Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at 2016-02-03 10:19:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "tiff" Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2016-01-15 10:40:30.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2016-02-03 10:19:03.000000000 +0100 @@ -1,0 +2,16 @@ +Mon Feb 1 08:01:19 UTC 2016 - fstrba@suse.com + +- Added patch: + * tiff-4.0.6-CVE-2015-8782.patch + - fix CVE-2015-8781, CVE-2015-8782, CVE-2015-8783: Out-of-bounds + writes for invalid images (upstream bug #2522) [bsc#964225] + +------------------------------------------------------------------- +Wed Jan 13 17:03:31 UTC 2016 - fstrba@suse.com + +- Added patch: + * tiff-4.0.6-CVE-2015-7554.patch + - fix CVE-2015-7554: Out-of-bounds Write in the thumbnail and + tiffcmp tools (upsteam bug #2499) [bsc#960341] + +------------------------------------------------------------------- @@ -4,3 +20,4 @@ -- add tiff-4.0.4-uninitialized_mem_NeXTDecode.patch to fix - uninitialized memory in NeXTDecode (upstream bug #2508) - [bnc#942690] +- Added patch: + * tiff-4.0.4-uninitialized_mem_NeXTDecode.patch + - fix uninitialized memory in NeXTDecode (upstream bug #2508) + [bsc#942690] New: ---- tiff-4.0.6-CVE-2015-7554.patch tiff-4.0.6-CVE-2015-8782.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.CYtZKK/_old 2016-02-03 10:19:04.000000000 +0100 +++ /var/tmp/diff_new_pack.CYtZKK/_new 2016-02-03 10:19:04.000000000 +0100 @@ -31,6 +31,10 @@ Patch1: tiff-4.0.3-compress-warning.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2508 Patch2: tiff-4.0.4-uninitialized_mem_NeXTDecode.patch +# http://bugzilla.maptools.org/show_bug.cgi?id=2499 +Patch3: tiff-4.0.6-CVE-2015-7554.patch +# http://bugzilla.maptools.org/show_bug.cgi?id=2522 +Patch4: tiff-4.0.6-CVE-2015-8782.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: libtool @@ -94,6 +98,8 @@ %patch0 -p1 %patch1 -p1 %patch2 +%patch3 +%patch4 -p1 %build CFLAGS="%{optflags} -fPIE" ++++++ tiff-4.0.6-CVE-2015-7554.patch ++++++ --- libtiff/tif_dirinfo.c 12 Dec 2015 18:04:26 -0000 1.124 +++ libtiff/tif_dirinfo.c 12 Jan 2016 15:01:21 -0000 @@ -87,6 +87,7 @@ { TIFFTAG_DATETIME, 20, 20, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "DateTime", NULL }, { TIFFTAG_ARTIST, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "Artist", NULL }, { TIFFTAG_HOSTCOMPUTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "HostComputer", NULL }, + { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CODEC+0, FALSE, FALSE, "Predictor", NULL }, { TIFFTAG_WHITEPOINT, 2, 2, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "WhitePoint", NULL }, { TIFFTAG_PRIMARYCHROMATICITIES, 6, 6, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "PrimaryChromaticities", NULL }, { TIFFTAG_COLORMAP, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_OTHER, TIFF_SETGET_UNDEFINED, FIELD_COLORMAP, 1, 0, "ColorMap", NULL }, @@ -95,6 +96,7 @@ { TIFFTAG_TILELENGTH, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UNDEFINED, FIELD_TILEDIMENSIONS, 0, 0, "TileLength", NULL }, { TIFFTAG_TILEOFFSETS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPOFFSETS, 0, 0, "TileOffsets", NULL }, { TIFFTAG_TILEBYTECOUNTS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPBYTECOUNTS, 0, 0, "TileByteCounts", NULL }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+2, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", &tiffFieldArray }, { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, ++++++ tiff-4.0.6-CVE-2015-8782.patch ++++++ --- a/libtiff/tif_luv.c +++ b/libtiff/tif_luv.c @@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) if (sp->user_datafmt == SGILOGDATAFMT_16BIT) tp = (int16*) op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (int16*) sp->tbuf; } _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); @@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) cc = tif->tif_rawcc; /* get each byte string */ for (shft = 2*8; (shft -= 8) >= 0; ) { - for (i = 0; i < npixels && cc > 0; ) + for (i = 0; i < npixels && cc > 0; ) { if (*bp >= 128) { /* run */ - rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ + if( cc < 2 ) + break; + rc = *bp++ + (2-128); b = (int16)(*bp++ << shft); cc -= 2; while (rc-- && i < npixels) @@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) while (--cc && rc-- && i < npixels) tp[i++] |= (int16)*bp++ << shft; } + } if (i != npixels) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, @@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) if (sp->user_datafmt == SGILOGDATAFMT_RAW) tp = (uint32 *)op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (uint32 *) sp->tbuf; } /* copy to array of uint32 */ bp = (unsigned char*) tif->tif_rawcp; cc = tif->tif_rawcc; - for (i = 0; i < npixels && cc > 0; i++) { + for (i = 0; i < npixels && cc >= 3; i++) { tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; bp += 3; cc -= 3; @@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) if (sp->user_datafmt == SGILOGDATAFMT_RAW) tp = (uint32*) op; else { - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } tp = (uint32*) sp->tbuf; } _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); @@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) cc = tif->tif_rawcc; /* get each byte string */ for (shft = 4*8; (shft -= 8) >= 0; ) { - for (i = 0; i < npixels && cc > 0; ) + for (i = 0; i < npixels && cc > 0; ) { if (*bp >= 128) { /* run */ + if( cc < 2 ) + break; rc = *bp++ + (2-128); b = (uint32)*bp++ << shft; - cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ + cc -= 2; while (rc-- && i < npixels) tp[i++] |= b; } else { /* non-run */ @@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) while (--cc && rc-- && i < npixels) tp[i++] |= (uint32)*bp++ << shft; } + } if (i != npixels) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, @@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) static int LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogL16Encode"; LogLuvState* sp = EncoderState(tif); int shft; tmsize_t i; @@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tp = (int16*) bp; else { tp = (int16*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* compress each byte string */ @@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) static int LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogLuvEncode24"; LogLuvState* sp = EncoderState(tif); tmsize_t i; tmsize_t npixels; @@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tp = (uint32*) bp; else { tp = (uint32*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* write out encoded pixels */ @@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) static int LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) { + static const char module[] = "LogLuvEncode32"; LogLuvState* sp = EncoderState(tif); int shft; tmsize_t i; @@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) tp = (uint32*) bp; else { tp = (uint32*) sp->tbuf; - assert(sp->tbuflen >= npixels); + if(sp->tbuflen < npixels) { + TIFFErrorExt(tif->tif_clientdata, module, + "Translation buffer too short"); + return (0); + } (*sp->tfunc)(sp, bp, npixels); } /* compress each byte string */