pkgsrc-Changes archive


CVS commit: [pkgsrc-2017Q1] pkgsrc/graphics/tiff



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Thu May 11 17:47:20 UTC 2017

Modified Files:
        pkgsrc/graphics/tiff [pkgsrc-2017Q1]: Makefile distinfo
        pkgsrc/graphics/tiff/patches [pkgsrc-2017Q1]:
            patch-libtiff_tif_dirread.c patch-libtiff_tif_ojpeg.c
            patch-libtiff_tif_read.c patch-tools_tiffcp.c
Added Files:
        pkgsrc/graphics/tiff/patches [pkgsrc-2017Q1]: patch-libtiff_tif__luv.c
            patch-libtiff_tif__pixarlog.c patch-libtiff_tif__strip.c
            patch-libtiff_tiffiop.h patch-tools_tiff2pdf.c

Log Message:
Pullup ticket #5406 - requested by sevan
graphics/tiff: security fix

Revisions pulled up:
- graphics/tiff/Makefile                                        1.130-1.135
- graphics/tiff/distinfo                                        1.76-1.81
- graphics/tiff/patches/patch-libtiff_tif__luv.c                1.1
- graphics/tiff/patches/patch-libtiff_tif__pixarlog.c           1.1
- graphics/tiff/patches/patch-libtiff_tif__strip.c              1.1
- graphics/tiff/patches/patch-libtiff_tif_dirread.c             1.3
- graphics/tiff/patches/patch-libtiff_tif_ojpeg.c               1.2
- graphics/tiff/patches/patch-libtiff_tif_read.c                1.2
- graphics/tiff/patches/patch-libtiff_tiffiop.h                 1.3
- graphics/tiff/patches/patch-tools_tiff2pdf.c                  1.3
- graphics/tiff/patches/patch-tools_tiffcp.c                    1.3

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sat May  6 20:34:40 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-tools_tiff2pdf.c

   Log Message:
   Fix CVE-2016-10094, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2640
   and https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76
   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sat May  6 21:02:00 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif__luv.c
               patch-libtiff_tif__pixarlog.c

   Log Message:
   Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604
   and
   https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sat May  6 21:29:17 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif_dirread.c
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif__strip.c

   Log Message:
   Fix CVE-2016-10270, ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2608
   https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sat May  6 21:37:16 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-tools_tiffcp.c

   Log Message:
   Fix CVE-2016-10268, ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2598
   https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sun May  7 21:32:30 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif_read.c
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-libtiff_tiffiop.h

   Log Message:
   Fix CVE-2016-10266 ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2596
   https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1
   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sun May  7 21:52:16 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif_ojpeg.c

   Log Message:
   Fix CVE-2016-10267 ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2611
   https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
   Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.125.4.2 -r1.125.4.3 pkgsrc/graphics/tiff/Makefile
cvs rdiff -u -r1.71.4.2 -r1.71.4.3 pkgsrc/graphics/tiff/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tif__strip.c
cvs rdiff -u -r1.2.2.3 -r1.2.2.4 \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c \
    pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c
cvs rdiff -u -r1.1.2.2 -r1.1.2.3 \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c
cvs rdiff -u -r0 -r1.3.2.2 \
    pkgsrc/graphics/tiff/patches/patch-libtiff_tiffiop.h \
    pkgsrc/graphics/tiff/patches/patch-tools_tiff2pdf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/tiff/Makefile
diff -u pkgsrc/graphics/tiff/Makefile:1.125.4.2 pkgsrc/graphics/tiff/Makefile:1.125.4.3
--- pkgsrc/graphics/tiff/Makefile:1.125.4.2     Sat May  6 15:08:52 2017
+++ pkgsrc/graphics/tiff/Makefile       Thu May 11 17:47:20 2017
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.125.4.2 2017/05/06 15:08:52 bsiegert Exp $
+# $NetBSD: Makefile,v 1.125.4.3 2017/05/11 17:47:20 bsiegert Exp $
 
 DISTNAME=      tiff-4.0.7
-PKGREVISION=   5
+PKGREVISION=   11
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://download.osgeo.org/libtiff/
 

Index: pkgsrc/graphics/tiff/distinfo
diff -u pkgsrc/graphics/tiff/distinfo:1.71.4.2 pkgsrc/graphics/tiff/distinfo:1.71.4.3
--- pkgsrc/graphics/tiff/distinfo:1.71.4.2      Sat May  6 15:08:52 2017
+++ pkgsrc/graphics/tiff/distinfo       Thu May 11 17:47:20 2017
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.71.4.2 2017/05/06 15:08:52 bsiegert Exp $
+$NetBSD: distinfo,v 1.71.4.3 2017/05/11 17:47:20 bsiegert Exp $
 
 SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648
 RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb
@@ -6,16 +6,21 @@ SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f
 Size (tiff-4.0.7.tar.gz) = 2076392 bytes
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
 SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d
+SHA1 (patch-libtiff_tif__luv.c) = c2e8ce7474119ffa02d226932ad6c8c2b230062c
+SHA1 (patch-libtiff_tif__pixarlog.c) = ad16681cf3fcb5fded048eb70c0a93f1b6447147
+SHA1 (patch-libtiff_tif__strip.c) = f7dc7b24378d0541a8f3bcc3cad78ea2d6ae14d7
 SHA1 (patch-libtiff_tif_dir.c) = 28c45b95cedeebe005b44b45393d66f61e0ea6f7
-SHA1 (patch-libtiff_tif_dirread.c) = 213b8c2f172303d095ef3edc3f850aa75de36d3d
+SHA1 (patch-libtiff_tif_dirread.c) = f6d442da817457d7ac801a3005e21c357ac31f8a
 SHA1 (patch-libtiff_tif_dirwrite.c) = 07ccbf8cf210b95d5ca7710cc2982368783b4dcb
 SHA1 (patch-libtiff_tif_getimage.c) = 267b555c8b043d0a835db4d46ef65131776601e6
 SHA1 (patch-libtiff_tif_jpeg.c) = 1049b7b243e9e145886bcac8e68e5e7889337ebc
-SHA1 (patch-libtiff_tif_ojpeg.c) = 6447168e952bb80a1a8272c2c27bb0ce3ccf6939
-SHA1 (patch-libtiff_tif_read.c) = 85674d2e222846e3971301ce2fb7ebe02f54b9b2
+SHA1 (patch-libtiff_tif_ojpeg.c) = 1c43555434525157c1783de4802af4508c5113a4
+SHA1 (patch-libtiff_tif_read.c) = d43b10fa74a51da21f44abb7bd0251b88e8a702b
 SHA1 (patch-libtiff_tif_unix.c) = c8312771e567f90de0f77ac8eb66ed5c36e35617
 SHA1 (patch-libtiff_tif_win32.c) = 1ea9dcb6618c40b9de3e8d2a81914355f2111fdc
 SHA1 (patch-libtiff_tiffio.h) = e0efa9e1246e07dbb3a69d626988a18f12ba9d3c
+SHA1 (patch-libtiff_tiffiop.h) = 1100e55483da58037fa3f4168fffdfcbc5407456
 SHA1 (patch-man_Makefile.in) = ff073529c9d3ab98a03efa7d98c3263c1782482f
-SHA1 (patch-tools_tiffcp.c) = 42573d15fc66655a09e9227213b0929238f7e651
+SHA1 (patch-tools_tiff2pdf.c) = ce7a3e77c27ad3cabaa33b5da61cbd1b27f187d1
+SHA1 (patch-tools_tiffcp.c) = bd6abd9dc6e044ff04d761d999fabfb0919ba0db
 SHA1 (patch-tools_tiffcrop.c) = 1d729028fb8c05de958424234d5cc2808acc9b25

Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c
diff -u pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.3 pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.4
--- pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.3    Sat May  6 15:08:52 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c    Thu May 11 17:47:20 2017
@@ -1,4 +1,4 @@
-$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $
+$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.4 2017/05/11 17:47:20 bsiegert Exp $
 
 CVE-2017-7596
 CVE-2017-7597
@@ -8,7 +8,13 @@ CVE-2017-7600
 https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
 https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
 
---- libtiff/tif_dirread.c.orig 2017-05-05 18:56:15.000000000 +0000
+and
+
+CVE-2016-10270
+http://bugzilla.maptools.org/show_bug.cgi?id=2608
+https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
+
+--- libtiff/tif_dirread.c.orig 2016-11-18 02:42:46.000000000 +0000
 +++ libtiff/tif_dirread.c
 @@ -40,6 +40,7 @@
   */
@@ -58,3 +64,59 @@ https://github.com/vadz/libtiff/commit/3
                *value=0.0;
        else
                *value=(double)((int32)m.i[0])/(double)m.i[1];
+@@ -5502,8 +5516,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+       uint64 rowblockbytes;
+       uint64 stripbytes;
+       uint32 strip;
+-      uint64 nstrips64;
+-      uint32 nstrips32;
++      uint32 nstrips;
+       uint32 rowsperstrip;
+       uint64* newcounts;
+       uint64* newoffsets;
+@@ -5534,18 +5547,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+           return;
+ 
+       /*
+-       * never increase the number of strips in an image
++       * never increase the number of rows per strip
+        */
+       if (rowsperstrip >= td->td_rowsperstrip)
+               return;
+-      nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+-      if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
++      nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
++      if( nstrips == 0 )
+           return;
+-      nstrips32 = (uint32)nstrips64;
+ 
+-      newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++      newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+                               "for chopped \"StripByteCounts\" array");
+-      newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++      newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+                               "for chopped \"StripOffsets\" array");
+       if (newcounts == NULL || newoffsets == NULL) {
+               /*
+@@ -5562,18 +5574,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+        * Fill the strip information arrays with new bytecounts and offsets
+        * that reflect the broken-up format.
+        */
+-      for (strip = 0; strip < nstrips32; strip++) {
++      for (strip = 0; strip < nstrips; strip++) {
+               if (stripbytes > bytecount)
+                       stripbytes = bytecount;
+               newcounts[strip] = stripbytes;
+-              newoffsets[strip] = offset;
++              newoffsets[strip] = stripbytes ? offset : 0;
+               offset += stripbytes;
+               bytecount -= stripbytes;
+       }
+       /*
+        * Replace old single strip info with multi-strip info.
+        */
+-      td->td_stripsperimage = td->td_nstrips = nstrips32;
++      td->td_stripsperimage = td->td_nstrips = nstrips;
+       TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+ 
+       _TIFFfree(td->td_stripbytecount);
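Review bot: In the ChopUpSingleUncompressedStrip hunks, `nstrips` is now sized from `td->td_imagelength` and `rowsperstrip` alone, so the two `_TIFFCheckMalloc` arrays no longer have any relation to `bytecount`. If the image length is taken from the file without an upper bound (not visible here), a short file can request very large arrays whose tail entries are all zero. The `nstrips == 0` test also silently covers the overflow case, since `TIFFhowmany_32` yields 0 when the sum would wrap, and the old "something is wonky" remark was dropped. I would add a comment such as `/* 0 means empty image or TIFFhowmany_32 overflow; strips past the data get count 0 and offset 0 */` and consider bounding `nstrips` against `bytecount` before allocating. The function starts and ends outside the hunk.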
Index: pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c
diff -u pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.3 pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.4
--- pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.3   Sat May  6 15:08:52 2017
+++ pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c   Thu May 11 17:47:20 2017
@@ -1,4 +1,4 @@
-$NetBSD: patch-tools_tiffcp.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $
+$NetBSD: patch-tools_tiffcp.c,v 1.2.2.4 2017/05/11 17:47:20 bsiegert Exp $
 
 CVE-2017-5225
 http://bugzilla.maptools.org/show_bug.cgi?id=2656
@@ -11,6 +11,12 @@ CVE-2016-10093
 http://bugzilla.maptools.org/show_bug.cgi?id=2610
 https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
 
+and
+
+CVE-2016-10268
+http://bugzilla.maptools.org/show_bug.cgi?id=2598
+https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
+
 --- tools/tiffcp.c.orig        2016-10-12 01:45:17.000000000 +0000
 +++ tools/tiffcp.c
 @@ -592,7 +592,7 @@ static     copyFunc pickCopyFunc(TIFF*, TIFF
@@ -22,6 +28,15 @@ https://github.com/vadz/libtiff/commit/7
        uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
        copyFunc cf;
        uint32 width, length;
+@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips)
+               tstrip_t s, ns = TIFFNumberOfStrips(in);
+               uint32 row = 0;
+               _TIFFmemset(buf, 0, stripsize);
+-              for (s = 0; s < ns; s++) {
++              for (s = 0; s < ns && row < imagelength; s++) {
+                       tsize_t cc = (row + rowsperstrip > imagelength) ?
+                           TIFFVStripSize(in, imagelength - row) : stripsize;
+                       if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
 @@ -1068,6 +1068,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
        register uint32 n;
        uint32 row;
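Review bot: The size expression directly under the new loop condition in cpDecodedStrips, `row + rowsperstrip > imagelength`, can still wrap if both operands are 32-bit unsigned (the type of `rowsperstrip` is declared outside the hunk). Since the added `row < imagelength` test guarantees that `imagelength - row` is positive inside the loop, the comparison can be written without the addition: `tsize_t cc = (rowsperstrip > imagelength - row) ?`. The loop also stops quietly when `ns` exceeds what the image length needs; a warning there would help when triaging malformed input. The function body continues outside the hunk.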

Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c
diff -u pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c:1.1.2.2 pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c:1.1.2.3
--- pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c:1.1.2.2      Sat May  6 15:01:21 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c      Thu May 11 17:47:20 2017
@@ -1,13 +1,48 @@
-$NetBSD: patch-libtiff_tif_ojpeg.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: patch-libtiff_tif_ojpeg.c,v 1.1.2.3 2017/05/11 17:47:20 bsiegert Exp $
 
 CVE-2017-7594
 http://bugzilla.maptools.org/show_bug.cgi?id=2659
 https://github.com/vadz/libtiff/commit/8283e4d1b7e5
 https://github.com/vadz/libtiff/commit/2ea32f7372b6
 
---- libtiff/tif_ojpeg.c.orig   2017-05-03 22:08:50.000000000 +0000
+CVE-2016-10267
+http://bugzilla.maptools.org/show_bug.cgi?id=2611
+https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
+
+--- libtiff/tif_ojpeg.c.orig   2016-09-08 13:23:57.000000000 +0000
 +++ libtiff/tif_ojpeg.c
-@@ -1782,7 +1782,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF*
+@@ -244,6 +244,7 @@ typedef enum {
+ 
+ typedef struct {
+       TIFF* tif;
++      int decoder_ok;
+       #ifndef LIBJPEG_ENCAP_EXTERNAL
+       JMP_BUF exit_jmpbuf;
+       #endif
+@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s)
+               }
+               sp->write_curstrile++;
+       }
++      sp->decoder_ok = 1;
+       return(1);
+ }
+ 
+@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif)
+ static int
+ OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
+ {
++      static const char module[]="OJPEGDecode";
+       OJPEGState* sp=(OJPEGState*)tif->tif_data;
+       (void)s;
++      if( !sp->decoder_ok )
++      {
++          TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
++          return 0;
++        }
+       if (sp->libjpeg_jpeg_query_style==0)
+       {
+               if (OJPEGDecodeRaw(tif,buf,cc)==0)
+@@ -1782,7 +1790,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF*
                        TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); 
                        p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
                        if (p!=64)
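Review bot: `decoder_ok` is set to 1 at the end of OJPEGPreDecode, but nothing in the visible hunks ever clears it, so after one successful pre-decode a later failing OJPEGPreDecode call would leave the new guard in OJPEGDecode open. The initial 0 also depends on how the OJPEGState is allocated, which is outside the hunk. I would reset it on entry with `sp->decoder_ok = 0;` as the first statement of OJPEGPreDecode, and document the field as `int decoder_ok; /* 1 only after the last OJPEGPreDecode succeeded */`. The closing brace of the new `if` block is also not aligned with its opening brace.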
@@ -18,7 +53,7 @@ https://github.com/vadz/libtiff/commit/2
                        sp->qtable[m]=ob;
                        sp->sof_tq[m]=m;
                }
-@@ -1846,7 +1849,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF
+@@ -1846,7 +1857,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF
                                rb[sizeof(uint32)+5+n]=o[n];
                        p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
                        if (p!=q)
@@ -29,7 +64,7 @@ https://github.com/vadz/libtiff/commit/2
                        sp->dctable[m]=rb;
                        sp->sos_tda[m]=(m<<4);
                }
-@@ -1910,7 +1916,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF
+@@ -1910,7 +1924,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF
                                rb[sizeof(uint32)+5+n]=o[n];
                        p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
                        if (p!=q)
Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c
diff -u pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c:1.1.2.2 pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c:1.1.2.3
--- pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c:1.1.2.2       Sat May  6 15:01:21 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c       Thu May 11 17:47:20 2017
@@ -1,4 +1,4 @@
-$NetBSD: patch-libtiff_tif_read.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: patch-libtiff_tif_read.c,v 1.1.2.3 2017/05/11 17:47:20 bsiegert Exp $
 
 CVE-2017-7593
 http://bugzilla.maptools.org/show_bug.cgi?id=2651
@@ -7,8 +7,21 @@ https://github.com/vadz/libtiff/commit/d
 CVE-2017-7602
 https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4
 
---- libtiff/tif_read.c.orig    2017-05-03 22:31:30.000000000 +0000
+CVE-2016-10266
+http://bugzilla.maptools.org/show_bug.cgi?id=2596
+https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1
+
+--- libtiff/tif_read.c.orig    2016-07-13 13:28:17.000000000 +0000
 +++ libtiff/tif_read.c
+@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 s
+       rowsperstrip=td->td_rowsperstrip;
+       if (rowsperstrip>td->td_imagelength)
+               rowsperstrip=td->td_imagelength;
+-      stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
++      stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
+       stripinplane=(strip%stripsperplane);
+       plane=(uint16)(strip/stripsperplane);
+       rows=td->td_imagelength-stripinplane*rowsperstrip;
 @@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 stri
                        return ((tmsize_t)(-1));
                }
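Review bot: `TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip)` in TIFFReadEncodedStrip divides by `rowsperstrip`, and the clamp two lines above sets it to `td->td_imagelength`. A zero image length or zero rows-per-strip therefore reaches a division by zero in the macro, and again in `strip%stripsperplane`, unless an earlier check outside the hunk excludes it. The macro as defined in patch-libtiff_tiffiop.h has no zero test of its own. I would state the precondition next to the call, e.g. `/* rowsperstrip must be non-zero here: the macro divides by it */`, or reject a zero `rowsperstrip` with the function's error return before the call.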

Added files:

Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c:1.1.2.2
--- /dev/null   Thu May 11 17:47:20 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c       Thu May 11 17:47:20 2017
@@ -0,0 +1,56 @@
+$NetBSD: patch-libtiff_tif__luv.c,v 1.1.2.2 2017/05/11 17:47:20 bsiegert Exp $
+
+Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604
+and
+https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
+
+--- libtiff/tif_luv.c.orig     2016-09-08 13:23:57.000000000 +0000
++++ libtiff/tif_luv.c
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+ 
+ struct logLuvState {
++      int                     encoder_state;  /* 1 if encoder correctly initialized */
+       int                     user_datafmt;   /* user data format */
+       int                     encode_meth;    /* encoding method */
+       int                     pixel_size;     /* bytes per pixel */
+@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
+                   td->td_photometric, "must be either LogLUV or LogL");
+               break;
+       }
++      sp->encoder_state = 1;
+       return (1);
+ notsupported:
+       TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@ notsupported:
+ static void
+ LogLuvClose(TIFF* tif)
+ {
++      LogLuvState* sp = (LogLuvState*) tif->tif_data;
+       TIFFDirectory *td = &tif->tif_dir;
+ 
++      assert(sp != 0);
+       /*
+        * For consistency, we always want to write out the same
+        * bitspersample and sampleformat for our TIFF file,
+        * regardless of the data format being used by the application.
+        * Since this routine is called after tags have been set but
+        * before they have been recorded in the file, we reset them here.
++       * Note: this is really a nasty approach. See PixarLogClose
+        */
+-      td->td_samplesperpixel =
+-          (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+-      td->td_bitspersample = 16;
+-      td->td_sampleformat = SAMPLEFORMAT_INT;
++      if( sp->encoder_state )
++      {
++          /* See PixarLogClose. Might avoid issues with tags whose size depends
++           * on those below, but not completely sure this is enough. */
++          td->td_samplesperpixel =
++              (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
++          td->td_bitspersample = 16;
++          td->td_sampleformat = SAMPLEFORMAT_INT;
++      }
+ }
+ 
+ static void
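Review bot: In LogLuvSetupEncode, the context just above the added `sp->encoder_state = 1;` shows the "must be either LogLUV or LogL" error branch ending in `break;`. That rejected case therefore appears to fall through to the new assignment and `return (1);`, marking the encoder as initialized on a path that has just reported an error. Only the tail of the switch is visible, so please confirm, but if that is the default case it should leave the function with `return (0);` instead of `break;`. Separately, `assert(sp != 0);` is the only guard before `sp->encoder_state` is read in LogLuvClose and disappears under NDEBUG; PixarLogClose in patch-libtiff_tif__pixarlog.c has the same pattern.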
Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c:1.1.2.2
--- /dev/null   Thu May 11 17:47:20 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c  Thu May 11 17:47:20 2017
@@ -0,0 +1,41 @@
+$NetBSD: patch-libtiff_tif__pixarlog.c,v 1.1.2.2 2017/05/11 17:47:20 bsiegert Exp $
+
+Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604
+and
+https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
+
+--- libtiff/tif_pixarlog.c.orig        2016-09-23 22:56:06.000000000 +0000
++++ libtiff/tif_pixarlog.c
+@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
+ static void
+ PixarLogClose(TIFF* tif)
+ {
++      PixarLogState* sp = (PixarLogState*) tif->tif_data;
+       TIFFDirectory *td = &tif->tif_dir;
+ 
++      assert(sp != 0);
+       /* In a really sneaky (and really incorrect, and untruthful, and
+        * troublesome, and error-prone) maneuver that completely goes against
+        * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
+        * readers that don't know about PixarLog, or how to set
+        * the PIXARLOGDATFMT pseudo-tag.
+        */
+-      td->td_bitspersample = 8;
+-      td->td_sampleformat = SAMPLEFORMAT_UINT;
++
++      if (sp->state&PLSTATE_INIT) {
++          /* We test the state to avoid an issue such as in
++           * http://bugzilla.maptools.org/show_bug.cgi?id=2604
++           * What appends in that case is that the bitspersample is 1 and
++           * a TransferFunction is set. The size of the TransferFunction
++           * depends on 1<<bitspersample. So if we increase it, an access
++           * out of the buffer will happen at directory flushing.
++           * Another option would be to clear those targs. 
++           */
++          td->td_bitspersample = 8;
++          td->td_sampleformat = SAMPLEFORMAT_UINT;
++      }
+ }
+ 
+ static void
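Review bot: The comment added to PixarLogClose carries the whole rationale for the `PLSTATE_INIT` test, but two typos obscure it: "What appends" should read "What happens" and "clear those targs" should read "clear those tags". It also leaves open whether forcing `td_bitspersample` to 8 is safe once `PLSTATE_INIT` is set, since where that flag gets set is outside the hunk. A short statement of the assumed invariant would help, e.g. `/* assumes PLSTATE_INIT is only set after setup has validated the directory (TODO confirm) */`.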
Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif__strip.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif__strip.c:1.1.2.2
--- /dev/null   Thu May 11 17:47:20 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__strip.c     Thu May 11 17:47:20 2017
@@ -0,0 +1,24 @@
+$NetBSD: patch-libtiff_tif__strip.c,v 1.1.2.2 2017/05/11 17:47:20 bsiegert Exp $
+
+Fix CVE-2016-10270, ref.
+http://bugzilla.maptools.org/show_bug.cgi?id=2608
+https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
+
+--- libtiff/tif_strip.c.orig   2016-11-10 02:12:36.000000000 +0000
++++ libtiff/tif_strip.c
+@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
+       TIFFDirectory *td = &tif->tif_dir;
+       uint32 nstrips;
+ 
+-    /* If the value was already computed and store in td_nstrips, then return it,
+-       since ChopUpSingleUncompressedStrip might have altered and resized the
+-       since the td_stripbytecount and td_stripoffset arrays to the new value
+-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+-       tif_dirread.c ~line 3612.
+-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+-    if( td->td_nstrips )
+-        return td->td_nstrips;
+-
+       nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+            TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+       if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
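Review bot: Dropping the cached `td->td_nstrips` return in TIFFNumberOfStrips looks safe only because ChopUpSingleUncompressedStrip (patch-libtiff_tif_dirread.c) now derives its strip count from the same `TIFFhowmany_32(td->td_imagelength, ...)` formula, yet nothing in the code records that coupling once the old comment is removed. I would leave a replacement comment such as `/* Must match the strip count used to size td_stripbytecount and td_stripoffset in ChopUpSingleUncompressedStrip() */`. The two patches need to be kept or dropped together. The function continues past the end of the hunk.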

Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tiffiop.h
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tiffiop.h:1.3.2.2
--- /dev/null   Thu May 11 17:47:20 2017
+++ pkgsrc/graphics/tiff/patches/patch-libtiff_tiffiop.h        Thu May 11 17:47:20 2017
@@ -0,0 +1,19 @@
+$NetBSD: patch-libtiff_tiffiop.h,v 1.3.2.2 2017/05/11 17:47:20 bsiegert Exp $
+
+CVE-2016-10266
+http://bugzilla.maptools.org/show_bug.cgi?id=2596
+https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1
+
+--- libtiff/tiffiop.h.orig     2016-01-24 15:39:51.000000000 +0000
++++ libtiff/tiffiop.h
+@@ -250,6 +250,10 @@ struct tiff {
+ #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+                          ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+                          0U)
++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
++#define TIFFhowmany_32_maxuint_compat(x, y) \
++                         (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
+ #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
+ #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
+ #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
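Review bot: The new `TIFFhowmany_32_maxuint_compat` macro expands `x` and `y` twice each, which the two comments above it do not mention. The one call site visible in this commit passes plain lvalues, so it is harmless today. I would add `/* Arguments are evaluated twice: pass side-effect-free expressions only. */` next to the existing caution.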
Index: pkgsrc/graphics/tiff/patches/patch-tools_tiff2pdf.c
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-tools_tiff2pdf.c:1.3.2.2
--- /dev/null   Thu May 11 17:47:20 2017
+++ pkgsrc/graphics/tiff/patches/patch-tools_tiff2pdf.c Thu May 11 17:47:20 2017
@@ -0,0 +1,16 @@
+$NetBSD: patch-tools_tiff2pdf.c,v 1.3.2.2 2017/05/11 17:47:20 bsiegert Exp $
+
+Fix CVE-2016-10094, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2640
+and https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76
+
+--- tools/tiff2pdf.c.orig      2016-11-12 14:58:09.000000000 +0000
++++ tools/tiff2pdf.c
+@@ -2895,7 +2895,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P
+                               return(0);
+                       }
+                       if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+-                              if (count >= 4) {
++                              if (count > 4) {
+                     /* Ignore EOI marker of JpegTables */
+                                       _TIFFmemcpy(buffer, jpt, count - 2);
+                                       bufferoffset += count - 2;
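Review bot: The tightened test `if (count > 4)` in t2p_readwrite_pdf_image_tile has no comment explaining the boundary; the existing remark only accounts for the `- 2`. A 4-byte JPEGTables value is presumably just the SOI and EOI markers with no table data, which would be worth stating: `/* count == 4 would be SOI+EOI only: nothing to copy */`. The `_TIFFmemcpy(buffer, jpt, count - 2)` that follows is bounded only by `count` in the visible lines, so the size of `buffer` relative to the tag length should be confirmed where it is allocated, outside the hunk.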


