Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at 2019-02-13 10:18:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff" Wed Feb 13 10:18:13 2019 rev:77 rq:674138 version:4.0.10 Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2018-11-26 10:13:21.990220372 +0100 +++ /work/SRC/openSUSE:Factory/.tiff.new.28833/tiff.changes 2019-02-13 10:18:18.621336490 +0100 @@ -1,0 +2,27 @@ +Tue Feb 12 15:36:02 UTC 2019 - [email protected] + +- security update + * CVE-2019-7663 [bsc#1125113] + + tiff-CVE-2019-7663.patch + +------------------------------------------------------------------- +Mon Feb 4 14:04:09 UTC 2019 - [email protected] + +- security update + * CVE-2019-6128 [bsc#1121626] + + tiff-CVE-2019-6128.patch + +------------------------------------------------------------------- +Wed Jan 30 12:47:58 UTC 2019 - Petr Gajdos <[email protected]> + +- extend tiff-CVE-2018-19210.patch and rename it to + tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11] + * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606] + +------------------------------------------------------------------- +Wed Jan 30 10:12:37 UTC 2019 - Petr Gajdos <[email protected]> + +- amend tiff-CVE-2018-12900.patch: fix wrong error message + [bsc#1099257] + +------------------------------------------------------------------- Old: ---- tiff-CVE-2018-19210.patch New: ---- tiff-CVE-2018-17000,19210.patch tiff-CVE-2019-6128.patch tiff-CVE-2019-7663.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.qkwlo3/_old 2019-02-13 10:18:19.813336037 +0100 +++ /var/tmp/diff_new_pack.qkwlo3/_new 2019-02-13 10:18:19.817336035 +0100 @@ -1,7 +1,7 @@ # # spec file for package tiff # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -34,7 +34,14 @@ # http://bugzilla.maptools.org/show_bug.cgi?id=2798 # https://gitlab.com/libtiff/libtiff/merge_requests/44 Patch2: tiff-CVE-2018-12900.patch -Patch3: tiff-CVE-2018-19210.patch +Patch3: tiff-CVE-2018-17000,19210.patch +# http://bugzilla.maptools.org/show_bug.cgi?id=2836 +# https://gitlab.com/libtiff/libtiff/merge_requests/50 +Patch4: tiff-CVE-2019-6128.patch +# http://bugzilla.maptools.org/show_bug.cgi?id=2833 +# https://gitlab.com/libtiff/libtiff/merge_requests/54 +# https://gitlab.com/libtiff/libtiff/merge_requests/60 +Patch5: tiff-CVE-2019-7663.patch BuildRequires: gcc-c++ BuildRequires: libjbig-devel BuildRequires: libjpeg-devel @@ -75,6 +82,8 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build CFLAGS="%{optflags} -fPIE" ++++++ tiff-CVE-2018-12900.patch ++++++ --- /var/tmp/diff_new_pack.qkwlo3/_old 2019-02-13 10:18:19.853336022 +0100 +++ /var/tmp/diff_new_pack.qkwlo3/_new 2019-02-13 10:18:19.853336022 +0100 @@ -8,7 +8,7 @@ } + if (0xFFFFFFFF / tilew < spp) + { -+ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps); ++ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or SamplePerPixel (%u) is too large", tilew, spp); + status = 0; + goto done; + } ++++++ tiff-CVE-2018-17000,19210.patch ++++++ Index: tiff-4.0.10/libtiff/tif_dirwrite.c =================================================================== --- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200 +++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100 @@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI } m=(1<<tif->tif_dir.td_bitspersample); n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples; + if (tif->tif_dir.td_transferfunction[2] == NULL || + tif->tif_dir.td_transferfunction[1] == NULL) + n = 1; /* * Check if the table can be written as a single column, * or if it must be written as 3 columns. Note that we diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c index 6f0b48798bdeee91729c10e1fbcf9786234be5f3..078fbcec20677f19f7f967a4834011fe60df1df3 100644 --- a/libtiff/tif_dir.c +++ b/libtiff/tif_dir.c @@ -285,6 +285,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) _TIFFfree(td->td_smaxsamplevalue); td->td_smaxsamplevalue = NULL; } + /* Test if 3 transfer functions instead of just one are now needed + See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */ + if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) && + !(td->td_samplesperpixel - td->td_extrasamples > 1)) + { + TIFFWarningExt(tif->tif_clientdata,module, + "SamplesPerPixel tag value is changing, " + "but TransferFunction was read with a different value. Cancelling it"); + TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); + _TIFFfree(td->td_transferfunction[0]); + td->td_transferfunction[0] = NULL; + } } td->td_samplesperpixel = (uint16) v; break; @@ -361,6 +373,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32); break; case TIFFTAG_EXTRASAMPLES: + if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) && + !(td->td_samplesperpixel - td->td_extrasamples > 1)) + { + TIFFWarningExt(tif->tif_clientdata,module, + "ExtraSamples tag value is changing, " + "but TransferFunction was read with a different value. Cancelling it"); + TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); + _TIFFfree(td->td_transferfunction[0]); + td->td_transferfunction[0] = NULL; + } if (!setExtraSamples(td, ap, &v)) goto badvalue; break; ++++++ tiff-CVE-2018-19210.patch -> tiff-CVE-2019-6128.patch ++++++ --- /work/SRC/openSUSE:Factory/tiff/tiff-CVE-2018-19210.patch 2018-11-26 10:13:21.782220616 +0100 +++ /work/SRC/openSUSE:Factory/.tiff.new.28833/tiff-CVE-2019-6128.patch 2019-02-13 10:18:18.461336551 +0100 @@ -1,14 +1,49 @@ -Index: tiff-4.0.10/libtiff/tif_dirwrite.c -=================================================================== ---- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200 -+++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100 -@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI +From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001 +From: Scott Gayou <[email protected]> +Date: Wed, 23 Jan 2019 15:03:53 -0500 +Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128. + +pal2rgb failed to free memory on a few errors. This was reported +here: http://bugzilla.maptools.org/show_bug.cgi?id=2836. +--- + tools/pal2rgb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 01d8502e..9492f1cf 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -118,12 +118,14 @@ main(int argc, char* argv[]) + shortv != PHOTOMETRIC_PALETTE) { + fprintf(stderr, "%s: Expecting a palette image.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); } - m=(1<<tif->tif_dir.td_bitspersample); - n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples; -+ if (tif->tif_dir.td_transferfunction[2] == NULL || -+ tif->tif_dir.td_transferfunction[1] == NULL) -+ n = 1; - /* - * Check if the table can be written as a single column, - * or if it must be written as 3 columns. Note that we + if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) { + fprintf(stderr, + "%s: No colormap (not a valid palette image).\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + bitspersample = 0; +@@ -131,11 +133,14 @@ main(int argc, char* argv[]) + if (bitspersample != 8) { + fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + out = TIFFOpen(argv[optind+1], "w"); +- if (out == NULL) ++ if (out == NULL) { ++ (void) TIFFClose(in); + return (-2); ++ } + cpTags(in, out); + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); +-- +2.18.1 + ++++++ tiff-CVE-2018-19210.patch -> tiff-CVE-2019-7663.patch ++++++ --- /work/SRC/openSUSE:Factory/tiff/tiff-CVE-2018-19210.patch 2018-11-26 10:13:21.782220616 +0100 +++ /work/SRC/openSUSE:Factory/.tiff.new.28833/tiff-CVE-2019-7663.patch 2019-02-13 10:18:18.553336517 +0100 @@ -1,14 +1,48 @@ Index: tiff-4.0.10/libtiff/tif_dirwrite.c =================================================================== ---- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200 -+++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100 -@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI +--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c ++++ tiff-4.0.10/libtiff/tif_dirwrite.c +@@ -1896,12 +1896,14 @@ TIFFWriteDirectoryTagTransferfunction(TI + n=3; + if (n==3) + { +- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16))) ++ if (tif->tif_dir.td_transferfunction[2] == NULL || ++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16))) + n=2; } - m=(1<<tif->tif_dir.td_bitspersample); - n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples; -+ if (tif->tif_dir.td_transferfunction[2] == NULL || -+ tif->tif_dir.td_transferfunction[1] == NULL) -+ n = 1; - /* - * Check if the table can be written as a single column, - * or if it must be written as 3 columns. Note that we + if (n==2) + { +- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16))) ++ if (tif->tif_dir.td_transferfunction[1] == NULL || ++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16))) + n=1; + } + if (n==0) +Index: tiff-4.0.10/tools/tiffcp.c +=================================================================== +--- tiff-4.0.10.orig/tools/tiffcp.c ++++ tiff-4.0.10/tools/tiffcp.c +@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf + int status = 1; + uint32 imagew = TIFFRasterScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew*spp; ++ int iskew; + tsize_t tilesize = TIFFTileSize(in); + tdata_t tilebuf; + uint8* bufp = (uint8*) buf; +@@ -1416,6 +1416,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuf + uint32 row; + uint16 bps = 0, bytes_per_sample; + ++ if (spp > (0x7fffffff / tilew)) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); ++ return 0; ++ } ++ iskew = imagew - tilew*spp; ++ + tilebuf = _TIFFmalloc(tilesize); + if (tilebuf == 0) + return 0;
