Hello community, here is the log from the commit of package tiff for openSUSE:11.3 checked in at Fri Apr 1 10:48:24 CEST 2011.
--------
--- old-versions/11.3/UPDATES/all/tiff/tiff.changes 2011-03-03 09:29:00.000000000 +0100
+++ 11.3/tiff/tiff.changes 2011-03-31 23:07:33.000000000 +0200
@@ -1,0 +2,8 @@
+Thu Mar 31 10:33:24 CEST 2011 - pgaj...@suse.cz
+
+- fixed regression caused by previous update [bnc#682871]
+ * modified CVE-2011-0192.patch
+- fixed buffer overflow in thunder decoder [bnc#683337]
+ * added CVE-2011-1167.patch
+
+-------------------------------------------------------------------
calling whatdependson for 11.3-i586
New:
----
tiff-3.9.2-CVE-2011-1167.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tiff.spec ++++++
--- /var/tmp/diff_new_pack.V55Fxf/_old 2011-04-01 10:47:38.000000000 +0200
+++ /var/tmp/diff_new_pack.V55Fxf/_new 2011-04-01 10:47:38.000000000 +0200
@@ -29,7 +29,7 @@
 # Url: http://www.remotesensing.org/libtiff/
 Version: 3.9.2
-Release: 5.<RELEASE4>
+Release: 5.<RELEASE8>
 Summary: Tools for Converting from and to the Tiff Format
 Source: tiff-%{version}.tar.bz2
 Source2: README.SUSE
@@ -45,6 +45,7 @@
 Patch10: tiff-%{version}-dont-fancy-upsampling.patch
 Patch11: tiff-%{version}-CVE-2011-0192.patch
 Patch12: tiff-%{version}-CVE-2011-0191.patch
+Patch13: tiff-3.9.2-CVE-2011-1167.patch
 # FYI: this issue is solved another way
 # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1
 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch
@@ -115,6 +116,7 @@
 %patch10 -p1
 %patch11
 %patch12
+%patch13
 find -type d -name "CVS" | xargs rm -rfv
 find -type d | xargs chmod 755
++++++ tiff-3.9.2-CVE-2011-0192.patch ++++++
--- /var/tmp/diff_new_pack.V55Fxf/_old 2011-04-01 10:47:38.000000000 +0200
+++ /var/tmp/diff_new_pack.V55Fxf/_new 2011-04-01 10:47:38.000000000 +0200
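Review bot: In the tiff.spec hunk at `@@ -45,6 +45,7 @@`, the new entry `Patch13: tiff-3.9.2-CVE-2011-1167.patch` hard-codes the version, while the neighbouring Patch10 to Patch12 entries are written as `tiff-%{version}-…`. Writing it as `Patch13: tiff-%{version}-CVE-2011-1167.patch` keeps the security patches under one naming rule. In the `@@ -115,6 +116,7 @@` hunk, `%patch13` relies on the default strip level just as `%patch11` and `%patch12` do; a short comment saying these patches use paths relative to the source root would make that intent visible next to `%patch10 -p1`.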
@@ -1,15 +1,29 @@
-Index: libtiff/tif_fax3.h
-===================================================================
---- libtiff/tif_fax3.h.orig
-+++ libtiff/tif_fax3.h
-@@ -478,6 +478,10 @@ done1d: \
+Protect against a fax VL(n) codeword commanding a move left. Without
+this, a malicious input file can generate an indefinitely large series
+of runs without a0 ever reaching the right margin, thus overrunning
+our buffer of run lengths. Per CVE-2011-0192. This is a modified
+version of a patch proposed by Drew Yao of Apple Product Security.
+It adds an unexpected() report, and disallows the equality case except
+for the first run of a line, since emitting a run without increasing a0
+still allows buffer overrun. (We have to allow it for the first run to
+cover the case of encoding a zero-length run at start of line using VL.)
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2297
+
+diff -Naur libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
+--- libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400
++++ libtiff/tif_fax3.h 2011-03-10 12:11:20.850839162 -0500
+@@ -478,6 +478,12 @@
 break; \
 case S_VL: \
 CHECK_b1; \
-+ if (b1 <= (int) (a0 + TabEnt->Param)) { \
-+ unexpected("VL", a0); \
-+ goto eol2d; \
-+ } \
++ if (b1 <= (int) (a0 + TabEnt->Param)) { \
++ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \
++ unexpected("VL", a0); \
++ goto eol2d; \
++ } \
++ } \
 SETVALUE(b1 - a0 - TabEnt->Param); \
 b1 -= *--pb; \
 break; \
+
++++++ tiff-3.9.2-CVE-2011-1167.patch ++++++
Index: libtiff/tif_thunder.c
===================================================================
--- libtiff/tif_thunder.c.orig
+++ libtiff/tif_thunder.c
@@ -25,6 +25,7 @@
 */
 #include "tiffiop.h"
+#include <assert.h>
 #ifdef THUNDER_SUPPORT
 /*
 * TIFF Library.
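Review bot: The reworked `S_VL` guard in the nested `@@ -478,6 +478,12 @@` hunk has no comment saying why the equality case is tolerated only when `pa == thisrun`; that reasoning exists only in the patch header, which never reaches tif_fax3.h. This test is what keeps a0 advancing so the run-length buffer cannot be overrun, so a later edit that "simplifies" it back to a plain `<=` or `<` would reintroduce either the regression or the overrun. I would put a continuation-safe comment above the inner test, for example `/* b1 == a0 + Param is legal only for the first run of a line (zero-length run at start of line) */ \`. The enclosing macro starts and ends outside the hunk.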
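Review bot: `#include <assert.h>` is added in the `@@ -25,6 +25,7 @@` hunk of tif_thunder.c, but none of the hunks in this patch calls `assert()`, so the include looks unused. It is also placed above `#ifdef THUNDER_SUPPORT`, so it is pulled in even when the codec is compiled out. Either drop the line or move it inside the `#ifdef` together with the assertion it was meant for. If an assertion on the sample depth was intended, it should supplement the run-time check in `ThunderSetupDecode` rather than replace it, because `assert()` is compiled out under `NDEBUG`.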
@@ -55,12 +56,32 @@
 static const int twobitdeltas[4] = { 0, 1, 0, -1 };
 static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
-#define SETPIXEL(op, v) { \
- lastpixel = (v) & 0xf; \
- if (npixels++ & 1) \
- *op++ |= lastpixel; \
- else \
+#define SETPIXEL(op, v) { \
+ lastpixel = (v) & 0xf; \
+ if ( npixels < maxpixels ) \
+ { \
+ if (npixels++ & 1) \
+ *op++ |= lastpixel; \
+ else \
 op[0] = (tidataval_t) (lastpixel << 4); \
+ } \
+}
+
+static int
+ThunderSetupDecode(TIFF* tif)
+{
+ static const char module[] = "ThunderSetupDecode";
+
+ if( tif->tif_dir.td_bitspersample != 4 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
+ (int) tif->tif_dir.td_bitspersample );
+ return 0;
+ }
+
+
+ return (1);
 }
 static int
@@ -142,7 +163,8 @@ ThunderDecodeRow(TIFF* tif, tidata_t buf
 occ -= tif->tif_scanlinesize;
 row += tif->tif_scanlinesize;
 }
- return (1);
+
+ return (1);
 }
 int
@@ -151,6 +173,7 @@ TIFFInitThunderScan(TIFF* tif, int schem
 (void) scheme;
 tif->tif_decoderow = ThunderDecodeRow;
 tif->tif_decodestrip = ThunderDecodeRow;
+ tif->tif_setupdecode = ThunderSetupDecode;
 return (1);
 }
 #endif /* THUNDER_SUPPORT */
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
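Review bot: The new bound in `SETPIXEL` (hunk `@@ -55,12 +56,32 @@`) silently discards every pixel once `npixels` reaches `maxpixels`, and because `npixels++` now sits inside the guard the counter stops there too, so over-long delta data becomes indistinguishable from a row of exactly the right length. If the decoder compares `npixels` with `maxpixels` after its loop to report excess data (that code is outside this hunk, so this is an assumption to confirm), the report can no longer fire for pixels written through this macro. Guarding only the store and counting unconditionally would keep the overflow fix while leaving malformed input detectable: test `if (npixels & 1) \` inside the guard and add `npixels++; \` after its closing brace, after checking that the caller's loop still terminates. The macro also depends on `lastpixel`, `npixels` and `maxpixels` being in scope wherever it expands, which deserves a one-line comment above the `#define`.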