pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2017Q1]: pkgsrc/graphics/tiff Pullup ticket #5399 - requested ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/e19c8ef34cf0
branches:  pkgsrc-2017Q1
changeset: 360354:e19c8ef34cf0
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sat May 06 15:01:21 2017 +0000

description:
Pullup ticket #5399 - requested by sevan
graphics/tiff: security fix

Revisions pulled up:
- graphics/tiff/Makefile                                        1.126
- graphics/tiff/distinfo                                        1.72
- graphics/tiff/patches/patch-libtiff_tif_dirread.c             1.1
- graphics/tiff/patches/patch-libtiff_tif_getimage.c            1.1
- graphics/tiff/patches/patch-libtiff_tif_jpeg.c                1.1
- graphics/tiff/patches/patch-libtiff_tif_ojpeg.c               1.1
- graphics/tiff/patches/patch-libtiff_tif_read.c                1.1
- graphics/tiff/patches/patch-libtiff_tif_unix.c                1.1
- graphics/tiff/patches/patch-libtiff_tif_win32.c               1.1
- graphics/tiff/patches/patch-libtiff_tiffio.h                  1.1
- graphics/tiff/patches/patch-tools_tiffcp.c                    1.1

---
   Module Name:    pkgsrc
   Committed By:   sevan
   Date:           Wed May  3 23:00:59 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif_dirread.c
               patch-libtiff_tif_getimage.c patch-libtiff_tif_jpeg.c
               patch-libtiff_tif_ojpeg.c patch-libtiff_tif_read.c
               patch-libtiff_tif_unix.c patch-libtiff_tif_win32.c
               patch-libtiff_tiffio.h patch-tools_tiffcp.c

   Log Message:
   Add security patches & bump rev.
   via FreeBSD bz #216658

   https://nvd.nist.gov/vuln/detail/CVE-2017-5225
   http://bugzilla.maptools.org/show_bug.cgi?id=2656
   http://bugzilla.maptools.org/show_bug.cgi?id=2657
   https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7

   https://nvd.nist.gov/vuln/detail/CVE-2017-7592
   http://bugzilla.maptools.org/show_bug.cgi?id=2658
   https://github.com/vadz/libtiff/commit/48780b4fcc42

   https://nvd.nist.gov/vuln/detail/CVE-2017-7593
   http://bugzilla.maptools.org/show_bug.cgi?id=2651
   https://github.com/vadz/libtiff/commit/d60332057b95

   https://nvd.nist.gov/vuln/detail/CVE-2017-7594
   http://bugzilla.maptools.org/show_bug.cgi?id=2659
   https://github.com/vadz/libtiff/commit/8283e4d1b7e5
   https://github.com/vadz/libtiff/commit/2ea32f7372b6

   https://nvd.nist.gov/vuln/detail/CVE-2017-7595
   https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122

   https://nvd.nist.gov/vuln/detail/CVE-2017-7598
   https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8

   https://nvd.nist.gov/vuln/detail/CVE-2017-7601
   https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490

   https://nvd.nist.gov/vuln/detail/CVE-2017-7602
   https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4

diffstat:

 graphics/tiff/Makefile                             |   4 +-
 graphics/tiff/distinfo                             |  11 +++-
 graphics/tiff/patches/patch-libtiff_tif_dirread.c  |  31 +++++++++++
 graphics/tiff/patches/patch-libtiff_tif_getimage.c |  17 ++++++
 graphics/tiff/patches/patch-libtiff_tif_jpeg.c     |  31 +++++++++++
 graphics/tiff/patches/patch-libtiff_tif_ojpeg.c    |  42 +++++++++++++++
 graphics/tiff/patches/patch-libtiff_tif_read.c     |  57 ++++++++++++++++++++
 graphics/tiff/patches/patch-libtiff_tif_unix.c     |  23 ++++++++
 graphics/tiff/patches/patch-libtiff_tif_win32.c    |  23 ++++++++
 graphics/tiff/patches/patch-libtiff_tiffio.h       |  16 +++++
 graphics/tiff/patches/patch-tools_tiffcp.c         |  61 ++++++++++++++++++++++
 11 files changed, 313 insertions(+), 3 deletions(-)

diffs (truncated from 373 to 300 lines):

diff -r 0cc477a7a4c0 -r e19c8ef34cf0 graphics/tiff/Makefile
--- a/graphics/tiff/Makefile    Mon May 01 10:05:18 2017 +0000
+++ b/graphics/tiff/Makefile    Sat May 06 15:01:21 2017 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.125 2016/11/23 13:51:29 he Exp $
+# $NetBSD: Makefile,v 1.125.4.1 2017/05/06 15:01:21 bsiegert Exp $
 
 DISTNAME=      tiff-4.0.7
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://download.osgeo.org/libtiff/
 
diff -r 0cc477a7a4c0 -r e19c8ef34cf0 graphics/tiff/distinfo
--- a/graphics/tiff/distinfo    Mon May 01 10:05:18 2017 +0000
+++ b/graphics/tiff/distinfo    Sat May 06 15:01:21 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.71 2016/11/23 13:51:29 he Exp $
+$NetBSD: distinfo,v 1.71.4.1 2017/05/06 15:01:21 bsiegert Exp $
 
 SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648
 RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb
@@ -6,4 +6,13 @@
 Size (tiff-4.0.7.tar.gz) = 2076392 bytes
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
 SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d
+SHA1 (patch-libtiff_tif_dirread.c) = 5c92e2c65a5d95f444f039955ee1afbafeccf5db
+SHA1 (patch-libtiff_tif_getimage.c) = 267b555c8b043d0a835db4d46ef65131776601e6
+SHA1 (patch-libtiff_tif_jpeg.c) = 1049b7b243e9e145886bcac8e68e5e7889337ebc
+SHA1 (patch-libtiff_tif_ojpeg.c) = 6447168e952bb80a1a8272c2c27bb0ce3ccf6939
+SHA1 (patch-libtiff_tif_read.c) = 85674d2e222846e3971301ce2fb7ebe02f54b9b2
+SHA1 (patch-libtiff_tif_unix.c) = c8312771e567f90de0f77ac8eb66ed5c36e35617
+SHA1 (patch-libtiff_tif_win32.c) = 1ea9dcb6618c40b9de3e8d2a81914355f2111fdc
+SHA1 (patch-libtiff_tiffio.h) = e0efa9e1246e07dbb3a69d626988a18f12ba9d3c
 SHA1 (patch-man_Makefile.in) = ff073529c9d3ab98a03efa7d98c3263c1782482f
+SHA1 (patch-tools_tiffcp.c) = fa4846cfb5a52eedfb6dc4ed1306f45e3988ddc3
diff -r 0cc477a7a4c0 -r e19c8ef34cf0 graphics/tiff/patches/patch-libtiff_tif_dirread.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_dirread.c Sat May 06 15:01:21 2017 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.2 2017/05/06 15:01:21 bsiegert Exp $
+
+CVE-2017-7598
+https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
+
+--- libtiff/tif_dirread.c.orig 2016-11-18 02:42:46.000000000 +0000
++++ libtiff/tif_dirread.c
+@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+               m.l = direntry->tdir_offset.toff_long8;
+       if (tif->tif_flags&TIFF_SWAB)
+               TIFFSwabArrayOfLong(m.i,2);
+-      if (m.i[0]==0)
++        /* Not completely sure what we should do when m.i[1]==0, but some */
++        /* sanitizers do not like division by 0.0: */
++        /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++      if (m.i[0]==0 || m.i[1]==0)
+               *value=0.0;
+       else
+               *value=(double)m.i[0]/(double)m.i[1];
+@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+               m.l=direntry->tdir_offset.toff_long8;
+       if (tif->tif_flags&TIFF_SWAB)
+               TIFFSwabArrayOfLong(m.i,2);
+-      if ((int32)m.i[0]==0)
++        /* Not completely sure what we should do when m.i[1]==0, but some */
++        /* sanitizers do not like division by 0.0: */
++        /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++      if ((int32)m.i[0]==0 || m.i[1]==0)
+               *value=0.0;
+       else
+               *value=(double)((int32)m.i[0])/(double)m.i[1];
diff -r 0cc477a7a4c0 -r e19c8ef34cf0 graphics/tiff/patches/patch-libtiff_tif_getimage.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_getimage.c        Sat May 06 15:01:21 2017 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-libtiff_tif_getimage.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $
+
+https://nvd.nist.gov/vuln/detail/CVE-2017-7592
+http://bugzilla.maptools.org/show_bug.cgi?id=2658
+https://github.com/vadz/libtiff/commit/48780b4fcc42
+
+--- libtiff/tif_getimage.c.orig        2016-11-18 02:47:45.000000000 +0000
++++ libtiff/tif_getimage.c
+@@ -1305,7 +1305,7 @@ DECLAREContigPutFunc(putagreytile)
+     while (h-- > 0) {
+       for (x = w; x-- > 0;)
+         {
+-            *cp++ = BWmap[*pp][0] & (*(pp+1) << 24 | ~A1);
++            *cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1);
+             pp += samplesperpixel;
+         }
+       cp += toskew;
diff -r 0cc477a7a4c0 -r e19c8ef34cf0 graphics/tiff/patches/patch-libtiff_tif_jpeg.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_jpeg.c    Sat May 06 15:01:21 2017 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-libtiff_tif_jpeg.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $
+
+CVE-2017-7595
+https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122
+
+CVE-2017-7601
+https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490
+
+--- libtiff/tif_jpeg.c.orig    2017-05-03 22:26:09.000000000 +0000
++++ libtiff/tif_jpeg.c
+@@ -1626,6 +1626,20 @@ JPEGSetupEncode(TIFF* tif)
+       case PHOTOMETRIC_YCBCR:
+               sp->h_sampling = td->td_ycbcrsubsampling[0];
+               sp->v_sampling = td->td_ycbcrsubsampling[1];
++                if( sp->h_sampling == 0 || sp->v_sampling == 0 )
++                {
++                    TIFFErrorExt(tif->tif_clientdata, module,
++                            "Invalig horizontal/vertical sampling value");
++                    return (0);
++                }
++                if( td->td_bitspersample > 16 )
++                {
++                    TIFFErrorExt(tif->tif_clientdata, module,
++                                 "BitsPerSample %d not allowed for JPEG",
++                                 td->td_bitspersample);
++                    return (0);
++                }
++
+               /*
+                * A ReferenceBlackWhite field *must* be present since the
+                * default value is inappropriate for YCbCr.  Fill in the
diff -r 0cc477a7a4c0 -r e19c8ef34cf0 graphics/tiff/patches/patch-libtiff_tif_ojpeg.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c   Sat May 06 15:01:21 2017 +0000
@@ -0,0 +1,42 @@
+$NetBSD: patch-libtiff_tif_ojpeg.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $
+
+CVE-2017-7594
+http://bugzilla.maptools.org/show_bug.cgi?id=2659
+https://github.com/vadz/libtiff/commit/8283e4d1b7e5
+https://github.com/vadz/libtiff/commit/2ea32f7372b6
+
+--- libtiff/tif_ojpeg.c.orig   2017-05-03 22:08:50.000000000 +0000
++++ libtiff/tif_ojpeg.c
+@@ -1782,7 +1782,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF*
+                       TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); 
+                       p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
+                       if (p!=64)
++                        {
++                                _TIFFfree(ob);
+                               return(0);
++                        }
+                       sp->qtable[m]=ob;
+                       sp->sof_tq[m]=m;
+               }
+@@ -1846,7 +1849,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF
+                               rb[sizeof(uint32)+5+n]=o[n];
+                       p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+                       if (p!=q)
++                        {
++                                _TIFFfree(rb);
+                               return(0);
++                        }
+                       sp->dctable[m]=rb;
+                       sp->sos_tda[m]=(m<<4);
+               }
+@@ -1910,7 +1916,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF
+                               rb[sizeof(uint32)+5+n]=o[n];
+                       p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+                       if (p!=q)
++                        {
++                                _TIFFfree(rb);
+                               return(0);
++                        }
+                       sp->actable[m]=rb;
+                       sp->sos_tda[m]=(sp->sos_tda[m]|m);
+               }
diff -r 0cc477a7a4c0 -r e19c8ef34cf0 graphics/tiff/patches/patch-libtiff_tif_read.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_read.c    Sat May 06 15:01:21 2017 +0000
@@ -0,0 +1,57 @@
+$NetBSD: patch-libtiff_tif_read.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $
+
+CVE-2017-7593
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://github.com/vadz/libtiff/commit/d60332057b95
+
+CVE-2017-7602
+https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4
+
+--- libtiff/tif_read.c.orig    2017-05-03 22:31:30.000000000 +0000
++++ libtiff/tif_read.c
+@@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 stri
+                       return ((tmsize_t)(-1));
+               }
+       } else {
+-              tmsize_t ma,mb;
++              tmsize_t ma;
+               tmsize_t n;
+-              ma=(tmsize_t)td->td_stripoffset[strip];
+-              mb=ma+size;
+-              if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+-                      n=0;
+-              else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
+-                      n=tif->tif_size-ma;
+-              else
+-                      n=size;
++              if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
++                    ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
++                {
++                    n=0;
++                }
++                else if( ma > TIFF_TMSIZE_T_MAX - size )
++                {
++                    n=0;
++                }
++                else
++                {
++                    tmsize_t mb=ma+size;
++                    if (mb>tif->tif_size)
++                            n=tif->tif_size-ma;
++                    else
++                            n=size;
++                }
+               if (n!=size) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                       TIFFErrorExt(tif->tif_clientdata, module,
+@@ -976,7 +985,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp,
+                                "Invalid buffer size");
+                   return (0);
+               }
+-              tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
++              /* Initialize to zero to avoid uninitialized buffers in case of */
++                /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
++              tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+               tif->tif_flags |= TIFF_MYBUFFER;
+       }
+       if (tif->tif_rawdata == NULL) {
diff -r 0cc477a7a4c0 -r e19c8ef34cf0 graphics/tiff/patches/patch-libtiff_tif_unix.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_unix.c    Sat May 06 15:01:21 2017 +0000
@@ -0,0 +1,23 @@
+$NetBSD: patch-libtiff_tif_unix.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $
+
+CVE-2017-7593
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://github.com/vadz/libtiff/commit/d60332057b95
+
+--- libtiff/tif_unix.c.orig    2015-08-28 22:16:22.000000000 +0000
++++ libtiff/tif_unix.c
+@@ -316,6 +316,14 @@ _TIFFmalloc(tmsize_t s)
+       return (malloc((size_t) s));
+ }
+ 
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++    if( nmemb == 0 || siz == 0 )
++        return ((void *) NULL);
++
++    return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
diff -r 0cc477a7a4c0 -r e19c8ef34cf0 graphics/tiff/patches/patch-libtiff_tif_win32.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_win32.c   Sat May 06 15:01:21 2017 +0000
@@ -0,0 +1,23 @@
+$NetBSD: patch-libtiff_tif_win32.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $
+
+CVE-2017-7593
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://github.com/vadz/libtiff/commit/d60332057b95
+
+--- libtiff/tif_win32.c.orig   2015-08-28 22:16:22.000000000 +0000
++++ libtiff/tif_win32.c
+@@ -360,6 +360,14 @@ _TIFFmalloc(tmsize_t s)
+       return (malloc((size_t) s));
+ }
+ 
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++    if( nmemb == 0 || siz == 0 )
++        return ((void *) NULL);
++
++    return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
diff -r 0cc477a7a4c0 -r e19c8ef34cf0 graphics/tiff/patches/patch-libtiff_tiffio.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tiffio.h      Sat May 06 15:01:21 2017 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-libtiff_tiffio.h,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $
+
+CVE-2017-7593
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://github.com/vadz/libtiff/commit/d60332057b95
+
+--- libtiff/tiffio.h.orig      2016-01-24 15:39:51.000000000 +0000
++++ libtiff/tiffio.h



Home | Main Index | Thread Index | Old Index