pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: [pkgsrc-2018Q3] pkgsrc/graphics/tiff
Module Name: pkgsrc
Committed By: bsiegert
Date: Mon Oct 29 14:49:32 UTC 2018
Modified Files:
pkgsrc/graphics/tiff [pkgsrc-2018Q3]: Makefile distinfo
Added Files:
pkgsrc/graphics/tiff/patches [pkgsrc-2018Q3]: patch-CVE-2017-11613
patch-CVE-2017-18013 patch-CVE-2018-10963 patch-CVE-2018-17100
patch-CVE-2018-17101 patch-CVE-2018-5784
Log Message:
Pullup ticket #5867 - requested by spz
graphics/tiff: security fix
Revisions pulled up:
- graphics/tiff/Makefile 1.143
- graphics/tiff/distinfo 1.92
- graphics/tiff/patches/patch-CVE-2017-11613 1.1
- graphics/tiff/patches/patch-CVE-2017-18013 1.1
- graphics/tiff/patches/patch-CVE-2018-10963 1.1
- graphics/tiff/patches/patch-CVE-2018-17100 1.1
- graphics/tiff/patches/patch-CVE-2018-17101 1.1
- graphics/tiff/patches/patch-CVE-2018-5784 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Sun Oct 28 09:45:07 UTC 2018
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
Added Files:
pkgsrc/graphics/tiff/patches: patch-CVE-2017-11613 patch-CVE-2017-18013
patch-CVE-2018-10963 patch-CVE-2018-17100 patch-CVE-2018-17101
patch-CVE-2018-5784
Log Message:
patches from upstream for
CVE-2017-11613 CVE-2017-18013 CVE-2018-5784 CVE-2018-10963
CVE-2018-17100 CVE-2018-17101
To generate a diff of this commit:
cvs rdiff -u -r1.141.4.1 -r1.141.4.2 pkgsrc/graphics/tiff/Makefile
cvs rdiff -u -r1.90.4.1 -r1.90.4.2 pkgsrc/graphics/tiff/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/graphics/tiff/patches/patch-CVE-2017-11613 \
pkgsrc/graphics/tiff/patches/patch-CVE-2017-18013 \
pkgsrc/graphics/tiff/patches/patch-CVE-2018-10963 \
pkgsrc/graphics/tiff/patches/patch-CVE-2018-17100 \
pkgsrc/graphics/tiff/patches/patch-CVE-2018-17101 \
pkgsrc/graphics/tiff/patches/patch-CVE-2018-5784
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/graphics/tiff/Makefile
diff -u pkgsrc/graphics/tiff/Makefile:1.141.4.1 pkgsrc/graphics/tiff/Makefile:1.141.4.2
--- pkgsrc/graphics/tiff/Makefile:1.141.4.1 Fri Oct 26 07:02:55 2018
+++ pkgsrc/graphics/tiff/Makefile Mon Oct 29 14:49:32 2018
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.141.4.1 2018/10/26 07:02:55 spz Exp $
+# $NetBSD: Makefile,v 1.141.4.2 2018/10/29 14:49:32 bsiegert Exp $
DISTNAME= tiff-4.0.9
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= graphics
MASTER_SITES= ftp://download.osgeo.org/libtiff/
Index: pkgsrc/graphics/tiff/distinfo
diff -u pkgsrc/graphics/tiff/distinfo:1.90.4.1 pkgsrc/graphics/tiff/distinfo:1.90.4.2
--- pkgsrc/graphics/tiff/distinfo:1.90.4.1 Fri Oct 26 07:02:55 2018
+++ pkgsrc/graphics/tiff/distinfo Mon Oct 29 14:49:32 2018
@@ -1,10 +1,16 @@
-$NetBSD: distinfo,v 1.90.4.1 2018/10/26 07:02:55 spz Exp $
+$NetBSD: distinfo,v 1.90.4.2 2018/10/29 14:49:32 bsiegert Exp $
SHA1 (tiff-4.0.9.tar.gz) = 87d4543579176cc568668617c22baceccd568296
RMD160 (tiff-4.0.9.tar.gz) = ab5b3b7297e79344775b1e70c4d54c90c06836a3
SHA512 (tiff-4.0.9.tar.gz) = 04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd
Size (tiff-4.0.9.tar.gz) = 2305681 bytes
+SHA1 (patch-CVE-2017-11613) = 76db7d185ef5b82e7136ce451432e3e4b0cc5c12
+SHA1 (patch-CVE-2017-18013) = ebfdfb964aeafb3d8af2f7ad151270d8133f3e96
SHA1 (patch-CVE-2017-9935) = d33f3311e5bb96bf415f894237ab4dfcfafd2610
+SHA1 (patch-CVE-2018-10963) = 564b65546c0e63a00d87ef9bb9d9cc8c5ca5a4ee
+SHA1 (patch-CVE-2018-17100) = 85290ca7d806087e640b1a6f5c3de5dda9c2060e
+SHA1 (patch-CVE-2018-17101) = 02039854f7c79d5937d585ca3e6355a7f41b7d1a
+SHA1 (patch-CVE-2018-5784) = 26e2c196b4150958dd37b33c1900c5baa6188661
SHA1 (patch-CVE-2018-8905) = 3a7081957ff2f4d6e777df5a9609ba89eecd8fbc
SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
SHA1 (patch-libtiff_tif__jbig.c) = feb404c5c70c0f4f10fa53351fab4db163bbccf3
Added files:
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2017-11613
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2017-11613:1.1.2.2
--- /dev/null Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2017-11613 Mon Oct 29 14:49:32 2018
@@ -0,0 +1,113 @@
+$NetBSD: patch-CVE-2017-11613,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for CVE-2017-11613 taken from upstream git repo
+
+--- libtiff/tif_dirread.c.orig 2017-09-16 19:07:56.000000000 +0000
++++ libtiff/tif_dirread.c
+@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
++static int _TIFFGetMaxColorChannels(uint16 photometric);
+
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
+
+@@ -3507,6 +3508,35 @@ static void TIFFReadDirEntryOutputErr(TI
+ }
+
+ /*
++ * Return the maximum number of color channels specified for a given photometric
++ * type. 0 is returned if photometric type isn't supported or no default value
++ * is defined by the specification.
++ */
++static int _TIFFGetMaxColorChannels( uint16 photometric )
++{
++ switch (photometric) {
++ case PHOTOMETRIC_PALETTE:
++ case PHOTOMETRIC_MINISWHITE:
++ case PHOTOMETRIC_MINISBLACK:
++ return 1;
++ case PHOTOMETRIC_YCBCR:
++ case PHOTOMETRIC_RGB:
++ case PHOTOMETRIC_CIELAB:
++ return 3;
++ case PHOTOMETRIC_SEPARATED:
++ case PHOTOMETRIC_MASK:
++ return 4;
++ case PHOTOMETRIC_LOGL:
++ case PHOTOMETRIC_LOGLUV:
++ case PHOTOMETRIC_CFA:
++ case PHOTOMETRIC_ITULAB:
++ case PHOTOMETRIC_ICCLAB:
++ default:
++ return 0;
++ }
++}
++
++/*
+ * Read the next TIFF directory from a file and convert it to the internal
+ * format. We read directories sequentially.
+ */
+@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
+ uint32 fii=FAILED_FII;
+ toff_t nextdiroff;
+ int bitspersample_read = FALSE;
++ int color_channels;
+
+ tif->tif_diroff=tif->tif_nextdiroff;
+ if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
+ }
+ }
+ }
++
++ /*
++ * Make sure all non-color channels are extrasamples.
++ * If it's not the case, define them as such.
++ */
++ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
++ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
++ uint16 old_extrasamples;
++ uint16 *new_sampleinfo;
++
++ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
++ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
++ "Defining non-color channels as ExtraSamples.");
++
++ old_extrasamples = tif->tif_dir.td_extrasamples;
++ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
++
++ // sampleinfo should contain information relative to these new extra samples
++ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
++ if (!new_sampleinfo) {
++ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
++ "temporary new sampleinfo array (%d 16 bit elements)",
++ tif->tif_dir.td_extrasamples);
++ goto bad;
++ }
++
++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
++ _TIFFfree(new_sampleinfo);
++ }
++
+ /*
+ * Verify Palette image has a Colormap.
+ */
+@@ -5698,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ if( nstrips == 0 )
+ return;
+
++ /* If we are going to allocate a lot of memory, make sure that the */
++ /* file is as big as needed */
++ if( tif->tif_mode == O_RDONLY &&
++ nstrips > 1000000 &&
++ (offset >= TIFFGetFileSize(tif) ||
++ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
++ {
++ return;
++ }
++
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2017-18013
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2017-18013:1.1.2.2
--- /dev/null Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2017-18013 Mon Oct 29 14:49:32 2018
@@ -0,0 +1,24 @@
+$NetBSD: patch-CVE-2017-18013,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for patch-CVE-2017-18013 from upstream git repo
+
+--- libtiff/tif_print.c.orig 2016-11-25 17:26:23.000000000 +0000
++++ libtiff/tif_print.c 2018-10-09 17:35:21.544815948 +0000
+@@ -667,13 +667,13 @@
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
+ (unsigned long) s,
+- (unsigned __int64) td->td_stripoffset[s],
+- (unsigned __int64) td->td_stripbytecount[s]);
++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+ fprintf(fd, " %3lu: [%8llu, %8llu]\n",
+ (unsigned long) s,
+- (unsigned long long) td->td_stripoffset[s],
+- (unsigned long long) td->td_stripbytecount[s]);
++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+ }
+ }
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2018-10963
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2018-10963:1.1.2.2
--- /dev/null Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2018-10963 Mon Oct 29 14:49:32 2018
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2018-10963,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for CVE-2018-10963 from upstream git repo
+
+--- libtiff/tif_dirwrite.c.orig 2017-08-29 13:39:48.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isi
+ }
+ break;
+ default:
+- assert(0); /* we should never get here */
+- break;
++ TIFFErrorExt(tif->tif_clientdata,module,
++ "Cannot write tag %d (%s)",
++ TIFFFieldTag(o),
++ o->field_name ? o->field_name : "unknown");
++ goto bad;
+ }
+ }
+ }
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2018-17100
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2018-17100:1.1.2.2
--- /dev/null Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2018-17100 Mon Oct 29 14:49:32 2018
@@ -0,0 +1,30 @@
+$NetBSD: patch-CVE-2018-17100,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+Patch for CVE-2018-17100 from upstream git repo
+
+--- tools/ppm2tiff.c.orig 2015-08-28 22:17:08.000000000 +0000
++++ tools/ppm2tiff.c 2018-10-09 17:20:10.068567016 +0000
+@@ -72,16 +72,17 @@
+ exit(-2);
+ }
+
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- tmsize_t bytes = m1 * m2;
+-
+- if (m1 && bytes / m1 != m2)
+- bytes = 0;
++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++ return 0;
+
+- return bytes;
+-}
++ return m1 * m2;
++}
+
+ int
+ main(int argc, char* argv[])
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2018-17101
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2018-17101:1.1.2.2
--- /dev/null Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2018-17101 Mon Oct 29 14:49:32 2018
@@ -0,0 +1,56 @@
+$NetBSD: patch-CVE-2018-17101,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+Patch for CVE-2018-17101 from upstream git repo
+
+--- tools/pal2rgb.c.orig 2015-08-28 22:17:08.000000000 +0000
++++ tools/pal2rgb.c
+@@ -391,7 +392,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
+ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+--- tools/tiff2bw.c.orig 2017-11-01 13:41:58.000000000 +0000
++++ tools/tiff2bw.c
+@@ -452,7 +452,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
+ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
Index: pkgsrc/graphics/tiff/patches/patch-CVE-2018-5784
diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-CVE-2018-5784:1.1.2.2
--- /dev/null Mon Oct 29 14:49:32 2018
+++ pkgsrc/graphics/tiff/patches/patch-CVE-2018-5784 Mon Oct 29 14:49:32 2018
@@ -0,0 +1,110 @@
+$NetBSD: patch-CVE-2018-5784,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for patch-CVE-2018-5784 from upstream git repo
+
+--- contrib/addtiffo/tif_overview.c.orig 2015-05-30 21:11:52.000000000 +0000
++++ contrib/addtiffo/tif_overview.c
+@@ -65,6 +65,8 @@
+ # define MAX(a,b) ((a>b) ? a : b)
+ #endif
+
++#define TIFF_DIR_MAX 65534
++
+ void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
+ int (*)(double,void*), void * );
+
+@@ -91,6 +93,9 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF,
+ {
+ toff_t nBaseDirOffset;
+ toff_t nOffset;
++ tdir_t iNumDir;
++
++
+
+ (void) bUseSubIFDs;
+
+@@ -147,7 +152,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF,
+ return 0;
+
+ TIFFWriteDirectory( hTIFF );
+- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
++ iNumDir = TIFFNumberOfDirectories(hTIFF);
++ if( iNumDir > TIFF_DIR_MAX )
++ {
++ TIFFErrorExt( TIFFClientdata(hTIFF),
++ "TIFF_WriteOverview",
++ "File `%s' has too many directories.\n",
++ TIFFFileName(hTIFF) );
++ exit(-1);
++ }
++ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
+
+ nOffset = TIFFCurrentDirOffset( hTIFF );
+
+--- tools/tiff2pdf.c.orig 2017-10-29 18:50:41.000000000 +0000
++++ tools/tiff2pdf.c
+@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
+
+ #define PS_UNIT_SIZE 72.0F
+
++#define TIFF_DIR_MAX 65534
++
+ /* This type is of PDF color spaces. */
+ typedef enum {
+ T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
+@@ -1047,10 +1049,18 @@ void t2p_read_tiff_init(T2P* t2p, TIFF*
+ uint16 pagen=0;
+ uint16 paged=0;
+ uint16 xuint16=0;
+ uint16 tiff_transferfunctioncount=0;
+ uint16* tiff_transferfunction[3];
+
+ directorycount=TIFFNumberOfDirectories(input);
++ if(directorycount > TIFF_DIR_MAX) {
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "TIFF contains too many directories, %s",
++ TIFFFileName(input));
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+ if(t2p->tiff_pages==NULL){
+ TIFFError(
+
+--- tools/tiffcrop.c.orig 2017-01-15 16:00:09.000000000 +0000
++++ tools/tiffcrop.c
+@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const
+ #define DUMP_TEXT 1
+ #define DUMP_RAW 2
+
++#define TIFF_DIR_MAX 65534
++
+ /* Offsets into buffer for margins and fixed width and length segments */
+ struct offset {
+ uint32 tmargin;
+@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
+ pageNum = -1;
+ else
+ total_images = 0;
+- /* read multiple input files and write to output file(s) */
++ /* Read multiple input files and write to output file(s) */
+ while (optind < argc - 1)
+ {
+ in = TIFFOpen (argv[optind], "r");
+@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
+ return (-3);
+
+ /* If only one input file is specified, we can use directory count */
+- total_images = TIFFNumberOfDirectories(in);
++ total_images = TIFFNumberOfDirectories(in);
++ if (total_images > TIFF_DIR_MAX)
++ {
++ TIFFError (TIFFFileName(in), "File contains too many directories");
++ if (out != NULL)
++ (void) TIFFClose(out);
++ return (1);
++ }
+ if (image_count == 0)
+ {
+ dirnum = 0;
Home |
Main Index |
Thread Index |
Old Index