GitList

Browse code

BUG 2139746 [CVE-2018-10963] package : libtiff

Changes are done in spec file and added a patch.
Fix for assertion failure and application crash in libtiff-4.0.9 pkg.

Change-Id: I5347a3a9f8ffbda5badc1cda9c17a5bb867ea671
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5272
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George

Ankit Jain authored on 2018/06/19 23:19:18
Showing 2 changed files

SPECS/libtiff/libtiff-4.0.9-CVE-2018-10963.patch index 0000000..63bc107
SPECS/libtiff/libtiff.spec index 2d96f04..961c0c6 100644

SPECS/libtiff/libtiff-4.0.9-CVE-2018-10963.patch

History View file @ 3a4dee1

                     new file mode 100644
@@ -0,0 +1,18 @@
                     +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
                     +index 2430de6d0c0dacf2cb3d228573972cc3ea3a153d..c15a28dbd8fcb99b81fa5a1d44fcbcda881f42a7 100644
                     +--- a/libtiff/tif_dirwrite.c
                     +@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
                     + 								}
                     + 								break;
                     + 							default:
                     +-								assert(0);   /* we should never get here */
                     +-								break;
                     ++								TIFFErrorExt(tif->tif_clientdata,module,
                     ++								            "Cannot write tag %d (%s)",
                     ++								            TIFFFieldTag(o),
                     ++                                                                            o->field_name ? o->field_name : "unknown");
                     ++								goto bad;
                     + 						}
                     + 					}
                     + 				}

SPECS/libtiff/libtiff.spec

History View file @ 3a4dee1

@@ -1,7 +1,7 @@
                      Summary:        TIFF libraries and associated utilities.
                      Name:           libtiff
                      Version:        4.0.9
                     -Release:        5%{?dist}
                     +Release:        6%{?dist}
                      License:        libtiff
                      URL:            http://www.simplesystems.org/libtiff/
                      Group:          System Environment/Libraries
@@ -18,6 +18,7 @@ Patch4:         libtiff-4.0-9-CVE-2017-11613-1.patch
                      Patch5:         libtiff-4.0-9-CVE-2017-11613-2.patch
                      Patch6:         libtiff-4.0-9-CVE-2018-7456.patch
                      Patch7:         libtiff-4.0.9-CVE-2018-8905.patch
                     +Patch8:         libtiff-4.0.9-CVE-2018-10963.patch
                      BuildRequires:  libjpeg-turbo-devel
                      Requires:       libjpeg-turbo
@@ -41,6 +42,7 @@ It contains the libraries and header files to create applications
                      %patch5 -p1
                      %patch6 -p1
                      %patch7 -p1
                     +%patch8 -p1
                      %build
                      %configure \
                          --disable-static
@@ -74,6 +76,8 @@ make %{?_smp_mflags} -k check
                      %{_datadir}/man/man3/*
                      %changelog
                     +*   Tue Jun 19 2018 Ankit Jain <ankitja@vmware.com> 4.0.9-6
                     +-   Fix CVE-2018-10963
                      *   Mon May 14 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.9-5
                      -   Fix CVE-2018-7456, CVE-2018-8905
                      *   Fri Apr 20 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.9-4