commit tiff for openSUSE:Factory
Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at Fri Jun 25 20:48:20 CEST 2010. -------- --- tiff/tiff.changes 2010-04-26 15:09:26.000000000 +0200 +++ tiff/tiff.changes 2010-06-23 17:50:17.000000000 +0200 @@ -1,0 +2,12 @@ +Wed Jun 23 10:32:01 CEST 2010 - pgajdos@suse.cz + +- fixed CVE-2010-2065 + * integer-overflow.patch + * NULL-deref.patch +- fixed out of bounds read + * oob-read.patch +- fixed CVE-2010-2233 + * getimage-64bit.patch +- [bnc#612879] + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- tiff-3.9.2-NULL-deref.patch tiff-3.9.2-getimage-64bit.patch tiff-3.9.2-integer-overflow.patch tiff-3.9.2-oob-read.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.EbBRw0/_old 2010-06-25 20:45:01.000000000 +0200 +++ /var/tmp/diff_new_pack.EbBRw0/_new 2010-06-25 20:45:01.000000000 +0200 @@ -29,13 +29,17 @@ # Url: http://www.remotesensing.org/libtiff/ Version: 3.9.2 -Release: 3 +Release: 4 Summary: Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source2: README.SUSE Source3: baselibs.conf Patch2: tiff-%{version}-seek.patch Patch3: tiff-%{version}-tiff2pdf-colors.patch +Patch4: tiff-%{version}-NULL-deref.patch +Patch5: tiff-%{version}-integer-overflow.patch +Patch6: tiff-%{version}-oob-read.patch +Patch7: tiff-%{version}-getimage-64bit.patch # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch @@ -97,6 +101,10 @@ %setup -q %patch2 %patch3 -p1 +%patch4 +%patch5 +%patch6 -p1 +%patch7 -p1 find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 ++++++ tiff-3.9.2-NULL-deref.patch ++++++ Index: libtiff/tif_ojpeg.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v retrieving revision 1.24.2.5 retrieving revision 1.24.2.6 diff -u -p -r1.24.2.5 -r1.24.2.6 --- libtiff/tif_ojpeg.c 8 Jun 2010 18:50:42 -0000 1.24.2.5 +++ libtiff/tif_ojpeg.c 8 Jun 2010 23:29:51 -0000 1.24.2.6 @@ -1909,6 +1909,10 @@ OJPEGReadBufferFill(OJPEGState* sp) sp->in_buffer_source=osibsEof; else { + if (sp->tif->tif_dir.td_stripoffset == 0) { + TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip offsets are missing"); + return(0); + } sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile]; if (sp->in_buffer_file_pos!=0) { ++++++ tiff-3.9.2-getimage-64bit.patch ++++++ diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c --- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400 +++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-10 15:07:28.000000000 -0400 @@ -1846,6 +1846,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr22tile) { uint32* cp2; + int32 incr = 2*toskew+w; (void) y; fromskew = (fromskew / 2) * 6; cp2 = cp+w+toskew; @@ -1872,8 +1873,8 @@ cp2 ++ ; pp += 6; } - cp += toskew*2+w; - cp2 += toskew*2+w; + cp += incr; + cp2 += incr; pp += fromskew; h-=2; } @@ -1939,6 +1940,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr12tile) { uint32* cp2; + int32 incr = 2*toskew+w; (void) y; fromskew = (fromskew / 2) * 4; cp2 = cp+w+toskew; @@ -1953,8 +1955,8 @@ cp2 ++; pp += 4; } while (--x); - cp += toskew*2+w; - cp2 += toskew*2+w; + cp += incr; + cp2 += incr; pp += fromskew; h-=2; } ++++++ tiff-3.9.2-integer-overflow.patch ++++++ Index: libtiff/tif_read.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v retrieving revision 1.16.2.1 retrieving revision 1.16.2.2 diff -u -p -r1.16.2.1 -r1.16.2.2 --- libtiff/tif_read.c 8 Jun 2010 18:50:43 -0000 1.16.2.1 +++ libtiff/tif_read.c 8 Jun 2010 23:29:51 -0000 1.16.2.2 @@ -609,7 +610,7 @@ TIFFReadBufferSetup(TIFF* tif, tdata_t b tif->tif_rawdata = (tidata_t) _TIFFmalloc(tif->tif_rawdatasize); tif->tif_flags |= TIFF_MYBUFFER; } - if (tif->tif_rawdata == NULL) { + if ((tif->tif_rawdata == NULL) || (tif->tif_rawdatasize == 0)) { TIFFErrorExt(tif->tif_clientdata, module, "%s: No space for data buffer at scanline %ld", tif->tif_name, (long) tif->tif_row); ++++++ tiff-3.9.2-oob-read.patch ++++++ diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c --- tiff-3.9.2.orig/libtiff/tif_getimage.c 2009-08-30 12:21:46.000000000 -0400 +++ tiff-3.9.2/libtiff/tif_getimage.c 2010-06-11 12:06:47.000000000 -0400 @@ -2397,7 +2397,7 @@ } break; case PHOTOMETRIC_YCBCR: - if (img->bitspersample == 8) + if ((img->bitspersample==8) && (img->samplesperpixel==3)) { if (initYCbCrConversion(img)!=0) { ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
participants (1)
-
root@hilbert.suse.de