commit tiff for openSUSE:11.3
Hello community, here is the log from the commit of package tiff for openSUSE:11.3 checked in at Fri Apr 15 17:04:30 CEST 2011. --- old-versions/11.3/UPDATES/all/tiff/tiff.changes 2011-03-31 23:07:33.0 +0200 +++ 11.3/tiff/tiff.changes 2011-04-14 16:51:30.0 +0200 @@ -1,0 +2,7 @@ +Thu Apr 14 16:48:26 CEST 2011 - pgaj...@suse.cz + +- fixed following vulnerabilities: + * integer overflow CVE-2010-4665 [bnc#687442] + * buffer overflow CVE-2009-5022 [bnc#687441] + +--- calling whatdependson for 11.3-i586 New: tiff-3.9.2-CVE-2009-5022.patch tiff-3.9.2-CVE-2010-4665.patch Other differences: -- ++ tiff.spec ++ --- /var/tmp/diff_new_pack.1Vaf5w/_old 2011-04-15 17:03:57.0 +0200 +++ /var/tmp/diff_new_pack.1Vaf5w/_new 2011-04-15 17:03:57.0 +0200 @@ -29,7 +29,7 @@ # Url:http://www.remotesensing.org/libtiff/ Version:3.9.2 -Release:5. +Release:5. Summary:Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source2:README.SUSE @@ -46,6 +46,8 @@ Patch11:tiff-%{version}-CVE-2011-0192.patch Patch12:tiff-%{version}-CVE-2011-0191.patch Patch13:tiff-3.9.2-CVE-2011-1167.patch +Patch14:tiff-3.9.2-CVE-2010-4665.patch +Patch15:tiff-3.9.2-CVE-2009-5022.patch # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch @@ -117,6 +119,8 @@ %patch11 %patch12 %patch13 +%patch14 +%patch15 find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 ++ tiff-3.9.2-CVE-2009-5022.patch ++ http://bugzilla.maptools.org/show_bug.cgi?id=1999#c2 and diff between 3.9.5 and 3.9.4 Index: tiff-3.9.4/libtiff/tif_ojpeg.c === --- libtiff/tif_ojpeg.c +++ libtiff/tif_ojpeg.c 
@@ -1555,6 +1555,11 @@ OJPEGReadHeaderInfoSecStreamSof(TIFF* ti
 TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width");
 return(0);
 }
+if ((uint32)p>sp->strile_width)
+{
+TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width");
+return(0);
+}
 sp->sof_x=p;
 }
 /* Nf: Number of image components in frame */
++ tiff-3.9.2-CVE-2010-4665.patch ++
http://bugzilla.maptools.org/attachment.cgi?id=398 Make tiffdump more paranoid about checking the count field of a directory entry.
diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
--- tools/tiffdump.c2010-06-08 14:50:44.0 -0400
+++ tools/tiffdump.c2010-06-22 12:51:42.207932477 -0400
@@ -46,6 +46,7 @@
 # include
 #endif
+#define TIFFSafeMultiply(t,v,m) t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
 #include "tiffio.h"
 #ifndef O_BINARY
@@ -317,7 +318,7 @@
 printf(">\n");
 continue;
 }
- space = dp->tdir_count * datawidth[dp->tdir_type];
+ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
 if (space <= 0) {
 printf(">\n");
 Error("Invalid count for tag %u", dp->tdir_tag);
@@ -709,7 +710,7 @@
 w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
 cc = dir->tdir_count * w;
 if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
- && read(fd, cp, cc) != -1) {
+ && read(fd, cp, cc) == cc) {
 if (swabflag) {
 switch (dir->tdir_type) {
 case TIFF_SHORT:
Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
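Review bot: In the libtiff/tif_ojpeg.c hunk, the added `if ((uint32)p>sp->strile_width)` guard has no comment saying why a frame width above the strip/tile width must be rejected, so a later cleanup could take it for a duplicate of the "unexpected width" check just above it. I would put `/* X may not exceed the strip/tile width; see CVE-2009-5022 */` above the new `if`. The hunk shows only the width branch of OJPEGReadHeaderInfoSecStreamSof, whose body starts and ends outside it, so whether the line count read before it needs a matching upper bound cannot be judged from here and should be confirmed against the full function.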
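Review bot: In the first tools/tiffdump.c hunk, the new `TIFFSafeMultiply` macro uses its `v` and `m` arguments unparenthesised (`(v*m)/m`, `(t)(v*m)`, `(t)v`) and expands each of them several times, so an argument that is an expression would be mis-grouped and one with side effects evaluated repeatedly. The product is also formed in the operands' own type before the `(t)` cast, so the wrap-around test is only well defined for unsigned operands; with signed operands the overflow it is meant to detect would already be undefined behaviour. I would write the operands as `(v)` and `(m)` throughout and add a comment above the macro such as `/* operands must be unsigned; yields 0 on overflow or when m == 0 */`. At its one use in this patch the result type is `int`, and a product that does not fit appears to be left to the following `space <= 0` test, which that comment should mention as well.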
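Review bot: In the last tools/tiffdump.c hunk, the byte count is still computed by the raw multiplication `cc = dir->tdir_count * w;` on the context line just above the changed `read()`, so this function does not get the overflow check that the same patch adds for `space`. Comparing the `read()` result with `cc` only helps if `cc` itself is the intended size; I would compute it as `cc = TIFFSafeMultiply(int, dir->tdir_count, w);` and fail early when the result is zero or negative, using whatever error return the function already has. The declarations of `cc` and `cp` and the size of the buffer behind `cp` are outside the hunk, so the comparison in `read(fd, cp, cc) == cc` should also be checked against their types.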
commit tiff for openSUSE:11.3
Hello community, here is the log from the commit of package tiff for openSUSE:11.3 checked in at Fri Apr 1 10:48:24 CEST 2011. --- old-versions/11.3/UPDATES/all/tiff/tiff.changes 2011-03-03 09:29:00.0 +0100 +++ 11.3/tiff/tiff.changes 2011-03-31 23:07:33.0 +0200 @@ -1,0 +2,8 @@ +Thu Mar 31 10:33:24 CEST 2011 - pgaj...@suse.cz + +- fixed regression caused by previous update [bnc#682871] + * modified CVE-2011-0192.patch +- fixed buffer overflow in thunder decoder [bnc#683337] + * added CVE-2011-1167.patch + +--- calling whatdependson for 11.3-i586 New: tiff-3.9.2-CVE-2011-1167.patch Other differences: -- ++ tiff.spec ++ --- /var/tmp/diff_new_pack.V55Fxf/_old 2011-04-01 10:47:38.0 +0200 +++ /var/tmp/diff_new_pack.V55Fxf/_new 2011-04-01 10:47:38.0 +0200 @@ -29,7 +29,7 @@ # Url:http://www.remotesensing.org/libtiff/ Version:3.9.2 -Release:5. +Release:5. Summary:Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source2:README.SUSE @@ -45,6 +45,7 @@ Patch10:tiff-%{version}-dont-fancy-upsampling.patch Patch11:tiff-%{version}-CVE-2011-0192.patch Patch12:tiff-%{version}-CVE-2011-0191.patch +Patch13:tiff-3.9.2-CVE-2011-1167.patch # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch @@ -115,6 +116,7 @@ %patch10 -p1 %patch11 %patch12 +%patch13 find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 ++ tiff-3.9.2-CVE-2011-0192.patch ++ --- /var/tmp/diff_new_pack.V55Fxf/_old 2011-04-01 10:47:38.0 +0200 +++ /var/tmp/diff_new_pack.V55Fxf/_new 2011-04-01 10:47:38.0 +0200 
@@ -1,15 +1,29 @@ -Index: libtiff/tif_fax3.h -=== libtiff/tif_fax3.h.orig -+++ libtiff/tif_fax3.h -@@ -478,6 +478,10 @@ done1d: \ +Protect against a fax VL(n) codeword commanding a move left. Without +this, a malicious input file can generate an indefinitely large series +of runs without a0 ever reaching the right margin, thus overrunning +our buffer of run lengths. Per CVE-2011-0192. This is a modified +version of a patch proposed by Drew Yao of Apple Product Security. +It adds an unexpected() report, and disallows the equality case except +for the first run of a line, since emitting a run without increasing a0 +still allows buffer overrun. (We have to allow it for the first run to +cover the case of encoding a zero-length run at start of line using VL.) + +http://bugzilla.maptools.org/show_bug.cgi?id=2297 + +diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h +--- libtiff/tif_fax3.h 2010-06-08 14:50:42.0 -0400 libtiff/tif_fax3.h 2011-03-10 12:11:20.850839162 -0500 +@@ -478,6 +478,12 @@ break; \ case S_VL: \ CHECK_b1; \ -+if (b1 <= (int) (a0 + TabEnt->Param)) { \ -+ unexpected("VL", a0); \ -+ goto eol2d; \ -+} \ ++ if (b1 <= (int) (a0 + TabEnt->Param)) { \ ++ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \ ++ unexpected("VL", a0); \ ++ goto eol2d; \ ++ } \ ++ } \ SETVALUE(b1 - a0 - TabEnt->Param); \ b1 -= *--pb;\ break; \ + ++ tiff-3.9.2-CVE-2011-1167.patch ++ Index: libtiff/tif_thunder.c === --- libtiff/tif_thunder.c.orig +++ libtiff/tif_thunder.c @@ -25,6 +25,7 @@ */ #include "tiffiop.h" +#include #ifdef THUNDER_SUPPORT /* * TIFF Library. @@ -55,12 +56,32 @@ static const int twobitdeltas[4] = { 0, 1, 0, -1 }; static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 }; -#defineSETPIXEL(op, v) { \ - lastpixel = (v) & 0xf; \ - if (npixels++ & 1) \ - *op++ |= lastpixel; \ - else \ +#defineSETPIXEL(op, v) {
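Review bot: The revised `S_VL` guard in libtiff/tif_fax3.h keeps its whole rationale in the patch header, so none of it stays next to the code once the patch is applied, and the nested `if` that admits `b1 == a0 + TabEnt->Param` only when `pa == thisrun` is not self-explanatory. I would add a comment inside the case, e.g. `/* VL may not move a0 left; equality is allowed only for the first run of a line */ \`, and fold the two tests into one condition, `if (b1 < (int)(a0 + TabEnt->Param) || (b1 == (int)(a0 + TabEnt->Param) && pa != thisrun)) { \`, which reads the same way as the description. The meaning of `pa` and `thisrun` is taken from that description, since the rest of the macro is outside this hunk.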
commit tiff for openSUSE:11.3
Hello community, here is the log from the commit of package tiff for openSUSE:11.3 checked in at Mon Mar 14 15:35:44 CET 2011. --- old-versions/11.3/UPDATES/all/tiff/tiff.changes 2010-09-06 15:24:42.0 +0200 +++ 11.3/tiff/tiff.changes 2011-03-03 09:29:00.0 +0100 @@ -1,0 +2,7 @@ +Thu Feb 17 15:54:23 CET 2011 - pgaj...@suse.cz + +- fixed buffer overflows [bnc#672510] + * CVE-2011-0192.patch + * CVE-2011-0191.patch + +--- calling whatdependson for 11.3-i586 New: tiff-3.9.2-CVE-2011-0191.patch tiff-3.9.2-CVE-2011-0192.patch Other differences: -- ++ tiff.spec ++ --- /var/tmp/diff_new_pack.Fxcrht/_old 2011-03-14 15:35:24.0 +0100 +++ /var/tmp/diff_new_pack.Fxcrht/_new 2011-03-14 15:35:24.0 +0100 @@ -1,7 +1,7 @@ # -# spec file for package tiff (Version 3.9.2) +# spec file for package tiff # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ # Url:http://www.remotesensing.org/libtiff/ Version:3.9.2 -Release:5. +Release:5. Summary:Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source2:README.SUSE @@ -43,6 +43,8 @@ Patch8: tiff-%{version}-dirread-oob-unknown-tags.patch Patch9: tiff-%{version}-scanlinesize.patch Patch10:tiff-%{version}-dont-fancy-upsampling.patch +Patch11:tiff-%{version}-CVE-2011-0192.patch +Patch12:tiff-%{version}-CVE-2011-0191.patch # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch @@ -111,6 +113,8 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 +%patch12 find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 ++ tiff-3.9.2-CVE-2011-0191.patch ++ Index: libtiff/tif_dir.c === --- libtiff/tif_dir.c.orig +++ libtiff/tif_dir.c 
@@ -370,6 +370,10 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
 case TIFFTAG_YCBCRSUBSAMPLING:
 td->td_ycbcrsubsampling[0] = (uint16) va_arg(ap, int);
 td->td_ycbcrsubsampling[1] = (uint16) va_arg(ap, int);
+if (td->td_ycbcrsubsampling[0] > 4)
+ td->td_ycbcrsubsampling[0] = (td->td_compression == 7) ? 1 : 2;
+if (td->td_ycbcrsubsampling[1] > 4)
+ td->td_ycbcrsubsampling[1] = (td->td_compression == 7) ? 1 : 2;
 break;
 case TIFFTAG_TRANSFERFUNCTION:
 v = (td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1;
++ tiff-3.9.2-CVE-2011-0192.patch ++
Index: libtiff/tif_fax3.h
===
--- libtiff/tif_fax3.h.orig
+++ libtiff/tif_fax3.h
@@ -478,6 +478,10 @@ done1d: \
 break; \
 case S_VL: \
 CHECK_b1; \
+if (b1 <= (int) (a0 + TabEnt->Param)) { \
+ unexpected("VL", a0); \
+ goto eol2d; \
+} \
 SETVALUE(b1 - a0 - TabEnt->Param); \
 b1 -= *--pb;\
 break; \
Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
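Review bot: In the libtiff/tif_dir.c hunk, the new clamp tests only `> 4`, so subsampling values of 0 and 3 still pass through `_TIFFVSetField` unchanged although the tag allows only the factors 1, 2 and 4; a zero factor in particular is a likely divisor in later size calculations, though that code is not visible here. I would test for the allowed set, e.g. `if (s != 1 && s != 2 && s != 4)` with `s` standing for each stored element, and replace the bare `7` with `COMPRESSION_JPEG` from tiff.h. The fallback also depends on `td->td_compression` already holding its final value when this tag is set, which is an assumption for API callers that set fields in another order; a comment on the new lines should say so. The switch containing this case starts and ends outside the hunk.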
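Review bot: In the libtiff/tif_fax3.h hunk, the added `if (b1 <= (int) (a0 + TabEnt->Param))` rejects the equality case unconditionally, which also refuses a VL code that encodes a zero-length run at the start of a line. The later revision of this same patch, shown earlier on this page with a description of exactly that case, relaxes the test with `pa != thisrun`; this version should use that two-part condition. A one-line comment such as `/* VL may not move a0 left */ \` inside the case would record why the guard exists. The macro that contains `case S_VL` starts and ends outside the hunk.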