[pkgsrc/pkgsrc-2017Q1]: pkgsrc/graphics/tiff Pullup ticket #5404 - requested ...

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/pkgsrc-2017Q1]: pkgsrc/graphics/tiff Pullup ticket #5404 - requested ...
From: bsiegert <bsiegert%pkgsrc.org@localhost>
Date: Wed, 15 Jan 2020 06:55:29 +0000
details:   https://anonhg.NetBSD.org/pkgsrc/rev/3d09c51654af
branches:  pkgsrc-2017Q1
changeset: 360355:3d09c51654af
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sat May 06 15:08:52 2017 +0000

description:
Pullup ticket #5404 - requested by sevan
graphics/tiff: security fix

Revisions pulled up:
- graphics/tiff/Makefile                                        1.127-1.129
- graphics/tiff/distinfo                                        1.73-1.75
- graphics/tiff/patches/patch-libtiff_tif_dir.c                 1.1
- graphics/tiff/patches/patch-libtiff_tif_dirread.c             1.2
- graphics/tiff/patches/patch-libtiff_tif_dirwrite.c            1.1
- graphics/tiff/patches/patch-tools_tiffcp.c                    1.2
- graphics/tiff/patches/patch-tools_tiffcrop.c                  1.1-1.2

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Fri May  5 19:16:58 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-tools_tiffcrop.c

   Log Message:
   Apply fix from upstream to fix CVE-2016-10092, ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2620 and
   https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Fri May  5 19:28:23 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: distinfo

   Log Message:
   Forgot "make mps", this one belongs to the previous update, 4.0.7nb3.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Fri May  5 20:06:03 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-tools_tiffcp.c

   Log Message:
   Apply fix for CVE-2016-10093
   http://bugzilla.maptools.org/show_bug.cgi?id=2610
   https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   sevan
   Date:           Fri May  5 20:14:05 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif_dirread.c
               patch-tools_tiffcrop.c
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif_dir.c
               patch-libtiff_tif_dirwrite.c

   Log Message:
   CVE-2017-7596
   CVE-2017-7597
   CVE-2017-7599
   CVE-2017-7600
   https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
   Dependency for applying advisory patch.
   +http://bugzilla.maptools.org/show_bug.cgi?id=2535
   +https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
   Bump rev.

diffstat:

 graphics/tiff/Makefile                             |    4 +-
 graphics/tiff/distinfo                             |    9 +-
 graphics/tiff/patches/patch-libtiff_tif_dir.c      |   63 ++++++
 graphics/tiff/patches/patch-libtiff_tif_dirread.c  |   37 +++-
 graphics/tiff/patches/patch-libtiff_tif_dirwrite.c |  192 +++++++++++++++++++++
 graphics/tiff/patches/patch-tools_tiffcp.c         |   35 +++-
 graphics/tiff/patches/patch-tools_tiffcrop.c       |   28 +++
 7 files changed, 358 insertions(+), 10 deletions(-)

diffs (truncated from 446 to 300 lines):

diff -r e19c8ef34cf0 -r 3d09c51654af graphics/tiff/Makefile
--- a/graphics/tiff/Makefile    Sat May 06 15:01:21 2017 +0000
+++ b/graphics/tiff/Makefile    Sat May 06 15:08:52 2017 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.125.4.1 2017/05/06 15:01:21 bsiegert Exp $
+# $NetBSD: Makefile,v 1.125.4.2 2017/05/06 15:08:52 bsiegert Exp $
 
 DISTNAME=      tiff-4.0.7
-PKGREVISION=   2
+PKGREVISION=   5
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://download.osgeo.org/libtiff/
 
diff -r e19c8ef34cf0 -r 3d09c51654af graphics/tiff/distinfo
--- a/graphics/tiff/distinfo    Sat May 06 15:01:21 2017 +0000
+++ b/graphics/tiff/distinfo    Sat May 06 15:08:52 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.71.4.1 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: distinfo,v 1.71.4.2 2017/05/06 15:08:52 bsiegert Exp $
 
 SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648
 RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb
@@ -6,7 +6,9 @@
 Size (tiff-4.0.7.tar.gz) = 2076392 bytes
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
 SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d
-SHA1 (patch-libtiff_tif_dirread.c) = 5c92e2c65a5d95f444f039955ee1afbafeccf5db
+SHA1 (patch-libtiff_tif_dir.c) = 28c45b95cedeebe005b44b45393d66f61e0ea6f7
+SHA1 (patch-libtiff_tif_dirread.c) = 213b8c2f172303d095ef3edc3f850aa75de36d3d
+SHA1 (patch-libtiff_tif_dirwrite.c) = 07ccbf8cf210b95d5ca7710cc2982368783b4dcb
 SHA1 (patch-libtiff_tif_getimage.c) = 267b555c8b043d0a835db4d46ef65131776601e6
 SHA1 (patch-libtiff_tif_jpeg.c) = 1049b7b243e9e145886bcac8e68e5e7889337ebc
 SHA1 (patch-libtiff_tif_ojpeg.c) = 6447168e952bb80a1a8272c2c27bb0ce3ccf6939
@@ -15,4 +17,5 @@
 SHA1 (patch-libtiff_tif_win32.c) = 1ea9dcb6618c40b9de3e8d2a81914355f2111fdc
 SHA1 (patch-libtiff_tiffio.h) = e0efa9e1246e07dbb3a69d626988a18f12ba9d3c
 SHA1 (patch-man_Makefile.in) = ff073529c9d3ab98a03efa7d98c3263c1782482f
-SHA1 (patch-tools_tiffcp.c) = fa4846cfb5a52eedfb6dc4ed1306f45e3988ddc3
+SHA1 (patch-tools_tiffcp.c) = 42573d15fc66655a09e9227213b0929238f7e651
+SHA1 (patch-tools_tiffcrop.c) = 1d729028fb8c05de958424234d5cc2808acc9b25
diff -r e19c8ef34cf0 -r 3d09c51654af graphics/tiff/patches/patch-libtiff_tif_dir.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_dir.c     Sat May 06 15:08:52 2017 +0000
@@ -0,0 +1,63 @@
+$NetBSD: patch-libtiff_tif_dir.c,v 1.1.2.2 2017/05/06 15:08:52 bsiegert Exp $
+
+CVE-2017-7596
+CVE-2017-7597
+CVE-2017-7599
+CVE-2017-7600
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
+
+--- libtiff/tif_dir.c.orig     2016-10-29 23:03:18.000000000 +0000
++++ libtiff/tif_dir.c
+@@ -31,6 +31,7 @@
+  * (and also some miscellaneous stuff)
+  */
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ /*
+  * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@ bad:
+       return (0);
+ }
+ 
++static float TIFFClampDoubleToFloat( double val )
++{
++    if( val > FLT_MAX )
++        return FLT_MAX;
++    if( val < -FLT_MAX )
++        return -FLT_MAX;
++    return (float)val;
++}
++
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -312,13 +322,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+         dblval = va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-              td->td_xresolution = (float) dblval;
++              td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+               break;
+       case TIFFTAG_YRESOLUTION:
+         dblval = va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-              td->td_yresolution = (float) dblval;
++              td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+               break;
+       case TIFFTAG_PLANARCONFIG:
+               v = (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+               td->td_planarconfig = (uint16) v;
+               break;
+       case TIFFTAG_XPOSITION:
+-              td->td_xposition = (float) va_arg(ap, double);
++              td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+               break;
+       case TIFFTAG_YPOSITION:
+-              td->td_yposition = (float) va_arg(ap, double);
++              td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+               break;
+       case TIFFTAG_RESOLUTIONUNIT:
+               v = (uint16) va_arg(ap, uint16_vap);
diff -r e19c8ef34cf0 -r 3d09c51654af graphics/tiff/patches/patch-libtiff_tif_dirread.c
--- a/graphics/tiff/patches/patch-libtiff_tif_dirread.c Sat May 06 15:01:21 2017 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_dirread.c Sat May 06 15:08:52 2017 +0000
@@ -1,11 +1,40 @@
-$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.2 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $
 
+CVE-2017-7596
+CVE-2017-7597
 CVE-2017-7598
+CVE-2017-7599
+CVE-2017-7600
 https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
 
---- libtiff/tif_dirread.c.orig 2016-11-18 02:42:46.000000000 +0000
+--- libtiff/tif_dirread.c.orig 2017-05-05 18:56:15.000000000 +0000
 +++ libtiff/tif_dirread.c
-@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+@@ -40,6 +40,7 @@
+  */
+ 
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ #define IGNORE 0          /* tag placeholder used below */
+ #define FAILED_FII    ((uint32) -1)
+@@ -2406,7 +2407,14 @@ static enum TIFFReadDirEntryErr TIFFRead
+                               ma=(double*)origdata;
+                               mb=data;
+                               for (n=0; n<count; n++)
+-                                      *mb++=(float)(*ma++);
++                                {
++                                    double val = *ma++;
++                                    if( val > FLT_MAX )
++                                        val = FLT_MAX;
++                                    else if( val < -FLT_MAX )
++                                        val = -FLT_MAX;
++                                    *mb++=(float)val;
++                                }
+                       }
+                       break;
+       }
+@@ -2872,7 +2880,10 @@ static enum TIFFReadDirEntryErr TIFFRead
                m.l = direntry->tdir_offset.toff_long8;
        if (tif->tif_flags&TIFF_SWAB)
                TIFFSwabArrayOfLong(m.i,2);
@@ -17,7 +46,7 @@
                *value=0.0;
        else
                *value=(double)m.i[0]/(double)m.i[1];
-@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+@@ -2900,7 +2911,10 @@ static enum TIFFReadDirEntryErr TIFFRead
                m.l=direntry->tdir_offset.toff_long8;
        if (tif->tif_flags&TIFF_SWAB)
                TIFFSwabArrayOfLong(m.i,2);
diff -r e19c8ef34cf0 -r 3d09c51654af graphics/tiff/patches/patch-libtiff_tif_dirwrite.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c        Sat May 06 15:08:52 2017 +0000
@@ -0,0 +1,192 @@
+$NetBSD: patch-libtiff_tif_dirwrite.c,v 1.1.2.2 2017/05/06 15:08:52 bsiegert Exp $
+
+Dependency for applying advisory patch below without creating a variant.
+http://bugzilla.maptools.org/show_bug.cgi?id=2535
+https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
+
+CVE-2017-7596
+CVE-2017-7597
+CVE-2017-7599
+CVE-2017-7600
+https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
+
+--- libtiff/tif_dirwrite.c.orig        2017-05-05 18:56:07.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -30,6 +30,7 @@
+  * Directory Write Support Routines.
+  */
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@ bad:
+       return(0);
+ }
+ 
++static float TIFFClampDoubleToFloat( double val )
++{
++    if( val > FLT_MAX )
++        return FLT_MAX;
++    if( val < -FLT_MAX )
++        return -FLT_MAX;
++    return (float)val;
++}
++
++static int8 TIFFClampDoubleToInt8( double val )
++{
++    if( val > 127 )
++        return 127;
++    if( val < -128 || val != val )
++        return -128;
++    return (int8)val;
++}
++
++static int16 TIFFClampDoubleToInt16( double val )
++{
++    if( val > 32767 )
++        return 32767;
++    if( val < -32768 || val != val )
++        return -32768;
++    return (int16)val;
++}
++
++static int32 TIFFClampDoubleToInt32( double val )
++{
++    if( val > 0x7FFFFFFF )
++        return 0x7FFFFFFF;
++    if( val < -0x7FFFFFFF-1 || val != val )
++        return -0x7FFFFFFF-1;
++    return (int32)val;
++}
++
++static uint8 TIFFClampDoubleToUInt8( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 255 || val != val )
++        return 255;
++    return (uint8)val;
++}
++
++static uint16 TIFFClampDoubleToUInt16( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 65535 || val != val )
++        return 65535;
++    return (uint16)val;
++}
++
++static uint32 TIFFClampDoubleToUInt32( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 0xFFFFFFFFU || val != val )
++        return 0xFFFFFFFFU;
++    return (uint32)val;
++}
++
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
+ {
+@@ -959,7 +1023,7 @@ TIFFWriteDirectoryTagSampleformatArray(T
+                       if (tif->tif_dir.td_bitspersample<=32)
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((float*)conv)[i] = (float)value[i];
++                                      ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+                               ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+                       }
+                       else
+@@ -971,19 +1035,19 @@ TIFFWriteDirectoryTagSampleformatArray(T
+                       if (tif->tif_dir.td_bitspersample<=8)
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((int8*)conv)[i] = (int8)value[i];
++                                      ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
+                               ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
+                       }
+                       else if (tif->tif_dir.td_bitspersample<=16)
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((int16*)conv)[i] = (int16)value[i];
++                                      ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
+                               ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
+                       }
+                       else
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((int32*)conv)[i] = (int32)value[i];
++                                      ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
+                               ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
+                       }
+                       break;
+@@ -991,19 +1055,19 @@ TIFFWriteDirectoryTagSampleformatArray(T
+                       if (tif->tif_dir.td_bitspersample<=8)
+                       {
+                               for (i = 0; i < count; ++i)
+-                                      ((uint8*)conv)[i] = (uint8)value[i];
++                                      ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
+                               ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
+                       }
+                       else if (tif->tif_dir.td_bitspersample<=16)
Prev by Date: [pkgsrc/pkgsrc-2017Q1]: pkgsrc/graphics/tiff Pullup ticket #5399 - requested ...
Next by Date: [pkgsrc/pkgsrc-2017Q1]: pkgsrc/textproc/mdoclint/files Pullup ticket #5394 - ...
Previous by Thread: [pkgsrc/pkgsrc-2017Q1]: pkgsrc/graphics/tiff Pullup ticket #5399 - requested ...
Next by Thread: [pkgsrc/pkgsrc-2017Q1]: pkgsrc/textproc/mdoclint/files Pullup ticket #5394 - ...
Indexes:
Home | Main Index | Thread Index | Old Index