Hello community,
here is the log from the commit of package tiff for openSUSE:Factory checked in
at 2018-06-08 23:19:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tiff (Old)
and /work/SRC/openSUSE:Factory/.tiff.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff"
Fri Jun 8 23:19:57 2018 rev:73 rq:614266 version:4.0.9
Changes:
--------
--- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2018-05-19
15:41:51.451963956 +0200
+++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2018-06-08
23:20:01.558180325 +0200
@@ -1,0 +2,21 @@
+Tue Jun 5 12:21:02 UTC 2018 - pgaj...@suse.com
+
+- security update
+ * CVE-2018-8905 [bsc#1086408]
+ + tiff-CVE-2018-8905.patch
+
+-------------------------------------------------------------------
+Mon Jun 4 15:12:15 UTC 2018 - pgaj...@suse.com
+
+- security update
+ * CVE-2017-11613 [bsc#1082332]
+ + tiff-CVE-2017-11613.patch
+
+-------------------------------------------------------------------
+Mon Jun 4 12:55:54 UTC 2018 - pgaj...@suse.com
+
+- security update
+ * CVE-2018-7456 [bsc#1082825]
+ + tiff-CVE-2018-7456.patch
+
+-------------------------------------------------------------------
New:
----
tiff-CVE-2017-11613.patch
tiff-CVE-2018-7456.patch
tiff-CVE-2018-8905.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tiff.spec ++++++
--- /var/tmp/diff_new_pack.wIZ8C9/_old 2018-06-08 23:20:02.802135387 +0200
+++ /var/tmp/diff_new_pack.wIZ8C9/_new 2018-06-08 23:20:02.806135242 +0200
@@ -34,6 +34,9 @@
Patch3: tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
Patch4: tiff-CVE-2018-10963.patch
Patch5: tiff-CVE-2017-18013.patch
+Patch6: tiff-CVE-2018-7456.patch
+Patch7: tiff-CVE-2017-11613.patch
+Patch8: tiff-CVE-2018-8905.patch
BuildRequires: gcc-c++
BuildRequires: libjpeg-devel
@@ -101,6 +104,9 @@
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
%build
CFLAGS="%{optflags} -fPIE"
++++++ tiff-CVE-2017-11613.patch ++++++
Index: tiff-4.0.9/libtiff/tif_dirread.c
===================================================================
--- tiff-4.0.9.orig/libtiff/tif_dirread.c 2018-06-04 16:49:48.940452546
+0200
+++ tiff-4.0.9/libtiff/tif_dirread.c 2018-06-04 16:50:18.572859131 +0200
@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
if( nstrips == 0 )
return;
+ /* If we are going to allocate a lot of memory, make sure that the */
+ /* file is as big as needed */
+ if( tif->tif_mode == O_RDONLY &&
+ nstrips > 1000000 &&
+ (offset >= TIFFGetFileSize(tif) ||
+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
+ {
+ return;
+ }
+
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
++++++ tiff-CVE-2018-7456.patch ++++++
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 6baa7b3..af5b84a 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry*
dir, uint32 nstrips, uin
static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
static void ChopUpSingleUncompressedStrip(TIFF*);
static uint64 TIFFReadUInt64(const uint8 *value);
+static int _TIFFGetMaxColorChannels(uint16 photometric);
static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum
TIFFReadDirEntryErr err, c
}
/*
+ * Return the maximum number of color channels specified for a given
photometric
+ * type. 0 is returned if photometric type isn't supported or no default value
+ * is defined by the specification.
+ */
+static int _TIFFGetMaxColorChannels( uint16 photometric )
+{
+ switch (photometric) {
+ case PHOTOMETRIC_PALETTE:
+ case PHOTOMETRIC_MINISWHITE:
+ case PHOTOMETRIC_MINISBLACK:
+ return 1;
+ case PHOTOMETRIC_YCBCR:
+ case PHOTOMETRIC_RGB:
+ case PHOTOMETRIC_CIELAB:
+ return 3;
+ case PHOTOMETRIC_SEPARATED:
+ case PHOTOMETRIC_MASK:
+ return 4;
+ case PHOTOMETRIC_LOGL:
+ case PHOTOMETRIC_LOGLUV:
+ case PHOTOMETRIC_CFA:
+ case PHOTOMETRIC_ITULAB:
+ case PHOTOMETRIC_ICCLAB:
+ default:
+ return 0;
+ }
+}
+
+/*
* Read the next TIFF directory from a file and convert it to the internal
* format. We read directories sequentially.
*/
@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
uint32 fii=FAILED_FII;
toff_t nextdiroff;
int bitspersample_read = FALSE;
+ int color_channels;
tif->tif_diroff=tif->tif_nextdiroff;
if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
}
}
}
+
+ /*
+ * Make sure all non-color channels are extrasamples.
+ * If it's not the case, define them as such.
+ */
+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
+ if (color_channels && tif->tif_dir.td_samplesperpixel -
tif->tif_dir.td_extrasamples > color_channels) {
+ uint16 old_extrasamples;
+ uint16 *new_sampleinfo;
+
+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric
type-related "
+ "color channels and ExtraSamples doesn't match
SamplesPerPixel. "
+ "Defining non-color channels as ExtraSamples.");
+
+ old_extrasamples = tif->tif_dir.td_extrasamples;
+ tif->tif_dir.td_extrasamples =
(tif->tif_dir.td_samplesperpixel - color_channels);
+
+ // sampleinfo should contain information relative to these new
extra samples
+ new_sampleinfo = (uint16*)
_TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
+ if (!new_sampleinfo) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to
allocate memory for "
+ "temporary new sampleinfo array (%d 16 bit
elements)",
+ tif->tif_dir.td_extrasamples);
+ goto bad;
+ }
+
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo,
old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo,
new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
+
/*
* Verify Palette image has a Colormap.
*/
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 8deceb2..1d86adb 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
uint16 i;
fprintf(fd, " %2ld: %5u",
l, td->td_transferfunction[0][l]);
- for (i = 1; i < td->td_samplesperpixel; i++)
+ for (i = 1; i < td->td_samplesperpixel -
td->td_extrasamples && i < 3; i++)
fprintf(fd, " %5u",
td->td_transferfunction[i][l]);
fputc('\n', fd);
++++++ tiff-CVE-2018-8905.patch ++++++
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index 4ccb443..94d85e3 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0,
uint16 s)
char *tp;
unsigned char *bp;
int code, nbits;
+ int len;
long nextbits, nextdata, nbitsmask;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0,
uint16 s)
} while (--occ);
break;
}
- assert(occ >= codep->length);
- op += codep->length;
- occ -= codep->length;
- tp = op;
+ len = codep->length;
+ tp = op + len;
do {
- *--tp = codep->value;
- } while( (codep = codep->next) != NULL );
+ int t;
+ --tp;
+ t = codep->value;
+ codep = codep->next;
+ *tp = (char)t;
+ } while (codep && tp > op);
+ assert(occ >= len);
+ op += len;
+ occ -= len;
} else {
*op++ = (char)code;
occ--;
