Hello community,

here is the log from the commit of package tiff for openSUSE:Factory checked in at 2016-12-02 16:37:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff" Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2016-10-14 03:37:23.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2016-12-02 16:37:12.000000000 +0100 
@@ -1,0 +2,245 @@ +Tue Nov 29 08:45:11 UTC 2016 - fst...@suse.com + +- Upgrade to upstream release 4.0.7 + * libtiff/tif_aux.c + + Fix crash in TIFFVGetFieldDefaulted() when requesting + Predictor tag and that the zip/lzw codec is not configured. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591 + * libtiff/tif_compress.c + + Make TIFFNoDecode() return 0 to indicate an error and make + upper level read routines treat it accordingly. (linked to the + test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517) + * libtiff/tif_dir.c + + Discard values of SMinSampleValue and SMaxSampleValue when + they have been read and the value of SamplesPerPixel is + changed afterwards (like when reading a OJPEG compressed image + with a missing SamplesPerPixel tag, and whose photometric is + RGB or YCbCr, forcing SamplesPerPixel being 3). Otherwise when + rewriting the directory (for example with tiffset, we will + expect 3 values whereas the array had been allocated with just + one), thus causing a out of bound read access. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2500 + (CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658, bsc#974840) + * libtiff/tif_dirread.c + + In TIFFFetchNormalTag(), do not dereference NULL pointer when + values of tags with TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII + access are 0-byte arrays. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression + introduced by previous fix done on 2016-11-11 for + CVE-2016-9297, bsc#1010161). Assigned as CVE-2016-9448, + bsc#1011103 + + In TIFFFetchNormalTag(), make sure that values of tags with + TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII access are null + terminated, to avoid potential read outside buffer in + _TIFFPrintField(). 
Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2590 + (CVE-2016-9297, bsc#1010161) + + Initialize doubledata at line 3693 to NULL to please MSVC 2013 + + Prevent reading ColorMap or TransferFunction if + BitsPerPixel > 24, so as to avoid huge memory allocation and + file read attempts + + Reject images with OJPEG compression that have no + TileOffsets/StripOffsets tag, when OJPEG compression is + disabled. Prevent null pointer dereference in + TIFFReadRawStrip1() and other functions that expect + td_stripbytecount to be non NULL. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2585 + + When compiled with DEFER_STRILE_LOAD, fix regression, when + reading a one-strip file without a StripByteCounts tag. + + Workaround false positive warning of Clang Static Analyzer + about null pointer dereference in TIFFCheckDirOffset(). + * libtiff/tif_dirwrite.c + + Avoid null pointer dereference on td_stripoffset when writing + directory, if FIELD_STRIPOFFSETS was artificially set for a + hack case in OJPEG case. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2500 + (CVE-2014-8127, bsc#914890, duplicate: CVE-2016-3658, + bsc#974840) + + Fix truncation to 32 bit of file offsets in TIFFLinkDirectory() + and TIFFWriteDirectorySec() when aligning directory offsets on + an even offset (affects BigTIFF). + * libtiff/tif_dumpmode.c + + DumpModeEncode() should return 0 in case of failure so that + the above mentionned functions detect the error. + * libtiff/tif_fax3.c + + remove dead assignment in Fax3PutEOLgdal(). + * libtiff/tif_fax3.h + + make Param member of TIFFFaxTabEnt structure a uint16 to + reduce size of the binary. + * libtiff/tif_getimage.c + + Fix out-of-bound reads in TIFFRGBAImage interface in case of + unsupported values of SamplesPerPixel/ExtraSamples for + LogLUV/CIELab. Add explicit call to TIFFRGBAImageOK() in + TIFFRGBAImageBegin(). Fix CVE-2015-8665 and CVE-2015-8683. 
+ + Fix some benign warnings which appear in 64-bit compilation + under Microsoft Visual Studio of the form "Arithmetic + overflow: 32-bit value is shifted, then cast to 64-bit value. + Results might not be an expected value." + + TIFFRGBAImageOK: Reject attempts to read floating point images. + * libtiff/tif_luv.c + + Fix potential out-of-bound writes in decode functions in non + debug builds by replacing assert()s by regular if checks + (http://bugzilla.maptools.org/show_bug.cgi?id=2522). Fix + potential out-of-bound reads in case of short input data. + + Validate that for COMPRESSION_SGILOG and PHOTOMETRIC_LOGL, + there is only one sample per pixel. Avoid potential invalid + memory write on corrupted/unexpected images when using the + TIFFRGBAImageBegin() interface + * libtiff/tif_next.c + + Fix potential out-of-bound write in NeXTDecode() + (http://bugzilla.maptools.org/show_bug.cgi?id=2508) + * libtiff/tif_pixarlog.c + + Avoid zlib error messages to pass a NULL string to %s + formatter, which is undefined behaviour in sprintf(). + + Fix out-of-bounds write vulnerabilities in heap allocated + buffers. Reported as MSVR 35094. + + Fix potential buffer write overrun in PixarLogDecode() on + corrupted/unexpected images (CVE-2016-5875, bsc#987351) + + Fix write buffer overflow in PixarLogEncode if more input + samples are provided than expected by PixarLogSetupEncode. + Idea based on libtiff-CVE-2016-3990.patch from + libtiff-4.0.3-25.el7_2.src.rpm, but with different and simpler + check. (http://bugzilla.maptools.org/show_bug.cgi?id=2544, + bsc#975069) + * libtiff/tif_predict.c + + PredictorSetup: Enforce bits-per-sample requirements of + floating point predictor (3). Fixes CVE-2016-3622 "Divide By + Zero in the tiff2rgba tool." (bsc#974449) + * libtiff/tif_predict.h, libtiff/tif_predict.c + + Replace assertions by runtime checks to avoid assertions in + debug mode, or buffer overflows in release mode. 
Can happen + when dealing with unusual tile size like YCbCr with + subsampling. Reported as MSVR 35105. + * libtiff/tif_read.c + + Fix out-of-bounds read on memory-mapped files in + TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset + is beyond tmsize_t max value + + Make TIFFReadEncodedStrip() and TIFFReadEncodedTile() directly + use user provided buffer when no compression (and other + conditions) to save a memcpy(). + * libtiff/tif_strip.c + + Make TIFFNumberOfStrips() return the td->td_nstrips value when + it is non-zero, instead of recomputing it. This is needed in + TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read + outsize of array in tiffsplit (or other utilities using + TIFFNumberOfStrips()). Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2587 + (CVE-2016-9273, bsc#1010163) + * libtiff/tif_write.c + + Fix issue in error code path of TIFFFlushData1() that didn't + reset the tif_rawcc and tif_rawcp members. I'm not completely + sure if that could happen in practice outside of the odd + behaviour of t2p_seekproc() of tiff2pdf). The report points + that a better fix could be to check the return value of + TIFFFlushData1() in places where it isn't done currently, but + it seems this patch is enough. Reported as MSVR 35095. + + Make TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() + directly use user provided buffer when no compression to save + a memcpy(). + + TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() should + return -1 in case of failure of tif_encodestrip() as documented + * tools/fax2tiff.c + + Fix segfault when specifying -r without argument. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2572 + * tools/Makefile.am + + The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, + sgisv, and ycbcr are completely removed from the distribution. + The libtiff tools rgb2ycbcr and thumbnail are only built in + the build tree for testing. 
Old files are put in new 'archive' + subdirectory of the source repository, but not in + distribution archives. These changes are made in order to + lessen the maintenance burden. + * tools/rgb2ycbcr.c + + Validate values of -v and -h parameters to avoid potential + divide by zero. Fixes CVE-2016-3623, bsc#974618 + (http://bugzilla.maptools.org/show_bug.cgi?id=2569) + * tools/tiff2bw.c + + Fix weight computation that could result of color value + overflow (no security implication). Fix + http://bugzilla.maptools.org/show_bug.cgi?id=2550. + * tools/tiff2pdf.c + + Avoid undefined behaviour related to overlapping of source and + destination buffer in memcpy() call in + t2p_sample_rgbaa_to_rgb() Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2577 + + Fix out-of-bounds write vulnerabilities in heap allocate buffer + in t2p_process_jpeg_strip(). Reported as MSVR 35098. + + Fix potential integer overflows on 32 bit builds in + t2p_read_tiff_size() Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2576 + + Fix read -largely- outsize of buffer in + t2p_readwrite_pdf_image_tile(), causing crash, when reading a + JPEG compressed image with TIFFTAG_JPEGTABLES length being one. + Reported as MSVR 35101. CVE-2016-9453, bsc#1011107 + + Fix write buffer overflow of 2 bytes on JPEG compressed images. + Reported as TALOS-CAN-0187, CVE-2016-5652, bsc#1007280. Also + prevents writing 2 extra uninitialized bytes to the file + stream. + * tools/tiff2rgba.c + + Fix integer overflow in size of allocated buffer, when -b mode + is enabled, that could result in out-of-bounds write. Based + initially on patch tiff-CVE-2016-3945.patch from + libtiff-4.0.3-25.el7_2.src.rpm, with correction for invalid + tests that rejected valid files. + (http://bugzilla.maptools.org/show_bug.cgi?id=2545, bsc#974614) + * tools/tiffcp.c + + Fix out-of-bounds write on tiled images with odd tile width vs + image width. Reported as MSVR 35103. 
+ + Fix read of undefined variable in case of missing required + tags. Found on test case of MSVR 35100. + * tools/tiffcrop.c + + Avoid access outside of stack allocated array on a tiled + separate TIFF with more than 8 samples per pixel. + (CVE-2016-5321, CVE-2016-5323, + http://bugzilla.maptools.org/show_bug.cgi?id=2558, + http://bugzilla.maptools.org/show_bug.cgi?id=2559, bsc#984813, + bsc#984815) + + Fix memory leak in (recent) error code path. Fixes Coverity ++++ 48 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/tiff/tiff.changes ++++ and /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes Old: ---- tiff-4.0.4-uninitialized_mem_NeXTDecode.patch tiff-4.0.6-CVE-2015-7554.patch tiff-4.0.6-CVE-2015-8782.patch tiff-4.0.6-CVE-2016-3186.patch tiff-4.0.6-CVE-2016-3623.patch tiff-4.0.6-CVE-2016-3945.patch tiff-4.0.6-CVE-2016-3990.patch tiff-4.0.6-CVE-2016-3991.patch tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch tiff-4.0.6.tar.gz New: ---- tiff-4.0.7-CVE-2015-7554.patch tiff-4.0.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.viBwVJ/_old 2016-12-02 16:37:14.000000000 +0100 +++ /var/tmp/diff_new_pack.viBwVJ/_new 2016-12-02 16:37:14.000000000 +0100 @@ -17,7 +17,7 @@ Name: tiff -Version: 4.0.6 +Version: 4.0.7 Release: 0 Summary: Tools for Converting from and to the Tiff Format License: HPND 
@@ -30,25 +30,7 @@ # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2508 -Patch2: tiff-4.0.4-uninitialized_mem_NeXTDecode.patch -# http://bugzilla.maptools.org/show_bug.cgi?id=2499 -Patch3: tiff-4.0.6-CVE-2015-7554.patch -# http://bugzilla.maptools.org/show_bug.cgi?id=2522 -Patch4: tiff-4.0.6-CVE-2015-8782.patch -# -Patch5: tiff-4.0.6-CVE-2016-3186.patch -# -Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch -Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch -Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch -# -Patch9: tiff-4.0.6-CVE-2016-3623.patch -Patch10: tiff-4.0.6-CVE-2016-3945.patch -Patch11: tiff-4.0.6-CVE-2016-3990.patch -Patch12: tiff-4.0.6-CVE-2016-3991.patch -# -Patch13: tiff-4.0.6-tools-tiffcrop.c-fix-various-out-of-bounds-write-vul.patch -Patch14: tiff-4.0.6-libtiff-tif_getimage.c-TIFFRGBAImageOK-Reject-attemp.patch +Patch3: tiff-4.0.7-CVE-2015-7554.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel @@ -112,19 +94,7 @@ %setup -q %patch0 -p1 %patch1 -p1 -%patch2 %patch3 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 %build CFLAGS="%{optflags} -fPIE" @@ -147,8 +117,9 @@ find html -name "Makefile*" | xargs rm %check -cd test -make %{?_smp_mflags} check +for i in tools tests; do + cd $i && make %{?_smp_mflags} check +done %post -n libtiff5 -p /sbin/ldconfig ++++++ tiff-4.0.6-CVE-2015-7554.patch -> tiff-4.0.7-CVE-2015-7554.patch ++++++ --- /work/SRC/openSUSE:Factory/tiff/tiff-4.0.6-CVE-2015-7554.patch 2016-02-03 10:19:03.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff-4.0.7-CVE-2015-7554.patch 2016-12-02 16:37:12.000000000 +0100 
@@ -13,6 +13,6 @@ { TIFFTAG_TILEOFFSETS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPOFFSETS, 0, 0, "TileOffsets", NULL }, { TIFFTAG_TILEBYTECOUNTS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPBYTECOUNTS, 0, 0, "TileByteCounts", NULL }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+2, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, - { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", &tiffFieldArray }, + { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, ++++++ tiff-4.0.6.tar.gz -> tiff-4.0.7.tar.gz ++++++ ++++ 15020 lines of diff (skipped)
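Review bot: in the tiff.changes entry, the upstream fixes that replace dropped patches are not all tagged with the CVE id the patch carried. The tif_luv.c item cites bugzilla 2522, which the removed spec comment pairs with tiff-4.0.6-CVE-2015-8782.patch, but names no CVE, and CVE-2016-3186 and CVE-2016-3991 do not appear in the visible part of the entry (48 lines are skipped here). Please list each dropped patch's CVE and bsc number next to the upstream fix that supersedes it, and state why the CVE-2015-7554 patch is still carried on top of 4.0.7.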
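Review bot: in the tiff.spec hunk `@@ -30,25 +30,7 @@`, the comment `# http://bugzilla.maptools.org/show_bug.cgi?id=2508` stays as context while `Patch2` is removed, and the `id=2499` comment that sat above the CVE-2015-7554 patch is deleted. The remaining `Patch3: tiff-4.0.7-CVE-2015-7554.patch` therefore ends up under the wrong bug reference. Suggest dropping the 2508 line and keeping the 2499 one directly above `Patch3`.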
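Review bot: in the tiff.spec `%check` hunk (`@@ -147,8 +117,9 @@`), the loop runs `cd $i && make %{?_smp_mflags} check` without returning to the top of the source tree, so the second iteration's `cd` is resolved relative to `tools`. The second directory is also spelled `tests`, while the removed line was `cd test`. Suggest `make -C $i %{?_smp_mflags} check` for each directory, or a subshell around the `cd`, and confirming the directory name against the 4.0.7 tree so that a missing directory fails the build instead of silently skipping the test suite.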