Hello community, here is the log from the commit of package tiff.683 for openSUSE:12.2:Update checked in at 2012-08-06 11:12:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/tiff.683 (Old) and /work/SRC/openSUSE:12.2:Update/.tiff.683.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff.683", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2012-08-03 19:43:57.387656292 +0200 +++ /work/SRC/openSUSE:12.2:Update/.tiff.683.new/tiff.changes 2012-08-06 11:12:06.000000000 +0200 @@ -0,0 +1,509 @@ +------------------------------------------------------------------- +Mon Jul 23 09:52:50 UTC 2012 - [email protected] + +- fixed CVE-2012-3401 [bnc#770816] + +------------------------------------------------------------------- +Thu Jun 28 10:16:29 UTC 2012 - [email protected] + +- RGBA is packed in host order, use the right macros to unpack + and verify in raw_decode test. + +------------------------------------------------------------------- +Wed Jun 20 09:29:37 UTC 2012 - [email protected] + +- updated to 4.0.2: [bnc#767852] [bnc#767854] + tif_getimage.c: added support for _SEPARATED CMYK images. + tif_getimage.c: Added support for greyscale + alpha. + Added TIFFCreateCustomDirectory() and TIFFCreateEXIFDirectory() functions. + tif_print.c: Lots of fixes around printing corrupt or hostile input. + Improve handling of corrupt ycbcrsubsampling values. + tif_unix.c: use strerror to get meaningful error messages. + tif_jpeg.c: fix serious bugs in JPEGDecodeRaw(). + tif_jpeg.c: Fix size overflow (zdi-can-1221,CVE-2012-1173). + tiff2pdf: Defend against integer overflows while calculating required + buffer sizes (CVE-2012-2113). + +------------------------------------------------------------------- +Tue Apr 10 17:37:25 UTC 2012 - [email protected] + +- Fix building on older targets from SUSE 10.0 to current. +- Add jbig support + +------------------------------------------------------------------- +Thu Mar 29 09:51:49 UTC 2012 - [email protected] + +- Add lzma support +- Implement %check +- Drop visibility patch because it breaks compilation + +------------------------------------------------------------------- +Wed Mar 28 18:06:34 UTC 2012 - [email protected] + +- change package name libtiff4 to libtiff5. + library number is 5 actually. + +------------------------------------------------------------------- +Wed Mar 28 17:29:16 UTC 2012 - [email protected] + +- Update to 4.0.1 + * configure.ac + - Add libtiff private dependency on -llzma for pkg-config + - Add support for using library symbol versioning on + ELF systems with the GNU linker. + * libtiff/tif_win32.c: Eliminate some minor 64-bit warnings in + tif_win32.c + * libtiff/tif_jpeg.c: Extra caution for case where sp is NULL. + * libtiff/tif_dir.c, libtiff/tif_dirread.c: Extra caution around + assumption tag fetching is always successful. + * libtiff/tiffio.h: Use double-underbar syntax in GCC printf + attribute specification to lessen the risk of accidental macro + substitution. + * Update automake used to 1.11.3. + +------------------------------------------------------------------- +Wed Mar 28 12:12:23 UTC 2012 - [email protected] + +- license update: HPND + tiff license most akin to spdx recognised + http://www.spdx.org/licenses/HPND + +------------------------------------------------------------------- +Tue Jan 10 01:21:45 UTC 2012 - [email protected] + +- remove libjpeg-devel and zlib-devel from libtiff-devel + requires as they are _not_ required to use the library. + Now, this _will_ break packages with wrong buildrequires + for good. + +------------------------------------------------------------------- +Tue Jan 10 00:55:53 UTC 2012 - [email protected] + +- Hide private symbols using gcc visibility, this has been + applied only to functions that the source code clearly states + that are internal to the library. +- Run spec cleaner + +------------------------------------------------------------------- +Wed Nov 23 09:31:16 UTC 2011 - [email protected] + +- add libtool as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Fri Aug 5 21:09:33 UTC 2011 - [email protected] + +- Do not use -fno-strict-aliasing, no longer needed + and will probably slow down the code. +- Fix self-obsoletion warning + +------------------------------------------------------------------- +Thu Apr 14 14:02:12 CEST 2011 - [email protected] + +- updated to 3.9.5: + * fixed integer overflow CVE-2010-4665 + * fixed buffer overflow in ojpeg decoder + * upstreamed: + - oob-read.patch + - CVE-2011-0192.patch + - getimage-64bit.patch + - CVE-2011-1167.patch + - scanlinesize.patch + +------------------------------------------------------------------- +Thu Mar 31 21:49:49 CEST 2011 - [email protected] + +- fixed regression caused by previous update [bnc#682871] + * modified CVE-2011-0192.patch +- fixed buffer overflow in thunder decoder [bnc#683337] + * added CVE-2011-1167.patch + +------------------------------------------------------------------- +Thu Feb 17 15:40:54 CET 2011 - [email protected] + +- fixed buffer overflow [bnc#672510] + * CVE-2011-0192.patch + +------------------------------------------------------------------- +Mon Sep 6 14:56:09 CEST 2010 - [email protected] + +- fixed "Possibly exploitable memory corruption issue in libtiff" + (see http://bugzilla.maptools.org/show_bug.cgi?id=2228) + [bnc#624215] + * scanlinesize.patch +- fixed crash while using libjpeg7 and higher + * dont-fancy-upsampling.patch + +------------------------------------------------------------------- +Mon Jul 12 16:36:48 CEST 2010 - [email protected] + +- updated to 3.9.4: fixes CVE-2010-2065 -- obsoletes + * integer-overflow.patch + * NULL-deref.patch +- fixes CVE-2010-2067 + +------------------------------------------------------------------- +Wed Jun 23 10:32:01 CEST 2010 - [email protected] + +- fixed CVE-2010-2065 + * integer-overflow.patch + * NULL-deref.patch +- fixed out of bounds read + * oob-read.patch +- fixed CVE-2010-2233 + * getimage-64bit.patch +- [bnc#612879] + +------------------------------------------------------------------- +Mon Apr 26 15:07:09 CEST 2010 - [email protected] + +- fixed tiff2pdf output [bnc#599475] + +------------------------------------------------------------------- +Fri Mar 26 08:49:41 UTC 2010 - [email protected] + +- fixed typo + +------------------------------------------------------------------- +Tue Mar 16 13:37:23 CET 2010 - [email protected] + +- updated to 3.9.2: fixed many CVE's and obsoletes almost all + our patches (see ChangeLog for details) + +------------------------------------------------------------------- +Tue Dec 15 19:38:18 CET 2009 - [email protected] + +- add baselibs.conf as a source +- enable parallel building + +------------------------------------------------------------------- +Thu Aug 6 14:02:07 CEST 2009 - [email protected] + +- fixed integer overflows [bnc#519796] + * CVE-2009-2347.patch + +------------------------------------------------------------------- +Thu Jul 2 16:33:02 CEST 2009 - [email protected] + +- fixed lzw overflow CVE-2009-2285 [bnc#518698] + +------------------------------------------------------------------- +Wed Feb 4 15:49:04 CET 2009 - [email protected] + +- fixed an endless loop on invalid images + (bnc#444079) CVE-2008-1586 + +------------------------------------------------------------------- +Tue Jan 13 16:19:37 CET 2009 - [email protected] + ++++ 312 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.tiff.683.new/tiff.changes New: ---- README.SUSE baselibs.conf tiff-4.0.2-CVE-2012-3401.patch tiff-4.0.2-dont-fancy-upsampling.patch tiff-4.0.2-seek.patch tiff-4.0.2-tiff2pdf-colors.patch tiff-4.0.2.tar.bz2 tiff-bigendian.patch tiff.changes tiff.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ # # spec file for package tiff # # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: tiff BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: libtool %if 0%{?suse_version} > 1030 BuildRequires: lzma-devel %endif %if 0%{?suse_version} <= 1000 BuildRequires: pkgconfig %endif %if 0%{?suse_version} > 1000 BuildRequires: pkg-config %endif BuildRequires: zlib-devel # bug437293 %ifarch ppc64 Obsoletes: tiff-64bit %endif %if 0%{?suse_version} > 1210 BuildRequires: libjbig-devel %endif Version: 4.0.2 Release: 0 Summary: Tools for Converting from and to the Tiff Format License: HPND Group: Productivity/Graphics/Convertors Url: http://www.remotesensing.org/libtiff Source: tiff-%{version}.tar.bz2 Source2: README.SUSE Source3: baselibs.conf Patch2: tiff-%{version}-seek.patch Patch3: tiff-%{version}-tiff2pdf-colors.patch Patch9: tiff-%{version}-dont-fancy-upsampling.patch Patch10: tiff-bigendian.patch Patch11: tiff-%{version}-CVE-2012-3401.patch # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This package contains the library and support programs for the TIFF image format. %package -n libtiff5 Summary: The Tiff Library (with JPEG and compression support) Group: System/Libraries Provides: libtiff = %{version} # bug437293 %ifarch ppc64 Obsoletes: libtiff-64bit %endif # %description -n libtiff5 This package includes the tiff libraries. To link a program with libtiff, you will have to add -ljpeg and -lz to include the necessary libjpeg and libz in the linking process. %package -n libtiff-devel Summary: Development Tools for Programs which will use the libtiff Library Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libstdc++-devel Requires: libtiff5 = %{version} # bug437293 %ifarch ppc64 Obsoletes: tiff-devel-64bit %endif # %description -n libtiff-devel This package contains the header files and static libraries for developing programs which will manipulate TIFF format image files using the libtiff library. %prep %setup -q %patch2 -p1 %patch3 -p1 %patch9 -p1 %patch10 -p1 %patch11 %build %configure --disable-static --with-pic make %{?_smp_mflags} %install mkdir -p %{buildroot}/{%{_mandir}/{man1,man3},usr/{bin,lib,include}} %makeinstall for f in `find %{buildroot}/%{_mandir} -type f -print ` ; do if [ `wc -l <$f` -eq 1 ] && grep -q "^\.so " $f ; then linkto=`sed -e "s|^\.so ||" $f` [ -f "`dirname $f`/$linkto" ] && ln -sf "$linkto" $f fi done cp %{SOURCE2} . rm -rf %{buildroot}%{_datadir}/doc/tiff* rm -f %{buildroot}/%{_libdir}/*.la find html -name "Makefile*" | xargs rm %check cd test make %{?_smp_mflags} check %post -n libtiff5 -p /sbin/ldconfig %postun -n libtiff5 -p /sbin/ldconfig %files %defattr(-,root,root) %{_bindir}/* %doc html %doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DATE %doc %{_mandir}/man1/* %files -n libtiff5 %defattr(-,root,root) %doc README COPYRIGHT README.SUSE %{_libdir}/*.so.* %files -n libtiff-devel %defattr(-,root,root) %{_includedir}/* %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc %doc %{_mandir}/man3/* %changelog ++++++ README.SUSE ++++++ The documentation for tiff programs and library is in package tiff in directory /usr/share/doc/packages/tiff.++++++ baselibs.conf ++++++ libtiff5 obsoletes "libtiff-<targettype> <= <version>" provides "libtiff-<targettype> = <version>" libtiff-devel requires -libtiff-<targettype> requires "libtiff5-<targettype> = <version>" ++++++ tiff-4.0.2-CVE-2012-3401.patch ++++++ Index: tools/tiff2pdf.c =================================================================== --- tools/tiff2pdf.c.orig +++ tools/tiff2pdf.c @@ -1066,6 +1066,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* "Can't set directory %u of input file %s", i, TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; return; } if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){ ++++++ tiff-4.0.2-dont-fancy-upsampling.patch ++++++ diff -urN tiff-4.0.1.orig/libtiff/tif_jpeg.c tiff-4.0.1/libtiff/tif_jpeg.c --- tiff-4.0.1.orig/libtiff/tif_jpeg.c 2012-03-29 01:03:15.680848289 +0800 +++ tiff-4.0.1/libtiff/tif_jpeg.c 2012-03-29 01:09:09.212428534 +0800 @@ -1175,6 +1175,7 @@ if (downsampled_output) { /* Need to use raw-data interface to libjpeg */ sp->cinfo.d.raw_data_out = TRUE; + sp->cinfo.d.do_fancy_upsampling = FALSE; tif->tif_decoderow = DecodeRowError; tif->tif_decodestrip = JPEGDecodeRaw; tif->tif_decodetile = JPEGDecodeRaw; ++++++ tiff-4.0.2-seek.patch ++++++ Index: tiff-4.0.1/libtiff/tiffiop.h =================================================================== --- tiff-4.0.1.orig/libtiff/tiffiop.h +++ tiff-4.0.1/libtiff/tiffiop.h @@ -213,7 +213,7 @@ struct tiff { #define TIFFWriteFile(tif, buf, size) \ ((*(tif)->tif_writeproc)((tif)->tif_clientdata,(buf),(size))) #define TIFFSeekFile(tif, off, whence) \ - ((*(tif)->tif_seekproc)((tif)->tif_clientdata,(off),(whence))) + ((tif)->tif_seekproc?((*(tif)->tif_seekproc)((tif)->tif_clientdata,(toff_t)(off),whence)):0) #define TIFFCloseFile(tif) \ ((*(tif)->tif_closeproc)((tif)->tif_clientdata)) #define TIFFGetFileSize(tif) \ ++++++ tiff-4.0.2-tiff2pdf-colors.patch ++++++ diff -urN tiff-4.0.1.orig/tools/tiff2pdf.c tiff-4.0.1/tools/tiff2pdf.c --- tiff-4.0.1.orig/tools/tiff2pdf.c 2012-03-29 01:03:15.656848587 +0800 +++ tiff-4.0.1/tools/tiff2pdf.c 2012-03-29 01:03:27.591699381 +0800 @@ -4991,7 +4991,7 @@ if(t2p->tiff_photometric != PHOTOMETRIC_YCBCR) { written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); - written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 0 >>\n", 24); + written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 1 >>\n", 24); } break; #endif ++++++ tiff-bigendian.patch ++++++ --- tiff-4.0.2/test/raw_decode.c.xx 2012-06-28 11:48:43.000000000 +0200 +++ tiff-4.0.2/test/raw_decode.c 2012-06-28 12:15:46.000000000 +0200 @@ -85,9 +85,9 @@ static int check_rgba_pixel( int pixel, int red, int green, int blue, int alpha, unsigned char *buffer ) { /* RGBA images are upside down - adjust for normal ordering */ int adjusted_pixel = pixel % 128 + (127 - (pixel/128)) * 128; - unsigned char *rgba = buffer + 4 * adjusted_pixel; - - if( rgba[0] == red && rgba[1] == green && rgba[2] == blue && rgba[3] == alpha ) { + unsigned int *rgba = (unsigned int*)(buffer + 4 * adjusted_pixel); + + if( TIFFGetR(*rgba) == red && TIFFGetG(*rgba) == green && TIFFGetB(*rgba) == blue && TIFFGetA(*rgba) == alpha ) { return 0; } -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
