diff options
author | drochner <drochner> | 2013-08-15 14:58:46 +0000 |
---|---|---|
committer | drochner <drochner> | 2013-08-15 14:58:46 +0000 |
commit | d1d4281a55a11105a2732900f229559c7744ef6d (patch) | |
tree | 78f9c99193277010612026ca8c5b1e828cc03740 /graphics/tiff/patches | |
parent | 31aa1b3c2406201f64edfa5926bdf5d865e5e3d7 (diff) | |
download | pkgsrc-d1d4281a55a11105a2732900f229559c7744ef6d.tar.gz |
add patches from upstream CVS and Redhat bugzilla to fix buffer overflow
and use-after-free problems in the "gif2tiff" and "tiff2pdf"
command line tools (the library is not affected)
(CVE-2013-4231, CVE-2013-4232, CVE-2013-4244)
bump PKGREV
Diffstat (limited to 'graphics/tiff/patches')
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2013-1960_1961 | 21 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2013-4231 | 31 |
2 files changed, 47 insertions, 5 deletions
diff --git a/graphics/tiff/patches/patch-CVE-2013-1960_1961 b/graphics/tiff/patches/patch-CVE-2013-1960_1961 index 7e63de2c56c..4d2c1dee7c9 100644 --- a/graphics/tiff/patches/patch-CVE-2013-1960_1961 +++ b/graphics/tiff/patches/patch-CVE-2013-1960_1961 @@ -1,8 +1,11 @@ -$NetBSD: patch-CVE-2013-1960_1961,v 1.1 2013/05/02 14:52:44 drochner Exp $ +$NetBSD: patch-CVE-2013-1960_1961,v 1.2 2013/08/15 14:58:46 drochner Exp $ see https://bugzilla.redhat.com/show_bug.cgi?id=952131 and https://bugzilla.redhat.com/show_bug.cgi?id=952158 +also fixes CVE-2013-4232 +see http://bugzilla.maptools.org/show_bug.cgi?id=2449 + --- contrib/dbs/xtiff/xtiff.c.orig 2010-06-08 20:55:15.000000000 +0200 +++ contrib/dbs/xtiff/xtiff.c 2013-05-02 16:27:43.000000000 +0200 @@ -512,9 +512,9 @@ SetNameLabel() @@ -63,9 +66,17 @@ and https://bugzilla.redhat.com/show_bug.cgi?id=952158 TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ---- tools/tiff2pdf.c.orig 2013-05-02 16:27:43.000000000 +0200 -+++ tools/tiff2pdf.c 2013-05-02 16:32:49.000000000 +0200 -@@ -3341,33 +3341,56 @@ int t2p_process_jpeg_strip( +--- tools/tiff2pdf.c.orig 2012-07-26 02:56:43.000000000 +0000 ++++ tools/tiff2pdf.c +@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + _TIFFfree(buffer); ++ return(0); + } else { + buffer=samplebuffer; + t2p->tiff_datasize *= t2p->tiff_samplesperpixel; +@@ -3341,33 +3342,56 @@ int t2p_process_jpeg_strip( uint32 height){ tsize_t i=0; @@ -144,7 +155,7 @@ and https://bugzilla.redhat.com/show_bug.cgi?id=952158 } v_samp*=8; h_samp*=8; -@@ -3381,45 +3404,43 @@ int t2p_process_jpeg_strip( +@@ -3381,45 +3405,43 @@ int t2p_process_jpeg_strip( (unsigned char) ((height>>8) & 0xff); buffer[*bufferoffset+6]= (unsigned char) (height & 0xff); diff --git a/graphics/tiff/patches/patch-CVE-2013-4231 b/graphics/tiff/patches/patch-CVE-2013-4231 new file mode 100644 index 00000000000..0916dfd5818 --- /dev/null +++ b/graphics/tiff/patches/patch-CVE-2013-4231 @@ -0,0 +1,31 @@ +$NetBSD: patch-CVE-2013-4231,v 1.1 2013/08/15 14:58:46 drochner Exp $ + +see http://bugzilla.maptools.org/show_bug.cgi?id=2450 + +also fixes CVE-2013-4244 +see https://bugzilla.redhat.com/show_bug.cgi?id=996468 + +--- tools/gif2tiff.c.orig 2010-12-15 03:52:53.000000000 +0000 ++++ tools/gif2tiff.c +@@ -333,6 +333,10 @@ readraster(void) + int status = 1; + + datasize = getc(infile); ++ ++ if (datasize > 12) ++ return 0; ++ + clear = 1 << datasize; + eoi = clear + 1; + avail = clear + 2; +@@ -398,6 +402,10 @@ process(register int code, unsigned char + } + + if (oldcode == -1) { ++ if (code >= clear) { ++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; |