Change-Id: I382e7cfc8de0a4cce41a9c270e35da18b04fee19
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1988
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: suezzelur <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,68 @@ |
0 |
+From 5c080298d59efa53264d7248bbe3a04660db6ef7 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: erouault <erouault> |
|
2 |
+Date: Wed, 11 Jan 2017 19:25:44 +0000 |
|
3 |
+Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow |
|
4 |
+ and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based |
|
5 |
+ overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and |
|
6 |
+ http://bugzilla.maptools.org/show_bug.cgi?id=2657 |
|
7 |
+ |
|
8 |
+--- |
|
9 |
+ tools/tiffcp.c | 24 ++++++++++++++++++++++-- |
|
10 |
+ 2 files changed, 29 insertions(+), 2 deletions(-) |
|
11 |
+ |
|
12 |
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c |
|
13 |
+index bdf754c..8bbcd52 100644 |
|
14 |
+--- a/tools/tiffcp.c |
|
15 |
+@@ -591,7 +591,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16); |
|
16 |
+ static int |
|
17 |
+ tiffcp(TIFF* in, TIFF* out) |
|
18 |
+ { |
|
19 |
+- uint16 bitspersample, samplesperpixel = 1; |
|
20 |
++ uint16 bitspersample = 1, samplesperpixel = 1; |
|
21 |
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; |
|
22 |
+ copyFunc cf; |
|
23 |
+ uint32 width, length; |
|
24 |
+@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow) |
|
25 |
+ register uint32 n; |
|
26 |
+ uint32 row; |
|
27 |
+ tsample_t s; |
|
28 |
++ uint16 bps = 0; |
|
29 |
++ |
|
30 |
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); |
|
31 |
++ if( bps != 8 ) |
|
32 |
++ { |
|
33 |
++ TIFFError(TIFFFileName(in), |
|
34 |
++ "Error, can only handle BitsPerSample=8 in %s", |
|
35 |
++ "cpContig2SeparateByRow"); |
|
36 |
++ return 0; |
|
37 |
++ } |
|
38 |
+ |
|
39 |
+ inbuf = _TIFFmalloc(scanlinesizein); |
|
40 |
+ outbuf = _TIFFmalloc(scanlinesizeout); |
|
41 |
+@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow) |
|
42 |
+ register uint32 n; |
|
43 |
+ uint32 row; |
|
44 |
+ tsample_t s; |
|
45 |
++ uint16 bps = 0; |
|
46 |
++ |
|
47 |
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); |
|
48 |
++ if( bps != 8 ) |
|
49 |
++ { |
|
50 |
++ TIFFError(TIFFFileName(in), |
|
51 |
++ "Error, can only handle BitsPerSample=8 in %s", |
|
52 |
++ "cpSeparate2ContigByRow"); |
|
53 |
++ return 0; |
|
54 |
++ } |
|
55 |
+ |
|
56 |
+ inbuf = _TIFFmalloc(scanlinesizein); |
|
57 |
+ outbuf = _TIFFmalloc(scanlinesizeout); |
|
58 |
+@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel) |
|
59 |
+ uint32 w, l, tw, tl; |
|
60 |
+ int bychunk; |
|
61 |
+ |
|
62 |
+- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); |
|
63 |
++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); |
|
64 |
+ if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { |
|
65 |
+ fprintf(stderr, |
|
66 |
+ "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: TIFF libraries and associated utilities. |
2 | 2 |
Name: libtiff |
3 | 3 |
Version: 4.0.7 |
4 |
-Release: 1%{?dist} |
|
4 |
+Release: 2%{?dist} |
|
5 | 5 |
License: libtiff |
6 | 6 |
URL: http://www.remotesensing.org/libtiff |
7 | 7 |
Group: System Environment/Libraries |
... | ... |
@@ -11,6 +11,7 @@ Source0: http://download.osgeo.org/%{name}/tiff-%{version}.tar.gz |
11 | 11 |
%define sha1 tiff=2c1b64478e88f93522a42dd5271214a0e5eae648 |
12 | 12 |
Patch0: libtiff-4.0.6-CVE-2015-7554.patch |
13 | 13 |
Patch1: libtiff-4.0.6-CVE-2015-1547.patch |
14 |
+Patch2: libtiff-4.0.7-CVE-2017-5225.patch |
|
14 | 15 |
BuildRequires: libjpeg-turbo-devel |
15 | 16 |
Requires: libjpeg-turbo |
16 | 17 |
%description |
... | ... |
@@ -27,6 +28,7 @@ It contains the libraries and header files to create applications |
27 | 27 |
%setup -q -n tiff-%{version} |
28 | 28 |
%patch0 -p1 |
29 | 29 |
%patch1 -p1 |
30 |
+%patch2 -p1 |
|
30 | 31 |
|
31 | 32 |
%build |
32 | 33 |
./configure \ |
... | ... |
@@ -62,6 +64,8 @@ make %{?_smp_mflags} -k check |
62 | 62 |
%{_datadir}/man/man3/* |
63 | 63 |
|
64 | 64 |
%changelog |
65 |
+* Thu Jan 19 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 4.0.7-2 |
|
66 |
+- Patch : CVE-2017-5225 |
|
65 | 67 |
* Thu Nov 24 2016 Alexey Makhalov <amakhalov@vmware.com> 4.0.7-1 |
66 | 68 |
- Update to 4.0.7. It fixes CVE-2016-953[3456789] and CVE-2016-9540 |
67 | 69 |
- Remove obsolete patches |