CVS commit: pkgsrc/graphics/tiff

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/graphics/tiff
From: "Havard Eidnes" <he%netbsd.org@localhost>
Date: Sat, 6 May 2017 21:02:00 +0000

Module Name:    pkgsrc
Committed By:   he
Date:           Sat May  6 21:02:00 UTC 2017

Modified Files:
        pkgsrc/graphics/tiff: Makefile distinfo
Added Files:
        pkgsrc/graphics/tiff/patches: patch-libtiff_tif__luv.c
            patch-libtiff_tif__pixarlog.c

Log Message:
Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604
and
https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.130 -r1.131 pkgsrc/graphics/tiff/Makefile
cvs rdiff -u -r1.76 -r1.77 pkgsrc/graphics/tiff/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/tiff/Makefile
diff -u pkgsrc/graphics/tiff/Makefile:1.130 pkgsrc/graphics/tiff/Makefile:1.131
--- pkgsrc/graphics/tiff/Makefile:1.130 Sat May  6 20:34:40 2017
+++ pkgsrc/graphics/tiff/Makefile       Sat May  6 21:02:00 2017
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.130 2017/05/06 20:34:40 he Exp $
+# $NetBSD: Makefile,v 1.131 2017/05/06 21:02:00 he Exp $
 
 DISTNAME=      tiff-4.0.7
-PKGREVISION=   6
+PKGREVISION=   7
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://download.osgeo.org/libtiff/
 

Index: pkgsrc/graphics/tiff/distinfo
diff -u pkgsrc/graphics/tiff/distinfo:1.76 pkgsrc/graphics/tiff/distinfo:1.77
--- pkgsrc/graphics/tiff/distinfo:1.76  Sat May  6 20:34:40 2017
+++ pkgsrc/graphics/tiff/distinfo       Sat May  6 21:02:00 2017
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.76 2017/05/06 20:34:40 he Exp $
+$NetBSD: distinfo,v 1.77 2017/05/06 21:02:00 he Exp $
 
 SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648
 RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb
@@ -6,6 +6,8 @@ SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f
 Size (tiff-4.0.7.tar.gz) = 2076392 bytes
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
 SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d
+SHA1 (patch-libtiff_tif__luv.c) = c2e8ce7474119ffa02d226932ad6c8c2b230062c
+SHA1 (patch-libtiff_tif__pixarlog.c) = ad16681cf3fcb5fded048eb70c0a93f1b6447147
 SHA1 (patch-libtiff_tif_dir.c) = 28c45b95cedeebe005b44b45393d66f61e0ea6f7
 SHA1 (patch-libtiff_tif_dirread.c) = 213b8c2f172303d095ef3edc3f850aa75de36d3d
 SHA1 (patch-libtiff_tif_dirwrite.c) = 07ccbf8cf210b95d5ca7710cc2982368783b4dcb

Added files:

Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c:1.1
--- /dev/null   Sat May  6 21:02:00 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c       Sat May  6 21:02:00 2017
@@ -0,0 +1,56 @@
+$NetBSD: patch-libtiff_tif__luv.c,v 1.1 2017/05/06 21:02:00 he Exp $
+
+Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604
+and
+https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
+
+--- libtiff/tif_luv.c.orig     2016-09-08 13:23:57.000000000 +0000
++++ libtiff/tif_luv.c
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+ 
+ struct logLuvState {
++      int                     encoder_state;  /* 1 if encoder correctly initialized */
+       int                     user_datafmt;   /* user data format */
+       int                     encode_meth;    /* encoding method */
+       int                     pixel_size;     /* bytes per pixel */
+@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
+                   td->td_photometric, "must be either LogLUV or LogL");
+               break;
+       }
++      sp->encoder_state = 1;
+       return (1);
+ notsupported:
+       TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@ notsupported:
+ static void
+ LogLuvClose(TIFF* tif)
+ {
++      LogLuvState* sp = (LogLuvState*) tif->tif_data;
+       TIFFDirectory *td = &tif->tif_dir;
+ 
++      assert(sp != 0);
+       /*
+        * For consistency, we always want to write out the same
+        * bitspersample and sampleformat for our TIFF file,
+        * regardless of the data format being used by the application.
+        * Since this routine is called after tags have been set but
+        * before they have been recorded in the file, we reset them here.
++       * Note: this is really a nasty approach. See PixarLogClose
+        */
+-      td->td_samplesperpixel =
+-          (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+-      td->td_bitspersample = 16;
+-      td->td_sampleformat = SAMPLEFORMAT_INT;
++      if( sp->encoder_state )
++      {
++          /* See PixarLogClose. Might avoid issues with tags whose size depends
++           * on those below, but not completely sure this is enough. */
++          td->td_samplesperpixel =
++              (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
++          td->td_bitspersample = 16;
++          td->td_sampleformat = SAMPLEFORMAT_INT;
++      }
+ }
+ 
+ static void
Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c:1.1
--- /dev/null   Sat May  6 21:02:00 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c  Sat May  6 21:02:00 2017
@@ -0,0 +1,41 @@
+$NetBSD: patch-libtiff_tif__pixarlog.c,v 1.1 2017/05/06 21:02:00 he Exp $
+
+Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604
+and
+https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
+
+--- libtiff/tif_pixarlog.c.orig        2016-09-23 22:56:06.000000000 +0000
++++ libtiff/tif_pixarlog.c
+@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
+ static void
+ PixarLogClose(TIFF* tif)
+ {
++      PixarLogState* sp = (PixarLogState*) tif->tif_data;
+       TIFFDirectory *td = &tif->tif_dir;
+ 
++      assert(sp != 0);
+       /* In a really sneaky (and really incorrect, and untruthful, and
+        * troublesome, and error-prone) maneuver that completely goes against
+        * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
+        * readers that don't know about PixarLog, or how to set
+        * the PIXARLOGDATFMT pseudo-tag.
+        */
+-      td->td_bitspersample = 8;
+-      td->td_sampleformat = SAMPLEFORMAT_UINT;
++
++      if (sp->state&PLSTATE_INIT) {
++          /* We test the state to avoid an issue such as in
++           * http://bugzilla.maptools.org/show_bug.cgi?id=2604
++           * What appends in that case is that the bitspersample is 1 and
++           * a TransferFunction is set. The size of the TransferFunction
++           * depends on 1<<bitspersample. So if we increase it, an access
++           * out of the buffer will happen at directory flushing.
++           * Another option would be to clear those targs. 
++           */
++          td->td_bitspersample = 8;
++          td->td_sampleformat = SAMPLEFORMAT_UINT;
++      }
+ }
+ 
+ static void

Prev by Date: CVS commit: pkgsrc/graphics/tiff
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/graphics/tiff
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index