diff options
author | tron <tron@pkgsrc.org> | 2010-08-04 17:48:22 +0000 |
---|---|---|
committer | tron <tron@pkgsrc.org> | 2010-08-04 17:48:22 +0000 |
commit | a6abed6f78ef13be516de23a95a9b2450702f78d (patch) | |
tree | 1368247758f187479629969bd30836a1963df3cf /graphics/tiff | |
parent | e0edaf4444797c5e1955071d66e1706109bd193d (diff) | |
download | pkgsrc-a6abed6f78ef13be516de23a95a9b2450702f78d.tar.gz |
Add patches from either libtiff's or Red Hat's Bugzilla which fix the
following vulnerabilities:
- CVE-2010-2233
- CVE-2010-2482
- CVE-2010-2483
- CVE-2010-2595
- CVE-2010-2597
There is no patch for CVE-2010-2596 yet. But it is low risk (an assertion
gets triggered) and cannot be exploited after the above vulnerabilities
are fixed (at least if I understood correctly).
No butcher was involved in fixing this package.
Diffstat (limited to 'graphics/tiff')
-rw-r--r-- | graphics/tiff/Makefile | 3 | ||||
-rw-r--r-- | graphics/tiff/distinfo | 7 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-aa | 59 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-ab | 19 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-ac | 32 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-ad | 31 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-ae | 47 |
7 files changed, 196 insertions, 2 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile index 6eeed6dac21..f92fc4c9ab1 100644 --- a/graphics/tiff/Makefile +++ b/graphics/tiff/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.96 2010/06/16 13:56:41 drochner Exp $ +# $NetBSD: Makefile,v 1.97 2010/08/04 17:48:22 tron Exp $ DISTNAME= tiff-3.9.4 +PKGREVISION= 1 CATEGORIES= graphics MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ http://libtiff.maptools.org/dl/ diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo index 83ec59227f1..92a8e3875ab 100644 --- a/graphics/tiff/distinfo +++ b/graphics/tiff/distinfo @@ -1,5 +1,10 @@ -$NetBSD: distinfo,v 1.48 2010/06/16 13:56:41 drochner Exp $ +$NetBSD: distinfo,v 1.49 2010/08/04 17:48:22 tron Exp $ SHA1 (tiff-3.9.4.tar.gz) = a4e32d55afbbcabd0391a9c89995e8e8a19961de RMD160 (tiff-3.9.4.tar.gz) = 3e0a74b6294297c16fb983ad68056a1dfbbdb1de Size (tiff-3.9.4.tar.gz) = 1436968 bytes +SHA1 (patch-aa) = 0ed02eb18454f4d91bf2fad6b9262bc442cd0822 +SHA1 (patch-ab) = 66101ec437ff222d629120e52e2011ea5b36dca0 +SHA1 (patch-ac) = 7211eebf68e73790ac1263efb16943e59cbffa95 +SHA1 (patch-ad) = bae790a9309967f874987f1da57e5f93a67094e1 +SHA1 (patch-ae) = 33dd5e9307a55273e9aaacdd7f5f9aea51aa5adc diff --git a/graphics/tiff/patches/patch-aa b/graphics/tiff/patches/patch-aa new file mode 100644 index 00000000000..52c8cf04fda --- /dev/null +++ b/graphics/tiff/patches/patch-aa @@ -0,0 +1,59 @@ +$NetBSD: patch-aa,v 1.19 2010/08/04 17:48:22 tron Exp $ + +Fix for CVE-2010-2233 taken from here ... + +http://bugzilla.maptools.org/show_bug.cgi?id=2207 + +... and for CVE-2010-2483 taken from here: + +https://bugzilla.redhat.com/show_bug.cgi?id=603081 + +--- libtiff/tif_getimage.c.orig 2010-06-08 19:50:42.000000000 +0100 ++++ libtiff/tif_getimage.c 2010-08-04 18:20:24.000000000 +0100 +@@ -1846,6 +1846,7 @@ + DECLAREContigPutFunc(putcontig8bitYCbCr22tile) + { + uint32* cp2; ++ int32 incr = 2*toskew+w; + (void) y; + fromskew = (fromskew / 2) * 6; + cp2 = cp+w+toskew; +@@ -1872,8 +1873,8 @@ + cp2 ++ ; + pp += 6; + } +- cp += toskew*2+w; +- cp2 += toskew*2+w; ++ cp += incr; ++ cp2 += incr; + pp += fromskew; + h-=2; + } +@@ -1939,6 +1940,7 @@ + DECLAREContigPutFunc(putcontig8bitYCbCr12tile) + { + uint32* cp2; ++ int32 incr = 2*toskew+w; + (void) y; + fromskew = (fromskew / 2) * 4; + cp2 = cp+w+toskew; +@@ -1953,8 +1955,8 @@ + cp2 ++; + pp += 4; + } while (--x); +- cp += toskew*2+w; +- cp2 += toskew*2+w; ++ cp += incr; ++ cp2 += incr; + pp += fromskew; + h-=2; + } +@@ -2397,7 +2399,7 @@ + } + break; + case PHOTOMETRIC_YCBCR: +- if (img->bitspersample == 8) ++ if ((img->bitspersample==8) && (img->samplesperpixel==3)) + { + if (initYCbCrConversion(img)!=0) + { diff --git a/graphics/tiff/patches/patch-ab b/graphics/tiff/patches/patch-ab new file mode 100644 index 00000000000..f13f9d1d7e3 --- /dev/null +++ b/graphics/tiff/patches/patch-ab @@ -0,0 +1,19 @@ +$NetBSD: patch-ab,v 1.20 2010/08/04 17:48:22 tron Exp $ + +Fix for CVE-2010-2482 taken from here: + +http://bugzilla.maptools.org/show_bug.cgi?id=1996 + +--- libtiff/tif_ojpeg.c.orig 2010-06-09 00:29:51.000000000 +0100 ++++ libtiff/tif_ojpeg.c 2010-08-04 18:14:07.000000000 +0100 +@@ -1920,6 +1920,10 @@ + sp->in_buffer_file_pos=0; + else + { ++ if (sp->tif->tif_dir.td_stripbytecount == 0) { ++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing"); ++ return(0); ++ } + sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile]; + if (sp->in_buffer_file_togo==0) + sp->in_buffer_file_pos=0; diff --git a/graphics/tiff/patches/patch-ac b/graphics/tiff/patches/patch-ac new file mode 100644 index 00000000000..65fbceb8b2d --- /dev/null +++ b/graphics/tiff/patches/patch-ac @@ -0,0 +1,32 @@ +$NetBSD: patch-ac,v 1.22 2010/08/04 17:48:22 tron Exp $ + +Fix for CVE-2010-2482 taken from here: + +http://bugzilla.maptools.org/show_bug.cgi?id=1996 + +--- tools/tiffsplit.c.orig 2010-06-08 19:50:44.000000000 +0100 ++++ tools/tiffsplit.c 2010-08-04 18:14:07.000000000 +0100 +@@ -237,7 +237,10 @@ + tstrip_t s, ns = TIFFNumberOfStrips(in); + uint32 *bytecounts; + +- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts); ++ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) { ++ fprintf(stderr, "tiffsplit: strip byte counts are missing\n"); ++ return (0); ++ } + for (s = 0; s < ns; s++) { + if (bytecounts[s] > (uint32)bufsize) { + buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]); +@@ -267,7 +270,10 @@ + ttile_t t, nt = TIFFNumberOfTiles(in); + uint32 *bytecounts; + +- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts); ++ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) { ++ fprintf(stderr, "tiffsplit: tile byte counts are missing\n"); ++ return (0); ++ } + for (t = 0; t < nt; t++) { + if (bytecounts[t] > (uint32) bufsize) { + buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]); diff --git a/graphics/tiff/patches/patch-ad b/graphics/tiff/patches/patch-ad new file mode 100644 index 00000000000..7853405d121 --- /dev/null +++ b/graphics/tiff/patches/patch-ad @@ -0,0 +1,31 @@ +$NetBSD: patch-ad,v 1.16 2010/08/04 17:48:22 tron Exp $ + +Patch for CVE-2010-2595 taken from here: + +http://bugzilla.maptools.org/show_bug.cgi?id=2208 + +--- libtiff/tif_color.c.orig 2010-06-08 19:50:41.000000000 +0100 ++++ libtiff/tif_color.c 2010-08-04 18:24:14.000000000 +0100 +@@ -183,13 +183,18 @@ + TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, + uint32 *r, uint32 *g, uint32 *b) + { ++ int32 i; ++ + /* XXX: Only 8-bit YCbCr input supported for now */ + Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255); + +- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]]; +- *g = ycbcr->clamptab[ycbcr->Y_tab[Y] +- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)]; +- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]]; ++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]; ++ *r = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] ++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT); ++ *g = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]; ++ *b = CLAMP(i, 0, 255); + } + + /* diff --git a/graphics/tiff/patches/patch-ae b/graphics/tiff/patches/patch-ae new file mode 100644 index 00000000000..65caa3d5dba --- /dev/null +++ b/graphics/tiff/patches/patch-ae @@ -0,0 +1,47 @@ +$NetBSD: patch-ae,v 1.11 2010/08/04 17:48:22 tron Exp $ + +Fix for CVE-2010-2597 taken from here: + +http://bugzilla.maptools.org/show_bug.cgi?id=2215 + +--- libtiff/tif_strip.c.orig 2010-06-08 19:50:43.000000000 +0100 ++++ libtiff/tif_strip.c 2010-08-04 18:35:46.000000000 +0100 +@@ -124,9 +124,9 @@ + uint16 ycbcrsubsampling[2]; + tsize_t w, scanline, samplingarea; + +- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1 ); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; + if (samplingarea == 0) { +@@ -234,9 +234,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +@@ -308,9 +308,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, |