Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at 2016-09-05 21:16:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff" Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2016-07-18 21:23:00.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2016-09-05 21:17:03.000000000 +0200 @@ -1,0 +2,12 @@ +Thu Sep 1 14:35:57 UTC 2016 - fst...@suse.com + +- Added patches: + * tiff-4.0.6-CVE-2016-3623.patch + * tiff-4.0.6-CVE-2016-3945.patch + * tiff-4.0.6-CVE-2016-3990.patch + * tiff-4.0.6-CVE-2016-3991.patch + - Upstream commits to fix CVE-2016-3623 [bsc#974618], + CVE-2016-3945 [bsc#974614], CVE-2016-3990 [bsc#975069], + CVE-2016-3991 [bsc#975070] + +------------------------------------------------------------------- New: ---- tiff-4.0.6-CVE-2016-3623.patch tiff-4.0.6-CVE-2016-3945.patch tiff-4.0.6-CVE-2016-3990.patch tiff-4.0.6-CVE-2016-3991.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.Wjy1cP/_old 2016-09-05 21:17:05.000000000 +0200 +++ /var/tmp/diff_new_pack.Wjy1cP/_new 2016-09-05 21:17:05.000000000 +0200 @@ -41,6 +41,11 @@ Patch6: tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch Patch7: tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch Patch8: tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch +# +Patch9: tiff-4.0.6-CVE-2016-3623.patch +Patch10: tiff-4.0.6-CVE-2016-3945.patch +Patch11: tiff-4.0.6-CVE-2016-3990.patch +Patch12: tiff-4.0.6-CVE-2016-3991.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel @@ -111,6 +116,10 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 %build CFLAGS="%{optflags} -fPIE" ++++++ tiff-4.0.6-CVE-2016-3623.patch ++++++ --- tiff-4.0.6/tools/rgb2ycbcr.c 2015-08-29 00:17:08.195093258 +0200 +++ tiff-4.0.6/tools/rgb2ycbcr.c 2016-09-01 16:23:31.472089246 +0200 @@ -95,9 +95,13 @@ break; case 'h': horizSubSampling = atoi(optarg); + if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 ) + usage(-1); break; case 'v': vertSubSampling = atoi(optarg); + if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 ) + usage(-1); break; case 'r': rowsperstrip = atoi(optarg); ++++++ tiff-4.0.6-CVE-2016-3945.patch ++++++ --- tiff-4.0.6/tools/tiff2rgba.c 2015-08-29 00:17:08.259977702 +0200 +++ tiff-4.0.6/tools/tiff2rgba.c 2016-09-01 16:05:40.451318911 +0200 @@ -147,6 +147,7 @@ uint32 row, col; uint32 *wrk_line; int ok = 1; + uint32 rastersize, wrk_linesize; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); @@ -163,7 +164,13 @@ /* * Allocate tile buffer */ - raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); + rastersize = tile_width * tile_height * sizeof (uint32); + if (tile_width != (rastersize / tile_height) / sizeof( uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); + exit(-1); + } + raster = (uint32*)_TIFFmalloc(rastersize); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); @@ -173,7 +180,13 @@ * Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ - wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + wrk_linesize = tile_width * sizeof (uint32); + if (tile_width != wrk_linesize / sizeof (uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); + exit(-1); + } + wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0; @@ -249,6 +262,7 @@ uint32 row; uint32 *wrk_line; int ok = 1; + uint32 rastersize, wrk_linesize; TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); @@ -263,7 +277,13 @@ /* * Allocate strip buffer */ - raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); + rastersize = width * rowsperstrip * sizeof (uint32); + if (width != (rastersize / rowsperstrip) / sizeof( uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); + exit(-1); + } + raster = (uint32*)_TIFFmalloc(rastersize); if (raster == 0) { TIFFError(TIFFFileName(in), "No space for raster buffer"); return (0); @@ -273,7 +293,13 @@ * Allocate a scanline buffer for swapping during the vertical * mirroring pass. */ - wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + wrk_linesize = width * sizeof (uint32); + if (width != wrk_linesize / sizeof (uint32)) + { + TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); + exit(-1); + } + wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); if (!wrk_line) { TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); ok = 0; ++++++ tiff-4.0.6-CVE-2016-3990.patch ++++++ --- tiff-4.0.6/libtiff/tif_pixarlog.c 2015-08-29 00:16:22.630733284 +0200 +++ tiff-4.0.6/libtiff/tif_pixarlog.c 2016-09-01 16:12:07.226933631 +0200 @@ -1131,6 +1131,13 @@ } llen = sp->stride * td->td_imagewidth; + /* Check against the number of elements (of size uint16) of sp->tbuf */ + if( n > (tmsize_t)(td->td_rowsperstrip * llen) ) + { + TIFFErrorExt(tif->tif_clientdata, module, + "Too many input bytes provided"); + return 0; + } for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { switch (sp->user_datafmt) { Only in tiff-4.0.6/libtiff: tif_pixarlog.c.orig ++++++ tiff-4.0.6-CVE-2016-3991.patch ++++++ --- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200 +++ tiff-4.0.6/tools/tiffcrop.c 2016-09-01 16:21:40.874478425 +0200 @@ -798,6 +798,11 @@ } tile_buffsize = tilesize; + if (tilesize == 0 || tile_rowsize == 0) + { + TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); + exit(-1); + } if (tilesize < (tsize_t)(tl * tile_rowsize)) { @@ -807,6 +812,11 @@ tilesize, tl * tile_rowsize); #endif tile_buffsize = tl * tile_rowsize; + if (tl != (tile_buffsize / tile_rowsize)) + { + TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); + exit(-1); + } } tilebuf = _TIFFmalloc(tile_buffsize); @@ -1210,6 +1220,12 @@ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) return 1; + if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) + { + TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); + exit(-1); + } + tile_buffsize = tilesize; if (tilesize < (tsize_t)(tl * tile_rowsize)) { @@ -1219,6 +1235,11 @@ tilesize, tl * tile_rowsize); #endif tile_buffsize = tl * tile_rowsize; + if (tl != tile_buffsize / tile_rowsize) + { + TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); + exit(-1); + } } tilebuf = _TIFFmalloc(tile_buffsize); @@ -5945,12 +5966,27 @@ TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); tile_rowsize = TIFFTileRowSize(in); + if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) + { + TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); + exit(-1); + } buffsize = tlsize * ntiles; - + if (tlsize != (buffsize / ntiles)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) { buffsize = ntiles * tl * tile_rowsize; + if (ntiles != (buffsize / tl / tile_rowsize)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } + #ifdef DEBUG2 TIFFError("loadImage", "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", @@ -5965,12 +6001,29 @@ } else { + uint32 buffsize_check; readunit = STRIP; TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); stsize = TIFFStripSize(in); nstrips = TIFFNumberOfStrips(in); - buffsize = stsize * nstrips; + if (nstrips == 0 || stsize == 0) + { + TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); + exit(-1); + } + buffsize = stsize * nstrips; + if (stsize != (buffsize / nstrips)) + { + TIFFError("loadImage", "Integer overflow when calculating buffer size"); + exit(-1); + } + buffsize_check = ((length * width * spp * bps) + 7); + if (length != ((buffsize_check - 7) / width / spp / bps)) + { + TIFFError("loadImage", "Integer overflow detected."); + exit(-1); + } if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) { buffsize = ((length * width * spp * bps) + 7) / 8;