pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2017Q1]: pkgsrc/graphics/tiff Pullup ticket #5406 - requested ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/717e2122c58b
branches: pkgsrc-2017Q1
changeset: 360366:717e2122c58b
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Thu May 11 17:47:20 2017 +0000
description:
Pullup ticket #5406 - requested by sevan
graphics/tiff: security fix
Revisions pulled up:
- graphics/tiff/Makefile 1.130-1.135
- graphics/tiff/distinfo 1.76-1.81
- graphics/tiff/patches/patch-libtiff_tif__luv.c 1.1
- graphics/tiff/patches/patch-libtiff_tif__pixarlog.c 1.1
- graphics/tiff/patches/patch-libtiff_tif__strip.c 1.1
- graphics/tiff/patches/patch-libtiff_tif_dirread.c 1.3
- graphics/tiff/patches/patch-libtiff_tif_ojpeg.c 1.2
- graphics/tiff/patches/patch-libtiff_tif_read.c 1.2
- graphics/tiff/patches/patch-libtiff_tiffiop.h 1.3
- graphics/tiff/patches/patch-tools_tiff2pdf.c 1.3
- graphics/tiff/patches/patch-tools_tiffcp.c 1.3
---
Module Name: pkgsrc
Committed By: he
Date: Sat May 6 20:34:40 UTC 2017
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
Added Files:
pkgsrc/graphics/tiff/patches: patch-tools_tiff2pdf.c
Log Message:
Fix CVE-2016-10094, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2640
and https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: he
Date: Sat May 6 21:02:00 UTC 2017
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
Added Files:
pkgsrc/graphics/tiff/patches: patch-libtiff_tif__luv.c
patch-libtiff_tif__pixarlog.c
Log Message:
Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604
and
https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: he
Date: Sat May 6 21:29:17 UTC 2017
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
pkgsrc/graphics/tiff/patches: patch-libtiff_tif_dirread.c
Added Files:
pkgsrc/graphics/tiff/patches: patch-libtiff_tif__strip.c
Log Message:
Fix CVE-2016-10270, ref.
http://bugzilla.maptools.org/show_bug.cgi?id=2608
https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: he
Date: Sat May 6 21:37:16 UTC 2017
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
pkgsrc/graphics/tiff/patches: patch-tools_tiffcp.c
Log Message:
Fix CVE-2016-10268, ref.
http://bugzilla.maptools.org/show_bug.cgi?id=2598
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: he
Date: Sun May 7 21:32:30 UTC 2017
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
pkgsrc/graphics/tiff/patches: patch-libtiff_tif_read.c
Added Files:
pkgsrc/graphics/tiff/patches: patch-libtiff_tiffiop.h
Log Message:
Fix CVE-2016-10266 ref.
http://bugzilla.maptools.org/show_bug.cgi?id=2596
https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: he
Date: Sun May 7 21:52:16 UTC 2017
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
pkgsrc/graphics/tiff/patches: patch-libtiff_tif_ojpeg.c
Log Message:
Fix CVE-2016-10267 ref.
http://bugzilla.maptools.org/show_bug.cgi?id=2611
https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
Bump PKGREVISION.
diffstat:
graphics/tiff/Makefile | 4 +-
graphics/tiff/distinfo | 15 +++-
graphics/tiff/patches/patch-libtiff_tif__luv.c | 56 +++++++++++++++++
graphics/tiff/patches/patch-libtiff_tif__pixarlog.c | 41 +++++++++++++
graphics/tiff/patches/patch-libtiff_tif__strip.c | 24 +++++++
graphics/tiff/patches/patch-libtiff_tif_dirread.c | 66 ++++++++++++++++++++-
graphics/tiff/patches/patch-libtiff_tif_ojpeg.c | 45 ++++++++++++-
graphics/tiff/patches/patch-libtiff_tif_read.c | 17 ++++-
graphics/tiff/patches/patch-libtiff_tiffiop.h | 19 ++++++
graphics/tiff/patches/patch-tools_tiff2pdf.c | 16 +++++
graphics/tiff/patches/patch-tools_tiffcp.c | 17 +++++-
11 files changed, 303 insertions(+), 17 deletions(-)
diffs (truncated from 451 to 300 lines):
diff -r b228d9ad013a -r 717e2122c58b graphics/tiff/Makefile
--- a/graphics/tiff/Makefile Thu May 11 17:40:24 2017 +0000
+++ b/graphics/tiff/Makefile Thu May 11 17:47:20 2017 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.125.4.2 2017/05/06 15:08:52 bsiegert Exp $
+# $NetBSD: Makefile,v 1.125.4.3 2017/05/11 17:47:20 bsiegert Exp $
DISTNAME= tiff-4.0.7
-PKGREVISION= 5
+PKGREVISION= 11
CATEGORIES= graphics
MASTER_SITES= ftp://download.osgeo.org/libtiff/
diff -r b228d9ad013a -r 717e2122c58b graphics/tiff/distinfo
--- a/graphics/tiff/distinfo Thu May 11 17:40:24 2017 +0000
+++ b/graphics/tiff/distinfo Thu May 11 17:47:20 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.71.4.2 2017/05/06 15:08:52 bsiegert Exp $
+$NetBSD: distinfo,v 1.71.4.3 2017/05/11 17:47:20 bsiegert Exp $
SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648
RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb
@@ -6,16 +6,21 @@
Size (tiff-4.0.7.tar.gz) = 2076392 bytes
SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d
+SHA1 (patch-libtiff_tif__luv.c) = c2e8ce7474119ffa02d226932ad6c8c2b230062c
+SHA1 (patch-libtiff_tif__pixarlog.c) = ad16681cf3fcb5fded048eb70c0a93f1b6447147
+SHA1 (patch-libtiff_tif__strip.c) = f7dc7b24378d0541a8f3bcc3cad78ea2d6ae14d7
SHA1 (patch-libtiff_tif_dir.c) = 28c45b95cedeebe005b44b45393d66f61e0ea6f7
-SHA1 (patch-libtiff_tif_dirread.c) = 213b8c2f172303d095ef3edc3f850aa75de36d3d
+SHA1 (patch-libtiff_tif_dirread.c) = f6d442da817457d7ac801a3005e21c357ac31f8a
SHA1 (patch-libtiff_tif_dirwrite.c) = 07ccbf8cf210b95d5ca7710cc2982368783b4dcb
SHA1 (patch-libtiff_tif_getimage.c) = 267b555c8b043d0a835db4d46ef65131776601e6
SHA1 (patch-libtiff_tif_jpeg.c) = 1049b7b243e9e145886bcac8e68e5e7889337ebc
-SHA1 (patch-libtiff_tif_ojpeg.c) = 6447168e952bb80a1a8272c2c27bb0ce3ccf6939
-SHA1 (patch-libtiff_tif_read.c) = 85674d2e222846e3971301ce2fb7ebe02f54b9b2
+SHA1 (patch-libtiff_tif_ojpeg.c) = 1c43555434525157c1783de4802af4508c5113a4
+SHA1 (patch-libtiff_tif_read.c) = d43b10fa74a51da21f44abb7bd0251b88e8a702b
SHA1 (patch-libtiff_tif_unix.c) = c8312771e567f90de0f77ac8eb66ed5c36e35617
SHA1 (patch-libtiff_tif_win32.c) = 1ea9dcb6618c40b9de3e8d2a81914355f2111fdc
SHA1 (patch-libtiff_tiffio.h) = e0efa9e1246e07dbb3a69d626988a18f12ba9d3c
+SHA1 (patch-libtiff_tiffiop.h) = 1100e55483da58037fa3f4168fffdfcbc5407456
SHA1 (patch-man_Makefile.in) = ff073529c9d3ab98a03efa7d98c3263c1782482f
-SHA1 (patch-tools_tiffcp.c) = 42573d15fc66655a09e9227213b0929238f7e651
+SHA1 (patch-tools_tiff2pdf.c) = ce7a3e77c27ad3cabaa33b5da61cbd1b27f187d1
+SHA1 (patch-tools_tiffcp.c) = bd6abd9dc6e044ff04d761d999fabfb0919ba0db
SHA1 (patch-tools_tiffcrop.c) = 1d729028fb8c05de958424234d5cc2808acc9b25
diff -r b228d9ad013a -r 717e2122c58b graphics/tiff/patches/patch-libtiff_tif__luv.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif__luv.c Thu May 11 17:47:20 2017 +0000
@@ -0,0 +1,56 @@
+$NetBSD: patch-libtiff_tif__luv.c,v 1.1.2.2 2017/05/11 17:47:20 bsiegert Exp $
+
+Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604
+and
+https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
+
+--- libtiff/tif_luv.c.orig 2016-09-08 13:23:57.000000000 +0000
++++ libtiff/tif_luv.c
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+
+ struct logLuvState {
++ int encoder_state; /* 1 if encoder correctly initialized */
+ int user_datafmt; /* user data format */
+ int encode_meth; /* encoding method */
+ int pixel_size; /* bytes per pixel */
+@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
+ td->td_photometric, "must be either LogLUV or LogL");
+ break;
+ }
++ sp->encoder_state = 1;
+ return (1);
+ notsupported:
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@ notsupported:
+ static void
+ LogLuvClose(TIFF* tif)
+ {
++ LogLuvState* sp = (LogLuvState*) tif->tif_data;
+ TIFFDirectory *td = &tif->tif_dir;
+
++ assert(sp != 0);
+ /*
+ * For consistency, we always want to write out the same
+ * bitspersample and sampleformat for our TIFF file,
+ * regardless of the data format being used by the application.
+ * Since this routine is called after tags have been set but
+ * before they have been recorded in the file, we reset them here.
++ * Note: this is really a nasty approach. See PixarLogClose
+ */
+- td->td_samplesperpixel =
+- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+- td->td_bitspersample = 16;
+- td->td_sampleformat = SAMPLEFORMAT_INT;
++ if( sp->encoder_state )
++ {
++ /* See PixarLogClose. Might avoid issues with tags whose size depends
++ * on those below, but not completely sure this is enough. */
++ td->td_samplesperpixel =
++ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
++ td->td_bitspersample = 16;
++ td->td_sampleformat = SAMPLEFORMAT_INT;
++ }
+ }
+
+ static void
diff -r b228d9ad013a -r 717e2122c58b graphics/tiff/patches/patch-libtiff_tif__pixarlog.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c Thu May 11 17:47:20 2017 +0000
@@ -0,0 +1,41 @@
+$NetBSD: patch-libtiff_tif__pixarlog.c,v 1.1.2.2 2017/05/11 17:47:20 bsiegert Exp $
+
+Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604
+and
+https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
+
+--- libtiff/tif_pixarlog.c.orig 2016-09-23 22:56:06.000000000 +0000
++++ libtiff/tif_pixarlog.c
+@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
+ static void
+ PixarLogClose(TIFF* tif)
+ {
++ PixarLogState* sp = (PixarLogState*) tif->tif_data;
+ TIFFDirectory *td = &tif->tif_dir;
+
++ assert(sp != 0);
+ /* In a really sneaky (and really incorrect, and untruthful, and
+ * troublesome, and error-prone) maneuver that completely goes against
+ * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
+ * readers that don't know about PixarLog, or how to set
+ * the PIXARLOGDATFMT pseudo-tag.
+ */
+- td->td_bitspersample = 8;
+- td->td_sampleformat = SAMPLEFORMAT_UINT;
++
++ if (sp->state&PLSTATE_INIT) {
++ /* We test the state to avoid an issue such as in
++ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
++ * What appends in that case is that the bitspersample is 1 and
++ * a TransferFunction is set. The size of the TransferFunction
++ * depends on 1<<bitspersample. So if we increase it, an access
++ * out of the buffer will happen at directory flushing.
++ * Another option would be to clear those targs.
++ */
++ td->td_bitspersample = 8;
++ td->td_sampleformat = SAMPLEFORMAT_UINT;
++ }
+ }
+
+ static void
diff -r b228d9ad013a -r 717e2122c58b graphics/tiff/patches/patch-libtiff_tif__strip.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif__strip.c Thu May 11 17:47:20 2017 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-libtiff_tif__strip.c,v 1.1.2.2 2017/05/11 17:47:20 bsiegert Exp $
+
+Fix CVE-2016-10270, ref.
+http://bugzilla.maptools.org/show_bug.cgi?id=2608
+https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
+
+--- libtiff/tif_strip.c.orig 2016-11-10 02:12:36.000000000 +0000
++++ libtiff/tif_strip.c
+@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
+ TIFFDirectory *td = &tif->tif_dir;
+ uint32 nstrips;
+
+- /* If the value was already computed and store in td_nstrips, then return it,
+- since ChopUpSingleUncompressedStrip might have altered and resized the
+- since the td_stripbytecount and td_stripoffset arrays to the new value
+- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+- tif_dirread.c ~line 3612.
+- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+- if( td->td_nstrips )
+- return td->td_nstrips;
+-
+ nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
diff -r b228d9ad013a -r 717e2122c58b graphics/tiff/patches/patch-libtiff_tif_dirread.c
--- a/graphics/tiff/patches/patch-libtiff_tif_dirread.c Thu May 11 17:40:24 2017 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_dirread.c Thu May 11 17:47:20 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $
+$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.4 2017/05/11 17:47:20 bsiegert Exp $
CVE-2017-7596
CVE-2017-7597
@@ -8,7 +8,13 @@
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
---- libtiff/tif_dirread.c.orig 2017-05-05 18:56:15.000000000 +0000
+and
+
+CVE-2016-10270
+http://bugzilla.maptools.org/show_bug.cgi?id=2608
+https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
+
+--- libtiff/tif_dirread.c.orig 2016-11-18 02:42:46.000000000 +0000
+++ libtiff/tif_dirread.c
@@ -40,6 +40,7 @@
*/
@@ -58,3 +64,59 @@
*value=0.0;
else
*value=(double)((int32)m.i[0])/(double)m.i[1];
+@@ -5502,8 +5516,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ uint64 rowblockbytes;
+ uint64 stripbytes;
+ uint32 strip;
+- uint64 nstrips64;
+- uint32 nstrips32;
++ uint32 nstrips;
+ uint32 rowsperstrip;
+ uint64* newcounts;
+ uint64* newoffsets;
+@@ -5534,18 +5547,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ return;
+
+ /*
+- * never increase the number of strips in an image
++ * never increase the number of rows per strip
+ */
+ if (rowsperstrip >= td->td_rowsperstrip)
+ return;
+- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
++ if( nstrips == 0 )
+ return;
+- nstrips32 = (uint32)nstrips64;
+
+- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripOffsets\" array");
+ if (newcounts == NULL || newoffsets == NULL) {
+ /*
+@@ -5562,18 +5574,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ * Fill the strip information arrays with new bytecounts and offsets
+ * that reflect the broken-up format.
+ */
+- for (strip = 0; strip < nstrips32; strip++) {
++ for (strip = 0; strip < nstrips; strip++) {
+ if (stripbytes > bytecount)
+ stripbytes = bytecount;
+ newcounts[strip] = stripbytes;
+- newoffsets[strip] = offset;
++ newoffsets[strip] = stripbytes ? offset : 0;
+ offset += stripbytes;
+ bytecount -= stripbytes;
+ }
+ /*
+ * Replace old single strip info with multi-strip info.
+ */
+- td->td_stripsperimage = td->td_nstrips = nstrips32;
++ td->td_stripsperimage = td->td_nstrips = nstrips;
+ TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+ _TIFFfree(td->td_stripbytecount);
diff -r b228d9ad013a -r 717e2122c58b graphics/tiff/patches/patch-libtiff_tif_ojpeg.c
--- a/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c Thu May 11 17:40:24 2017 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c Thu May 11 17:47:20 2017 +0000
@@ -1,13 +1,48 @@
-$NetBSD: patch-libtiff_tif_ojpeg.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $
+$NetBSD: patch-libtiff_tif_ojpeg.c,v 1.1.2.3 2017/05/11 17:47:20 bsiegert Exp $
CVE-2017-7594
http://bugzilla.maptools.org/show_bug.cgi?id=2659
https://github.com/vadz/libtiff/commit/8283e4d1b7e5
https://github.com/vadz/libtiff/commit/2ea32f7372b6
---- libtiff/tif_ojpeg.c.orig 2017-05-03 22:08:50.000000000 +0000
+CVE-2016-10267
+http://bugzilla.maptools.org/show_bug.cgi?id=2611
+https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
+
+--- libtiff/tif_ojpeg.c.orig 2016-09-08 13:23:57.000000000 +0000
+++ libtiff/tif_ojpeg.c
-@@ -1782,7 +1782,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF*
+@@ -244,6 +244,7 @@ typedef enum {
+
+ typedef struct {
+ TIFF* tif;
++ int decoder_ok;
+ #ifndef LIBJPEG_ENCAP_EXTERNAL
+ JMP_BUF exit_jmpbuf;
+ #endif
+@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s)
+ }
+ sp->write_curstrile++;
+ }
++ sp->decoder_ok = 1;
+ return(1);
+ }
Home |
Main Index |
Thread Index |
Old Index