summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordrochner <drochner@pkgsrc.org>2013-05-02 14:52:44 +0000
committerdrochner <drochner@pkgsrc.org>2013-05-02 14:52:44 +0000
commit5304cb683146fb48e6d1072a9d28bf044e39fada (patch)
treee29b118486c978b27984a0db3b589b4043d62838
parent772794876711e3ea191d1a0087e733fc7af81795 (diff)
downloadpkgsrc-5304cb683146fb48e6d1072a9d28bf044e39fada.tar.gz
add patches from Redhat to fix possible buffer overflows in the
"tiff2pdf" tool by crafted TIFF image files (CVE-2013-1960/61) bump PKGREV
-rw-r--r--graphics/tiff/Makefile4
-rw-r--r--graphics/tiff/distinfo3
-rw-r--r--graphics/tiff/patches/patch-CVE-2013-1960_1961284
3 files changed, 288 insertions, 3 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 9c8ad31eea9..861e2ba71e5 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.111 2013/04/06 14:58:19 rodent Exp $
+# $NetBSD: Makefile,v 1.112 2013/05/02 14:52:44 drochner Exp $
DISTNAME= tiff-4.0.3
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://libtiff.maptools.org/dl/
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index b74a06ffef1..144e149f221 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.59 2012/11/05 12:41:48 drochner Exp $
+$NetBSD: distinfo,v 1.60 2013/05/02 14:52:44 drochner Exp $
SHA1 (tiff-4.0.3.tar.gz) = 652e97b78f1444237a82cbcfe014310e776eb6f0
RMD160 (tiff-4.0.3.tar.gz) = eacd725fb3c299682c1c2e508049d98acd170f31
Size (tiff-4.0.3.tar.gz) = 2051630 bytes
SHA1 (patch-CVE-2012-4564) = bda3b26e431e8234e5afd984a086c980a8eb6c41
+SHA1 (patch-CVE-2013-1960_1961) = dff40e975426a6df2ba27383d22b5f8f4275a443
SHA1 (patch-configure) = 1fb9ef790a59ac9c1396dd8e962c75946e2c998a
diff --git a/graphics/tiff/patches/patch-CVE-2013-1960_1961 b/graphics/tiff/patches/patch-CVE-2013-1960_1961
new file mode 100644
index 00000000000..7e63de2c56c
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2013-1960_1961
@@ -0,0 +1,284 @@
+$NetBSD: patch-CVE-2013-1960_1961,v 1.1 2013/05/02 14:52:44 drochner Exp $
+
+see https://bugzilla.redhat.com/show_bug.cgi?id=952131
+and https://bugzilla.redhat.com/show_bug.cgi?id=952158
+
+--- contrib/dbs/xtiff/xtiff.c.orig 2010-06-08 20:55:15.000000000 +0200
++++ contrib/dbs/xtiff/xtiff.c 2013-05-02 16:27:43.000000000 +0200
+@@ -512,9 +512,9 @@ SetNameLabel()
+ Arg args[1];
+
+ if (tfMultiPage)
+- sprintf(buffer, "%s - page %d", fileName, tfDirectory);
++ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
+ else
+- strcpy(buffer, fileName);
++ snprintf(buffer, sizeof(buffer), "%s", fileName);
+ XtSetArg(args[0], XtNlabel, buffer);
+ XtSetValues(labelWidget, args, 1);
+ }
+--- libtiff/tif_codec.c.orig 2010-12-14 15:18:28.000000000 +0100
++++ libtiff/tif_codec.c 2013-05-02 16:27:43.000000000 +0200
+@@ -108,7 +108,8 @@ _notConfigured(TIFF* tif)
+ const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression);
+ char compression_code[20];
+
+- sprintf( compression_code, "%d", tif->tif_dir.td_compression );
++ snprintf(compression_code, sizeof(compression_code), "%d",
++ tif->tif_dir.td_compression );
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "%s compression support is not configured",
+ c ? c->name : compression_code );
+--- libtiff/tif_dirinfo.c.orig 2012-08-19 18:56:34.000000000 +0200
++++ libtiff/tif_dirinfo.c 2013-05-02 16:27:43.000000000 +0200
+@@ -711,7 +711,7 @@ _TIFFCreateAnonField(TIFF *tif, uint32 t
+ * note that this name is a special sign to TIFFClose() and
+ * _TIFFSetupFields() to free the field
+ */
+- sprintf(fld->field_name, "Tag %d", (int) tag);
++ snprintf(fld->field_name, 32, "Tag %d", (int) tag);
+
+ return fld;
+ }
+--- tools/rgb2ycbcr.c.orig 2011-05-31 19:03:16.000000000 +0200
++++ tools/rgb2ycbcr.c 2013-05-02 16:27:43.000000000 +0200
+@@ -332,7 +332,8 @@ tiffcvt(TIFF* in, TIFF* out)
+ TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
+ { char buf[2048];
+ char *cp = strrchr(TIFFFileName(in), '/');
+- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
++ snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
++ cp ? cp+1 : TIFFFileName(in));
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
+ }
+ TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+--- tools/tiff2bw.c.orig 2010-07-08 18:10:24.000000000 +0200
++++ tools/tiff2bw.c 2013-05-02 16:27:43.000000000 +0200
+@@ -205,7 +205,7 @@ main(int argc, char* argv[])
+ }
+ }
+ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
+- sprintf(thing, "B&W version of %s", argv[optind]);
++ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
+ outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+--- tools/tiff2pdf.c.orig 2013-05-02 16:27:43.000000000 +0200
++++ tools/tiff2pdf.c 2013-05-02 16:32:49.000000000 +0200
+@@ -3341,33 +3341,56 @@ int t2p_process_jpeg_strip(
+ uint32 height){
+
+ tsize_t i=0;
+- uint16 ri =0;
+- uint16 v_samp=1;
+- uint16 h_samp=1;
+- int j=0;
+-
+- i++;
+-
+- while(i<(*striplength)){
++
++ while (i < *striplength) {
++ tsize_t datalen;
++ uint16 ri;
++ uint16 v_samp;
++ uint16 h_samp;
++ int j;
++ int ncomp;
++
++ /* marker header: one or more FFs */
++ if (strip[i] != 0xff)
++ return(0);
++ i++;
++ while (i < *striplength && strip[i] == 0xff)
++ i++;
++ if (i >= *striplength)
++ return(0);
++ /* SOI is the only pre-SOS marker without a length word */
++ if (strip[i] == 0xd8)
++ datalen = 0;
++ else {
++ if ((*striplength - i) <= 2)
++ return(0);
++ datalen = (strip[i+1] << 8) | strip[i+2];
++ if (datalen < 2 || datalen >= (*striplength - i))
++ return(0);
++ }
+ switch( strip[i] ){
+- case 0xd8:
+- /* SOI - start of image */
++ case 0xd8: /* SOI - start of image */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ *bufferoffset+=2;
+- i+=2;
+ break;
+- case 0xc0:
+- case 0xc1:
+- case 0xc3:
+- case 0xc9:
+- case 0xca:
++ case 0xc0: /* SOF0 */
++ case 0xc1: /* SOF1 */
++ case 0xc3: /* SOF3 */
++ case 0xc9: /* SOF9 */
++ case 0xca: /* SOF10 */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- for(j=0;j<buffer[*bufferoffset+9];j++){
+- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
+- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
+- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ ncomp = buffer[*bufferoffset+9];
++ if (ncomp < 1 || ncomp > 4)
++ return(0);
++ v_samp=1;
++ h_samp=1;
++ for(j=0;j<ncomp;j++){
++ uint16 samp = buffer[*bufferoffset+11+(3*j)];
++ if( (samp>>4) > h_samp)
++ h_samp = (samp>>4);
++ if( (samp & 0x0f) > v_samp)
++ v_samp = (samp & 0x0f);
+ }
+ v_samp*=8;
+ h_samp*=8;
+@@ -3381,45 +3404,43 @@ int t2p_process_jpeg_strip(
+ (unsigned char) ((height>>8) & 0xff);
+ buffer[*bufferoffset+6]=
+ (unsigned char) (height & 0xff);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
+-
++ *bufferoffset+=datalen+2;
++ /* insert a DRI marker */
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=0xdd;
+ buffer[(*bufferoffset)++]=0x00;
+ buffer[(*bufferoffset)++]=0x04;
+ buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+ buffer[(*bufferoffset)++]= ri & 0xff;
+- } else {
+- i+=strip[i+2]+2;
+ }
+ break;
+- case 0xc4:
+- case 0xdb:
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ case 0xc4: /* DHT */
++ case 0xdb: /* DQT */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ break;
+- case 0xda:
++ case 0xda: /* SOS */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ } else {
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=
+ (unsigned char)(0xd0 | ((no-1)%8));
+- i+=strip[i+2]+2;
+ }
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+- *bufferoffset+=(*striplength)-i-1;
++ i += datalen + 1;
++ /* copy remainder of strip */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++ *bufferoffset+= *striplength - i;
+ return(1);
+ default:
+- i+=strip[i+2]+2;
++ /* ignore any other marker */
++ break;
+ }
++ i += datalen + 1;
+ }
+-
+
++ /* failed to find SOS marker */
+ return(0);
+ }
+ #endif
+--- tools/tiff2ps.c.orig 2011-05-31 19:10:18.000000000 +0200
++++ tools/tiff2ps.c 2013-05-02 16:27:43.000000000 +0200
+@@ -1781,8 +1781,8 @@ PS_Lvl2ImageDict(FILE* fd, TIFF* tif, ui
+ imageOp = "imagemask";
+
+ (void)strcpy(im_x, "0");
+- (void)sprintf(im_y, "%lu", (long) h);
+- (void)sprintf(im_h, "%lu", (long) h);
++ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);
++ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h);
+ tile_width = w;
+ tile_height = h;
+ if (TIFFIsTiled(tif)) {
+@@ -1803,7 +1803,7 @@ PS_Lvl2ImageDict(FILE* fd, TIFF* tif, ui
+ }
+ if (tile_height < h) {
+ fputs("/im_y 0 def\n", fd);
+- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
+ }
+ } else {
+ repeat_count = tf_numberstrips;
+@@ -1815,7 +1815,7 @@ PS_Lvl2ImageDict(FILE* fd, TIFF* tif, ui
+ fprintf(fd, "/im_h %lu def\n",
+ (unsigned long) tile_height);
+ (void)strcpy(im_h, "im_h");
+- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
+ }
+ }
+
+--- tools/tiffcrop.c.orig 2010-12-14 15:18:28.000000000 +0100
++++ tools/tiffcrop.c 2013-05-02 16:27:43.000000000 +0200
+@@ -2077,7 +2077,7 @@ update_output_file (TIFF **tiffout, char
+ return 1;
+ }
+
+- sprintf (filenum, "-%03d%s", findex, export_ext);
++ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext);
+ filenum[14] = '\0';
+ strncat (exportname, filenum, 15);
+ }
+@@ -2230,8 +2230,8 @@ main(int argc, char* argv[])
+
+ /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes
+ fewer than PATH_MAX */
+- memset (temp_filename, '\0', PATH_MAX + 1);
+- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
++ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s",
++ dump.infilename, dump_images,
+ (dump.format == DUMP_TEXT) ? "txt" : "raw");
+ if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL)
+ {
+@@ -2249,8 +2249,8 @@ main(int argc, char* argv[])
+
+ /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes
+ fewer than PATH_MAX */
+- memset (temp_filename, '\0', PATH_MAX + 1);
+- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
++ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s",
++ dump.outfilename, dump_images,
+ (dump.format == DUMP_TEXT) ? "txt" : "raw");
+ if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL)
+ {
+--- tools/tiffdither.c.orig 2010-03-10 19:56:50.000000000 +0100
++++ tools/tiffdither.c 2013-05-02 16:27:43.000000000 +0200
+@@ -260,7 +260,7 @@ main(int argc, char* argv[])
+ TIFFSetField(out, TIFFTAG_FILLORDER, fillorder);
+ else
+ CopyField(TIFFTAG_FILLORDER, shortv);
+- sprintf(thing, "Dithered B&W version of %s", argv[optind]);
++ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]);
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ CopyField(TIFFTAG_PHOTOMETRIC, shortv);
+ CopyField(TIFFTAG_ORIENTATION, shortv);