commit tiff for openSUSE:11.3

2011-04-15 Thread h_root

Hello community,

here is the log from the commit of package tiff for openSUSE:11.3
checked in at Fri Apr 15 17:04:30 CEST 2011.




--- old-versions/11.3/UPDATES/all/tiff/tiff.changes 2011-03-31 
23:07:33.0 +0200
+++ 11.3/tiff/tiff.changes  2011-04-14 16:51:30.0 +0200
@@ -1,0 +2,7 @@
+Thu Apr 14 16:48:26 CEST 2011 - pgaj...@suse.cz
+
+- fixed following vulnerabilities:
+  * integer overflow CVE-2010-4665 [bnc#687442]
+  * buffer overflow CVE-2009-5022 [bnc#687441]
+
+---

calling whatdependson for 11.3-i586


New:

  tiff-3.9.2-CVE-2009-5022.patch
  tiff-3.9.2-CVE-2010-4665.patch



Other differences:
--
++ tiff.spec ++
--- /var/tmp/diff_new_pack.1Vaf5w/_old  2011-04-15 17:03:57.0 +0200
+++ /var/tmp/diff_new_pack.1Vaf5w/_new  2011-04-15 17:03:57.0 +0200
@@ -29,7 +29,7 @@
 #
 Url:http://www.remotesensing.org/libtiff/
 Version:3.9.2
-Release:5.
+Release:5.
 Summary:Tools for Converting from and to the Tiff  Format
 Source: tiff-%{version}.tar.bz2
 Source2:README.SUSE
@@ -46,6 +46,8 @@
 Patch11:tiff-%{version}-CVE-2011-0192.patch
 Patch12:tiff-%{version}-CVE-2011-0191.patch
 Patch13:tiff-3.9.2-CVE-2011-1167.patch
+Patch14:tiff-3.9.2-CVE-2010-4665.patch
+Patch15:tiff-3.9.2-CVE-2009-5022.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -117,6 +119,8 @@
 %patch11
 %patch12
 %patch13
+%patch14
+%patch15
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755
 

++ tiff-3.9.2-CVE-2009-5022.patch ++
http://bugzilla.maptools.org/show_bug.cgi?id=1999#c2 and diff between 3.9.5 and 
3.9.4
Index: tiff-3.9.4/libtiff/tif_ojpeg.c
===
--- libtiff/tif_ojpeg.c
+++ libtiff/tif_ojpeg.c
@@ -1555,6 +1555,11 @@ OJPEGReadHeaderInfoSecStreamSof(TIFF* ti
TIFFErrorExt(tif->tif_clientdata,module,"JPEG 
compressed data indicates unexpected width");
return(0);
}
+if ((uint32)p>sp->strile_width)
+{
+TIFFErrorExt(tif->tif_clientdata,module,"JPEG 
compressed data image width exceeds expected image width");
+return(0);
+}
sp->sof_x=p;
}
/* Nf: Number of image components in frame */
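Review bot: The added upper-bound test `if ((uint32)p>sp->strile_width)` has no comment saying why a SOF width larger than the strile width must be rejected, and the condition of the check just before it lies outside the hunk, so the two cannot be compared here. A short comment next to it, for example `/* SOF width must not exceed strile_width (CVE-2009-5022) */`, would keep the intent with the code. Only the width field is bounded in the visible lines. The height field is read outside the hunk, so it is worth confirming whether it needs a matching upper bound. OJPEGReadHeaderInfoSecStreamSof starts and ends outside the hunk.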
++ tiff-3.9.2-CVE-2010-4665.patch ++
http://bugzilla.maptools.org/attachment.cgi?id=398
Make tiffdump more paranoid about checking the count field of a directory
entry.


diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
--- tools/tiffdump.c2010-06-08 14:50:44.0 -0400
+++ tools/tiffdump.c2010-06-22 12:51:42.207932477 -0400
@@ -46,6 +46,7 @@
 # include 
 #endif
 
+#define TIFFSafeMultiply(t,v,m) t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) 
? (t)(v*m) : (t)0)
 #include "tiffio.h"
 
 #ifndef O_BINARY
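Review bot: `TIFFSafeMultiply` uses `v` and `m` unparenthesized and evaluates each of them several times, so it is only safe with simple, side-effect-free operands. A hardened form is `#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)`. The macro yields `(t)0` both for a zero operand and for a detected overflow, so every caller has to treat 0 as invalid; a one-line comment above the `#define` should say so. The product is computed in the operands' own type before the cast to `t`, so the wrap test presumably relies on the count being unsigned, which is also worth stating in that comment.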
@@ -317,7 +318,7 @@
printf(">\n");
continue;
}
-   space = dp->tdir_count * datawidth[dp->tdir_type];
+   space = TIFFSafeMultiply(int, dp->tdir_count, 
datawidth[dp->tdir_type]);
if (space <= 0) {
printf(">\n");
Error("Invalid count for tag %u", dp->tdir_tag);
@@ -709,7 +710,7 @@
w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
cc = dir->tdir_count * w;
if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
-   && read(fd, cp, cc) != -1) {
+   && read(fd, cp, cc) == cc) {
if (swabflag) {
switch (dir->tdir_type) {
case TIFF_SHORT:
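Review bot: `cc = dir->tdir_count * w;`, two lines above the changed `read()` test, is still an unchecked multiplication, although the same product is guarded with `TIFFSafeMultiply` in the earlier hunk of this patch. If this function can be reached with a count the caller has not already validated (the caller is outside the hunk), a wrapped or negative `cc` becomes the length passed to `read()` for `cp`. Consider `cc = TIFFSafeMultiply(int, dir->tdir_count, w);` and taking the function's existing failure path when `cc <= 0`. The enclosing function starts and ends outside the hunk.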






Remember to have fun...




commit tiff for openSUSE:11.3

2011-04-01 Thread h_root

Hello community,

here is the log from the commit of package tiff for openSUSE:11.3
checked in at Fri Apr 1 10:48:24 CEST 2011.




--- old-versions/11.3/UPDATES/all/tiff/tiff.changes 2011-03-03 
09:29:00.0 +0100
+++ 11.3/tiff/tiff.changes  2011-03-31 23:07:33.0 +0200
@@ -1,0 +2,8 @@
+Thu Mar 31 10:33:24 CEST 2011 - pgaj...@suse.cz
+
+- fixed regression caused by previous update [bnc#682871]
+  * modified CVE-2011-0192.patch
+- fixed buffer overflow in thunder decoder [bnc#683337]
+  * added CVE-2011-1167.patch
+
+---

calling whatdependson for 11.3-i586


New:

  tiff-3.9.2-CVE-2011-1167.patch



Other differences:
--
++ tiff.spec ++
--- /var/tmp/diff_new_pack.V55Fxf/_old  2011-04-01 10:47:38.0 +0200
+++ /var/tmp/diff_new_pack.V55Fxf/_new  2011-04-01 10:47:38.0 +0200
@@ -29,7 +29,7 @@
 #
 Url:http://www.remotesensing.org/libtiff/
 Version:3.9.2
-Release:5.
+Release:5.
 Summary:Tools for Converting from and to the Tiff  Format
 Source: tiff-%{version}.tar.bz2
 Source2:README.SUSE
@@ -45,6 +45,7 @@
 Patch10:tiff-%{version}-dont-fancy-upsampling.patch
 Patch11:tiff-%{version}-CVE-2011-0192.patch
 Patch12:tiff-%{version}-CVE-2011-0191.patch
+Patch13:tiff-3.9.2-CVE-2011-1167.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -115,6 +116,7 @@
 %patch10 -p1
 %patch11
 %patch12
+%patch13
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755
 

++ tiff-3.9.2-CVE-2011-0192.patch ++
--- /var/tmp/diff_new_pack.V55Fxf/_old  2011-04-01 10:47:38.0 +0200
+++ /var/tmp/diff_new_pack.V55Fxf/_new  2011-04-01 10:47:38.0 +0200
@@ -1,15 +1,29 @@
-Index: libtiff/tif_fax3.h
-===
 libtiff/tif_fax3.h.orig
-+++ libtiff/tif_fax3.h
-@@ -478,6 +478,10 @@ done1d:   
\
+Protect against a fax VL(n) codeword commanding a move left.  Without
+this, a malicious input file can generate an indefinitely large series
+of runs without a0 ever reaching the right margin, thus overrunning
+our buffer of run lengths.  Per CVE-2011-0192.  This is a modified
+version of a patch proposed by Drew Yao of Apple Product Security.
+It adds an unexpected() report, and disallows the equality case except
+for the first run of a line, since emitting a run without increasing a0
+still allows buffer overrun.  (We have to allow it for the first run to
+cover the case of encoding a zero-length run at start of line using VL.)
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2297
+
+diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
+--- libtiff/tif_fax3.h 2010-06-08 14:50:42.0 -0400
 libtiff/tif_fax3.h 2011-03-10 12:11:20.850839162 -0500
+@@ -478,6 +478,12 @@
break;  \
case S_VL:  \
CHECK_b1;   \
-+if (b1 <= (int) (a0 + TabEnt->Param)) { \
-+  unexpected("VL", a0); \
-+  goto eol2d;   \
-+}   \
++  if (b1 <= (int) (a0 + TabEnt->Param)) { \
++  if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \
++  unexpected("VL", a0);   \
++  goto eol2d; \
++  }   \
++  }   \
SETVALUE(b1 - a0 - TabEnt->Param);  \
b1 -= *--pb;\
break;  \
+
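Review bot: The reason the equality case is tolerated only when `pa == thisrun` is given in the patch header but not in the `S_VL` case itself, so it will be lost once the patch is applied. A comment inside the macro, such as `/* b1 == a0+Param is legal only for the first run of a line (zero-length run via VL); later runs must advance a0 */`, would keep the rationale with the guard. The surrounding macro begins and ends outside the hunk.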

++ tiff-3.9.2-CVE-2011-1167.patch ++
Index: libtiff/tif_thunder.c
===
--- libtiff/tif_thunder.c.orig
+++ libtiff/tif_thunder.c
@@ -25,6 +25,7 @@
  */
 
 #include "tiffiop.h"
+#include 
 #ifdef THUNDER_SUPPORT
 /*
  * TIFF Library.
@@ -55,12 +56,32 @@
 static const int twobitdeltas[4] = { 0, 1, 0, -1 };
 static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
 
-#defineSETPIXEL(op, v) { \
-   lastpixel = (v) & 0xf; \
-   if (npixels++ & 1) \
-   *op++ |= lastpixel; \
-   else \
+#defineSETPIXEL(op, v) {  

commit tiff for openSUSE:11.3

2011-03-14 Thread h_root

Hello community,

here is the log from the commit of package tiff for openSUSE:11.3
checked in at Mon Mar 14 15:35:44 CET 2011.




--- old-versions/11.3/UPDATES/all/tiff/tiff.changes 2010-09-06 
15:24:42.0 +0200
+++ 11.3/tiff/tiff.changes  2011-03-03 09:29:00.0 +0100
@@ -1,0 +2,7 @@
+Thu Feb 17 15:54:23 CET 2011 - pgaj...@suse.cz
+
+- fixed buffer overflows [bnc#672510]
+  * CVE-2011-0192.patch
+  * CVE-2011-0191.patch
+
+---

calling whatdependson for 11.3-i586


New:

  tiff-3.9.2-CVE-2011-0191.patch
  tiff-3.9.2-CVE-2011-0192.patch



Other differences:
--
++ tiff.spec ++
--- /var/tmp/diff_new_pack.Fxcrht/_old  2011-03-14 15:35:24.0 +0100
+++ /var/tmp/diff_new_pack.Fxcrht/_new  2011-03-14 15:35:24.0 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package tiff (Version 3.9.2)
+# spec file for package tiff
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +29,7 @@
 #
 Url:http://www.remotesensing.org/libtiff/
 Version:3.9.2
-Release:5.
+Release:5.
 Summary:Tools for Converting from and to the Tiff  Format
 Source: tiff-%{version}.tar.bz2
 Source2:README.SUSE
@@ -43,6 +43,8 @@
 Patch8: tiff-%{version}-dirread-oob-unknown-tags.patch
 Patch9: tiff-%{version}-scanlinesize.patch
 Patch10:tiff-%{version}-dont-fancy-upsampling.patch
+Patch11:tiff-%{version}-CVE-2011-0192.patch
+Patch12:tiff-%{version}-CVE-2011-0191.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -111,6 +113,8 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11
+%patch12
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755
 

++ tiff-3.9.2-CVE-2011-0191.patch ++
Index: libtiff/tif_dir.c
===
--- libtiff/tif_dir.c.orig
+++ libtiff/tif_dir.c
@@ -370,6 +370,10 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
case TIFFTAG_YCBCRSUBSAMPLING:
td->td_ycbcrsubsampling[0] = (uint16) va_arg(ap, int);
td->td_ycbcrsubsampling[1] = (uint16) va_arg(ap, int);
+if (td->td_ycbcrsubsampling[0] > 4)
+  td->td_ycbcrsubsampling[0] = (td->td_compression == 7) ? 1 : 
2;
+if (td->td_ycbcrsubsampling[1] > 4)
+  td->td_ycbcrsubsampling[1] = (td->td_compression == 7) ? 1 : 
2;
break;
case TIFFTAG_TRANSFERFUNCTION:
v = (td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1;
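Review bot: The new clamp only catches values above 4, so 0 and 3 still pass through the `TIFFTAG_YCBCRSUBSAMPLING` case although the TIFF specification allows only 1, 2 and 4 as subsampling factors. Whether a later stage rejects them is not visible here. Testing for the allowed set on each element, e.g. `if (td->td_ycbcrsubsampling[0] != 1 && td->td_ycbcrsubsampling[0] != 2 && td->td_ycbcrsubsampling[0] != 4)`, would close that gap. The literal in `td->td_compression == 7` would read better as the named constant `COMPRESSION_JPEG`. `_TIFFVSetField` continues outside the hunk.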
++ tiff-3.9.2-CVE-2011-0192.patch ++
Index: libtiff/tif_fax3.h
===
--- libtiff/tif_fax3.h.orig
+++ libtiff/tif_fax3.h
@@ -478,6 +478,10 @@ done1d:
\
break;  \
case S_VL:  \
CHECK_b1;   \
+if (b1 <= (int) (a0 + TabEnt->Param)) { \
+  unexpected("VL", a0); \
+  goto eol2d;   \
+}   \
SETVALUE(b1 - a0 - TabEnt->Param);  \
b1 -= *--pb;\
break;  \
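Review bot: The guard `if (b1 <= (int) (a0 + TabEnt->Param))` also rejects the equality case. The 2011-03-31 revision of this patch shown earlier on this page describes that case as legitimate for the first run of a line (a zero-length run encoded with VL). As written here, such input would go through `unexpected("VL", a0)` and the rest of the line would be dropped. The condition that keeps the overrun protection while allowing that case is `if (b1 < (int)(a0 + TabEnt->Param) || (b1 == (int)(a0 + TabEnt->Param) && pa != thisrun)) {`. The surrounding macro begins and ends outside the hunk.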





Remember to have fun...
