Add security patches & bump rev.

via FreeBSD bz #216658 https://nvd.nist.gov/vuln/detail/CVE-2017-5225 http://bugzilla.maptools.org/show_bug.cgi?id=2656 http://bugzilla.maptools.org/show_bug.cgi?id=2657 https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7 https://nvd.nist.gov/vuln/detail/CVE-2017-7592 http://bugzilla.maptools.org/show_bug.cgi?id=2658 https://github.com/vadz/libtiff/commit/48780b4fcc42 https://nvd.nist.gov/vuln/detail/CVE-2017-7593 http://bugzilla.maptools.org/show_bug.cgi?id=2651 https://github.com/vadz/libtiff/commit/d60332057b95 https://nvd.nist.gov/vuln/detail/CVE-2017-7594 http://bugzilla.maptools.org/show_bug.cgi?id=2659 https://github.com/vadz/libtiff/commit/8283e4d1b7e5 https://github.com/vadz/libtiff/commit/2ea32f7372b6 https://nvd.nist.gov/vuln/detail/CVE-2017-7595 https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122 https://nvd.nist.gov/vuln/detail/CVE-2017-7598 https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 https://nvd.nist.gov/vuln/detail/CVE-2017-7601 https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490 https://nvd.nist.gov/vuln/detail/CVE-2017-7602 https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4
author: sevan <sevan@pkgsrc.org> 2017-05-03 23:00:59 +0000
committer: sevan <sevan@pkgsrc.org> 2017-05-03 23:00:59 +0000
commit: ef54f13f05370f2e9be97f54a7f8a91090ff14b7 (patch)
tree: 06756c6333b57f6e87fb01e565368f639579774e /graphics/tiff
parent: 7d9747643673369ee800f1d9e821c8366d912f97 (diff)
download: pkgsrc-ef54f13f05370f2e9be97f54a7f8a91090ff14b7.tar.gz
11 files changed, 313 insertions, 3 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 8c98605807a..594ebe22081 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.125 2016/11/23 13:51:29 he Exp $
+# $NetBSD: Makefile,v 1.126 2017/05/03 23:00:59 sevan Exp $
 
 DISTNAME=	tiff-4.0.7
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://download.osgeo.org/libtiff/
 
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index cc4a68fc26b..4e87c3df173 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.71 2016/11/23 13:51:29 he Exp $
+$NetBSD: distinfo,v 1.72 2017/05/03 23:00:59 sevan Exp $
 
 SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648
 RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb
@@ -6,4 +6,13 @@ SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981d
 Size (tiff-4.0.7.tar.gz) = 2076392 bytes
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
 SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d
+SHA1 (patch-libtiff_tif_dirread.c) = 5c92e2c65a5d95f444f039955ee1afbafeccf5db
+SHA1 (patch-libtiff_tif_getimage.c) = 267b555c8b043d0a835db4d46ef65131776601e6
+SHA1 (patch-libtiff_tif_jpeg.c) = 1049b7b243e9e145886bcac8e68e5e7889337ebc
+SHA1 (patch-libtiff_tif_ojpeg.c) = 6447168e952bb80a1a8272c2c27bb0ce3ccf6939
+SHA1 (patch-libtiff_tif_read.c) = 85674d2e222846e3971301ce2fb7ebe02f54b9b2
+SHA1 (patch-libtiff_tif_unix.c) = c8312771e567f90de0f77ac8eb66ed5c36e35617
+SHA1 (patch-libtiff_tif_win32.c) = 1ea9dcb6618c40b9de3e8d2a81914355f2111fdc
+SHA1 (patch-libtiff_tiffio.h) = e0efa9e1246e07dbb3a69d626988a18f12ba9d3c
 SHA1 (patch-man_Makefile.in) = ff073529c9d3ab98a03efa7d98c3263c1782482f
+SHA1 (patch-tools_tiffcp.c) = fa4846cfb5a52eedfb6dc4ed1306f45e3988ddc3
diff --git a/graphics/tiff/patches/patch-libtiff_tif_dirread.c b/graphics/tiff/patches/patch-libtiff_tif_dirread.c
new file mode 100644
index 00000000000..9f688f115ae
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_dirread.c
@@ -0,0 +1,31 @@
+$NetBSD: patch-libtiff_tif_dirread.c,v 1.1 2017/05/03 23:00:59 sevan Exp $
+
+CVE-2017-7598
+https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
+
+--- libtiff/tif_dirread.c.orig	2016-11-18 02:42:46.000000000 +0000
++++ libtiff/tif_dirread.c
+@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+ 		m.l = direntry->tdir_offset.toff_long8;
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabArrayOfLong(m.i,2);
+-	if (m.i[0]==0)
++        /* Not completely sure what we should do when m.i[1]==0, but some */
++        /* sanitizers do not like division by 0.0: */
++        /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++	if (m.i[0]==0 || m.i[1]==0)
+ 		*value=0.0;
+ 	else
+ 		*value=(double)m.i[0]/(double)m.i[1];
+@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFRead
+ 		m.l=direntry->tdir_offset.toff_long8;
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabArrayOfLong(m.i,2);
+-	if ((int32)m.i[0]==0)
++        /* Not completely sure what we should do when m.i[1]==0, but some */
++        /* sanitizers do not like division by 0.0: */
++        /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++	if ((int32)m.i[0]==0 || m.i[1]==0)
+ 		*value=0.0;
+ 	else
+ 		*value=(double)((int32)m.i[0])/(double)m.i[1];
diff --git a/graphics/tiff/patches/patch-libtiff_tif_getimage.c b/graphics/tiff/patches/patch-libtiff_tif_getimage.c
new file mode 100644
index 00000000000..89bf66e1fc7
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_getimage.c
@@ -0,0 +1,17 @@
+$NetBSD: patch-libtiff_tif_getimage.c,v 1.1 2017/05/03 23:00:59 sevan Exp $
+
+https://nvd.nist.gov/vuln/detail/CVE-2017-7592
+http://bugzilla.maptools.org/show_bug.cgi?id=2658
+https://github.com/vadz/libtiff/commit/48780b4fcc42
+
+--- libtiff/tif_getimage.c.orig	2016-11-18 02:47:45.000000000 +0000
++++ libtiff/tif_getimage.c
+@@ -1305,7 +1305,7 @@ DECLAREContigPutFunc(putagreytile)
+     while (h-- > 0) {
+ 	for (x = w; x-- > 0;)
+         {
+-            *cp++ = BWmap[*pp][0] & (*(pp+1) << 24 | ~A1);
++            *cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1);
+             pp += samplesperpixel;
+         }
+ 	cp += toskew;
diff --git a/graphics/tiff/patches/patch-libtiff_tif_jpeg.c b/graphics/tiff/patches/patch-libtiff_tif_jpeg.c
new file mode 100644
index 00000000000..ac654a5b945
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_jpeg.c
@@ -0,0 +1,31 @@
+$NetBSD: patch-libtiff_tif_jpeg.c,v 1.1 2017/05/03 23:00:59 sevan Exp $
+
+CVE-2017-7595
+https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122
+
+CVE-2017-7601
+https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490
+
+--- libtiff/tif_jpeg.c.orig	2017-05-03 22:26:09.000000000 +0000
++++ libtiff/tif_jpeg.c
+@@ -1626,6 +1626,20 @@ JPEGSetupEncode(TIFF* tif)
+ 	case PHOTOMETRIC_YCBCR:
+ 		sp->h_sampling = td->td_ycbcrsubsampling[0];
+ 		sp->v_sampling = td->td_ycbcrsubsampling[1];
++                if( sp->h_sampling == 0 || sp->v_sampling == 0 )
++                {
++                    TIFFErrorExt(tif->tif_clientdata, module,
++                            "Invalig horizontal/vertical sampling value");
++                    return (0);
++                }
++                if( td->td_bitspersample > 16 )
++                {
++                    TIFFErrorExt(tif->tif_clientdata, module,
++                                 "BitsPerSample %d not allowed for JPEG",
++                                 td->td_bitspersample);
++                    return (0);
++                }
++
+ 		/*
+ 		 * A ReferenceBlackWhite field *must* be present since the
+ 		 * default value is inappropriate for YCbCr.  Fill in the
diff --git a/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c b/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c
new file mode 100644
index 00000000000..a27697b31e4
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c
@@ -0,0 +1,42 @@
+$NetBSD: patch-libtiff_tif_ojpeg.c,v 1.1 2017/05/03 23:00:59 sevan Exp $
+
+CVE-2017-7594
+http://bugzilla.maptools.org/show_bug.cgi?id=2659
+https://github.com/vadz/libtiff/commit/8283e4d1b7e5
+https://github.com/vadz/libtiff/commit/2ea32f7372b6
+
+--- libtiff/tif_ojpeg.c.orig	2017-05-03 22:08:50.000000000 +0000
++++ libtiff/tif_ojpeg.c
+@@ -1782,7 +1782,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF*
+ 			TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); 
+ 			p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
+ 			if (p!=64)
++                        {
++                                _TIFFfree(ob);
+ 				return(0);
++                        }
+ 			sp->qtable[m]=ob;
+ 			sp->sof_tq[m]=m;
+ 		}
+@@ -1846,7 +1849,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF
+ 				rb[sizeof(uint32)+5+n]=o[n];
+ 			p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ 			if (p!=q)
++                        {
++                                _TIFFfree(rb);
+ 				return(0);
++                        }
+ 			sp->dctable[m]=rb;
+ 			sp->sos_tda[m]=(m<<4);
+ 		}
+@@ -1910,7 +1916,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF
+ 				rb[sizeof(uint32)+5+n]=o[n];
+ 			p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ 			if (p!=q)
++                        {
++                                _TIFFfree(rb);
+ 				return(0);
++                        }
+ 			sp->actable[m]=rb;
+ 			sp->sos_tda[m]=(sp->sos_tda[m]|m);
+ 		}
diff --git a/graphics/tiff/patches/patch-libtiff_tif_read.c b/graphics/tiff/patches/patch-libtiff_tif_read.c
new file mode 100644
index 00000000000..4f1ac394a40
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_read.c
@@ -0,0 +1,57 @@
+$NetBSD: patch-libtiff_tif_read.c,v 1.1 2017/05/03 23:00:59 sevan Exp $
+
+CVE-2017-7593
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://github.com/vadz/libtiff/commit/d60332057b95
+
+CVE-2017-7602
+https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4
+
+--- libtiff/tif_read.c.orig	2017-05-03 22:31:30.000000000 +0000
++++ libtiff/tif_read.c
+@@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 stri
+ 			return ((tmsize_t)(-1));
+ 		}
+ 	} else {
+-		tmsize_t ma,mb;
++		tmsize_t ma;
+ 		tmsize_t n;
+-		ma=(tmsize_t)td->td_stripoffset[strip];
+-		mb=ma+size;
+-		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+-			n=0;
+-		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
+-			n=tif->tif_size-ma;
+-		else
+-			n=size;
++		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
++                    ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
++                {
++                    n=0;
++                }
++                else if( ma > TIFF_TMSIZE_T_MAX - size )
++                {
++                    n=0;
++                }
++                else
++                {
++                    tmsize_t mb=ma+size;
++                    if (mb>tif->tif_size)
++                            n=tif->tif_size-ma;
++                    else
++                            n=size;
++                }
+ 		if (n!=size) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+@@ -976,7 +985,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp,
+ 				 "Invalid buffer size");
+ 		    return (0);
+ 		}
+-		tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
++		/* Initialize to zero to avoid uninitialized buffers in case of */
++                /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
++		tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+ 		tif->tif_flags |= TIFF_MYBUFFER;
+ 	}
+ 	if (tif->tif_rawdata == NULL) {
diff --git a/graphics/tiff/patches/patch-libtiff_tif_unix.c b/graphics/tiff/patches/patch-libtiff_tif_unix.c
new file mode 100644
index 00000000000..f531662f125
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_unix.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-libtiff_tif_unix.c,v 1.1 2017/05/03 23:00:59 sevan Exp $
+
+CVE-2017-7593
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://github.com/vadz/libtiff/commit/d60332057b95
+
+--- libtiff/tif_unix.c.orig	2015-08-28 22:16:22.000000000 +0000
++++ libtiff/tif_unix.c
+@@ -316,6 +316,14 @@ _TIFFmalloc(tmsize_t s)
+ 	return (malloc((size_t) s));
+ }
+ 
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++    if( nmemb == 0 || siz == 0 )
++        return ((void *) NULL);
++
++    return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
diff --git a/graphics/tiff/patches/patch-libtiff_tif_win32.c b/graphics/tiff/patches/patch-libtiff_tif_win32.c
new file mode 100644
index 00000000000..a5b29cff74d
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tif_win32.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-libtiff_tif_win32.c,v 1.1 2017/05/03 23:00:59 sevan Exp $
+
+CVE-2017-7593
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://github.com/vadz/libtiff/commit/d60332057b95
+
+--- libtiff/tif_win32.c.orig	2015-08-28 22:16:22.000000000 +0000
++++ libtiff/tif_win32.c
+@@ -360,6 +360,14 @@ _TIFFmalloc(tmsize_t s)
+ 	return (malloc((size_t) s));
+ }
+ 
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++    if( nmemb == 0 || siz == 0 )
++        return ((void *) NULL);
++
++    return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
diff --git a/graphics/tiff/patches/patch-libtiff_tiffio.h b/graphics/tiff/patches/patch-libtiff_tiffio.h
new file mode 100644
index 00000000000..94ddbc30e55
--- /dev/null
+++ b/graphics/tiff/patches/patch-libtiff_tiffio.h
@@ -0,0 +1,16 @@
+$NetBSD: patch-libtiff_tiffio.h,v 1.1 2017/05/03 23:00:59 sevan Exp $
+
+CVE-2017-7593
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://github.com/vadz/libtiff/commit/d60332057b95
+
+--- libtiff/tiffio.h.orig	2016-01-24 15:39:51.000000000 +0000
++++ libtiff/tiffio.h
+@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODEC
+  */
+ 
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
diff --git a/graphics/tiff/patches/patch-tools_tiffcp.c b/graphics/tiff/patches/patch-tools_tiffcp.c
new file mode 100644
index 00000000000..968cb1f26f6
--- /dev/null
+++ b/graphics/tiff/patches/patch-tools_tiffcp.c
@@ -0,0 +1,61 @@
+$NetBSD: patch-tools_tiffcp.c,v 1.1 2017/05/03 23:00:59 sevan Exp $
+
+CVE-2017-5225
+http://bugzilla.maptools.org/show_bug.cgi?id=2656
+http://bugzilla.maptools.org/show_bug.cgi?id=2657
+https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
+
+--- tools/tiffcp.c.orig	2016-10-12 01:45:17.000000000 +0000
++++ tools/tiffcp.c
+@@ -592,7 +592,7 @@ static	copyFunc pickCopyFunc(TIFF*, TIFF
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+-	uint16 bitspersample, samplesperpixel = 1;
++	uint16 bitspersample = 1, samplesperpixel = 1;
+ 	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ 	copyFunc cf;
+ 	uint32 width, length;
+@@ -1068,6 +1068,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
+ 	register uint32 n;
+ 	uint32 row;
+ 	tsample_t s;
++        uint16 bps = 0;
++
++        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps != 8 )
++        {
++            TIFFError(TIFFFileName(in),
++                      "Error, can only handle BitsPerSample=8 in %s",
++                      "cpContig2SeparateByRow");
++            return 0;
++        }
+ 
+ 	inbuf = _TIFFmalloc(scanlinesizein);
+ 	outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1121,6 +1131,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
+ 	register uint32 n;
+ 	uint32 row;
+ 	tsample_t s;
++        uint16 bps = 0;
++
++        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps != 8 )
++        {
++            TIFFError(TIFFFileName(in),
++                      "Error, can only handle BitsPerSample=8 in %s",
++                      "cpSeparate2ContigByRow");
++            return 0;
++        }
+ 
+ 	inbuf = _TIFFmalloc(scanlinesizein);
+ 	outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1763,7 +1783,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16
+ 	uint32 w, l, tw, tl;
+ 	int bychunk;
+ 
+-	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
++	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+ 	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+ 		fprintf(stderr,
+ 		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
author	sevan <sevan@pkgsrc.org>	2017-05-03 23:00:59 +0000
committer	sevan <sevan@pkgsrc.org>	2017-05-03 23:00:59 +0000
commit	ef54f13f05370f2e9be97f54a7f8a91090ff14b7 (patch)
tree	06756c6333b57f6e87fb01e565368f639579774e /graphics/tiff
parent	7d9747643673369ee800f1d9e821c8366d912f97 (diff)
download	pkgsrc-ef54f13f05370f2e9be97f54a7f8a91090ff14b7.tar.gz