Change-Id: I601677dc864c578aebfbf1d772d3cbfc955d3bb9
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6727
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,34 @@ |
| 0 |
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c |
|
| 1 |
+--- a/tools/pal2rgb.c |
|
| 2 |
+@@ -118,12 +118,14 @@ main(int argc, char* argv[]) |
|
| 3 |
+ shortv != PHOTOMETRIC_PALETTE) {
|
|
| 4 |
+ fprintf(stderr, "%s: Expecting a palette image.\n", |
|
| 5 |
+ argv[optind]); |
|
| 6 |
++ (void) TIFFClose(in); |
|
| 7 |
+ return (-1); |
|
| 8 |
+ } |
|
| 9 |
+ if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
|
|
| 10 |
+ fprintf(stderr, |
|
| 11 |
+ "%s: No colormap (not a valid palette image).\n", |
|
| 12 |
+ argv[optind]); |
|
| 13 |
++ (void) TIFFClose(in); |
|
| 14 |
+ return (-1); |
|
| 15 |
+ } |
|
| 16 |
+ bitspersample = 0; |
|
| 17 |
+@@ -131,11 +133,14 @@ main(int argc, char* argv[]) |
|
| 18 |
+ if (bitspersample != 8) {
|
|
| 19 |
+ fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", |
|
| 20 |
+ argv[optind]); |
|
| 21 |
++ (void) TIFFClose(in); |
|
| 22 |
+ return (-1); |
|
| 23 |
+ } |
|
| 24 |
+ out = TIFFOpen(argv[optind+1], "w"); |
|
| 25 |
+- if (out == NULL) |
|
| 26 |
++ if (out == NULL) {
|
|
| 27 |
++ (void) TIFFClose(in); |
|
| 28 |
+ return (-2); |
|
| 29 |
++ } |
|
| 30 |
+ cpTags(in, out); |
|
| 31 |
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); |
|
| 32 |
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); |
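Review bot: The new patch file, as far as the visible lines show, opens directly at `diff --git a/tools/pal2rgb.c` with no header recording where the fix came from. A later audit therefore cannot tell which upstream change this CVE-2019-6128 backport corresponds to, or whether it was modified on the way in. I would add a short header above the diff, for example `Origin: <upstream commit URL>` and `Subject: pal2rgb: close the input TIFF on error exits (CVE-2019-6128)`. The hunk header declares 34 lines and fewer are rendered here, so such a header may already exist in lines this page does not show. The embedded hunks cover only part of `main`, which starts and ends outside them, so the exit paths taken after `out` is opened cannot be checked from this page.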
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: TIFF libraries and associated utilities. |
| 2 | 2 |
Name: libtiff |
| 3 | 3 |
Version: 4.0.10 |
| 4 |
-Release: 2%{?dist}
|
|
| 4 |
+Release: 3%{?dist}
|
|
| 5 | 5 |
License: libtiff |
| 6 | 6 |
URL: http://www.simplesystems.org/libtiff/ |
| 7 | 7 |
Group: System Environment/Libraries |
| ... | ... |
@@ -10,6 +10,7 @@ Distribution: Photon |
| 10 | 10 |
Source0: https://gitlab.com/libtiff/libtiff/-/archive/v%{version}/libtiff-v%{version}.tar.gz
|
| 11 | 11 |
%define sha1 libtiff-v=e4ec512e56544d7586178dc69c7b5728f74fcc79 |
| 12 | 12 |
Patch0: CVE-2018-12900.patch |
| 13 |
+Patch1: CVE-2019-6128.patch |
|
| 13 | 14 |
BuildRequires: libjpeg-turbo-devel |
| 14 | 15 |
Requires: libjpeg-turbo |
| 15 | 16 |
%description |
| ... | ... |
@@ -25,6 +26,7 @@ It contains the libraries and header files to create applications |
| 25 | 25 |
%prep |
| 26 | 26 |
%setup -q -n libtiff-v%{version}
|
| 27 | 27 |
%patch0 -p1 |
| 28 |
+%patch1 -p1 |
|
| 28 | 29 |
|
| 29 | 30 |
%build |
| 30 | 31 |
sh autogen.sh |
| ... | ... |
@@ -60,6 +62,8 @@ make %{?_smp_mflags} -k check
|
| 60 | 60 |
%{_datadir}/man/man3/*
|
| 61 | 61 |
|
| 62 | 62 |
%changelog |
| 63 |
+* Thu Feb 14 2019 Keerthana K <keerthanak@vmware.com> 4.0.10-3 |
|
| 64 |
+- Fix for CVE-2019-6128 |
|
| 63 | 65 |
* Fri Feb 08 2019 Tapas Kundu <tkundu@vmware.com> 4.0.10-2 |
| 64 | 66 |
- Fix for CVE-2018-12900 |
| 65 | 67 |
* Thu Dec 27 2018 Ashwin H <ankitja@vmware.com> 4.0.10-1 |