Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at 2016-07-18 21:22:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff" Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2016-04-12 18:57:30.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2016-07-18 21:23:00.000000000 +0200 @@ -1,0 +2,11 @@ +Tue Jul 12 09:20:56 UTC 2016 - [email protected] + +- Added patches: + * tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch + * tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch + * tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch + - Upstream commits to fix CVE-2016-5314 [bsc#984831], + CVE-2016-5316 [bsc#984837], CVE-2016-5317 [bsc#984842], + CVE-2016-5320 [bsc#984808] and CVE-2016-5875 [bsc#987351] + +------------------------------------------------------------------- New: ---- tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.6nHO8k/_old 2016-07-18 21:23:01.000000000 +0200 +++ /var/tmp/diff_new_pack.6nHO8k/_new 2016-07-18 21:23:01.000000000 +0200 @@ -37,6 +37,11 @@ Patch4: tiff-4.0.6-CVE-2015-8782.patch # Patch5: tiff-4.0.6-CVE-2016-3186.patch +# +Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch +Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch +Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch + BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: libtool @@ -103,6 +108,9 @@ %patch3 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build CFLAGS="%{optflags} -fPIE" ++++++ tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch ++++++ --- tiff-4.0.6/libtiff/tif_luv.c 2015-08-29 00:16:22.554966897 +0200 +++ tiff-4.0.6/libtiff/tif_luv.c 2016-07-12 10:15:05.008194511 +0200 @@ -1243,6 +1243,14 @@ assert(sp != NULL); assert(td->td_photometric == PHOTOMETRIC_LOGL); + if( td->td_samplesperpixel != 1 ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Sorry, can not handle LogL image with %s=%d", + "Samples/pixel", td->td_samplesperpixel); + return 0; + } + /* for some reason, we can't do this in TIFFInitLogL16 */ if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN) sp->user_datafmt = LogL16GuessDataFmt(td); ++++++ tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch ++++++ --- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200 +++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-07-12 10:11:52.444459447 +0200 @@ -457,6 +457,7 @@ typedef struct { TIFFPredictorState predict; z_stream stream; + tmsize_t tbuf_size; /* only set/used on reading for now */ uint16 *tbuf; uint16 stride; int state; @@ -692,6 +693,7 @@ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); if (sp->tbuf == NULL) return (0); + sp->tbuf_size = tbuf_size; if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) sp->user_datafmt = PixarLogGuessDataFmt(td); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { @@ -781,6 +783,12 @@ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); return (0); } + /* Check that we will not fill more than what was allocated */ + if ((tmsize_t)sp->stream.avail_out > sp->tbuf_size) + { + TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); + return (0); + } do { int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); if (state == Z_STREAM_END) { ++++++ tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch ++++++ --- tiff-4.0.6/libtiff/tif_read.c 2015-08-29 00:16:22.656727936 +0200 +++ tiff-4.0.6/libtiff/tif_read.c 2016-07-12 10:16:48.693897925 +0200 @@ -38,6 +38,8 @@ static int TIFFCheckRead(TIFF*, int); static tmsize_t TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,const char* module); +static tmsize_t +TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* module); #define NOSTRIP ((uint32)(-1)) /* undefined state */ #define NOTILE ((uint32)(-1)) /* undefined state */ @@ -350,6 +352,24 @@ stripsize=TIFFVStripSize(tif,rows); if (stripsize==0) return((tmsize_t)(-1)); + + /* shortcut to avoid an extra memcpy() */ + if( td->td_compression == COMPRESSION_NONE && + size!=(tmsize_t)(-1) && size >= stripsize && + !isMapped(tif) && + ((tif->tif_flags&TIFF_NOREADRAW)==0) ) + { + if (TIFFReadRawStrip1(tif, strip, buf, stripsize, module) != stripsize) + return ((tmsize_t)(-1)); + + if (!isFillOrder(tif, td->td_fillorder) && + (tif->tif_flags & TIFF_NOBITREV) == 0) + TIFFReverseBits(buf,stripsize); + + (*tif->tif_postdecode)(tif,buf,stripsize); + return (stripsize); + } + if ((size!=(tmsize_t)(-1))&&(size<stripsize)) stripsize=size; if (!TIFFFillStrip(tif,strip)) @@ -661,6 +681,24 @@ (unsigned long) tile, (unsigned long) td->td_nstrips); return ((tmsize_t)(-1)); } + + /* shortcut to avoid an extra memcpy() */ + if( td->td_compression == COMPRESSION_NONE && + size!=(tmsize_t)(-1) && size >= tilesize && + !isMapped(tif) && + ((tif->tif_flags&TIFF_NOREADRAW)==0) ) + { + if (TIFFReadRawTile1(tif, tile, buf, tilesize, module) != tilesize) + return ((tmsize_t)(-1)); + + if (!isFillOrder(tif, td->td_fillorder) && + (tif->tif_flags & TIFF_NOBITREV) == 0) + TIFFReverseBits(buf,tilesize); + + (*tif->tif_postdecode)(tif,buf,tilesize); + return (tilesize); + } + if (size == (tmsize_t)(-1)) size = tilesize; else if (size > tilesize) --- tiff-4.0.6/libtiff/tif_write.c 2015-08-29 00:16:22.761805698 +0200 +++ tiff-4.0.6/libtiff/tif_write.c 2016-07-12 10:16:48.693897925 +0200 @@ -258,6 +258,23 @@ tif->tif_rawcp = tif->tif_rawdata; tif->tif_flags &= ~TIFF_POSTENCODE; + + /* shortcut to avoid an extra memcpy() */ + if( td->td_compression == COMPRESSION_NONE ) + { + /* swab if needed - note that source buffer will be altered */ + tif->tif_postdecode( tif, (uint8*) data, cc ); + + if (!isFillOrder(tif, td->td_fillorder) && + (tif->tif_flags & TIFF_NOBITREV) == 0) + TIFFReverseBits((uint8*) data, cc); + + if (cc > 0 && + !TIFFAppendToStrip(tif, strip, (uint8*) data, cc)) + return ((tmsize_t) -1); + return (cc); + } + sample = (uint16)(strip / td->td_stripsperimage); if (!(*tif->tif_preencode)(tif, sample)) return ((tmsize_t) -1); @@ -431,9 +448,7 @@ tif->tif_flags |= TIFF_CODERSETUP; } tif->tif_flags &= ~TIFF_POSTENCODE; - sample = (uint16)(tile/td->td_stripsperimage); - if (!(*tif->tif_preencode)(tif, sample)) - return ((tmsize_t)(-1)); + /* * Clamp write amount to the tile size. This is mostly * done so that callers can pass in some large number @@ -442,6 +457,25 @@ if ( cc < 1 || cc > tif->tif_tilesize) cc = tif->tif_tilesize; + /* shortcut to avoid an extra memcpy() */ + if( td->td_compression == COMPRESSION_NONE ) + { + /* swab if needed - note that source buffer will be altered */ + tif->tif_postdecode( tif, (uint8*) data, cc ); + + if (!isFillOrder(tif, td->td_fillorder) && + (tif->tif_flags & TIFF_NOBITREV) == 0) + TIFFReverseBits((uint8*) data, cc); + + if (cc > 0 && + !TIFFAppendToStrip(tif, tile, (uint8*) data, cc)) + return ((tmsize_t) -1); + return (cc); + } + + sample = (uint16)(tile/td->td_stripsperimage); + if (!(*tif->tif_preencode)(tif, sample)) + return ((tmsize_t)(-1)); /* swab if needed - note that source buffer will be altered */ tif->tif_postdecode( tif, (uint8*) data, cc );
