From 8277bc66a66db6aaa384792ed7acefb060888f00 Mon Sep 17 00:00:00 2001
From: drochner
Date: Thu, 15 Aug 2013 14:58:46 +0000
Subject: add patches from upstream CVS and Redhat bugzilla to fix buffer overflow and use-after-free problems in the "gif2tiff" and "tiff2pdf" command line tools (the library is not affected) (CVE-2013-4231, CVE-2013-4232, CVE-2013-4244) bump PKGREV
---
 graphics/tiff/Makefile | 4 ++--
 graphics/tiff/distinfo | 5 +++--
 graphics/tiff/patches/patch-CVE-2013-1960_1961 | 21 ++++++++++++-----
 graphics/tiff/patches/patch-CVE-2013-4231 | 31 ++++++++++++++++++++++++++
 4 files changed, 52 insertions(+), 9 deletions(-)
 create mode 100644 graphics/tiff/patches/patch-CVE-2013-4231
(limited to 'graphics/tiff')
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 861e2ba71e5..e22b62c5904 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.112 2013/05/02 14:52:44 drochner Exp $
+# $NetBSD: Makefile,v 1.113 2013/08/15 14:58:46 drochner Exp $
 DISTNAME= tiff-4.0.3
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= graphics
 MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
 http://libtiff.maptools.org/dl/
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index 144e149f221..3a5b6aedcbe 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.60 2013/05/02 14:52:44 drochner Exp $
+$NetBSD: distinfo,v 1.61 2013/08/15 14:58:46 drochner Exp $
 SHA1 (tiff-4.0.3.tar.gz) = 652e97b78f1444237a82cbcfe014310e776eb6f0
 RMD160 (tiff-4.0.3.tar.gz) = eacd725fb3c299682c1c2e508049d98acd170f31
 Size (tiff-4.0.3.tar.gz) = 2051630 bytes
 SHA1 (patch-CVE-2012-4564) = bda3b26e431e8234e5afd984a086c980a8eb6c41
-SHA1 (patch-CVE-2013-1960_1961) = dff40e975426a6df2ba27383d22b5f8f4275a443
+SHA1 (patch-CVE-2013-1960_1961) = b815edbeeb1eb23ce2633060dd390985dec794f3
+SHA1 (patch-CVE-2013-4231) = bc1420583b9c4b0a34d26142bc35b6d0d26af529
 SHA1 (patch-configure) = 1fb9ef790a59ac9c1396dd8e962c75946e2c998a
diff --git a/graphics/tiff/patches/patch-CVE-2013-1960_1961 b/graphics/tiff/patches/patch-CVE-2013-1960_1961
index 7e63de2c56c..4d2c1dee7c9 100644
--- a/graphics/tiff/patches/patch-CVE-2013-1960_1961
+++ b/graphics/tiff/patches/patch-CVE-2013-1960_1961
@@ -1,8 +1,11 @@
-$NetBSD: patch-CVE-2013-1960_1961,v 1.1 2013/05/02 14:52:44 drochner Exp $
+$NetBSD: patch-CVE-2013-1960_1961,v 1.2 2013/08/15 14:58:46 drochner Exp $
 see https://bugzilla.redhat.com/show_bug.cgi?id=952131
 and https://bugzilla.redhat.com/show_bug.cgi?id=952158
+also fixes CVE-2013-4232
+see http://bugzilla.maptools.org/show_bug.cgi?id=2449
+
 --- contrib/dbs/xtiff/xtiff.c.orig 2010-06-08 20:55:15.000000000 +0200
 +++ contrib/dbs/xtiff/xtiff.c 2013-05-02 16:27:43.000000000 +0200
 @@ -512,9 +512,9 @@ SetNameLabel()
@@ -63,9 +66,17 @@ and https://bugzilla.redhat.com/show_bug.cgi?id=952158
 TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
 TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
 outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
---- tools/tiff2pdf.c.orig 2013-05-02 16:27:43.000000000 +0200
-+++ tools/tiff2pdf.c 2013-05-02 16:32:49.000000000 +0200
-@@ -3341,33 +3341,56 @@ int t2p_process_jpeg_strip(
+--- tools/tiff2pdf.c.orig 2012-07-26 02:56:43.000000000 +0000
++++ tools/tiff2pdf.c
+@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ _TIFFfree(buffer);
++ return(0);
+ } else {
+ buffer=samplebuffer;
+ t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
+@@ -3341,33 +3342,56 @@ int t2p_process_jpeg_strip(
 uint32 height){
 tsize_t i=0;
@@ -144,7 +155,7 @@ and https://bugzilla.redhat.com/show_bug.cgi?id=952158
 }
 v_samp*=8;
 h_samp*=8;
-@@ -3381,45 +3404,43 @@ int t2p_process_jpeg_strip(
+@@ -3381,45 +3405,43 @@ int t2p_process_jpeg_strip(
 (unsigned char) ((height>>8) & 0xff);
 buffer[*bufferoffset+6]=
 (unsigned char) (height & 0xff);
diff --git a/graphics/tiff/patches/patch-CVE-2013-4231 b/graphics/tiff/patches/patch-CVE-2013-4231
new file mode 100644
index 00000000000..0916dfd5818
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2013-4231
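Review bot: The `return(0);` added after `_TIFFfree(buffer);` in the tools/tiff2pdf.c hunk (carried inside patch-CVE-2013-1960_1961) has no comment explaining why the early exit is needed, and the reason is not obvious from the three visible lines: without it the error branch apparently leaves the `if` with `buffer` already freed and execution continues. A one-line comment such as `/* buffer is freed; do not fall through to the code below */` would protect the return from being dropped in a later cleanup. t2p_readwrite_pdf_image starts and ends outside the hunk, so its other error branches that free `buffer` should be checked for the same fall-through.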
@@ -0,0 +1,31 @@
+$NetBSD: patch-CVE-2013-4231,v 1.1 2013/08/15 14:58:46 drochner Exp $
+
+see http://bugzilla.maptools.org/show_bug.cgi?id=2450
+
+also fixes CVE-2013-4244
+see https://bugzilla.redhat.com/show_bug.cgi?id=996468
+
+--- tools/gif2tiff.c.orig 2010-12-15 03:52:53.000000000 +0000
++++ tools/gif2tiff.c
+@@ -333,6 +333,10 @@ readraster(void)
+ int status = 1;
+
+ datasize = getc(infile);
++
++ if (datasize > 12)
++ return 0;
++
+ clear = 1 << datasize;
+ eoi = clear + 1;
+ avail = clear + 2;
+@@ -398,6 +402,10 @@ process(register int code, unsigned char
+ }
+
+ if (oldcode == -1) {
++ if (code >= clear) {
++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
++ return 0;
++ }
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+ return 1;
-- 
cgit v1.2.3
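Review bot: In the readraster hunk the new guard `if (datasize > 12)` rejects only large values, but `getc(infile)` returns EOF (a negative int) on a truncated file and that value still reaches `clear = 1 << datasize;`, a shift by a negative count, which is undefined behaviour. The guard should read `if (datasize < 0 || datasize > 12) return 0;`, assuming `datasize` is a signed int (its declaration is outside the hunk). Whether 12 is the right upper bound depends on the size of the `suffix` table and any sibling tables, which are not visible here: with `datasize` equal to 12, `avail` already starts at `clear + 2`, so the bound should be compared with those array sizes. The readraster path also returns silently while the process() path prints a diagnostic, and a matching `fprintf(stderr, ...)` would make rejected files easier to triage. Both functions continue outside the hunks.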