commit tiff for openSUSE:11.2
Hello community, here is the log from the commit of package tiff for openSUSE:11.2 checked in at Fri Apr 15 17:03:36 CEST 2011. --- old-versions/11.2/UPDATES/all/tiff/tiff.changes 2011-03-31 23:07:12.0 +0200 +++ 11.2/tiff/tiff.changes 2011-04-14 16:51:09.0 +0200 @@ -1,0 +2,5 @@ +Thu Apr 14 16:49:14 CEST 2011 - pgaj...@suse.cz + +- fixed integer overflow CVE-2010-4665 [bnc#687442] + +--- calling whatdependson for 11.2-i586 New: tiff-3.8.2-CVE-2010-4665.patch Other differences: -- ++ tiff.spec ++ --- /var/tmp/diff_new_pack.3E2k0s/_old 2011-04-15 17:03:12.0 +0200 +++ /var/tmp/diff_new_pack.3E2k0s/_new 2011-04-15 17:03:12.0 +0200 @@ -29,7 +29,7 @@ # Url:http://www.remotesensing.org/libtiff/ Version:3.8.2 -Release:145. +Release:145. Summary:Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source1:jpegint.h @@ -47,6 +47,7 @@ Patch12:tiff-%{version}-CVE-2011-0192.patch Patch13:tiff-%{version}-CVE-2011-0191.patch Patch14:tiff-3.8.2-CVE-2011-1167.patch +Patch15:tiff-3.8.2-CVE-2010-4665.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -116,6 +117,7 @@ %patch12 %patch13 %patch14 +%patch15 cp %{S:1} libtiff find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 ++ tiff-3.8.2-CVE-2010-4665.patch ++ http://bugzilla.maptools.org/attachment.cgi?id=398 Make tiffdump more paranoid about checking the count field of a directory entry. diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c --- tools/tiffdump.c2010-06-08 14:50:44.0 -0400 +++ tools/tiffdump.c2010-06-22 12:51:42.207932477 -0400 @@ -46,6 +46,7 @@ # include #endif +#define TIFFSafeMultiply(t,v,m) t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) #include "tiffio.h" #ifndef O_BINARY @@ -317,7 +318,7 @@ printf(">\n"); continue; } - space = dp->tdir_count * datawidth[dp->tdir_type]; + space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]); if (space <= 0) { printf(">\n"); Error("Invalid count for tag %u", dp->tdir_tag); @@ -709,7 +710,7 @@ w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0); cc = dir->tdir_count * w; if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1 - && read(fd, cp, cc) != -1) { + && read(fd, cp, cc) == cc) { if (swabflag) { switch (dir->tdir_type) { case TIFF_SHORT: Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit tiff for openSUSE:11.2
Hello community, here is the log from the commit of package tiff for openSUSE:11.2 checked in at Fri Apr 1 10:44:47 CEST 2011. --- old-versions/11.2/UPDATES/all/tiff/tiff.changes 2011-03-03 09:28:25.0 +0100 +++ 11.2/tiff/tiff.changes 2011-03-31 23:07:12.0 +0200 @@ -1,0 +2,8 @@ +Thu Mar 31 12:31:31 CEST 2011 - pgaj...@suse.cz + +- fixed regression caused by previous update [bnc#682871] + * modified CVE-2011-0192.patch +- fixed buffer overflow in thunder decoder [bnc#683337] + * added CVE-2011-1167.patch + +--- calling whatdependson for 11.2-i586 New: tiff-3.8.2-CVE-2011-1167.patch Other differences: -- ++ tiff.spec ++ --- /var/tmp/diff_new_pack.Pf4nDC/_old 2011-04-01 10:44:31.0 +0200 +++ /var/tmp/diff_new_pack.Pf4nDC/_new 2011-04-01 10:44:31.0 +0200 @@ -29,7 +29,7 @@ # Url:http://www.remotesensing.org/libtiff/ Version:3.8.2 -Release:145. +Release:145. Summary:Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source1:jpegint.h @@ -46,6 +46,7 @@ Patch11:tiff-%{version}-CVE-2010-1411.patch Patch12:tiff-%{version}-CVE-2011-0192.patch Patch13:tiff-%{version}-CVE-2011-0191.patch +Patch14:tiff-3.8.2-CVE-2011-1167.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -114,6 +115,7 @@ %patch11 -p1 %patch12 %patch13 +%patch14 cp %{S:1} libtiff find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 ++ tiff-3.8.2-CVE-2011-0192.patch ++ --- /var/tmp/diff_new_pack.Pf4nDC/_old 2011-04-01 10:44:31.0 +0200 +++ /var/tmp/diff_new_pack.Pf4nDC/_new 2011-04-01 10:44:31.0 +0200 @@ -1,15 +1,29 @@ -Index: libtiff/tif_fax3.h -=== libtiff/tif_fax3.h.orig -+++ libtiff/tif_fax3.h -@@ -478,6 +478,10 @@ done1d: \ +Protect against a fax VL(n) codeword commanding a move left. Without +this, a malicious input file can generate an indefinitely large series +of runs without a0 ever reaching the right margin, thus overrunning +our buffer of run lengths. Per CVE-2011-0192. This is a modified +version of a patch proposed by Drew Yao of Apple Product Security. +It adds an unexpected() report, and disallows the equality case except +for the first run of a line, since emitting a run without increasing a0 +still allows buffer overrun. (We have to allow it for the first run to +cover the case of encoding a zero-length run at start of line using VL.) + +http://bugzilla.maptools.org/show_bug.cgi?id=2297 + +diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h +--- libtiff/tif_fax3.h 2010-06-08 14:50:42.0 -0400 libtiff/tif_fax3.h 2011-03-10 12:11:20.850839162 -0500 +@@ -478,6 +478,12 @@ break; \ case S_VL: \ CHECK_b1; \ -+if (b1 <= (int) (a0 + TabEnt->Param)) { \ -+ unexpected("VL", a0); \ -+ goto eol2d; \ -+} \ ++ if (b1 <= (int) (a0 + TabEnt->Param)) { \ ++ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \ ++ unexpected("VL", a0); \ ++ goto eol2d; \ ++ } \ ++ } \ SETVALUE(b1 - a0 - TabEnt->Param); \ b1 -= *--pb;\ break; \ + ++ tiff-3.8.2-CVE-2011-1167.patch ++ Index: libtiff/tif_thunder.c === --- libtiff/tif_thunder.c.orig +++ libtiff/tif_thunder.c @@ -25,6 +25,7 @@ */ #include "tiffiop.h" +#include #ifdef THUNDER_SUPPORT /* * TIFF Library. @@ -55,12 +56,32 @@ static const int twobitdeltas[4] = { 0, 1, 0, -1 }; static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 }; -#defineSETPIXEL(op, v) { \ - lastpixel = (v) & 0xf; \ - if (npixels++ & 1) \ - *op++ |= lastpixel; \ - else \ +#defineSETPIXEL(op, v) { \ + lastpixel = (v) & 0xf;\ +if ( npixels
commit tiff for openSUSE:11.2
Hello community, here is the log from the commit of package tiff for openSUSE:11.2 checked in at Mon Mar 14 15:35:09 CET 2011. --- old-versions/11.2/UPDATES/all/tiff/tiff.changes 2010-05-24 11:09:18.0 +0200 +++ 11.2/tiff/tiff.changes 2011-03-03 09:28:25.0 +0100 @@ -1,0 +2,7 @@ +Thu Feb 17 16:17:08 CET 2011 - pgaj...@suse.cz + +- fixed buffer overflows [bnc#672510] + * CVE-2011-0192.patch + * CVE-2011-0191.patch + +--- calling whatdependson for 11.2-i586 New: tiff-3.8.2-CVE-2011-0191.patch tiff-3.8.2-CVE-2011-0192.patch Other differences: -- ++ tiff.spec ++ --- /var/tmp/diff_new_pack.sQV9RL/_old 2011-03-14 15:30:09.0 +0100 +++ /var/tmp/diff_new_pack.sQV9RL/_new 2011-03-14 15:30:09.0 +0100 @@ -1,7 +1,7 @@ # -# spec file for package tiff (Version 3.8.2) +# spec file for package tiff # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ # Url:http://www.remotesensing.org/libtiff/ Version:3.8.2 -Release:145. +Release:145. Summary:Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source1:jpegint.h @@ -44,6 +44,8 @@ Patch9: tiff-3.8.2-lzw-CVE-2009-2285.patch Patch10:tiff-%{version}-CVE-2009-2347.patch Patch11:tiff-%{version}-CVE-2010-1411.patch +Patch12:tiff-%{version}-CVE-2011-0192.patch +Patch13:tiff-%{version}-CVE-2011-0191.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -110,6 +112,8 @@ %patch9 %patch10 -p1 %patch11 -p1 +%patch12 +%patch13 cp %{S:1} libtiff find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 ++ tiff-3.8.2-CVE-2011-0191.patch ++ Index: libtiff/tif_dir.c === --- libtiff/tif_dir.c.orig +++ libtiff/tif_dir.c @@ -370,6 +370,10 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va case TIFFTAG_YCBCRSUBSAMPLING: td->td_ycbcrsubsampling[0] = (uint16) va_arg(ap, int); td->td_ycbcrsubsampling[1] = (uint16) va_arg(ap, int); +if (td->td_ycbcrsubsampling[0] > 4) + td->td_ycbcrsubsampling[0] = (td->td_compression == 7) ? 1 : 2; +if (td->td_ycbcrsubsampling[1] > 4) + td->td_ycbcrsubsampling[1] = (td->td_compression == 7) ? 1 : 2; break; case TIFFTAG_TRANSFERFUNCTION: v = (td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1; ++ tiff-3.8.2-CVE-2011-0192.patch ++ Index: libtiff/tif_fax3.h === --- libtiff/tif_fax3.h.orig +++ libtiff/tif_fax3.h @@ -478,6 +478,10 @@ done1d: \ break; \ case S_VL: \ CHECK_b1; \ +if (b1 <= (int) (a0 + TabEnt->Param)) { \ + unexpected("VL", a0); \ + goto eol2d; \ +} \ SETVALUE(b1 - a0 - TabEnt->Param); \ b1 -= *--pb;\ break; \ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org