Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at 2015-03-09 10:04:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff" Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2014-12-25 23:19:57.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2015-03-09 10:04:40.000000000 +0100 @@ -1,0 +2,20 @@ +Thu Feb 26 13:58:54 UTC 2015 - [email protected] + +- security update: CVE-2014-9655, CVE-2014-8127, CVE-2014-8128, + CVE-2014-8129, CVE-2014-8130, CVE-2015-1547 + bnc#914890, bnc#916925, bnc#916927 + + erouault.2856.patch + + erouault.2857.patch + + erouault.2858.patch + + erouault.2859.patch + + erouault.2860.patch + + erouault.2861.patch + + erouault.2862.patch + + erouault.2863.patch + + erouault.2876.patch + + bfriesen.2805.patch + + tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch + + tiff-handle-TIFFTAG_PREDICTOR.patch + + tiff-dither-malloc-check.patch + +------------------------------------------------------------------- New: ---- bfriesen.2805.patch erouault.2856.patch erouault.2857.patch erouault.2858.patch erouault.2859.patch erouault.2860.patch erouault.2861.patch erouault.2862.patch erouault.2863.patch erouault.2876.patch tiff-dither-malloc-check.patch tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch tiff-handle-TIFFTAG_PREDICTOR.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.YM5Mir/_old 2015-03-09 10:04:41.000000000 +0100 +++ /var/tmp/diff_new_pack.YM5Mir/_new 2015-03-09 10:04:41.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package tiff # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -60,6 +60,20 @@ Patch9: tiff-4.0.3-CVE-2013-4231.patch Patch10: tiff-4.0.3-CVE-2013-4244.patch Patch11: tiff-4.0.3-CVE-2013-4243.patch +Patch12: erouault.2856.patch +Patch13: erouault.2857.patch +Patch14: erouault.2858.patch +Patch15: erouault.2859.patch +Patch16: erouault.2860.patch +Patch17: erouault.2861.patch +Patch18: erouault.2862.patch +Patch19: erouault.2863.patch +Patch20: erouault.2876.patch +Patch21: bfriesen.2805.patch +Patch22: tiff-dither-malloc-check.patch +Patch23: tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch +Patch24: tiff-handle-TIFFTAG_PREDICTOR.patch + # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch @@ -115,6 +129,19 @@ %patch9 %patch10 %patch11 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 +%patch23 +%patch24 %build CFLAGS="$RPM_OPT_FLAGS -fPIE" ++++++ bfriesen.2805.patch ++++++ --------------------- PatchSet 2805 Date: 2012/11/18 19:51:52 Author: bfriesen Branch: HEAD Tag: (none) Log: * libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not require malloc() to return NULL pointer if requested allocation size is zero. Assure that _TIFFmalloc does. Members: ChangeLog:1.924->1.925 libtiff/tif_unix.c:1.23->1.24 libtiff/tif_vms.c:1.11->1.12 libtiff/tif_win32.c:1.39->1.40 Index: libtiff/libtiff/tif_unix.c diff -u libtiff/libtiff/tif_unix.c:1.23 libtiff/libtiff/tif_unix.c:1.24 --- libtiff/libtiff/tif_unix.c:1.23 Fri Jun 1 16:40:59 2012 +++ libtiff/libtiff/tif_unix.c Sun Nov 18 12:51:52 2012 @@ -257,6 +257,9 @@ void* _TIFFmalloc(tmsize_t s) { + if (s == 0) + return ((void *) NULL); + return (malloc((size_t) s)); } ++++++ erouault.2856.patch ++++++ --------------------- PatchSet 2856 Date: 2014/12/21 17:15:31 Author: erouault Branch: HEAD Tag: (none) Log: Fix various crasher bugs on fuzzed images. * libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if BitsPerSample has not yet been read, otherwise reading it later will cause user code to crash if BitsPerSample > 1 * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB * tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight * tools/tiffdump.c: fix crash due to overflow of entry count. Members: ChangeLog:1.960->1.961 libtiff/tif_dir.c:1.117->1.118 libtiff/tif_dirread.c:1.180->1.181 libtiff/tif_getimage.c:1.82->1.83 libtiff/tif_next.c:1.13->1.14 tools/bmp2tiff.c:1.23->1.24 tools/tiff2pdf.c:1.77->1.78 tools/tiffcrop.c:1.23->1.24 tools/tiffdump.c:1.28->1.29 Index: libtiff/libtiff/tif_dir.c diff -u libtiff/libtiff/tif_dir.c:1.117 libtiff/libtiff/tif_dir.c:1.118 --- libtiff/libtiff/tif_dir.c:1.117 Thu Nov 20 11:47:21 2014 +++ libtiff/libtiff/tif_dir.c Sun Dec 21 10:15:31 2014 @@ -160,6 +160,7 @@ TIFFDirectory* td = &tif->tif_dir; int status = 1; uint32 v32, i, v; + double dblval; char* s; const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); uint32 standard_tag = tag; @@ -284,10 +285,16 @@ setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); break; case TIFFTAG_XRESOLUTION: - td->td_xresolution = (float) va_arg(ap, double); + dblval = va_arg(ap, double); + if( dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = (float) dblval; break; case TIFFTAG_YRESOLUTION: - td->td_yresolution = (float) va_arg(ap, double); + dblval = va_arg(ap, double); + if( dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = (float) dblval; break; case TIFFTAG_PLANARCONFIG: v = (uint16) va_arg(ap, uint16_vap); @@ -694,6 +701,16 @@ va_end(ap); } return (0); +badvaluedouble: + { + const TIFFField* fip=TIFFFieldWithTag(tif,tag); + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Bad value %f for \"%s\" tag", + tif->tif_name, dblval, + fip ? fip->field_name : "Unknown"); + va_end(ap); + } + return (0); } /* Index: libtiff/libtiff/tif_dirread.c diff -u libtiff/libtiff/tif_dirread.c:1.180 libtiff/libtiff/tif_dirread.c:1.181 --- libtiff/libtiff/tif_dirread.c:1.180 Thu Nov 20 11:47:21 2014 +++ libtiff/libtiff/tif_dirread.c Sun Dec 21 10:15:31 2014 @@ -3430,6 +3430,8 @@ const TIFFField* fip; uint32 fii=FAILED_FII; toff_t nextdiroff; + int bitspersample_read = FALSE; + tif->tif_diroff=tif->tif_nextdiroff; if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) return 0; /* last offset or bad offset (IFD looping) */ @@ -3706,6 +3708,8 @@ } if (!TIFFSetField(tif,dp->tdir_tag,value)) goto bad; + if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE ) + bitspersample_read = TRUE; } break; case TIFFTAG_SMINSAMPLEVALUE: @@ -3763,6 +3767,19 @@ uint32 countrequired; uint32 incrementpersample; uint16* value=NULL; + /* It would be dangerous to instanciate those tag values */ + /* since if td_bitspersample has not yet been read (due to */ + /* unordered tags), it could be read afterwards with a */ + /* values greater than the default one (1), which may cause */ + /* crashes in user code */ + if( !bitspersample_read ) + { + fip = TIFFFieldWithTag(tif,dp->tdir_tag); + TIFFWarningExt(tif->tif_clientdata,module, + "Ignoring %s since BitsPerSample tag not found", + fip ? fip->field_name : "unknown tagname"); + continue; + } countpersample=(1L<<tif->tif_dir.td_bitspersample); if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample)) { Index: libtiff/libtiff/tif_getimage.c diff -u libtiff/libtiff/tif_getimage.c:1.82 libtiff/libtiff/tif_getimage.c:1.83 --- libtiff/libtiff/tif_getimage.c:1.82 Tue Jun 5 19:17:49 2012 +++ libtiff/libtiff/tif_getimage.c Sun Dec 21 10:15:31 2014 @@ -1,4 +1,4 @@ -/* $Id: tif_getimage.c,v 1.82 2012-06-06 00:17:49 fwarmerdam Exp $ */ +/* $Id: tif_getimage.c,v 1.83 2014-12-21 15:15:31 erouault Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -182,8 +182,23 @@ "Planarconfiguration", td->td_planarconfig); return (0); } + if( td->td_samplesperpixel != 3 ) + { + sprintf(emsg, + "Sorry, can not handle image with %s=%d", + "Samples/pixel", td->td_samplesperpixel); + return 0; + } break; case PHOTOMETRIC_CIELAB: + if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) + { + sprintf(emsg, + "Sorry, can not handle image with %s=%d and %s=%d", + "Samples/pixel", td->td_samplesperpixel, + "Bits/sample", td->td_bitspersample); + return 0; + } break; default: sprintf(emsg, "Sorry, can not handle image with %s=%d", Index: libtiff/libtiff/tif_next.c diff -u libtiff/libtiff/tif_next.c:1.13 libtiff/libtiff/tif_next.c:1.14 --- libtiff/libtiff/tif_next.c:1.13 Wed Mar 10 13:56:48 2010 +++ libtiff/libtiff/tif_next.c Sun Dec 21 10:15:32 2014 @@ -102,6 +102,8 @@ default: { uint32 npixels = 0, grey; uint32 imagewidth = tif->tif_dir.td_imagewidth; + if( isTiled(tif) ) + imagewidth = tif->tif_dir.td_tilewidth; /* * The scanline is composed of a sequence of constant Index: libtiff/tools/bmp2tiff.c diff -u libtiff/tools/bmp2tiff.c:1.23 libtiff/tools/bmp2tiff.c:1.24 --- libtiff/tools/bmp2tiff.c:1.23 Wed Mar 10 13:56:49 2010 +++ libtiff/tools/bmp2tiff.c Sun Dec 21 10:15:32 2014 @@ -403,6 +403,13 @@ width = info_hdr.iWidth; length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; + if( width <= 0 || length <= 0 ) + { + TIFFError(infilename, + "Invalid dimensions of BMP file" ); + close(fd); + return -1; + } switch (info_hdr.iBitCount) { @@ -593,6 +600,14 @@ compr_size = file_hdr.iSize - file_hdr.iOffBits; uncompr_size = width * length; + /* Detect int overflow */ + if( uncompr_size / width != length ) + { + TIFFError(infilename, + "Invalid dimensions of BMP file" ); + close(fd); + return -1; + } comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); if (!comprbuf) { TIFFError(infilename, Index: libtiff/tools/tiff2pdf.c diff -u libtiff/tools/tiff2pdf.c:1.77 libtiff/tools/tiff2pdf.c:1.78 --- libtiff/tools/tiff2pdf.c:1.77 Tue Dec 9 21:53:30 2014 +++ libtiff/tools/tiff2pdf.c Sun Dec 21 10:15:32 2014 @@ -1167,6 +1167,15 @@ if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) && (xuint16 == PLANARCONFIG_SEPARATE ) ){ TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); + if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) + { + TIFFError( + TIFF2PDF_MODULE, + "Invalid tile count, %s", + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } t2p->tiff_tiles[i].tiles_tilecount/= xuint16; } if( t2p->tiff_tiles[i].tiles_tilecount > 0){ @@ -1552,6 +1561,22 @@ #endif break; case PHOTOMETRIC_CIELAB: + if( t2p->tiff_samplesperpixel != 3){ + TIFFError( + TIFF2PDF_MODULE, + "Unsupported samplesperpixel = %d for CIELAB", + t2p->tiff_samplesperpixel); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if( t2p->tiff_bitspersample != 8){ + TIFFError( + TIFF2PDF_MODULE, + "Invalid bitspersample = %d for CIELAB", + t2p->tiff_bitspersample); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } t2p->pdf_labrange[0]= -127; t2p->pdf_labrange[1]= 127; t2p->pdf_labrange[2]= -127; @@ -1567,6 +1592,22 @@ t2p->pdf_colorspace=T2P_CS_LAB; break; case PHOTOMETRIC_ITULAB: + if( t2p->tiff_samplesperpixel != 3){ + TIFFError( + TIFF2PDF_MODULE, + "Unsupported samplesperpixel = %d for ITULAB", + t2p->tiff_samplesperpixel); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if( t2p->tiff_bitspersample != 8){ + TIFFError( + TIFF2PDF_MODULE, + "Invalid bitspersample = %d for ITULAB", + t2p->tiff_bitspersample); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } t2p->pdf_labrange[0]=-85; t2p->pdf_labrange[1]=85; t2p->pdf_labrange[2]=-75; Index: libtiff/tools/tiffcrop.c diff -u libtiff/tools/tiffcrop.c:1.23 libtiff/tools/tiffcrop.c:1.24 --- libtiff/tools/tiffcrop.c:1.23 Sun Dec 7 17:33:06 2014 +++ libtiff/tools/tiffcrop.c Sun Dec 21 10:15:32 2014 @@ -1205,9 +1205,10 @@ tsize_t tilesize = TIFFTileSize(out); unsigned char *tilebuf = NULL; - TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); - TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); - TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); + if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || + !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || + !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) + return 1; tile_buffsize = tilesize; if (tilesize < (tsize_t)(tl * tile_rowsize)) Index: libtiff/tools/tiffdump.c diff -u libtiff/tools/tiffdump.c:1.28 libtiff/tools/tiffdump.c:1.29 --- libtiff/tools/tiffdump.c:1.28 Sat Dec 6 10:58:44 2014 +++ libtiff/tools/tiffdump.c Sun Dec 21 10:15:32 2014 @@ -374,6 +374,8 @@ void* datamem; uint64 dataoffset; int datatruncated; + int datasizeoverflow; + tag = *(uint16*)dp; if (swabflag) TIFFSwabShort(&tag); @@ -412,13 +414,14 @@ else typewidth = datawidth[type]; datasize = count*typewidth; + datasizeoverflow = (typewidth > 0 && datasize / typewidth != count); datafits = 1; datamem = dp; dataoffset = 0; datatruncated = 0; if (!bigtiff) { - if (datasize>4) + if (datasizeoverflow || datasize>4) { uint32 dataoffset32; datafits = 0; @@ -432,7 +435,7 @@ } else { - if (datasize>8) + if (datasizeoverflow || datasize>8) { datafits = 0; datamem = NULL; @@ -442,7 +445,7 @@ } dp += sizeof(uint64); } - if (datasize>0x10000) + if (datasizeoverflow || datasize>0x10000) { datatruncated = 1; count = 0x10000/typewidth; ++++++ erouault.2857.patch ++++++ --------------------- PatchSet 2857 Date: 2014/12/21 18:28:37 Author: erouault Branch: HEAD Tag: (none) Log: * tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none. Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480) Description: fix for Debian bug #741451 tiffcp crashes when converting JPEG-encoded TIFF to a different encoding (like none or lzw). For example this will probably fail: tiffcp -c none jpeg_encoded_file.tif output.tif The reason is that when the input file contains JPEG data, the tiffcp code forces conversion to RGB space. However, the output normally inherits YCbCr subsampling parameters from the input, which leads to a smaller working buffer than necessary. The buffer is subsequently overrun inside cpStripToTile() (called from writeBufferToContigTiles). Note that the resulting TIFF file would be scrambled even if tiffcp wouldn't crash, since the output file would contain RGB data intepreted as subsampled YCbCr values. This patch fixes the problem by forcing RGB space on the output TIF if the input is JPEG-encoded and output is *not* JPEG-encoded. Author: Tomasz Buchert <[email protected]> Members: ChangeLog:1.961->1.962 tools/tiffcp.c:1.50->1.51 Index: libtiff/tools/tiffcp.c diff -u libtiff/tools/tiffcp.c:1.50 libtiff/tools/tiffcp.c:1.51 --- libtiff/tools/tiffcp.c:1.50 Tue Mar 5 22:35:09 2013 +++ libtiff/tools/tiffcp.c Sun Dec 21 11:28:37 2014 @@ -633,6 +633,12 @@ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, samplesperpixel == 1 ? PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV); + else if (input_compression == COMPRESSION_JPEG && + samplesperpixel == 3 ) { + /* RGB conversion was forced above + hence the output will be of the same type */ + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB); + } else CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT); if (fillorder != 0) ++++++ erouault.2858.patch ++++++ --------------------- PatchSet 2858 Date: 2014/12/21 19:36:36 Author: erouault Branch: HEAD Tag: (none) Log: * tools/tiff2pdf.c: check return code of TIFFGetField() when reading TIFFTAG_SAMPLESPERPIXEL Members: ChangeLog:1.962->1.963 tools/tiff2pdf.c:1.78->1.79 Index: libtiff/tools/tiff2pdf.c diff -u libtiff/tools/tiff2pdf.c:1.78 libtiff/tools/tiff2pdf.c:1.79 --- libtiff/tools/tiff2pdf.c:1.78 Sun Dec 21 10:15:32 2014 +++ libtiff/tools/tiff2pdf.c Sun Dec 21 12:36:36 2014 @@ -1166,7 +1166,15 @@ t2p->tiff_pages[i].page_tilecount; if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) && (xuint16 == PLANARCONFIG_SEPARATE ) ){ - TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); + if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) ) + { + TIFFError( + TIFF2PDF_MODULE, + "Missing SamplesPerPixel, %s", + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) { TIFFError( ++++++ erouault.2859.patch ++++++ --------------------- PatchSet 2859 Date: 2014/12/21 20:07:48 Author: erouault Branch: HEAD Tag: (none) Log: * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129) Members: ChangeLog:1.963->1.964 libtiff/tif_next.c:1.14->1.15 Index: libtiff/libtiff/tif_next.c diff -u libtiff/libtiff/tif_next.c:1.14 libtiff/libtiff/tif_next.c:1.15 --- libtiff/libtiff/tif_next.c:1.14 Sun Dec 21 10:15:32 2014 +++ libtiff/libtiff/tif_next.c Sun Dec 21 13:07:48 2014 @@ -141,10 +141,27 @@ return (0); } +static int +NeXTPreDecode(TIFF* tif, uint16 s) +{ + static const char module[] = "NeXTPreDecode"; + TIFFDirectory *td = &tif->tif_dir; + (void)s; + + if( td->td_bitspersample != 2 ) + { + TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d", + td->td_bitspersample); + return (0); + } + return (1); +} + int TIFFInitNeXT(TIFF* tif, int scheme) { (void) scheme; + tif->tif_predecode = NeXTPreDecode; tif->tif_decoderow = NeXTDecode; tif->tif_decodestrip = NeXTDecode; tif->tif_decodetile = NeXTDecode; ++++++ erouault.2860.patch ++++++ --------------------- PatchSet 2860 Date: 2014/12/21 20:52:42 Author: erouault Branch: HEAD Tag: (none) Log: * tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128) Members: ChangeLog:1.964->1.965 tools/thumbnail.c:1.17->1.18 tools/tiffcmp.c:1.16->1.17 Index: libtiff/tools/thumbnail.c diff -u libtiff/tools/thumbnail.c:1.17 libtiff/tools/thumbnail.c:1.18 --- libtiff/tools/thumbnail.c:1.17 Sun Dec 7 17:33:06 2014 +++ libtiff/tools/thumbnail.c Sun Dec 21 13:52:42 2014 @@ -274,7 +274,26 @@ { struct cpTag *p; for (p = tags; p < &tags[NTAGS]; p++) - cpTag(in, out, p->tag, p->count, p->type); + { + /* Horrible: but TIFFGetField() expects 2 arguments to be passed */ + /* if we request a tag that is defined in a codec, but that codec */ + /* isn't used */ + if( p->tag == TIFFTAG_GROUP3OPTIONS ) + { + uint16 compression; + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || + compression != COMPRESSION_CCITTFAX3 ) + continue; + } + if( p->tag == TIFFTAG_GROUP4OPTIONS ) + { + uint16 compression; + if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || + compression != COMPRESSION_CCITTFAX4 ) + continue; + } + cpTag(in, out, p->tag, p->count, p->type); + } } #undef NTAGS Index: libtiff/tools/tiffcmp.c diff -u libtiff/tools/tiffcmp.c:1.16 libtiff/tools/tiffcmp.c:1.17 --- libtiff/tools/tiffcmp.c:1.16 Wed Mar 10 13:56:50 2010 +++ libtiff/tools/tiffcmp.c Sun Dec 21 13:52:42 2014 @@ -260,6 +260,7 @@ static int cmptags(TIFF* tif1, TIFF* tif2) { + uint16 compression1, compression2; CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType"); CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth"); CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength"); @@ -276,8 +277,20 @@ CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat"); CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution"); CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution"); - CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); - CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); + if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && + compression1 == COMPRESSION_CCITTFAX3 && + TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && + compression2 == COMPRESSION_CCITTFAX3 ) + { + CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); + } + if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && + compression1 == COMPRESSION_CCITTFAX4 && + TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && + compression2 == COMPRESSION_CCITTFAX4 ) + { + CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); + } CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit"); CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration"); CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip"); ++++++ erouault.2861.patch ++++++ --------------------- PatchSet 2861 Date: 2014/12/21 21:53:59 Author: erouault Branch: HEAD Tag: (none) Log: * tools/thumbnail.c: fix out-of-buffer write http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) Members: ChangeLog:1.965->1.966 tools/thumbnail.c:1.18->1.19 Index: libtiff/tools/thumbnail.c diff -u libtiff/tools/thumbnail.c:1.18 libtiff/tools/thumbnail.c:1.19 --- libtiff/tools/thumbnail.c:1.18 Sun Dec 21 13:52:42 2014 +++ libtiff/tools/thumbnail.c Sun Dec 21 14:53:59 2014 @@ -568,7 +568,13 @@ err -= limit; sy++; if (err >= limit) - rows[nrows++] = br + bpr*sy; + { + /* We should perhaps error loudly, but I can't make sense of that */ + /* code... */ + if( nrows == 256 ) + break; + rows[nrows++] = br + bpr*sy; + } } setrow(row, nrows, rows); row += tnw; ++++++ erouault.2862.patch ++++++ --------------------- PatchSet 2862 Date: 2014/12/21 22:04:31 Author: erouault Branch: HEAD Tag: (none) Log: * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not worth the burden for those esoteric utilities. http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) Members: ChangeLog:1.966->1.967 tools/pal2rgb.c:1.13->1.14 tools/thumbnail.c:1.19->1.20 Index: libtiff/tools/pal2rgb.c diff -u libtiff/tools/pal2rgb.c:1.13 libtiff/tools/pal2rgb.c:1.14 --- libtiff/tools/pal2rgb.c:1.13 Fri Jul 2 07:02:56 2010 +++ libtiff/tools/pal2rgb.c Sun Dec 21 15:04:31 2014 @@ -372,7 +372,7 @@ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, { TIFFTAG_INKSET, 1, TIFF_SHORT }, - { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, Index: libtiff/tools/thumbnail.c diff -u libtiff/tools/thumbnail.c:1.19 libtiff/tools/thumbnail.c:1.20 --- libtiff/tools/thumbnail.c:1.19 Sun Dec 21 14:53:59 2014 +++ libtiff/tools/thumbnail.c Sun Dec 21 15:04:31 2014 @@ -257,7 +257,7 @@ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, { TIFFTAG_INKSET, 1, TIFF_SHORT }, - { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, ++++++ erouault.2863.patch ++++++ --------------------- PatchSet 2863 Date: 2014/12/21 22:58:29 Author: erouault Branch: HEAD Tag: (none) Log: * tools/tiff2bw.c: when Photometric=RGB, the utility only works if SamplesPerPixel = 3. Enforce that http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127) Members: ChangeLog:1.967->1.968 tools/tiff2bw.c:1.16->1.17 Index: libtiff/tools/tiff2bw.c diff -u libtiff/tools/tiff2bw.c:1.16 libtiff/tools/tiff2bw.c:1.17 --- libtiff/tools/tiff2bw.c:1.16 Thu May 2 09:44:29 2013 +++ libtiff/tools/tiff2bw.c Sun Dec 21 15:58:30 2014 @@ -171,6 +171,11 @@ argv[optind], samplesperpixel); return (-1); } + if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { + fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", + argv[optind], samplesperpixel); + return (-1); + } TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); if (bitspersample != 8) { fprintf(stderr, ++++++ erouault.2876.patch ++++++ --------------------- PatchSet 2876 Date: 2014/12/29 14:09:11 Author: erouault Branch: HEAD Tag: (none) Log: * libtiff/tif_next.c: add new tests to check that we don't read outside of the compressed input stream buffer. * libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height Members: ChangeLog:1.980->1.981 libtiff/tif_getimage.c:1.85->1.86 libtiff/tif_next.c:1.15->1.16 Index: libtiff/libtiff/tif_getimage.c diff -u libtiff/libtiff/tif_getimage.c:1.85 libtiff/libtiff/tif_getimage.c:1.86 --- libtiff/libtiff/tif_getimage.c:1.85 Thu Dec 25 13:29:11 2014 +++ libtiff/libtiff/tif_getimage.c Mon Dec 29 07:09:11 2014 @@ -1871,7 +1871,7 @@ (void) y; fromskew = (fromskew * 10) / 4; - if ((h & 3) == 0 && (w & 1) == 0) { + if ((w & 3) == 0 && (h & 1) == 0) { for (; h >= 2; h -= 2) { x = w>>2; do { @@ -1948,7 +1948,7 @@ /* XXX adjust fromskew */ do { x = w>>2; - do { + while(x>0) { int32 Cb = pp[4]; int32 Cr = pp[5]; @@ -1959,7 +1959,8 @@ cp += 4; pp += 6; - } while (--x); + x--; + } if( (w&3) != 0 ) { @@ -2050,7 +2051,7 @@ fromskew = (fromskew * 4) / 2; do { x = w>>1; - do { + while(x>0) { int32 Cb = pp[2]; int32 Cr = pp[3]; @@ -2059,7 +2060,8 @@ cp += 2; pp += 4; - } while (--x); + x --; + } if( (w&1) != 0 ) { Index: libtiff/libtiff/tif_next.c diff -u libtiff/libtiff/tif_next.c:1.15 libtiff/libtiff/tif_next.c:1.16 --- libtiff/libtiff/tif_next.c:1.15 Sun Dec 21 13:07:48 2014 +++ libtiff/libtiff/tif_next.c Mon Dec 29 07:09:11 2014 @@ -71,7 +71,7 @@ TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read"); return (0); } - for (row = buf; occ > 0; occ -= scanline, row += scanline) { + for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) { n = *bp++, cc--; switch (n) { case LITERALROW: @@ -90,6 +90,8 @@ * The scanline has a literal span that begins at some * offset. */ + if( cc < 4 ) + goto bad; off = (bp[0] * 256) + bp[1]; n = (bp[2] * 256) + bp[3]; if (cc < 4+n || off+n > scanline) ++++++ tiff-dither-malloc-check.patch ++++++ Index: tools/tiffdither.c =================================================================== --- tools/tiffdither.c.orig 2015-02-18 13:06:47.972867055 +0100 +++ tools/tiffdither.c 2015-02-18 13:12:03.759562692 +0100 @@ -77,6 +77,11 @@ outlinesize = TIFFScanlineSize(out); outline = (unsigned char *) _TIFFmalloc(outlinesize); + if (! (inputline && thisline && nextline && outline)) { + fprintf(stderr, "Out of memory.\n"); + return; + } + /* * Get first line */ ++++++ tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch ++++++ Index: libtiff/tif_dirinfo.c =================================================================== --- libtiff/tif_dirinfo.c.orig 2015-02-20 10:55:07.511497649 +0100 +++ libtiff/tif_dirinfo.c 2015-02-20 18:25:36.187965859 +0100 @@ -141,6 +141,7 @@ { TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL }, { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL }, { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, /* begin DNG tags */ { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL }, { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL }, ++++++ tiff-handle-TIFFTAG_PREDICTOR.patch ++++++ Index: libtiff/tif_dirinfo.c =================================================================== --- libtiff/tif_dirinfo.c.orig 2015-02-20 18:38:55.798039584 +0100 +++ libtiff/tif_dirinfo.c 2015-02-20 18:58:50.474095885 +0100 @@ -142,6 +142,7 @@ { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL }, { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, + { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL }, /* begin DNG tags */ { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL }, { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL }, -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
