Hello community,

here is the log from the commit of package tiff for openSUSE:Factory checked in 
at 2016-09-05 21:16:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tiff (Old)
 and      /work/SRC/openSUSE:Factory/.tiff.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tiff"

Changes:
--------
--- /work/SRC/openSUSE:Factory/tiff/tiff.changes        2016-07-18 
21:23:00.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes   2016-09-05 
21:17:03.000000000 +0200
@@ -1,0 +2,12 @@
+Thu Sep  1 14:35:57 UTC 2016 - fst...@suse.com
+
+- Added patches:
+  * tiff-4.0.6-CVE-2016-3623.patch
+  * tiff-4.0.6-CVE-2016-3945.patch
+  * tiff-4.0.6-CVE-2016-3990.patch
+  * tiff-4.0.6-CVE-2016-3991.patch
+    - Upstream commits to fix CVE-2016-3623 [bsc#974618],
+      CVE-2016-3945 [bsc#974614], CVE-2016-3990 [bsc#975069],
+         CVE-2016-3991 [bsc#975070]
+
+-------------------------------------------------------------------

New:
----
  tiff-4.0.6-CVE-2016-3623.patch
  tiff-4.0.6-CVE-2016-3945.patch
  tiff-4.0.6-CVE-2016-3990.patch
  tiff-4.0.6-CVE-2016-3991.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tiff.spec ++++++
--- /var/tmp/diff_new_pack.Wjy1cP/_old  2016-09-05 21:17:05.000000000 +0200
+++ /var/tmp/diff_new_pack.Wjy1cP/_new  2016-09-05 21:17:05.000000000 +0200
@@ -41,6 +41,11 @@
 Patch6:         
tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch
 Patch7:         
tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
 Patch8:         
tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch
+#
+Patch9:         tiff-4.0.6-CVE-2016-3623.patch
+Patch10:        tiff-4.0.6-CVE-2016-3945.patch
+Patch11:        tiff-4.0.6-CVE-2016-3990.patch
+Patch12:        tiff-4.0.6-CVE-2016-3991.patch
 
 BuildRequires:  gcc-c++
 BuildRequires:  libjpeg-devel
@@ -111,6 +116,10 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
 
 %build
 CFLAGS="%{optflags} -fPIE"

++++++ tiff-4.0.6-CVE-2016-3623.patch ++++++
--- tiff-4.0.6/tools/rgb2ycbcr.c        2015-08-29 00:17:08.195093258 +0200
+++ tiff-4.0.6/tools/rgb2ycbcr.c        2016-09-01 16:23:31.472089246 +0200
@@ -95,9 +95,13 @@
                        break;
                case 'h':
                        horizSubSampling = atoi(optarg);
+            if( horizSubSampling != 1 && horizSubSampling != 2 && 
horizSubSampling != 4 )
+                usage(-1);
                        break;
                case 'v':
                        vertSubSampling = atoi(optarg);
+            if( vertSubSampling != 1 && vertSubSampling != 2 && 
vertSubSampling != 4 )
+                usage(-1);
                        break;
                case 'r':
                        rowsperstrip = atoi(optarg);
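Review bot: Both added guards in the `'h'` and `'v'` cases only work if `usage(-1)` never returns, because the following `break` would otherwise keep the rejected value; usage() is defined outside this hunk, so that should be confirmed. The checks also carry no comment saying why only 1, 2 and 4 are allowed, or that atoi() returning 0 for non-numeric input is one of the cases they catch. I would add above each one `/* subsampling factor must be 1, 2 or 4; atoi() yields 0 on unparsable input, which is rejected here too */`. The `'r'` case in the trailing context still stores atoi()'s result unchecked, and the switch continues outside the hunk.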
++++++ tiff-4.0.6-CVE-2016-3945.patch ++++++
--- tiff-4.0.6/tools/tiff2rgba.c        2015-08-29 00:17:08.259977702 +0200
+++ tiff-4.0.6/tools/tiff2rgba.c        2016-09-01 16:05:40.451318911 +0200
@@ -147,6 +147,7 @@
     uint32  row, col;
     uint32  *wrk_line;
     int            ok = 1;
+    uint32  rastersize, wrk_linesize;
 
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -163,7 +164,13 @@
     /*
      * Allocate tile buffer
      */
-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
+    rastersize = tile_width * tile_height * sizeof (uint32);
+    if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+    {
+       TIFFError(TIFFFileName(in), "Integer overflow when calculating raster 
buffer");
+       exit(-1);
+    }
+    raster = (uint32*)_TIFFmalloc(rastersize);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
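Review bot: The new overflow test divides by `tile_height` (`rastersize / tile_height`) without first ruling out zero, so a zero tile length would turn the overflow check itself into a division by zero. Nothing visible in the hunk guarantees a non-zero value, although libtiff may already reject such a directory earlier. The guard could be written as `if (tile_height == 0 || tile_width != (rastersize / tile_height) / sizeof (uint32))`. The strip variant further down has the same shape with `rastersize / rowsperstrip` and would need `rowsperstrip == 0 ||` in the same place. The enclosing function starts and ends outside the hunk.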
@@ -173,7 +180,13 @@
      * Allocate a scanline buffer for swapping during the vertical
      * mirroring pass.
      */
-    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+    wrk_linesize = tile_width * sizeof (uint32);
+    if (tile_width != wrk_linesize / sizeof (uint32))
+    {
+        TIFFError(TIFFFileName(in), "Integer overflow when calculating 
wrk_line buffer");
+       exit(-1);
+    }
+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
     if (!wrk_line) {
         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
         ok = 0;
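Review bot: The added wrk_line overflow branch calls `exit(-1)` while `raster` is still allocated, whereas the allocation failure right below it reports the error by setting `ok = 0` and the raster failure above it uses `return (0)`. For consistency with those paths, the branch could end with `_TIFFfree(raster); return (0);` instead of terminating the process. The same applies to the other three overflow branches this patch adds to tiff2rgba.c (both raster checks and the strip wrk_line check), where the raster ones need only `return (0);`. The function body continues outside the hunk, so the cleanup the `ok = 0` path relies on is not visible here.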
@@ -249,6 +262,7 @@
     uint32  row;
     uint32  *wrk_line;
     int            ok = 1;
+    uint32  rastersize, wrk_linesize;
 
     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
@@ -263,7 +277,13 @@
     /*
      * Allocate strip buffer
      */
-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
+    rastersize = width * rowsperstrip * sizeof (uint32);
+    if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+    {
+       TIFFError(TIFFFileName(in), "Integer overflow when calculating raster 
buffer");
+       exit(-1);
+    }
+    raster = (uint32*)_TIFFmalloc(rastersize);
     if (raster == 0) {
         TIFFError(TIFFFileName(in), "No space for raster buffer");
         return (0);
@@ -273,7 +293,13 @@
      * Allocate a scanline buffer for swapping during the vertical
      * mirroring pass.
      */
-    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+    wrk_linesize = width * sizeof (uint32);
+    if (width != wrk_linesize / sizeof (uint32))
+    {
+        TIFFError(TIFFFileName(in), "Integer overflow when calculating 
wrk_line buffer");
+       exit(-1);
+    }
+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
     if (!wrk_line) {
         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
         ok = 0;
++++++ tiff-4.0.6-CVE-2016-3990.patch ++++++
--- tiff-4.0.6/libtiff/tif_pixarlog.c   2015-08-29 00:16:22.630733284 +0200
+++ tiff-4.0.6/libtiff/tif_pixarlog.c   2016-09-01 16:12:07.226933631 +0200
@@ -1131,6 +1131,13 @@
        }
 
        llen = sp->stride * td->td_imagewidth;
+    /* Check against the number of elements (of size uint16) of sp->tbuf */
+    if( n > (tmsize_t)(td->td_rowsperstrip * llen) )
+    {
+        TIFFErrorExt(tif->tif_clientdata, module,
+                     "Too many input bytes provided");
+        return 0;
+    }
 
        for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
                switch (sp->user_datafmt)  {
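Review bot: The bound in the added line `if( n > (tmsize_t)(td->td_rowsperstrip * llen) )` is multiplied before it is cast, so if td_rowsperstrip and llen are 32-bit (their declarations are outside the hunk) the product can wrap and `n` is then compared against the wrapped value. Where tmsize_t is wider than 32 bits, widening an operand first avoids that: `if( n > (tmsize_t)td->td_rowsperstrip * (tmsize_t)llen )`. The new comment says the limit is the element count of sp->tbuf, but the allocation of tbuf is not visible here, so it is worth confirming that it is sized from the same two values. The enclosing function starts and ends outside the hunk.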
Only in tiff-4.0.6/libtiff: tif_pixarlog.c.orig
++++++ tiff-4.0.6-CVE-2016-3991.patch ++++++
--- tiff-4.0.6/tools/tiffcrop.c 2015-08-29 00:17:08.312151629 +0200
+++ tiff-4.0.6/tools/tiffcrop.c 2016-09-01 16:21:40.874478425 +0200
@@ -798,6 +798,11 @@
     }
 
   tile_buffsize = tilesize;
+  if (tilesize == 0 || tile_rowsize == 0)
+  {
+     TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is 
zero");
+     exit(-1);
+  }
 
   if (tilesize < (tsize_t)(tl * tile_rowsize))
     {
@@ -807,6 +812,11 @@
               tilesize, tl * tile_rowsize);
 #endif
     tile_buffsize = tl * tile_rowsize;
+    if (tl != (tile_buffsize / tile_rowsize))
+    {
+       TIFFError("readContigTilesIntoBuffer", "Integer overflow when 
calculating buffer size.");
+        exit(-1);
+    }
     } 
 
   tilebuf = _TIFFmalloc(tile_buffsize);
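Review bot: The added overflow test sits inside the branch taken only when `tilesize < (tsize_t)(tl * tile_rowsize)` (the context line closing the previous hunk), so it runs only if the possibly wrapped product still compares larger than tilesize. A product that wraps to a small value skips both the branch and the check, and tile_buffsize silently stays at tilesize. I would compute the product once in a wider type before the comparison, `uint64 need = (uint64)tl * (uint64)tile_rowsize;`, reject it if it does not fit tile_buffsize's type, and only then compare `need` with tilesize. The same ordering appears in the writeBufferToContigTiles hunk and in loadImage, where the guarding comparison truncates explicitly with `(uint32)(ntiles * tl * tile_rowsize)`. Variable declarations are outside the hunks, so the operand widths are inferred.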
@@ -1210,6 +1220,12 @@
       !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
       return 1;
 
+  if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
+  {
+    TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile 
width, or tile length is zero");
+    exit(-1);
+  }
+  
   tile_buffsize = tilesize;
   if (tilesize < (tsize_t)(tl * tile_rowsize))
     {
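Review bot: The new zero-size guard ends in `exit(-1)` directly below a failure path that reports its error with `return 1;`, so this function now has two different error conventions a few lines apart. Unless the caller cannot handle a failure status (it is not visible here), I would end the branch with `return 1;` after the TIFFError call, and do the same in the overflow branch added in the next hunk of this function. Terminating the process from a helper also skips whatever cleanup the caller performs on the output file. The function starts and ends outside the hunk.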
@@ -1219,6 +1235,11 @@
               tilesize, tl * tile_rowsize);
 #endif
     tile_buffsize = tl * tile_rowsize;
+    if (tl != tile_buffsize / tile_rowsize)
+    {
+       TIFFError("writeBufferToContigTiles", "Integer overflow when 
calculating buffer size");
+       exit(-1);
+    }
     }
 
   tilebuf = _TIFFmalloc(tile_buffsize);
@@ -5945,12 +5966,27 @@
     TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
 
     tile_rowsize  = TIFFTileRowSize(in);      
+    if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
+    {
+       TIFFError("loadImage", "File appears to be tiled, but the number of 
tiles, tile size, or tile rowsize is zero.");
+       exit(-1);
+    }
     buffsize = tlsize * ntiles;
-
+    if (tlsize != (buffsize / ntiles))
+    {
+       TIFFError("loadImage", "Integer overflow when calculating buffer size");
+       exit(-1);
+    }
         
     if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
       {
       buffsize = ntiles * tl * tile_rowsize;
+      if (ntiles != (buffsize / tl / tile_rowsize))
+      {
+       TIFFError("loadImage", "Integer overflow when calculating buffer size");
+       exit(-1);
+      }
+      
 #ifdef DEBUG2
       TIFFError("loadImage",
                "Tilesize %u is too small, using ntiles * tilelength * 
tilerowsize %lu",
@@ -5965,12 +6001,29 @@
     }
   else
     {
+    uint32 buffsize_check;
     readunit = STRIP;
     TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
     stsize = TIFFStripSize(in);
     nstrips = TIFFNumberOfStrips(in);
-    buffsize = stsize * nstrips;
+    if (nstrips == 0 || stsize == 0)
+    {
+       TIFFError("loadImage", "File appears to be striped, but the number of 
stipes or stripe size is zero.");
+       exit(-1);
+    }
     
+    buffsize = stsize * nstrips;
+    if (stsize != (buffsize / nstrips))
+    {
+       TIFFError("loadImage", "Integer overflow when calculating buffer size");
+       exit(-1);
+    }
+    buffsize_check = ((length * width * spp * bps) + 7);
+    if (length != ((buffsize_check - 7) / width / spp / bps))
+    {
+       TIFFError("loadImage", "Integer overflow detected.");
+       exit(-1);
+    }
     if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
       {
       buffsize =  ((length * width * spp * bps) + 7) / 8;
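Review bot: The `buffsize_check` test adds 7 and then subtracts it again before dividing, so a product within 7 of the 32-bit limit wraps on the `+ 7`, wraps back on the `- 7`, and passes. The context lines below then use the wrapped `((length * width * spp * bps) + 7) / 8`. It also divides by width, spp and bps with no zero guard visible in the hunk. I would check the bare product and the headroom separately: `buffsize_check = length * width * spp * bps;` followed by `if (width == 0 || spp == 0 || bps == 0 || length != buffsize_check / width / spp / bps || buffsize_check > 0xFFFFFFFFU - 7)`. The declarations of length, width, spp and bps are outside the hunk, so this assumes the product is evaluated as a 32-bit unsigned value, as the `(uint32)` cast in the following comparison suggests.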
