[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: 53cfbff2eb33daf68de4a26712be94e2a7fa7c10 Author: Michael Vetter iodoru org> AuthorDate: Wed Feb 22 15:28:54 2023 + Commit: Sam James gentoo org> CommitDate: Wed Feb 22 16:23:17 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53cfbff2 media-libs/tiff: Fix several CVEs Fixes: * CVE-2023-0795 https://gitlab.com/libtiff/libtiff/-/issues/493 * CVE-2023-0796 https://gitlab.com/libtiff/libtiff/-/issues/499 * CVE-2023-0797 https://gitlab.com/libtiff/libtiff/-/issues/495 * CVE-2023-0798 https://gitlab.com/libtiff/libtiff/-/issues/492 * CVE-2023-0799 https://gitlab.com/libtiff/libtiff/-/issues/494 * CVE-2023-0800 https://gitlab.com/libtiff/libtiff/-/issues/496 * CVE-2023-0801 https://gitlab.com/libtiff/libtiff/-/issues/498 * CVE-2023-0802 https://gitlab.com/libtiff/libtiff/-/issues/500 * CVE-2023-0803 https://gitlab.com/libtiff/libtiff/-/issues/501 * CVE-2023-0804 https://gitlab.com/libtiff/libtiff/-/issues/497 Bug: https://bugs.gentoo.org/895900 Signed-off-by: Michael Vetter iodoru.org> Closes: https://github.com/gentoo/gentoo/pull/29721 Signed-off-by: Sam James gentoo.org> ...CVE-2023-0797-CVE-2023-0798-CVE-2023-0799.patch | 287 + ...CVE-2023-0802-CVE-2023-0803-CVE-2023-0804.patch | 131 ++ media-libs/tiff/tiff-4.5.0-r2.ebuild | 92 +++ 3 files changed, 510 insertions(+) diff --git a/media-libs/tiff/files/tiff-4.5.0-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0798-CVE-2023-0799.patch b/media-libs/tiff/files/tiff-4.5.0-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0798-CVE-2023-0799.patch new file mode 100644 index ..70a9b8269ec5 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.5.0-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0798-CVE-2023-0799.patch 
@@ -0,0 +1,287 @@ +Index: tiff-4.5.0/tools/tiffcrop.c +=== +Upstream commits: +https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 +https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 +From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 3 Feb 2023 15:31:31 +0100 +Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() + fix#520 rotateImage() set up a new buffer and calculates its size + individually. Therefore, seg_buffs[] size needs to be updated accordingly. + Before this fix, the seg_buffs buffer size was calculated with a different + formula than within rotateImage(). + +Closes #520. +--- + tools/tiffcrop.c | 36 + 1 file changed, 20 insertions(+), 16 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 7db69883..f8b66188 100644 +--- a/tools/tiffcrop.c b/tools/tiffcrop.c +@@ -577,7 +577,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, + uint32_t, uint32_t, uint8_t *, uint8_t *); + static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, +- unsigned char **); ++ unsigned char **, size_t *); + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +unsigned char *); + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +@@ -7243,7 +7243,7 @@ static int correct_orientation(struct image_data *image, + } + + if (rotateImage(rotation, image, &image->width, &image->length, +-work_buff_ptr)) ++work_buff_ptr, NULL)) + { + TIFFError("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -8563,8 +8563,12 @@ static int processCropSelections(struct image_data *image, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can + reallocate the buffer */ + { ++/* rotateImage() set up a new buffer and calculates its size ++ * 
individually. Therefore, seg_buffs size needs to be updated ++ * accordingly. */ ++size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->combined_width, +-&crop->combined_length, &crop_buff)) ++&crop->combined_length, &crop_buff, &rot_buf_size)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %" PRIu32 +@@ -8573,9 +8577,7 @@ static int processCropSelections(struct image_data *image, + return (-1); + } + seg_buffs[0].buffer = crop_buff; +-seg_buffs[0].size = +-(((crop->combined_width * image->bps + 7) / 8) * image->spp) *
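Review bot: The new `size_t *` argument of rotateImage() behaves as an optional out-parameter, but nothing in the visible hunks documents that. correct_orientation passes `NULL`, processCropSelections passes `&rot_buf_size`, and the prototype carries no parameter names. The body of rotateImage() is not shown on this page, so whether it tests the pointer before storing through it cannot be confirmed here and should be checked in the full patch. I would add a comment at the prototype such as `/* last argument: receives the byte size of the rotated buffer; may be NULL */`. The hunk that replaces the old seg_buffs[0].size formula is cut off at the end of this message, and the same patch text is repeated in the next commit mail on the page.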
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: 7ebadfbb4602052047e063e83e78cf398d2610c5 Author: Michael Vetter iodoru org> AuthorDate: Wed Feb 22 15:28:54 2023 + Commit: Sam James gentoo org> CommitDate: Wed Feb 22 16:21:38 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ebadfbb media-libs/tiff: Fix several CVEs Fixes: * CVE-2023-0795 https://gitlab.com/libtiff/libtiff/-/issues/493 * CVE-2023-0796 https://gitlab.com/libtiff/libtiff/-/issues/499 * CVE-2023-0797 https://gitlab.com/libtiff/libtiff/-/issues/495 * CVE-2023-0798 https://gitlab.com/libtiff/libtiff/-/issues/492 * CVE-2023-0799 https://gitlab.com/libtiff/libtiff/-/issues/494 * CVE-2023-0800 https://gitlab.com/libtiff/libtiff/-/issues/496 * CVE-2023-0801 https://gitlab.com/libtiff/libtiff/-/issues/498 * CVE-2023-0802 https://gitlab.com/libtiff/libtiff/-/issues/500 * CVE-2023-0803 https://gitlab.com/libtiff/libtiff/-/issues/501 * CVE-2023-0804 https://gitlab.com/libtiff/libtiff/-/issues/497 Bug: https://github.com/gentoo/gentoo/pull/29721 Signed-off-by: Michael Vetter iodoru.org> Closes: https://github.com/gentoo/gentoo/pull/29721 Signed-off-by: Sam James gentoo.org> ...CVE-2023-0797-CVE-2023-0798-CVE-2023-0799.patch | 287 + ...CVE-2023-0802-CVE-2023-0803-CVE-2023-0804.patch | 131 ++ media-libs/tiff/tiff-4.5.0-r2.ebuild | 92 +++ 3 files changed, 510 insertions(+) diff --git a/media-libs/tiff/files/tiff-4.5.0-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0798-CVE-2023-0799.patch b/media-libs/tiff/files/tiff-4.5.0-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0798-CVE-2023-0799.patch new file mode 100644 index ..70a9b8269ec5 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.5.0-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0798-CVE-2023-0799.patch 
@@ -0,0 +1,287 @@ +Index: tiff-4.5.0/tools/tiffcrop.c +=== +Upstream commits: +https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 +https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 +From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 3 Feb 2023 15:31:31 +0100 +Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() + fix#520 rotateImage() set up a new buffer and calculates its size + individually. Therefore, seg_buffs[] size needs to be updated accordingly. + Before this fix, the seg_buffs buffer size was calculated with a different + formula than within rotateImage(). + +Closes #520. +--- + tools/tiffcrop.c | 36 + 1 file changed, 20 insertions(+), 16 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 7db69883..f8b66188 100644 +--- a/tools/tiffcrop.c b/tools/tiffcrop.c +@@ -577,7 +577,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, + uint32_t, uint32_t, uint8_t *, uint8_t *); + static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, +- unsigned char **); ++ unsigned char **, size_t *); + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +unsigned char *); + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +@@ -7243,7 +7243,7 @@ static int correct_orientation(struct image_data *image, + } + + if (rotateImage(rotation, image, &image->width, &image->length, +-work_buff_ptr)) ++work_buff_ptr, NULL)) + { + TIFFError("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -8563,8 +8563,12 @@ static int processCropSelections(struct image_data *image, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can + reallocate the buffer */ + { ++/* rotateImage() set up a new buffer and calculates its size ++ * 
individually. Therefore, seg_buffs size needs to be updated ++ * accordingly. */ ++size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->combined_width, +-&crop->combined_length, &crop_buff)) ++&crop->combined_length, &crop_buff, &rot_buf_size)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %" PRIu32 +@@ -8573,9 +8577,7 @@ static int processCropSelections(struct image_data *image, + return (-1); + } + seg_buffs[0].buffer = crop_buff; +-seg_buffs[0].size = +-(((crop->combined_width * image->bps + 7) / 8) * i
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: d63be024fb77b02effd31c92cd79e55013118447 Author: Sam James gentoo org> AuthorDate: Sat Dec 10 04:09:36 2022 + Commit: Sam James gentoo org> CommitDate: Sat Dec 10 04:09:36 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d63be024 media-libs/tiff: add 4.5.0_rc1 (unkeyworded) Bug: https://bugs.gentoo.org/856478 Signed-off-by: Sam James gentoo.org> media-libs/tiff/Manifest | 2 + .../tiff-4.5.0_rc1-skip-tools-tests-multilib.patch | 52 + media-libs/tiff/tiff-4.5.0_rc1.ebuild | 89 ++ 3 files changed, 143 insertions(+) diff --git a/media-libs/tiff/Manifest b/media-libs/tiff/Manifest index acd45d9a7287..ddbf4132f425 100644 --- a/media-libs/tiff/Manifest +++ b/media-libs/tiff/Manifest @@ -1,2 +1,4 @@ DIST tiff-4.4.0.tar.xz 1929292 BLAKE2B d05a2fb293557d1e7cdec116c65c8338d7714af7b6abd8dd3bb2b476d62e044adc7d6c298843649d63c6bc09f6ce4660ee23638f9beb716937ccf236c2829dcf SHA512 c9611faadc9b1199f3aba9a43bfa160c77c11558d1fa358b42115ed78db73c8387531c0668cc9021842c58f1c02f8d84264d3600e1039dfe6f866822ad91cff9 DIST tiff-4.4.0.tar.xz.sig 310 BLAKE2B 00dc8ff9c232ec4cca8b294659e6379b9bb512b58cd3d2f9231e7c10111510ac56aff3c6fc133a47f9fafc27595e099297c25940414495d8ea7f5a75aa43e9d2 SHA512 4ffdcbf5a8ce4a3be543d0ad43101ddcdb6ef22c3da5768c86660a40cc0cab48032a65c5e7bb0667f43d55dad5aa09dc0df302e2f9dbc9f24b8ccac643a0408c +DIST tiff-4.5.0rc1.tar.xz 2314664 BLAKE2B da6bdd79348a9626d8523903b43388cc963a86d8527ffb58fd8fcc09b1aae5d7317ccfcc8cf6b2515267b3b559d327db256303e70039b12552ae87c120ee7beb SHA512 244a98142f0d18eb5b531dceb265d2444021c628e886912dbfb33e1d23e5444e350b5487bd8f94e3fbafd993dcb5e490c6f78c1426601e903ad2bbe4bc41953c +DIST tiff-4.5.0rc1.tar.xz.sig 310 BLAKE2B b1b7ecb1f04e446cf7622df0ecff1482ca6175f4206350e9698488e2aaca64112ff41adcd8c5b817efbea947ffaec54258f87c9e932badc3c7493391960dc715 SHA512 8b2cc1d0c01d4f40f1c4c0827dbb12508d533f6c98e59cb9876a33b89fd4bbbfc8ccced3f27536d3bc00b5ae286e6b919b1468462396da38112dfc34c4ade3e0 
diff --git a/media-libs/tiff/files/tiff-4.5.0_rc1-skip-tools-tests-multilib.patch b/media-libs/tiff/files/tiff-4.5.0_rc1-skip-tools-tests-multilib.patch new file mode 100644 index ..831afd287226 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.5.0_rc1-skip-tools-tests-multilib.patch @@ -0,0 +1,52 @@ +https://gitlab.com/libtiff/libtiff/-/merge_requests/334 + +From e7605b93b12c2bf3c864910c23ac976045b5a05a Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Sat, 21 May 2022 01:01:35 +0100 +Subject: [PATCH 1/2] test (autotools): skip script tests if tools aren't built + +In Gentoo, we avoid building the tools for multilib (32-bit, x86) builds on +amd64/x86_64 because we only need the library to keep binary applications working. + +This causes a test failure in e.g. tiffcp-thumbnail.sh as the 'thumbnail' +binary isn't built. Skip it if unavailable. + +Fixes: https://gitlab.com/libtiff/libtiff/-/issues/421 +--- a/test/Makefile.am b/test/Makefile.am +@@ -55,13 +55,14 @@ XFAIL_TESTS = + CLEANFILES = test_packbits.tif o-* + + if HAVE_JPEG ++if TIFF_TOOLS + JPEG_DEPENDENT_CHECK_PROG=raw_decode + JPEG_DEPENDENT_TESTSCRIPTS=\ + tiff2rgba-quad-tile.jpg.sh \ + tiff2rgba-ojpeg_zackthecat_subsamp22_single_strip.sh \ + tiff2rgba-ojpeg_chewey_subsamp21_multi_strip.sh \ + tiff2rgba-ojpeg_single_strip_no_rowsperstrip.sh +- ++endif + else + JPEG_DEPENDENT_CHECK_PROG= + JPEG_DEPENDENT_TESTSCRIPTS= +@@ -76,6 +77,7 @@ check_PROGRAMS = \ + endif + + # Test scripts to execute ++if TIFF_TOOLS + TESTSCRIPTS = \ + ppm2tiff_pbm.sh \ + ppm2tiff_pgm.sh \ +@@ -156,6 +158,9 @@ TESTSCRIPTS = \ + testfax4.sh \ + testdeflatelaststripextradata.sh \ + $(JPEG_DEPENDENT_TESTSCRIPTS) ++else ++TESTSCRIPTS= ++endif + + # This list should contain the references files + # from the 'refs' subdirectory +-- +GitLab diff --git a/media-libs/tiff/tiff-4.5.0_rc1.ebuild b/media-libs/tiff/tiff-4.5.0_rc1.ebuild new file mode 100644 index ..fd1df52b1205 --- /dev/null +++ b/media-libs/tiff/tiff-4.5.0_rc1.ebuild 
@@ -0,0 +1,89 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +QA_PKGCONFIG_VERSION="$(ver_cut 1-3)" + +# Release signer can vary per version but not clear if others will be doing +# them in future, so gone with Even Rouault for now as he does other geosci +# stuff too like PROJ, GDAL. Previous release manager of TIFF was +# GraphicsMagick maintainer Bob Friesenhahn. Please be careful when verifying +# who made releases. +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/rouault.asc +inherit autotools multilib-minimal verify-sig libtool flag-o-matic + +MY_P="${P/_rc/rc}" +DESCRIPTION="Tag Image File Format (TIFF) library" +HOMEPAGE="http://libtiff.maptools.org"; +SRC_URI="https://download.osgeo.org/libtiff/${MY_P}.tar.xz"; +SRC_URI+=" verify-sig? (
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: 33944343462c9aa5a0a23b4a296074d0bc62c5c2 Author: Sam James gentoo org> AuthorDate: Thu Dec 1 07:15:54 2022 + Commit: Sam James gentoo org> CommitDate: Thu Dec 1 07:16:56 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33944343 media-libs/tiff: backport fix for hylafaxplus regression Closes: https://bugs.gentoo.org/883641 Signed-off-by: Sam James gentoo.org> .../files/tiff-4.4.0-hylafaxplus-regression.patch | 34 +++ media-libs/tiff/tiff-4.4.0-r2.ebuild | 102 + 2 files changed, 136 insertions(+) diff --git a/media-libs/tiff/files/tiff-4.4.0-hylafaxplus-regression.patch b/media-libs/tiff/files/tiff-4.4.0-hylafaxplus-regression.patch new file mode 100644 index ..c640f6e1b1a7 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.4.0-hylafaxplus-regression.patch @@ -0,0 +1,34 @@ +https://bugs.gentoo.org/883641 +https://gitlab.com/libtiff/libtiff/-/issues/489 +https://gitlab.com/libtiff/libtiff/-/commit/72de8fd00be8a583a6b16cc0b700105020d249ba + +From 72de8fd00be8a583a6b16cc0b700105020d249ba Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 29 Nov 2022 14:57:27 +0100 +Subject: [PATCH] TIFFWriteRawStrip(): restore capabilities to append data in + the current strip (fixes #489) + +This fixes a regression of libtiff 4.4.0 +--- a/libtiff/tif_write.c b/libtiff/tif_write.c +@@ -341,10 +341,13 @@ TIFFWriteRawStrip(TIFF* tif, uint32_t strip, void* data, tmsize_t cc) + return ((tmsize_t) -1); + } + +- tif->tif_curstrip = strip; ++if (tif->tif_curstrip != strip) ++{ ++tif->tif_curstrip = strip; + +- /* this informs TIFFAppendToStrip() we have changed or reset strip */ +- tif->tif_curoff = 0; ++/* this informs TIFFAppendToStrip() we have changed or reset strip */ ++tif->tif_curoff = 0; ++} + + if (td->td_stripsperimage == 0) { + TIFFErrorExtR(tif, module,"Zero strips per image"); +-- +GitLab + + diff --git a/media-libs/tiff/tiff-4.4.0-r2.ebuild b/media-libs/tiff/tiff-4.4.0-r2.ebuild new file mode 100644 index ..f485be1f583a --- /dev/null 
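Review bot: The comment kept inside the new `if (tif->tif_curstrip != strip)` block still says "changed or reset strip", but the offset is now cleared only when the strip index changes. A second TIFFWriteRawStrip() call for the same strip keeps tif_curoff and appends, which is what the commit subject describes. A caller that expected a repeated call to restart the strip at offset 0 would instead grow it, so the contract deserves to be spelled out. I would reword the comment to something like `/* new strip: tell TIFFAppendToStrip() to start at offset 0; a repeated call for the same strip keeps tif_curoff and appends */`. The function body continues outside this hunk.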
+++ b/media-libs/tiff/tiff-4.4.0-r2.ebuild 
@@ -0,0 +1,102 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +QA_PKGCONFIG_VERSION="$(ver_cut 1-3)" + +# Release signer can vary per version but not clear if others will be doing +# them in future, so gone with Even Rouault for now as he does other geosci +# stuff too like PROJ, GDAL. Previous release manager of TIFF was +# GraphicsMagick maintainer Bob Friesenhahn. Please be careful when verifying +# who made releases. +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/rouault.asc +inherit multilib-minimal verify-sig libtool flag-o-matic + +MY_P="${P/_rc/rc}" +DESCRIPTION="Tag Image File Format (TIFF) library" +HOMEPAGE="http://libtiff.maptools.org"; +SRC_URI="https://download.osgeo.org/libtiff/${MY_P}.tar.xz"; +SRC_URI+=" verify-sig? ( https://download.osgeo.org/libtiff/${MY_P}.tar.xz.sig )" +S="${WORKDIR}/${PN}-$(ver_cut 1-3)" + +LICENSE="libtiff" +SLOT="0" +if [[ ${PV} != *_rc* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +fi +IUSE="+cxx jbig jpeg lzma static-libs test webp zlib zstd" +RESTRICT="!test? ( test )" + +# bug #483132 +REQUIRED_USE="test? ( jpeg )" + +RDEPEND="jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] ) + jpeg? ( media-libs/libjpeg-turbo:=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1[${MULTILIB_USEDEP}] ) + webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] ) + zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] ) + zstd? ( >=app-arch/zstd-1.3.7-r1:=[${MULTILIB_USEDEP}] )" +DEPEND="${RDEPEND}" +BDEPEND="verify-sig? 
( sec-keys/openpgp-keys-evenrouault )" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/tiffconf.h +) + +PATCHES=( + "${FILESDIR}"/${PN}-4.4.0_rc1-skip-thumbnail-test.patch + "${FILESDIR}"/${P}-hylafaxplus-regression.patch +) + +src_prepare() { + default + + # Added to fix cross-compilation + elibtoolize +} + +multilib_src_configure() { + append-lfs-flags + + local myeconfargs=( + --without-x + --with-docdir="${EPREFIX}"/usr/share/doc/${PF} + $(use_enable cxx) + $(use_enable jbig) + $(use_enable jpeg) + $(use_enable lzma) + $(use_enable static-libs static) + $(use_enable webp) + $(use_enable zlib) + $(use_enable zstd) + ) + + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" + + # Remove components (like tools) that are irrelevant for the multilib + # bui
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: 36b1b60543df094492afcbdea67a49a9157635d1 Author: Mikle Kolyada gentoo org> AuthorDate: Sun Nov 3 13:46:15 2019 + Commit: Mikle Kolyada gentoo org> CommitDate: Sun Nov 3 13:46:15 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36b1b605 media-libs/tiff: Drop insecure Package-Manager: Portage-2.3.76, Repoman-2.3.16 Signed-off-by: Mikle Kolyada gentoo.org> ...ferOverflow-ChopUpSingleUncompressedStrip.patch | 33 - ...ferOverflow-ChopUpSingleUncompressedStrip.patch | 26 --- media-libs/tiff/tiff-4.0.10-r1.ebuild | 86 -- media-libs/tiff/tiff-4.0.10.ebuild | 83 - 4 files changed, 228 deletions(-) diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch deleted file mode 100644 index a45ee342f77..000 --- a/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch +++ /dev/null @@ -1,33 +0,0 @@ -https://codereview.chromium.org/2284063002 -https://crbug.com/618267 -https://pdfium.googlesource.com/pdfium/+/master/libtiff/ - -Author: tracy_jiang -Date: Mon Aug 29 13:42:56 2016 -0700 - -Fix for #618267. Adding a method to determine if multiplication has -overflow. - a/libtiff/tif_aux.c -+++ b/libtiff/tif_aux.c -@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, - /* -* XXX: Check for integer overflow. -*/ -- if (nmemb && elem_size && bytes / elem_size == nmemb) -+ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) - cp = _TIFFrealloc(buffer, bytes); - - if (cp == NULL) { a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -315,6 +315,9 @@ typedef size_t TIFFIOSize_t; - #define _TIFF_off_t off_t - #endif - -+#include -+#define _TIFFIfMultiplicationOverflow(op1, op2) ((op1) > SSIZE_MAX / (op2)) -+ - #if defined(__cplusplus) - extern "C" { - #endif 
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch deleted file mode 100644 index 35f59b9bffd..000 --- a/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch +++ /dev/null @@ -1,26 +0,0 @@ -https://codereview.chromium.org/2405693002 -https://crbug.com/654169 -https://pdfium.googlesource.com/pdfium/+/master/libtiff/ - -Author: stackexploit -Date: Mon Oct 10 10:58:25 2016 -0700 - -libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip. - -The patch (https://codereview.chromium.org/2284063002) for Issue 618267 -was insufficient. The integer overflow still could be triggered and could -lead to heap buffer overflow. - -This CL strengthens integer overflow check in function _TIFFCheckRealloc. - a/libtiff/tif_aux.c -+++ b/libtiff/tif_aux.c -@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, - /* -* XXX: Check for integer overflow. -*/ -- if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) -+ if (nmemb > 0 && elem_size > 0 && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) - cp = _TIFFrealloc(buffer, bytes); - - if (cp == NULL) { diff --git a/media-libs/tiff/tiff-4.0.10-r1.ebuild b/media-libs/tiff/tiff-4.0.10-r1.ebuild deleted file mode 100644 index 3a79093c5f7..000 --- a/media-libs/tiff/tiff-4.0.10-r1.ebuild +++ /dev/null 
@@ -1,86 +0,0 @@ -# Copyright 1999-2019 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit autotools libtool multilib-minimal - -DESCRIPTION="Tag Image File Format (TIFF) library" -HOMEPAGE="http://libtiff.maptools.org"; -SRC_URI="https://download.osgeo.org/libtiff/${P}.tar.gz"; - -LICENSE="libtiff" -SLOT="0" -KEYWORDS="alpha amd64 ~arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~riscv s390 ~sh sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -IUSE="+cxx jbig jpeg lzma static-libs test webp zlib zstd" - -RDEPEND=" - jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] ) - jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] ) - lzma? ( >=app-arch/xz-utils-5.0.5-r1[${MULTILIB_USEDEP}] ) - webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] ) - zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] ) - zstd? ( >=app-arch/zstd-1.3.7-r1:=[${MULTILIB_USEDEP}] ) -" -DEPEND="${RDEPEND}" - -REQUIRED_USE="test? ( jpeg )" #483132 - -PATCHES=( - "${FILESDIR}"/${PN}-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch - "${FILESDIR}"/${PN}-4.0.7-pdfium-0008-HeapBufferO
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: 6f50c6e9a116c3d950db0cd2e131893aca2f1cf2 Author: Mattias Nissler chromium org> AuthorDate: Tue Sep 3 10:25:18 2019 + Commit: Aaron Bauman gentoo org> CommitDate: Tue Sep 3 19:45:36 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f50c6e9 media-libs/tiff: Pull in patch for CVE-2019-14973 Bug: https://bugs.gentoo.org/693394 Signed-off-by: Mattias Nissler chromium.org> Closes: https://github.com/gentoo/gentoo/pull/12851 Signed-off-by: Aaron Bauman gentoo.org> 0.10-CVE-2019-14973-fix-integer-overflow.patch | 395 + media-libs/tiff/tiff-4.0.10-r2.ebuild | 85 + 2 files changed, 480 insertions(+) diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-14973-fix-integer-overflow.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-14973-fix-integer-overflow.patch new file mode 100644 index 000..cbcbfd9d7f0 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-14973-fix-integer-overflow.patch 
@@ -0,0 +1,395 @@ +From 6ebfcac47224d3b8661c501967d495135449883e Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 10 Aug 2019 18:25:03 +0200 +Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other + implementation-defined behaviour (CVE-2019-14973) + +_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow +in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus +signed), which was especially easily triggered on 32-bit builds (with recent +enough compilers that assume that signed multiplication cannot overflow, since +this is undefined behaviour by the C standard). The original issue which lead to +this fix was trigged from tif_fax3.c + +There were also unsafe (implementation defied), and broken in practice on 64bit +builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing +(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known +at that time exploits, but are better to fix in a more bullet-proof way. +Or similarly use of (int64)uint64_var <= 0. 
+ +--- a/libtiff/tif_aux.c b/libtiff/tif_aux.c +@@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where) + return bytes; + } + ++tmsize_t ++_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where) ++{ ++if( first <= 0 || second <= 0 ) ++{ ++if( tif != NULL && where != NULL ) ++{ ++TIFFErrorExt(tif->tif_clientdata, where, ++"Invalid argument to _TIFFMultiplySSize() in %s", where); ++} ++return 0; ++} ++ ++if( first > TIFF_TMSIZE_T_MAX / second ) ++{ ++if( tif != NULL && where != NULL ) ++{ ++TIFFErrorExt(tif->tif_clientdata, where, ++"Integer overflow in %s", where); ++} ++return 0; ++} ++return first * second; ++} ++ ++tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module) ++{ ++if( val > (uint64)TIFF_TMSIZE_T_MAX ) ++{ ++if( tif != NULL && module != NULL ) ++{ ++TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); ++} ++return 0; ++} ++return (tmsize_t)val; ++} ++ + void* + _TIFFCheckRealloc(TIFF* tif, void* buffer, + tmsize_t nmemb, tmsize_t elem_size, const char* what) + { + void* cp = NULL; +- tmsize_t bytes = nmemb * elem_size; +- ++tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL); + /* +- * XXX: Check for integer overflow. ++ * Check for integer overflow. 
+*/ +- if (nmemb && elem_size && bytes / elem_size == nmemb) +- cp = _TIFFrealloc(buffer, bytes); ++ if (count != 0) ++ { ++ cp = _TIFFrealloc(buffer, count); ++ } + + if (cp == NULL) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +--- a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +@@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + uint32 leftmost_tw; + + tilesize = TIFFTileSize(tif); +- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); ++ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate"); + if (bufsize == 0) { +- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); + return (0); + } + +@@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + uint16 colorchannels; + + stripsize = TIFFStripSize(tif); +- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); ++ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate"); + if (bufsize == 0) { +- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"
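Review bot: Both new helpers in tif_aux.c use 0 as an in-band failure value, and nothing in the hunk documents that. `_TIFFCastUInt64ToSSize()` returns 0 on overflow but also returns `(tmsize_t)val` for `val == 0`, so a caller cannot tell a legitimate zero from a rejected value. `_TIFFMultiplySSize()` returns 0 both for a non-positive operand and for overflow. `_TIFFCheckRealloc()` calls it with `where` set to NULL, so the specific overflow message is suppressed and only the later allocation-failure report is emitted. I would add a header comment to each helper, for example `/* Returns 0 on overflow or non-positive input; callers must treat 0 as failure */`, and note on the cast helper that a zero input is indistinguishable from an error. The `_TIFFCheckRealloc()` body continues past the hunk, and the gtStripSeparate hunk is cut off at the end of this message.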
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: 1408d12740a4cd2a6d71fe5f52386d9d77128645 Author: Aaron Bauman gentoo org> AuthorDate: Mon Aug 5 00:03:19 2019 + Commit: Aaron Bauman gentoo org> CommitDate: Mon Aug 5 00:12:00 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1408d127 media-libs/tiff: revbump to address open security bugs * This commit addresses 3 outstanding security issues reported by the individuals listed below. * This commit involved cherry-picking the patches and adding a revbump as the original PR's renamed the original ebuild and kept stable keywords. Bug: https://bugs.gentoo.org/639700 Bug: https://bugs.gentoo.org/690732 Closes: https://github.com/gentoo/gentoo/pull/12543 Closes: https://github.com/gentoo/gentoo/pull/11743 Reported-by: Benjamin Gordon chromium.org> Reported-by: Allen Webb google.com> Signed-off-by: Aaron Bauman gentoo.org> ...-2018-17000-tif_dirwrite-null-dereference.patch | 33 + .../tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch | 48 0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch | 73 ++ media-libs/tiff/tiff-4.0.10-r1.ebuild | 86 ++ 4 files changed, 240 insertions(+) diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch new file mode 100644 index 000..321c6a428af --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch 
@@ -0,0 +1,33 @@ +https://crbug.com/901306 + +commit 802d3cbf3043be5dce5317e140ccb1c17a6a2d39 +Author: Thomas Bernard +Date: Tue Jan 29 11:21:47 2019 +0100 + +TIFFWriteDirectoryTagTransferfunction() : fix NULL dereferencing + +http://bugzilla.maptools.org/show_bug.cgi?id=2833 + +we must check the pointer is not NULL before memcmp() the memory + +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index c15a28dbd8fcb99b81fa5a1d44fcbcda881f42a7..ef30c869d30e210d90be16ce91f44087925fbad3 100644 +--- a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir + n=3; + if (n==3) + { +- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16))) ++ if (tif->tif_dir.td_transferfunction[2] == NULL || ++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16))) + n=2; + } + if (n==2) + { +- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16))) ++ if (tif->tif_dir.td_transferfunction[1] == NULL || ++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16))) + n=1; + } + if (n==0) diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch new file mode 100644 index 000..38d020fec24 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch 
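Review bot: The added NULL tests in TIFFWriteDirectoryTagTransferfunction() cover `td_transferfunction[2]` and `td_transferfunction[1]`, but `td_transferfunction[0]` is still passed to `_TIFFmemcmp()` unchecked in both comparisons. Whether index 0 is guaranteed non-NULL at this point is not visible in the hunk, since the function starts and ends outside it. If an earlier check establishes that, a short comment here such as `/* td_transferfunction[0] was verified non-NULL above */` would keep the next reader from wondering. If nothing establishes it, the same guard is needed for index 0 before either comparison.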
@@ -0,0 +1,48 @@ +https://crbug.com/923647 + +commit ae0bed1fe530a82faf2e9ea1775109dbf301a971 +Merge: 933784a1 0c74a9f4 +Author: Even Rouault +Date: Sat Feb 2 14:46:05 2019 + + +Merge branch 'master' into 'master' + +Fix for simple memory leak that was assigned CVE-2019-6128. + +See merge request libtiff/libtiff!50 + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 01d8502ecf7a8a7f015e49ca9378a1a741cbc06b..9492f1cf1212177bf7e97d307757d0977c898e90 100644 +--- a/tools/pal2rgb.c b/tools/pal2rgb.c +@@ -118,12 +118,14 @@ main(int argc, char* argv[]) + shortv != PHOTOMETRIC_PALETTE) { + fprintf(stderr, "%s: Expecting a palette image.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) { + fprintf(stderr, + "%s: No colormap (not a valid palette image).\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + bitspersample = 0; +@@ -131,11 +133,14 @@ main(int argc, char* argv[]) + if (bitspersample != 8) { + fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + out = TIFFOpen(argv[optind+1], "w"); +- if (out == NULL) ++ if (out == NULL) { ++ (void) TIFFClose(in); + return (-2); ++ } + cpTags(in, out); + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &i
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: afb651b9908c9fd2d24a8e347e152bc195b486bc Author: Mike Frysinger chromium org> AuthorDate: Tue May 29 01:02:58 2018 + Commit: Mike Frysinger gentoo org> CommitDate: Tue May 29 01:03:54 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afb651b9 media-libs/tiff: add upstream fix for CVE-2017-18013 #645982 Bug: https://bugs.gentoo.org/645982 .../tiff/files/tiff-4.0.9-CVE-2017-18013.patch | 39 +++ media-libs/tiff/tiff-4.0.9-r4.ebuild | 81 ++ 2 files changed, 120 insertions(+) diff --git a/media-libs/tiff/files/tiff-4.0.9-CVE-2017-18013.patch b/media-libs/tiff/files/tiff-4.0.9-CVE-2017-18013.patch new file mode 100644 index 000..2db890aef90 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.9-CVE-2017-18013.patch 
@@ -0,0 +1,39 @@ +https://bugs.gentoo.org/645982 +https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 + +From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer + dereference on corrupted file. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +--- + libtiff/tif_print.c | 8 + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 9959d353b1f9..8deceb2b054d 100644 +--- a/libtiff/tif_print.c b/libtiff/tif_print.c +@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, "%3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, "%3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } +-- +2.16.1 + diff --git a/media-libs/tiff/tiff-4.0.9-r4.ebuild b/media-libs/tiff/tiff-4.0.9-r4.ebuild new file mode 100644 index 000..4787ecd348e --- /dev/null +++ b/media-libs/tiff/tiff-4.0.9-r4.ebuild 
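Review bot: When `td->td_stripoffset` or `td->td_stripbytecount` is NULL the new ternaries print `0` for every strip, so the listing for a corrupted file looks the same as one whose strips really have zero offsets and byte counts. The NULL test is also repeated for each `s`, although neither pointer appears to change inside the loop. Testing once before the loop and printing a marker in place of the rows would make the corruption visible to whoever reads the dump, e.g. `if (!td->td_stripoffset || !td->td_stripbytecount) fprintf(fd, "  (strip arrays missing)\n");`. The loop header and the rest of TIFFPrintDirectory are outside the hunk, so whether `s` is otherwise bounded by the array lengths cannot be confirmed from here.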
@@ -0,0 +1,81 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="6" + +inherit autotools libtool ltprune multilib-minimal + +DESCRIPTION="Tag Image File Format (TIFF) library" +HOMEPAGE="http://libtiff.maptools.org"; +SRC_URI="http://download.osgeo.org/libtiff/${P}.tar.gz + ftp://ftp.remotesensing.org/pub/libtiff/${P}.tar.gz"; + +LICENSE="libtiff" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x64-solaris ~x86-solaris" +IUSE="+cxx jbig jpeg lzma static-libs test zlib" + +RDEPEND="jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] ) + jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:=[${MULTILIB_USEDEP}] ) + zlib? ( >=sys-libs/zlib-1.2.8-r1:=[${MULTILIB_USEDEP}] )" +DEPEND="${RDEPEND}" + +REQUIRED_USE="test? ( jpeg )" #483132 + +PATCHES=( + "${FILESDIR}"/${PN}-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch + "${FILESDIR}"/${PN}-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch + "${FILESDIR}"/${P}-CVE-2017-9935.patch #624696 + "${FILESDIR}"/${P}-CVE-2017-9935-fix-incorrect-type.patch #624696 + "${FILESDIR}"/${P}-CVE-2017-18013.patch #645982 + "${FILESDIR}"/${P}-CVE-2018-5784.patch #645730 +) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/tiffconf.h +) + +src_prepare() { + default + + # tiffcp-thumbnail.sh fails as thumbnail binary doesn't get built anymore since tiff-4.0.7 + sed '/tiffcp-thumbnail\.sh/d' -i test/Makefile.am || die + + eautoreconf +} + +multilib_src_configure() { + local myeconfargs=( + --without-x + $(use_enable cxx) + $(use_enable jbig) + $(use_enable jpeg) + $(use_enable lzma) + $(use_enable static-libs static) + $(use_enable zlib) + ) + ECONF_SOURCE="${S}" econf
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: b5f874c2b8cbbdb0eb013c1543ef3aaddbe67903 Author: Michael Vetter iodoru org> AuthorDate: Tue Feb 20 14:18:53 2018 + Commit: Lars Wendler gentoo org> CommitDate: Tue Feb 20 14:29:48 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5f874c2 media-libs/tiff: Fix CVE-2018-5784 Patch is upstream commit: https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef Bug: https://bugs.gentoo.org/645730 Package-Manager: Portage-2.3.19, Repoman-2.3.6 Closes: https://github.com/gentoo/gentoo/pull/7237 .../tiff/files/tiff-4.0.9-CVE-2018-5784.patch | 128 + media-libs/tiff/tiff-4.0.9-r3.ebuild | 84 ++ 2 files changed, 212 insertions(+)
diff --git a/media-libs/tiff/files/tiff-4.0.9-CVE-2018-5784.patch b/media-libs/tiff/files/tiff-4.0.9-CVE-2018-5784.patch
new file mode 100644
index 000..56d0f4b0687
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.9-CVE-2018-5784.patch
@@ -0,0 +1,128 @@ +From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001 +From: Nathan Baker +Date: Tue, 6 Feb 2018 10:13:57 -0500 +Subject: [PATCH] Fix for bug 2772 + +It is possible to craft a TIFF document where the IFD list is circular, +leading to an infinite loop while traversing the chain. The libtiff +directory reader has a failsafe that will break out of this loop after +reading 65535 directory entries, but it will continue processing, +consuming time and resources to process what is essentially a bogus TIFF +document. + +This change fixes the above behavior by breaking out of processing when +a TIFF document has >= 65535 directories and terminating with an error. +--- + contrib/addtiffo/tif_overview.c | 14 +- + tools/tiff2pdf.c| 10 ++ + tools/tiffcrop.c| 13 +++-- + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c +index c61ffbb..03b3573 100644 +--- a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c +@@ -65,6 +65,8 @@ + # define MAX(a,b) ((a>b) ? 
a : b) + #endif + ++#define TIFF_DIR_MAX 65534 ++ + void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, + int (*)(double,void*), void * ); + +@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, + { + toff_tnBaseDirOffset; + toff_tnOffset; ++tdir_tiNumDir; + + (void) bUseSubIFDs; + +@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, + return 0; + + TIFFWriteDirectory( hTIFF ); +-TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); ++iNumDir = TIFFNumberOfDirectories(hTIFF); ++if( iNumDir > TIFF_DIR_MAX ) ++{ ++TIFFErrorExt( TIFFClientdata(hTIFF), ++ "TIFF_WriteOverview", ++ "File `%s' has too many directories.\n", ++ TIFFFileName(hTIFF) ); ++exit(-1); ++} ++TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); + + nOffset = TIFFCurrentDirOffset( hTIFF ); + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 984ef65..832a247 100644 +--- a/tools/tiff2pdf.c b/tools/tiff2pdf.c +@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); + + #define PS_UNIT_SIZE 72.0F + ++#define TIFF_DIR_MAX65534 ++ + /* This type is of PDF color spaces. 
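Review bot: `TIFF_DIR_MAX` is introduced without a comment and is defined separately in tif_overview.c, tiff2pdf.c and tiffcrop.c, so nothing ties the value 65534 to the library limit it depends on. The patch description says the directory reader stops after 65535 entries; that reasoning belongs next to the constant, for example `/* libtiff's directory reader gives up after 65535 IFDs; a count above this means the IFD chain is circular or bogus */`. With three copies the values can drift apart if the library limit ever changes, so a single shared definition would be safer if these tools have a common header (not visible here).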
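Review bot: The new `exit(-1);` in `TIFF_WriteOverview` terminates the whole process from inside a helper that otherwise reports failure to its caller; the context line just above the change is `return 0;`. Any program that links this contrib code would be killed by a single malformed file instead of getting an error back, whereas the tiff2pdf.c hunk in the same patch sets `t2p->t2p_error` and returns. Replacing the call with `return 0;` after the `TIFFErrorExt` would keep the directory-count check and leave the decision to the caller. The function body starts and ends outside the hunk, so that 0 is its failure value is inferred from that one context line.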
*/ + typedef enum { + T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ +@@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); ++ if(directorycount > TIFF_DIR_MAX) { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "TIFF contains too many directories, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); + if(t2p->tiff_pages==NULL){ + TIFFError( +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 91a38f6..e466dae 100644 +--- a/tools/tiffcrop.c b/tools/tiffcrop.c +@@ -215,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); + #define DUMP_TEXT 1 + #define DUMP_RAW2 + ++#define TIFF_DIR_MAX 65534 ++ + /* Offsets into buffer for margins and fixed width and length segments */ + struct offset { + uint32 tmargin; +@@ -2232,7 +2234,7 @@ main(int argc, char* argv[]) + pageNum = -1; + else + total_images = 0; +- /* read multiple input files and write to output file(s) */ ++ /* Read multiple input files and write to output file(s) */ + while (optind < argc - 1) + { + in = TIFFOpen (argv[optind], "r"); +@@ -224
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: 249ac401ff26eaed63135c2732186a1f98e13eb0 Author: Lars Wendler gentoo org> AuthorDate: Sun Nov 19 20:51:35 2017 + Commit: Lars Wendler gentoo org> CommitDate: Sun Nov 19 20:52:26 2017 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=249ac401 media-libs/tiff: Removed old. Package-Manager: Portage-2.3.14, Repoman-2.3.6 media-libs/tiff/Manifest | 1 - .../tiff/files/tiff-4.0.7-CVE-2016-10266.patch | 46 .../tiff/files/tiff-4.0.7-CVE-2016-10267.patch | 53 .../tiff/files/tiff-4.0.7-CVE-2017-5225.patch | 74 -- media-libs/tiff/files/tiff-4.0.7-bug2130.patch | 112 - media-libs/tiff/files/tiff-4.0.7-bug2535.patch | 54 media-libs/tiff/files/tiff-4.0.7-bug2594.patch | 28 --- media-libs/tiff/files/tiff-4.0.7-bug2597.patch | 41 --- media-libs/tiff/files/tiff-4.0.7-bug2598.patch | 31 --- media-libs/tiff/files/tiff-4.0.7-bug2599.patch | 54 media-libs/tiff/files/tiff-4.0.7-bug2604.patch | 108 media-libs/tiff/files/tiff-4.0.7-bug2605.patch | 55 media-libs/tiff/files/tiff-4.0.7-bug2607.patch | 41 --- media-libs/tiff/files/tiff-4.0.7-bug2608.patch | 104 media-libs/tiff/files/tiff-4.0.7-bug2610.patch | 46 media-libs/tiff/files/tiff-4.0.7-bug2619.patch | 46 media-libs/tiff/files/tiff-4.0.7-bug2620.patch | 29 --- media-libs/tiff/files/tiff-4.0.7-bug2621.patch | 49 media-libs/tiff/files/tiff-4.0.7-bug2627.patch | 59 - media-libs/tiff/files/tiff-4.0.7-bug2631.patch | 34 --- .../tiff/files/tiff-4.0.7-bug2633-bug2634.patch| 41 --- media-libs/tiff/files/tiff-4.0.7-bug2635.patch | 33 --- media-libs/tiff/files/tiff-4.0.7-bug2638.patch | 29 --- media-libs/tiff/files/tiff-4.0.7-bug2639.patch | 58 - media-libs/tiff/files/tiff-4.0.7-bug2640.patch | 28 --- ...iff-4.0.7-bug2642-bug2643-bug2646-bug2647.patch | 278 - media-libs/tiff/files/tiff-4.0.7-bug2644.patch | 45 media-libs/tiff/files/tiff-4.0.7-bug2648.patch | 33 --- media-libs/tiff/files/tiff-4.0.7-bug2650-2.patch | 26 -- media-libs/tiff/files/tiff-4.0.7-bug2650.patch | 54 media-libs/tiff/files/tiff-4.0.7-bug2651.patch | 86 --- 
media-libs/tiff/files/tiff-4.0.7-bug2653.patch | 33 --- media-libs/tiff/files/tiff-4.0.7-bug2658.patch | 33 --- media-libs/tiff/files/tiff-4.0.7-bug2659-2.patch | 41 --- media-libs/tiff/files/tiff-4.0.7-bug2659.patch | 34 --- media-libs/tiff/files/tiff-4.0.7-bug2665.patch | 43 media-libs/tiff/files/tiff-4.0.7-fax2tiff.patch| 39 --- .../tiff/files/tiff-4.0.7-hylafax-hack.patch | 38 --- media-libs/tiff/tiff-4.0.7-r3.ebuild | 121 - media-libs/tiff/tiff-4.0.7.ebuild | 73 -- 40 files changed, 2231 deletions(-) diff --git a/media-libs/tiff/Manifest b/media-libs/tiff/Manifest index bee82d59f00..2b2df775d4e 100644 --- a/media-libs/tiff/Manifest +++ b/media-libs/tiff/Manifest 
@@ -1,4 +1,3 @@ DIST tiff-3.9.7.tar.gz 1468097 SHA256 f5d64dd4ce61c55f5e9f6dc3920fbe5a41e02c2e607da7117a35eb5c320cef6a SHA512 ca89584a9ffa33b4986e4bc2165043cec239896f1f0ab73db00818d0442b570efaa6345b2ed422e884202324d359713df849bf14782bb0cf3b959655febddd77 WHIRLPOOL c06b35da66c365c1fe7f0e6e06a400e139d3e2b5b280aa764015c2f0383a6191ffb3d335cdf2211b687bbb0caacf641be409148986a9813dfde5822a650a9b1c -DIST tiff-4.0.7.tar.gz 2076392 SHA256 9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019 SHA512 941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc WHIRLPOOL 3090a0d8a5ad3595c97888edab3c48379175cad993567d20be5f397b1c5c1d21012de55c5da5e664ee483d294fe9eb5f3464e14f564fb79c1357094ff67e313d DIST tiff-4.0.8.tar.gz 2065574 SHA256 59d7a5a8ccd92059913f246877db95a2918e6c04fb9d43fd74e5c3390dac2910 SHA512 5d010ec4ce37aca733f7ab7db9f432987b0cd21664bd9d99452a146833c40f0d1e7309d1870b0395e947964134d5cfeb1366181e761fe353ad585803ff3d6be6 WHIRLPOOL 13fce447c586fef080c6201f0f5b010bc8b0e096bc9b806ab3b80eb6a672c789f88b5fc34a51585aa7072bb8407ecc958d1d7824fad379f86968f051de2fa96d DIST tiff-4.0.9.tar.gz 2305681 SHA256 6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd SHA512 04f3d5eefccf9c1a0393659fe27f331108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd WHIRLPOOL e67378d8d7c17d892e5f075d4e13aa299042a9f989fd6051b23d986518a11f2bbbcb13f491d87da6e6455aa28df2cce0fb65761237e256ac2e37889272f2ddf7 diff --git a/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch b/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch deleted file mode 100644 index 67e0ca41c99..000 --- a/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch +++ /dev/null @@ -1,46 +0,0 @@ -http://bugzilla.maptools.org/show_bug.cgi?id=2596 - -From d752
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: e85f99863e467882ba64febcec829ace775de1ea Author: Lars Wendler gentoo org> AuthorDate: Mon May 22 07:34:15 2017 + Commit: Lars Wendler gentoo org> CommitDate: Mon May 22 07:35:18 2017 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e85f9986 media-libs/tiff: Removed old. Package-Manager: Portage-2.3.6, Repoman-2.3.2 media-libs/tiff/Manifest | 1 - .../tiff/files/tiff-4.0.6-gif2tiff_removal.patch | 47 - media-libs/tiff/tiff-4.0.6-r1.ebuild | 73 - media-libs/tiff/tiff-4.0.6.ebuild | 69 - media-libs/tiff/tiff-4.0.7-r1.ebuild | 113 - 5 files changed, 303 deletions(-)
diff --git a/media-libs/tiff/Manifest b/media-libs/tiff/Manifest
index bbc633fbc04..882ad79ea91 100644
--- a/media-libs/tiff/Manifest
+++ b/media-libs/tiff/Manifest
@@ -1,4 +1,3 @@ DIST tiff-3.9.7.tar.gz 1468097 SHA256 f5d64dd4ce61c55f5e9f6dc3920fbe5a41e02c2e607da7117a35eb5c320cef6a SHA512 ca89584a9ffa33b4986e4bc2165043cec239896f1f0ab73db00818d0442b570efaa6345b2ed422e884202324d359713df849bf14782bb0cf3b959655febddd77 WHIRLPOOL c06b35da66c365c1fe7f0e6e06a400e139d3e2b5b280aa764015c2f0383a6191ffb3d335cdf2211b687bbb0caacf641be409148986a9813dfde5822a650a9b1c -DIST tiff-4.0.6.tar.gz 2192991 SHA256 4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c SHA512 2c8dbb9f82a7722bfe8cb6fcfcf67472beb692f1b7dafaf322759e7016dad1bc58457c0f03db50aa5bd088fef2b37358fcbc1524e20e9e14a9620373fdf8 WHIRLPOOL 809e61a22f7d6dfdf81917a084678ec39ed3cff4e03184d61c67501946d3fab0645cb3fe800d9249771879ee91245085e123349f68340bb63bd18024db8e03a6 DIST tiff-4.0.7.tar.gz 2076392 SHA256 9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019 SHA512 941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc WHIRLPOOL 3090a0d8a5ad3595c97888edab3c48379175cad993567d20be5f397b1c5c1d21012de55c5da5e664ee483d294fe9eb5f3464e14f564fb79c1357094ff67e313d DIST tiff-4.0.8.tar.gz 2065574 SHA256 59d7a5a8ccd92059913f246877db95a2918e6c04fb9d43fd74e5c3390dac2910 SHA512 5d010ec4ce37aca733f7ab7db9f432987b0cd21664bd9d99452a146833c40f0d1e7309d1870b0395e947964134d5cfeb1366181e761fe353ad585803ff3d6be6 WHIRLPOOL 13fce447c586fef080c6201f0f5b010bc8b0e096bc9b806ab3b80eb6a672c789f88b5fc34a51585aa7072bb8407ecc958d1d7824fad379f86968f051de2fa96d diff --git a/media-libs/tiff/files/tiff-4.0.6-gif2tiff_removal.patch b/media-libs/tiff/files/tiff-4.0.6-gif2tiff_removal.patch deleted file mode 100644 index ea5c2c32714..000 --- a/media-libs/tiff/files/tiff-4.0.6-gif2tiff_removal.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -# Removing vulnerable gif2tiff (CVE-2016-5102) -# Upstream seems to no longer ship this tool with >=tiff-4.0.7 versions. - -http://bugzilla.maptools.org/show_bug.cgi?id=2552 -https://bugzilla.redhat.com/show_bug.cgi?id=1343407 -https://bugs.gentoo.org/585274 - tiff-4.0.6/man/Makefile.am -+++ tiff-4.0.6/man/Makefile.am -@@ -27,7 +27,6 @@ - bmp2tiff.1 \ - fax2ps.1 \ - fax2tiff.1 \ -- gif2tiff.1 \ - pal2rgb.1 \ - ppm2tiff.1 \ - ras2tiff.1 \ tiff-4.0.6/test/Makefile.am -+++ tiff-4.0.6/test/Makefile.am -@@ -68,7 +68,6 @@ - TESTSCRIPTS = \ - bmp2tiff_palette.sh \ - bmp2tiff_rgb.sh \ -- gif2tiff.sh \ - ppm2tiff_pbm.sh \ - ppm2tiff_pgm.sh \ - ppm2tiff_ppm.sh \ tiff-4.0.6/tools/Makefile.am -+++ tiff-4.0.6/tools/Makefile.am -@@ -34,7 +34,6 @@ - bmp2tiff \ - fax2ps \ - fax2tiff \ -- gif2tiff \ - pal2rgb \ - ppm2tiff \ - ras2tiff \ -@@ -73,9 +72,6 @@ - fax2tiff_SOURCES = fax2tiff.c - fax2tiff_LDADD = $(LIBTIFF) $(LIBPORT) - --gif2tiff_SOURCES = gif2tiff.c --gif2tiff_LDADD = $(LIBTIFF) $(LIBPORT) -- - pal2rgb_SOURCES = pal2rgb.c - pal2rgb_LDADD = $(LIBTIFF) $(LIBPORT) - diff --git a/media-libs/tiff/tiff-4.0.6-r1.ebuild b/media-libs/tiff/tiff-4.0.6-r1.ebuild deleted file mode 100644 index 7ae3d8b1033..000 --- a/media-libs/tiff/tiff-4.0.6-r1.ebuild +++ /dev/null 
@@ -1,73 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 -inherit autotools eutils libtool multilib-minimal - -DESCRIPTION="Tag Image File Format (TIFF) library" -HOMEPAGE="http://libtiff.maptools.org"; -SRC_URI="http://download.osgeo.org/libtiff/${P}.tar.gz - ftp://ftp.remotesensing.org/pub/libtiff/${P}.tar.gz"; - -LICENSE="libtiff" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x64-solaris ~x86-solaris" -IUSE="+cxx jbig jpeg lzma static-libs test zlib" - -RDEPEND="jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] ) - jbig? ( >=media-libs/jbigkit-2
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: f383efc4136c911abc8542073a34f2cc6038ee3a Author: Mike Frysinger gentoo org> AuthorDate: Wed Apr 12 19:13:34 2017 + Commit: Mike Frysinger gentoo org> CommitDate: Wed Apr 12 19:25:37 2017 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f383efc4 media-libs/tiff: update pdfium patches to be more portable Put helper funcs in the private headers, and stick to older C standards. ...ferOverflow-ChopUpSingleUncompressedStrip.patch | 23 +++--- ...-4.0.7-pdfium-0013-validate-refblackwhite.patch | 5 +++-- .../{tiff-4.0.7-r2.ebuild => tiff-4.0.7-r3.ebuild} | 0 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch index f573fd9deb3..a45ee342f77 100644 --- a/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch @@ -19,16 +19,15 @@ overflow. cp = _TIFFrealloc(buffer, bytes); if (cp == NULL) { a/libtiff/tiffio.h -+++ b/libtiff/tiffio.h -@@ -298,6 +298,10 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c); - extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); - extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c); - extern void _TIFFfree(void* p); -+#include -+static inline int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) { -+ return op1 > SSIZE_MAX / op2; -+} +--- a/libtiff/tiffiop.h b/libtiff/tiffiop.h +@@ -315,6 +315,9 @@ typedef size_t TIFFIOSize_t; + #define _TIFF_off_t off_t + #endif - /* - ** Stuff, related to tag handling and creating custom tags. ++#include ++#define _TIFFIfMultiplicationOverflow(op1, op2) ((op1) > SSIZE_MAX / (op2)) ++ + #if defined(__cplusplus) + extern "C" { + #endif 
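Review bot: The macro `_TIFFIfMultiplicationOverflow(op1, op2)` divides by `op2` with no guard and no longer converts its arguments to `tmsize_t` as the `static inline` version did, so a caller that passes zero divides by zero and a caller that passes unsigned or negative values gets the comparison done in a different type. The one call site visible on this page (`_TIFFCheckRealloc`) tests `nmemb && elem_size` first, but the macro now sits in the private header where other code can pick it up. Folding the guard into the macro would make it safe on its own, provided arguments stay free of side effects: `#define _TIFFIfMultiplicationOverflow(op1, op2) ((op2) != 0 && (op1) > SSIZE_MAX / (op2))`. `SSIZE_MAX` is a POSIX name rather than ISO C, which is worth checking against the portability goal stated in the commit message.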
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch index 47a3db06431..d98ff9d0f25 100644 --- a/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch @@ -24,11 +24,12 @@ them to the default provided by the TIFF spec v6. #include /* -@@ -426,6 +426,14 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) +@@ -426,6 +426,15 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) case TIFFTAG_REFERENCEBLACKWHITE: /* XXX should check for null range */ _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); -+ for (int i = 0; i < 6; i++) { ++ int i; ++ for (i = 0; i < 6; i++) { + if (isnan(td->td_refblackwhite[i])) { + if (i % 2 == 0) + td->td_refblackwhite[i] = 0; diff --git a/media-libs/tiff/tiff-4.0.7-r2.ebuild b/media-libs/tiff/tiff-4.0.7-r3.ebuild similarity index 100% rename from media-libs/tiff/tiff-4.0.7-r2.ebuild rename to media-libs/tiff/tiff-4.0.7-r3.ebuild
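Review bot: Moving `int i;` out of the `for` header still leaves a declaration after the statement `_TIFFsetFloatArray(...)` in the `case TIFFTAG_REFERENCEBLACKWHITE:` body, and mixing declarations with statements is itself a C99 feature, so a strict C89 compiler rejects this form just as it rejected `for (int i = 0; ...)`. Opening a block puts the declaration at the start of a scope: `{ int i; for (i = 0; i < 6; i++) { ... } }`. The loop body and the rest of the `case` continue outside the hunk.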
[gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
commit: 9108af32a69a8d05b8d03b3b9adb9e0a7a5783bb Author: Mike Frysinger chromium org> AuthorDate: Mon Apr 10 21:42:58 2017 + Commit: Mike Frysinger gentoo org> CommitDate: Mon Apr 10 21:45:14 2017 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9108af32 media-libs/tiff: pull in pdfium security patches 0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch | 20 ...ferOverflow-ChopUpSingleUncompressedStrip.patch | 34 ++ ...iff-4.0.7-pdfium-0007-uninitialized-value.patch | 26 + ...ferOverflow-ChopUpSingleUncompressedStrip.patch | 26 + ...-4.0.7-pdfium-0013-validate-refblackwhite.patch | 41 +++ 7-pdfium-0017-safe_skews_in_gtTileContig.patch | 97 + ...ium-0018-fix-leak-in-PredictorSetupDecode.patch | 27 + .../tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch | 29 + media-libs/tiff/tiff-4.0.7-r2.ebuild | 121 + 9 files changed, 421 insertions(+) diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch new file mode 100644 index 000..afb0151f963 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0005-Leak-TIFFFetchStripThing.patch @@ -0,0 +1,20 @@ +https://codereview.chromium.org/2204793002 +https://crbug.com/633387 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: thestig +Date: Mon Aug 1 19:36:27 2016 -0700 + +Fix a memory leak in libtiff. + +--- a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +@@ -5372,6 +5372,8 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) + static const char module[] = "TIFFFetchStripThing"; + enum TIFFReadDirEntryErr err; + uint64* data; ++ _TIFFfree(*lpp); ++ *lpp = 0; + err=TIFFReadDirEntryLong8Array(tif,dir,&data); + if (err!=TIFFReadDirEntryErrOk) + { 
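Review bot: The added `_TIFFfree(*lpp);` runs on whatever `*lpp` holds at entry, so `TIFFFetchStripThing` now requires every caller to pass either NULL or a pointer that is still allocated and owned by the directory; an uninitialised or already-freed value would turn the leak fix into an invalid or double free. Nothing in the hunk shows how callers initialise the pointer, so the precondition should be written at the top of the function, e.g. `/* *lpp must be NULL or a live _TIFFmalloc'd array on entry; it is freed and replaced */`. The function body continues outside the hunk.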
diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch new file mode 100644 index 000..f573fd9deb3 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch @@ -0,0 +1,34 @@ +https://codereview.chromium.org/2284063002 +https://crbug.com/618267 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: tracy_jiang +Date: Mon Aug 29 13:42:56 2016 -0700 + +Fix for #618267. Adding a method to determine if multiplication has +overflow. + +--- a/libtiff/tif_aux.c b/libtiff/tif_aux.c +@@ -69,7 +69,7 @@ _TIFFCheckRealloc(TIFF* tif, void* buffer, + /* +* XXX: Check for integer overflow. +*/ +- if (nmemb && elem_size && bytes / elem_size == nmemb) ++ if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) + cp = _TIFFrealloc(buffer, bytes); + + if (cp == NULL) { +--- a/libtiff/tiffio.h b/libtiff/tiffio.h +@@ -298,6 +298,10 @@ extern void _TIFFmemset(void* p, int v, tmsize_t c); + extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); + extern int _TIFFmemcmp(const void* p1, const void* p2, tmsize_t c); + extern void _TIFFfree(void* p); ++#include ++static inline int _TIFFIfMultiplicationOverflow(tmsize_t op1, tmsize_t op2) { ++ return op1 > SSIZE_MAX / op2; ++} + + /* + ** Stuff, related to tag handling and creating custom tags. diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch new file mode 100644 index 000..ab5627f5c16 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.7-pdfium-0007-uninitialized-value.patch 
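Review bot: The overflow test in `_TIFFCheckRealloc` is applied after `bytes` already exists; `bytes` is not assigned in the hunk, and if it is still computed as `nmemb * elem_size` ahead of this `if`, the signed multiplication has overflowed (undefined behaviour) before `_TIFFIfMultiplicationOverflow` is consulted. Computing the product only once the check has passed closes that gap: `if (nmemb && elem_size && !_TIFFIfMultiplicationOverflow(nmemb, elem_size)) cp = _TIFFrealloc(buffer, nmemb * elem_size);`. The helper also assumes non-negative operands, since `SSIZE_MAX / op2` is negative for a negative `op2`. The declaration of `bytes` and the parameter types are outside the hunk.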
@@ -0,0 +1,26 @@ +https://codereview.chromium.org/2389993002 +https://crbug.com/651632 +https://pdfium.googlesource.com/pdfium/+/master/libtiff/ + +Author: dsinclair +Date: Mon Oct 3 13:59:57 2016 -0700 + +Fix potentially uninitialized value. + +Depending on what ReadOK does it's possible for |dircount16| to be used without +being initialized. The read code calls back into PDFium specific code which then +calls into the stream reading code. + +Initialize the value to be sure it is set. + +--- a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +@@ -4443,7 +4443,7 @@ TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, + static const char module[] = "TIFFFetchDirectory"; + + void* origdir; +- uint16 dircount16; ++ uint16 dircount16 = 0; + uint32 dirsize; + TIFFDirEntry* dir; + uint8* ma; diff --git a/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch b/media-libs/tiff/files/tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch new file mode 100644 index 000..35f59b9bffd --- /dev/