diff options
author | sevan <sevan@pkgsrc.org> | 2017-05-05 20:14:05 +0000 |
---|---|---|
committer | sevan <sevan@pkgsrc.org> | 2017-05-05 20:14:05 +0000 |
commit | 67b83f2ec1363b1622ce306f12af7a92b0b94254 (patch) | |
tree | c4167e19cb086a20d53c97a36f7dfc2be65fbc70 /graphics/tiff | |
parent | d9122eaba34bf1495369e91b85d281aff7ef423f (diff) | |
download | pkgsrc-67b83f2ec1363b1622ce306f12af7a92b0b94254.tar.gz |
CVE-2017-7596
CVE-2017-7597
CVE-2017-7599
CVE-2017-7600
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Dependency for applying advisory patch.
+http://bugzilla.maptools.org/show_bug.cgi?id=2535
+https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d
Bump rev.
Diffstat (limited to 'graphics/tiff')
-rw-r--r-- | graphics/tiff/Makefile | 4 | ||||
-rw-r--r-- | graphics/tiff/distinfo | 8 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-libtiff_tif_dir.c | 63 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-libtiff_tif_dirread.c | 37 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-libtiff_tif_dirwrite.c | 192 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-tools_tiffcrop.c | 15 |
6 files changed, 308 insertions, 11 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile index c44c4d632ca..2197fa80358 100644 --- a/graphics/tiff/Makefile +++ b/graphics/tiff/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.128 2017/05/05 20:06:02 he Exp $ +# $NetBSD: Makefile,v 1.129 2017/05/05 20:14:05 sevan Exp $ DISTNAME= tiff-4.0.7 -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= graphics MASTER_SITES= ftp://download.osgeo.org/libtiff/ diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo index c99854119be..5e924a9f053 100644 --- a/graphics/tiff/distinfo +++ b/graphics/tiff/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.74 2017/05/05 20:06:02 he Exp $ +$NetBSD: distinfo,v 1.75 2017/05/05 20:14:05 sevan Exp $ SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648 RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb @@ -6,7 +6,9 @@ SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981d Size (tiff-4.0.7.tar.gz) = 2076392 bytes SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6 SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d -SHA1 (patch-libtiff_tif_dirread.c) = 5c92e2c65a5d95f444f039955ee1afbafeccf5db +SHA1 (patch-libtiff_tif_dir.c) = 28c45b95cedeebe005b44b45393d66f61e0ea6f7 +SHA1 (patch-libtiff_tif_dirread.c) = 213b8c2f172303d095ef3edc3f850aa75de36d3d +SHA1 (patch-libtiff_tif_dirwrite.c) = 07ccbf8cf210b95d5ca7710cc2982368783b4dcb SHA1 (patch-libtiff_tif_getimage.c) = 267b555c8b043d0a835db4d46ef65131776601e6 SHA1 (patch-libtiff_tif_jpeg.c) = 1049b7b243e9e145886bcac8e68e5e7889337ebc SHA1 (patch-libtiff_tif_ojpeg.c) = 6447168e952bb80a1a8272c2c27bb0ce3ccf6939 @@ -16,4 +18,4 @@ SHA1 (patch-libtiff_tif_win32.c) = 1ea9dcb6618c40b9de3e8d2a81914355f2111fdc SHA1 (patch-libtiff_tiffio.h) = e0efa9e1246e07dbb3a69d626988a18f12ba9d3c SHA1 (patch-man_Makefile.in) = ff073529c9d3ab98a03efa7d98c3263c1782482f SHA1 (patch-tools_tiffcp.c) = 42573d15fc66655a09e9227213b0929238f7e651 -SHA1 (patch-tools_tiffcrop.c) = 68ccbde2dc447dfbfb3e15a5c9cfaf2538f27e60 +SHA1 (patch-tools_tiffcrop.c) = 1d729028fb8c05de958424234d5cc2808acc9b25 diff --git a/graphics/tiff/patches/patch-libtiff_tif_dir.c b/graphics/tiff/patches/patch-libtiff_tif_dir.c new file mode 100644 index 00000000000..05551f99e0f --- /dev/null +++ b/graphics/tiff/patches/patch-libtiff_tif_dir.c @@ -0,0 +1,63 @@ +$NetBSD: patch-libtiff_tif_dir.c,v 1.1 2017/05/05 20:14:05 sevan Exp $ + +CVE-2017-7596 +CVE-2017-7597 +CVE-2017-7599 +CVE-2017-7600 +https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 + +--- libtiff/tif_dir.c.orig 2016-10-29 23:03:18.000000000 +0000 ++++ libtiff/tif_dir.c +@@ -31,6 +31,7 @@ + * (and also some miscellaneous stuff) + */ + #include "tiffiop.h" ++#include <float.h> + + /* + * These are used in the backwards compatibility code... +@@ -154,6 +155,15 @@ bad: + return (0); + } + ++static float TIFFClampDoubleToFloat( double val ) ++{ ++ if( val > FLT_MAX ) ++ return FLT_MAX; ++ if( val < -FLT_MAX ) ++ return -FLT_MAX; ++ return (float)val; ++} ++ + static int + _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + { +@@ -312,13 +322,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va + dblval = va_arg(ap, double); + if( dblval < 0 ) + goto badvaluedouble; +- td->td_xresolution = (float) dblval; ++ td->td_xresolution = TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval = va_arg(ap, double); + if( dblval < 0 ) + goto badvaluedouble; +- td->td_yresolution = (float) dblval; ++ td->td_yresolution = TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_PLANARCONFIG: + v = (uint16) va_arg(ap, uint16_vap); +@@ -327,10 +337,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va + td->td_planarconfig = (uint16) v; + break; + case TIFFTAG_XPOSITION: +- td->td_xposition = (float) va_arg(ap, double); ++ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); + break; + case TIFFTAG_YPOSITION: +- td->td_yposition = (float) va_arg(ap, double); ++ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); + break; + case TIFFTAG_RESOLUTIONUNIT: + v = (uint16) va_arg(ap, uint16_vap); diff --git a/graphics/tiff/patches/patch-libtiff_tif_dirread.c b/graphics/tiff/patches/patch-libtiff_tif_dirread.c index 9f688f115ae..52f9d9ad26a 100644 --- a/graphics/tiff/patches/patch-libtiff_tif_dirread.c +++ b/graphics/tiff/patches/patch-libtiff_tif_dirread.c @@ -1,11 +1,40 @@ -$NetBSD: patch-libtiff_tif_dirread.c,v 1.1 2017/05/03 23:00:59 sevan Exp $ +$NetBSD: patch-libtiff_tif_dirread.c,v 1.2 2017/05/05 20:14:05 sevan Exp $ +CVE-2017-7596 +CVE-2017-7597 CVE-2017-7598 +CVE-2017-7599 +CVE-2017-7600 https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 +https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 ---- libtiff/tif_dirread.c.orig 2016-11-18 02:42:46.000000000 +0000 +--- libtiff/tif_dirread.c.orig 2017-05-05 18:56:15.000000000 +0000 +++ libtiff/tif_dirread.c -@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFRead +@@ -40,6 +40,7 @@ + */ + + #include "tiffiop.h" ++#include <float.h> + + #define IGNORE 0 /* tag placeholder used below */ + #define FAILED_FII ((uint32) -1) +@@ -2406,7 +2407,14 @@ static enum TIFFReadDirEntryErr TIFFRead + ma=(double*)origdata; + mb=data; + for (n=0; n<count; n++) +- *mb++=(float)(*ma++); ++ { ++ double val = *ma++; ++ if( val > FLT_MAX ) ++ val = FLT_MAX; ++ else if( val < -FLT_MAX ) ++ val = -FLT_MAX; ++ *mb++=(float)val; ++ } + } + break; + } +@@ -2872,7 +2880,10 @@ static enum TIFFReadDirEntryErr TIFFRead m.l = direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong(m.i,2); @@ -17,7 +46,7 @@ https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 *value=0.0; else *value=(double)m.i[0]/(double)m.i[1]; -@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFRead +@@ -2900,7 +2911,10 @@ static enum TIFFReadDirEntryErr TIFFRead m.l=direntry->tdir_offset.toff_long8; if (tif->tif_flags&TIFF_SWAB) TIFFSwabArrayOfLong(m.i,2); diff --git a/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c b/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c new file mode 100644 index 00000000000..2181abf395c --- /dev/null +++ b/graphics/tiff/patches/patch-libtiff_tif_dirwrite.c @@ -0,0 +1,192 @@ +$NetBSD: patch-libtiff_tif_dirwrite.c,v 1.1 2017/05/05 20:14:05 sevan Exp $ + +Dependency for applying advisory patch below without creating a variant. +http://bugzilla.maptools.org/show_bug.cgi?id=2535 +https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d + +CVE-2017-7596 +CVE-2017-7597 +CVE-2017-7599 +CVE-2017-7600 +https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 + +--- libtiff/tif_dirwrite.c.orig 2017-05-05 18:56:07.000000000 +0000 ++++ libtiff/tif_dirwrite.c +@@ -30,6 +30,7 @@ + * Directory Write Support Routines. + */ + #include "tiffiop.h" ++#include <float.h> + + #ifdef HAVE_IEEEFP + #define TIFFCvtNativeToIEEEFloat(tif, n, fp) +@@ -939,6 +940,69 @@ bad: + return(0); + } + ++static float TIFFClampDoubleToFloat( double val ) ++{ ++ if( val > FLT_MAX ) ++ return FLT_MAX; ++ if( val < -FLT_MAX ) ++ return -FLT_MAX; ++ return (float)val; ++} ++ ++static int8 TIFFClampDoubleToInt8( double val ) ++{ ++ if( val > 127 ) ++ return 127; ++ if( val < -128 || val != val ) ++ return -128; ++ return (int8)val; ++} ++ ++static int16 TIFFClampDoubleToInt16( double val ) ++{ ++ if( val > 32767 ) ++ return 32767; ++ if( val < -32768 || val != val ) ++ return -32768; ++ return (int16)val; ++} ++ ++static int32 TIFFClampDoubleToInt32( double val ) ++{ ++ if( val > 0x7FFFFFFF ) ++ return 0x7FFFFFFF; ++ if( val < -0x7FFFFFFF-1 || val != val ) ++ return -0x7FFFFFFF-1; ++ return (int32)val; ++} ++ ++static uint8 TIFFClampDoubleToUInt8( double val ) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 255 || val != val ) ++ return 255; ++ return (uint8)val; ++} ++ ++static uint16 TIFFClampDoubleToUInt16( double val ) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 65535 || val != val ) ++ return 65535; ++ return (uint16)val; ++} ++ ++static uint32 TIFFClampDoubleToUInt32( double val ) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 0xFFFFFFFFU || val != val ) ++ return 0xFFFFFFFFU; ++ return (uint32)val; ++} ++ + static int + TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value) + { +@@ -959,7 +1023,7 @@ TIFFWriteDirectoryTagSampleformatArray(T + if (tif->tif_dir.td_bitspersample<=32) + { + for (i = 0; i < count; ++i) +- ((float*)conv)[i] = (float)value[i]; ++ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]); + ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv); + } + else +@@ -971,19 +1035,19 @@ TIFFWriteDirectoryTagSampleformatArray(T + if (tif->tif_dir.td_bitspersample<=8) + { + for (i = 0; i < count; ++i) +- ((int8*)conv)[i] = (int8)value[i]; ++ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]); + ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv); + } + else if (tif->tif_dir.td_bitspersample<=16) + { + for (i = 0; i < count; ++i) +- ((int16*)conv)[i] = (int16)value[i]; ++ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]); + ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv); + } + else + { + for (i = 0; i < count; ++i) +- ((int32*)conv)[i] = (int32)value[i]; ++ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]); + ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv); + } + break; +@@ -991,19 +1055,19 @@ TIFFWriteDirectoryTagSampleformatArray(T + if (tif->tif_dir.td_bitspersample<=8) + { + for (i = 0; i < count; ++i) +- ((uint8*)conv)[i] = (uint8)value[i]; ++ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]); + ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv); + } + else if (tif->tif_dir.td_bitspersample<=16) + { + for (i = 0; i < count; ++i) +- ((uint16*)conv)[i] = (uint16)value[i]; ++ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]); + ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv); + } + else + { + for (i = 0; i < count; ++i) +- ((uint32*)conv)[i] = (uint32)value[i]; ++ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]); + ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv); + } + break; +@@ -2094,15 +2158,25 @@ TIFFWriteDirectoryTagCheckedSlong8Array( + static int + TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value) + { ++ static const char module[] = "TIFFWriteDirectoryTagCheckedRational"; + uint32 m[2]; +- assert(value>=0.0); + assert(sizeof(uint32)==4); +- if (value<=0.0) ++ if( value < 0 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal"); ++ return 0; ++ } ++ else if( value != value ) ++ { ++ TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal"); ++ return 0; ++ } ++ else if (value==0.0) + { + m[0]=0; + m[1]=1; + } +- else if (value==(double)(uint32)value) ++ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value) + { + m[0]=(uint32)value; + m[1]=1; +@@ -2143,12 +2217,13 @@ TIFFWriteDirectoryTagCheckedRationalArra + } + for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++) + { +- if (*na<=0.0) ++ if (*na<=0.0 || *na != *na) + { + nb[0]=0; + nb[1]=1; + } +- else if (*na==(float)(uint32)(*na)) ++ else if (*na >= 0 && *na <= (float)0xFFFFFFFFU && ++ *na==(float)(uint32)(*na)) + { + nb[0]=(uint32)(*na); + nb[1]=1; diff --git a/graphics/tiff/patches/patch-tools_tiffcrop.c b/graphics/tiff/patches/patch-tools_tiffcrop.c index 9c3a6230d84..026b4659a6b 100644 --- a/graphics/tiff/patches/patch-tools_tiffcrop.c +++ b/graphics/tiff/patches/patch-tools_tiffcrop.c @@ -1,8 +1,11 @@ $NetBSD$ -Fix for CVE-2016-10092, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2620 -and +CVE-2016-10092 +http://bugzilla.maptools.org/show_bug.cgi?id=2620 https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a +Fix double free +http://bugzilla.maptools.org/show_bug.cgi?id=2535 +https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d --- tools/tiffcrop.c.orig 2016-11-19 01:45:30.000000000 +0000 +++ tools/tiffcrop.c @@ -15,3 +18,11 @@ https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a } return 1; +@@ -7986,7 +7986,6 @@ writeCroppedImage(TIFF *in, TIFF *out, s + if (!TIFFWriteDirectory(out)) + { + TIFFError("","Failed to write IFD for page number %d", pagenum); +- TIFFClose(out); + return (-1); + } + |