Hello community, here is the log from the commit of package tiff for openSUSE:11.4 checked in at Fri Apr 15 17:04:48 CEST 2011.
-------- --- old-versions/11.4/UPDATES/all/tiff/tiff.changes 2011-03-31 23:08:09.000000000 +0200 +++ 11.4/tiff/tiff.changes 2011-04-14 16:49:07.000000000 +0200 @@ -1,0 +2,7 @@ +Thu Apr 14 16:45:19 CEST 2011 - pgaj...@suse.cz + +- fixed following vulnerabilities: + * integer overflow CVE-2010-4665 [bnc#687442] + * buffer overflow CVE-2009-5022 [bnc#687441] + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- tiff-3.9.4-CVE-2009-5022.patch tiff-3.9.4-CVE-2010-4665.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.TVTVNS/_old 2011-04-15 17:04:36.000000000 +0200 +++ /var/tmp/diff_new_pack.TVTVNS/_new 2011-04-15 17:04:36.000000000 +0200 @@ -29,7 +29,7 @@ # Url: http://www.remotesensing.org/libtiff/ Version: 3.9.4 -Release: 3.<RELEASE5> +Release: 3.<RELEASE7> Summary: Tools for Converting from and to the Tiff Format Source: tiff-%{version}.tar.bz2 Source2: README.SUSE @@ -42,6 +42,8 @@ Patch9: tiff-%{version}-dont-fancy-upsampling.patch Patch10: tiff-%{version}-CVE-2011-0192.patch Patch11: tiff-%{version}-CVE-2011-1167.patch +Patch12: tiff-3.9.4-CVE-2010-4665.patch +Patch13: tiff-3.9.4-CVE-2009-5022.patch # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch @@ -109,6 +111,8 @@ %patch9 -p1 %patch10 %patch11 +%patch12 +%patch13 find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 ++++++ tiff-3.9.4-CVE-2009-5022.patch ++++++ http://bugzilla.maptools.org/show_bug.cgi?id=1999#c2 and diff between 3.9.5 and 3.9.4 Index: tiff-3.9.4/libtiff/tif_ojpeg.c =================================================================== --- libtiff/tif_ojpeg.c +++ libtiff/tif_ojpeg.c 
@@ -1555,6 +1555,11 @@ OJPEGReadHeaderInfoSecStreamSof(TIFF* ti TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width"); return(0); } + if ((uint32)p>sp->strile_width) + { + TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width"); + return(0); + } sp->sof_x=p; } /* Nf: Number of image components in frame */ ++++++ tiff-3.9.4-CVE-2010-4665.patch ++++++ http://bugzilla.maptools.org/attachment.cgi?id=398 Make tiffdump more paranoid about checking the count field of a directory entry. diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c --- tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400 +++ tools/tiffdump.c 2010-06-22 12:51:42.207932477 -0400 @@ -46,6 +46,7 @@ # include <io.h> #endif +#include "tiffiop.h" #include "tiffio.h" #ifndef O_BINARY @@ -317,7 +318,7 @@ printf(">\n"); continue; } - space = dp->tdir_count * datawidth[dp->tdir_type]; + space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]); if (space <= 0) { printf(">\n"); Error("Invalid count for tag %u", dp->tdir_tag); @@ -709,7 +710,7 @@ w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0); cc = dir->tdir_count * w; if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1 - && read(fd, cp, cc) != -1) { + && read(fd, cp, cc) == cc) { if (swabflag) { switch (dir->tdir_type) { case TIFF_SHORT: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
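Review bot: In the tiff.spec hunk at @@ -42,6 +42,8 @@, Patch12 and Patch13 hard-code 3.9.4 in the file name while Patch9 to Patch11 directly above use tiff-%{version}-... Writing them as tiff-%{version}-CVE-2010-4665.patch and tiff-%{version}-CVE-2009-5022.patch keeps the list consistent and lets the names follow the Version: tag like their neighbours.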
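Review bot: In tiff-3.9.4-CVE-2009-5022.patch, the check added in OJPEGReadHeaderInfoSecStreamSof ahead of sp->sof_x=p puts an upper bound on the width only, and the patch header carries nothing but a bug URL and "diff between 3.9.5 and 3.9.4". Please add a line to the header saying what a width larger than sp->strile_width overruns, and, if the height is taken from the JPEG stream in the same way, either bound it the same way or state why the width alone is sufficient.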
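Review bot: In tiff-3.9.4-CVE-2010-4665.patch, the tools/tiffdump.c hunk at @@ -46,6 +46,7 @@ pulls libtiff's internal header tiffiop.h into a command-line tool with no explanation. From the rest of the patch it appears to be needed only for TIFFSafeMultiply, so a short comment on the include line saying that would tell the next maintainer why a tool depends on a library-private header and when the include can go.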
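Review bot: In the tools/tiffdump.c hunk at @@ -709,7 +710,7 @@, the context line cc = dir->tdir_count * w; is still an unchecked multiplication of a count taken from the file, so the new read(fd, cp, cc) == cc test compares against a value that may already have wrapped. The hunk at @@ -317,7 +318,7 @@ replaces the same pattern for space with TIFFSafeMultiply and rejects space <= 0; doing the same for cc, and bailing out before the lseek and read when the result is not positive, would close both sites consistently.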