pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2018Q3]: pkgsrc/graphics/tiff Pullup ticket #5867 - requested ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/310b55b5c6e2
branches: pkgsrc-2018Q3
changeset: 314496:310b55b5c6e2
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Mon Oct 29 14:49:32 2018 +0000
description:
Pullup ticket #5867 - requested by spz
graphics/tiff: security fix
Revisions pulled up:
- graphics/tiff/Makefile 1.143
- graphics/tiff/distinfo 1.92
- graphics/tiff/patches/patch-CVE-2017-11613 1.1
- graphics/tiff/patches/patch-CVE-2017-18013 1.1
- graphics/tiff/patches/patch-CVE-2018-10963 1.1
- graphics/tiff/patches/patch-CVE-2018-17100 1.1
- graphics/tiff/patches/patch-CVE-2018-17101 1.1
- graphics/tiff/patches/patch-CVE-2018-5784 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Sun Oct 28 09:45:07 UTC 2018
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
Added Files:
pkgsrc/graphics/tiff/patches: patch-CVE-2017-11613 patch-CVE-2017-18013
patch-CVE-2018-10963 patch-CVE-2018-17100 patch-CVE-2018-17101
patch-CVE-2018-5784
Log Message:
patches from upstream for
CVE-2017-11613 CVE-2017-18013 CVE-2018-5784 CVE-2018-10963
CVE-2018-17100 CVE-2018-17101
diffstat:
graphics/tiff/Makefile | 4 +-
graphics/tiff/distinfo | 8 +-
graphics/tiff/patches/patch-CVE-2017-11613 | 113 +++++++++++++++++++++++++++++
graphics/tiff/patches/patch-CVE-2017-18013 | 24 ++++++
graphics/tiff/patches/patch-CVE-2018-10963 | 20 +++++
graphics/tiff/patches/patch-CVE-2018-17100 | 30 +++++++
graphics/tiff/patches/patch-CVE-2018-17101 | 56 ++++++++++++++
graphics/tiff/patches/patch-CVE-2018-5784 | 110 ++++++++++++++++++++++++++++
8 files changed, 362 insertions(+), 3 deletions(-)
diffs (truncated from 411 to 300 lines):
diff -r 6d68286e711c -r 310b55b5c6e2 graphics/tiff/Makefile
--- a/graphics/tiff/Makefile Mon Oct 29 14:37:32 2018 +0000
+++ b/graphics/tiff/Makefile Mon Oct 29 14:49:32 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.141.4.1 2018/10/26 07:02:55 spz Exp $
+# $NetBSD: Makefile,v 1.141.4.2 2018/10/29 14:49:32 bsiegert Exp $
DISTNAME= tiff-4.0.9
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= graphics
MASTER_SITES= ftp://download.osgeo.org/libtiff/
diff -r 6d68286e711c -r 310b55b5c6e2 graphics/tiff/distinfo
--- a/graphics/tiff/distinfo Mon Oct 29 14:37:32 2018 +0000
+++ b/graphics/tiff/distinfo Mon Oct 29 14:49:32 2018 +0000
@@ -1,10 +1,16 @@
-$NetBSD: distinfo,v 1.90.4.1 2018/10/26 07:02:55 spz Exp $
+$NetBSD: distinfo,v 1.90.4.2 2018/10/29 14:49:32 bsiegert Exp $
SHA1 (tiff-4.0.9.tar.gz) = 87d4543579176cc568668617c22baceccd568296
RMD160 (tiff-4.0.9.tar.gz) = ab5b3b7297e79344775b1e70c4d54c90c06836a3
SHA512 (tiff-4.0.9.tar.gz) = 04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd
Size (tiff-4.0.9.tar.gz) = 2305681 bytes
+SHA1 (patch-CVE-2017-11613) = 76db7d185ef5b82e7136ce451432e3e4b0cc5c12
+SHA1 (patch-CVE-2017-18013) = ebfdfb964aeafb3d8af2f7ad151270d8133f3e96
SHA1 (patch-CVE-2017-9935) = d33f3311e5bb96bf415f894237ab4dfcfafd2610
+SHA1 (patch-CVE-2018-10963) = 564b65546c0e63a00d87ef9bb9d9cc8c5ca5a4ee
+SHA1 (patch-CVE-2018-17100) = 85290ca7d806087e640b1a6f5c3de5dda9c2060e
+SHA1 (patch-CVE-2018-17101) = 02039854f7c79d5937d585ca3e6355a7f41b7d1a
+SHA1 (patch-CVE-2018-5784) = 26e2c196b4150958dd37b33c1900c5baa6188661
SHA1 (patch-CVE-2018-8905) = 3a7081957ff2f4d6e777df5a9609ba89eecd8fbc
SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
SHA1 (patch-libtiff_tif__jbig.c) = feb404c5c70c0f4f10fa53351fab4db163bbccf3
diff -r 6d68286e711c -r 310b55b5c6e2 graphics/tiff/patches/patch-CVE-2017-11613
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2017-11613 Mon Oct 29 14:49:32 2018 +0000
@@ -0,0 +1,113 @@
+$NetBSD: patch-CVE-2017-11613,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for CVE-2017-11613 taken from upstream git repo
+
+--- libtiff/tif_dirread.c.orig 2017-09-16 19:07:56.000000000 +0000
++++ libtiff/tif_dirread.c
+@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
++static int _TIFFGetMaxColorChannels(uint16 photometric);
+
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
+
+@@ -3507,6 +3508,35 @@ static void TIFFReadDirEntryOutputErr(TI
+ }
+
+ /*
++ * Return the maximum number of color channels specified for a given photometric
++ * type. 0 is returned if photometric type isn't supported or no default value
++ * is defined by the specification.
++ */
++static int _TIFFGetMaxColorChannels( uint16 photometric )
++{
++ switch (photometric) {
++ case PHOTOMETRIC_PALETTE:
++ case PHOTOMETRIC_MINISWHITE:
++ case PHOTOMETRIC_MINISBLACK:
++ return 1;
++ case PHOTOMETRIC_YCBCR:
++ case PHOTOMETRIC_RGB:
++ case PHOTOMETRIC_CIELAB:
++ return 3;
++ case PHOTOMETRIC_SEPARATED:
++ case PHOTOMETRIC_MASK:
++ return 4;
++ case PHOTOMETRIC_LOGL:
++ case PHOTOMETRIC_LOGLUV:
++ case PHOTOMETRIC_CFA:
++ case PHOTOMETRIC_ITULAB:
++ case PHOTOMETRIC_ICCLAB:
++ default:
++ return 0;
++ }
++}
++
++/*
+ * Read the next TIFF directory from a file and convert it to the internal
+ * format. We read directories sequentially.
+ */
+@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
+ uint32 fii=FAILED_FII;
+ toff_t nextdiroff;
+ int bitspersample_read = FALSE;
++ int color_channels;
+
+ tif->tif_diroff=tif->tif_nextdiroff;
+ if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
+ }
+ }
+ }
++
++ /*
++ * Make sure all non-color channels are extrasamples.
++ * If it's not the case, define them as such.
++ */
++ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
++ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
++ uint16 old_extrasamples;
++ uint16 *new_sampleinfo;
++
++ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
++ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
++ "Defining non-color channels as ExtraSamples.");
++
++ old_extrasamples = tif->tif_dir.td_extrasamples;
++ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
++
++ // sampleinfo should contain information relative to these new extra samples
++ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
++ if (!new_sampleinfo) {
++ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
++ "temporary new sampleinfo array (%d 16 bit elements)",
++ tif->tif_dir.td_extrasamples);
++ goto bad;
++ }
++
++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
++ _TIFFfree(new_sampleinfo);
++ }
++
+ /*
+ * Verify Palette image has a Colormap.
+ */
+@@ -5698,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ if( nstrips == 0 )
+ return;
+
++ /* If we are going to allocate a lot of memory, make sure that the */
++ /* file is as big as needed */
++ if( tif->tif_mode == O_RDONLY &&
++ nstrips > 1000000 &&
++ (offset >= TIFFGetFileSize(tif) ||
++ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
++ {
++ return;
++ }
++
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
diff -r 6d68286e711c -r 310b55b5c6e2 graphics/tiff/patches/patch-CVE-2017-18013
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2017-18013 Mon Oct 29 14:49:32 2018 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-CVE-2017-18013,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for patch-CVE-2017-18013 from upstream git repo
+
+--- libtiff/tif_print.c.orig 2016-11-25 17:26:23.000000000 +0000
++++ libtiff/tif_print.c 2018-10-09 17:35:21.544815948 +0000
+@@ -667,13 +667,13 @@
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
+ (unsigned long) s,
+- (unsigned __int64) td->td_stripoffset[s],
+- (unsigned __int64) td->td_stripbytecount[s]);
++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+ fprintf(fd, " %3lu: [%8llu, %8llu]\n",
+ (unsigned long) s,
+- (unsigned long long) td->td_stripoffset[s],
+- (unsigned long long) td->td_stripbytecount[s]);
++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+ }
+ }
diff -r 6d68286e711c -r 310b55b5c6e2 graphics/tiff/patches/patch-CVE-2018-10963
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-10963 Mon Oct 29 14:49:32 2018 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2018-10963,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for CVE-2018-10963 from upstream git repo
+
+--- libtiff/tif_dirwrite.c.orig 2017-08-29 13:39:48.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isi
+ }
+ break;
+ default:
+- assert(0); /* we should never get here */
+- break;
++ TIFFErrorExt(tif->tif_clientdata,module,
++ "Cannot write tag %d (%s)",
++ TIFFFieldTag(o),
++ o->field_name ? o->field_name : "unknown");
++ goto bad;
+ }
+ }
+ }
diff -r 6d68286e711c -r 310b55b5c6e2 graphics/tiff/patches/patch-CVE-2018-17100
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-17100 Mon Oct 29 14:49:32 2018 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-CVE-2018-17100,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+Patch for CVE-2018-17100 from upstream git repo
+
+--- tools/ppm2tiff.c.orig 2015-08-28 22:17:08.000000000 +0000
++++ tools/ppm2tiff.c 2018-10-09 17:20:10.068567016 +0000
+@@ -72,16 +72,17 @@
+ exit(-2);
+ }
+
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- tmsize_t bytes = m1 * m2;
+-
+- if (m1 && bytes / m1 != m2)
+- bytes = 0;
++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++ return 0;
+
+- return bytes;
+-}
++ return m1 * m2;
++}
+
+ int
+ main(int argc, char* argv[])
diff -r 6d68286e711c -r 310b55b5c6e2 graphics/tiff/patches/patch-CVE-2018-17101
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-17101 Mon Oct 29 14:49:32 2018 +0000
@@ -0,0 +1,56 @@
+$NetBSD: patch-CVE-2018-17101,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+Patch for CVE-2018-17101 from upstream git repo
+
+--- tools/pal2rgb.c.orig 2015-08-28 22:17:08.000000000 +0000
++++ tools/pal2rgb.c
+@@ -391,7 +392,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
+ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+--- tools/tiff2bw.c.orig 2017-11-01 13:41:58.000000000 +0000
++++ tools/tiff2bw.c
+@@ -452,7 +452,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
+ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
diff -r 6d68286e711c -r 310b55b5c6e2 graphics/tiff/patches/patch-CVE-2018-5784
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-5784 Mon Oct 29 14:49:32 2018 +0000
Home |
Main Index |
Thread Index |
Old Index