Update of /cvsroot/fink/dists/10.4/unstable/main/finkinfo/graphics In directory sc8-pr-cvs17:/tmp/cvs-serv2017
Modified Files: libtiff.info libtiff.patch netpbm.info netpbm.patch netpbm10.info netpbm10.patch Log Message: security fixes (thanks to Tomoaki Okayama) Index: netpbm.patch =================================================================== RCS file: /cvsroot/fink/dists/10.4/unstable/main/finkinfo/graphics/netpbm.patch,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- netpbm.patch 20 Jan 2006 20:26:46 -0000 1.1 +++ netpbm.patch 29 Aug 2007 15:02:50 -0000 1.2 @@ -12,3 +12,535 @@ # push(@Makefile_config, "INSTALL = install\n"); push(@Makefile_config, 'TIFFHDR_DIR = $(LOCALBASE)/include', "\n"); push(@Makefile_config, 'TIFFLIB_DIR = $(LOCALBASE)/lib', "\n"); +--- netpbm-9.24/pnm/pstopnm.c.CAN-2005-2471 2005-08-10 13:12:38.000000000 +0200 ++++ netpbm-9.24/pnm/pstopnm.c 2005-08-10 13:15:20.000000000 +0200 +@@ -480,7 +480,7 @@ + + sprintf(ghostscript_command, + "gs -sDEVICE='%s' -sOutputFile='%s' -g'%dx%d' -r'%dx%d' " +- "-q -dNOPAUSE -", ++ "-q -dNOPAUSE -dPARANOIDSAFER -", + ghostscript_device, outfile_arg, + xsize, ysize, xres, yres); + +--- netpbm-9.24/pnm/pnmtopng.c.CVE-2005-3632 2005-12-05 16:05:17.000000000 +0100 ++++ netpbm-9.24/pnm/pnmtopng.c 2005-12-05 16:14:40.000000000 +0100 +@@ -205,7 +205,8 @@ + FILE *tfp; + #endif + { +- char textline[256]; ++#define MAXLINE 1024 ++ char textline[MAXLINE]; + int textpos; + int i, j; + int c; +@@ -217,6 +218,7 @@ + textpos = 0; + while ((c = getc (tfp)) != EOF) { + if (c != '\n' && c != EOF) { ++ if (textpos >= MAXLINE) continue; + textline[textpos++] = c; + } else { + textline[textpos++] = '\0'; +@@ -227,33 +229,41 @@ + else + info_ptr->text[j].compression = 0; + cp = malloc (textpos); ++ if ( cp == NULL ) ++ pm_error("out of memory"); + info_ptr->text[j].key = cp; + i = 0; + if (textline[0] == '"') { + i++; +- while (textline[i] != '"' && textline[i] != '\n') ++ while (textline[i] != '"' && textline[i] != '\n' && i<textpos) + *(cp++) = textline[i++]; + i++; + } else { +- while (textline[i] != ' ' && textline[i] != '\t' && textline[i] != '\n') ++ while (textline[i] != ' ' && textline[i] != '\t' && textline[i] != '\n' && i<textpos) + *(cp++) = textline[i++]; + } + *(cp++) = '\0'; + cp = malloc (textpos); ++ if ( cp == NULL ) ++ pm_error("out of memory"); + info_ptr->text[j].text = cp; +- while (textline[i] == ' ' || textline[i] == '\t') ++ while ((textline[i] == ' ' || textline[i] == '\t') && i<textpos) + i++; + strcpy (cp, &textline[i]); + info_ptr->text[j].text_length = strlen (cp); + j++; + } else { + j--; ++ if ( info_ptr->text[j].text_length + textpos <= 0 ) ++ pm_error("allocation underflow"); + cp = malloc (info_ptr->text[j].text_length + textpos); ++ if ( cp == NULL ) ++ pm_error("out of memory"); + strcpy (cp, info_ptr->text[j].text); + strcat (cp, "\n"); + info_ptr->text[j].text = cp; + i = 0; +- while (textline[i] == ' ' || textline[i] == '\t') ++ while ((textline[i] == ' ' || textline[i] == '\t') && i<textpos) + i++; + strcat (cp, &textline[i]); + info_ptr->text[j].text_length = strlen (cp); +--- netpbm-9.24/pnm/pnmtopng.c.pnmtopng-offbyone 2005-09-29 10:58:32.000000000 +0200 ++++ netpbm-9.24/pnm/pnmtopng.c 2005-11-17 17:02:58.000000000 +0100 +@@ -576,8 +576,8 @@ static int convertpnm (ifp, afp, tfp) + int alpha_rows; + int alpha_cols; + int alpha_can_be_transparency_index; +- gray *alphas_of_color[MAXCOLORS]; +- int alphas_of_color_cnt[MAXCOLORS]; ++ gray *alphas_of_color[MAXCOLORS+1]; ++ int alphas_of_color_cnt[MAXCOLORS+1]; + int alphas_first_index[MAXCOLORS+1]; + int mapping[MAXCOLORS]; + int colors; +--- netpbm-9.24/pnm/pnmindex.debiansecurity 2001-08-30 04:21:14.000000000 +0200 ++++ netpbm-9.24/pnm/pnmindex 2004-01-22 15:27:01.243659161 +0100 +@@ -24,10 +24,6 @@ + exit 1 + } + +-if [ "$TMPDIR"x = ""x ] ; then +- TMPDIR=/tmp +-fi +- + while :; do + case "$1" in + +@@ -94,8 +90,10 @@ + fi + + #tmpfile=`tempfile -p pi -m 600` +-tmpfile=$TMPDIR/pi.tmp.$$ +-rm -f $tmpfile ++#tmpfile=$TMPDIR/pi.tmp.$$ ++#rm -f $tmpfile ++tmpdir=$(mktemp -d /tmp/pi.XXXXXXXX) || exit 1 #219019 ++tmpfile="$tmpdir/pi.tmp" + maxformat=PBM + + rowfiles=() +@@ -105,7 +103,7 @@ + + if [ "$title"x != ""x ] ; then + # rowfile=`tempfile -p pirow -m 600` +- rowfile=$TMPDIR/pi.${row}.$$ ++ rowfile="$tmpdir/pi.${row}.$$" + pbmtext "$title" > $rowfile + rowfiles=(${rowfiles[*]} $rowfile ) + row=$(($row + 1)) +@@ -153,7 +151,7 @@ + esac + fi + +- imagefile=$TMPDIR/pi.${row}.${col}.$$ ++ imagefile="$tmpdir/pi.${row}.${col}.$$" + rm -f $imagefile + if [ "$back" = "-white" ]; then + pbmtext "$i" | pnmcat $back -tb $tmpfile - > $imagefile +@@ -164,7 +162,7 @@ + imagefiles=( ${imagefiles[*]} $imagefile ) + + if [ $col -ge $across ]; then +- rowfile=$TMPDIR/pi.${row}.$$ ++ rowfile="$tmpdir/pi.${row}.$$" + rm -f $rowfile + + if [ $maxformat != PPM -o "$doquant" = "false" ]; then +@@ -189,7 +187,7 @@ + # Now put the final partial row in its row file. + + if [ ${#imagefiles[*]} -gt 0 ]; then +- rowfile=$TMPDIR/pi.${row}.$$ ++ rowfile="$tmpdir/pi.${row}.$$" + rm -f $rowfile + if [ $maxformat != PPM -o "$doquant" = "false" ]; then + pnmcat $back -lr -jbottom ${imagefiles[*]} > $rowfile +@@ -212,5 +210,9 @@ + fi + rm -f ${rowfiles[*]} + ++if [ -d "$tmpdir" ]; then ++ rm -rf "$tmpdir"; ++fi ++ + exit 0 + +--- netpbm-9.24/pnm/pnmmargin.debiansecurity 1993-10-04 10:11:44.000000000 +0100 ++++ netpbm-9.24/pnm/pnmmargin 2004-01-22 15:29:31.748349881 +0100 +@@ -11,11 +11,16 @@ + # documentation. This software is provided "as is" without express or + # implied warranty. + +-tmp1=/tmp/pnmm1$$ +-tmp2=/tmp/pnmm2$$ +-tmp3=/tmp/pnmm3$$ +-tmp4=/tmp/pnmm4$$ +-rm -f $tmp1 $tmp2 $tmp3 $tmp4 ++#tmp1=/tmp/pnmm1$$ ++#tmp2=/tmp/pnmm2$$ ++#tmp3=/tmp/pnmm3$$ ++#tmp4=/tmp/pnmm4$$ ++#rm -f $tmp1 $tmp2 $tmp3 $tmp4 ++tmpdir=$(mktemp -d /tmp/ppmmargin.XXXXXXX) || exit 1 #219019 ++tmp1="$tmpdir/tmp1" ++tmp2="$tmpdir/tmp2" ++tmp3="$tmpdir/tmp3" ++tmp4="$tmpdir/tmp4" + + color="-gofigure" + +@@ -83,4 +88,7 @@ + pnmcat -tb $tmp3 $tmp4 $tmp3 + + # All done. +-rm -f $tmp1 $tmp2 $tmp3 $tmp4 ++#rm -f $tmp1 $tmp2 $tmp3 $tmp4 ++if [ -d "$tmpdir" ]; then ++ rm -rf "$tmpdir" ++fi +--- netpbm-9.24/pnm/anytopnm.debiansecurity 2000-07-26 03:54:08.000000000 +0200 ++++ netpbm-9.24/pnm/anytopnm 2004-01-22 15:27:01.252657947 +0100 +@@ -22,6 +22,7 @@ + fi + + tmpfiles="" ++tmpdir=$(mktemp -d /tmp/anytopnm.XXXXXXXXXX) || exit 1 #219019 + + # Take out all spaces + # Find the filename extension for last-ditch efforts later +@@ -29,8 +30,7 @@ + + # Sanitize the filename by making our own temporary files as safely as + # possible. +-file="/tmp/atn.stdin.$$" +-rm -f "$file" ++file="$tmpdir/atn.stdin" + if [ $# -eq 0 -o "$1" = "-" ] ; then + cat > "$file" + else +@@ -57,10 +57,6 @@ + cat < "$1" > "$file" + fi + +-tmpfiles="$tmpfiles $file" +- +- +- + filetype=`file "$file" | cut -d: -f2-` + + case "$filetype" in +@@ -70,7 +66,7 @@ + ;; + + *uuencoded* ) +- newfile="/tmp/atn.decode.$$" ++ newfile="$tmpdir/atn.decode" + rm -f "$newfile" + (echo begin 600 $newfile; tail +2 < "$file") | uudecode + tmpfiles="$tmpfiles $newfile" +@@ -257,8 +253,7 @@ + + esac + +- +-if [ "$tmpfiles" ] ; then +- rm -f $tmpfiles ++if [ -d "$tmpdir" ] ; then ++ rm -rf "$tmpdir" + fi + exit 0 +--- netpbm-9.24/ppm/ppmtompeg/parallel.c.debiansecurity 2001-08-31 22:48:30.000000000 +0200 ++++ netpbm-9.24/ppm/ppmtompeg/parallel.c 2004-01-22 15:27:01.257657272 +0100 +@@ -20,6 +20,8 @@ + /*==============* + * HEADER FILES * + *==============*/ ++#define _BSD_SOURCE 1 ++/* This makes sure that mkstemp() is in unistd.h */ + + #include <sys/types.h> + #include <sys/socket.h> +@@ -557,6 +559,7 @@ + register int y; + int numBytes; + unsigned long data; ++#define TMPFILE_TEMPLATE "/tmp/ppmtompeg.XXXXXX" + char fileName[256]; + + Fsize_Note(frameNumber, yuvWidth, yuvHeight); +@@ -575,7 +578,9 @@ + + if ( frameNumber != -1 ) { + if ( separateConversion ) { +- sprintf(fileName, "/tmp/foobar%d", machineNumber); ++ strcpy(fileName, TMPFILE_TEMPLATE); ++ if (-1 == mkstemp(fileName)) ++ pm_error( "could not create temporary convolution file"); + filePtr = fopen(fileName, "wb"); + + /* read in stuff, SafeWrite to file, perform local conversion */ +--- netpbm-9.24/ppm/ppmtompeg/ppmtompeg.1.debiansecurity 2001-04-17 04:42:42.000000000 +0200 ++++ netpbm-9.24/ppm/ppmtompeg/ppmtompeg.1 2004-01-22 15:27:01.259657002 +0100 +@@ -366,6 +366,9 @@ + .SH VERSION + This is version 1.5 it contins new features and bug fixes from version 1.3. + .SH BUGS ++Not really a bug, but at least a limitation: If writing to an output file, ++ppmtompeg sometimes uses <filename>.* as temporary files. ++.LP + No known bugs, but if you find any, report them to [EMAIL PROTECTED] + .HP + .SH AUTHORS +--- netpbm-9.24/ppm/ppmfade.debiansecurity 2000-09-18 23:31:04.000000000 +0200 ++++ netpbm-9.24/ppm/ppmfade 2004-01-22 15:27:01.264656327 +0100 +@@ -23,6 +23,7 @@ + # + #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + use strict; ++use File::Temp "tempdir"; + + my $SPREAD = 1; + my $SHIFT = 2; +@@ -125,20 +126,25 @@ + + print("Frames are " . $width . "W x " . $height . "H\n"); + ++# ++# We create a tmp-directory right here ++# ++my $tmpdir = tempdir("ppmfade.XXXXXX", CLEANUP => 1); ++ + if ($first_file eq "undefined") { + print "Fading from black to "; +- system("ppmmake \\#000 $width $height >junk1$$.ppm"); ++ system("ppmmake \\#000 $width $height >$tmpdir/junk1.ppm"); + } else { + print "Fading from $first_file to "; +- system("cp", $first_file, "junk1$$.ppm"); ++ system("cp", $first_file, "$tmpdir/junk1.ppm"); + } + + if ($last_file eq "undefined") { + print "black.\n"; +- system("ppmmake \\#000 $width $height >junk2$$.ppm"); ++ system("ppmmake \\#000 $width $height >$tmpdir/junk2.ppm"); + } else { + print "$last_file\n"; +- system("cp", $last_file, "junk2$$.ppm"); ++ system("cp", $last_file, "$tmpdir/junk2.ppm"); + } + + # +@@ -161,148 +167,150 @@ + if ($mode eq $SPREAD) { + if ($i <= 10) { + my $n = $spline20[$i] * 100; +- system("ppmspread $n junk1$$.ppm >junk3$$.ppm"); ++ system("ppmspread $n $tmpdir/junk1.ppm >$tmpdir/junk3.ppm"); + } elsif ($i <= 20) { + my $n; + $n = $spline20[$i] * 100; +- system("ppmspread $n junk1$$.ppm >junk1a$$.ppm"); ++ system("ppmspread $n $tmpdir/junk1.ppm >$tmpdir/junk1a.ppm"); + $n = (1-$spline20[$i-10]) * 100; +- system("ppmspread $n junk2$$.ppm >junk2a$$.ppm"); ++ system("ppmspread $n $tmpdir/junk2.ppm >$tmpdir/junk2a.ppm"); + $n = $spline10[$i-10]; +- system("ppmmix $n junk1a$$.ppm junk2a$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1a.ppm $tmpdir/junk2a.ppm >$tmpdir/junk3.ppm"); + } else { + my $n = (1-$spline20[$i-10])*100; +- system("ppmspread $n junk2$$.ppm >junk3$$.ppm"); ++ system("ppmspread $n $tmpdir/junk2.ppm >$tmpdir/junk3.ppm"); + } + } elsif ($mode eq $SHIFT) { + if ($i <= 10) { + my $n = $spline20[$i] * 100; +- system("ppmshift $n junk1$$.ppm >junk3$$.ppm"); ++ system("ppmshift $n $tmpdir/junk1.ppm >$tmpdir/junk3.ppm"); + } elsif ($i <= 20) { + my $n; + $n = $spline20[$i] * 100; +- system("ppmshift $n junk1$$.ppm >junk1a$$.ppm"); ++ system("ppmshift $n $tmpdir/junk1.ppm >$tmpdir/junk1a.ppm"); + $n = (1-$spline20[$i-10])*100; +- system("ppmshift $n junk2$$.ppm >junk2a$$.ppm"); ++ system("ppmshift $n $tmpdir/junk2.ppm >$tmpdir/junk2a.ppm"); + $n = $spline10[$i-10]; +- system("ppmmix $n junk1a$$.ppm junk2a$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1a.ppm $tmpdir/junk2a.ppm >$tmpdir/junk3.ppm"); + } else { + my $n = (1-$spline20[$i-10]) * 100; +- system("ppmshift $n junk2$$.ppm >junk3$$.ppm"); ++ system("ppmshift $n $tmpdir/junk2.ppm >$tmpdir/junk3.ppm"); + } + } elsif ($mode eq $RELIEF) { + if ($i == 1) { +- system("ppmrelief junk1$$.ppm >junk1r$$.ppm"); ++ system("ppmrelief $tmpdir/junk1.ppm >$tmpdir/junk1r.ppm"); + } + if ($i <= 10) { + my $n = $spline10[$i]; +- system("ppmmix $n junk1$$.ppm junk1r$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1.ppm $tmpdir/junk1r.ppm >$tmpdir/junk3.ppm"); + } elsif ($i <= 20) { + my $n = $spline10[$i-10]; +- system("ppmmix $n junk1r$$.ppm junk2r$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1r.ppm $tmpdir/junk2r.ppm >$tmpdir/junk3.ppm"); + } else { + my $n = $spline10[$i-20]; +- system("ppmmix $n junk2r$$.ppm junk2$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk2r.ppm $tmpdir/junk2.ppm >$tmpdir/junk3.ppm"); + } + if ($i == 10) { +- system("ppmrelief junk2$$.ppm >junk2r$$.ppm"); ++ system("ppmrelief $tmpdir/junk2.ppm >$tmpdir/junk2r.ppm"); + } + } elsif ($mode eq $OIL) { + if ($i == 1) { +- system("ppmtopgm junk1$$.ppm | pgmoil >junko$$.ppm"); +- system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " . +- ">junk1o$$.ppm"); ++ system("ppmtopgm $tmpdir/junk1.ppm | pgmoil >$tmpdir/junko.ppm"); ++ system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm $tmpdir/junko.ppm " . ++ ">$tmpdir/junk1o.ppm"); + } + if ($i <= 10) { + my $n = $spline10[$i]; +- system("ppmmix $n junk1$$.ppm junk1o$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1.ppm $tmpdir/junk1o.ppm >$tmpdir/junk3.ppm"); + } elsif ($i <= 20) { + my $n = $spline10[$i-10]; +- system("ppmmix $n junk1o$$.ppm junk2o$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1o.ppm $tmpdir/junk2o.ppm >$tmpdir/junk3.ppm"); + } else { + my $n = $spline10[$i-20]; +- system("ppmmix $n junk2o$$.ppm junk2$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk2o.ppm $tmpdir/junk2.ppm >$tmpdir/junk3.ppm"); + } + if ($i == 10) { +- system("ppmtopgm junk2$$.ppm | pgmoil >junko$$.ppm"); +- system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " . +- ">junk2o$$.ppm"); ++ system("ppmtopgm $tmpdir/junk2.ppm | pgmoil >$tmpdir/junko.ppm"); ++ system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm $tmpdir/junko.ppm " . ++ ">$tmpdir/junk2o.ppm"); + } + } elsif ($mode eq $EDGE) { + if ($i == 1) { +- system("ppmtopgm junk1$$.ppm | pgmedge >junko$$.ppm"); +- system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " . +- ">junk1o$$.ppm"); ++ system("ppmtopgm $tmpdir/junk1.ppm | pgmedge >$tmpdir/junko.ppm"); ++ system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm $tmpdir/junko.ppm " . ++ ">$tmpdir/junk1o.ppm"); + } + if ($i <= 10) { + my $n = $spline10[$i]; +- system("ppmmix $n junk1$$.ppm junk1o$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1.ppm $tmpdir/junk1o.ppm >$tmpdir/junk3.ppm"); + } elsif ($i <= 20) { + my $n = $spline10[$i-10]; +- system("ppmmix $n junk1o$$.ppm junk2o$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1o.ppm $tmpdir/junk2o.ppm >$tmpdir/junk3.ppm"); + } else { + my $n = $spline10[$i-20]; +- system("ppmmix $n junk2o$$.ppm junk2$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk2o.ppm $tmpdir/junk2.ppm >$tmpdir/junk3.ppm"); + } + if ($i == 10) { +- system("ppmtopgm junk2$$.ppm | pgmedge >junko$$.ppm"); +- system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " . +- ">junk2o$$.ppm"); ++ system("ppmtopgm $tmpdir/junk2.ppm | pgmedge >$tmpdir/junko.ppm"); ++ system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm $tmpdir/junko.ppm " . ++ ">$tmpdir/junk2o.ppm"); + } + } elsif ($mode eq $BENTLEY) { + if ($i == 1) { +- system("ppmtopgm junk1$$.ppm | pgmbentley >junko$$.ppm"); +- system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " . +- ">junk1o$$.ppm"); ++ system("ppmtopgm $tmpdir/junk1.ppm | pgmbentley >$tmpdir/junko.ppm"); ++ system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm $tmpdir/junko.ppm " . ++ ">$tmpdir/junk1o.ppm"); + } + if ($i <= 10) { + my $n = $spline10[$i]; +- system("ppmmix $n junk1$$.ppm junk1o$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1.ppm $tmpdir/junk1o.ppm >$tmpdir/junk3.ppm"); + } elsif ($i <= 20) { + my $n = $spline10[$i-10]; +- system("ppmmix $n junk1o$$.ppm junk2o$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1o.ppm $tmpdir/junk2o.ppm >$tmpdir/junk3.ppm"); + } else { + my $n = $spline10[$i-20]; +- system("ppmmix $n junk2o$$.ppm junk2$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk2o.ppm $tmpdir/junk2.ppm >$tmpdir/junk3.ppm"); + } + if ($i == 10) { +- system("ppmtopgm junk2$$.ppm | pgmbentley >junko$$.ppm"); +- system("rgb3toppm junko$$.ppm junko$$.ppm junko$$.ppm " . +- ">junk2o$$.ppm"); ++ system("ppmtopgm $tmpdir/junk2.ppm | pgmbentley >$tmpdir/junko.ppm"); ++ system("rgb3toppm $tmpdir/junko.ppm $tmpdir/junko.ppm $tmpdir/junko.ppm " . ++ ">$tmpdir/junk2o.ppm"); + } + } elsif ($mode eq $BLOCK) { + if ($i <= 10) { + my $n = 1 - 1.9*$spline20[$i]; +- system("pnmscale $n junk1$$.ppm | " . +- "pnmscale -width $width -height $height >junk3$$.ppm"); ++ system("pnmscale $n $tmpdir/junk1.ppm | " . ++ "pnmscale -width $width -height $height >$tmpdir/junk3.ppm"); + } elsif ($i <= 20) { + my $n = $spline10[$i-10]; +- system("ppmmix $n junk1a$$.ppm junk2a$$.ppm >junk3$$.ppm"); ++ system("ppmmix $n $tmpdir/junk1a.ppm $tmpdir/junk2a.ppm >$tmpdir/junk3.ppm"); + } else { + my $n = 1 - 1.9*$spline20[31-$i]; +- system("pnmscale $n junk2$$.ppm | " . +- "pnmscale -width $width -height $height >junk3$$.ppm"); ++ system("pnmscale $n $tmpdir/junk2.ppm | " . ++ "pnmscale -width $width -height $height >$tmpdir/junk3.ppm"); + } + if ($i == 10) { +- system("cp", "junk3$$.ppm", "junk1a$$.ppm"); +- system("pnmscale $n junk2$$.ppm | " . +- "pnmscale -width $width -height $height >junk2a$$.ppm"); ++ system("cp", "$tmpdir/junk3.ppm", "$tmpdir/junk1a.ppm"); ++ system("pnmscale $n $tmpdir/junk2.ppm | " . ++ "pnmscale -width $width -height $height >$tmpdir/junk2a.ppm"); + } + } elsif ($mode eq $MIX) { + my $fade_factor = sqrt(1/($nframes-$i+1)); +- system("ppmmix $fade_factor junk1$$.ppm junk2$$.ppm >junk3$$.ppm"); ++ system("ppmmix $fade_factor $tmpdir/junk1.ppm $tmpdir/junk2.ppm >$tmpdir/junk3.ppm"); + } else { + print("Internal error: impossible mode value '$mode'\n"); + } + + my $outfile = sprintf("%s.%04d.ppm", $base_name, $i); +- system("cp", "junk3$$.ppm", $outfile); ++ system("cp", "$tmpdir/junk3.ppm", $outfile); + } + + # + # Clean up shop. + # +-system("rm junk*$$.ppm"); ++#system("rm $tmpdir/junk*.ppm"); ++# As the temporary files are automatically deleted, nothing is needed for ++# cleanup any more. + + exit(0); + Index: netpbm10.patch =================================================================== RCS file: /cvsroot/fink/dists/10.4/unstable/main/finkinfo/graphics/netpbm10.patch,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- netpbm10.patch 20 Jan 2006 20:26:46 -0000 1.1 +++ netpbm10.patch 29 Aug 2007 15:02:50 -0000 1.2 @@ -53,3 +53,56 @@ } +--- netpbm-10.25/converter/other/pstopnm.c.CAN-2005-2471 2004-06-23 04:22:33.000000000 +0200 ++++ netpbm-10.25/converter/other/pstopnm.c 2005-08-09 08:41:42.000000000 +0200 +@@ -702,13 +702,13 @@ + + if (verbose) { + pm_message("execing '%s' with args '%s' (arg 0), " +- "'%s', '%s', '%s', '%s', '%s', '%s', '%s'", ++ "'%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s'", + ghostscriptProg, arg0, +- deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-"); ++ deviceopt, outfileopt, gopt, ropt, "-q", "-dNOPAUSE", "-dPARANOIDSAFER", "-"); + } + + execl(ghostscriptProg, arg0, deviceopt, outfileopt, gopt, ropt, "-q", +- "-dNOPAUSE", "-", NULL); ++ "-dNOPAUSE", "-dPARANOIDSAFER", "-", NULL); + + pm_error("execl() of Ghostscript ('%s') failed, errno=%d (%s)", + ghostscriptProg, errno, strerror(errno)); +--- netpbm-10.26.12/converter/other/pnmtopng.c.pnmtopng 2004-08-28 04:53:12.000000000 +0200 ++++ netpbm-10.26.12/converter/other/pnmtopng.c 2005-09-16 14:17:47.129390456 +0200 +@@ -159,7 +159,7 @@ + unsigned int * const bestMatchP) { + + unsigned int paletteIndex; +- unsigned int bestIndex; ++ unsigned int bestIndex = 0; + unsigned int bestMatch; + + bestMatch = UINT_MAX; +@@ -1566,7 +1566,7 @@ + /* The color part of the color/alpha palette passed to the PNG + compressor + */ +- unsigned int palette_size; ++ unsigned int palette_size = MAXCOLORS; + + gray trans_pnm[MAXCOLORS]; + png_byte trans[MAXCOLORS]; +--- netpbm-10.26.12/converter/other/pnmtopng.c ++++ netpbm-10.26.12/converter/other/pnmtopng.c +@@ -913,9 +913,9 @@ + colorhist_vector chv; + unsigned int colors; + +- gray *alphas_of_color[MAXPALETTEENTRIES]; ++ gray *alphas_of_color[MAXPALETTEENTRIES + 1]; + unsigned int alphas_first_index[MAXPALETTEENTRIES]; +- unsigned int alphas_of_color_cnt[MAXPALETTEENTRIES]; ++ unsigned int alphas_of_color_cnt[MAXPALETTEENTRIES + 1]; + + getChv(ifP, imagepos, cols, rows, maxval, format, MAXCOLORS, + &chv, &colors); Index: netpbm10.info =================================================================== RCS file: /cvsroot/fink/dists/10.4/unstable/main/finkinfo/graphics/netpbm10.info,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- netpbm10.info 14 Feb 2007 18:40:08 -0000 1.4 +++ netpbm10.info 29 Aug 2007 15:02:50 -0000 1.5 @@ -1,6 +1,6 @@ Package: netpbm10 Version: 10.26.39 -Revision: 2 +Revision: 3 BuildDepends: libjpeg, libpng3, libtiff, fink (>= 0.24.12-1) Depends: %N-shlibs (= %v-%r) Replaces: netpbm @@ -12,7 +12,7 @@ NoSetLDFLAGS: true SetLIBRARY_PATH: %p/lib PatchFile: %n.patch -PatchFile-MD5: e20b75f3b47c775bc7b915e1fc30fc98 +PatchFile-MD5: 8729d202e76346cbcbab26917f5b7cf3 PatchScript: << sed 's|@PREFIX@|%p|g' < %{PatchFile} | patch -p1 cat Makefile.config.in Makefile.config.fink >Makefile.config @@ -47,6 +47,11 @@ Hopefully this does not break latex2html. Patches for gcc 4.0 compatibility thanks to Matt Sachs. + + Security patches thanks to Tomoaki Okayama: + CVE-2005-2471: netpbm-10.25-CAN-2005-2471.patch (from RedHat) + CVE-2005-2978: netpbm-10.26.12-pnmtopng-CAN-2005-2978.patch (from SUSE) + CVE-2005-3662: netpbm-10.26.12-pnmtopng-overflow.patch (from SUSE) << License: OSI-Approved Homepage: http://netpbm.sourceforge.net Index: libtiff.patch =================================================================== RCS file: /cvsroot/fink/dists/10.4/unstable/main/finkinfo/graphics/libtiff.patch,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- libtiff.patch 2 Aug 2006 18:52:54 -0000 1.2 +++ libtiff.patch 29 Aug 2007 15:02:50 -0000 1.3 @@ -9,3 +9,706 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +diff -ruN tiff-3.7.4-old/tools/tiff2pdf.c tiff-3.7.4/tools/tiff2pdf.c +--- tiff-3.7.4-old/tools/tiff2pdf.c 2005-06-23 15:30:28.000000000 +0200 ++++ tiff-3.7.4/tools/tiff2pdf.c 2006-06-02 18:15:11.000000000 +0200 +@@ -3758,7 +3758,7 @@ + written += TIFFWriteFile(output, (tdata_t) "(", 1); + for (i=0;i<len;i++){ + if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){ +- sprintf(buffer, "\\%.3o", pdfstr[i]); ++ sprintf(buffer, "\\%.3hho", pdfstr[i]); + written += TIFFWriteFile(output, (tdata_t) buffer, 4); + } else { + switch (pdfstr[i]){ + +diff -ruN tiff-3.7.4-old/tools/tiffsplit.c tiff-3.7.4/tools/tiffsplit.c +--- tiff-3.7.4-old/tools/tiffsplit.c 2005-05-26 20:38:48.000000000 +0200 ++++ tiff-3.7.4/tools/tiffsplit.c 2006-06-01 16:00:11.000000000 +0200 +@@ -60,14 +60,13 @@ + return (-3); + } + if (argc > 2) +- strcpy(fname, argv[2]); ++ snprintf(fname, sizeof(fname), "%s", argv[2]); + in = TIFFOpen(argv[1], "r"); + if (in != NULL) { + do { + char path[1024+1]; + newfilename(); +- strcpy(path, fname); +- strcat(path, ".tif"); ++ snprintf(path, sizeof(path), "%s.tif", fname); + out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); + if (out == NULL) + return (-2); + +diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c +--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 +@@ -122,6 +122,7 @@ + { + static const char module[] = "_TIFFVSetField"; + ++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; +@@ -195,10 +196,12 @@ + break; + case TIFFTAG_ORIENTATION: + v = va_arg(ap, uint32); ++ const TIFFFieldInfo* fip; + if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { ++ fip = _TIFFFieldWithTag(tif, tag); + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "Bad value %lu for \"%s\" tag ignored", +- v, _TIFFFieldWithTag(tif, tag)->field_name); ++ v, fip ? fip->field_name : "Unknown"); + } else + td->td_orientation = (uint16) v; + break; +@@ -387,11 +390,15 @@ + * happens, for example, when tiffcp is used to convert between + * compression schemes and codec-specific tags are blindly copied. + */ ++ /* ++ * better not dereference fip if it is NULL. ++ * -- [EMAIL PROTECTED] 15 Jun 2006 ++ */ + if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + status = 0; + break; + } +@@ -468,7 +475,7 @@ + if (fip->field_type == TIFF_ASCII) + _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); + else { +- tv->value = _TIFFmalloc(tv_size * tv->count); ++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); + if (!tv->value) { + status = 0; + goto end; +@@ -563,7 +570,7 @@ + } + } + if (status) { +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ TIFFSetFieldBit(tif, fip->field_bit); + tif->tif_flags |= TIFF_DIRTYDIRECT; + } + +@@ -572,12 +579,12 @@ + return (status); + badvalue: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", +- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + badvalue32: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", +- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + } +@@ -813,12 +820,16 @@ + * If the client tries to get a tag that is not valid + * for the image's codec then we'll arrive here. + */ ++ /* ++ * dont dereference fip if it's NULL. ++ * -- [EMAIL PROTECTED] 15 Jun 2006 ++ */ + if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) + { + TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + ret_val = 0; + break; + } +diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c +--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 +@@ -775,7 +775,8 @@ + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", + "Internal error, unknown tag 0x%x", + (unsigned int) tag); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +@@ -789,7 +790,8 @@ + if (!fip) { + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", + "Internal error, unknown tag %s", field_name); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c +--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 +@@ -29,6 +29,9 @@ + * + * Directory Read Support Routines. + */ ++ ++#include <limits.h> ++ + #include "tiffiop.h" + + #define IGNORE 0 /* tag placeholder used below */ +@@ -81,6 +84,7 @@ + uint16 dircount; + toff_t nextdiroff; + int diroutoforderwarning = 0; ++ int compressionknown = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -147,13 +151,20 @@ + } else { + toff_t off = tif->tif_diroff; + +- if (off + sizeof (uint16) > tif->tif_size) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "%s: Can not read TIFF directory count", +- tif->tif_name); +- return (0); ++ /* ++ * Check for integer overflow when validating the dir_off, otherwise ++ * a very high offset may cause an OOB read and crash the client. ++ * -- [EMAIL PROTECTED], 14 Jun 2006. ++ */ ++ if (off + sizeof (uint16) > tif->tif_size || ++ off > (UINT_MAX - sizeof(uint16))) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Can not read TIFF directory count", ++ tif->tif_name); ++ return (0); + } else +- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); ++ _TIFFmemcpy(&dircount, tif->tif_base + off, ++ sizeof (uint16)); + off += sizeof (uint16); + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabShort(&dircount); +@@ -254,6 +265,7 @@ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; ++ + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { + +@@ -264,17 +276,23 @@ + dp->tdir_tag, + dp->tdir_tag, + dp->tdir_type); +- +- TIFFMergeFieldInfo(tif, +- _TIFFCreateAnonFieldInfo(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1 ); ++ /* ++ * creating anonymous fields prior to knowing the compression ++ * algorithm (ie, when the field info has been merged) could cause ++ * crashes with pathological directories. ++ * -- [EMAIL PROTECTED] 15 Jun 2006 ++ */ ++ if (compressionknown) ++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), 1 ); ++ else goto ignore; ++ + fix = 0; + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; + } ++ + /* + * Null out old tags that we ignore. + */ +@@ -326,6 +344,7 @@ + dp->tdir_type, dp->tdir_offset); + if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) + goto bad; ++ else compressionknown++; + break; + /* XXX: workaround for broken TIFFs */ + } else if (dp->tdir_type == TIFF_LONG) { +@@ -540,6 +559,7 @@ + * Attempt to deal with a missing StripByteCounts tag. + */ + if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * Some manufacturers violate the spec by not giving + * the size of the strips. In this case, assume there +@@ -556,7 +576,7 @@ + "%s: TIFF directory is missing required " + "\"%s\" field, calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + /* +@@ -580,6 +600,7 @@ + } else if (td->td_nstrips == 1 + && td->td_stripoffset[0] != 0 + && BYTECOUNTLOOKSBAD) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Plexus (and others) sometimes give a value of zero for + * a tag when they don't know what the correct value is! Try +@@ -589,13 +610,14 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if(EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } else if (td->td_planarconfig == PLANARCONFIG_CONTIG + && td->td_nstrips > 2 + && td->td_compression == COMPRESSION_NONE + && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Some vendors fill StripByteCount array with absolutely + * wrong values (it can be equal to StripOffset array, for +@@ -604,7 +626,7 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } +@@ -870,7 +892,13 @@ + + register TIFFDirEntry *dp; + register TIFFDirectory *td = &tif->tif_dir; +- uint16 i; ++ ++ /* i is used to iterate over td->td_nstrips, so must be ++ * at least the same width. ++ * -- [EMAIL PROTECTED] 15 Jun 2006 ++ */ ++ ++ uint32 i; + + if (td->td_stripbytecount) + _TIFFfree(td->td_stripbytecount); +@@ -947,16 +975,18 @@ + static int + CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) + { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ + if (count > dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (0); + } else if (count < dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (1); + } +@@ -970,6 +1000,7 @@ + TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) + { + int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + tsize_t cc = dir->tdir_count * w; + + /* Check for overflow. */ +@@ -1013,7 +1044,7 @@ + bad: + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Error fetching data for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + return (tsize_t) 0; + } + +@@ -1039,10 +1070,12 @@ + static int + cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) + { ++ const TIFFFieldInfo* fip; + if (denom == 0) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s: Rational with zero denominator (num = %lu)", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); ++ fip ? fip->field_name : "Unknown", num); + return (0); + } else { + if (dir->tdir_type == TIFF_RATIONAL) +@@ -1159,6 +1192,20 @@ + static int + TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) + { ++ /* ++ * Prevent overflowing the v stack arrays below by performing a sanity ++ * check on tdir_count, this should never be greater than two. ++ * -- [EMAIL PROTECTED] 14 Jun 2006. ++ */ ++ if (dir->tdir_count > 2) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, ++ "unexpected count for field \"%s\", %lu, expected 2; ignored.", ++ fip ? fip->field_name : "Unknown", ++ dir->tdir_count); ++ return 0; ++ } ++ + switch (dir->tdir_type) { + case TIFF_BYTE: + case TIFF_SBYTE: +@@ -1329,14 +1376,15 @@ + case TIFF_DOUBLE: + return (TIFFFetchDoubleArray(tif, dir, (double*) v)); + default: ++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + /* TIFF_NOTYPE */ + /* TIFF_ASCII */ + /* TIFF_UNDEFINED */ + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "cannot read TIFF_ANY type %d for field \"%s\"", + dir->tdir_type, +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); +- return (0); ++ fip ? fip->field_name : "Unknown"); ++ return (0); } + } + return (1); + } +@@ -1351,6 +1399,9 @@ + int ok = 0; + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); + ++ if (fip == NULL) { ++ return (0); ++ } + if (dp->tdir_count > 1) { /* array of values */ + char* cp = NULL; + +@@ -1493,6 +1544,7 @@ + TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1510,9 +1562,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1534,6 +1587,7 @@ + TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1551,9 +1605,10 @@ + check_count = samples; + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1574,6 +1629,7 @@ + TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1591,9 +1647,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c +--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 +@@ -1136,6 +1136,7 @@ + Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) + { + Fax3BaseState* sp = Fax3State(tif); ++ const TIFFFieldInfo* fip; + + assert(sp != 0); + assert(sp->vsetparent != 0); +@@ -1181,7 +1182,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c +--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 +@@ -722,15 +722,31 @@ + segment_width = TIFFhowmany(segment_width, sp->h_sampling); + segment_height = TIFFhowmany(segment_height, sp->v_sampling); + } +- if (sp->cinfo.d.image_width != segment_width || +- sp->cinfo.d.image_height != segment_height) { ++ if (sp->cinfo.d.image_width < segment_width || ++ sp->cinfo.d.image_height < segment_height) { + TIFFWarningExt(tif->tif_clientdata, module, + "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", + segment_width, + segment_height, + sp->cinfo.d.image_width, + sp->cinfo.d.image_height); ++ } ++ ++ if (sp->cinfo.d.image_width > segment_width || ++ sp->cinfo.d.image_height > segment_height) { ++ /* ++ * This case could be dangerous, if the strip or tile size has been ++ * reported as less than the amount of data jpeg will return, some ++ * potential security issues arise. Catch this case and error out. ++ * -- [EMAIL PROTECTED] 14 Jun 2006 ++ */ ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "JPEG strip/tile size exceeds expected dimensions," ++ "expected %dx%d, got %dx%d", segment_width, segment_height, ++ sp->cinfo.d.image_width, sp->cinfo.d.image_height); ++ return (0); + } ++ + if (sp->cinfo.d.num_components != + (td->td_planarconfig == PLANARCONFIG_CONTIG ? + td->td_samplesperpixel : 1)) { +@@ -761,6 +777,22 @@ + sp->cinfo.d.comp_info[0].v_samp_factor, + sp->h_sampling, sp->v_sampling); + ++ /* ++ * There are potential security issues here for decoders that ++ * have already allocated buffers based on the expected sampling ++ * factors. Lets check the sampling factors dont exceed what ++ * we were expecting. ++ * -- [EMAIL PROTECTED] 14 June 2006 ++ */ ++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || ++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot honour JPEG sampling factors that" ++ " exceed those specified."); ++ return (0); ++ } ++ ++ + /* + * XXX: Files written by the Intergraph software + * has different sampling factors stored in the +@@ -1521,15 +1553,18 @@ + { + JPEGState *sp = JState(tif); + +- assert(sp != 0); ++ /* assert(sp != 0); */ + + tif->tif_tagmethods.vgetfield = sp->vgetparent; + tif->tif_tagmethods.vsetfield = sp->vsetparent; + +- if( sp->cinfo_initialized ) +- TIFFjpeg_destroy(sp); /* release libjpeg resources */ +- if (sp->jpegtables) /* tag value */ +- _TIFFfree(sp->jpegtables); ++ if (sp != NULL) { ++ if( sp->cinfo_initialized ) ++ TIFFjpeg_destroy(sp); /* release libjpeg resources */ ++ if (sp->jpegtables) /* tag value */ ++ _TIFFfree(sp->jpegtables); ++ } ++ + _TIFFfree(tif->tif_data); /* release local state */ + tif->tif_data = NULL; + +@@ -1541,6 +1576,7 @@ + { + JPEGState* sp = JState(tif); + TIFFDirectory* td = &tif->tif_dir; ++ const TIFFFieldInfo* fip; + uint32 v32; + + assert(sp != NULL); +@@ -1606,7 +1642,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +@@ -1726,7 +1768,11 @@ + { + JPEGState* sp = JState(tif); + +- assert(sp != NULL); ++ /* assert(sp != NULL); */ ++ if (sp == NULL) { ++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); ++ return; ++ } + + (void) flags; + if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) +diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c +--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 +@@ -105,11 +105,16 @@ + * as codes of the form <color><npixels> + * until we've filled the scanline. + */ ++ /* ++ * Ensure the run does not exceed the scanline ++ * bounds, potentially resulting in a security issue. ++ * -- [EMAIL PROTECTED] 14 Jun 2006. ++ */ + op = row; + for (;;) { + grey = (n>>6) & 0x3; + n &= 0x3f; +- while (n-- > 0) ++ while (n-- > 0 && npixels < imagewidth) + SETPIXEL(op, grey); + if (npixels >= (int) imagewidth) + break; +diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c +--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 +@@ -768,7 +768,19 @@ + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabArrayOfShort(up, nsamples); + +- for (i = 0; i < nsamples; i += llen, up += llen) { ++ /* ++ * if llen is not an exact multiple of nsamples, the decode operation ++ * may overflow the output buffer, so truncate it enough to prevent that ++ * but still salvage as much data as possible. ++ * -- [EMAIL PROTECTED] 14th June 2006 ++ */ ++ if (nsamples % llen) ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "%s: stride %lu is not a multiple of sample count, " ++ "%lu, data truncated.", tif->tif_name, llen, nsamples); ++ ++ ++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { + switch (sp->user_datafmt) { + case PIXARLOGDATAFMT_FLOAT: + horizontalAccumulateF(up, llen, sp->stride, +diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c +--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 +@@ -31,6 +31,8 @@ + #include "tiffiop.h" + #include <stdio.h> + ++#include <limits.h> ++ + int TIFFFillStrip(TIFF*, tstrip_t); + int TIFFFillTile(TIFF*, ttile_t); + static int TIFFStartStrip(TIFF*, tstrip_t); +@@ -272,7 +274,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { ++ /* ++ * This sanity check could potentially overflow, causing an OOB read. ++ * verify that offset + bytecount is > offset. ++ * -- [EMAIL PROTECTED] 14 Jun 2006 ++ */ ++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { + /* + * This error message might seem strange, but it's + * what would happen if a read were done instead. +@@ -470,7 +478,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { ++ /* ++ * We must check this calculation doesnt overflow, potentially ++ * causing an OOB read. ++ * -- [EMAIL PROTECTED] 15 Jun 2006 ++ */ ++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { + tif->tif_curtile = NOTILE; + return (0); + } Index: libtiff.info =================================================================== RCS file: /cvsroot/fink/dists/10.4/unstable/main/finkinfo/graphics/libtiff.info,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- libtiff.info 5 Sep 2006 04:42:20 -0000 1.4 +++ libtiff.info 29 Aug 2007 15:02:50 -0000 1.5 @@ -1,11 +1,12 @@ Package: libtiff Version: 3.8.2 -Revision: 1001 +Revision: 1002 Depends: %N-shlibs (= %v-%r), %N-bin -BuildDepends: libjpeg (>= 6b-3), fink (>= 0.9.9) +BuildDepends: libjpeg (>= 6b-3), fink (>= 0.24.12) Source: ftp://ftp.remotesensing.org/libtiff/tiff-%v.tar.gz Source-MD5: fbb6f446ea4ed18955e2714934e5b698 -Patch: %n.patch +PatchFile: %n.patch +PatchFile-MD5: 8939f6447c55b85b060f4a3525bd54d3 NoSetMAKEFLAGS: true SetMAKEFLAGS: -j1 ConfigureParams: --mandir='${prefix}/share/man' --disable-dependency-tracking @@ -56,6 +57,11 @@ symbol in the new build system. Previous versions by Christoph Pfisterer. + + Security patches thanks to Tomoaki Okayama: + CVE-2006-2193: debian/patches/tiff2pdf-octal-printf.patch + CVE-2006-2656: debian/patches/tiffsplit-fname-overflow.patch + CVE-2006-3459-3465: debian/patches/CVE-2006-3459-3465.patch << License: BSD Homepage: http://remotesensing.org/libtiff/ Index: netpbm.info =================================================================== RCS file: /cvsroot/fink/dists/10.4/unstable/main/finkinfo/graphics/netpbm.info,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- netpbm.info 5 Sep 2006 04:42:20 -0000 1.2 +++ netpbm.info 29 Aug 2007 15:02:50 -0000 1.3 @@ -1,14 +1,15 @@ Package: netpbm Version: 9.25 -Revision: 14 -BuildDepends: libjpeg, libpng3, libtiff +Revision: 15 +BuildDepends: libjpeg, libpng3, libtiff, fink (>= 0.24.12) Depends: %N-shlibs (= %v-%r), %N-bin Replaces: netpbm (<< 9.25-1), netpbm10 Conflicts: netpbm10 BuildDependsOnly: True Source: mirror:sourceforge:%n/%n-%v.tgz Source-MD5: cb8036f3649c93cf51ee377971ddbf1c -Patch: %n.patch +PatchFile: %n.patch +PatchFile-MD5: 741be205daf067a1917c44662e64c9b6 NoSetMAKEFLAGS: true SetMAKEFLAGS: -j1 CompileScript: << @@ -42,6 +43,13 @@ Description: Graphics manipulation programs and libraries DescPort: << Patches for gcc 4.0 compatibility thanks to Matt Sachs. + + Security patches thanks to Tomoaki Okayama: + CVE-2003-0924: netpbm-9.24-debiansecurity.patch (from Turbo) + CVE-2005-2471: netpbm-9.24-CAN-2005-2471.patch (from RedHat) + CVE-2005-3632: netpbm-9.24-CVE-2005-3632.diff (from RedHat) + CVE-2005-3662: netpbm-9.24-CVE-2005-3662.patch (from RedHat) + I modified netpbm-9.24-CVE-2005-3632.diff a little for avoiding conflicts. << License: OSI-Approved Homepage: http://netpbm.sourceforge.net ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ Fink-commits mailing list Fink-commits@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fink-commits