pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2019Q2]: pkgsrc/graphics/tiff Pullup ticket #6004 - requested ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/d99735ca6336
branches: pkgsrc-2019Q2
changeset: 336608:d99735ca6336
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Thu Jul 18 13:32:31 2019 +0000
description:
Pullup ticket #6004 - requested by nia
graphics/tiff: security fix
Revisions pulled up:
- graphics/tiff/Makefile 1.145
- graphics/tiff/distinfo 1.94
- graphics/tiff/patches/patch-CVE-2018-12900 1.1
- graphics/tiff/patches/patch-CVE-2018-17000 1.1
- graphics/tiff/patches/patch-CVE-2018-19210 1.1
- graphics/tiff/patches/patch-CVE-2019-6128 1.1
---
Module Name: pkgsrc
Committed By: nia
Date: Wed Jul 17 09:25:45 UTC 2019
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
Added Files:
pkgsrc/graphics/tiff/patches: patch-CVE-2018-12900 patch-CVE-2018-17000
patch-CVE-2018-19210 patch-CVE-2019-6128
Log Message:
tiff: Apply patches from upstream's git for the following CVEs:
CVE-2018-12900 - buffer-overflow
CVE-2018-17000 - denial-of-service
CVE-2018-19210 - null-pointer-dereference
CVE-2019-6128 - memory-leak
Bump PKGREVISION.
diffstat:
graphics/tiff/Makefile | 3 +-
graphics/tiff/distinfo | 6 ++-
graphics/tiff/patches/patch-CVE-2018-12900 | 39 +++++++++++++++
graphics/tiff/patches/patch-CVE-2018-17000 | 26 ++++++++++
graphics/tiff/patches/patch-CVE-2018-19210 | 74 ++++++++++++++++++++++++++++++
graphics/tiff/patches/patch-CVE-2019-6128 | 40 ++++++++++++++++
6 files changed, 186 insertions(+), 2 deletions(-)
diffs (223 lines):
diff -r 7dec5153c061 -r d99735ca6336 graphics/tiff/Makefile
--- a/graphics/tiff/Makefile Thu Jul 18 13:27:50 2019 +0000
+++ b/graphics/tiff/Makefile Thu Jul 18 13:32:31 2019 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.144 2018/11/10 21:14:53 maya Exp $
+# $NetBSD: Makefile,v 1.144.6.1 2019/07/18 13:32:31 bsiegert Exp $
DISTNAME= tiff-4.0.10
+PKGREVISION= 1
CATEGORIES= graphics
MASTER_SITES= https://download.osgeo.org/libtiff/
diff -r 7dec5153c061 -r d99735ca6336 graphics/tiff/distinfo
--- a/graphics/tiff/distinfo Thu Jul 18 13:27:50 2019 +0000
+++ b/graphics/tiff/distinfo Thu Jul 18 13:32:31 2019 +0000
@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.93 2018/11/10 21:14:53 maya Exp $
+$NetBSD: distinfo,v 1.93.6.1 2019/07/18 13:32:31 bsiegert Exp $
SHA1 (tiff-4.0.10.tar.gz) = c783b80f05cdacf282aa022dc5f5b0ede5e021ae
RMD160 (tiff-4.0.10.tar.gz) = b25cc4002f2493e71763d0a465a50e9d6ee2aff0
SHA512 (tiff-4.0.10.tar.gz) = d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8
Size (tiff-4.0.10.tar.gz) = 2402867 bytes
+SHA1 (patch-CVE-2018-12900) = 31d6dcc66a293aa722d7d27b7edd48db50cf9482
+SHA1 (patch-CVE-2018-17000) = c7e4047c007a7519cfbd09125a0b3d5de48af069
+SHA1 (patch-CVE-2018-19210) = d915af6121a13aca5b30dd8506cdae49198e67b6
+SHA1 (patch-CVE-2019-6128) = cb18a950e95ceec348294178348847eeb7340bab
SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
diff -r 7dec5153c061 -r d99735ca6336 graphics/tiff/patches/patch-CVE-2018-12900
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-12900 Thu Jul 18 13:32:31 2019 +0000
@@ -0,0 +1,39 @@
+$NetBSD: patch-CVE-2018-12900,v 1.1.2.2 2019/07/18 13:32:31 bsiegert Exp $
+
+Fixes CVE-2018-12900
+
+Upstream commit:
+https://gitlab.com/libtiff/libtiff/commit/27124e9148b2056d0e0bf4033b4924d5d2a38d01.patch
+
+--- tools/tiffcp.c.orig 2018-10-13 13:58:55.000000000 +0000
++++ tools/tiffcp.c
+@@ -41,6 +41,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ #include <ctype.h>
+
+@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
+ int status = 1;
+ uint32 imagew = TIFFRasterScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew*spp;
++ int iskew;
+ tsize_t tilesize = TIFFTileSize(in);
+ tdata_t tilebuf;
+ uint8* bufp = (uint8*) buf;
+@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
++ if (spp > (INT_MAX / tilew))
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++ return 0;
++ }
++ iskew = imagew - tilew*spp;
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+ return 0;
diff -r 7dec5153c061 -r d99735ca6336 graphics/tiff/patches/patch-CVE-2018-17000
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-17000 Thu Jul 18 13:32:31 2019 +0000
@@ -0,0 +1,26 @@
+$NetBSD: patch-CVE-2018-17000,v 1.1.2.2 2019/07/18 13:32:31 bsiegert Exp $
+
+Fixes CVE-2018-17000
+
+Upstream commit:
+https://gitlab.com/libtiff/libtiff/commit/802d3cbf3043be5dce5317e140ccb1c17a6a2d39.patch
+
+--- libtiff/tif_dirwrite.c.orig 2018-06-24 20:26:30.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TI
+ n=3;
+ if (n==3)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[2] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ n=2;
+ }
+ if (n==2)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[1] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ n=1;
+ }
+ if (n==0)
diff -r 7dec5153c061 -r d99735ca6336 graphics/tiff/patches/patch-CVE-2018-19210
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-19210 Thu Jul 18 13:32:31 2019 +0000
@@ -0,0 +1,74 @@
+$NetBSD: patch-CVE-2018-19210,v 1.1.2.2 2019/07/18 13:32:31 bsiegert Exp $
+
+Fixes CVE-2018-19210
+
+Upstream commits:
+https://gitlab.com/libtiff/libtiff/commit/1edeee44c8b9cb3f647ac175d434f5d9f2b03aeb.patch
+https://gitlab.com/libtiff/libtiff/commit/38ede78b13810ff0fa8e61f86ef9aa0ab2964668.patch
+
+--- libtiff/tif_dir.c.orig 2018-05-05 13:50:35.000000000 +0000
++++ libtiff/tif_dir.c
+@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, dou
+ * Install extra samples information.
+ */
+ static int
+-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
++setExtraSamples(TIFF* tif, va_list ap, uint32* v)
+ {
+ /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
+ #define EXTRASAMPLE_COREL_UNASSALPHA 999
+
+ uint16* va;
+ uint32 i;
++ TIFFDirectory* td = &tif->tif_dir;
++ static const char module[] = "setExtraSamples";
+
+ *v = (uint16) va_arg(ap, uint16_vap);
+ if ((uint16) *v > td->td_samplesperpixel)
+@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_li
+ return 0;
+ }
+ }
++
++ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
++ !(td->td_samplesperpixel - td->td_extrasamples > 1))
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "ExtraSamples tag value is changing, "
++ "but TransferFunction was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++ _TIFFfree(td->td_transferfunction[0]);
++ td->td_transferfunction[0] = NULL;
++ }
++
+ td->td_extrasamples = (uint16) *v;
+ _TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
+ return 1;
+@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+ _TIFFfree(td->td_smaxsamplevalue);
+ td->td_smaxsamplevalue = NULL;
+ }
++ /* Test if 3 transfer functions instead of just one are now needed
++ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
++ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
++ !(td->td_samplesperpixel - td->td_extrasamples > 1))
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "SamplesPerPixel tag value is changing, "
++ "but TransferFunction was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++ _TIFFfree(td->td_transferfunction[0]);
++ td->td_transferfunction[0] = NULL;
++ }
+ }
+ td->td_samplesperpixel = (uint16) v;
+ break;
+@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+ _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ break;
+ case TIFFTAG_EXTRASAMPLES:
+- if (!setExtraSamples(td, ap, &v))
++ if (!setExtraSamples(tif, ap, &v))
+ goto badvalue;
+ break;
+ case TIFFTAG_MATTEING:
diff -r 7dec5153c061 -r d99735ca6336 graphics/tiff/patches/patch-CVE-2019-6128
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2019-6128 Thu Jul 18 13:32:31 2019 +0000
@@ -0,0 +1,40 @@
+$NetBSD: patch-CVE-2019-6128,v 1.1.2.2 2019/07/18 13:32:31 bsiegert Exp $
+
+Fix for a simple memory leak that was assigned CVE-2019-6128.
+
+Upstream commit:
+https://gitlab.com/libtiff/libtiff/commit/ae0bed1fe530a82faf2e9ea1775109dbf301a971.patch
+
+--- tools/pal2rgb.c.orig 2018-10-13 13:58:55.000000000 +0000
++++ tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ shortv != PHOTOMETRIC_PALETTE) {
+ fprintf(stderr, "%s: Expecting a palette image.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ fprintf(stderr,
+ "%s: No colormap (not a valid palette image).\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ if (bitspersample != 8) {
+ fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ out = TIFFOpen(argv[optind+1], "w");
+- if (out == NULL)
++ if (out == NULL) {
++ (void) TIFFClose(in);
+ return (-2);
++ }
+ cpTags(in, out);
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
Home |
Main Index |
Thread Index |
Old Index