diff --git a/abi_symbols b/abi_symbols
--- a/abi_symbols
+++ b/abi_symbols
@@ -113,7 +113,9 @@
 libtiff.so.5:TIFFReadRGBAImage
 libtiff.so.5:TIFFReadRGBAImageOriented
 libtiff.so.5:TIFFReadRGBAStrip
+libtiff.so.5:TIFFReadRGBAStripExt
 libtiff.so.5:TIFFReadRGBATile
+libtiff.so.5:TIFFReadRGBATileExt
 libtiff.so.5:TIFFReadRawStrip
 libtiff.so.5:TIFFReadRawTile
 libtiff.so.5:TIFFReadScanline
diff --git a/abi_symbols32 b/abi_symbols32
--- a/abi_symbols32
+++ b/abi_symbols32
@@ -72,12 +72,15 @@
 libtiff.so.5:TIFFInitCCITTRLEW
 libtiff.so.5:TIFFInitDumpMode
 libtiff.so.5:TIFFInitJPEG
+libtiff.so.5:TIFFInitLZMA
 libtiff.so.5:TIFFInitLZW
 libtiff.so.5:TIFFInitNeXT
 libtiff.so.5:TIFFInitOJPEG
 libtiff.so.5:TIFFInitPackBits
+libtiff.so.5:TIFFInitPixarLog
 libtiff.so.5:TIFFInitSGILog
 libtiff.so.5:TIFFInitThunderScan
+libtiff.so.5:TIFFInitZIP
 libtiff.so.5:TIFFIsBigEndian
 libtiff.so.5:TIFFIsByteSwapped
 libtiff.so.5:TIFFIsCODECConfigured
@@ -110,7 +113,9 @@
 libtiff.so.5:TIFFReadRGBAImage
 libtiff.so.5:TIFFReadRGBAImageOriented
 libtiff.so.5:TIFFReadRGBAStrip
+libtiff.so.5:TIFFReadRGBAStripExt
 libtiff.so.5:TIFFReadRGBATile
+libtiff.so.5:TIFFReadRGBATileExt
 libtiff.so.5:TIFFReadRawStrip
 libtiff.so.5:TIFFReadRawTile
 libtiff.so.5:TIFFReadScanline
diff --git a/abi_used_libs32 b/abi_used_libs32
--- a/abi_used_libs32
+++ b/abi_used_libs32
@@ -1,4 +1,6 @@
 libc.so.6
 libjpeg.so.8
+liblzma.so.5
 libm.so.6
 libstdc++.so.6
+libz.so.1
diff --git a/files/security/CVE-2016-10092.patch b/files/security/CVE-2016-10092.patch
deleted file mode 100644
--- a/files/security/CVE-2016-10092.patch
+++ /dev/null
@@ -1,25 +0,0 @@ -From 9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sat, 3 Dec 2016 11:35:56 +0000 -Subject: [PATCH] * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i - (ignore) mode so that the output buffer is correctly incremented to avoid - write outside bounds. Reported by Agostino Sarubbo. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2620 - - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index b87a77a8..70a71e17 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -3698,7 +3698,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf) - (unsigned long) strip, (unsigned long)rows); - return 0; - } -- bufp += bytes_read; -+ bufp += stripsize; - } - - return 1; --- -2.12.2 - diff --git a/files/security/CVE-2016-10093.patch b/files/security/CVE-2016-10093.patch deleted file mode 100644 --- a/files/security/CVE-2016-10093.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 787c0ee906430b772f33ca50b97b8b5ca070faec Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sat, 3 Dec 2016 16:40:01 +0000 -Subject: [PATCH 1/1] * tools/tiffcp.c: fix uint32 underflow/overflow that can - cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2610 - ---- - tools/tiffcp.c | 6 +++--- - 2 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 2d8dfba1..89b27f86 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -1163,7 +1163,7 @@ bad: - - static void - cpStripToTile(uint8* out, uint8* in, -- uint32 rows, uint32 cols, int outskew, int inskew) -+ uint32 rows, uint32 cols, int outskew, int64 inskew) - { - while (rows-- > 0) { - uint32 j = cols; -@@ -1320,7 +1320,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer) - tdata_t tilebuf; - uint32 imagew = TIFFScanlineSize(in); - uint32 tilew = TIFFTileRowSize(in); -- int iskew = imagew - tilew; -+ int64 iskew = (int64)imagew - (int64)tilew; - uint8* bufp = (uint8*) buf; - uint32 tw, tl; - uint32 row; -@@ -1348,7 +1348,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer) - status = 0; - goto done; - } -- if (colb + tilew > imagew) { -+ if (colb > iskew) { - uint32 width = imagew - colb; - uint32 oskew = tilew - width; - cpStripToTile(bufp + colb, --- -2.12.2 - diff --git a/files/security/CVE-2016-10094.patch b/files/security/CVE-2016-10094.patch deleted file mode 100644 --- a/files/security/CVE-2016-10094.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 7b7e1bd44ec5fee479ee961ff84c004bb7cff824 Mon Sep 17 00:00:00 2001 -From: Joshua Strobl -Date: Sat, 15 Apr 2017 22:37:26 +0300 -Subject: [PATCH 1/1] CVE-2016-10094 patch - ---- - tools/tiff2pdf.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index 870f2bef..8e346e08 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -2895,7 +2895,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_ - return(0); - } - if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { -- if (count >= 4) { -+ if (count > 4) { - /* Ignore EOI marker of JpegTables */ - _TIFFmemcpy(buffer, jpt, count - 2); - bufferoffset += count - 2; --- -2.12.2 - diff --git a/files/security/CVE-2016-10266.patch b/files/security/CVE-2016-10266.patch deleted file mode 100644 --- a/files/security/CVE-2016-10266.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 438274f938e046d33cb0e1230b41da32ffe223e1 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Fri, 2 Dec 2016 21:56:56 +0000 -Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow - in TIFFReadEncodedStrip() that caused an integer division by zero. Reported - by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 - ---- - libtiff/tif_read.c | 2 +- - libtiff/tiffiop.h | 4 ++++ - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c -index c26c55f..52bbf50 100644 ---- a/libtiff/tif_read.c -+++ b/libtiff/tif_read.c -@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) - rowsperstrip=td->td_rowsperstrip; - if (rowsperstrip>td->td_imagelength) - rowsperstrip=td->td_imagelength; -- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); -+ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); - stripinplane=(strip%stripsperplane); - plane=(uint16)(strip/stripsperplane); - rows=td->td_imagelength-stripinplane*rowsperstrip; -diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h -index ffbb647..cb59460 100644 ---- a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -250,6 +250,10 @@ struct tiff { - #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ - ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ - 0U) -+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ -+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ -+#define TIFFhowmany_32_maxuint_compat(x, y) \ -+ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) - #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) - #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) - #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) --- -2.7.4 - 
diff --git a/files/security/CVE-2016-10267.patch b/files/security/CVE-2016-10267.patch deleted file mode 100644 --- a/files/security/CVE-2016-10267.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sat, 3 Dec 2016 11:15:18 +0000 -Subject: [PATCH] * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case - of failure in OJPEGPreDecode(). This will avoid a divide by zero, and - potential other issues. Reported by Agostino Sarubbo. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2611 - ---- - libtiff/tif_ojpeg.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c -index 1ccc3f9..f19e8fd 100644 ---- a/libtiff/tif_ojpeg.c -+++ b/libtiff/tif_ojpeg.c -@@ -244,6 +244,7 @@ typedef enum { - - typedef struct { - TIFF* tif; -+ int decoder_ok; - #ifndef LIBJPEG_ENCAP_EXTERNAL - JMP_BUF exit_jmpbuf; - #endif -@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s) - } - sp->write_curstrile++; - } -+ sp->decoder_ok = 1; - return(1); - } - -@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif) - static int - OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) - { -+ static const char module[]="OJPEGDecode"; - OJPEGState* sp=(OJPEGState*)tif->tif_data; - (void)s; -+ if( !sp->decoder_ok ) -+ { -+ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); -+ return 0; -+ } - if (sp->libjpeg_jpeg_query_style==0) - { - if (OJPEGDecodeRaw(tif,buf,cc)==0) --- -2.7.4 - diff --git a/files/security/CVE-2016-10268.patch b/files/security/CVE-2016-10268.patch deleted file mode 100644 --- a/files/security/CVE-2016-10268.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 5397a417e61258c69209904e652a1f409ec3b9df Mon Sep 17 00:00:00 2001 -From: erouault -Date: Fri, 2 Dec 2016 22:13:32 +0000 -Subject: [PATCH] * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips - that can cause various issues, such as buffer overflows in the library. - Reported by Agostino Sarubbo. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2598 - ---- - tools/tiffcp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index a99c906..f294ed1 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips) - tstrip_t s, ns = TIFFNumberOfStrips(in); - uint32 row = 0; - _TIFFmemset(buf, 0, stripsize); -- for (s = 0; s < ns; s++) { -+ for (s = 0; s < ns && row < imagelength; s++) { - tsize_t cc = (row + rowsperstrip > imagelength) ? - TIFFVStripSize(in, imagelength - row) : stripsize; - if (TIFFReadEncodedStrip(in, s, buf, cc) < 0 --- -2.7.4 - diff --git a/files/security/CVE-2016-10269.patch b/files/security/CVE-2016-10269.patch deleted file mode 100644 --- a/files/security/CVE-2016-10269.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 1044b43637fa7f70fb19b93593777b78bd20da86 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Fri, 2 Dec 2016 23:05:51 +0000 -Subject: [PATCH] * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based - buffer overflow on generation of PixarLog / LUV compressed files, with - ColorMap, TransferFunction attached and nasty plays with bitspersample. The - fix for LUV has not been tested, but suffers from the same kind of issue of - PixarLog. Reported by Agostino Sarubbo. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2604 - ---- - libtiff/tif_luv.c | 18 ++++++++++++++---- - libtiff/tif_pixarlog.c | 17 +++++++++++++++-- - 2 files changed, 29 insertions(+), 6 deletions(-) - -diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c -index f68a9b1..e6783db 100644 ---- a/libtiff/tif_luv.c -+++ b/libtiff/tif_luv.c -@@ -158,6 +158,7 @@ - typedef struct logLuvState LogLuvState; - - struct logLuvState { -+ int encoder_state; /* 1 if encoder correctly initialized */ - int user_datafmt; /* user data format */ - int encode_meth; /* encoding method */ - int pixel_size; /* bytes per pixel */ -@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif) - td->td_photometric, "must be either LogLUV or LogL"); - break; - } -+ sp->encoder_state = 1; - return (1); - notsupported: - TIFFErrorExt(tif->tif_clientdata, module, -@@ -1563,19 +1565,27 @@ notsupported: - static void - LogLuvClose(TIFF* tif) - { -+ LogLuvState* sp = (LogLuvState*) tif->tif_data; - TIFFDirectory *td = &tif->tif_dir; - -+ assert(sp != 0); - /* - * For consistency, we always want to write out the same - * bitspersample and sampleformat for our TIFF file, - * regardless of the data format being used by the application. - * Since this routine is called after tags have been set but - * before they have been recorded in the file, we reset them here. -+ * Note: this is really a nasty approach. See PixarLogClose - */ -- td->td_samplesperpixel = -- (td->td_photometric == PHOTOMETRIC_LOGL) ? 
1 : 3; -- td->td_bitspersample = 16; -- td->td_sampleformat = SAMPLEFORMAT_INT; -+ if( sp->encoder_state ) -+ { -+ /* See PixarLogClose. Might avoid issues with tags whose size depends -+ * on those below, but not completely sure this is enough. */ -+ td->td_samplesperpixel = -+ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; -+ td->td_bitspersample = 16; -+ td->td_sampleformat = SAMPLEFORMAT_INT; -+ } - } - - static void -diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c -index d1246c3..aa99bc9 100644 ---- a/libtiff/tif_pixarlog.c -+++ b/libtiff/tif_pixarlog.c -@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif) - static void - PixarLogClose(TIFF* tif) - { -+ PixarLogState* sp = (PixarLogState*) tif->tif_data; - TIFFDirectory *td = &tif->tif_dir; - -+ assert(sp != 0); - /* In a really sneaky (and really incorrect, and untruthful, and - * troublesome, and error-prone) maneuver that completely goes against - * the spirit of TIFF, and breaks TIFF, on close, we covertly -@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif) - * readers that don't know about PixarLog, or how to set - * the PIXARLOGDATFMT pseudo-tag. - */ -- td->td_bitspersample = 8; -- td->td_sampleformat = SAMPLEFORMAT_UINT; -+ -+ if (sp->state&PLSTATE_INIT) { -+ /* We test the state to avoid an issue such as in -+ * http://bugzilla.maptools.org/show_bug.cgi?id=2604 -+ * What appends in that case is that the bitspersample is 1 and -+ * a TransferFunction is set. The size of the TransferFunction -+ * depends on 1<td_bitspersample = 8; -+ td->td_sampleformat = SAMPLEFORMAT_UINT; -+ } - } - - static void --- -2.7.4 - diff --git a/files/security/CVE-2016-10270.patch b/files/security/CVE-2016-10270.patch deleted file mode 100644 --- a/files/security/CVE-2016-10270.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From 9a72a69e035ee70ff5c41541c8c61cd97990d018 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Sat, 3 Dec 2016 11:02:15 +0000 -Subject: [PATCH] * libtiff/tif_dirread.c: modify - ChopUpSingleUncompressedStrip() to instanciate compute ntrips as - TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on - the total size of data. Which is faulty is the total size of data is not - sufficient to fill the whole image, and thus results in reading outside of - the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported - by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. - -* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done -for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since -the above change is a better fix that makes it unnecessary. ---- - libtiff/tif_dirread.c | 22 ++++++++++------------ - libtiff/tif_strip.c | 9 --------- - 2 files changed, 10 insertions(+), 21 deletions(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 3eec79c..570d0c3 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif) - uint64 rowblockbytes; - uint64 stripbytes; - uint32 strip; -- uint64 nstrips64; -- uint32 nstrips32; -+ uint32 nstrips; - uint32 rowsperstrip; - uint64* newcounts; - uint64* newoffsets; -@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) - return; - - /* -- * never increase the number of strips in an image -+ * never increase the number of rows per strip - */ - if (rowsperstrip >= td->td_rowsperstrip) - return; -- nstrips64 = TIFFhowmany_64(bytecount, stripbytes); -- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. 
*/ -- return; -- nstrips32 = (uint32)nstrips64; -+ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); -+ if( nstrips == 0 ) -+ return; - -- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), -+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), - "for chopped \"StripByteCounts\" array"); -- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), -+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), - "for chopped \"StripOffsets\" array"); - if (newcounts == NULL || newoffsets == NULL) { - /* -@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif) - * Fill the strip information arrays with new bytecounts and offsets - * that reflect the broken-up format. - */ -- for (strip = 0; strip < nstrips32; strip++) { -+ for (strip = 0; strip < nstrips; strip++) { - if (stripbytes > bytecount) - stripbytes = bytecount; - newcounts[strip] = stripbytes; -- newoffsets[strip] = offset; -+ newoffsets[strip] = stripbytes ? offset : 0; - offset += stripbytes; - bytecount -= stripbytes; - } - /* - * Replace old single strip info with multi-strip info. - */ -- td->td_stripsperimage = td->td_nstrips = nstrips32; -+ td->td_stripsperimage = td->td_nstrips = nstrips; - TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); - - _TIFFfree(td->td_stripbytecount); -diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c -index 4c46ecf..1676e47 100644 ---- a/libtiff/tif_strip.c -+++ b/libtiff/tif_strip.c -@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif) - TIFFDirectory *td = &tif->tif_dir; - uint32 nstrips; - -- /* If the value was already computed and store in td_nstrips, then return it, -- since ChopUpSingleUncompressedStrip might have altered and resized the -- since the td_stripbytecount and td_stripoffset arrays to the new value -- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in -- tif_dirread.c ~line 3612. 
-- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ -- if( td->td_nstrips ) -- return td->td_nstrips; -- - nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : - TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); - if (td->td_planarconfig == PLANARCONFIG_SEPARATE) --- -2.7.4 - diff --git a/files/security/CVE-2016-10271.nopatch b/files/security/CVE-2016-10271.nopatch deleted file mode 100644 diff --git a/files/security/CVE-2016-10272.nopatch b/files/security/CVE-2016-10272.nopatch deleted file mode 100644 diff --git a/files/security/CVE-2017-5225.patch b/files/security/CVE-2017-5225.patch deleted file mode 100644 --- a/files/security/CVE-2017-5225.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index bdf754c..8bbcd52 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -591,7 +591,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16); - static int - tiffcp(TIFF* in, TIFF* out) - { -- uint16 bitspersample, samplesperpixel = 1; -+ uint16 bitspersample = 1, samplesperpixel = 1; - uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; - copyFunc cf; - uint32 width, length; -@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow) - register uint32 n; - uint32 row; - tsample_t s; -+ uint16 bps = 0; -+ -+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps != 8 ) -+ { -+ TIFFError(TIFFFileName(in), -+ "Error, can only handle BitsPerSample=8 in %s", -+ "cpContig2SeparateByRow"); -+ return 0; -+ } - - inbuf = _TIFFmalloc(scanlinesizein); - outbuf = _TIFFmalloc(scanlinesizeout); -@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow) - register uint32 n; - uint32 row; - tsample_t s; -+ uint16 bps = 0; -+ -+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps != 8 ) -+ { -+ TIFFError(TIFFFileName(in), -+ "Error, can only handle BitsPerSample=8 in %s", -+ "cpSeparate2ContigByRow"); -+ return 0; -+ } - - inbuf = _TIFFmalloc(scanlinesizein); - outbuf = _TIFFmalloc(scanlinesizeout); -@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel) - uint32 w, l, tw, tl; - int bychunk; - -- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); -+ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); - if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { - fprintf(stderr, - "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", diff --git a/files/security/CVE-2017-7592.patch b/files/security/CVE-2017-7592.patch deleted file mode 100644 --- a/files/security/CVE-2017-7592.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From ae475079a1cc9064327d0a1f680dd6107db29859 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Wed, 11 Jan 2017 16:38:26 +0000 -Subject: [PATCH 1/8] =?UTF-8?q?*=20libtiff/tif=5Fgetimage.c:=20add=20expli?= - =?UTF-8?q?cit=20uint32=20cast=20in=20putagreytile=20to=20avoid=20Undefine?= - =?UTF-8?q?dBehaviorSanitizer=20warning.=20Patch=20by=20Nicol=C3=A1s=20Pe?= - =?UTF-8?q?=C3=B1a.=20Fixes=20http://bugzilla.maptools.org/show=5Fbug.cgi?= - =?UTF-8?q?=3Fid=3D2658?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - ---- - libtiff/tif_getimage.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index 0f5e932..f5258b3 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -1305,7 +1305,7 @@ DECLAREContigPutFunc(putagreytile) - while (h-- > 0) { - for (x = w; x-- > 0;) - { -- *cp++ = BWmap[*pp][0] & (*(pp+1) << 24 | ~A1); -+ *cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1); - pp += samplesperpixel; - } - cp += toskew; --- -2.7.4 - diff --git a/files/security/CVE-2017-7593.patch b/files/security/CVE-2017-7593.patch deleted file mode 100644 --- a/files/security/CVE-2017-7593.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From e230043bc9e9bb67ecd3c7378885cbdb3bb89384 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Wed, 11 Jan 2017 19:02:49 +0000 -Subject: [PATCH 2/8] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c: add - _TIFFcalloc() - -* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero -initialize tif_rawdata. -Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 ---- - libtiff/tif_read.c | 4 +++- - libtiff/tif_unix.c | 8 ++++++++ - libtiff/tif_win32.c | 8 ++++++++ - libtiff/tiffio.h | 1 + - 4 files changed, 20 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c -index eb3e3ef..f65bfab 100644 ---- a/libtiff/tif_read.c -+++ b/libtiff/tif_read.c -@@ -976,7 +976,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size) - "Invalid buffer size"); - return (0); - } -- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize); -+ /* Initialize to zero to avoid uninitialized buffers in case of */ -+ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */ -+ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize); - tif->tif_flags |= TIFF_MYBUFFER; - } - if (tif->tif_rawdata == NULL) { -diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c -index 81e9d66..16694df 100644 ---- a/libtiff/tif_unix.c -+++ b/libtiff/tif_unix.c -@@ -316,6 +316,14 @@ _TIFFmalloc(tmsize_t s) - return (malloc((size_t) s)); - } - -+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) -+{ -+ if( nmemb == 0 || siz == 0 ) -+ return ((void *) NULL); -+ -+ return calloc((size_t) nmemb, (size_t)siz); -+} -+ - void - _TIFFfree(void* p) - { -diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c -index 24b824f..9dcbc3d 100644 ---- a/libtiff/tif_win32.c -+++ b/libtiff/tif_win32.c -@@ -360,6 +360,14 @@ _TIFFmalloc(tmsize_t s) - return (malloc((size_t) s)); - } - -+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) -+{ -+ if( nmemb == 0 || siz == 0 ) -+ return ((void *) NULL); -+ -+ return calloc((size_t) nmemb, (size_t)siz); -+} -+ - 
void - _TIFFfree(void* p) - { -diff --git a/libtiff/tiffio.h b/libtiff/tiffio.h -index 6a84d80..9b24fae 100644 ---- a/libtiff/tiffio.h -+++ b/libtiff/tiffio.h -@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void); - */ - - extern void* _TIFFmalloc(tmsize_t s); -+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz); - extern void* _TIFFrealloc(void* p, tmsize_t s); - extern void _TIFFmemset(void* p, int v, tmsize_t c); - extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); --- -2.7.4 - diff --git a/files/security/CVE-2017-7594.patch b/files/security/CVE-2017-7594.patch deleted file mode 100644 --- a/files/security/CVE-2017-7594.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 368f11b41c726df5d888124330855e1042db9603 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Thu, 12 Jan 2017 19:23:20 +0000 -Subject: [PATCH 3/8] * libtiff/tif_ojpeg.c: fix leak in - OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable and - OJPEGReadHeaderInfoSecTablesAcTable -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable when read fails. Patch by Nicolás Peña. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 ---- - libtiff/tif_ojpeg.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c -index 0e69a46..3421a05 100644 ---- a/libtiff/tif_ojpeg.c -+++ b/libtiff/tif_ojpeg.c -@@ -1790,7 +1790,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif) - TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); - p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64); - if (p!=64) -+ { -+ _TIFFfree(ob); - return(0); -+ } - sp->qtable[m]=ob; - sp->sof_tq[m]=m; - } -@@ -1854,7 +1857,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif) - rb[sizeof(uint32)+5+n]=o[n]; - p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); - if (p!=q) -+ { -+ _TIFFfree(rb); - return(0); -+ } - sp->dctable[m]=rb; - sp->sos_tda[m]=(m<<4); - } -@@ -1918,7 +1924,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif) - rb[sizeof(uint32)+5+n]=o[n]; - p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); - if (p!=q) -+ { -+ _TIFFfree(rb); - return(0); -+ } - sp->actable[m]=rb; - sp->sos_tda[m]=(sp->sos_tda[m]|m); - } --- -2.7.4 - diff --git a/files/security/CVE-2017-7595.patch b/files/security/CVE-2017-7595.patch deleted file mode 100644 --- a/files/security/CVE-2017-7595.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From ad5165ff126fc43c60e4d2473c4d8901dc896fec Mon Sep 17 00:00:00 2001 -From: erouault -Date: Wed, 11 Jan 2017 12:15:01 +0000 -Subject: [PATCH 4/8] * libtiff/tif_jpeg.c: avoid integer division by zero in - JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2653 - ---- - libtiff/tif_jpeg.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c -index 70b72d8..1508ce6 100644 ---- a/libtiff/tif_jpeg.c -+++ b/libtiff/tif_jpeg.c -@@ -1626,6 +1626,13 @@ JPEGSetupEncode(TIFF* tif) - case PHOTOMETRIC_YCBCR: - sp->h_sampling = td->td_ycbcrsubsampling[0]; - sp->v_sampling = td->td_ycbcrsubsampling[1]; -+ if( sp->h_sampling == 0 || sp->v_sampling == 0 ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Invalig horizontal/vertical sampling value"); -+ return (0); -+ } -+ - /* - * A ReferenceBlackWhite field *must* be present since the - * default value is inappropriate for YCbCr. Fill in the --- -2.7.4 - diff --git a/files/security/CVE-2017-7596.patch b/files/security/CVE-2017-7596.patch deleted file mode 100644 --- a/files/security/CVE-2017-7596.patch +++ /dev/null 
@@ -1,302 +0,0 @@ -From bf4ca0b5a627bdc00f51d85184beaac6318be355 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Wed, 11 Jan 2017 12:51:59 +0000 -Subject: [PATCH 5/8] * libtiff/tif_dirwrite.c: in - TIFFWriteDirectoryTagCheckedRational, replace assertion by runtime check to - error out if passed value is strictly negative. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2535 - -* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that -caused double free. -Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535 - -* libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings of double to other data types to avoid undefined behaviour if the output range isn't big enough to hold the input value. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643 http://bugzilla.maptools.org/show_bug.cgi?id=2642 http://bugzilla.maptools.org/show_bug.cgi?id=2646 http://bugzilla.maptools.org/show_bug.cgi?id=2647 ---- - libtiff/tif_dir.c | 18 +++++++-- - libtiff/tif_dirread.c | 10 ++++- - libtiff/tif_dirwrite.c | 99 ++++++++++++++++++++++++++++++++++++++++++++------ - tools/tiffcrop.c | 1 - - 4 files changed, 110 insertions(+), 18 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index ad21655..8806241 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -31,6 +31,7 @@ - * (and also some miscellaneous stuff) - */ - #include "tiffiop.h" -+#include - - /* - * These are used in the backwards compatibility code... 
-@@ -154,6 +155,15 @@ bad: - return (0); - } - -+static float TIFFClampDoubleToFloat( double val ) -+{ -+ if( val > FLT_MAX ) -+ return FLT_MAX; -+ if( val < -FLT_MAX ) -+ return -FLT_MAX; -+ return (float)val; -+} -+ - static int - _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - { -@@ -312,13 +322,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - dblval = va_arg(ap, double); - if( dblval < 0 ) - goto badvaluedouble; -- td->td_xresolution = (float) dblval; -+ td->td_xresolution = TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_YRESOLUTION: - dblval = va_arg(ap, double); - if( dblval < 0 ) - goto badvaluedouble; -- td->td_yresolution = (float) dblval; -+ td->td_yresolution = TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_PLANARCONFIG: - v = (uint16) va_arg(ap, uint16_vap); -@@ -327,10 +337,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - td->td_planarconfig = (uint16) v; - break; - case TIFFTAG_XPOSITION: -- td->td_xposition = (float) va_arg(ap, double); -+ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); - break; - case TIFFTAG_YPOSITION: -- td->td_yposition = (float) va_arg(ap, double); -+ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); - break; - case TIFFTAG_RESOLUTIONUNIT: - v = (uint16) va_arg(ap, uint16_vap); -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index bfd0105..7d1d194 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -40,6 +40,7 @@ - */ - - #include "tiffiop.h" -+#include - - #define IGNORE 0 /* tag placeholder used below */ - #define FAILED_FII ((uint32) -1) -@@ -2406,7 +2407,14 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloatArray(TIFF* tif, TIFFDirEnt - ma=(double*)origdata; - mb=data; - for (n=0; n FLT_MAX ) -+ val = FLT_MAX; -+ else if( val < -FLT_MAX ) -+ val = -FLT_MAX; -+ *mb++=(float)val; -+ } - } - break; - } -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index d34f6f6..50bc3d5 100644 ---- 
a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -30,6 +30,7 @@ - * Directory Write Support Routines. - */ - #include "tiffiop.h" -+#include - - #ifdef HAVE_IEEEFP - #define TIFFCvtNativeToIEEEFloat(tif, n, fp) -@@ -939,6 +940,69 @@ bad: - return(0); - } - -+static float TIFFClampDoubleToFloat( double val ) -+{ -+ if( val > FLT_MAX ) -+ return FLT_MAX; -+ if( val < -FLT_MAX ) -+ return -FLT_MAX; -+ return (float)val; -+} -+ -+static int8 TIFFClampDoubleToInt8( double val ) -+{ -+ if( val > 127 ) -+ return 127; -+ if( val < -128 || val != val ) -+ return -128; -+ return (int8)val; -+} -+ -+static int16 TIFFClampDoubleToInt16( double val ) -+{ -+ if( val > 32767 ) -+ return 32767; -+ if( val < -32768 || val != val ) -+ return -32768; -+ return (int16)val; -+} -+ -+static int32 TIFFClampDoubleToInt32( double val ) -+{ -+ if( val > 0x7FFFFFFF ) -+ return 0x7FFFFFFF; -+ if( val < -0x7FFFFFFF-1 || val != val ) -+ return -0x7FFFFFFF-1; -+ return (int32)val; -+} -+ -+static uint8 TIFFClampDoubleToUInt8( double val ) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 255 || val != val ) -+ return 255; -+ return (uint8)val; -+} -+ -+static uint16 TIFFClampDoubleToUInt16( double val ) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 65535 || val != val ) -+ return 65535; -+ return (uint16)val; -+} -+ -+static uint32 TIFFClampDoubleToUInt32( double val ) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 0xFFFFFFFFU || val != val ) -+ return 0xFFFFFFFFU; -+ return (uint32)val; -+} -+ - static int - TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value) - { -@@ -959,7 +1023,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di - if (tif->tif_dir.td_bitspersample<=32) - { - for (i = 0; i < count; ++i) -- ((float*)conv)[i] = (float)value[i]; -+ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]); - ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv); - } - 
else -@@ -971,19 +1035,19 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di - if (tif->tif_dir.td_bitspersample<=8) - { - for (i = 0; i < count; ++i) -- ((int8*)conv)[i] = (int8)value[i]; -+ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]); - ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv); - } - else if (tif->tif_dir.td_bitspersample<=16) - { - for (i = 0; i < count; ++i) -- ((int16*)conv)[i] = (int16)value[i]; -+ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]); - ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv); - } - else - { - for (i = 0; i < count; ++i) -- ((int32*)conv)[i] = (int32)value[i]; -+ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]); - ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv); - } - break; -@@ -991,19 +1055,19 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di - if (tif->tif_dir.td_bitspersample<=8) - { - for (i = 0; i < count; ++i) -- ((uint8*)conv)[i] = (uint8)value[i]; -+ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]); - ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv); - } - else if (tif->tif_dir.td_bitspersample<=16) - { - for (i = 0; i < count; ++i) -- ((uint16*)conv)[i] = (uint16)value[i]; -+ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]); - ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv); - } - else - { - for (i = 0; i < count; ++i) -- ((uint32*)conv)[i] = (uint32)value[i]; -+ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]); - ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv); - } - break; -@@ -2094,15 +2158,25 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d - static int - TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value) - { -+ static const char module[] = "TIFFWriteDirectoryTagCheckedRational"; 
- uint32 m[2]; -- assert(value>=0.0); - assert(sizeof(uint32)==4); -- if (value<=0.0) -+ if( value < 0 ) -+ { -+ TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal"); -+ return 0; -+ } -+ else if( value != value ) -+ { -+ TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal"); -+ return 0; -+ } -+ else if (value==0.0) - { - m[0]=0; - m[1]=1; - } -- else if (value==(double)(uint32)value) -+ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value) - { - m[0]=(uint32)value; - m[1]=1; -@@ -2143,12 +2217,13 @@ TIFFWriteDirectoryTagCheckedRationalArray(TIFF* tif, uint32* ndir, TIFFDirEntry* - } - for (na=value, nb=m, nc=0; nc= 0 && *na <= (float)0xFFFFFFFFU && -+ *na==(float)(uint32)(*na)) - { - nb[0]=(uint32)(*na); - nb[1]=1; -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index ad2c00f..6e7b727 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -7986,7 +7986,6 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image, - if (!TIFFWriteDirectory(out)) - { - TIFFError("","Failed to write IFD for page number %d", pagenum); -- TIFFClose(out); - return (-1); - } - --- -2.7.4 - diff --git a/files/security/CVE-2017-7597.nopatch b/files/security/CVE-2017-7597.nopatch deleted file mode 100644 diff --git a/files/security/CVE-2017-7598.patch b/files/security/CVE-2017-7598.patch deleted file mode 100644 --- a/files/security/CVE-2017-7598.patch +++ /dev/null 
@@ -1,44 +0,0 @@
-From 3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 Mon Sep 17 00:00:00 2001
-From: erouault
-Date: Wed, 11 Jan 2017 13:28:01 +0000
-Subject: [PATCH 1/1] * libtiff/tif_dirread.c: avoid division by floating point
- 0 in TIFFReadDirEntryCheckedRational() and
- TIFFReadDirEntryCheckedSrational(), and return 0 in that case (instead of
- infinity as before presumably) Apparently some sanitizers do not like those
- divisions by zero. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
-
----
- libtiff/tif_dirread.c | 10 ++++++++--
- 2 files changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 570d0c32..8a1e42aa 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFD
- m.l = direntry->tdir_offset.toff_long8;
- if (tif->tif_flags&TIFF_SWAB)
- TIFFSwabArrayOfLong(m.i,2);
-- if (m.i[0]==0)
-+ /* Not completely sure what we should do when m.i[1]==0, but some */
-+ /* sanitizers do not like division by 0.0: */
-+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
-+ if (m.i[0]==0 || m.i[1]==0)
- *value=0.0;
- else
- *value=(double)m.i[0]/(double)m.i[1];
-@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFF
- m.l=direntry->tdir_offset.toff_long8;
- if (tif->tif_flags&TIFF_SWAB)
- TIFFSwabArrayOfLong(m.i,2);
-- if ((int32)m.i[0]==0)
-+ /* Not completely sure what we should do when m.i[1]==0, but some */
-+ /* sanitizers do not like division by 0.0: */
-+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
-+ if ((int32)m.i[0]==0 || m.i[1]==0)
- *value=0.0;
- else
- *value=(double)((int32)m.i[0])/(double)m.i[1];
---
-2.12.2
-
diff --git a/files/security/CVE-2017-7599.nopatch b/files/security/CVE-2017-7599.nopatch
deleted file mode 100644
diff --git a/files/security/CVE-2017-7600.nopatch b/files/security/CVE-2017-7600.nopatch
deleted file mode 100644
diff --git a/files/security/CVE-2017-7601 b/files/security/CVE-2017-7601
deleted file mode 100644
--- a/files/security/CVE-2017-7601
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0a76a8c765c7b8327c59646284fa78c3c27e5490 Mon Sep 17 00:00:00 2001
-From: erouault
-Date: Wed, 11 Jan 2017 16:13:50 +0000
-Subject: [PATCH 1/1] * libtiff/tif_jpeg.c: validate BitsPerSample in
- JPEGSetupEncode() to avoid undefined behaviour caused by invalid shift
- exponent. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
-
----
- ChangeLog | 6 ++++++
- libtiff/tif_jpeg.c | 7 +++++++
- 2 files changed, 13 insertions(+)
-
-diff --git a/ChangeLog b/ChangeLog
-index 65176404..8e202a2c 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,5 +1,11 @@
- 2017-01-11 Even Rouault
-
-+ * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
-+ undefined behaviour caused by invalid shift exponent.
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
-+
-+2017-01-11 Even Rouault
-+
- * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
- of double to other data types to avoid undefined behaviour if the output range
- isn't big enough to hold the input value.
-diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
-index 6c17c388..192989a9 100644
---- a/libtiff/tif_jpeg.c
-+++ b/libtiff/tif_jpeg.c
-@@ -1632,6 +1632,13 @@ JPEGSetupEncode(TIFF* tif)
- "Invalig horizontal/vertical sampling value");
- return (0);
- }
-+ if( td->td_bitspersample > 16 )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "BitsPerSample %d not allowed for JPEG",
-+ td->td_bitspersample);
-+ return (0);
-+ }
-
- /*
- * A ReferenceBlackWhite field *must* be present since the
---
-2.12.2
-
diff --git a/files/security/CVE-2017-7601.patch b/files/security/CVE-2017-7601.patch
deleted file mode 100644
--- a/files/security/CVE-2017-7601.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 148b32d6d0d79641b73b75b48ccacda3d640b47d Mon Sep 17 00:00:00 2001
-From: erouault
-Date: Wed, 11 Jan 2017 16:13:50 +0000
-Subject: [PATCH 7/8] * libtiff/tif_jpeg.c: validate BitsPerSample in
- JPEGSetupEncode() to avoid undefined behaviour caused by invalid shift
- exponent. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
-
----
- libtiff/tif_jpeg.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
-index 1508ce6..a223eea 100644
---- a/libtiff/tif_jpeg.c
-+++ b/libtiff/tif_jpeg.c
-@@ -1632,6 +1632,13 @@ JPEGSetupEncode(TIFF* tif)
- "Invalig horizontal/vertical sampling value");
- return (0);
- }
-+ if( td->td_bitspersample > 16 )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "BitsPerSample %d not allowed for JPEG",
-+ td->td_bitspersample);
-+ return (0);
-+ }
-
- /*
- * A ReferenceBlackWhite field *must* be present since the
---
-2.7.4
-
diff --git a/files/security/CVE-2017-7602.patch b/files/security/CVE-2017-7602.patch
deleted file mode 100644
--- a/files/security/CVE-2017-7602.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001
-From: erouault
-Date: Wed, 11 Jan 2017 16:33:34 +0000
-Subject: [PATCH 1/1] * libtiff/tif_read.c: avoid potential undefined behaviour
- on signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2650
-
----
- libtiff/tif_read.c | 27 ++++++++++++++++++---------
- 2 files changed, 24 insertions(+), 9 deletions(-)
-
-diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
-index 52bbf507..b7aacbda 100644
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
- return ((tmsize_t)(-1));
- }
- } else {
-- tmsize_t ma,mb;
-+ tmsize_t ma;
- tmsize_t n;
-- ma=(tmsize_t)td->td_stripoffset[strip];
-- mb=ma+size;
-- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
-- n=0;
-- else if ((mbtif->tif_size))
-- n=tif->tif_size-ma;
-- else
-- n=size;
-+ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
-+ ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
-+ {
-+ n=0;
-+ }
-+ else if( ma > TIFF_TMSIZE_T_MAX - size )
-+ {
-+ n=0;
-+ }
-+ else
-+ {
-+ tmsize_t mb=ma+size;
-+ if (mb>tif->tif_size)
-+ n=tif->tif_size-ma;
-+ else
-+ n=size;
-+ }
- if (n!=size) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
---
-2.12.2
-
diff --git a/files/security/hylafax-fix.patch b/files/security/hylafax-fix.patch
deleted file mode 100644
--- a/files/security/hylafax-fix.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From dacc8bd0dd8b50e9d1c84c4c19aedcbb8f026bee Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Nikola=20Forr=C3=B3?=
-Date: Tue, 24 Jan 2017 14:32:18 +0100
-Subject: [PATCH] * libtiff/tif_fax3.h: revert change done on 2016-01-09 that
- made Param member of TIFFFaxTabEnt structure a uint16 to reduce size of the
- binary. It happens that the Hylafax software uses the tables that follow this
- typedef (TIFFFaxMainTable, TIFFFaxWhiteTable, TIFFFaxBlackTable), also they
- are not in a public libtiff header. Raised by Lee Howard. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2636
-
----
- libtiff/tif_fax3.h | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/libtiff/tif_fax3.h b/libtiff/tif_fax3.h
-index e0b2ca6..1715d3e 100644
---- a/libtiff/tif_fax3.h
-+++ b/libtiff/tif_fax3.h
-@@ -81,10 +81,12 @@ extern void _TIFFFax3fillruns(unsigned char*, uint32*, uint32*, uint32);
- #define S_MakeUp 11
- #define S_EOL 12
-
-+/* WARNING: do not change the layout of this structure as the HylaFAX software */
-+/* really depends on it. See http://bugzilla.maptools.org/show_bug.cgi?id=2636 */
- typedef struct { /* state table entry */
- unsigned char State; /* see above */
- unsigned char Width; /* width of code in bits */
-- uint16 Param; /* unsigned 16-bit run length in bits */
-+ uint32 Param; /* unsigned 32-bit run length in bits (holds on 16 bit actually, but cannot be changed. See above warning) */
- } TIFFFaxTabEnt;
-
- extern const TIFFFaxTabEnt TIFFFaxMainTable[];
---
-2.7.4
-
diff --git a/files/series b/files/series
deleted file mode 100644
--- a/files/series
+++ /dev/null
@@ -1,18 +0,0 @@ -security/CVE-2016-10092.patch -security/CVE-2016-10093.patch -security/CVE-2016-10094.patch -security/CVE-2016-10266.patch -security/CVE-2016-10267.patch -security/CVE-2016-10268.patch -security/CVE-2016-10269.patch -security/CVE-2016-10270.patch -security/CVE-2017-5225.patch -security/CVE-2017-7592.patch -security/CVE-2017-7593.patch -security/CVE-2017-7594.patch -security/CVE-2017-7595.patch -security/CVE-2017-7596.patch -security/CVE-2017-7598.patch -security/CVE-2017-7601.patch -security/CVE-2017-7602.patch -security/hylafax-fix.patch diff --git a/package.yml b/package.yml --- a/package.yml +++ b/package.yml @@ -1,8 +1,8 @@ name : libtiff -version : 4.0.7 -release : 18 +version : 4.0.8 +release : 19 source : - - http://download.osgeo.org/libtiff/tiff-4.0.7.tar.gz : 9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019 + - http://download.osgeo.org/libtiff/tiff-4.0.8.tar.gz : 59d7a5a8ccd92059913f246877db95a2918e6c04fb9d43fd74e5c3390dac2910 license : - libtiff component : desktop.library @@ -11,7 +11,8 @@ The LibTIFF package contains the TIFF libraries and associated utilities. The libraries are used by many programs for reading and writing TIFF files and the utilities are used for general work with TIFF files. emul32 : yes builddeps : - - pkgconfig(liblzma) + - pkgconfig32(zlib) + - pkgconfig32(liblzma) - libjpeg-turbo-32bit-devel - libgcc-32bit - glibc-32bit-devel @@ -23,7 +24,6 @@ - utils : /usr/bin - utils : /usr/share/man/man1 setup : | - %apply_patches %configure --prefix=/usr \ --disable-jbig \ --disable-static diff --git a/pspec_x86_64.xml b/pspec_x86_64.xml --- a/pspec_x86_64.xml +++ b/pspec_x86_64.xml @@ -2,8 +2,8 @@ libtiff - Joshua Strobl - joshua@stroblindustries.com + Pierre-Yves + pyu@riseup.net libtiff desktop.library @@ -29,7 +29,7 @@ emul32 - libtiff + libtiff /usr/lib32/lib*.so.* @@ -42,8 +42,8 @@ programming.devel - libtiff-devel - libtiff-32bit + libtiff-devel + libtiff-32bit /usr/lib32/lib*.so 
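Review bot: In the builddeps hunk of package.yml, `pkgconfig(liblzma)` is replaced by `pkgconfig32(liblzma)` rather than kept next to it, so the 64-bit build no longer declares liblzma at all. libtiff's configure enables codecs by detection, and a missing development package normally turns LZMA support off quietly instead of failing the build. Unless the base build environment is known to always provide the 64-bit liblzma headers (not visible in this diff), keep `- pkgconfig(liblzma)` in the list alongside the two new 32-bit entries.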
@@ -57,7 +57,7 @@ programming.devel - libtiff + libtiff /usr/include/ @@ -82,7 +82,7 @@ The LibTIFF package contains the TIFF libraries and associated utilities. The libraries are used by many programs for reading and writing TIFF files and the utilities are used for general work with TIFF files. - libtiff + libtiff /usr/bin @@ -90,12 +90,12 @@ - - 2017-04-15 - 4.0.7 + + 2017-05-22 + 4.0.8 Packaging update - Joshua Strobl - joshua@stroblindustries.com + Pierre-Yves + pyu@riseup.net \ No newline at end of file