Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at 2022-11-15 13:18:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff" Tue Nov 15 13:18:18 2022 rev:87 rq:1035628 version:4.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2022-10-18 12:44:49.221699212 +0200 +++ /work/SRC/openSUSE:Factory/.tiff.new.1597/tiff.changes 2022-11-15 13:21:04.128690285 +0100 @@ -1,0 +2,20 @@ +Mon Nov 14 11:54:03 UTC 2022 - Michael Vetter <mvet...@suse.com> + +- security update: + * CVE-2022-3970 [bsc#1205392] + + tiff-CVE-2022-3970.patch + +------------------------------------------------------------------- +Sun Nov 13 20:42:25 UTC 2022 - Michael Vetter <mvet...@suse.com> + +- security update: + * CVE-2022-3597 [bsc#1204641] + * CVE-2022-3626 [bsc#1204644] + * CVE-2022-3627 [bsc#1204645] + + tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch + * CVE-2022-3599 [bsc#1204643] + + tiff-CVE-2022-3599.patch + * CVE-2022-3598 [bsc#1204642] + + tiff-CVE-2022-3598.patch + +------------------------------------------------------------------- New: ---- tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch tiff-CVE-2022-3598.patch tiff-CVE-2022-3599.patch tiff-CVE-2022-3970.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.8vXg7p/_old 2022-11-15 13:21:04.636692908 +0100 +++ /var/tmp/diff_new_pack.8vXg7p/_new 2022-11-15 13:21:04.644692949 +0100 @@ -36,6 +36,10 @@ Patch2: tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.patch Patch3: tiff-CVE-2022-34526.patch Patch4: tiff-CVE-2022-2519,CVE-2022-2520,CVE-2022-2521.patch +Patch5: tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch +Patch6: tiff-CVE-2022-3599.patch +Patch7: tiff-CVE-2022-3598.patch +Patch8: tiff-CVE-2022-3970.patch BuildRequires: gcc-c++ BuildRequires: libjbig-devel BuildRequires: libjpeg-devel 
@@ -78,6 +82,10 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build CFLAGS="%{optflags} -fPIE" ++++++ tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch ++++++ Index: tiff-4.4.0/tools/tiffcrop.c =================================================================== --- tiff-4.4.0.orig/tools/tiffcrop.c +++ tiff-4.4.0/tools/tiffcrop.c @@ -108,8 +108,10 @@ * lower level, scanline level routines. Debug reports a limited set * of messages to monitor progress without enabling dump logs. * - * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. + * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive. * In no case should the options be applied to a given selection successively. + * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options + * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. */ static char tiffcrop_version_id[] = "2.5"; @@ -781,8 +783,10 @@ static const char usage_info[] = " The four debug/dump options are independent, though it makes little sense to\n" " specify a dump file without specifying a detail level.\n" "\n" -"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" +"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" " In no case should the options be applied to a given selection successively.\n" +"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options\n" +" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.\n" "\n" ; 
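Review bot: The Note 2 text added to `usage_info` prints `- H` with a space inside the option, while the source comment in the first tiffcrop.c hunk has `-H`; the same `- H` is repeated in the TIFFError message added to process_command_opts. The help text also says the combination "may cause buffer overflows", although this patch makes tiffcrop exit on it, so it describes a hazard rather than the behaviour. I would write the second line as `" such as -H, -V, -P, -J or -K are not supported and are rejected.\n"`. `usage_info` starts well before this hunk.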
@@ -2138,9 +2142,20 @@ void process_command_opts (int argc, ch R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; if (XY + Z + R + S > 1) { - TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); exit(EXIT_FAILURE); } + + /* Check for not allowed combination: + * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options + * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. +. */ + if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { + TIFFError("tiffcrop input error", + "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); + exit(EXIT_FAILURE); + } + } /* end process_command_opts */ /* Start a new output file if one has not been previously opened or @@ -2411,6 +2426,7 @@ main(int argc, char* argv[]) exit (EXIT_FAILURE); } + /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */ if (crop.selections > 0) { if (processCropSelections(&image, &crop, &read_buff, seg_buffs)) @@ -2427,6 +2443,7 @@ main(int argc, char* argv[]) exit (EXIT_FAILURE); } } + /* Format and write selected image parts to output file(s). */ if (page.mode == PAGE_MODE_NONE) { /* Whole image or sections not based on output page size */ if (crop.selections > 0) ++++++ tiff-CVE-2022-3598.patch ++++++ ++++ 640 lines (skipped) ++++++ tiff-CVE-2022-3599.patch ++++++ Index: tiff-4.4.0/libtiff/tif_dir.c =================================================================== --- tiff-4.4.0.orig/libtiff/tif_dir.c +++ tiff-4.4.0/libtiff/tif_dir.c 
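Review bot: The new `(XY + Z + R > 0) && page->mode != PAGE_MODE_NONE` test is the only barrier between these option combinations and the overflow its own message describes, and it sits at the end of process_command_opts rather than next to the buffer code. Nothing in this hunk or in the two comment-only hunks in main() changes how the output buffers are sized, so the protection holds only while every path into the write stage passes through this parser; that is inferred from the visible lines and worth confirming. I would say so in the comment, e.g. `/* Sole guard: the crop and page write paths do not bound-check this combination themselves. */`. The added comment also closes with a stray `. */` line and the message ends in `overflows..->exit`; both should lose the extra period. The function starts outside the hunk.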
@@ -136,32 +136,31 @@ setExtraSamples(TIFF* tif, va_list ap, u } /* - * Confirm we have "samplesperpixel" ink names separated by \0. Returns + * Count ink names separated by \0. Returns * zero if the ink names are not as expected. */ -static uint32_t -checkInkNamesString(TIFF* tif, uint32_t slen, const char* s) +static uint16_t +countInkNamesString(TIFF *tif, uint32_t slen, const char *s) { - TIFFDirectory* td = &tif->tif_dir; - uint16_t i = td->td_samplesperpixel; + uint16_t i = 0; + const char *ep = s + slen; + const char *cp = s; if (slen > 0) { - const char* ep = s+slen; - const char* cp = s; - for (; i > 0; i--) { + do { for (; cp < ep && *cp != '\0'; cp++) {} if (cp >= ep) goto bad; cp++; /* skip \0 */ - } - return ((uint32_t)(cp - s)); + i++; + } while (cp < ep); + return (i); } bad: TIFFErrorExt(tif->tif_clientdata, "TIFFSetField", - "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16, - tif->tif_name, - td->td_samplesperpixel, - (uint16_t)(td->td_samplesperpixel-i)); + "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink", + tif->tif_name, slen, i); + return (0); } 
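Review bot: countInkNamesString counts into a `uint16_t` while `slen` is a `uint32_t`, so a buffer with more than 65535 NUL terminators would wrap `i`, and a wrap to zero cannot be told apart from the error return. The caller in the next hunk passes a length already truncated to `uint16_t`, so this looks unreachable today, but the function does not enforce it; `if (i == UINT16_MAX) goto bad;` placed before `i++` would. `ep = s + slen` is also now computed before the `slen > 0` test, so a NULL `s` with zero length performs pointer arithmetic on NULL that the old code skipped. The header comment should state that the return value is the number of names and that empty names (consecutive NULs) are counted.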
@@ -475,13 +474,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); break; case TIFFTAG_INKNAMES: - v = (uint16_t) va_arg(ap, uint16_vap); - s = va_arg(ap, char*); - v = checkInkNamesString(tif, v, s); - status = v > 0; - if( v > 0 ) { - _TIFFsetNString(&td->td_inknames, s, v); - td->td_inknameslen = v; +{ + v = (uint16_t) va_arg(ap, uint16_vap); + s = va_arg(ap, char*); + uint16_t ninksinstring; + ninksinstring = countInkNamesString(tif, v, s); + status = ninksinstring > 0; + if(ninksinstring > 0 ) { + _TIFFsetNString(&td->td_inknames, s, v); + td->td_inknameslen = v; + /* Set NumberOfInks to the value ninksinstring */ + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) + { + if (td->td_numberofinks != ninksinstring) { + TIFFErrorExt(tif->tif_clientdata, module, + "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"", + tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring); + td->td_numberofinks = ninksinstring; + } + } else { + td->td_numberofinks = ninksinstring; + TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS); + } + if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) + { + if (td->td_numberofinks != td->td_samplesperpixel) { + TIFFErrorExt(tif->tif_clientdata, module, + "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", + tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel); + } + } + } + } + break; + case TIFFTAG_NUMBEROFINKS: + v = (uint16_t)va_arg(ap, uint16_vap); + /* If InkNames already set also NumberOfInks is set accordingly and should be equal */ + if (TIFFFieldSet(tif, FIELD_INKNAMES)) + { + if (v != td->td_numberofinks) { + TIFFErrorExt(tif->tif_clientdata, module, + "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the 
InkNames tag (%"PRIu16")", + tif->tif_name, fip->field_name, v, td->td_numberofinks); + /* Do not set / overwrite number of inks already set by InkNames case accordingly. */ + status = 0; + } + } else { + td->td_numberofinks = (uint16_t)v; + if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) + { + if (td->td_numberofinks != td->td_samplesperpixel) { + TIFFErrorExt(tif->tif_clientdata, module, + "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", + tif->tif_name, fip->field_name, v, td->td_samplesperpixel); + } + } } break; case TIFFTAG_PERSAMPLE: @@ -916,34 +963,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, standard_tag = 0; } - if( standard_tag == TIFFTAG_NUMBEROFINKS ) - { - int i; - for (i = 0; i < td->td_customValueCount; i++) { - uint16_t val; - TIFFTagValue *tv = td->td_customValues + i; - if (tv->info->field_tag != standard_tag) - continue; - if( tv->value == NULL ) - return 0; - val = *(uint16_t *)tv->value; - /* Truncate to SamplesPerPixel, since the */ - /* setting code for INKNAMES assume that there are SamplesPerPixel */ - /* inknames. */ - /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ - if( val > td->td_samplesperpixel ) - { - TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", - "Truncating NumberOfInks from %u to %"PRIu16, - val, td->td_samplesperpixel); - val = td->td_samplesperpixel; - } - *va_arg(ap, uint16_t*) = val; - return 1; - } - return 0; - } - switch (standard_tag) { case TIFFTAG_SUBFILETYPE: *va_arg(ap, uint32_t*) = td->td_subfiletype; @@ -1124,6 +1143,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, case TIFFTAG_INKNAMES: *va_arg(ap, const char**) = td->td_inknames; break; + case TIFFTAG_NUMBEROFINKS: + *va_arg(ap, uint16_t *) = td->td_numberofinks; + break; default: { int i; Index: tiff-4.4.0/libtiff/tif_dir.h =================================================================== --- tiff-4.4.0.orig/libtiff/tif_dir.h +++ tiff-4.4.0/libtiff/tif_dir.h 
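Review bot: The three messages that begin with "Warning" in the InkNames and NumberOfInks cases are sent through `TIFFErrorExt`, while the truncation code this commit removes from _TIFFVGetField used `TIFFWarningExt` for the same kind of condition. An application whose error handler aborts or rejects the file will now do so for a tag mismatch that the library itself repairs or tolerates, since the set still succeeds on those paths. I would route them through `TIFFWarningExt(tif->tif_clientdata, module, ...)` without the literal "Warning" prefix and keep `TIFFErrorExt` only for the branch that sets `status = 0`. `module`, `fip` and `v` are declared outside the hunk, so the `PRIu32` conversion used for `v` should be checked against its declared type.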
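Review bot: The new `case TIFFTAG_NUMBEROFINKS` returns `td->td_numberofinks` unmodified, whereas the block deleted in the previous hunk clamped the value to SamplesPerPixel. The set path only reports a mismatch with SamplesPerPixel and keeps the value, so a file can now yield a NumberOfInks larger than SamplesPerPixel to any caller that relied on the clamped value as a bound on per-sample data. That may be intended, but it changes what callers can assume, and a comment on the case would make it explicit: `/* Not clamped to SamplesPerPixel; callers must validate before using it as a per-sample bound. */`. The switch and the function start outside the hunk.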
@@ -117,6 +117,7 @@ typedef struct { /* CMYK parameters */ int td_inknameslen; char* td_inknames; + uint16_t td_numberofinks; /* number of inks in InkNames string */ int td_customValueCount; TIFFTagValue *td_customValues; @@ -174,6 +175,7 @@ typedef struct { #define FIELD_TRANSFERFUNCTION 44 #define FIELD_INKNAMES 46 #define FIELD_SUBIFD 49 +#define FIELD_NUMBEROFINKS 50 /* FIELD_CUSTOM (see tiffio.h) 65 */ /* end of support for well-known tags; codec-private tags follow */ #define FIELD_CODEC 66 /* base of codec-private tags */ Index: tiff-4.4.0/libtiff/tif_dirinfo.c =================================================================== --- tiff-4.4.0.orig/libtiff/tif_dirinfo.c +++ tiff-4.4.0/libtiff/tif_dirinfo.c 
@@ -114,7 +114,7 @@ tiffFields[] = { { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, - { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL }, + { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL }, { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL }, { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL }, { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL }, Index: tiff-4.4.0/libtiff/tif_dirwrite.c =================================================================== --- tiff-4.4.0.orig/libtiff/tif_dirwrite.c +++ tiff-4.4.0/libtiff/tif_dirwrite.c @@ -708,6 +708,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isi if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames)) goto bad; } + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) + { + if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks)) + goto bad; + } if (TIFFFieldSet(tif,FIELD_SUBIFD)) { if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir)) Index: tiff-4.4.0/libtiff/tif_print.c =================================================================== --- tiff-4.4.0.orig/libtiff/tif_print.c +++ tiff-4.4.0/libtiff/tif_print.c 
@@ -401,6 +401,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, } fputs("\n", fd); } + if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) { + fprintf(fd, " NumberOfInks: %d\n", + td->td_numberofinks); + } if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) { fprintf(fd, " Thresholding: "); switch (td->td_threshholding) { ++++++ tiff-CVE-2022-3970.patch ++++++ Index: tiff-4.4.0/libtiff/tif_getimage.c =================================================================== --- tiff-4.4.0.orig/libtiff/tif_getimage.c +++ tiff-4.4.0/libtiff/tif_getimage.c @@ -3058,15 +3058,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t return( ok ); for( i_row = 0; i_row < read_ysize; i_row++ ) { - memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, - raster + (read_ysize - i_row - 1) * read_xsize, + memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, + raster + (size_t)(read_ysize - i_row - 1) * read_xsize, read_xsize * sizeof(uint32_t) ); - _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, + _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, 0, sizeof(uint32_t) * (tile_xsize - read_xsize) ); } for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { - _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, + _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, 0, sizeof(uint32_t) * tile_xsize ); }
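Review bot: The `(size_t)` casts in the tif_getimage.c hunk widen the row-offset products only where `size_t` is wider than `uint32_t`; on a target with a 32-bit `size_t`, `(size_t)(tile_ysize - i_row - 1) * tile_xsize` still wraps as before. Whether such dimensions can reach these loops on those targets depends on checks outside the hunk (the raster would have to be allocated first), so this is a question rather than a confirmed defect. A comment above the first loop stating the assumption would settle it, e.g. `/* Offsets are computed in size_t; tile_xsize * tile_ysize is assumed to fit the caller's raster. */`, as would an explicit bound check before the loops. The function body starts and ends outside the hunk.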