pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2006Q1]: pkgsrc/graphics/tiff Pullup ticket 1694 - requested b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/c683afa5f2c5
branches:  pkgsrc-2006Q1
changeset: 510333:c683afa5f2c5
user:      snj <snj%pkgsrc.org@localhost>
date:      Fri Jun 09 07:29:35 2006 +0000

description:
Pullup ticket 1694 - requested by salo
security update/fix for tiff

Revisions pulled up:
- pkgsrc/graphics/tiff/Makefile         1.79, 1.80, 1.82
- pkgsrc/graphics/tiff/distinfo         1.37-1.38
- pkgsrc/graphics/tiff/PLIST            1.10
- pkgsrc/graphics/tiff/patches/patch-au 1.5

   Module Name: pkgsrc
   Committed By:        drochner
   Date:                Fri Mar 31 14:31:03 UTC 2006

   Modified Files:
        pkgsrc/graphics/tiff: Makefile distinfo

   Log Message:
   update to 3.8.2
   changes: bugfixes
---
   Module Name: pkgsrc
   Committed By:        uebayasi
   Date:                Wed Apr  5 07:04:18 UTC 2006

   Modified Files:
        pkgsrc/graphics/tiff: Makefile PLIST

   Log Message:
   A missing entry in PLIST, found by ftp://ftp.NetBSD.org/pub/pkgsrc/misc/kristerw
   /pkgstat/i386-2.1/20060404.0711/graphics/tiff/.broken.html.

   Reviewed By: reed
---
   Module Name: pkgsrc
   Committed By:        salo
   Date:                Thu Jun  8 11:05:14 UTC 2006

   Modified Files:
        pkgsrc/graphics/tiff: Makefile distinfo
   Added Files:
        pkgsrc/graphics/tiff/patches: patch-au

   Log Message:
   Security fix for CVE-2006-2193:

   "A vulnerability in LibTIFF can be exploited by malicious people to
    cause a DoS (Denial of Service) and potentially compromise a user's
    system.

    The vulnerability is caused due to a boundary error within tiff2pdf
    when handling a TIFF file with a "DocumentName" tag that contains
    UTF-8 characters.  This can be exploited to cause a stack-based buffer
    overflow and may allow arbitrary code execution."

   http://secunia.com/advisories/20488/
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2193

   Patch from Ubuntu.

diffstat:

 graphics/tiff/Makefile         |   5 +++--
 graphics/tiff/PLIST            |   3 ++-
 graphics/tiff/distinfo         |   9 +++++----
 graphics/tiff/patches/patch-au |  15 +++++++++++++++
 4 files changed, 25 insertions(+), 7 deletions(-)

diffs (66 lines):

diff -r f59c2e9d4381 -r c683afa5f2c5 graphics/tiff/Makefile
--- a/graphics/tiff/Makefile    Wed Jun 07 22:44:30 2006 +0000
+++ b/graphics/tiff/Makefile    Fri Jun 09 07:29:35 2006 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.78 2006/03/14 14:08:30 drochner Exp $
+# $NetBSD: Makefile,v 1.78.2.1 2006/06/09 07:29:35 snj Exp $
 
-DISTNAME=      tiff-3.8.1
+DISTNAME=      tiff-3.8.2
+PKGREVISION=   2
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://ftp.remotesensing.org/pub/libtiff/ \
                http://libtiff.maptools.org/dl/
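Review bot: PKGREVISION= 2 is introduced in the same hunk as the DISTNAME bump to tiff-3.8.2, and nothing in the Makefile says what the two revisions cover. From the pulled-up log they appear to be the PLIST fix and the addition of patch-au. Stating that in the pullup message would let an administrator confirm that tiff-3.8.2nb2 is the first package build carrying the CVE-2006-2193 fix, and that a plain tiff-3.8.2 or an nb1 build is still affected.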
diff -r f59c2e9d4381 -r c683afa5f2c5 graphics/tiff/PLIST
--- a/graphics/tiff/PLIST       Wed Jun 07 22:44:30 2006 +0000
+++ b/graphics/tiff/PLIST       Fri Jun 09 07:29:35 2006 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.9 2006/03/14 14:08:30 drochner Exp $
+@comment $NetBSD: PLIST,v 1.9.2.1 2006/06/09 07:29:35 snj Exp $
 bin/bmp2tiff
 bin/fax2ps
 bin/fax2tiff
@@ -221,6 +221,7 @@
 share/doc/tiff/html/v3.7.4.html
 share/doc/tiff/html/v3.8.0.html
 share/doc/tiff/html/v3.8.1.html
+share/doc/tiff/html/v3.8.2.html
 @dirrm share/doc/tiff/html/man
 @dirrm share/doc/tiff/html/images
 @dirrm share/doc/tiff/html
diff -r f59c2e9d4381 -r c683afa5f2c5 graphics/tiff/distinfo
--- a/graphics/tiff/distinfo    Wed Jun 07 22:44:30 2006 +0000
+++ b/graphics/tiff/distinfo    Fri Jun 09 07:29:35 2006 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.36 2006/03/14 14:08:30 drochner Exp $
+$NetBSD: distinfo,v 1.36.2.1 2006/06/09 07:29:35 snj Exp $
 
-SHA1 (tiff-3.8.1.tar.gz) = 9c18739ec11ec508a0523c3f7e92698660083d00
-RMD160 (tiff-3.8.1.tar.gz) = c99e3e9f1f7ec6c3ac5387e4d3759e3b31bb6ef2
-Size (tiff-3.8.1.tar.gz) = 1334739 bytes
+SHA1 (tiff-3.8.2.tar.gz) = 549e67b6a15b42bfcd72fe17cda7c9a198a393eb
+RMD160 (tiff-3.8.2.tar.gz) = 1b4d825e3be08764e953fc58246d0c25ab4dd17d
+Size (tiff-3.8.2.tar.gz) = 1336295 bytes
 SHA1 (patch-aa) = edac79a6f3b61e9fc787fe14f750d88023a29bfa
 SHA1 (patch-ab) = b517cb8bc2212d3e6c5a70db1bdf45b85b78fc72
 SHA1 (patch-at) = 4006ed90f6ab88aff30e2537d613a1b44b5c7347
+SHA1 (patch-au) = c53ed7521c3918081526ad63cd0c1c45c9a0b9ff
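Review bot: The new distfile lines record SHA1, RMD160 and Size for tiff-3.8.2.tar.gz, but the added patch-au line carries a single SHA1, so the security patch itself is covered by one digest only. Since the MASTER_SITES in the Makefile are plain ftp and http, these distinfo values are the only integrity check on the download. The new tarball digests should be compared against values obtained from upstream through a separate channel before this lands on the branch.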
diff -r f59c2e9d4381 -r c683afa5f2c5 graphics/tiff/patches/patch-au
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-au    Fri Jun 09 07:29:35 2006 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-au,v 1.4.4.1 2006/06/09 07:29:35 snj Exp $
+
+Security fix for CVE-2006-2193, from Ubuntu.
+
+--- tools/tiff2pdf.c.orig      2006-03-21 17:42:51.000000000 +0100
++++ tools/tiff2pdf.c   2006-06-08 12:39:11.000000000 +0200
+@@ -3668,7 +3668,7 @@
+       written += TIFFWriteFile(output, (tdata_t) "(", 1);
+       for (i=0;i<len;i++){
+               if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
+-                      sprintf(buffer, "\\%.3o", pdfstr[i]);
++                      sprintf(buffer, "\\%.3hho", pdfstr[i]);
+                       written += TIFFWriteFile(output, (tdata_t) buffer, 4);
+               } else {
+                       switch (pdfstr[i]){
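Review bot: The replacement line sprintf(buffer, "\\%.3hho", pdfstr[i]) still writes into buffer with no length bound, so the fix depends entirely on the C library honouring the C99 hh length modifier. With the old "\\%.3o" format, a byte with the high bit set (the pdfstr[i]&0x80 case) held in a signed char is promoted to a negative int and printed as up to eleven octal digits, where the following TIFFWriteFile call expects exactly 4 bytes. On a libc that ignores hh the same overrun comes back. A form that does not rely on the modifier would be snprintf(buffer, sizeof(buffer), "\\%.3o", (unsigned char)pdfstr[i]), assuming buffer is an array in this scope; its declaration is not visible in this hunk.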


