1939,6 +1940,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ uint32* cp2;
++ int32 incr = 2*toskew+w;
+ (void) y;
+ fromskew = (fromskew / 2) * 4;
+ cp2 = cp+w+toskew;
+@@ -1953,8 +1955,8 @@
+ cp2 ++;
+ pp += 4;
+ } while (--x);
+- cp += toskew*2+w;
+- cp2 += toskew*2+w;
++ cp += incr;
++ cp2 += incr;
+ pp += fromskew;
+ h-=2;
+ }
+@@ -2397,7 +2399,7 @@
+ }
+ break;
+ case PHOTOMETRIC_YCBCR:
+- if (img->bitspersample == 8)
++ if ((img->bitspersample==8) && (img->samplesperpixel==3))
+ {
+ if (initYCbCrConversion(img)!=0)
+ {
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/patches/patch-ab
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-ab Wed Aug 04 21:23:39 2010 +0000
@@ -0,0 +1,19 @@
+$NetBSD: patch-ab,v 1.20.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for CVE-2010-2482 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
+--- libtiff/tif_ojpeg.c.orig 2010-06-09 00:29:51.000000000 +0100
++++ libtiff/tif_ojpeg.c 2010-08-04 18:14:07.000000000 +0100
+@@ -1920,6 +1920,10 @@
+ sp->in_buffer_file_pos=0;
+ else
+ {
++ if (sp->tif->tif_dir.td_stripbytecount == 0) {
++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
++ return(0);
++ }
+ sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];
+ if (sp->in_buffer_file_togo==0)
+ sp->in_buffer_file_pos=0;
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/patches/patch-ac
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-ac Wed Aug 04 21:23:39 2010 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-ac,v 1.22.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for CVE-2010-2482 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
+--- tools/tiffsplit.c.orig 2010-06-08 19:50:44.000000000 +0100
++++ tools/tiffsplit.c 2010-08-04 18:14:07.000000000 +0100
+@@ -237,7 +237,10 @@
+ tstrip_t s, ns = TIFFNumberOfStrips(in);
+ uint32 *bytecounts;
+
+- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
++ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
++ fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
++ return (0);
++ }
+ for (s = 0; s < ns; s++) {
+ if (bytecounts[s] > (uint32)bufsize) {
+ buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
+@@ -267,7 +270,10 @@
+ ttile_t t, nt = TIFFNumberOfTiles(in);
+ uint32 *bytecounts;
+
+- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
++ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
++ fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
++ return (0);
++ }
+ for (t = 0; t < nt; t++) {
+ if (bytecounts[t] > (uint32) bufsize) {
+ buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/patches/patch-ad
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-ad Wed Aug 04 21:23:39 2010 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-ad,v 1.16.2.2 2010/08/04 21:23:39 spz Exp $
+
+Patch for CVE-2010-2595 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2208
+
+--- libtiff/tif_color.c.orig 2010-06-08 19:50:41.000000000 +0100
++++ libtiff/tif_color.c 2010-08-04 18:24:14.000000000 +0100
+@@ -183,13 +183,18 @@
+ TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
+ uint32 *r, uint32 *g, uint32 *b)
+ {
++ int32 i;
++
+ /* XXX: Only 8-bit YCbCr input supported for now */
+ Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
+
+- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
+- *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
+- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
+- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
++ *r = CLAMP(i, 0, 255);
++ i = ycbcr->Y_tab[Y]
++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
++ *g = CLAMP(i, 0, 255);
++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
++ *b = CLAMP(i, 0, 255);
+ }
+
+ /*
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/patches/patch-ae
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-ae Wed Aug 04 21:23:39 2010 +0000
@@ -0,0 +1,47 @@
+$NetBSD: patch-ae,v 1.11.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for CVE-2010-2597 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2215
+
+--- libtiff/tif_strip.c.orig 2010-06-08 19:50:43.000000000 +0100
++++ libtiff/tif_strip.c 2010-08-04 18:35:46.000000000 +0100
+@@ -124,9 +124,9 @@
+ uint16 ycbcrsubsampling[2];
+ tsize_t w, scanline, samplingarea;
+
+- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1 );
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+ samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
+ if (samplingarea == 0) {
+@@ -234,9 +234,9 @@
+ && !isUpSampled(tif)) {
+ uint16 ycbcrsubsampling[2];
+
+- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1);
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+ if (ycbcrsubsampling[0] == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+@@ -308,9 +308,9 @@
+ && !isUpSampled(tif)) {
+ uint16 ycbcrsubsampling[2];
+
+- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+- ycbcrsubsampling + 0,
+- ycbcrsubsampling + 1);
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++ ycbcrsubsampling + 0,
++ ycbcrsubsampling + 1);
+
+ if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
Home |
Main Index |
Thread Index |
Old Index