pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2010Q2]: pkgsrc/graphics/tiff Pullup ticket 3197 - requested b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/35d02e3e7427
branches:  pkgsrc-2010Q2
changeset: 576938:35d02e3e7427
user:      spz <spz%pkgsrc.org@localhost>
date:      Wed Aug 04 21:23:39 2010 +0000

description:
Pullup ticket 3197 - requested by tron
security patches

Revisions pulled up:
- pkgsrc/graphics/tiff/Makefile         1.97
- pkgsrc/graphics/tiff/distinfo         1.49

Files added:
pkgsrc/graphics/tiff/patches/patch-aa
pkgsrc/graphics/tiff/patches/patch-ab
pkgsrc/graphics/tiff/patches/patch-ac
pkgsrc/graphics/tiff/patches/patch-ad
pkgsrc/graphics/tiff/patches/patch-ae

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Wed Aug  4 17:48:22 UTC 2010

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-aa patch-ab patch-ac patch-ad
               patch-ae

   Log Message:
   Add patches from either libtiff's or Red Hat's Bugzilla which fix the
   following vulnerabilities:
   - CVE-2010-2233
   - CVE-2010-2482
   - CVE-2010-2483
   - CVE-2010-2595
   - CVE-2010-2597
   There is no patch for CVE-2010-2596 yet. But it is low risk (an assertion
   gets triggered) and cannot be exploited after the above vulnerabilities
   are fixed (at least if I understood correctly).

   No butcher was involved in fixing this package.


   To generate a diff of this commit:
   cvs rdiff -u -r1.96 -r1.97 pkgsrc/graphics/tiff/Makefile
   cvs rdiff -u -r1.48 -r1.49 pkgsrc/graphics/tiff/distinfo
   cvs rdiff -u -r0 -r1.19 pkgsrc/graphics/tiff/patches/patch-aa
   cvs rdiff -u -r0 -r1.20 pkgsrc/graphics/tiff/patches/patch-ab
   cvs rdiff -u -r0 -r1.22 pkgsrc/graphics/tiff/patches/patch-ac
   cvs rdiff -u -r0 -r1.16 pkgsrc/graphics/tiff/patches/patch-ad
   cvs rdiff -u -r0 -r1.11 pkgsrc/graphics/tiff/patches/patch-ae

diffstat:

 graphics/tiff/Makefile         |   3 +-
 graphics/tiff/distinfo         |   7 ++++-
 graphics/tiff/patches/patch-aa |  59 ++++++++++++++++++++++++++++++++++++++++++
 graphics/tiff/patches/patch-ab |  19 +++++++++++++
 graphics/tiff/patches/patch-ac |  32 ++++++++++++++++++++++
 graphics/tiff/patches/patch-ad |  31 ++++++++++++++++++++++
 graphics/tiff/patches/patch-ae |  47 +++++++++++++++++++++++++++++++++
 7 files changed, 196 insertions(+), 2 deletions(-)

diffs (235 lines):

diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/Makefile
--- a/graphics/tiff/Makefile    Wed Aug 04 21:11:23 2010 +0000
+++ b/graphics/tiff/Makefile    Wed Aug 04 21:23:39 2010 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.96 2010/06/16 13:56:41 drochner Exp $
+# $NetBSD: Makefile,v 1.96.2.1 2010/08/04 21:23:39 spz Exp $
 
 DISTNAME=      tiff-3.9.4
+PKGREVISION=   1
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://ftp.remotesensing.org/pub/libtiff/ \
                http://libtiff.maptools.org/dl/
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/distinfo
--- a/graphics/tiff/distinfo    Wed Aug 04 21:11:23 2010 +0000
+++ b/graphics/tiff/distinfo    Wed Aug 04 21:23:39 2010 +0000
@@ -1,5 +1,10 @@
-$NetBSD: distinfo,v 1.48 2010/06/16 13:56:41 drochner Exp $
+$NetBSD: distinfo,v 1.48.2.1 2010/08/04 21:23:39 spz Exp $
 
 SHA1 (tiff-3.9.4.tar.gz) = a4e32d55afbbcabd0391a9c89995e8e8a19961de
 RMD160 (tiff-3.9.4.tar.gz) = 3e0a74b6294297c16fb983ad68056a1dfbbdb1de
 Size (tiff-3.9.4.tar.gz) = 1436968 bytes
+SHA1 (patch-aa) = 0ed02eb18454f4d91bf2fad6b9262bc442cd0822
+SHA1 (patch-ab) = 66101ec437ff222d629120e52e2011ea5b36dca0
+SHA1 (patch-ac) = 7211eebf68e73790ac1263efb16943e59cbffa95
+SHA1 (patch-ad) = bae790a9309967f874987f1da57e5f93a67094e1
+SHA1 (patch-ae) = 33dd5e9307a55273e9aaacdd7f5f9aea51aa5adc
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-aa    Wed Aug 04 21:23:39 2010 +0000
@@ -0,0 +1,59 @@
+$NetBSD: patch-aa,v 1.19.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for CVE-2010-2233 taken from here ...
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2207
+
+... and for CVE-2010-2483 taken from here:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=603081
+
+--- libtiff/tif_getimage.c.orig        2010-06-08 19:50:42.000000000 +0100
++++ libtiff/tif_getimage.c     2010-08-04 18:20:24.000000000 +0100
+@@ -1846,6 +1846,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+       uint32* cp2;
++      int32 incr = 2*toskew+w;
+       (void) y;
+       fromskew = (fromskew / 2) * 6;
+       cp2 = cp+w+toskew;
+@@ -1872,8 +1873,8 @@
+                       cp2 ++ ;
+                       pp += 6;
+               }
+-              cp += toskew*2+w;
+-              cp2 += toskew*2+w;
++              cp += incr;
++              cp2 += incr;
+               pp += fromskew;
+               h-=2;
+       }
+@@ -1939,6 +1940,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+       uint32* cp2;
++      int32 incr = 2*toskew+w;
+       (void) y;
+       fromskew = (fromskew / 2) * 4;
+       cp2 = cp+w+toskew;
+@@ -1953,8 +1955,8 @@
+                       cp2 ++;
+                       pp += 4;
+               } while (--x);
+-              cp += toskew*2+w;
+-              cp2 += toskew*2+w;
++              cp += incr;
++              cp2 += incr;
+               pp += fromskew;
+               h-=2;
+       }
+@@ -2397,7 +2399,7 @@
+                       }
+                       break;
+               case PHOTOMETRIC_YCBCR:
+-                      if (img->bitspersample == 8)
++                      if ((img->bitspersample==8) && (img->samplesperpixel==3))
+                       {
+                               if (initYCbCrConversion(img)!=0)
+                               {
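Review bot: The two added `int32 incr = 2*toskew+w;` declarations, in putcontig8bitYCbCr22tile and putcontig8bitYCbCr12tile, carry no comment saying that the signed type is the fix, so a later cleanup could fold the expression back into the pointer arithmetic. The parameter types come from the DECLAREContigPutFunc macro, which is outside the hunk. Presumably toskew is signed and w unsigned, in which case the old `toskew*2+w` was evaluated as an unsigned 32-bit value and a negative skew turned into a large forward offset on 64-bit targets. I would put `/* keep incr signed: a negative toskew must stay negative when added to cp and cp2 */` above each declaration. Both function bodies continue outside the hunks shown.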
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-ab    Wed Aug 04 21:23:39 2010 +0000
@@ -0,0 +1,19 @@
+$NetBSD: patch-ab,v 1.20.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for CVE-2010-2482 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
+--- libtiff/tif_ojpeg.c.orig   2010-06-09 00:29:51.000000000 +0100
++++ libtiff/tif_ojpeg.c        2010-08-04 18:14:07.000000000 +0100
+@@ -1920,6 +1920,10 @@
+                                                       sp->in_buffer_file_pos=0;
+                                               else
+                                               {
++                                                      if (sp->tif->tif_dir.td_stripbytecount == 0) {
++                                                              TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
++                                                              return(0);
++                                                      }
+                                                       sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];  
+                                                       if (sp->in_buffer_file_togo==0)
+                                                               sp->in_buffer_file_pos=0;
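Review bot: The added guard rejects only a missing `td_stripbytecount` array; the index `sp->in_buffer_next_strile` used on the very next line is not compared with the array's length anywhere in the hunk. If no earlier check outside the hunk bounds it by the strip count, a second test such as `if (sp->in_buffer_next_strile >= sp->tif->tif_dir.td_nstrips)` with the same TIFFErrorExt/`return(0)` path belongs next to the new one. The pointer test would also read more clearly as `== NULL` than `== 0`. The enclosing function starts and ends outside the hunk, so the existing bounds handling could not be confirmed from here.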
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-ac    Wed Aug 04 21:23:39 2010 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-ac,v 1.22.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for        CVE-2010-2482 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
+--- tools/tiffsplit.c.orig     2010-06-08 19:50:44.000000000 +0100
++++ tools/tiffsplit.c  2010-08-04 18:14:07.000000000 +0100
+@@ -237,7 +237,10 @@
+               tstrip_t s, ns = TIFFNumberOfStrips(in);
+               uint32 *bytecounts;
+ 
+-              TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
++              if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
++                      fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
++                      return (0);
++              }
+               for (s = 0; s < ns; s++) {
+                       if (bytecounts[s] > (uint32)bufsize) {
+                               buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
+@@ -267,7 +270,10 @@
+               ttile_t t, nt = TIFFNumberOfTiles(in);
+               uint32 *bytecounts;
+ 
+-              TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
++              if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
++                      fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
++                      return (0);
++              }
+               for (t = 0; t < nt; t++) {
+                       if (bytecounts[t] > (uint32) bufsize) {
+                               buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);
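Review bot: Both new early returns appear to leak `buf`: it is reallocated a few lines below each check, so it is presumably allocated before the hunk begins, and `return (0);` leaves without releasing it. Adding `_TIFFfree(buf);` before `return (0);` in the strip branch and again in the tile branch would close that. The enclosing functions start and end outside the hunks, so the allocation itself is not visible here.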
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-ad    Wed Aug 04 21:23:39 2010 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-ad,v 1.16.2.2 2010/08/04 21:23:39 spz Exp $
+
+Patch for CVE-2010-2595 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2208
+
+--- libtiff/tif_color.c.orig   2010-06-08 19:50:41.000000000 +0100
++++ libtiff/tif_color.c        2010-08-04 18:24:14.000000000 +0100
+@@ -183,13 +183,18 @@
+ TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
+              uint32 *r, uint32 *g, uint32 *b)
+ {
++      int32 i;
++
+       /* XXX: Only 8-bit YCbCr input supported for now */
+       Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
+ 
+-      *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
+-      *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
+-          + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
+-      *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
++      i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
++      *r = CLAMP(i, 0, 255);
++      i = ycbcr->Y_tab[Y]
++          + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
++      *g = CLAMP(i, 0, 255);
++      i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
++      *b = CLAMP(i, 0, 255);
+ }
+ 
+ /*
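Review bot: Nothing in the rewritten body of TIFFYCbCrtoRGB says why the `clamptab` lookups were replaced, and the remaining `/* XXX: Only 8-bit YCbCr input supported for now */` comment does not cover it. The change exists because the summed table values are not guaranteed to stay inside the range `clamptab` was built for, so indexing with them could read outside the table. A comment above the first assignment would record that, for example `/* clamp arithmetically: the sums below may fall outside clamptab's index range */`. If `clamptab` is still built by the init routine outside this hunk, it may now be unused and worth a follow-up.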
diff -r b15a40177adf -r 35d02e3e7427 graphics/tiff/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-ae    Wed Aug 04 21:23:39 2010 +0000
@@ -0,0 +1,47 @@
+$NetBSD: patch-ae,v 1.11.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for CVE-2010-2597 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2215
+
+--- libtiff/tif_strip.c.orig   2010-06-08 19:50:43.000000000 +0100
++++ libtiff/tif_strip.c        2010-08-04 18:35:46.000000000 +0100
+@@ -124,9 +124,9 @@
+               uint16 ycbcrsubsampling[2];
+               tsize_t w, scanline, samplingarea;
+ 
+-              TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
+-                            ycbcrsubsampling + 0,
+-                            ycbcrsubsampling + 1 );
++              TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++                                    ycbcrsubsampling + 0,
++                                    ycbcrsubsampling + 1);
+ 
+               samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
+               if (samplingarea == 0) {
+@@ -234,9 +234,9 @@
+                   && !isUpSampled(tif)) {
+                       uint16 ycbcrsubsampling[2];
+ 
+-                      TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+-                                   ycbcrsubsampling + 0,
+-                                   ycbcrsubsampling + 1);
++                      TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++                                            ycbcrsubsampling + 0,
++                                            ycbcrsubsampling + 1);
+ 
+                       if (ycbcrsubsampling[0] == 0) {
+                               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+@@ -308,9 +308,9 @@
+                   && !isUpSampled(tif)) {
+                       uint16 ycbcrsubsampling[2];
+ 
+-                      TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+-                                   ycbcrsubsampling + 0,
+-                                   ycbcrsubsampling + 1);
++                      TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++                                            ycbcrsubsampling + 0,
++                                            ycbcrsubsampling + 1);
+ 
+                       if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+                               TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
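Review bot: At all three call sites the `ycbcrsubsampling` array is still declared without an initialiser and the return value of `TIFFGetFieldDefaulted` is discarded, so the zero checks that follow read indeterminate values if the call ever fails to store a result. TIFFGetFieldDefaulted is expected to supply a default for this tag, so this is defence in depth rather than a known hole. Declaring `uint16 ycbcrsubsampling[2] = { 0, 0 };` would route any such failure into the existing error branches. The enclosing functions begin and end outside the hunks.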


