[pkgsrc/trunk]: pkgsrc/graphics/tiff SECURITY: Update libtiff to 4.0.4beta to...
details: https://anonhg.NetBSD.org/pkgsrc/rev/6f55a3d41aca
branches: trunk
changeset: 649038:6f55a3d41aca
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Sun Mar 29 14:47:03 2015 +0000
description:
SECURITY: Update libtiff to 4.0.4beta to fix
CVE-2014-8127
CVE-2014-8128
CVE-2014-8129
CVE-2014-8130 (likely)
Remaining unfixed vulnerabilities: CVE-2014-9655 and CVE-2015-1547 (these also
appear to be unfixed upstream, as far as I can see).
ok wiz
diffstat:
graphics/tiff/Makefile | 5 +-
graphics/tiff/PLIST | 4 +-
graphics/tiff/distinfo | 12 +-
graphics/tiff/patches/patch-CVE-2012-4564 | 33 --
graphics/tiff/patches/patch-CVE-2013-1960_1961 | 295 -------------------------
graphics/tiff/patches/patch-CVE-2013-4231 | 31 --
graphics/tiff/patches/patch-CVE-2013-4243 | 45 ---
7 files changed, 9 insertions(+), 416 deletions(-)
diffs (truncated from 466 to 300 lines):
diff -r 371e9e2069b6 -r 6f55a3d41aca graphics/tiff/Makefile
--- a/graphics/tiff/Makefile Sun Mar 29 13:10:58 2015 +0000
+++ b/graphics/tiff/Makefile Sun Mar 29 14:47:03 2015 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.117 2014/10/09 14:06:37 wiz Exp $
+# $NetBSD: Makefile,v 1.118 2015/03/29 14:47:03 bsiegert Exp $
-DISTNAME= tiff-4.0.3
-PKGREVISION= 6
+DISTNAME= tiff-4.0.4beta
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://libtiff.maptools.org/dl/
diff -r 371e9e2069b6 -r 6f55a3d41aca graphics/tiff/PLIST
--- a/graphics/tiff/PLIST Sun Mar 29 13:10:58 2015 +0000
+++ b/graphics/tiff/PLIST Sun Mar 29 14:47:03 2015 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.17 2012/10/01 18:11:29 adam Exp $
+@comment $NetBSD: PLIST,v 1.18 2015/03/29 14:47:03 bsiegert Exp $
bin/bmp2tiff
bin/fax2ps
bin/fax2tiff
@@ -246,3 +246,5 @@
share/doc/tiff/html/v4.0.0.html
share/doc/tiff/html/v4.0.1.html
share/doc/tiff/html/v4.0.2.html
+share/doc/tiff/html/v4.0.3.html
+share/doc/tiff/html/v4.0.4beta.html
diff -r 371e9e2069b6 -r 6f55a3d41aca graphics/tiff/distinfo
--- a/graphics/tiff/distinfo Sun Mar 29 13:10:58 2015 +0000
+++ b/graphics/tiff/distinfo Sun Mar 29 14:47:03 2015 +0000
@@ -1,10 +1,6 @@
-$NetBSD: distinfo,v 1.62 2013/09/21 18:47:05 dholland Exp $
+$NetBSD: distinfo,v 1.63 2015/03/29 14:47:03 bsiegert Exp $
-SHA1 (tiff-4.0.3.tar.gz) = 652e97b78f1444237a82cbcfe014310e776eb6f0
-RMD160 (tiff-4.0.3.tar.gz) = eacd725fb3c299682c1c2e508049d98acd170f31
-Size (tiff-4.0.3.tar.gz) = 2051630 bytes
-SHA1 (patch-CVE-2012-4564) = bda3b26e431e8234e5afd984a086c980a8eb6c41
-SHA1 (patch-CVE-2013-1960_1961) = b815edbeeb1eb23ce2633060dd390985dec794f3
-SHA1 (patch-CVE-2013-4231) = bc1420583b9c4b0a34d26142bc35b6d0d26af529
-SHA1 (patch-CVE-2013-4243) = e5d37df64620451f9a34a3f6c14825873db9c1bd
+SHA1 (tiff-4.0.4beta.tar.gz) = 987568b81f6c40653eb79386fa0e163f3c6ab6fb
+RMD160 (tiff-4.0.4beta.tar.gz) = 0f7c47bad8d6d9cd75d3bf42abf0a6133c1ea129
+Size (tiff-4.0.4beta.tar.gz) = 2098962 bytes
SHA1 (patch-configure) = 1fb9ef790a59ac9c1396dd8e962c75946e2c998a
diff -r 371e9e2069b6 -r 6f55a3d41aca graphics/tiff/patches/patch-CVE-2012-4564
--- a/graphics/tiff/patches/patch-CVE-2012-4564 Sun Mar 29 13:10:58 2015 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,33 +0,0 @@
-$NetBSD: patch-CVE-2012-4564,v 1.1 2012/11/05 12:41:48 drochner Exp $
-
-see https://bugzilla.redhat.com/show_bug.cgi?id=871700
-
---- tools/ppm2tiff.c.orig 2010-04-10 19:22:34.000000000 +0000
-+++ tools/ppm2tiff.c
-@@ -89,6 +89,7 @@ main(int argc, char* argv[])
- int c;
- extern int optind;
- extern char* optarg;
-+ tmsize_t scanline_size;
-
- if (argc < 2) {
- fprintf(stderr, "%s: Too few arguments\n", argv[0]);
-@@ -237,8 +238,16 @@ main(int argc, char* argv[])
- }
- if (TIFFScanlineSize(out) > linebytes)
- buf = (unsigned char *)_TIFFmalloc(linebytes);
-- else
-- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-+ else {
-+ scanline_size = TIFFScanlineSize(out);
-+ if (scanline_size != 0)
-+ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-+ else {
-+ fprintf(stderr, "%s: scanline size overflow\n",infile);
-+ (void) TIFFClose(out);
-+ exit(-2);
-+ }
-+ }
- if (resolution > 0) {
- TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
- TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff -r 371e9e2069b6 -r 6f55a3d41aca graphics/tiff/patches/patch-CVE-2013-1960_1961
--- a/graphics/tiff/patches/patch-CVE-2013-1960_1961 Sun Mar 29 13:10:58 2015 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,295 +0,0 @@
-$NetBSD: patch-CVE-2013-1960_1961,v 1.2 2013/08/15 14:58:46 drochner Exp $
-
-see https://bugzilla.redhat.com/show_bug.cgi?id=952131
-and https://bugzilla.redhat.com/show_bug.cgi?id=952158
-
-also fixes CVE-2013-4232
-see http://bugzilla.maptools.org/show_bug.cgi?id=2449
-
---- contrib/dbs/xtiff/xtiff.c.orig 2010-06-08 20:55:15.000000000 +0200
-+++ contrib/dbs/xtiff/xtiff.c 2013-05-02 16:27:43.000000000 +0200
-@@ -512,9 +512,9 @@ SetNameLabel()
- Arg args[1];
-
- if (tfMultiPage)
-- sprintf(buffer, "%s - page %d", fileName, tfDirectory);
-+ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
- else
-- strcpy(buffer, fileName);
-+ snprintf(buffer, sizeof(buffer), "%s", fileName);
- XtSetArg(args[0], XtNlabel, buffer);
- XtSetValues(labelWidget, args, 1);
- }
---- libtiff/tif_codec.c.orig 2010-12-14 15:18:28.000000000 +0100
-+++ libtiff/tif_codec.c 2013-05-02 16:27:43.000000000 +0200
-@@ -108,7 +108,8 @@ _notConfigured(TIFF* tif)
- const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression);
- char compression_code[20];
-
-- sprintf( compression_code, "%d", tif->tif_dir.td_compression );
-+ snprintf(compression_code, sizeof(compression_code), "%d",
-+ tif->tif_dir.td_compression );
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "%s compression support is not configured",
- c ? c->name : compression_code );
---- libtiff/tif_dirinfo.c.orig 2012-08-19 18:56:34.000000000 +0200
-+++ libtiff/tif_dirinfo.c 2013-05-02 16:27:43.000000000 +0200
-@@ -711,7 +711,7 @@ _TIFFCreateAnonField(TIFF *tif, uint32 t
- * note that this name is a special sign to TIFFClose() and
- * _TIFFSetupFields() to free the field
- */
-- sprintf(fld->field_name, "Tag %d", (int) tag);
-+ snprintf(fld->field_name, 32, "Tag %d", (int) tag);
-
- return fld;
- }
---- tools/rgb2ycbcr.c.orig 2011-05-31 19:03:16.000000000 +0200
-+++ tools/rgb2ycbcr.c 2013-05-02 16:27:43.000000000 +0200
-@@ -332,7 +332,8 @@ tiffcvt(TIFF* in, TIFF* out)
- TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
- { char buf[2048];
- char *cp = strrchr(TIFFFileName(in), '/');
-- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
-+ snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
-+ cp ? cp+1 : TIFFFileName(in));
- TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
- }
- TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
---- tools/tiff2bw.c.orig 2010-07-08 18:10:24.000000000 +0200
-+++ tools/tiff2bw.c 2013-05-02 16:27:43.000000000 +0200
-@@ -205,7 +205,7 @@ main(int argc, char* argv[])
- }
- }
- TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
-- sprintf(thing, "B&W version of %s", argv[optind]);
-+ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
- TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
- TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
- outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
---- tools/tiff2pdf.c.orig 2012-07-26 02:56:43.000000000 +0000
-+++ tools/tiff2pdf.c
-@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p
- TIFFFileName(input));
- t2p->t2p_error = T2P_ERR_ERROR;
- _TIFFfree(buffer);
-+ return(0);
- } else {
- buffer=samplebuffer;
- t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
-@@ -3341,33 +3342,56 @@ int t2p_process_jpeg_strip(
- uint32 height){
-
- tsize_t i=0;
-- uint16 ri =0;
-- uint16 v_samp=1;
-- uint16 h_samp=1;
-- int j=0;
--
-- i++;
--
-- while(i<(*striplength)){
-+
-+ while (i < *striplength) {
-+ tsize_t datalen;
-+ uint16 ri;
-+ uint16 v_samp;
-+ uint16 h_samp;
-+ int j;
-+ int ncomp;
-+
-+ /* marker header: one or more FFs */
-+ if (strip[i] != 0xff)
-+ return(0);
-+ i++;
-+ while (i < *striplength && strip[i] == 0xff)
-+ i++;
-+ if (i >= *striplength)
-+ return(0);
-+ /* SOI is the only pre-SOS marker without a length word */
-+ if (strip[i] == 0xd8)
-+ datalen = 0;
-+ else {
-+ if ((*striplength - i) <= 2)
-+ return(0);
-+ datalen = (strip[i+1] << 8) | strip[i+2];
-+ if (datalen < 2 || datalen >= (*striplength - i))
-+ return(0);
-+ }
- switch( strip[i] ){
-- case 0xd8:
-- /* SOI - start of image */
-+ case 0xd8: /* SOI - start of image */
- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
- *bufferoffset+=2;
-- i+=2;
- break;
-- case 0xc0:
-- case 0xc1:
-- case 0xc3:
-- case 0xc9:
-- case 0xca:
-+ case 0xc0: /* SOF0 */
-+ case 0xc1: /* SOF1 */
-+ case 0xc3: /* SOF3 */
-+ case 0xc9: /* SOF9 */
-+ case 0xca: /* SOF10 */
- if(no==0){
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
-- for(j=0;j<buffer[*bufferoffset+9];j++){
-- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
-- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
-- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
-- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ ncomp = buffer[*bufferoffset+9];
-+ if (ncomp < 1 || ncomp > 4)
-+ return(0);
-+ v_samp=1;
-+ h_samp=1;
-+ for(j=0;j<ncomp;j++){
-+ uint16 samp = buffer[*bufferoffset+11+(3*j)];
-+ if( (samp>>4) > h_samp)
-+ h_samp = (samp>>4);
-+ if( (samp & 0x0f) > v_samp)
-+ v_samp = (samp & 0x0f);
- }
- v_samp*=8;
- h_samp*=8;
-@@ -3381,45 +3405,43 @@ int t2p_process_jpeg_strip(
- (unsigned char) ((height>>8) & 0xff);
- buffer[*bufferoffset+6]=
- (unsigned char) (height & 0xff);
-- *bufferoffset+=strip[i+2]+2;
-- i+=strip[i+2]+2;
--
-+ *bufferoffset+=datalen+2;
-+ /* insert a DRI marker */
- buffer[(*bufferoffset)++]=0xff;
- buffer[(*bufferoffset)++]=0xdd;
- buffer[(*bufferoffset)++]=0x00;
- buffer[(*bufferoffset)++]=0x04;
- buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
- buffer[(*bufferoffset)++]= ri & 0xff;
-- } else {
-- i+=strip[i+2]+2;
- }
- break;
-- case 0xc4:
-- case 0xdb:
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
-- *bufferoffset+=strip[i+2]+2;
-- i+=strip[i+2]+2;
-+ case 0xc4: /* DHT */
-+ case 0xdb: /* DQT */
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ *bufferoffset+=datalen+2;
- break;
-- case 0xda:
-+ case 0xda: /* SOS */
- if(no==0){
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
-- *bufferoffset+=strip[i+2]+2;
-- i+=strip[i+2]+2;
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+ *bufferoffset+=datalen+2;
- } else {
- buffer[(*bufferoffset)++]=0xff;
- buffer[(*bufferoffset)++]=
- (unsigned char)(0xd0 | ((no-1)%8));
-- i+=strip[i+2]+2;
- }
-- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
-- *bufferoffset+=(*striplength)-i-1;
-+ i += datalen + 1;
-+ /* copy remainder of strip */
-+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
-+ *bufferoffset+= *striplength - i;
- return(1);
- default:
-- i+=strip[i+2]+2;
-+ /* ignore any other marker */
-+ break;
- }
-+ i += datalen + 1;