Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at 2016-04-12 18:57:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff" Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2016-02-03 10:19:03.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2016-04-12 18:57:30.000000000 +0200 @@ -1,0 +2,7 @@ +Wed Apr 6 13:56:19 UTC 2016 - [email protected] + +- Added patch: + * tiff-4.0.6-CVE-2016-3186.patch + - fix CVE-2016-3186: buffer overflow in gif2tiff [bsc#973340] + +------------------------------------------------------------------- New: ---- tiff-4.0.6-CVE-2016-3186.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.Ok3itQ/_old 2016-04-12 18:57:31.000000000 +0200 +++ /var/tmp/diff_new_pack.Ok3itQ/_new 2016-04-12 18:57:31.000000000 +0200 @@ -35,6 +35,8 @@ Patch3: tiff-4.0.6-CVE-2015-7554.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2522 Patch4: tiff-4.0.6-CVE-2015-8782.patch +# +Patch5: tiff-4.0.6-CVE-2016-3186.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: libtool @@ -100,6 +102,7 @@ %patch2 %patch3 %patch4 -p1 +%patch5 -p1 %build CFLAGS="%{optflags} -fPIE" ++++++ tiff-4.0.6-CVE-2016-3186.patch ++++++ --- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200 +++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200 @@ -349,7 +349,7 @@ int status = 1; (void) getc(infile); - while ((count = getc(infile)) && count <= 255) + while ((count = getc(infile)) && count > 0 && count <= 255) if (fread(buf, 1, count, infile) != (size_t) count) { fprintf(stderr, "short read from file %s (%s)\n", filename, strerror(errno));
