Hello community,
here is the log from the commit of package tiff for openSUSE:Factory checked in at 2015-03-09 10:04:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tiff (Old)
and /work/SRC/openSUSE:Factory/.tiff.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff"
Changes:
--------
--- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2014-12-25 23:19:57.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2015-03-09 10:04:40.000000000 +0100
@@ -1,0 +2,20 @@
+Thu Feb 26 13:58:54 UTC 2015 - pgajdos@suse.com
+
+- security update: CVE-2014-9655, CVE-2014-8127, CVE-2014-8128,
+ CVE-2014-8129, CVE-2014-8130, CVE-2015-1547
+ bnc#914890, bnc#916925, bnc#916927
+ + erouault.2856.patch
+ + erouault.2857.patch
+ + erouault.2858.patch
+ + erouault.2859.patch
+ + erouault.2860.patch
+ + erouault.2861.patch
+ + erouault.2862.patch
+ + erouault.2863.patch
+ + erouault.2876.patch
+ + bfriesen.2805.patch
+ + tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
+ + tiff-handle-TIFFTAG_PREDICTOR.patch
+ + tiff-dither-malloc-check.patch
+
+-------------------------------------------------------------------
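Review bot: The changelog entry lists six CVE ids, three bnc numbers and thirteen patch files, but does not say which patch addresses which CVE, so a later reader cannot tell what to keep or drop when one of these is superseded upstream. Suggest annotating each `+ <name>.patch` line with the CVE or bnc it belongs to, and saying so explicitly where a patch is only a prerequisite for another.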
New:
----
bfriesen.2805.patch
erouault.2856.patch
erouault.2857.patch
erouault.2858.patch
erouault.2859.patch
erouault.2860.patch
erouault.2861.patch
erouault.2862.patch
erouault.2863.patch
erouault.2876.patch
tiff-dither-malloc-check.patch
tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
tiff-handle-TIFFTAG_PREDICTOR.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tiff.spec ++++++
--- /var/tmp/diff_new_pack.YM5Mir/_old 2015-03-09 10:04:41.000000000 +0100
+++ /var/tmp/diff_new_pack.YM5Mir/_new 2015-03-09 10:04:41.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package tiff
#
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -60,6 +60,20 @@
Patch9: tiff-4.0.3-CVE-2013-4231.patch
Patch10: tiff-4.0.3-CVE-2013-4244.patch
Patch11: tiff-4.0.3-CVE-2013-4243.patch
+Patch12: erouault.2856.patch
+Patch13: erouault.2857.patch
+Patch14: erouault.2858.patch
+Patch15: erouault.2859.patch
+Patch16: erouault.2860.patch
+Patch17: erouault.2861.patch
+Patch18: erouault.2862.patch
+Patch19: erouault.2863.patch
+Patch20: erouault.2876.patch
+Patch21: bfriesen.2805.patch
+Patch22: tiff-dither-malloc-check.patch
+Patch23: tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch
+Patch24: tiff-handle-TIFFTAG_PREDICTOR.patch
+
# FYI: this issue is solved another way
# http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
# Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -115,6 +129,19 @@
%patch9
%patch10
%patch11
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22
+%patch23
+%patch24
%build
CFLAGS="$RPM_OPT_FLAGS -fPIE"
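Review bot: `%patch12` through `%patch21` are applied with `-p1` while `%patch22` to `%patch24` use the default strip level, and nothing in the spec says why. A one-line comment above the block (for example, that the PatchSet-derived patches carry a leading `libtiff/` path component) would keep someone from later "normalising" the strip levels and breaking the prep stage.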
++++++ bfriesen.2805.patch ++++++
---------------------
PatchSet 2805
Date: 2012/11/18 19:51:52
Author: bfriesen
Branch: HEAD
Tag: (none)
Log:
* libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not
require malloc() to return NULL pointer if requested allocation
size is zero. Assure that _TIFFmalloc does.
Members:
ChangeLog:1.924->1.925
libtiff/tif_unix.c:1.23->1.24
libtiff/tif_vms.c:1.11->1.12
libtiff/tif_win32.c:1.39->1.40
Index: libtiff/libtiff/tif_unix.c
diff -u libtiff/libtiff/tif_unix.c:1.23 libtiff/libtiff/tif_unix.c:1.24
--- libtiff/libtiff/tif_unix.c:1.23 Fri Jun 1 16:40:59 2012
+++ libtiff/libtiff/tif_unix.c Sun Nov 18 12:51:52 2012
@@ -257,6 +257,9 @@
void*
_TIFFmalloc(tmsize_t s)
{
+ if (s == 0)
+ return ((void *) NULL);
+
return (malloc((size_t) s));
}
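Review bot: Only `libtiff/tif_unix.c` is patched here, although the PatchSet log lists the same `_TIFFmalloc` change for `tif_vms.c` and `tif_win32.c`; that is fine for this package's target, but the changelog should say the patch is a subset so it is not taken for the complete upstream change. The new `if (s == 0)` branch would also benefit from a short in-code comment, since the reason (malloc() is not required to return NULL for a zero-size request) is recorded only in the log.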
++++++ erouault.2856.patch ++++++
---------------------
PatchSet 2856
Date: 2014/12/21 17:15:31
Author: erouault
Branch: HEAD
Tag: (none)
Log:
Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
Members:
ChangeLog:1.960->1.961
libtiff/tif_dir.c:1.117->1.118
libtiff/tif_dirread.c:1.180->1.181
libtiff/tif_getimage.c:1.82->1.83
libtiff/tif_next.c:1.13->1.14
tools/bmp2tiff.c:1.23->1.24
tools/tiff2pdf.c:1.77->1.78
tools/tiffcrop.c:1.23->1.24
tools/tiffdump.c:1.28->1.29
Index: libtiff/libtiff/tif_dir.c
diff -u libtiff/libtiff/tif_dir.c:1.117 libtiff/libtiff/tif_dir.c:1.118
--- libtiff/libtiff/tif_dir.c:1.117 Thu Nov 20 11:47:21 2014
+++ libtiff/libtiff/tif_dir.c Sun Dec 21 10:15:31 2014
@@ -160,6 +160,7 @@
TIFFDirectory* td = &tif->tif_dir;
int status = 1;
uint32 v32, i, v;
+ double dblval;
char* s;
const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
uint32 standard_tag = tag;
@@ -284,10 +285,16 @@
setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
break;
case TIFFTAG_XRESOLUTION:
- td->td_xresolution = (float) va_arg(ap, double);
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+ td->td_xresolution = (float) dblval;
break;
case TIFFTAG_YRESOLUTION:
- td->td_yresolution = (float) va_arg(ap, double);
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+ td->td_yresolution = (float) dblval;
break;
case TIFFTAG_PLANARCONFIG:
v = (uint16) va_arg(ap, uint16_vap);
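Review bot: In both the `TIFFTAG_XRESOLUTION` and `TIFFTAG_YRESOLUTION` cases the test `if( dblval < 0 )` lets a NaN through, because every ordered comparison with NaN is false, and the value is then narrowed with `(float) dblval`. If the aim is to keep values that trip the directory writer's asserts out of `td_xresolution` and `td_yresolution`, consider rejecting NaN as well, for example `if( dblval < 0 || dblval != dblval )`.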
@@ -694,6 +701,16 @@
va_end(ap);
}
return (0);
+badvaluedouble:
+ {
+ const TIFFField* fip=TIFFFieldWithTag(tif,tag);
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Bad value %f for \"%s\" tag",
+ tif->tif_name, dblval,
+ fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ }
+ return (0);
}
/*
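Review bot: The block under `badvaluedouble:` declares `const TIFFField* fip=TIFFFieldWithTag(tif,tag);`, which shadows the `fip` already declared at the top of the function (`const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);`). Suggest giving the inner variable a different name or reusing the outer one, so that a later edit inside this block cannot silently pick up the wrong pointer.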
Index: libtiff/libtiff/tif_dirread.c
diff -u libtiff/libtiff/tif_dirread.c:1.180 libtiff/libtiff/tif_dirread.c:1.181
--- libtiff/libtiff/tif_dirread.c:1.180 Thu Nov 20 11:47:21 2014
+++ libtiff/libtiff/tif_dirread.c Sun Dec 21 10:15:31 2014
@@ -3430,6 +3430,8 @@
const TIFFField* fip;
uint32 fii=FAILED_FII;
toff_t nextdiroff;
+ int bitspersample_read = FALSE;
+
tif->tif_diroff=tif->tif_nextdiroff;
if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
return 0; /* last offset or bad offset (IFD looping) */
@@ -3706,6 +3708,8 @@
}
if (!TIFFSetField(tif,dp->tdir_tag,value))
goto bad;
+ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE )
+ bitspersample_read = TRUE;
}
break;
case TIFFTAG_SMINSAMPLEVALUE:
@@ -3763,6 +3767,19 @@
uint32 countrequired;
uint32 incrementpersample;
uint16* value=NULL;
+ /* It would be dangerous to instanciate those tag values */
+ /* since if td_bitspersample has not yet been read (due to */
+ /* unordered tags), it could be read afterwards with a */
+ /* values greater than the default one (1), which may cause */
+ /* crashes in user code */
+ if( !bitspersample_read )
+ {
+ fip = TIFFFieldWithTag(tif,dp->tdir_tag);
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "Ignoring %s since BitsPerSample tag not found",
+ fip ? fip->field_name : "unknown tagname");
+ continue;
+ }
countpersample=(1L<<tif->tif_dir.td_bitspersample);
if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
{
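Review bot: The warning text "Ignoring %s since BitsPerSample tag not found" is misleading for the case the new comment describes, where BitsPerSample is present but appears after ColorMap or TransferFunction in the directory; `bitspersample_read` is false in both situations. Suggest wording such as "BitsPerSample tag not yet read". Separately, the context line `countpersample=(1L<<tif->tif_dir.td_bitspersample);` still shifts by a value read from the file, and this hunk adds no upper bound on it before the shift.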
Index: libtiff/libtiff/tif_getimage.c
diff -u libtiff/libtiff/tif_getimage.c:1.82 libtiff/libtiff/tif_getimage.c:1.83
--- libtiff/libtiff/tif_getimage.c:1.82 Tue Jun 5 19:17:49 2012
+++ libtiff/libtiff/tif_getimage.c Sun Dec 21 10:15:31 2014
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.82 2012-06-06 00:17:49 fwarmerdam Exp $ */
+/* $Id: tif_getimage.c,v 1.83 2014-12-21 15:15:31 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
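Review bot: This hunk only rewrites the CVS `$Id$` keyword line. Carrying it in a distribution patch adds nothing functional and makes the patch fail to apply whenever the base tarball's keyword line differs; suggest dropping this hunk from the packaged patch.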
@@ -182,8 +182,23 @@
"Planarconfiguration", td->td_planarconfig);
return (0);
}
+ if( td->td_samplesperpixel != 3 )
+ {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d",
+ "Samples/pixel", td->td_samplesperpixel);
+ return 0;
+ }
break;
case PHOTOMETRIC_CIELAB:
+ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
+ {
+ sprintf(emsg,
+ "Sorry, can not handle image with %s=%d and %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
+ "Bits/sample", td->td_bitspersample);
+ return 0;
+ }
break;
default:
sprintf(emsg, "Sorry, can not handle image with %s=%d",
Index: libtiff/libtiff/tif_next.c
diff -u libtiff/libtiff/tif_next.c:1.13 libtiff/libtiff/tif_next.c:1.14
--- libtiff/libtiff/tif_next.c:1.13 Wed Mar 10 13:56:48 2010
+++ libtiff/libtiff/tif_next.c Sun Dec 21 10:15:32 2014
@@ -102,6 +102,8 @@
default: {
uint32 npixels = 0, grey;
uint32 imagewidth = tif->tif_dir.td_imagewidth;
+ if( isTiled(tif) )
+ imagewidth = tif->tif_dir.td_tilewidth;
/*
* The scanline is composed of a sequence of constant
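Review bot: After `if( isTiled(tif) ) imagewidth = tif->tif_dir.td_tilewidth;` the local `imagewidth` no longer means what its name says. A neutral name, or at least a comment at the assignment stating that it holds the tile width for tiled images, would make the run-mode code that follows easier to audit.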
Index: libtiff/tools/bmp2tiff.c
diff -u libtiff/tools/bmp2tiff.c:1.23 libtiff/tools/bmp2tiff.c:1.24
--- libtiff/tools/bmp2tiff.c:1.23 Wed Mar 10 13:56:49 2010
+++ libtiff/tools/bmp2tiff.c Sun Dec 21 10:15:32 2014
@@ -403,6 +403,13 @@
width = info_hdr.iWidth;
length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
+ if( width <= 0 || length <= 0 )
+ {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file" );
+ close(fd);
+ return -1;
+ }
switch (info_hdr.iBitCount)
{
@@ -593,6 +600,14 @@
compr_size = file_hdr.iSize - file_hdr.iOffBits;
uncompr_size = width * length;
+ /* Detect int overflow */
+ if( uncompr_size / width != length )
+ {
+ TIFFError(infilename,
+ "Invalid dimensions of BMP file" );
+ close(fd);
+ return -1;
+ }
comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
if (!comprbuf) {
TIFFError(infilename,
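Review bot: The overflow test `uncompr_size / width != length` runs after `width * length` has already been computed; if these are signed integers the overflow is undefined behaviour and a compiler may drop the check, so test before multiplying (compare `length` against the type's maximum divided by `width`). The context line `compr_size = file_hdr.iSize - file_hdr.iOffBits;` is also unchecked before it reaches `_TIFFmalloc( compr_size )`; a header with `iOffBits` larger than `iSize` should be rejected here too.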
Index: libtiff/tools/tiff2pdf.c
diff -u libtiff/tools/tiff2pdf.c:1.77 libtiff/tools/tiff2pdf.c:1.78
--- libtiff/tools/tiff2pdf.c:1.77 Tue Dec 9 21:53:30 2014
+++ libtiff/tools/tiff2pdf.c Sun Dec 21 10:15:32 2014
@@ -1167,6 +1167,15 @@
if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
+ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
+ {
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Invalid tile count, %s",
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
}
if( t2p->tiff_tiles[i].tiles_tilecount > 0){
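Review bot: The new test `tiles_tilecount % xuint16` uses `xuint16` without checking the return value of the preceding `TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16)` or that the value is non-zero. If that call fails, `xuint16` would still hold the PlanarConfig value read just above, and a zero would make both the modulo and the following `/=` divide by zero. Suggest checking the call result and `xuint16 != 0` before the modulo.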
@@ -1552,6 +1561,22 @@
#endif
break;
case PHOTOMETRIC_CIELAB:
+ if( t2p->tiff_samplesperpixel != 3){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Unsupported samplesperpixel = %d for CIELAB",
+ t2p->tiff_samplesperpixel);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ if( t2p->tiff_bitspersample != 8){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Invalid bitspersample = %d for CIELAB",
+ t2p->tiff_bitspersample);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->pdf_labrange[0]= -127;
t2p->pdf_labrange[1]= 127;
t2p->pdf_labrange[2]= -127;
@@ -1567,6 +1592,22 @@
t2p->pdf_colorspace=T2P_CS_LAB;
break;
case PHOTOMETRIC_ITULAB:
+ if( t2p->tiff_samplesperpixel != 3){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Unsupported samplesperpixel = %d for ITULAB",
+ t2p->tiff_samplesperpixel);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ if( t2p->tiff_bitspersample != 8){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Invalid bitspersample = %d for ITULAB",
+ t2p->tiff_bitspersample);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->pdf_labrange[0]=-85;
t2p->pdf_labrange[1]=85;
t2p->pdf_labrange[2]=-75;
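Review bot: The ITULAB checks here are a copy of the CIELAB checks added in the previous hunk, differing only in the name in the message, and the two messages use different wording for the same kind of rejection ("Unsupported samplesperpixel" versus "Invalid bitspersample"). A small helper taking the colour-space name would remove the duplication and keep the wording consistent.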
Index: libtiff/tools/tiffcrop.c
diff -u libtiff/tools/tiffcrop.c:1.23 libtiff/tools/tiffcrop.c:1.24
--- libtiff/tools/tiffcrop.c:1.23 Sun Dec 7 17:33:06 2014
+++ libtiff/tools/tiffcrop.c Sun Dec 21 10:15:32 2014
@@ -1205,9 +1205,10 @@
tsize_t tilesize = TIFFTileSize(out);
unsigned char *tilebuf = NULL;
- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
+ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
+ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
+ return 1;
tile_buffsize = tilesize;
if (tilesize < (tsize_t)(tl * tile_rowsize))
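Review bot: The new early `return 1;` fires when any of the three `TIFFGetField` calls fails but emits no diagnostic, so the user cannot tell which of TileLength, TileWidth or BitsPerSample was missing. Suggest a `TIFFError` call before returning, in line with the error paths added to the other tools in this patch set.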
Index: libtiff/tools/tiffdump.c
diff -u libtiff/tools/tiffdump.c:1.28 libtiff/tools/tiffdump.c:1.29
--- libtiff/tools/tiffdump.c:1.28 Sat Dec 6 10:58:44 2014
+++ libtiff/tools/tiffdump.c Sun Dec 21 10:15:32 2014
@@ -374,6 +374,8 @@
void* datamem;
uint64 dataoffset;
int datatruncated;
+ int datasizeoverflow;
+
tag = *(uint16*)dp;
if (swabflag)
TIFFSwabShort(&tag);
@@ -412,13 +414,14 @@
else
typewidth = datawidth[type];
datasize = count*typewidth;
+ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count);
datafits = 1;
datamem = dp;
dataoffset = 0;
datatruncated = 0;
if (!bigtiff)
{
- if (datasize>4)
+ if (datasizeoverflow || datasize>4)
{
uint32 dataoffset32;
datafits = 0;
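Review bot: `datasizeoverflow` is computed by dividing back after `count*typewidth`, which is only a valid test when the product is evaluated in an unsigned type; the declarations of `count`, `typewidth` and `datasize` are not in this hunk, so that should be confirmed. A brief comment at the assignment noting that the `typewidth > 0` guard is there to avoid dividing by zero would also help.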
@@ -432,7 +435,7 @@
}
else
{
- if (datasize>8)
+ if (datasizeoverflow || datasize>8)
{
datafits = 0;
datamem = NULL;
@@ -442,7 +445,7 @@
}
dp += sizeof(uint64);
}
- if (datasize>0x10000)
+ if (datasizeoverflow || datasize>0x10000)
{
datatruncated = 1;
count = 0x10000/typewidth;
++++++ erouault.2857.patch ++++++
---------------------
PatchSet 2857
Date: 2014/12/21 18:28:37
Author: erouault
Branch: HEAD
Tag: (none)
Log:
* tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none.
Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
Description: fix for Debian bug #741451
tiffcp crashes when converting JPEG-encoded TIFF to a different
encoding (like none or lzw). For example this will probably fail:
tiffcp -c none jpeg_encoded_file.tif output.tif
The reason is that when the input file contains JPEG data,
the tiffcp code forces conversion to RGB space. However,
the output normally inherits YCbCr subsampling parameters
from the input, which leads to a smaller working buffer
than necessary. The buffer is subsequently overrun inside
cpStripToTile() (called from writeBufferToContigTiles).
Note that the resulting TIFF file would be scrambled even
if tiffcp wouldn't crash, since the output file would contain
RGB data interpreted as subsampled YCbCr values.
This patch fixes the problem by forcing RGB space on the output
TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
Author: Tomasz Buchert