Hello community, here is the log from the commit of package tiff checked in at Fri Sep 5 20:56:15 CEST 2008.
--------
--- tiff/tiff.changes 2008-05-18 10:37:14.000000000 +0200
+++ tiff/tiff.changes 2008-08-19 17:46:38.000000000 +0200
@@ -1,0 +2,5 @@
+Tue Aug 19 17:45:10 CEST 2008 - nadvornik@suse.cz
+
+- fixed buffer overflows in LZW code (CVE-2008-2327) [bnc#414946]
+
+-------------------------------------------------------------------
New:
----
tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch
tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tiff.spec ++++++
--- /var/tmp/diff_new_pack.E12093/_old 2008-09-05 20:42:22.000000000 +0200
+++ /var/tmp/diff_new_pack.E12093/_new 2008-09-05 20:42:22.000000000 +0200
@@ -2,9 +2,16 @@
 # spec file for package tiff (Version 3.8.2)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
-# This file and all modifications and additions to the pristine
-# package are under the same license as the package itself.
 #
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
@@ -18,7 +25,7 @@
 AutoReqProv: on
 Url: http://www.remotesensing.org/libtiff/
 Version: 3.8.2
-Release: 106
+Release: 128
 Summary: Tools for Converting from and to the Tiff Format
 Source: tiff-%{version}.tar.bz2
 Source1: jpegint.h
@@ -26,6 +33,8 @@
 Patch2: tiff-%{version}-seek.patch
 Patch3: tiff-%{version}-tiff2pdf.patch
 Patch4: tiff-%{version}-tiffsplit-CVE-2006-2656.patch
+Patch5: tiff-%{version}-tif_lzw.c-CVE-2008-2327.patch
+Patch6: tiff-%{version}-tif_lzw.c-CVE-2008-2327-2.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -75,6 +84,8 @@
 %patch2
 %patch3
 %patch4
+%patch5
+%patch6
 cp %{S:1} libtiff
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755
@@ -125,6 +136,8 @@
 %doc %{_mandir}/man3/*
 %changelog
+* Tue Aug 19 2008 nadvornik@suse.cz
+- fixed buffer overflows in LZW code (CVE-2008-2327) [bnc#414946]
 * Sun May 18 2008 coolo@suse.de
 - fix rename of xxbit packages
 * Thu Apr 10 2008 ro@suse.de
++++++ tiff-3.8.2-tif_lzw.c-CVE-2008-2327-2.patch ++++++
--- libtiff/tif_lzw.c
+++ libtiff/tif_lzw.c
@@ -237,6 +237,11 @@
 sp->dec_codetab[code].length = 1;
 sp->dec_codetab[code].next = NULL;
 } while (code--);
+ /*
+ * Zero-out the unused entries
+ */
+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
 }
 return (1);
 }
@@ -416,6 +421,13 @@
 NextCode(tif, sp, bp, code, GetNextCode);
 if (code == CODE_EOI)
 break;
+
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
 *op++ = (char)code, occ--;
 oldcodep = sp->dec_codetab + code;
 continue;
@@ -613,6 +625,12 @@
 NextCode(tif, sp, bp, code, GetNextCodeCompat);
 if (code == CODE_EOI)
 break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
 *op++ = code, occ--;
 oldcodep = sp->dec_codetab + code;
 continue;
++++++ tiff-3.8.2-tif_lzw.c-CVE-2008-2327.patch ++++++
--- libtiff/tif_lzw.c
+++ libtiff/tif_lzw.c
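Review bot: The comment added in the `@@ -237,6 +237,11 @@` hunk, "Zero-out the unused entries", does not say which entries are meant or why zeroing them matters. The memset starts at `dec_codetab[CODE_CLEAR]` and covers `CODE_FIRST-CODE_CLEAR` slots, which look like the control-code slots that the preceding `do … while (code--)` loop never initialises; only the tail of that loop is visible, so this is inferred. I would spell it out, e.g. `/* Zero the CODE_CLEAR..CODE_FIRST-1 slots: no string is stored there, and the decoder must not find stale next/length if a corrupt stream indexes them. */`. The enclosing function starts outside the hunk.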
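Review bot: In the `@@ -416,6 +421,13 @@` hunk the new guard rejects only `code == CODE_CLEAR`, so any other non-literal code read at this point still falls through to `*op++ = (char)code` and becomes `oldcodep`. If this read follows the clear-code handling, as the line numbers suggest, the table holds no strings yet and only a literal is valid here. `CODE_EOI` is already handled by the `break` above, so `if (code >= CODE_CLEAR) {` would reject the whole invalid range instead of relying on the zeroed entries from the companion patch. The parallel guard in the `@@ -613,6 +625,12 @@` hunk has the same gap. The decode loop begins and ends outside both hunks, so this should be confirmed against the full function.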
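Review bot: The error text added in the `@@ -613,6 +625,12 @@` hunk is identical to the one in the previous hunk and names `LZWDecode`, although the `GetNextCodeCompat` context suggests this is the compatibility decoder. A distinct prefix, e.g. `"LZWDecodeCompat: Corrupted LZW table at scanline %d",`, would let a log line show which path rejected the input; the function name is inferred, since the hunk does not show the signature. Separately, both hunks print `tif->tif_row` with `%d`; if that field is an unsigned 32-bit type, an unsigned specifier with a matching cast is the correct form.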
@@ -408,6 +408,8 @@
 break;
 if (code == CODE_CLEAR) {
 free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
 nbits = BITS_MIN;
 nbitsmask = MAXCODE(BITS_MIN);
 maxcodep = sp->dec_codetab + nbitsmask-1;
@@ -604,6 +606,7 @@
 break;
 if (code == CODE_CLEAR) {
 free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
 nbits = BITS_MIN;
 nbitsmask = MAXCODE(BITS_MIN);
 maxcodep = sp->dec_codetab + nbitsmask;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
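Review bot: The `@@ -408,6 +408,8 @@` hunk adds the identical line `_TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));` twice in a row, while the parallel `@@ -604,6 +606,7 @@` hunk adds it once. The second call re-zeroes memory the first has just cleared, so it changes nothing and looks like a patch-merge slip; one copy should be dropped. Both hunks also clear the whole tail of the table on every clear code, so the work per `CODE_CLEAR` is proportional to `CSIZE`, and it is worth confirming that this cost is acceptable for inputs that contain many clear codes. The surrounding decode loop lies outside the hunks.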