Pullup ticket 3197 - requested by tron

security patches

Revisions pulled up:
- pkgsrc/graphics/tiff/Makefile		1.97
- pkgsrc/graphics/tiff/distinfo		1.49

Files added:
pkgsrc/graphics/tiff/patches/patch-aa
pkgsrc/graphics/tiff/patches/patch-ab
pkgsrc/graphics/tiff/patches/patch-ac
pkgsrc/graphics/tiff/patches/patch-ad
pkgsrc/graphics/tiff/patches/patch-ae

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Wed Aug  4 17:48:22 UTC 2010

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-aa patch-ab patch-ac patch-ad
               patch-ae

   Log Message:
   Add patches from either libtiff's or Red Hat's Bugzilla which fix the
   following vulnerabilities:
   - CVE-2010-2233
   - CVE-2010-2482
   - CVE-2010-2483
   - CVE-2010-2595
   - CVE-2010-2597
   There is no patch for CVE-2010-2596 yet. But it is low risk (an assertion
   gets triggered) and cannot be exploited after the above vulnerabilities
   are fixed (at least if I understood correctly).

   No butcher was involved in fixing this package.


   To generate a diff of this commit:
   cvs rdiff -u -r1.96 -r1.97 pkgsrc/graphics/tiff/Makefile
   cvs rdiff -u -r1.48 -r1.49 pkgsrc/graphics/tiff/distinfo
   cvs rdiff -u -r0 -r1.19 pkgsrc/graphics/tiff/patches/patch-aa
   cvs rdiff -u -r0 -r1.20 pkgsrc/graphics/tiff/patches/patch-ab
   cvs rdiff -u -r0 -r1.22 pkgsrc/graphics/tiff/patches/patch-ac
   cvs rdiff -u -r0 -r1.16 pkgsrc/graphics/tiff/patches/patch-ad
   cvs rdiff -u -r0 -r1.11 pkgsrc/graphics/tiff/patches/patch-ae

7 files changed, 196 insertions, 2 deletions

diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 6eeed6dac21..8e8171e986a 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.96 2010/06/16 13:56:41 drochner Exp $
+# $NetBSD: Makefile,v 1.96.2.1 2010/08/04 21:23:39 spz Exp $
 
 DISTNAME=	tiff-3.9.4
+PKGREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://libtiff.maptools.org/dl/
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index 83ec59227f1..6e8fbd16127 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,5 +1,10 @@
-$NetBSD: distinfo,v 1.48 2010/06/16 13:56:41 drochner Exp $
+$NetBSD: distinfo,v 1.48.2.1 2010/08/04 21:23:39 spz Exp $
 
 SHA1 (tiff-3.9.4.tar.gz) = a4e32d55afbbcabd0391a9c89995e8e8a19961de
 RMD160 (tiff-3.9.4.tar.gz) = 3e0a74b6294297c16fb983ad68056a1dfbbdb1de
 Size (tiff-3.9.4.tar.gz) = 1436968 bytes
+SHA1 (patch-aa) = 0ed02eb18454f4d91bf2fad6b9262bc442cd0822
+SHA1 (patch-ab) = 66101ec437ff222d629120e52e2011ea5b36dca0
+SHA1 (patch-ac) = 7211eebf68e73790ac1263efb16943e59cbffa95
+SHA1 (patch-ad) = bae790a9309967f874987f1da57e5f93a67094e1
+SHA1 (patch-ae) = 33dd5e9307a55273e9aaacdd7f5f9aea51aa5adc
diff --git a/graphics/tiff/patches/patch-aa b/graphics/tiff/patches/patch-aa
new file mode 100644
index 00000000000..395a5d8be95
--- /dev/null
+++ b/graphics/tiff/patches/patch-aa
@@ -0,0 +1,59 @@
+$NetBSD: patch-aa,v 1.19.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for CVE-2010-2233 taken from here ...
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2207
+
+... and for CVE-2010-2483 taken from here:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=603081
+
+--- libtiff/tif_getimage.c.orig	2010-06-08 19:50:42.000000000 +0100
++++ libtiff/tif_getimage.c	2010-08-04 18:20:24.000000000 +0100
+@@ -1846,6 +1846,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ 	uint32* cp2;
++	int32 incr = 2*toskew+w;
+ 	(void) y;
+ 	fromskew = (fromskew / 2) * 6;
+ 	cp2 = cp+w+toskew;
+@@ -1872,8 +1873,8 @@
+ 			cp2 ++ ;
+ 			pp += 6;
+ 		}
+-		cp += toskew*2+w;
+-		cp2 += toskew*2+w;
++		cp += incr;
++		cp2 += incr;
+ 		pp += fromskew;
+ 		h-=2;
+ 	}
+@@ -1939,6 +1940,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ 	uint32* cp2;
++	int32 incr = 2*toskew+w;
+ 	(void) y;
+ 	fromskew = (fromskew / 2) * 4;
+ 	cp2 = cp+w+toskew;
+@@ -1953,8 +1955,8 @@
+ 			cp2 ++;
+ 			pp += 4;
+ 		} while (--x);
+-		cp += toskew*2+w;
+-		cp2 += toskew*2+w;
++		cp += incr;
++		cp2 += incr;
+ 		pp += fromskew;
+ 		h-=2;
+ 	}
+@@ -2397,7 +2399,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_YCBCR:
+-			if (img->bitspersample == 8)
++			if ((img->bitspersample==8) && (img->samplesperpixel==3))
+ 			{
+ 				if (initYCbCrConversion(img)!=0)
+ 				{
diff --git a/graphics/tiff/patches/patch-ab b/graphics/tiff/patches/patch-ab
new file mode 100644
index 00000000000..9f32bce9839
--- /dev/null
+++ b/graphics/tiff/patches/patch-ab
@@ -0,0 +1,19 @@
+$NetBSD: patch-ab,v 1.20.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for CVE-2010-2482 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
+--- libtiff/tif_ojpeg.c.orig	2010-06-09 00:29:51.000000000 +0100
++++ libtiff/tif_ojpeg.c	2010-08-04 18:14:07.000000000 +0100
+@@ -1920,6 +1920,10 @@
+ 							sp->in_buffer_file_pos=0;
+ 						else
+ 						{
++							if (sp->tif->tif_dir.td_stripbytecount == 0) {
++								TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
++								return(0);
++							}
+ 							sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];  
+ 							if (sp->in_buffer_file_togo==0)
+ 								sp->in_buffer_file_pos=0;
diff --git a/graphics/tiff/patches/patch-ac b/graphics/tiff/patches/patch-ac
new file mode 100644
index 00000000000..c6a87ec22c5
--- /dev/null
+++ b/graphics/tiff/patches/patch-ac
@@ -0,0 +1,32 @@
+$NetBSD: patch-ac,v 1.22.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for	CVE-2010-2482 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
+--- tools/tiffsplit.c.orig	2010-06-08 19:50:44.000000000 +0100
++++ tools/tiffsplit.c	2010-08-04 18:14:07.000000000 +0100
+@@ -237,7 +237,10 @@
+ 		tstrip_t s, ns = TIFFNumberOfStrips(in);
+ 		uint32 *bytecounts;
+ 
+-		TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
++		if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
++			fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
++			return (0);
++		}
+ 		for (s = 0; s < ns; s++) {
+ 			if (bytecounts[s] > (uint32)bufsize) {
+ 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
+@@ -267,7 +270,10 @@
+ 		ttile_t t, nt = TIFFNumberOfTiles(in);
+ 		uint32 *bytecounts;
+ 
+-		TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
++		if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
++			fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
++			return (0);
++		}
+ 		for (t = 0; t < nt; t++) {
+ 			if (bytecounts[t] > (uint32) bufsize) {
+ 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);
diff --git a/graphics/tiff/patches/patch-ad b/graphics/tiff/patches/patch-ad
new file mode 100644
index 00000000000..1141893d8b9
--- /dev/null
+++ b/graphics/tiff/patches/patch-ad
@@ -0,0 +1,31 @@
+$NetBSD: patch-ad,v 1.16.2.2 2010/08/04 21:23:39 spz Exp $
+
+Patch for CVE-2010-2595 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2208
+
+--- libtiff/tif_color.c.orig	2010-06-08 19:50:41.000000000 +0100
++++ libtiff/tif_color.c	2010-08-04 18:24:14.000000000 +0100
+@@ -183,13 +183,18 @@
+ TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
+ 	       uint32 *r, uint32 *g, uint32 *b)
+ {
++	int32 i;
++
+ 	/* XXX: Only 8-bit YCbCr input supported for now */
+ 	Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
+ 
+-	*r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
+-	*g = ycbcr->clamptab[ycbcr->Y_tab[Y]
+-	    + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
+-	*b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
++	i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
++	*r = CLAMP(i, 0, 255);
++	i = ycbcr->Y_tab[Y]
++	    + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
++	*g = CLAMP(i, 0, 255);
++	i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
++	*b = CLAMP(i, 0, 255);
+ }
+ 
+ /*
diff --git a/graphics/tiff/patches/patch-ae b/graphics/tiff/patches/patch-ae
new file mode 100644
index 00000000000..933f51c650b
--- /dev/null
+++ b/graphics/tiff/patches/patch-ae
@@ -0,0 +1,47 @@
+$NetBSD: patch-ae,v 1.11.2.2 2010/08/04 21:23:39 spz Exp $
+
+Fix for CVE-2010-2597 taken from here:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2215
+
+--- libtiff/tif_strip.c.orig	2010-06-08 19:50:43.000000000 +0100
++++ libtiff/tif_strip.c	2010-08-04 18:35:46.000000000 +0100
+@@ -124,9 +124,9 @@
+ 		uint16 ycbcrsubsampling[2];
+ 		tsize_t w, scanline, samplingarea;
+ 
+-		TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
+-			      ycbcrsubsampling + 0,
+-			      ycbcrsubsampling + 1 );
++		TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++				      ycbcrsubsampling + 0,
++				      ycbcrsubsampling + 1);
+ 
+ 		samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
+ 		if (samplingarea == 0) {
+@@ -234,9 +234,9 @@
+ 		    && !isUpSampled(tif)) {
+ 			uint16 ycbcrsubsampling[2];
+ 
+-			TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+-				     ycbcrsubsampling + 0,
+-				     ycbcrsubsampling + 1);
++			TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++					      ycbcrsubsampling + 0,
++					      ycbcrsubsampling + 1);
+ 
+ 			if (ycbcrsubsampling[0] == 0) {
+ 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+@@ -308,9 +308,9 @@
+ 		    && !isUpSampled(tif)) {
+ 			uint16 ycbcrsubsampling[2];
+ 
+-			TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+-				     ycbcrsubsampling + 0,
+-				     ycbcrsubsampling + 1);
++			TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++					      ycbcrsubsampling + 0,
++					      ycbcrsubsampling + 1);
+ 
+ 			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,