Hello community,

here is the log from the commit of package tiff for openSUSE:Factory checked in 
at 2013-05-03 13:52:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tiff (Old)
 and      /work/SRC/openSUSE:Factory/.tiff.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tiff"

Changes:
--------
--- /work/SRC/openSUSE:Factory/tiff/tiff.changes        2013-04-05 
17:14:02.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes   2013-05-03 
13:52:31.000000000 +0200
@@ -1,0 +2,7 @@
+Tue Apr 30 13:20:50 UTC 2013 - pgaj...@suse.com
+
+- security update
+  * CVE-2013-1961.patch [bnc#818117]
+  * CVE-2013-1960.patch [bnc#817573]
+
+-------------------------------------------------------------------

New:
----
  tiff-4.0.3-CVE-2013-1960.patch
  tiff-4.0.3-CVE-2013-1961.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tiff.spec ++++++
--- /var/tmp/diff_new_pack.ei8ngK/_old  2013-05-03 13:52:32.000000000 +0200
+++ /var/tmp/diff_new_pack.ei8ngK/_new  2013-05-03 13:52:32.000000000 +0200
@@ -50,6 +50,8 @@
 Patch1:         tiff-%{version}-seek.patch
 Patch2:         tiff-%{version}-tiff2pdf-colors.patch
 Patch3:         tiff-%{version}-CVE-2012-4564.patch
+Patch4:         tiff-%{version}-CVE-2013-1961.patch
+Patch5:         tiff-%{version}-CVE-2013-1960.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9:         tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -97,6 +99,8 @@
 %patch1 -p1
 %patch2 -p1
 %patch3
+%patch4
+%patch5
 
 %build
 %configure --disable-static --with-pic

++++++ tiff-4.0.3-CVE-2013-1960.patch ++++++
https://bugzilla.novell.com/show_bug.cgi?id=817573#c1
CVE-2013-1960 libtiff (tiff2pdf): Heap-based buffer overflow in 
t2_process_jpeg_strip()
=======================================================================================
A heap-based buffer overflow flaw was found in the way tiff2pdf, the TIFF image 
to PDF document conversion tool of libtiff (a library of functions for 
manipulating TIFF (Tagged Image File Format) image format files), wrote TIFF 
image content into the PDF document file in the t2p_process_jpeg_strip() 
function. A remote attacker could provide a specially-crafted TIFF image 
format file that, when processed by tiff2pdf, would lead to a crash of the 
tiff2pdf executable or, potentially, arbitrary code execution with the 
privileges of the user running the tiff2pdf binary.

Index: tools/tiff2pdf.c
===================================================================
--- tools/tiff2pdf.c.orig
+++ tools/tiff2pdf.c
@@ -3341,33 +3341,56 @@ int t2p_process_jpeg_strip(
        uint32 height){
 
        tsize_t i=0;
-       uint16 ri =0;
-       uint16 v_samp=1;
-       uint16 h_samp=1;
-       int j=0;
-       
-       i++;
-       
-       while(i<(*striplength)){
+
+      while (i < *striplength) {
+              tsize_t datalen;
+              uint16 ri;
+              uint16 v_samp;
+              uint16 h_samp;
+              int j;
+              int ncomp;
+
+              /* marker header: one or more FFs */
+              if (strip[i] != 0xff)
+                      return(0);
+              i++;
+              while (i < *striplength && strip[i] == 0xff)
+                      i++;
+              if (i >= *striplength)
+                      return(0);
+              /* SOI is the only pre-SOS marker without a length word */
+              if (strip[i] == 0xd8)
+                      datalen = 0;
+              else {
+                      if ((*striplength - i) <= 2)
+                              return(0);
+                      datalen = (strip[i+1] << 8) | strip[i+2];
+                      if (datalen < 2 || datalen >= (*striplength - i))
+                              return(0);
+              }
                switch( strip[i] ){
-                       case 0xd8:
-                               /* SOI - start of image */
+                      case 0xd8:      /* SOI - start of image */
                                _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), 2);
                                *bufferoffset+=2;
-                               i+=2;
                                break;
-                       case 0xc0:
-                       case 0xc1:
-                       case 0xc3:
-                       case 0xc9:
-                       case 0xca:
+                      case 0xc0:      /* SOF0 */
+                      case 0xc1:      /* SOF1 */
+                      case 0xc3:      /* SOF3 */
+                      case 0xc9:      /* SOF9 */
+                      case 0xca:      /* SOF10 */
                                if(no==0){
-                                       _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), strip[i+2]+2);
-                                       for(j=0;j<buffer[*bufferoffset+9];j++){
-                                               if( 
(buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) 
-                                                       h_samp = 
(buffer[*bufferoffset+11+(2*j)]>>4);
-                                               if( 
(buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) 
-                                                       v_samp = 
(buffer[*bufferoffset+11+(2*j)] & 0x0f);
+                                      _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), datalen+2);
+                                      ncomp = buffer[*bufferoffset+9];
+                                      if (ncomp < 1 || ncomp > 4)
+                                              return(0);
+                                      v_samp=1;
+                                      h_samp=1;
+                                      for(j=0;j<ncomp;j++){
+                                              uint16 samp = 
buffer[*bufferoffset+11+(3*j)];
+                                              if( (samp>>4) > h_samp) 
+                                                      h_samp = (samp>>4);
+                                              if( (samp & 0x0f) > v_samp) 
+                                                      v_samp = (samp & 0x0f);
                                        }
                                        v_samp*=8;
                                        h_samp*=8;
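Review bot: The SOF branch reads `buffer[*bufferoffset+9]` and `buffer[*bufferoffset+11+(3*j)]` without checking that `datalen` is large enough for the copied segment to contain those bytes. The new length test only requires `datalen >= 2`, so a short SOF segment copies as few as 4 bytes, and `ncomp` and the sampling factors are then taken from whatever the output buffer already held past the copied data; the height bytes written at offsets +5 and +6 further down would likewise land beyond the copied segment. A frame header with `ncomp` components is 8 + 3*ncomp bytes long, so I would add `if (datalen < 8) return(0);` before reading `ncomp` and `if (datalen < 8 + 3*ncomp) return(0);` after the range check on it. The function starts before this hunk and continues after it.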
@@ -3381,45 +3404,43 @@ int t2p_process_jpeg_strip(
                                           (unsigned char) ((height>>8) & 0xff);
                                        buffer[*bufferoffset+6]=
                                             (unsigned char) (height & 0xff);
-                                       *bufferoffset+=strip[i+2]+2;
-                                       i+=strip[i+2]+2;
-
+                                      *bufferoffset+=datalen+2;
+                                      /* insert a DRI marker */
                                        buffer[(*bufferoffset)++]=0xff;
                                        buffer[(*bufferoffset)++]=0xdd;
                                        buffer[(*bufferoffset)++]=0x00;
                                        buffer[(*bufferoffset)++]=0x04;
                                        buffer[(*bufferoffset)++]=(ri >> 8) & 
0xff;
                                        buffer[(*bufferoffset)++]= ri & 0xff;
-                               } else {
-                                       i+=strip[i+2]+2;
                                }
                                break;
-                       case 0xc4:
-                       case 0xdb:
-                               _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), strip[i+2]+2);
-                               *bufferoffset+=strip[i+2]+2;
-                               i+=strip[i+2]+2;
+                      case 0xc4: /* DHT */
+                      case 0xdb: /* DQT */
+                              _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), datalen+2);
+                              *bufferoffset+=datalen+2;
                                break;
-                       case 0xda:
+                      case 0xda: /* SOS */
                                if(no==0){
-                                       _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), strip[i+2]+2);
-                                       *bufferoffset+=strip[i+2]+2;
-                                       i+=strip[i+2]+2;
+                                      _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), datalen+2);
+                                      *bufferoffset+=datalen+2;
                                } else {
                                        buffer[(*bufferoffset)++]=0xff;
                                        buffer[(*bufferoffset)++]=
                                             (unsigned char)(0xd0 | ((no-1)%8));
-                                       i+=strip[i+2]+2;
                                }
-                               _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i-1]), (*striplength)-i-1);
-                               *bufferoffset+=(*striplength)-i-1;
+                              i += datalen + 1;
+                              /* copy remainder of strip */
+                              _TIFFmemcpy(&(buffer[*bufferoffset]), 
&(strip[i]), *striplength - i);
+                              *bufferoffset+= *striplength - i;
                                return(1);
                        default:
-                               i+=strip[i+2]+2;
+                              /* ignore any other marker */
+                              break;
                }
+              i += datalen + 1;
        }
-       
 
+      /* failed to find SOS marker */
        return(0);
 }
 #endif
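Review bot: Every write into `buffer` in this hunk is still unchecked against the buffer's capacity; the new tests compare only against `*striplength`. For `no==0` each SOF segment also appends a 6-byte DRI segment that is not in the input, and nothing stops the SOF case from running more than once in a strip, so the output can exceed the strip length by 6 bytes per SOF. Whether that fits depends on how the caller sized `buffer`, which is not visible here. I would reject a repeated frame header, e.g. `int sof_seen = 0;` before the loop and `if (sof_seen++) return(0);` at the top of the SOF case, and add a comment at the DRI insert stating the capacity the caller must provide. The start of the function is outside this hunk.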
++++++ tiff-4.0.3-CVE-2013-1961.patch ++++++
++++ 774 lines (skipped)
