Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at 2016-01-15 10:40:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff" Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2015-12-17 15:52:59.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2016-01-15 10:40:30.000000000 +0100 @@ -1,0 +2,7 @@ +Mon Jan 11 13:53:42 UTC 2016 - [email protected] + +- add tiff-4.0.4-uninitialized_mem_NeXTDecode.patch to fix + uninitialized memory in NeXTDecode (upstream bug #2508) + [bnc#942690] + +------------------------------------------------------------------- New: ---- tiff-4.0.4-uninitialized_mem_NeXTDecode.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.H0CiMd/_old 2016-01-15 10:40:31.000000000 +0100 +++ /var/tmp/diff_new_pack.H0CiMd/_new 2016-01-15 10:40:31.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package tiff # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,13 +29,12 @@ Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch +# http://bugzilla.maptools.org/show_bug.cgi?id=2508 +Patch2: tiff-4.0.4-uninitialized_mem_NeXTDecode.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: libtool BuildRequires: zlib-devel -# FYI: this issue is solved another way -# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 -# Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} > 1030 BuildRequires: lzma-devel @@ -94,6 +93,7 @@ %setup -q %patch0 -p1 %patch1 -p1 +%patch2 %build CFLAGS="%{optflags} -fPIE" ++++++ tiff-4.0.4-uninitialized_mem_NeXTDecode.patch ++++++ --- libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16 +++ libtiff/tif_next.c 27 Dec 2015 16:55:20 -0000 1.17 @@ -37,7 +37,7 @@ case 0: op[0] = (unsigned char) ((v) << 6); break; \ case 1: op[0] |= (v) << 4; break; \ case 2: op[0] |= (v) << 2; break; \ - case 3: *op++ |= (v); break; \ + case 3: *op++ |= (v); op_offset++; break; \ } \ } @@ -106,6 +106,7 @@ uint32 imagewidth = tif->tif_dir.td_imagewidth; if( isTiled(tif) ) imagewidth = tif->tif_dir.td_tilewidth; + tmsize_t op_offset = 0; /* * The scanline is composed of a sequence of constant @@ -122,10 +123,15 @@ * bounds, potentially resulting in a security * issue. */ - while (n-- > 0 && npixels < imagewidth) + while (n-- > 0 && npixels < imagewidth && op_offset < scanline) SETPIXEL(op, grey); if (npixels >= imagewidth) break; + if (op_offset >= scanline ) { + TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", + (long) tif->tif_row); + return (0); + } if (cc == 0) goto bad; n = *bp++, cc--;
