Change-Id: I90e94761c0c77f52690096e89d5e050052d140ca
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5160
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Ashok Venkiteswaran
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,107 @@ |
0 |
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c |
|
1 |
+index 6baa7b3..af5b84a 100644 |
|
2 |
+--- a/libtiff/tif_dirread.c |
|
3 |
+@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin |
|
4 |
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); |
|
5 |
+ static void ChopUpSingleUncompressedStrip(TIFF*); |
|
6 |
+ static uint64 TIFFReadUInt64(const uint8 *value); |
|
7 |
++static int _TIFFGetMaxColorChannels(uint16 photometric); |
|
8 |
+ |
|
9 |
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); |
|
10 |
+ |
|
11 |
+@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c |
|
12 |
+ } |
|
13 |
+ |
|
14 |
+ /* |
|
15 |
++ * Return the maximum number of color channels specified for a given photometric |
|
16 |
++ * type. 0 is returned if photometric type isn't supported or no default value |
|
17 |
++ * is defined by the specification. |
|
18 |
++ */ |
|
19 |
++static int _TIFFGetMaxColorChannels( uint16 photometric ) |
|
20 |
++{ |
|
21 |
++ switch (photometric) { |
|
22 |
++ case PHOTOMETRIC_PALETTE: |
|
23 |
++ case PHOTOMETRIC_MINISWHITE: |
|
24 |
++ case PHOTOMETRIC_MINISBLACK: |
|
25 |
++ return 1; |
|
26 |
++ case PHOTOMETRIC_YCBCR: |
|
27 |
++ case PHOTOMETRIC_RGB: |
|
28 |
++ case PHOTOMETRIC_CIELAB: |
|
29 |
++ return 3; |
|
30 |
++ case PHOTOMETRIC_SEPARATED: |
|
31 |
++ case PHOTOMETRIC_MASK: |
|
32 |
++ return 4; |
|
33 |
++ case PHOTOMETRIC_LOGL: |
|
34 |
++ case PHOTOMETRIC_LOGLUV: |
|
35 |
++ case PHOTOMETRIC_CFA: |
|
36 |
++ case PHOTOMETRIC_ITULAB: |
|
37 |
++ case PHOTOMETRIC_ICCLAB: |
|
38 |
++ default: |
|
39 |
++ return 0; |
|
40 |
++ } |
|
41 |
++} |
|
42 |
++ |
|
43 |
++/* |
|
44 |
+ * Read the next TIFF directory from a file and convert it to the internal |
|
45 |
+ * format. We read directories sequentially. |
|
46 |
+ */ |
|
47 |
+@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif) |
|
48 |
+ uint32 fii=FAILED_FII; |
|
49 |
+ toff_t nextdiroff; |
|
50 |
+ int bitspersample_read = FALSE; |
|
51 |
++ int color_channels; |
|
52 |
+ |
|
53 |
+ tif->tif_diroff=tif->tif_nextdiroff; |
|
54 |
+ if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) |
|
55 |
+@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif) |
|
56 |
+ } |
|
57 |
+ } |
|
58 |
+ } |
|
59 |
++ |
|
60 |
++ /* |
|
61 |
++ * Make sure all non-color channels are extrasamples. |
|
62 |
++ * If it's not the case, define them as such. |
|
63 |
++ */ |
|
64 |
++ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); |
|
65 |
++ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { |
|
66 |
++ uint16 old_extrasamples; |
|
67 |
++ uint16 *new_sampleinfo; |
|
68 |
++ |
|
69 |
++ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " |
|
70 |
++ "color channels and ExtraSamples doesn't match SamplesPerPixel. " |
|
71 |
++ "Defining non-color channels as ExtraSamples."); |
|
72 |
++ |
|
73 |
++ old_extrasamples = tif->tif_dir.td_extrasamples; |
|
74 |
++ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); |
|
75 |
++ |
|
76 |
++ // sampleinfo should contain information relative to these new extra samples |
|
77 |
++ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); |
|
78 |
++ if (!new_sampleinfo) { |
|
79 |
++ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " |
|
80 |
++ "temporary new sampleinfo array (%d 16 bit elements)", |
|
81 |
++ tif->tif_dir.td_extrasamples); |
|
82 |
++ goto bad; |
|
83 |
++ } |
|
84 |
++ |
|
85 |
++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); |
|
86 |
++ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); |
|
87 |
++ _TIFFfree(new_sampleinfo); |
|
88 |
++ } |
|
89 |
++ |
|
90 |
+ /* |
|
91 |
+ * Verify Palette image has a Colormap. |
|
92 |
+ */ |
|
93 |
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c |
|
94 |
+index 8deceb2..1d86adb 100644 |
|
95 |
+--- a/libtiff/tif_print.c |
|
96 |
+@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) |
|
97 |
+ uint16 i; |
|
98 |
+ fprintf(fd, " %2ld: %5u", |
|
99 |
+ l, td->td_transferfunction[0][l]); |
|
100 |
+- for (i = 1; i < td->td_samplesperpixel; i++) |
|
101 |
++ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) |
|
102 |
+ fprintf(fd, " %5u", |
|
103 |
+ td->td_transferfunction[i][l]); |
|
104 |
+ fputc('\n', fd); |
0 | 105 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,37 @@ |
0 |
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c |
|
1 |
+index 4ccb443..94d85e3 100644 |
|
2 |
+--- a/libtiff/tif_lzw.c |
|
3 |
+@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) |
|
4 |
+ char *tp; |
|
5 |
+ unsigned char *bp; |
|
6 |
+ int code, nbits; |
|
7 |
++ int len; |
|
8 |
+ long nextbits, nextdata, nbitsmask; |
|
9 |
+ code_t *codep, *free_entp, *maxcodep, *oldcodep; |
|
10 |
+ |
|
11 |
+@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) |
|
12 |
+ } while (--occ); |
|
13 |
+ break; |
|
14 |
+ } |
|
15 |
+- assert(occ >= codep->length); |
|
16 |
+- op += codep->length; |
|
17 |
+- occ -= codep->length; |
|
18 |
+- tp = op; |
|
19 |
++ len = codep->length; |
|
20 |
++ tp = op + len; |
|
21 |
+ do { |
|
22 |
+- *--tp = codep->value; |
|
23 |
+- } while( (codep = codep->next) != NULL ); |
|
24 |
++ int t; |
|
25 |
++ --tp; |
|
26 |
++ t = codep->value; |
|
27 |
++ codep = codep->next; |
|
28 |
++ *tp = (char)t; |
|
29 |
++ } while (codep && tp > op); |
|
30 |
++ assert(occ >= len); |
|
31 |
++ op += len; |
|
32 |
++ occ -= len; |
|
33 |
+ } else { |
|
34 |
+ *op++ = (char)code; |
|
35 |
+ occ--; |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: TIFF libraries and associated utilities. |
2 | 2 |
Name: libtiff |
3 | 3 |
Version: 4.0.9 |
4 |
-Release: 4%{?dist} |
|
4 |
+Release: 5%{?dist} |
|
5 | 5 |
License: libtiff |
6 | 6 |
URL: http://www.simplesystems.org/libtiff/ |
7 | 7 |
Group: System Environment/Libraries |
... | ... |
@@ -16,6 +16,9 @@ Patch2: libtiff-4.0.9-CVE-2017-17095.patch |
16 | 16 |
Patch3: libtiff-4.0.9-CVE-2018-5784.patch |
17 | 17 |
Patch4: libtiff-4.0-9-CVE-2017-11613-1.patch |
18 | 18 |
Patch5: libtiff-4.0-9-CVE-2017-11613-2.patch |
19 |
+Patch6: libtiff-4.0-9-CVE-2018-7456.patch |
|
20 |
+Patch7: libtiff-4.0.9-CVE-2018-8905.patch |
|
21 |
+ |
|
19 | 22 |
BuildRequires: libjpeg-turbo-devel |
20 | 23 |
Requires: libjpeg-turbo |
21 | 24 |
%description |
... | ... |
@@ -36,6 +39,8 @@ It contains the libraries and header files to create applications |
36 | 36 |
%patch3 -p1 |
37 | 37 |
%patch4 -p1 |
38 | 38 |
%patch5 -p1 |
39 |
+%patch6 -p1 |
|
40 |
+%patch7 -p1 |
|
39 | 41 |
%build |
40 | 42 |
%configure \ |
41 | 43 |
--disable-static |
... | ... |
@@ -69,6 +74,8 @@ make %{?_smp_mflags} -k check |
69 | 69 |
%{_datadir}/man/man3/* |
70 | 70 |
|
71 | 71 |
%changelog |
72 |
+* Mon May 14 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.9-5 |
|
73 |
+- Fix CVE-2018-7456, CVE-2018-8905 |
|
72 | 74 |
* Fri Apr 20 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.9-4 |
73 | 75 |
- Patches for CVE-2018-5784, CVE-2017-11613 |
74 | 76 |
* Wed Feb 14 2018 Dheeraj Shetty <dheerajs@vmware.com> 4.0.9-3 |