add patches from upstream CVS and Redhat bugzilla to fix buffer overflow

and use-after-free problems in the "gif2tiff" and "tiff2pdf" command line tools (the library is not affected) (CVE-2013-4231, CVE-2013-4232, CVE-2013-4244) bump PKGREV
author: drochner <drochner> 2013-08-15 14:58:46 +0000
committer: drochner <drochner> 2013-08-15 14:58:46 +0000
commit: 8277bc66a66db6aaa384792ed7acefb060888f00 (patch)
tree: 78f9c99193277010612026ca8c5b1e828cc03740 /graphics/tiff
parent: 3d8810f63523f623c206a7263f288c9a7e18aed8 (diff)
download: pkgsrc-8277bc66a66db6aaa384792ed7acefb060888f00.tar.gz
4 files changed, 52 insertions, 9 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 861e2ba71e5..e22b62c5904 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.112 2013/05/02 14:52:44 drochner Exp $
+# $NetBSD: Makefile,v 1.113 2013/08/15 14:58:46 drochner Exp $
 
 DISTNAME=	tiff-4.0.3
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://libtiff.maptools.org/dl/
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index 144e149f221..3a5b6aedcbe 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.60 2013/05/02 14:52:44 drochner Exp $
+$NetBSD: distinfo,v 1.61 2013/08/15 14:58:46 drochner Exp $
 
 SHA1 (tiff-4.0.3.tar.gz) = 652e97b78f1444237a82cbcfe014310e776eb6f0
 RMD160 (tiff-4.0.3.tar.gz) = eacd725fb3c299682c1c2e508049d98acd170f31
 Size (tiff-4.0.3.tar.gz) = 2051630 bytes
 SHA1 (patch-CVE-2012-4564) = bda3b26e431e8234e5afd984a086c980a8eb6c41
-SHA1 (patch-CVE-2013-1960_1961) = dff40e975426a6df2ba27383d22b5f8f4275a443
+SHA1 (patch-CVE-2013-1960_1961) = b815edbeeb1eb23ce2633060dd390985dec794f3
+SHA1 (patch-CVE-2013-4231) = bc1420583b9c4b0a34d26142bc35b6d0d26af529
 SHA1 (patch-configure) = 1fb9ef790a59ac9c1396dd8e962c75946e2c998a
diff --git a/graphics/tiff/patches/patch-CVE-2013-1960_1961 b/graphics/tiff/patches/patch-CVE-2013-1960_1961
index 7e63de2c56c..4d2c1dee7c9 100644
--- a/graphics/tiff/patches/patch-CVE-2013-1960_1961
+++ b/graphics/tiff/patches/patch-CVE-2013-1960_1961
@@ -1,8 +1,11 @@
-$NetBSD: patch-CVE-2013-1960_1961,v 1.1 2013/05/02 14:52:44 drochner Exp $
+$NetBSD: patch-CVE-2013-1960_1961,v 1.2 2013/08/15 14:58:46 drochner Exp $
 
 see https://bugzilla.redhat.com/show_bug.cgi?id=952131
 and https://bugzilla.redhat.com/show_bug.cgi?id=952158
 
+also fixes CVE-2013-4232
+see http://bugzilla.maptools.org/show_bug.cgi?id=2449
+
 --- contrib/dbs/xtiff/xtiff.c.orig	2010-06-08 20:55:15.000000000 +0200
 +++ contrib/dbs/xtiff/xtiff.c	2013-05-02 16:27:43.000000000 +0200
 @@ -512,9 +512,9 @@ SetNameLabel()
@@ -63,9 +66,17 @@ and https://bugzilla.redhat.com/show_bug.cgi?id=952158
  	TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
  	TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
  	outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
---- tools/tiff2pdf.c.orig	2013-05-02 16:27:43.000000000 +0200
-+++ tools/tiff2pdf.c	2013-05-02 16:32:49.000000000 +0200
-@@ -3341,33 +3341,56 @@ int t2p_process_jpeg_strip(
+--- tools/tiff2pdf.c.orig	2012-07-26 02:56:43.000000000 +0000
++++ tools/tiff2pdf.c
+@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p
+ 					TIFFFileName(input));
+ 				t2p->t2p_error = T2P_ERR_ERROR;
+ 			  _TIFFfree(buffer);
++			  return(0);
+ 			} else {
+ 				buffer=samplebuffer;
+ 				t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
+@@ -3341,33 +3342,56 @@ int t2p_process_jpeg_strip(
  	uint32 height){
  
  	tsize_t i=0;
@@ -144,7 +155,7 @@ and https://bugzilla.redhat.com/show_bug.cgi?id=952158
  					}
  					v_samp*=8;
  					h_samp*=8;
-@@ -3381,45 +3404,43 @@ int t2p_process_jpeg_strip(
+@@ -3381,45 +3405,43 @@ int t2p_process_jpeg_strip(
                                            (unsigned char) ((height>>8) & 0xff);
  					buffer[*bufferoffset+6]=
                                              (unsigned char) (height & 0xff);
diff --git a/graphics/tiff/patches/patch-CVE-2013-4231 b/graphics/tiff/patches/patch-CVE-2013-4231
new file mode 100644
index 00000000000..0916dfd5818
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2013-4231
@@ -0,0 +1,31 @@
+$NetBSD: patch-CVE-2013-4231,v 1.1 2013/08/15 14:58:46 drochner Exp $
+
+see http://bugzilla.maptools.org/show_bug.cgi?id=2450
+
+also fixes CVE-2013-4244
+see https://bugzilla.redhat.com/show_bug.cgi?id=996468
+
+--- tools/gif2tiff.c.orig	2010-12-15 03:52:53.000000000 +0000
++++ tools/gif2tiff.c
+@@ -333,6 +333,10 @@ readraster(void)
+     int status = 1;
+ 
+     datasize = getc(infile);
++
++    if (datasize > 12)
++	return 0;
++
+     clear = 1 << datasize;
+     eoi = clear + 1;
+     avail = clear + 2;
+@@ -398,6 +402,10 @@ process(register int code, unsigned char
+     }
+ 
+     if (oldcode == -1) {
++	if (code >= clear) {
++	    fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
++	    return 0;
++	}
+ 	*(*fill)++ = suffix[code];
+ 	firstchar = oldcode = code;
+ 	return 1;
author	drochner <drochner>	2013-08-15 14:58:46 +0000
committer	drochner <drochner>	2013-08-15 14:58:46 +0000
commit	8277bc66a66db6aaa384792ed7acefb060888f00 (patch)
tree	78f9c99193277010612026ca8c5b1e828cc03740 /graphics/tiff
parent	3d8810f63523f623c206a7263f288c9a7e18aed8 (diff)
download	pkgsrc-8277bc66a66db6aaa384792ed7acefb060888f00.tar.gz