fix CVE-2014-8128, CVE-2016-5318, CVE-2015-7554 & CVE-2016-10095

per http://bugzilla.maptools.org/show_bug.cgi?id=2580 also CVE-2017-9147 (http://bugzilla.maptools.org/show_bug.cgi?id=2693)
author: tez <tez@pkgsrc.org> 2017-06-21 01:08:33 +0000
committer: tez <tez@pkgsrc.org> 2017-06-21 01:08:33 +0000
commit: 088e14657e1d4e1f548617793af95570c08ad9b4 (patch)
tree: 7ba723401c2a75620cd0c9b1b45678ed4371074f /graphics/tiff
parent: 78548ee691a1f7bbd16f4fc88bb01d23d20db151 (diff)
download: pkgsrc-088e14657e1d4e1f548617793af95570c08ad9b4.tar.gz
5 files changed, 204 insertions, 2 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 6e21c5a3d7c..7c124773047 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.136 2017/05/29 13:44:05 he Exp $
+# $NetBSD: Makefile,v 1.137 2017/06/21 01:08:33 tez Exp $
 
 DISTNAME=	tiff-4.0.8
+PKGREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://download.osgeo.org/libtiff/
 
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index ec7639020b9..65f10f36a37 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,7 +1,10 @@
-$NetBSD: distinfo,v 1.82 2017/05/29 13:44:05 he Exp $
+$NetBSD: distinfo,v 1.83 2017/06/21 01:08:33 tez Exp $
 
 SHA1 (tiff-4.0.8.tar.gz) = 88717c97480a7976c94d23b6d9ed4ac74715267f
 RMD160 (tiff-4.0.8.tar.gz) = 0d8bc26c98035810c73b8f876f76dc48efba7da8
 SHA512 (tiff-4.0.8.tar.gz) = 5d010ec4ce37aca733f7ab7db9f432987b0cd21664bd9d99452a146833c40f0d1e7309d1870b0395e947964134d5cfeb1366181e761fe353ad585803ff3d6be6
 Size (tiff-4.0.8.tar.gz) = 2065574 bytes
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
+SHA1 (patch-libtiff_tif_dir.h) = f4790fc1a671d1404974e0fa99b36e77653f3b87
+SHA1 (patch-libtiff_tif_dirinfo.c) = 9acbc2912ff9e1636d94dfdfe6f0b3d593eed95a
+SHA1 (patch-libtiff_tif_dirread.c) = 87176772a12c1eb4d0ff801ad9d4e7f368c64c44
diff --git a/graphics/tiff/patches/patch-libtiff_tif_dir.h b/graphics/tiff/patches/patch-libtiff_tif_dir.h
new file mode 100644
index 00000000000..0843667d28c
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_dir.h
@@ -0,0 +1,31 @@
+$NetBSD: patch-libtiff_tif_dir.h,v 1.1 2017/06/21 01:08:33 tez Exp $
+
+fix CVE-2014-8128, CVE-2016-5318, CVE-2015-7554 & CVE-2016-10095
+per http://bugzilla.maptools.org/show_bug.cgi?id=2580
+
+also CVE-2017-9147
+(http://bugzilla.maptools.org/show_bug.cgi?id=2693)
+
+
+Index: tif_dir.h
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v
+retrieving revision 1.54
+retrieving revision 1.55
+diff -w -u -b -r1.54 -r1.55
+--- libtiff/tif_dir.h.orig	18 Feb 2011 20:53:05 -0000	1.54
++++ libtiff/tif_dir.h	1 Jun 2017 12:44:04 -0000	1.55
+@@ -1,4 +1,4 @@
+-/* $Id: patch-libtiff_tif_dir.h,v 1.1 2017/06/21 01:08:33 tez Exp $ */
++/* $Id: patch-libtiff_tif_dir.h,v 1.1 2017/06/21 01:08:33 tez Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -291,6 +291,7 @@
+ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern  TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
++extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+ 
+ #if defined(__cplusplus)
+ }
diff --git a/graphics/tiff/patches/patch-libtiff_tif_dirinfo.c b/graphics/tiff/patches/patch-libtiff_tif_dirinfo.c
new file mode 100644
index 00000000000..5aa3871917a
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_dirinfo.c
@@ -0,0 +1,133 @@
+$NetBSD: patch-libtiff_tif_dirinfo.c,v 1.1 2017/06/21 01:08:33 tez Exp $
+
+fix CVE-2014-8128, CVE-2016-5318, CVE-2015-7554 & CVE-2016-10095
+per http://bugzilla.maptools.org/show_bug.cgi?id=2580
+
+also CVE-2017-9147 
+(http://bugzilla.maptools.org/show_bug.cgi?id=2693)
+
+
+Index: tif_dirinfo.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v
+retrieving revision 1.126
+retrieving revision 1.127
+diff -w -u -b -r1.126 -r1.127
+--- libtiff/tif_dirinfo.c.orig	18 Nov 2016 02:52:13 -0000	1.126
++++ libtiff/tif_dirinfo.c	1 Jun 2017 12:44:04 -0000	1.127
+@@ -1,4 +1,4 @@
+-/* $Id: patch-libtiff_tif_dirinfo.c,v 1.1 2017/06/21 01:08:33 tez Exp $ */
++/* $Id: patch-libtiff_tif_dirinfo.c,v 1.1 2017/06/21 01:08:33 tez Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -956,6 +956,109 @@
+ 	return 0;
+ }
+ 
++int
++_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
++{
++	/* Filter out non-codec specific tags */
++	switch (tag) {
++	    /* Shared tags */
++	    case TIFFTAG_PREDICTOR:
++	    /* JPEG tags */
++	    case TIFFTAG_JPEGTABLES:
++	    /* OJPEG tags */
++	    case TIFFTAG_JPEGIFOFFSET:
++	    case TIFFTAG_JPEGIFBYTECOUNT:
++	    case TIFFTAG_JPEGQTABLES:
++	    case TIFFTAG_JPEGDCTABLES:
++	    case TIFFTAG_JPEGACTABLES:
++	    case TIFFTAG_JPEGPROC:
++	    case TIFFTAG_JPEGRESTARTINTERVAL:
++	    /* CCITT* */
++	    case TIFFTAG_BADFAXLINES:
++	    case TIFFTAG_CLEANFAXDATA:
++	    case TIFFTAG_CONSECUTIVEBADFAXLINES:
++	    case TIFFTAG_GROUP3OPTIONS:
++	    case TIFFTAG_GROUP4OPTIONS:
++		break;
++	    default:
++		return 1;
++	}
++	/* Check if codec specific tags are allowed for the current
++	 * compression scheme (codec) */
++	switch (tif->tif_dir.td_compression) {
++	    case COMPRESSION_LZW:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++	    case COMPRESSION_PACKBITS:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_THUNDERSCAN:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_NEXT:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_JPEG:
++		if (tag == TIFFTAG_JPEGTABLES)
++		    return 1;
++		break;
++	    case COMPRESSION_OJPEG:
++		switch (tag) {
++		    case TIFFTAG_JPEGIFOFFSET:
++		    case TIFFTAG_JPEGIFBYTECOUNT:
++		    case TIFFTAG_JPEGQTABLES:
++		    case TIFFTAG_JPEGDCTABLES:
++		    case TIFFTAG_JPEGACTABLES:
++		    case TIFFTAG_JPEGPROC:
++		    case TIFFTAG_JPEGRESTARTINTERVAL:
++			return 1;
++		}
++		break;
++	    case COMPRESSION_CCITTRLE:
++	    case COMPRESSION_CCITTRLEW:
++	    case COMPRESSION_CCITTFAX3:
++	    case COMPRESSION_CCITTFAX4:
++		switch (tag) {
++		    case TIFFTAG_BADFAXLINES:
++		    case TIFFTAG_CLEANFAXDATA:
++		    case TIFFTAG_CONSECUTIVEBADFAXLINES:
++			return 1;
++		    case TIFFTAG_GROUP3OPTIONS:
++			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
++			    return 1;
++			break;
++		    case TIFFTAG_GROUP4OPTIONS:
++			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
++			    return 1;
++			break;
++		}
++		break;
++	    case COMPRESSION_JBIG:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_DEFLATE:
++	    case COMPRESSION_ADOBE_DEFLATE:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++	   case COMPRESSION_PIXARLOG:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++	    case COMPRESSION_SGILOG:
++	    case COMPRESSION_SGILOG24:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_LZMA:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++
++	}
++	return 0;
++}
++
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+ 
+ /*
diff --git a/graphics/tiff/patches/patch-libtiff_tif_dirread.c b/graphics/tiff/patches/patch-libtiff_tif_dirread.c
new file mode 100644
index 00000000000..c8a62efaf81
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_dirread.c
@@ -0,0 +1,34 @@
+$NetBSD: patch-libtiff_tif_dirread.c,v 1.5 2017/06/21 01:08:33 tez Exp $
+
+fix CVE-2014-8128, CVE-2016-5318, CVE-2015-7554 & CVE-2016-10095
+per http://bugzilla.maptools.org/show_bug.cgi?id=2580
+
+also CVE-2017-9147 
+(http://bugzilla.maptools.org/show_bug.cgi?id=2693)
+
+
+Index: tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.208
+retrieving revision 1.209
+diff -w -u -b -r1.208 -r1.209
+--- libtiff/tif_dirread.c.orig	27 Apr 2017 15:46:22 -0000	1.208
++++ libtiff/tif_dirread.c	1 Jun 2017 12:44:04 -0000	1.209
+@@ -1,4 +1,4 @@
+-/* $Id: patch-libtiff_tif_dirread.c,v 1.5 2017/06/21 01:08:33 tez Exp $ */
++/* $Id: patch-libtiff_tif_dirread.c,v 1.5 2017/06/21 01:08:33 tez Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -3580,6 +3580,10 @@
+ 							goto bad;
+ 						dp->tdir_tag=IGNORE;
+ 						break;
++                                        default:
++                                            if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
++                                                dp->tdir_tag=IGNORE;
++                                            break;
+ 				}
+ 			}
+ 		}
author	tez <tez@pkgsrc.org>	2017-06-21 01:08:33 +0000
committer	tez <tez@pkgsrc.org>	2017-06-21 01:08:33 +0000
commit	088e14657e1d4e1f548617793af95570c08ad9b4 (patch)
tree	7ba723401c2a75620cd0c9b1b45678ed4371074f /graphics/tiff
parent	78548ee691a1f7bbd16f4fc88bb01d23d20db151 (diff)
download	pkgsrc-088e14657e1d4e1f548617793af95570c08ad9b4.tar.gz