Change-Id: Ie8299d0979ed7bb21e3143fc03728257eb0731f4
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1445
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: suezzelur <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,45 @@ |
0 |
+--- a/libtiff/tif_getimage.c 2016-09-22 14:12:27.736377724 -0700 |
|
1 |
+@@ -1822,10 +1822,10 @@ |
|
2 |
+ (void) y; |
|
3 |
+ /* adjust fromskew */ |
|
4 |
+ fromskew = (fromskew * 18) / 4; |
|
5 |
+- if ((h & 3) == 0 && (w & 3) == 0) { |
|
6 |
++ if ((w & 3) == 0 && (h & 1) == 0) { |
|
7 |
+ for (; h >= 4; h -= 4) { |
|
8 |
+ x = w>>2; |
|
9 |
+- do { |
|
10 |
++ while(x>0) { |
|
11 |
+ int32 Cb = pp[16]; |
|
12 |
+ int32 Cr = pp[17]; |
|
13 |
+ |
|
14 |
+@@ -1848,7 +1848,8 @@ |
|
15 |
+ |
|
16 |
+ cp += 4, cp1 += 4, cp2 += 4, cp3 += 4; |
|
17 |
+ pp += 18; |
|
18 |
+- } while (--x); |
|
19 |
++ x--; |
|
20 |
++ } |
|
21 |
+ cp += incr, cp1 += incr, cp2 += incr, cp3 += incr; |
|
22 |
+ pp += fromskew; |
|
23 |
+ } |
|
24 |
+@@ -2094,7 +2095,7 @@ |
|
25 |
+ { |
|
26 |
+ (void) y; |
|
27 |
+ fromskew = (fromskew * 4) / 2; |
|
28 |
+- do { |
|
29 |
++ while(x>0) { |
|
30 |
+ x = w>>1; |
|
31 |
+ while(x>0) { |
|
32 |
+ int32 Cb = pp[2]; |
|
33 |
+@@ -2121,7 +2122,8 @@ |
|
34 |
+ |
|
35 |
+ cp += toskew; |
|
36 |
+ pp += fromskew; |
|
37 |
+- } while (--h); |
|
38 |
++ x --; |
|
39 |
++ } |
|
40 |
+ } |
|
41 |
+ |
|
42 |
+ /* |
|
43 |
+ |
0 | 44 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,22 @@ |
0 |
+diff tools/tiffsplit.c tools/tiffsplit.c |
|
1 |
+--- tiff-4.0.6/tools/tiffsplit.c 2015-08-28 15:17:08.392793517 -0700 |
|
2 |
+@@ -179,7 +179,8 @@ |
|
3 |
+ TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table); |
|
4 |
+ } |
|
5 |
+ } |
|
6 |
+- CopyField(TIFFTAG_PHOTOMETRIC, shortv); |
|
7 |
++ uint32 count = 0; |
|
8 |
++ CopyField2(TIFFTAG_PREDICTOR, count, shortv); |
|
9 |
+ CopyField(TIFFTAG_PREDICTOR, shortv); |
|
10 |
+ CopyField(TIFFTAG_THRESHHOLDING, shortv); |
|
11 |
+ CopyField(TIFFTAG_FILLORDER, shortv); |
|
12 |
+@@ -188,7 +189,7 @@ |
|
13 |
+ CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv); |
|
14 |
+ CopyField(TIFFTAG_XRESOLUTION, floatv); |
|
15 |
+ CopyField(TIFFTAG_YRESOLUTION, floatv); |
|
16 |
+- CopyField(TIFFTAG_GROUP3OPTIONS, longv); |
|
17 |
++ CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv); |
|
18 |
+ CopyField(TIFFTAG_GROUP4OPTIONS, longv); |
|
19 |
+ CopyField(TIFFTAG_RESOLUTIONUNIT, shortv); |
|
20 |
+ CopyField(TIFFTAG_PLANARCONFIG, shortv); |
0 | 21 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,48 @@ |
0 |
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c |
|
1 |
+index 376f4e6..c747c13 100644 |
|
2 |
+--- a/tools/bmp2tiff.c |
|
3 |
+@@ -648,27 +648,26 @@ |
|
4 |
+ || info_hdr.iCompression == BMPC_RLE4 ) { |
|
5 |
+ uint32 i, j, k, runlength; |
|
6 |
+ uint32 compr_size, uncompr_size; |
|
7 |
++ uint32 bits = 0; |
|
8 |
+ unsigned char *comprbuf; |
|
9 |
+ unsigned char *uncomprbuf; |
|
10 |
+ |
|
11 |
+ compr_size = file_hdr.iSize - file_hdr.iOffBits; |
|
12 |
+- uncompr_size = width * length; |
|
13 |
+- /* Detect int overflow */ |
|
14 |
+- if( uncompr_size / width != length ) { |
|
15 |
+- TIFFError(infilename, |
|
16 |
+- "Invalid dimensions of BMP file" ); |
|
17 |
+- close(fd); |
|
18 |
+- return -1; |
|
19 |
+- } |
|
20 |
+- if ( (compr_size == 0) || |
|
21 |
+- (compr_size > ((uint32) ~0) >> 1) || |
|
22 |
+- (uncompr_size == 0) || |
|
23 |
+- (uncompr_size > ((uint32) ~0) >> 1) ) { |
|
24 |
+- TIFFError(infilename, |
|
25 |
+- "Invalid dimensions of BMP file" ); |
|
26 |
+- close(fd); |
|
27 |
+- return -1; |
|
28 |
+- } |
|
29 |
++ bits = info_hdr.iBitCount; |
|
30 |
++ |
|
31 |
++ if (bits > 8) // bit depth is > 8bit, adjust size |
|
32 |
++ { |
|
33 |
++ uncompr_size = width * length * (bits / 8); |
|
34 |
++ /* Detect int overflow */ |
|
35 |
++ if (uncompr_size / width / (bits / 8) != length) { |
|
36 |
++ TIFFError(infilename, |
|
37 |
++ "Invalid dimensions of BMP file"); |
|
38 |
++ close(fd); |
|
39 |
++ return -1; |
|
40 |
++ } |
|
41 |
++ } |
|
42 |
++ else |
|
43 |
++ uncompr_size = width * length; |
|
44 |
+ comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); |
|
45 |
+ if (!comprbuf) { |
|
46 |
+ TIFFError(infilename, |
0 | 47 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,100 @@ |
0 |
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c |
|
1 |
+index cdeff08..261aad6 100644 |
|
2 |
+--- a/libtiff/tif_getimage.c |
|
3 |
+@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) |
|
4 |
+ "Planarconfiguration", td->td_planarconfig); |
|
5 |
+ return (0); |
|
6 |
+ } |
|
7 |
+- if( td->td_samplesperpixel != 3 ) |
|
8 |
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) |
|
9 |
+ { |
|
10 |
+ sprintf(emsg, |
|
11 |
+- "Sorry, can not handle image with %s=%d", |
|
12 |
+- "Samples/pixel", td->td_samplesperpixel); |
|
13 |
++ "Sorry, can not handle image with %s=%d, %s=%d", |
|
14 |
++ "Samples/pixel", td->td_samplesperpixel, |
|
15 |
++ "colorchannels", colorchannels); |
|
16 |
+ return 0; |
|
17 |
+ } |
|
18 |
+ break; |
|
19 |
+ case PHOTOMETRIC_CIELAB: |
|
20 |
+- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) |
|
21 |
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) |
|
22 |
+ { |
|
23 |
+ sprintf(emsg, |
|
24 |
+- "Sorry, can not handle image with %s=%d and %s=%d", |
|
25 |
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", |
|
26 |
+ "Samples/pixel", td->td_samplesperpixel, |
|
27 |
++ "colorchannels", colorchannels, |
|
28 |
+ "Bits/sample", td->td_bitspersample); |
|
29 |
+ return 0; |
|
30 |
+ } |
|
31 |
+@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024]) |
|
32 |
+ int colorchannels; |
|
33 |
+ uint16 *red_orig, *green_orig, *blue_orig; |
|
34 |
+ int n_color; |
|
35 |
++ |
|
36 |
++ if( !TIFFRGBAImageOK(tif, emsg) ) |
|
37 |
++ return 0; |
|
38 |
+ |
|
39 |
+ /* Initialize to normal values */ |
|
40 |
+ img->row_offset = 0; |
|
41 |
+@@ -2509,29 +2514,33 @@ PickContigCase(TIFFRGBAImage* img) |
|
42 |
+ case PHOTOMETRIC_RGB: |
|
43 |
+ switch (img->bitspersample) { |
|
44 |
+ case 8: |
|
45 |
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) |
|
46 |
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && |
|
47 |
++ img->samplesperpixel >= 4) |
|
48 |
+ img->put.contig = putRGBAAcontig8bittile; |
|
49 |
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) |
|
50 |
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && |
|
51 |
++ img->samplesperpixel >= 4) |
|
52 |
+ { |
|
53 |
+ if (BuildMapUaToAa(img)) |
|
54 |
+ img->put.contig = putRGBUAcontig8bittile; |
|
55 |
+ } |
|
56 |
+- else |
|
57 |
++ else if( img->samplesperpixel >= 3 ) |
|
58 |
+ img->put.contig = putRGBcontig8bittile; |
|
59 |
+ break; |
|
60 |
+ case 16: |
|
61 |
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) |
|
62 |
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && |
|
63 |
++ img->samplesperpixel >=4 ) |
|
64 |
+ { |
|
65 |
+ if (BuildMapBitdepth16To8(img)) |
|
66 |
+ img->put.contig = putRGBAAcontig16bittile; |
|
67 |
+ } |
|
68 |
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) |
|
69 |
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && |
|
70 |
++ img->samplesperpixel >=4 ) |
|
71 |
+ { |
|
72 |
+ if (BuildMapBitdepth16To8(img) && |
|
73 |
+ BuildMapUaToAa(img)) |
|
74 |
+ img->put.contig = putRGBUAcontig16bittile; |
|
75 |
+ } |
|
76 |
+- else |
|
77 |
++ else if( img->samplesperpixel >=3 ) |
|
78 |
+ { |
|
79 |
+ if (BuildMapBitdepth16To8(img)) |
|
80 |
+ img->put.contig = putRGBcontig16bittile; |
|
81 |
+@@ -2540,7 +2549,7 @@ PickContigCase(TIFFRGBAImage* img) |
|
82 |
+ } |
|
83 |
+ break; |
|
84 |
+ case PHOTOMETRIC_SEPARATED: |
|
85 |
+- if (buildMap(img)) { |
|
86 |
++ if (img->samplesperpixel >=4 && buildMap(img)) { |
|
87 |
+ if (img->bitspersample == 8) { |
|
88 |
+ if (!img->Map) |
|
89 |
+ img->put.contig = putRGBcontig8bitCMYKtile; |
|
90 |
+@@ -2636,7 +2645,7 @@ PickContigCase(TIFFRGBAImage* img) |
|
91 |
+ } |
|
92 |
+ break; |
|
93 |
+ case PHOTOMETRIC_CIELAB: |
|
94 |
+- if (buildMap(img)) { |
|
95 |
++ if (img->samplesperpixel == 3 && buildMap(img)) { |
|
96 |
+ if (img->bitspersample == 8) |
|
97 |
+ img->put.contig = initCIELabConversion(img); |
|
98 |
+ break; |
0 | 99 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,11 @@ |
0 |
+--- tiff-4.0.6/tools/gif2tiff.c 2015-08-28 15:17:08.160498720 -0700 |
|
1 |
+@@ -349,7 +349,7 @@ |
|
2 |
+ int status = 1; |
|
3 |
+ |
|
4 |
+ (void) getc(infile); |
|
5 |
+- while ((count = getc(infile)) && count <= 255) |
|
6 |
++ while ((count = getc(infile)) && count >= 0 && count <= 255) |
|
7 |
+ if (fread(buf, 1, count, infile) != (size_t) count) { |
|
8 |
+ fprintf(stderr, "short read from file %s (%s)\n", |
|
9 |
+ filename, strerror(errno)); |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: TIFF libraries and associated utilities. |
2 | 2 |
Name: libtiff |
3 | 3 |
Version: 4.0.6 |
4 |
-Release: 1 |
|
4 |
+Release: 2%{?dist} |
|
5 | 5 |
License: libtiff |
6 | 6 |
URL: http://www.remotesensing.org/libtiff |
7 | 7 |
Group: System Environment/Libraries |
... | ... |
@@ -9,6 +9,11 @@ Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://download.osgeo.org/%{name}/tiff-%{version}.tar.gz |
11 | 11 |
%define sha1 tiff=280e27704eaca5f592b82e71ac0c78b87395e2de |
12 |
+Patch0: libtiff-4.0.6-CVE-2015-8668.patch |
|
13 |
+Patch1: libtiff-4.0.6-CVE-2015-7554.patch |
|
14 |
+Patch2: libtiff-4.0.6-CVE-2015-8683+CVE-2015-8665.patch |
|
15 |
+Patch3: libtiff-4.0.6-CVE-2016-3186.patch |
|
16 |
+Patch4: libtiff-4.0.6-CVE-2015-1547.patch |
|
12 | 17 |
BuildRequires: libjpeg-turbo-devel |
13 | 18 |
Requires: libjpeg-turbo |
14 | 19 |
%description |
... | ... |
@@ -22,6 +27,11 @@ It contains the libraries and header files to create applications |
22 | 22 |
|
23 | 23 |
%prep |
24 | 24 |
%setup -q -n tiff-%{version} |
25 |
+%patch0 -p1 |
|
26 |
+%patch1 -p1 |
|
27 |
+%patch2 -p1 |
|
28 |
+%patch3 -p1 |
|
29 |
+%patch4 -p1 |
|
25 | 30 |
|
26 | 31 |
%build |
27 | 32 |
./configure \ |
... | ... |
@@ -52,5 +62,8 @@ find %{buildroot} -name '*.la' -delete |
52 | 52 |
%{_libdir}/pkgconfig/*.pc |
53 | 53 |
|
54 | 54 |
%changelog |
55 |
+* Thu Sep 22 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.0.6-2 |
|
56 |
+- Fixed security issues : CVE-2015-8668, CVE-2015-7554, CVE-2015-8683+CVE-2015-8665,CVE-2016-3186 |
|
57 |
+ CVE-2015-1547 |
|
55 | 58 |
* Wed Jul 27 2016 Divya Thaluru <dthaluru@vmware.com> 4.0.6-1 |
56 | 59 |
- Initial version |