Change-Id: I16ed6949fef2215aea5df9ca123fbed88f92efd8
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/2753
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,35 @@ |
0 |
+diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c |
|
1 |
+index 1ccc3f9b..f19e8fd0 100644 |
|
2 |
+--- a/libtiff/tif_ojpeg.c |
|
3 |
+@@ -244,6 +244,7 @@ typedef enum { |
|
4 |
+ |
|
5 |
+ typedef struct { |
|
6 |
+ TIFF* tif; |
|
7 |
++ int decoder_ok; |
|
8 |
+ #ifndef LIBJPEG_ENCAP_EXTERNAL |
|
9 |
+ JMP_BUF exit_jmpbuf; |
|
10 |
+ #endif |
|
11 |
+@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s) |
|
12 |
+ } |
|
13 |
+ sp->write_curstrile++; |
|
14 |
+ } |
|
15 |
++ sp->decoder_ok = 1; |
|
16 |
+ return(1); |
|
17 |
+ } |
|
18 |
+ |
|
19 |
+@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif) |
|
20 |
+ static int |
|
21 |
+ OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) |
|
22 |
+ { |
|
23 |
++ static const char module[]="OJPEGDecode"; |
|
24 |
+ OJPEGState* sp=(OJPEGState*)tif->tif_data; |
|
25 |
+ (void)s; |
|
26 |
++ if( !sp->decoder_ok ) |
|
27 |
++ { |
|
28 |
++ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); |
|
29 |
++ return 0; |
|
30 |
++ } |
|
31 |
+ if (sp->libjpeg_jpeg_query_style==0) |
|
32 |
+ { |
|
33 |
+ if (OJPEGDecodeRaw(tif,buf,cc)==0) |
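Review bot: `decoder_ok` is only ever set to 1 in these hunks, at the end of OJPEGPreDecode, and nothing visible clears it. Once one strip or tile has been prepared successfully, a later OJPEGPreDecode call that returns 0 early would leave the flag set, and the new guard in OJPEGDecode would let decoding proceed on state that was not set up for the current strip. Clearing it on entry, `sp->decoder_ok = 0;` as the first statement of OJPEGPreDecode, would tie the flag to the most recent call. The guard also depends on OJPEGState being zero-filled when it is allocated, which is not visible here and deserves a short comment next to the new field. Both function bodies start or end outside the hunks, so this should be confirmed against the full file.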
0 | 34 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,13 @@ |
0 |
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c |
|
1 |
+index a99c906..f294ed1 100644 |
|
2 |
+--- a/tools/tiffcp.c |
|
3 |
+@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips) |
|
4 |
+ tstrip_t s, ns = TIFFNumberOfStrips(in); |
|
5 |
+ uint32 row = 0; |
|
6 |
+ _TIFFmemset(buf, 0, stripsize); |
|
7 |
+- for (s = 0; s < ns; s++) { |
|
8 |
++ for (s = 0; s < ns && row < imagelength; s++) { |
|
9 |
+ tsize_t cc = (row + rowsperstrip > imagelength) ? |
|
10 |
+ TIFFVStripSize(in, imagelength - row) : stripsize; |
|
11 |
+ if (TIFFReadEncodedStrip(in, s, buf, cc) < 0 |
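Review bot: The new `row < imagelength` bound keeps `imagelength - row` from underflowing, but the unchanged test on the following line still evaluates `row + rowsperstrip`, and row is a uint32, so the sum can wrap for very large RowsPerStrip and ImageLength values and then select the full `stripsize` for a short final strip. With the loop bound in place the comparison can be written without the addition: `tsize_t cc = (rowsperstrip > imagelength - row) ?`. It would also help to emit a warning when the loop ends with `s < ns`, since the remaining strips are now skipped silently. The declarations of rowsperstrip and imagelength and the rest of the loop body are outside the hunk.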
0 | 12 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,31 @@ |
0 |
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c |
|
1 |
+index 44c5eee8..eecde217 100644 |
|
2 |
+--- a/tools/tiffcrop.c |
|
3 |
+@@ -1164,7 +1164,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf, |
|
4 |
+ tdata_t obuf; |
|
5 |
+ |
|
6 |
+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); |
|
7 |
+- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); |
|
8 |
++ (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps); |
|
9 |
+ bytes_per_sample = (bps + 7) / 8; |
|
10 |
+ if( width == 0 || |
|
11 |
+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width || |
|
12 |
+@@ -4760,7 +4760,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length, |
|
13 |
+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; |
|
14 |
+ uint32 j; |
|
15 |
+ int32 bytes_read = 0; |
|
16 |
+- uint16 bps, planar; |
|
17 |
++ uint16 bps = 0, planar; |
|
18 |
+ uint32 nstrips; |
|
19 |
+ uint32 strips_per_sample; |
|
20 |
+ uint32 src_rowsize, dst_rowsize, rows_processed, rps; |
|
21 |
+@@ -4780,7 +4780,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length, |
|
22 |
+ } |
|
23 |
+ |
|
24 |
+ memset (srcbuffs, '\0', sizeof(srcbuffs)); |
|
25 |
+- TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); |
|
26 |
++ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); |
|
27 |
+ TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar); |
|
28 |
+ TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); |
|
29 |
+ if (rps > length) |
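Review bot: Both call sites still discard the result of `TIFFGetFieldDefaulted` for BitsPerSample, so a failed lookup cannot be told apart from a real value. In readSeparateStripsIntoBuffer the new `bps = 0` initialiser makes that case deterministic, but a zero then flows into the size arithmetic that follows. In writeBufferToSeparateStrips the declaration of bps is outside the hunk, so it is not visible whether it received the same initialiser. Checking the value where it is read, e.g. `if (!TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps) || bps == 0)` followed by the function's existing error return, would reject such files explicitly. Both function bodies continue outside the hunks.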
0 | 30 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,81 @@ |
0 |
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c |
|
1 |
+index 3eec79c9..570d0c32 100644 |
|
2 |
+--- a/libtiff/tif_dirread.c |
|
3 |
+@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif) |
|
4 |
+ uint64 rowblockbytes; |
|
5 |
+ uint64 stripbytes; |
|
6 |
+ uint32 strip; |
|
7 |
+- uint64 nstrips64; |
|
8 |
+- uint32 nstrips32; |
|
9 |
++ uint32 nstrips; |
|
10 |
+ uint32 rowsperstrip; |
|
11 |
+ uint64* newcounts; |
|
12 |
+ uint64* newoffsets; |
|
13 |
+@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) |
|
14 |
+ return; |
|
15 |
+ |
|
16 |
+ /* |
|
17 |
+- * never increase the number of strips in an image |
|
18 |
++ * never increase the number of rows per strip |
|
19 |
+ */ |
|
20 |
+ if (rowsperstrip >= td->td_rowsperstrip) |
|
21 |
+ return; |
|
22 |
+- nstrips64 = TIFFhowmany_64(bytecount, stripbytes); |
|
23 |
+- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */ |
|
24 |
+- return; |
|
25 |
+- nstrips32 = (uint32)nstrips64; |
|
26 |
++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); |
|
27 |
++ if( nstrips == 0 ) |
|
28 |
++ return; |
|
29 |
+ |
|
30 |
+- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), |
|
31 |
++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), |
|
32 |
+ "for chopped \"StripByteCounts\" array"); |
|
33 |
+- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), |
|
34 |
++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), |
|
35 |
+ "for chopped \"StripOffsets\" array"); |
|
36 |
+ if (newcounts == NULL || newoffsets == NULL) { |
|
37 |
+ /* |
|
38 |
+@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif) |
|
39 |
+ * Fill the strip information arrays with new bytecounts and offsets |
|
40 |
+ * that reflect the broken-up format. |
|
41 |
+ */ |
|
42 |
+- for (strip = 0; strip < nstrips32; strip++) { |
|
43 |
++ for (strip = 0; strip < nstrips; strip++) { |
|
44 |
+ if (stripbytes > bytecount) |
|
45 |
+ stripbytes = bytecount; |
|
46 |
+ newcounts[strip] = stripbytes; |
|
47 |
+- newoffsets[strip] = offset; |
|
48 |
++ newoffsets[strip] = stripbytes ? offset : 0; |
|
49 |
+ offset += stripbytes; |
|
50 |
+ bytecount -= stripbytes; |
|
51 |
+ } |
|
52 |
+ /* |
|
53 |
+ * Replace old single strip info with multi-strip info. |
|
54 |
+ */ |
|
55 |
+- td->td_stripsperimage = td->td_nstrips = nstrips32; |
|
56 |
++ td->td_stripsperimage = td->td_nstrips = nstrips; |
|
57 |
+ TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); |
|
58 |
+ |
|
59 |
+ _TIFFfree(td->td_stripbytecount); |
|
60 |
+diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c |
|
61 |
+index 4c46ecf5..1676e47d 100644 |
|
62 |
+--- a/libtiff/tif_strip.c |
|
63 |
+@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif) |
|
64 |
+ TIFFDirectory *td = &tif->tif_dir; |
|
65 |
+ uint32 nstrips; |
|
66 |
+ |
|
67 |
+- /* If the value was already computed and store in td_nstrips, then return it, |
|
68 |
+- since ChopUpSingleUncompressedStrip might have altered and resized the |
|
69 |
+- since the td_stripbytecount and td_stripoffset arrays to the new value |
|
70 |
+- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in |
|
71 |
+- tif_dirread.c ~line 3612. |
|
72 |
+- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ |
|
73 |
+- if( td->td_nstrips ) |
|
74 |
+- return td->td_nstrips; |
|
75 |
+- |
|
76 |
+ nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : |
|
77 |
+ TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); |
|
78 |
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE) |
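Review bot: `nstrips` in ChopUpSingleUncompressedStrip is now derived from `td->td_imagelength` and `rowsperstrip` instead of from the strip's byte count, so the size of the two `_TIFFCheckMalloc` arrays is driven by header fields rather than by how much data the file actually holds. A small file that declares a very large image length can therefore request two very large allocations here, where the removed code bounded the count by `bytecount / stripbytes`. Consider skipping the chop when nstrips is far beyond what `bytecount` or the file size can back. A comment should also state that strips past the available data deliberately receive a zero count and offset. The function starts and ends outside these hunks, so any earlier guard on rowsperstrip is not visible.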
0 | 79 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,89 @@ |
0 |
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c |
|
1 |
+index f68a9b13..e6783db5 100644 |
|
2 |
+--- a/libtiff/tif_luv.c |
|
3 |
+@@ -158,6 +158,7 @@ |
|
4 |
+ typedef struct logLuvState LogLuvState; |
|
5 |
+ |
|
6 |
+ struct logLuvState { |
|
7 |
++ int encoder_state; /* 1 if encoder correctly initialized */ |
|
8 |
+ int user_datafmt; /* user data format */ |
|
9 |
+ int encode_meth; /* encoding method */ |
|
10 |
+ int pixel_size; /* bytes per pixel */ |
|
11 |
+@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif) |
|
12 |
+ td->td_photometric, "must be either LogLUV or LogL"); |
|
13 |
+ break; |
|
14 |
+ } |
|
15 |
++ sp->encoder_state = 1; |
|
16 |
+ return (1); |
|
17 |
+ notsupported: |
|
18 |
+ TIFFErrorExt(tif->tif_clientdata, module, |
|
19 |
+@@ -1563,19 +1565,27 @@ LogLuvSetupEncode(TIFF* tif) |
|
20 |
+ static void |
|
21 |
+ LogLuvClose(TIFF* tif) |
|
22 |
+ { |
|
23 |
++ LogLuvState* sp = (LogLuvState*) tif->tif_data; |
|
24 |
+ TIFFDirectory *td = &tif->tif_dir; |
|
25 |
+ |
|
26 |
++ assert(sp != 0); |
|
27 |
+ /* |
|
28 |
+ * For consistency, we always want to write out the same |
|
29 |
+ * bitspersample and sampleformat for our TIFF file, |
|
30 |
+ * regardless of the data format being used by the application. |
|
31 |
+ * Since this routine is called after tags have been set but |
|
32 |
+ * before they have been recorded in the file, we reset them here. |
|
33 |
++ * Note: this is really a nasty approach. See PixarLogClose |
|
34 |
+ */ |
|
35 |
+- td->td_samplesperpixel = |
|
36 |
+- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; |
|
37 |
+- td->td_bitspersample = 16; |
|
38 |
+- td->td_sampleformat = SAMPLEFORMAT_INT; |
|
39 |
++ if( sp->encoder_state ) |
|
40 |
++ { |
|
41 |
++ /* See PixarLogClose. Might avoid issues with tags whose size depends |
|
42 |
++ * on those below, but not completely sure this is enough. */ |
|
43 |
++ td->td_samplesperpixel = |
|
44 |
++ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; |
|
45 |
++ td->td_bitspersample = 16; |
|
46 |
++ td->td_sampleformat = SAMPLEFORMAT_INT; |
|
47 |
++ } |
|
48 |
+ } |
|
49 |
+ |
|
50 |
+ static void |
|
51 |
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c |
|
52 |
+index d1246c3d..aa99bc92 100644 |
|
53 |
+--- a/libtiff/tif_pixarlog.c |
|
54 |
+@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif) |
|
55 |
+ static void |
|
56 |
+ PixarLogClose(TIFF* tif) |
|
57 |
+ { |
|
58 |
++ PixarLogState* sp = (PixarLogState*) tif->tif_data; |
|
59 |
+ TIFFDirectory *td = &tif->tif_dir; |
|
60 |
+ |
|
61 |
++ assert(sp != 0); |
|
62 |
+ /* In a really sneaky (and really incorrect, and untruthful, and |
|
63 |
+ * troublesome, and error-prone) maneuver that completely goes against |
|
64 |
+ * the spirit of TIFF, and breaks TIFF, on close, we covertly |
|
65 |
+@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif) |
|
66 |
+ * readers that don't know about PixarLog, or how to set |
|
67 |
+ * the PIXARLOGDATFMT pseudo-tag. |
|
68 |
+ */ |
|
69 |
+- td->td_bitspersample = 8; |
|
70 |
+- td->td_sampleformat = SAMPLEFORMAT_UINT; |
|
71 |
++ |
|
72 |
++ if (sp->state&PLSTATE_INIT) { |
|
73 |
++ /* We test the state to avoid an issue such as in |
|
74 |
++ * http://bugzilla.maptools.org/show_bug.cgi?id=2604 |
|
75 |
++ * What appends in that case is that the bitspersample is 1 and |
|
76 |
++ * a TransferFunction is set. The size of the TransferFunction |
|
77 |
++ * depends on 1<<bitspersample. So if we increase it, an access |
|
78 |
++ * out of the buffer will happen at directory flushing. |
|
79 |
++ * Another option would be to clear those targs. |
|
80 |
++ */ |
|
81 |
++ td->td_bitspersample = 8; |
|
82 |
++ td->td_sampleformat = SAMPLEFORMAT_UINT; |
|
83 |
++ } |
|
84 |
+ } |
|
85 |
+ |
|
86 |
+ static void |
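Review bot: Gating the tag rewrite on `encoder_state` and `PLSTATE_INIT` only covers the case where the encoder never initialised. When it did, LogLuvClose and PixarLogClose still overwrite `td_bitspersample` without reconciling tags whose size depends on it, which the new comments themselves concede ("not completely sure this is enough"). A follow-up should clear or re-validate dependent tags such as TransferFunction before the rewrite, and the comment should record that as a TODO rather than a doubt. Separately, `assert(sp != 0)` disappears under NDEBUG, leaving the reads of `sp->encoder_state` and `sp->state` unguarded in release builds; `if (sp == NULL) return;` would be an explicit check. Both flags also rely on the state struct being zeroed at allocation, which is not visible in these hunks.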
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: TIFF libraries and associated utilities. |
2 | 2 |
Name: libtiff |
3 | 3 |
Version: 4.0.7 |
4 |
-Release: 3%{?dist} |
|
4 |
+Release: 4%{?dist} |
|
5 | 5 |
License: libtiff |
6 | 6 |
URL: http://www.remotesensing.org/libtiff |
7 | 7 |
Group: System Environment/Libraries |
... | ... |
@@ -9,12 +9,18 @@ Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://download.osgeo.org/%{name}/tiff-%{version}.tar.gz |
11 | 11 |
%define sha1 tiff=2c1b64478e88f93522a42dd5271214a0e5eae648 |
12 |
+# patches: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ |
|
12 | 13 |
Patch0: libtiff-4.0.6-CVE-2015-7554.patch |
13 | 14 |
Patch1: libtiff-4.0.6-CVE-2015-1547.patch |
14 | 15 |
Patch2: libtiff-4.0.7-CVE-2017-5225.patch |
15 | 16 |
Patch3: libtiff-4.0.7-CVE-2016-10092.patch |
16 | 17 |
Patch4: libtiff-4.0.7-CVE-2016-10093.patch |
17 | 18 |
Patch5: libtiff-4.0.7-CVE-2016-10094.patch |
19 |
+Patch6: libtiff-4.0.6-CVE-2016-10268.patch |
|
20 |
+Patch7: libtiff-heap-buffer-overflow.patch |
|
21 |
+Patch8: libtiff-4.0.7-CVE-2016-10269.patch |
|
22 |
+Patch9: libtiff-4.0.7-CVE-2016-10267.patch |
|
23 |
+Patch10: libtiff-2017-CVE-2016-10266.patch |
|
18 | 24 |
BuildRequires: libjpeg-turbo-devel |
19 | 25 |
Requires: libjpeg-turbo |
20 | 26 |
%description |
... | ... |
@@ -25,7 +31,7 @@ Summary: Header and development files |
25 | 25 |
Requires: %{name} = %{version}-%{release} |
26 | 26 |
Requires: libjpeg-turbo-devel |
27 | 27 |
%description devel |
28 |
-It contains the libraries and header files to create applications |
|
28 |
+It contains the libraries and header files to create applications |
|
29 | 29 |
|
30 | 30 |
%prep |
31 | 31 |
%setup -q -n tiff-%{version} |
... | ... |
@@ -35,7 +41,11 @@ It contains the libraries and header files to create applications |
35 | 35 |
%patch3 -p1 |
36 | 36 |
%patch4 -p1 |
37 | 37 |
%patch5 -p1 |
38 |
- |
|
38 |
+%patch6 -p1 |
|
39 |
+%patch7 -p1 |
|
40 |
+%patch8 -p1 |
|
41 |
+%patch9 -p1 |
|
42 |
+%patch10 -p1 |
|
39 | 43 |
%build |
40 | 44 |
./configure \ |
41 | 45 |
--prefix=%{_prefix} \ |
... | ... |
@@ -70,6 +80,8 @@ make %{?_smp_mflags} -k check |
70 | 70 |
%{_datadir}/man/man3/* |
71 | 71 |
|
72 | 72 |
%changelog |
73 |
+* Tue May 16 2017 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.0.7-4 |
|
74 |
+- Added patch for CVE-2016-10266, CVE-2016-10268, CVE-2016-10269, CVE-2016-10267 and libtiff-heap-buffer-overflow patch |
|
73 | 75 |
* Mon Apr 10 2017 Dheeraj Shetty <dheerajs@vmware.com> 4.0.7-3 |
74 | 76 |
- Patch : CVE-2016-10092, CVE-2016-10093, CVE-2016-10094 |
75 | 77 |
* Thu Jan 19 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 4.0.7-2 |
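Review bot: `Patch7: libtiff-heap-buffer-overflow.patch` carries neither a CVE nor an upstream bug or commit identifier, and the patch files added by this commit begin directly at `diff --git` with no header, so nothing in the package records which upstream change each one corresponds to. Add a comment above each new PatchN line naming its origin, for example `# upstream: <upstream commit or bug URL>`. The naming scheme should also be made consistent: Patch6 is labelled 4.0.6 and Patch10 2017 while the package version is 4.0.7. The `# patches:` URL placed above Patch0 reads as if it covered every patch in the list; say which entries it refers to.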