Change-Id: I51538093f76d8ff7d2f3c1a3736e0aad30a641d5
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6265
Tested-by: michellew <michellew@vmware.com>
Reviewed-by: Sharath George
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,33 @@ |
0 |
+commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e |
|
1 |
+Author: Young_X <YangX92@hotmail.com> |
|
2 |
+Date: Sat Sep 8 14:46:27 2018 +0800 |
|
3 |
+ |
|
4 |
+ avoid potential int32 overflows in multiply_ms() |
|
5 |
+ |
|
6 |
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c |
|
7 |
+index af6e412..c2d5925 100644 |
|
8 |
+--- a/tools/ppm2tiff.c |
|
9 |
+@@ -70,15 +70,16 @@ BadPPM(char* file) |
|
10 |
+ exit(-2); |
|
11 |
+ } |
|
12 |
+ |
|
13 |
++ |
|
14 |
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) |
|
15 |
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) |
|
16 |
++ |
|
17 |
+ static tmsize_t |
|
18 |
+ multiply_ms(tmsize_t m1, tmsize_t m2) |
|
19 |
+ { |
|
20 |
+- tmsize_t bytes = m1 * m2; |
|
21 |
+- |
|
22 |
+- if (m1 && bytes / m1 != m2) |
|
23 |
+- bytes = 0; |
|
24 |
+- |
|
25 |
+- return bytes; |
|
26 |
++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) |
|
27 |
++ return 0; |
|
28 |
++ return m1 * m2; |
|
29 |
+ } |
|
30 |
+ |
|
31 |
+ int |
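Review bot: The new guard in multiply_ms() bounds only the upper side, but tmsize_t is signed. With m1 > 0 and a negative m2, the test `m2 > TIFF_TMSIZE_T_MAX / m1` is false and `m1 * m2` is still evaluated, which can overflow. The callers are outside this hunk, so it needs confirming whether a negative operand can arrive, for example from an unsigned width converted where tmsize_t is 32 bits. If it can, `if( m1 <= 0 || m2 < 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) return 0;` rejects it up front. Separately, TIFF_TMSIZE_T_MAX should be wrapped in outer parentheses, `((tmsize_t)(TIFF_SIZE_T_MAX >> 1))`, and a one-line comment that 0 is the overflow sentinel would help readers of the call sites.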
0 | 32 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,64 @@ |
0 |
+commit f1b94e8a3ba49febdd3361c0214a1d1149251577 |
|
1 |
+Author: Young_X <YangX92@hotmail.com> |
|
2 |
+Date: Sat Sep 8 14:36:12 2018 +0800 |
|
3 |
+ |
|
4 |
+ only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 |
|
5 |
+ |
|
6 |
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c |
|
7 |
+index 01fcf94..01d8502 100644 |
|
8 |
+--- a/tools/pal2rgb.c |
|
9 |
+@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out) |
|
10 |
+ { |
|
11 |
+ struct cpTag *p; |
|
12 |
+ for (p = tags; p < &tags[NTAGS]; p++) |
|
13 |
+- cpTag(in, out, p->tag, p->count, p->type); |
|
14 |
++ { |
|
15 |
++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) |
|
16 |
++ { |
|
17 |
++ uint16 compression; |
|
18 |
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || |
|
19 |
++ compression != COMPRESSION_CCITTFAX3 ) |
|
20 |
++ continue; |
|
21 |
++ } |
|
22 |
++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) |
|
23 |
++ { |
|
24 |
++ uint16 compression; |
|
25 |
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || |
|
26 |
++ compression != COMPRESSION_CCITTFAX4 ) |
|
27 |
++ continue; |
|
28 |
++ } |
|
29 |
++ cpTag(in, out, p->tag, p->count, p->type); |
|
30 |
++ } |
|
31 |
+ } |
|
32 |
+ #undef NTAGS |
|
33 |
+ |
|
34 |
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c |
|
35 |
+index 05faba8..5bef314 100644 |
|
36 |
+--- a/tools/tiff2bw.c |
|
37 |
+@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out) |
|
38 |
+ { |
|
39 |
+ struct cpTag *p; |
|
40 |
+ for (p = tags; p < &tags[NTAGS]; p++) |
|
41 |
+- cpTag(in, out, p->tag, p->count, p->type); |
|
42 |
++ { |
|
43 |
++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) |
|
44 |
++ { |
|
45 |
++ uint16 compression; |
|
46 |
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || |
|
47 |
++ compression != COMPRESSION_CCITTFAX3 ) |
|
48 |
++ continue; |
|
49 |
++ } |
|
50 |
++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) |
|
51 |
++ { |
|
52 |
++ uint16 compression; |
|
53 |
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || |
|
54 |
++ compression != COMPRESSION_CCITTFAX4 ) |
|
55 |
++ continue; |
|
56 |
++ } |
|
57 |
++ cpTag(in, out, p->tag, p->count, p->type); |
|
58 |
++ } |
|
59 |
+ } |
|
60 |
+ #undef NTAGS |
|
61 |
+ |
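Review bot: Neither cpTags() loop, in pal2rgb.c or tiff2bw.c, carries a comment explaining why the two fax option tags are skipped, so the reason for the guard exists only in the commit message. A line such as `/* GROUP3OPTIONS/GROUP4OPTIONS are only copied when the input uses the matching CCITT fax compression */` above the first `if` in each loop would keep that intent next to the code. The compression value is also fetched again for every matching tag and the check is duplicated across the two tools; reading it once before the loop would be tidier, though staying identical to the upstream commit is a fair reason to leave the backport as it is. Any other tool in the tree that carries the same tag table would presumably need the same guard, which cannot be confirmed from this page.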
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: TIFF libraries and associated utilities. |
2 | 2 |
Name: libtiff |
3 | 3 |
Version: 4.0.9 |
4 |
-Release: 4%{?dist} |
|
4 |
+Release: 5%{?dist} |
|
5 | 5 |
License: libtiff |
6 | 6 |
URL: http://www.simplesystems.org/libtiff/ |
7 | 7 |
Group: System Environment/Libraries |
... | ... |
@@ -17,6 +17,8 @@ Patch4: libtiff-4.0-9-CVE-2017-11613-1.patch |
17 | 17 |
Patch5: libtiff-4.0-9-CVE-2017-11613-2.patch |
18 | 18 |
Patch6: libtiff-4.0-9-CVE-2018-7456.patch |
19 | 19 |
Patch7: libtiff-4.0.9-CVE-2018-8905.patch |
20 |
+Patch8: libtiff-4.0.9-CVE-2018-17100.patch |
|
21 |
+Patch9: libtiff-4.0.9-CVE-2018-17101.patch |
|
20 | 22 |
BuildRequires: libjpeg-turbo-devel |
21 | 23 |
Requires: libjpeg-turbo |
22 | 24 |
%description |
... | ... |
@@ -39,6 +41,8 @@ It contains the libraries and header files to create applications |
39 | 39 |
%patch5 -p1 |
40 | 40 |
%patch6 -p1 |
41 | 41 |
%patch7 -p1 |
42 |
+%patch8 -p1 |
|
43 |
+%patch9 -p1 |
|
42 | 44 |
%build |
43 | 45 |
%configure \ |
44 | 46 |
--disable-static |
... | ... |
@@ -72,6 +76,8 @@ make %{?_smp_mflags} -k check |
72 | 72 |
%{_datadir}/man/man3/* |
73 | 73 |
|
74 | 74 |
%changelog |
75 |
+* Sun Dec 02 2018 Ashwin H <xiaolinl@vmware.com> 4.0.9-5 |
|
76 |
+- Fix CVE-2018-17100, CVE-2018-17101 |
|
75 | 77 |
* Mon May 14 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.9-4 |
76 | 78 |
- Fix CVE-2018-7456, CVE-2018-8905, CVE-2018-5784, CVE-2017-11613 |
77 | 79 |
* Wed Feb 14 2018 Dheeraj Shetty <dheerajs@vmware.com> 4.0.9-3 |