pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2018Q3]: pkgsrc/graphics/tiff Pullup ticket #5867 - requested ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1b4a054faa5d
branches:  pkgsrc-2018Q3
changeset: 334113:1b4a054faa5d
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Mon Oct 29 14:49:32 2018 +0000

description:
Pullup ticket #5867 - requested by spz
graphics/tiff: security fix

Revisions pulled up:
- graphics/tiff/Makefile                                        1.143
- graphics/tiff/distinfo                                        1.92
- graphics/tiff/patches/patch-CVE-2017-11613                    1.1
- graphics/tiff/patches/patch-CVE-2017-18013                    1.1
- graphics/tiff/patches/patch-CVE-2018-10963                    1.1
- graphics/tiff/patches/patch-CVE-2018-17100                    1.1
- graphics/tiff/patches/patch-CVE-2018-17101                    1.1
- graphics/tiff/patches/patch-CVE-2018-5784                     1.1

---
   Module Name: pkgsrc
   Committed By:        spz
   Date:                Sun Oct 28 09:45:07 UTC 2018

   Modified Files:
        pkgsrc/graphics/tiff: Makefile distinfo
   Added Files:
        pkgsrc/graphics/tiff/patches: patch-CVE-2017-11613 patch-CVE-2017-18013
            patch-CVE-2018-10963 patch-CVE-2018-17100 patch-CVE-2018-17101
            patch-CVE-2018-5784

   Log Message:
   patches from upstream for
   CVE-2017-11613 CVE-2017-18013 CVE-2018-5784 CVE-2018-10963
   CVE-2018-17100 CVE-2018-17101

diffstat:

 graphics/tiff/Makefile                     |    4 +-
 graphics/tiff/distinfo                     |    8 +-
 graphics/tiff/patches/patch-CVE-2017-11613 |  113 +++++++++++++++++++++++++++++
 graphics/tiff/patches/patch-CVE-2017-18013 |   24 ++++++
 graphics/tiff/patches/patch-CVE-2018-10963 |   20 +++++
 graphics/tiff/patches/patch-CVE-2018-17100 |   30 +++++++
 graphics/tiff/patches/patch-CVE-2018-17101 |   56 ++++++++++++++
 graphics/tiff/patches/patch-CVE-2018-5784  |  110 ++++++++++++++++++++++++++++
 8 files changed, 362 insertions(+), 3 deletions(-)

diffs (truncated from 411 to 300 lines):

diff -r d0b26099c77b -r 1b4a054faa5d graphics/tiff/Makefile
--- a/graphics/tiff/Makefile    Mon Oct 29 14:37:32 2018 +0000
+++ b/graphics/tiff/Makefile    Mon Oct 29 14:49:32 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.141.4.1 2018/10/26 07:02:55 spz Exp $
+# $NetBSD: Makefile,v 1.141.4.2 2018/10/29 14:49:32 bsiegert Exp $
 
 DISTNAME=      tiff-4.0.9
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://download.osgeo.org/libtiff/
 
diff -r d0b26099c77b -r 1b4a054faa5d graphics/tiff/distinfo
--- a/graphics/tiff/distinfo    Mon Oct 29 14:37:32 2018 +0000
+++ b/graphics/tiff/distinfo    Mon Oct 29 14:49:32 2018 +0000
@@ -1,10 +1,16 @@
-$NetBSD: distinfo,v 1.90.4.1 2018/10/26 07:02:55 spz Exp $
+$NetBSD: distinfo,v 1.90.4.2 2018/10/29 14:49:32 bsiegert Exp $
 
 SHA1 (tiff-4.0.9.tar.gz) = 87d4543579176cc568668617c22baceccd568296
 RMD160 (tiff-4.0.9.tar.gz) = ab5b3b7297e79344775b1e70c4d54c90c06836a3
 SHA512 (tiff-4.0.9.tar.gz) = 04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd
 Size (tiff-4.0.9.tar.gz) = 2305681 bytes
+SHA1 (patch-CVE-2017-11613) = 76db7d185ef5b82e7136ce451432e3e4b0cc5c12
+SHA1 (patch-CVE-2017-18013) = ebfdfb964aeafb3d8af2f7ad151270d8133f3e96
 SHA1 (patch-CVE-2017-9935) = d33f3311e5bb96bf415f894237ab4dfcfafd2610
+SHA1 (patch-CVE-2018-10963) = 564b65546c0e63a00d87ef9bb9d9cc8c5ca5a4ee
+SHA1 (patch-CVE-2018-17100) = 85290ca7d806087e640b1a6f5c3de5dda9c2060e
+SHA1 (patch-CVE-2018-17101) = 02039854f7c79d5937d585ca3e6355a7f41b7d1a
+SHA1 (patch-CVE-2018-5784) = 26e2c196b4150958dd37b33c1900c5baa6188661
 SHA1 (patch-CVE-2018-8905) = 3a7081957ff2f4d6e777df5a9609ba89eecd8fbc
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
 SHA1 (patch-libtiff_tif__jbig.c) = feb404c5c70c0f4f10fa53351fab4db163bbccf3
diff -r d0b26099c77b -r 1b4a054faa5d graphics/tiff/patches/patch-CVE-2017-11613
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2017-11613        Mon Oct 29 14:49:32 2018 +0000
@@ -0,0 +1,113 @@
+$NetBSD: patch-CVE-2017-11613,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for CVE-2017-11613 taken from upstream git repo
+
+--- libtiff/tif_dirread.c.orig 2017-09-16 19:07:56.000000000 +0000
++++ libtiff/tif_dirread.c
+@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
++static int _TIFFGetMaxColorChannels(uint16 photometric);
+ 
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
+ 
+@@ -3507,6 +3508,35 @@ static void TIFFReadDirEntryOutputErr(TI
+ }
+ 
+ /*
++ * Return the maximum number of color channels specified for a given photometric
++ * type. 0 is returned if photometric type isn't supported or no default value
++ * is defined by the specification.
++ */
++static int _TIFFGetMaxColorChannels( uint16 photometric )
++{
++    switch (photometric) {
++      case PHOTOMETRIC_PALETTE:
++      case PHOTOMETRIC_MINISWHITE:
++      case PHOTOMETRIC_MINISBLACK:
++          return 1;
++      case PHOTOMETRIC_YCBCR:
++      case PHOTOMETRIC_RGB:
++      case PHOTOMETRIC_CIELAB:
++          return 3;
++      case PHOTOMETRIC_SEPARATED:
++      case PHOTOMETRIC_MASK:
++          return 4;
++      case PHOTOMETRIC_LOGL:
++      case PHOTOMETRIC_LOGLUV:
++      case PHOTOMETRIC_CFA:
++      case PHOTOMETRIC_ITULAB:
++      case PHOTOMETRIC_ICCLAB:
++      default:
++          return 0;
++    }
++}
++      
++/*
+  * Read the next TIFF directory from a file and convert it to the internal
+  * format. We read directories sequentially.
+  */
+@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
+       uint32 fii=FAILED_FII;
+         toff_t nextdiroff;
+     int bitspersample_read = FALSE;
++      int color_channels;
+ 
+       tif->tif_diroff=tif->tif_nextdiroff;
+       if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
+                       }
+               }
+       }
++
++      /*
++       * Make sure all non-color channels are extrasamples.
++       * If it's not the case, define them as such.
++       */
++      color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
++      if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
++              uint16 old_extrasamples;
++              uint16 *new_sampleinfo;
++
++              TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
++                  "color channels and ExtraSamples doesn't match SamplesPerPixel. "
++                  "Defining non-color channels as ExtraSamples.");
++
++              old_extrasamples = tif->tif_dir.td_extrasamples;
++              tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
++
++              // sampleinfo should contain information relative to these new extra samples
++              new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
++              if (!new_sampleinfo) {
++                  TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
++                              "temporary new sampleinfo array (%d 16 bit elements)",
++                              tif->tif_dir.td_extrasamples);
++                  goto bad;
++              }
++
++              memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++              _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
++              _TIFFfree(new_sampleinfo);
++      }
++
+       /*
+        * Verify Palette image has a Colormap.
+        */
+@@ -5698,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+         if( nstrips == 0 )
+             return;
+ 
++        /* If we are going to allocate a lot of memory, make sure that the */
++      /* file is as big as needed */
++      if( tif->tif_mode == O_RDONLY &&
++          nstrips > 1000000 &&
++          (offset >= TIFFGetFileSize(tif) ||
++           stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
++      {
++          return;
++      }
++
+       newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+                               "for chopped \"StripByteCounts\" array");
+       newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
diff -r d0b26099c77b -r 1b4a054faa5d graphics/tiff/patches/patch-CVE-2017-18013
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2017-18013        Mon Oct 29 14:49:32 2018 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-CVE-2017-18013,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for patch-CVE-2017-18013 from upstream git repo
+
+--- libtiff/tif_print.c.orig   2016-11-25 17:26:23.000000000 +0000
++++ libtiff/tif_print.c        2018-10-09 17:35:21.544815948 +0000
+@@ -667,13 +667,13 @@
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                       fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
+                           (unsigned long) s,
+-                          (unsigned __int64) td->td_stripoffset[s],
+-                          (unsigned __int64) td->td_stripbytecount[s]);
++                          td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++                          td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+                       fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
+                           (unsigned long) s,
+-                          (unsigned long long) td->td_stripoffset[s],
+-                          (unsigned long long) td->td_stripbytecount[s]);
++                          td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++                          td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+       }
+ }
diff -r d0b26099c77b -r 1b4a054faa5d graphics/tiff/patches/patch-CVE-2018-10963
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-10963        Mon Oct 29 14:49:32 2018 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2018-10963,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+patch for CVE-2018-10963 from upstream git repo
+
+--- libtiff/tif_dirwrite.c.orig        2017-08-29 13:39:48.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isi
+                                                               }
+                                                               break;
+                                                       default:
+-                                                              assert(0);   /* we should never get here */
+-                                                              break;
++                                                              TIFFErrorExt(tif->tif_clientdata,module,
++                                                              "Cannot write tag %d (%s)",
++                                                              TIFFFieldTag(o),
++                                                              o->field_name ? o->field_name : "unknown");
++                                                                                                                                              goto bad;
+                                               }
+                                       }
+                               }
diff -r d0b26099c77b -r 1b4a054faa5d graphics/tiff/patches/patch-CVE-2018-17100
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-17100        Mon Oct 29 14:49:32 2018 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-CVE-2018-17100,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+Patch for CVE-2018-17100 from upstream git repo
+
+--- tools/ppm2tiff.c.orig      2015-08-28 22:17:08.000000000 +0000
++++ tools/ppm2tiff.c   2018-10-09 17:20:10.068567016 +0000
+@@ -72,16 +72,17 @@
+       exit(-2);
+ }
+ 
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+-      tmsize_t bytes = m1 * m2;
+-
+-      if (m1 && bytes / m1 != m2)
+-              bytes = 0;
++      if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++          return 0;
+ 
+-      return bytes;
+-}
++      return m1 * m2;
++}  
+ 
+ int
+ main(int argc, char* argv[])
diff -r d0b26099c77b -r 1b4a054faa5d graphics/tiff/patches/patch-CVE-2018-17101
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-17101        Mon Oct 29 14:49:32 2018 +0000
@@ -0,0 +1,56 @@
+$NetBSD: patch-CVE-2018-17101,v 1.1.2.2 2018/10/29 14:49:32 bsiegert Exp $
+
+Patch for CVE-2018-17101 from upstream git repo
+
+--- tools/pal2rgb.c.orig       2015-08-28 22:17:08.000000000 +0000
++++ tools/pal2rgb.c
+@@ -391,7 +392,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+     struct cpTag *p;
+     for (p = tags; p < &tags[NTAGS]; p++)
++    {
++      if( p->tag == TIFFTAG_GROUP3OPTIONS )
++      {
++          uint16 compression;
++          if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                  compression != COMPRESSION_CCITTFAX3 )
++              continue;
++      }
++      if( p->tag == TIFFTAG_GROUP4OPTIONS )
++      {
++          uint16 compression;
++          if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                  compression != COMPRESSION_CCITTFAX4 )
++              continue;
++      }
+       cpTag(in, out, p->tag, p->count, p->type);
++    }
+ }
+ #undef NTAGS
+ 
+--- tools/tiff2bw.c.orig       2017-11-01 13:41:58.000000000 +0000
++++ tools/tiff2bw.c
+@@ -452,7 +452,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+     struct cpTag *p;
+     for (p = tags; p < &tags[NTAGS]; p++)
++    {
++        if( p->tag == TIFFTAG_GROUP3OPTIONS )
++      {
++          uint16 compression;
++          if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                  compression != COMPRESSION_CCITTFAX3 )
++              continue;
++      }
++      if( p->tag == TIFFTAG_GROUP4OPTIONS )
++      {
++          uint16 compression;
++          if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                  compression != COMPRESSION_CCITTFAX4 )
++              continue;
++      }
+       cpTag(in, out, p->tag, p->count, p->type);
++    }
+ }
+ #undef NTAGS
+ 
diff -r d0b26099c77b -r 1b4a054faa5d graphics/tiff/patches/patch-CVE-2018-5784
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-CVE-2018-5784 Mon Oct 29 14:49:32 2018 +0000



Home | Main Index | Thread Index | Old Index