me/guix
Archived
1
0
Fork 0
Code Activity

gnu: libtiff: Update replacement to 4.0.7.

Browse source 
* gnu/packages/image.scm (libtiff)[replacement]: Update to 4.0.7.
(libtiff-4.0.7): New variable. Update home-page and source URLs.
(libtiff/fixed): Delete variable.
* gnu/packages/patches/libtiff-CVE-2016-5652.patch,
gnu/packages/patches/libtiff-CVE-2016-9273.patch,
gnu/packages/patches/libtiff-CVE-2016-9297.patch,
gnu/packages/patches/libtiff-CVE-2016-9448.patch,
gnu/packages/patches/libtiff-uint32-overflow.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
This commit is contained in:
Leo Famulari 2016-11-22 10:19:51 -05:00
parent d8e3bb082d
commit be72eb98fa
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
7 changed files with 10 additions and 300 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
gnu/local.mk
View file

@ -672,13 +672,8 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-CVE-2016-5314.patch \
%D%/packages/patches/libtiff-CVE-2016-5321.patch \
%D%/packages/patches/libtiff-CVE-2016-5323.patch \
%D%/packages/patches/libtiff-CVE-2016-5652.patch \
%D%/packages/patches/libtiff-CVE-2016-9273.patch \
%D%/packages/patches/libtiff-CVE-2016-9297.patch \
%D%/packages/patches/libtiff-CVE-2016-9448.patch \
%D%/packages/patches/libtiff-oob-accesses-in-decode.patch \
%D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
%D%/packages/patches/libtiff-uint32-overflow.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
%D%/packages/patches/libupnp-CVE-2016-6255.patch \

29
gnu/packages/image.scm
View file

@ -243,7 +243,7 @@ extracting icontainer icon files.")
(define-public libtiff
(package
(name "libtiff")
(replacement libtiff/fixed)
(replacement libtiff-4.0.7)
(version "4.0.6")
(source (origin
(method url-fetch)
@ -283,27 +283,18 @@ collection of tools for doing simple manipulations of TIFF images.")
"See COPYRIGHT in the distribution."))
(home-page "http://www.remotesensing.org/libtiff/")))
(define libtiff/fixed
(define libtiff-4.0.7
(package
(inherit libtiff)
(version "4.0.7")
(source (origin
(inherit (package-source libtiff))
(patches (search-patches
"libtiff-oob-accesses-in-decode.patch"
"libtiff-oob-write-in-nextdecode.patch"
"libtiff-uint32-overflow.patch"
"libtiff-CVE-2015-8665+CVE-2015-8683.patch"
"libtiff-CVE-2016-3623.patch"
"libtiff-CVE-2016-3945.patch"
"libtiff-CVE-2016-3990.patch"
"libtiff-CVE-2016-3991.patch"
"libtiff-CVE-2016-5314.patch"
"libtiff-CVE-2016-5321.patch"
"libtiff-CVE-2016-5323.patch"
"libtiff-CVE-2016-5652.patch"
"libtiff-CVE-2016-9273.patch"
"libtiff-CVE-2016-9297.patch"
"libtiff-CVE-2016-9448.patch"))))))
(method url-fetch)
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
version ".tar.gz"))
(sha256
(base32
"06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
(home-page "http://www.simplesystems.org/libtiff/")))
(define-public libwmf
(package

47
gnu/packages/patches/libtiff-CVE-2016-5652.patch
View file

@ -1,47 +0,0 @@
Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
Patches exfiltrated from upstream CVS repo with:
cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c
Index: tools/tiff2pdf.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
retrieving revision 1.92
retrieving revision 1.94
diff -u -r1.92 -r1.94
--- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92
+++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94
@@ -2887,21 +2887,24 @@
return(0);
}
if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
- if (count > 0) {
- _TIFFmemcpy(buffer, jpt, count);
+ if (count >= 4) {
+ /* Ignore EOI marker of JpegTables */
+ _TIFFmemcpy(buffer, jpt, count - 2);
bufferoffset += count - 2;
+ /* Store last 2 bytes of the JpegTables */
table_end[0] = buffer[bufferoffset-2];
table_end[1] = buffer[bufferoffset-1];
- }
- if (count > 0) {
xuint32 = bufferoffset;
+ bufferoffset -= 2;
bufferoffset += TIFFReadRawTile(
input,
tile,
- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),
+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
-1);
- buffer[xuint32-2]=table_end[0];
- buffer[xuint32-1]=table_end[1];
+ /* Overwrite SOI marker of image scan with previously */
+ /* saved end of JpegTables */
+ buffer[xuint32-2]=table_end[0];
+ buffer[xuint32-1]=table_end[1];
} else {
bufferoffset += TIFFReadRawTile(
input,

41
gnu/packages/patches/libtiff-CVE-2016-9273.patch
View file

@ -1,41 +0,0 @@
Fix CVE-2016-9273:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
http://bugzilla.maptools.org/show_bug.cgi?id=2587
Patch extracted from upstream CVS repo:
2016-11-10 Even Rouault <even.rouault at spatialys.com>
revision 1.37
date: 2016-11-09 18:00:49 -0500; author: erouault; state: Exp; lines: +10 -1; commitid: pzKipPxDJO2dxvtz;
* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
value when it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
Index: libtiff/tif_strip.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- a/libtiff/tif_strip.c 7 Jun 2015 22:35:40 -0000 1.36
+++ b/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37
@@ -63,6 +63,15 @@
TIFFDirectory *td = &tif->tif_dir;
uint32 nstrips;
+ /* If the value was already computed and store in td_nstrips, then return it,
+ since ChopUpSingleUncompressedStrip might have altered and resized the
+ since the td_stripbytecount and td_stripoffset arrays to the new value
+ after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+ tif_dirread.c ~line 3612.
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+ if( td->td_nstrips )
+ return td->td_nstrips;
+
nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)

52
gnu/packages/patches/libtiff-CVE-2016-9297.patch
View file

@ -1,52 +0,0 @@
Fix CVE-2016-9297:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9297
http://bugzilla.maptools.org/show_bug.cgi?id=2590
Patch copied from upstream source repository.
2016-11-11 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are null terminated, to avoid potential read outside buffer
in _TIFFPrintField().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1154; previous revision: 1.1153
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <--
libtiff/tif_dirread.c
new revision: 1.203; previous revision: 1.202Index: libtiff/libtiff/tif_dirread.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
retrieving revision 1.202
retrieving revision 1.203
diff -u -r1.202 -r1.203
--- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:01:55 -0000 1.202
+++ libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203
@@ -5000,6 +5000,11 @@
if (err==TIFFReadDirEntryErrOk)
{
int m;
+ if( data[dp->tdir_count-1] != '\0' )
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
+ data[dp->tdir_count-1] = '\0';
+ }
m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
if (data!=0)
_TIFFfree(data);
@@ -5172,6 +5177,11 @@
if (err==TIFFReadDirEntryErrOk)
{
int m;
+ if( data[dp->tdir_count-1] != '\0' )
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
+ data[dp->tdir_count-1] = '\0';
+ }
m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
if (data!=0)
_TIFFfree(data);

34
gnu/packages/patches/libtiff-CVE-2016-9448.patch
View file

@ -1,34 +0,0 @@
Fix CVE-2016-9448 (regression caused by fix for CVE-2016-9297).
http://bugzilla.maptools.org/show_bug.cgi?id=2593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
Patch copied from upstream source repository with:
$ cvs diff -u -r 1.203 -r 1.204 libtiff/libtiff/tif_dirread.c
Index: libtiff/libtiff/tif_dirread.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
retrieving revision 1.203
retrieving revision 1.204
diff -u -r1.203 -r1.204
--- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203
+++ libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204
@@ -5000,7 +5000,7 @@
if (err==TIFFReadDirEntryErrOk)
{
int m;
- if( data[dp->tdir_count-1] != '\0' )
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
{
TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
data[dp->tdir_count-1] = '\0';
@@ -5177,7 +5177,7 @@
if (err==TIFFReadDirEntryErrOk)
{
int m;
- if( data[dp->tdir_count-1] != '\0' )
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
{
TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
data[dp->tdir_count-1] = '\0';

102
gnu/packages/patches/libtiff-uint32-overflow.patch
View file

@ -1,102 +0,0 @@
Fix some buffer overflows:
http://seclists.org/oss-sec/2016/q4/408
http://bugzilla.maptools.org/show_bug.cgi?id=2592
2016-11-11 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcrop.c: fix multiple uint32 overflows in
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer
overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1152; previous revision: 1.1151
/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
new revision: 1.43; previous revision: 1.42
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- libtiff/tools/tiffcrop.c 14 Oct 2016 19:13:20 -0000 1.42
+++ libtiff/tools/tiffcrop.c 11 Nov 2016 19:33:06 -0000 1.43
@@ -148,6 +148,8 @@
#define PATH_MAX 1024
#endif
+#define TIFF_UINT32_MAX 0xFFFFFFFFU
+
#ifndef streq
#define streq(a,b) (strcmp((a),(b)) == 0)
#endif
@@ -1164,7 +1166,24 @@
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
bytes_per_sample = (bps + 7) / 8;
- rowsize = ((bps * spp * width) + 7) / 8; /* source has interleaved samples */
+ if( width == 0 ||
+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
+ bps * spp * width > TIFF_UINT32_MAX - 7U )
+ {
+ TIFFError(TIFFFileName(out),
+ "Error, uint32 overflow when computing (bps * spp * width) + 7");
+ return 1;
+ }
+ rowsize = ((bps * spp * width) + 7U) / 8; /* source has interleaved samples */
+ if( bytes_per_sample == 0 ||
+ rowsperstrip > TIFF_UINT32_MAX / bytes_per_sample ||
+ rowsperstrip * bytes_per_sample > TIFF_UINT32_MAX / (width + 1) )
+ {
+ TIFFError(TIFFFileName(out),
+ "Error, uint32 overflow when computing rowsperstrip * "
+ "bytes_per_sample * (width + 1)");
+ return 1;
+ }
rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
obuf = _TIFFmalloc (rowstripsize);
@@ -1251,11 +1270,19 @@
}
}
+ if( imagewidth == 0 ||
+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
+ bps * spp * imagewidth > TIFF_UINT32_MAX - 7U )
+ {
+ TIFFError(TIFFFileName(out),
+ "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
+ return 1;
+ }
+ src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
+
tilebuf = _TIFFmalloc(tile_buffsize);
if (tilebuf == 0)
return 1;
-
- src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
for (row = 0; row < imagelength; row += tl)
{
nrow = (row + tl > imagelength) ? imagelength - row : tl;
@@ -1315,7 +1342,16 @@
TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
- src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
+
+ if( imagewidth == 0 ||
+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
+ bps * spp * imagewidth > TIFF_UINT32_MAX - 7 )
+ {
+ TIFFError(TIFFFileName(out),
+ "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
+ return 1;
+ }
+ src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
for (row = 0; row < imagelength; row += tl)
{