pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2018Q3] pkgsrc/graphics/tiff



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Mon Oct 29 14:49:32 UTC 2018

Modified Files:
        pkgsrc/graphics/tiff [pkgsrc-2018Q3]: Makefile distinfo
Added Files:
        pkgsrc/graphics/tiff/patches [pkgsrc-2018Q3]: patch-CVE-2017-11613
            patch-CVE-2017-18013 patch-CVE-2018-10963 patch-CVE-2018-17100
            patch-CVE-2018-17101 patch-CVE-2018-5784

Log Message:
Pullup ticket #5867 - requested by spz
graphics/tiff: security fix

Revisions pulled up:
- graphics/tiff/Makefile                                        1.143
- graphics/tiff/distinfo                                        1.92
- graphics/tiff/patches/patch-CVE-2017-11613                    1.1
- graphics/tiff/patches/patch-CVE-2017-18013                    1.1
- graphics/tiff/patches/patch-CVE-2018-10963                    1.1
- graphics/tiff/patches/patch-CVE-2018-17100                    1.1
- graphics/tiff/patches/patch-CVE-2018-17101                    1.1
- graphics/tiff/patches/patch-CVE-2018-5784                     1.1

---
   Module Name: pkgsrc
   Committed By:        spz
   Date:                Sun Oct 28 09:45:07 UTC 2018

   Modified Files:
        pkgsrc/graphics/tiff: Makefile distinfo
   Added Files:
        pkgsrc/graphics/tiff/patches: patch-CVE-2017-11613 patch-CVE-2017-18013
            patch-CVE-2018-10963 patch-CVE-2018-17100 patch-CVE-2018-17101
            patch-CVE-2018-5784

   Log Message:
   patches from upstream for
   CVE-2017-11613 CVE-2017-18013 CVE-2018-5784 CVE-2018-10963
   CVE-2018-17100 CVE-2018-17101


To generate a diff of this commit:
cvs rdiff -u -r1.141.4.1 -r1.141.4.2 pkgsrc/graphics/tiff/Makefile
cvs rdiff -u -r1.90.4.1 -r1.90.4.2 pkgsrc/graphics/tiff/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/graphics/tiff/patches/patch-CVE-2017-11613 \
    pkgsrc/graphics/tiff/patches/patch-CVE-2017-18013 \
    pkgsrc/graphics/tiff/patches/patch-CVE-2018-10963 \
    pkgsrc/graphics/tiff/patches/patch-CVE-2018-17100 \
    pkgsrc/graphics/tiff/patches/patch-CVE-2018-17101 \
    pkgsrc/graphics/tiff/patches/patch-CVE-2018-5784

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/tiff/Makefile
diff -u pkgsrc/graphics/tiff/Makefile:1.141.4.1 pkgsrc/graphics/tiff/Makefile:1.141.4.2
--- pkgsrc/graphics/tiff/Makefile:1.141.4.1     Fri Oct 26 07:02:55 2018
+++ pkgsrc/graphics/tiff/Makefile       Mon Oct 29 14:49:32 2018
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.141.4.1 2018/10/26 07:02:55 spz Exp $
+# $NetBSD: Makefile,v 1.141.4.2 2018/10/29 14:49:32 bsiegert Exp $
 
 DISTNAME=      tiff-4.0.9
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://download.osgeo.org/libtiff/
 

Index: pkgsrc/graphics/tiff/distinfo
diff -u pkgsrc/graphics/tiff/distinfo:1.90.4.1 pkgsrc/graphics/tiff/distinfo:1.90.4.2
--- pkgsrc/graphics/tiff/distinfo:1.90.4.1      Fri Oct 26 07:02:55 2018
+++ pkgsrc/graphics/tiff/distinfo       Mon Oct 29 14:49:32 2018
@@ -1,10 +1,16 @@
-$NetBSD: distinfo,v 1.90.4.1 2018/10/26 07:02:55 spz Exp $
+$NetBSD: distinfo,v 1.90.4.2 2018/10/29 14:49:32 bsiegert Exp $
 
 SHA1 (tiff-4.0.9.tar.gz) = 87d4543579176cc568668617c22baceccd568296
 RMD160 (tiff-4.0.9.tar.gz) = ab5b3b7297e79344775b1e70c4d54c90c06836a3
 SHA512 (tiff-4.0.9.tar.gz) = 04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd
 Size (tiff-4.0.9.tar.gz) = 2305681 bytes
+SHA1 (patch-CVE-2017-11613) = 76db7d185ef5b82e7136ce451432e3e4b0cc5c12
+SHA1 (patch-CVE-2017-18013) = ebfdfb964aeafb3d8af2f7ad151270d8133f3e96
 SHA1 (patch-CVE-2017-9935) = d33f3311e5bb96bf415f894237ab4dfcfafd2610
+SHA1 (patch-CVE-2018-10963) = 564b65546c0e63a00d87ef9bb9d9cc8c5ca5a4ee
+SHA1 (patch-CVE-2018-17100) = 85290ca7d806087e640b1a6f5c3de5dda9c2060e
+SHA1 (patch-CVE-2018-17101) = 02039854f7c79d5937d585ca3e6355a7f41b7d1a
+SHA1 (patch-CVE-2018-5784) = 26e2c196b4150958dd37b33c1900c5baa6188661
 SHA1 (patch-CVE-2018-8905) = 3a7081957ff2f4d6e777df5a9609ba89eecd8fbc
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
 SHA1 (patch-libtiff_tif__jbig.c) = feb404c5c70c0f4f10fa53351fab4db163bbccf3

Added files:

Index: pkgsrc/graphics/tiff/patches/patch-CVE-2017-11613
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2017-11613:1.1.2.2
--- /dev/null   Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2017-11613   Mon Oct 29 14:49:32 2018
@@ -0,0 +1,113 @@
+$NetBSD: patch-CVE-2017-11613,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for CVE-2017-11613 taken from upstream git repo
+
+--- libtiff/tif_dirread.c.orig 2017-09-16 19:07:56.000000000 +0000
++++ libtiff/tif_dirread.c
+@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
++static int _TIFFGetMaxColorChannels(uint16 photometric);
+ 
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
+ 
+@@ -3507,6 +3508,35 @@ static void TIFFReadDirEntryOutputErr(TI
+ }
+ 
+ /*
++ * Return the maximum number of color channels specified for a given photometric
++ * type. 0 is returned if photometric type isn't supported or no default value
++ * is defined by the specification.
++ */
++static int _TIFFGetMaxColorChannels( uint16 photometric )
++{
++    switch (photometric) {
++      case PHOTOMETRIC_PALETTE:
++      case PHOTOMETRIC_MINISWHITE:
++      case PHOTOMETRIC_MINISBLACK:
++          return 1;
++      case PHOTOMETRIC_YCBCR:
++      case PHOTOMETRIC_RGB:
++      case PHOTOMETRIC_CIELAB:
++          return 3;
++      case PHOTOMETRIC_SEPARATED:
++      case PHOTOMETRIC_MASK:
++          return 4;
++      case PHOTOMETRIC_LOGL:
++      case PHOTOMETRIC_LOGLUV:
++      case PHOTOMETRIC_CFA:
++      case PHOTOMETRIC_ITULAB:
++      case PHOTOMETRIC_ICCLAB:
++      default:
++          return 0;
++    }
++}
++      
++/*
+  * Read the next TIFF directory from a file and convert it to the internal
+  * format. We read directories sequentially.
+  */
+@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
+       uint32 fii=FAILED_FII;
+         toff_t nextdiroff;
+     int bitspersample_read = FALSE;
++      int color_channels;
+ 
+       tif->tif_diroff=tif->tif_nextdiroff;
+       if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
+                       }
+               }
+       }
++
++      /*
++       * Make sure all non-color channels are extrasamples.
++       * If it's not the case, define them as such.
++       */
++      color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
++      if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
++              uint16 old_extrasamples;
++              uint16 *new_sampleinfo;
++
++              TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
++                  "color channels and ExtraSamples doesn't match SamplesPerPixel. "
++                  "Defining non-color channels as ExtraSamples.");
++
++              old_extrasamples = tif->tif_dir.td_extrasamples;
++              tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
++
++              // sampleinfo should contain information relative to these new extra samples
++              new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
++              if (!new_sampleinfo) {
++                  TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
++                              "temporary new sampleinfo array (%d 16 bit elements)",
++                              tif->tif_dir.td_extrasamples);
++                  goto bad;
++              }
++
++              memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++              _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
++              _TIFFfree(new_sampleinfo);
++      }
++
+       /*
+        * Verify Palette image has a Colormap.
+        */
+@@ -5698,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+         if( nstrips == 0 )
+             return;
+ 
++        /* If we are going to allocate a lot of memory, make sure that the */
++      /* file is as big as needed */
++      if( tif->tif_mode == O_RDONLY &&
++          nstrips > 1000000 &&
++          (offset >= TIFFGetFileSize(tif) ||
++           stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
++      {
++          return;
++      }
++
+       newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+                               "for chopped \"StripByteCounts\" array");
+       newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2017-18013
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2017-18013:1.1.2.2
--- /dev/null   Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2017-18013   Mon Oct 29 14:49:32 2018
@@ -0,0 +1,24 @@
+$NetBSD: patch-CVE-2017-18013,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for patch-CVE-2017-18013 from upstream git repo
+
+--- libtiff/tif_print.c.orig   2016-11-25 17:26:23.000000000 +0000
++++ libtiff/tif_print.c        2018-10-09 17:35:21.544815948 +0000
+@@ -667,13 +667,13 @@
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                       fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
+                           (unsigned long) s,
+-                          (unsigned __int64) td->td_stripoffset[s],
+-                          (unsigned __int64) td->td_stripbytecount[s]);
++                          td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++                          td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+                       fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
+                           (unsigned long) s,
+-                          (unsigned long long) td->td_stripoffset[s],
+-                          (unsigned long long) td->td_stripbytecount[s]);
++                          td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++                          td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+       }
+ }
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2018-10963
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2018-10963:1.1.2.2
--- /dev/null   Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2018-10963   Mon Oct 29 14:49:32 2018
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2018-10963,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for CVE-2018-10963 from upstream git repo
+
+--- libtiff/tif_dirwrite.c.orig        2017-08-29 13:39:48.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isi
+                                                               }
+                                                               break;
+                                                       default:
+-                                                              assert(0);   /* we should never get here */
+-                                                              break;
++                                                              TIFFErrorExt(tif->tif_clientdata,module,
++                                                              "Cannot write tag %d (%s)",
++                                                              TIFFFieldTag(o),
++                                                              o->field_name ? o->field_name : "unknown");
++                                                                                                                                              goto bad;
+                                               }
+                                       }
+                               }
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2018-17100
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2018-17100:1.1.2.2
--- /dev/null   Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2018-17100   Mon Oct 29 14:49:32 2018
@@ -0,0 +1,30 @@
+$NetBSD: patch-CVE-2018-17100,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+Patch for CVE-2018-17100 from upstream git repo
+
+--- tools/ppm2tiff.c.orig      2015-08-28 22:17:08.000000000 +0000
++++ tools/ppm2tiff.c   2018-10-09 17:20:10.068567016 +0000
+@@ -72,16 +72,17 @@
+       exit(-2);
+ }
+ 
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+-      tmsize_t bytes = m1 * m2;
+-
+-      if (m1 && bytes / m1 != m2)
+-              bytes = 0;
++      if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++          return 0;
+ 
+-      return bytes;
+-}
++      return m1 * m2;
++}  
+ 
+ int
+ main(int argc, char* argv[])
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2018-17101
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2018-17101:1.1.2.2
--- /dev/null   Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2018-17101   Mon Oct 29 14:49:32 2018
@@ -0,0 +1,56 @@
+$NetBSD: patch-CVE-2018-17101,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+Patch for CVE-2018-17101 from upstream git repo
+
+--- tools/pal2rgb.c.orig       2015-08-28 22:17:08.000000000 +0000
++++ tools/pal2rgb.c
+@@ -391,7 +392,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+     struct cpTag *p;
+     for (p = tags; p < &tags[NTAGS]; p++)
++    {
++      if( p->tag == TIFFTAG_GROUP3OPTIONS )
++      {
++          uint16 compression;
++          if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                  compression != COMPRESSION_CCITTFAX3 )
++              continue;
++      }
++      if( p->tag == TIFFTAG_GROUP4OPTIONS )
++      {
++          uint16 compression;
++          if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                  compression != COMPRESSION_CCITTFAX4 )
++              continue;
++      }
+       cpTag(in, out, p->tag, p->count, p->type);
++    }
+ }
+ #undef NTAGS
+ 
+--- tools/tiff2bw.c.orig       2017-11-01 13:41:58.000000000 +0000
++++ tools/tiff2bw.c
+@@ -452,7 +452,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+     struct cpTag *p;
+     for (p = tags; p < &tags[NTAGS]; p++)
++    {
++        if( p->tag == TIFFTAG_GROUP3OPTIONS )
++      {
++          uint16 compression;
++          if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                  compression != COMPRESSION_CCITTFAX3 )
++              continue;
++      }
++      if( p->tag == TIFFTAG_GROUP4OPTIONS )
++      {
++          uint16 compression;
++          if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                  compression != COMPRESSION_CCITTFAX4 )
++              continue;
++      }
+       cpTag(in, out, p->tag, p->count, p->type);
++    }
+ }
+ #undef NTAGS
+ 
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2018-5784
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2018-5784:1.1.2.2
--- /dev/null   Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2018-5784    Mon Oct 29 14:49:32 2018
@@ -0,0 +1,110 @@
+$NetBSD: patch-CVE-2018-5784,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for patch-CVE-2018-5784 from upstream git repo
+
+--- contrib/addtiffo/tif_overview.c.orig       2015-05-30 21:11:52.000000000 +0000
++++ contrib/addtiffo/tif_overview.c
+@@ -65,6 +65,8 @@
+ #  define MAX(a,b)      ((a>b) ? a : b)
+ #endif
+ 
++#define TIFF_DIR_MAX  65534
++
+ void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
+                          int (*)(double,void*), void * );
+ 
+@@ -91,6 +93,9 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, 
+ {
+     toff_t    nBaseDirOffset;
+     toff_t    nOffset;
++    tdir_t    iNumDir;
++      
++      
+ 
+     (void) bUseSubIFDs;
+ 
+@@ -147,7 +152,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, 
+         return 0;
+ 
+     TIFFWriteDirectory( hTIFF );
+-    TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
++    iNumDir = TIFFNumberOfDirectories(hTIFF);
++    if( iNumDir > TIFF_DIR_MAX )
++    {
++      TIFFErrorExt( TIFFClientdata(hTIFF),
++                    "TIFF_WriteOverview",
++                    "File `%s' has too many directories.\n",
++                    TIFFFileName(hTIFF) );
++      exit(-1);
++    }
++    TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
+ 
+     nOffset = TIFFCurrentDirOffset( hTIFF );
+ 
+--- tools/tiff2pdf.c.orig      2017-10-29 18:50:41.000000000 +0000
++++ tools/tiff2pdf.c
+@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
+ 
+ #define PS_UNIT_SIZE  72.0F
+ 
++#define TIFF_DIR_MAX    65534
++
+ /* This type is of PDF color spaces. */
+ typedef enum {
+       T2P_CS_BILEVEL = 0x01,  /* Bilevel, black and white */
+@@ -1047,10 +1049,18 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* 
+       uint16 pagen=0;
+       uint16 paged=0;
+       uint16 xuint16=0;
+       uint16 tiff_transferfunctioncount=0;
+       uint16* tiff_transferfunction[3];
+ 
+       directorycount=TIFFNumberOfDirectories(input);
++      if(directorycount > TIFF_DIR_MAX) {
++              TIFFError(
++                      TIFF2PDF_MODULE,
++                      "TIFF contains too many directories, %s",
++                      TIFFFileName(input));
++              t2p->t2p_error = T2P_ERR_ERROR;
++              return;
++      }
+       t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+       if(t2p->tiff_pages==NULL){
+               TIFFError(
+
+--- tools/tiffcrop.c.orig      2017-01-15 16:00:09.000000000 +0000
++++ tools/tiffcrop.c
+@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const
+ #define DUMP_TEXT   1
+ #define DUMP_RAW    2
+ 
++#define TIFF_DIR_MAX  65534
++
+ /* Offsets into buffer for margins and fixed width and length segments */
+ struct offset {
+   uint32  tmargin;
+@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
+     pageNum = -1;
+   else
+     total_images = 0;
+-  /* read multiple input files and write to output file(s) */
++  /* Read multiple input files and write to output file(s) */
+   while (optind < argc - 1)
+     {
+     in = TIFFOpen (argv[optind], "r");
+@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
+       return (-3);
+ 
+     /* If only one input file is specified, we can use directory count */
+-    total_images = TIFFNumberOfDirectories(in); 
++    total_images = TIFFNumberOfDirectories(in);
++    if (total_images > TIFF_DIR_MAX)
++      {
++      TIFFError (TIFFFileName(in), "File contains too many directories");
++      if (out != NULL)
++      (void) TIFFClose(out);
++      return (1);
++      }
+     if (image_count == 0)
+       {
+       dirnum = 0;



Home | Main Index | Thread Index | Old Index