Hello community,
here is the log from the commit of package tiff for openSUSE:11.3
checked in at Fri Apr 1 10:48:24 CEST 2011.
--------
--- old-versions/11.3/UPDATES/all/tiff/tiff.changes 2011-03-03 09:29:00.000000000 +0100
+++ 11.3/tiff/tiff.changes 2011-03-31 23:07:33.000000000 +0200
@@ -1,0 +2,8 @@
+Thu Mar 31 10:33:24 CEST 2011 - pgajdos@suse.cz
+
+- fixed regression caused by previous update [bnc#682871]
+ * modified CVE-2011-0192.patch
+- fixed buffer overflow in thunder decoder [bnc#683337]
+ * added CVE-2011-1167.patch
+
+-------------------------------------------------------------------
calling whatdependson for 11.3-i586
New:
----
tiff-3.9.2-CVE-2011-1167.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tiff.spec ++++++
--- /var/tmp/diff_new_pack.V55Fxf/_old 2011-04-01 10:47:38.000000000 +0200
+++ /var/tmp/diff_new_pack.V55Fxf/_new 2011-04-01 10:47:38.000000000 +0200
@@ -29,7 +29,7 @@
#
Url: http://www.remotesensing.org/libtiff/
Version: 3.9.2
-Release: 5.<RELEASE4>
+Release: 5.<RELEASE8>
Summary: Tools for Converting from and to the Tiff Format
Source: tiff-%{version}.tar.bz2
Source2: README.SUSE
@@ -45,6 +45,7 @@
Patch10: tiff-%{version}-dont-fancy-upsampling.patch
Patch11: tiff-%{version}-CVE-2011-0192.patch
Patch12: tiff-%{version}-CVE-2011-0191.patch
+Patch13: tiff-3.9.2-CVE-2011-1167.patch
# FYI: this issue is solved another way
# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
# Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
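Review bot: The new `Patch13` line hard-codes `3.9.2` in the file name, while Patch10 to Patch12 directly above it use `%{version}`. Writing it as `Patch13: tiff-%{version}-CVE-2011-1167.patch` keeps the patch list consistent. Since this is a security fix, a one-line comment above it such as `# bnc#683337 - buffer overflow in thunder decoder` would let a later maintainer see why the patch is carried without consulting the changelog.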
@@ -115,6 +116,7 @@
%patch10 -p1
%patch11
%patch12
+%patch13
find -type d -name "CVS" | xargs rm -rfv
find -type d | xargs chmod 755
++++++ tiff-3.9.2-CVE-2011-0192.patch ++++++
--- /var/tmp/diff_new_pack.V55Fxf/_old 2011-04-01 10:47:38.000000000 +0200
+++ /var/tmp/diff_new_pack.V55Fxf/_new 2011-04-01 10:47:38.000000000 +0200
@@ -1,15 +1,29 @@
-Index: libtiff/tif_fax3.h
-===================================================================
---- libtiff/tif_fax3.h.orig
-+++ libtiff/tif_fax3.h
-@@ -478,6 +478,10 @@ done1d: \
+Protect against a fax VL(n) codeword commanding a move left. Without
+this, a malicious input file can generate an indefinitely large series
+of runs without a0 ever reaching the right margin, thus overrunning
+our buffer of run lengths. Per CVE-2011-0192. This is a modified
+version of a patch proposed by Drew Yao of Apple Product Security.
+It adds an unexpected() report, and disallows the equality case except
+for the first run of a line, since emitting a run without increasing a0
+still allows buffer overrun. (We have to allow it for the first run to
+cover the case of encoding a zero-length run at start of line using VL.)
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2297
+
+diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
+--- libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400
++++ libtiff/tif_fax3.h 2011-03-10 12:11:20.850839162 -0500
+@@ -478,6 +478,12 @@
break; \
case S_VL: \
CHECK_b1; \
-+ if (b1 <= (int) (a0 + TabEnt->Param)) { \
-+ unexpected("VL", a0); \
-+ goto eol2d; \
-+ } \
++ if (b1 <= (int) (a0 + TabEnt->Param)) { \
++ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \
++ unexpected("VL", a0); \
++ goto eol2d; \
++ } \
++ } \
SETVALUE(b1 - a0 - TabEnt->Param); \
b1 -= *--pb; \
break; \
+
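Review bot: The exception that accepts `b1 == a0 + TabEnt->Param` when `pa == thisrun` is explained only in the patch header, not in the `S_VL` case itself, so the reasoning will not appear in tif_fax3.h once the patch is applied. A comment above the inner test would keep it beside the bounds check it qualifies, for example `/* equality is legal only for the first run of a line (zero-length run encoded with VL) */ \`. The enclosing macro starts and ends outside the hunk, so the state of `pa` and `thisrun` at this point cannot be confirmed from here. The `diff -Naur` header names `tiff-3.9.4` while the package is 3.9.2, so it is worth confirming that the surrounding context matches the packaged tree.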
++++++ tiff-3.9.2-CVE-2011-1167.patch ++++++
Index: libtiff/tif_thunder.c
===================================================================
--- libtiff/tif_thunder.c.orig
+++ libtiff/tif_thunder.c
@@ -25,6 +25,7 @@
*/
#include "tiffiop.h"
+#include