[arch-commits] Commit in libtiff/repos (5 files)
Eric Bélanger
eric at archlinux.org
Fri Aug 14 22:08:59 UTC 2009
Date: Friday, August 14, 2009 @ 18:08:59
Author: eric
Revision: 49674
Merged revisions 49673 via svnmerge from
svn+ssh://svn.archlinux.org/srv/svn-packages/libtiff/trunk
........
r49673 | eric | 2009-08-14 18:08:37 -0400 (Fri, 14 Aug 2009) | 2 lines
upgpkg: libtiff 3.8.2-6
Added security fixes (close FS#15931)
........
Added:
libtiff/repos/extra-x86_64/libtiff-CVE-2009-2285.patch
(from rev 49673, libtiff/trunk/libtiff-CVE-2009-2285.patch)
libtiff/repos/extra-x86_64/tiff-3.8.2-CVE-2009-2347.patch
(from rev 49673, libtiff/trunk/tiff-3.8.2-CVE-2009-2347.patch)
Modified:
libtiff/repos/extra-x86_64/ (properties)
libtiff/repos/extra-x86_64/ChangeLog
libtiff/repos/extra-x86_64/PKGBUILD
--------------------------------+
ChangeLog | 5 +
PKGBUILD | 42 ++++-----
libtiff-CVE-2009-2285.patch | 22 +++++
tiff-3.8.2-CVE-2009-2347.patch | 170 +++++++++++++++++++++++++++++++++++++++
4 files changed, 218 insertions(+), 21 deletions(-)
Property changes on: libtiff/repos/extra-x86_64
___________________________________________________________________
Modified: svnmerge-integrated
- /libtiff/trunk:1-43712
+ /libtiff/trunk:1-49673
Modified: extra-x86_64/ChangeLog
===================================================================
--- extra-x86_64/ChangeLog 2009-08-14 22:08:37 UTC (rev 49673)
+++ extra-x86_64/ChangeLog 2009-08-14 22:08:59 UTC (rev 49674)
@@ -1,3 +1,8 @@
+2009-08-14 Eric Belanger <eric at archlinux.org>
+
+ * libtiff 3.8.2-6
+ * Added security fixes (close FS#15931)
+
2008-09-05 Eric Belanger <eric at archlinux.org>
* libtiff 3.8.2-4
Modified: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD 2009-08-14 22:08:37 UTC (rev 49673)
+++ extra-x86_64/PKGBUILD 2009-08-14 22:08:59 UTC (rev 49674)
@@ -4,7 +4,7 @@
pkgname=libtiff
pkgver=3.8.2
-pkgrel=5
+pkgrel=6
pkgdesc="Library for manipulation of TIFF images"
arch=('i686' 'x86_64')
url="http://www.libtiff.org/"
@@ -14,30 +14,30 @@
optdepends=('freeglut: for using tiffgt')
options=('!libtool')
source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-${pkgver}.tar.gz \
- tiff2pdf-octal-printf.patch \
- tiffsplit-fname-overflow.patch \
- CVE-2006-3459-3465.patch \
- tiff2pdf-compression.patch \
- tiff-3.8.2-CVE-2008-2327.patch)
+ tiff2pdf-octal-printf.patch tiffsplit-fname-overflow.patch \
+ CVE-2006-3459-3465.patch tiff2pdf-compression.patch \
+ tiff-3.8.2-CVE-2008-2327.patch libtiff-CVE-2009-2285.patch \
+ tiff-3.8.2-CVE-2009-2347.patch)
md5sums=('fbb6f446ea4ed18955e2714934e5b698' 'd54368687d2645ffbbe6c2df384b11bf'\
'323352fd60a7bd3ffac8724c3c031669' '624d3067e6a4c0680767eb62253ea980'\
- 'b443ffca9d498bb3a88c17da0200025b' 'c2c2e22557d9c63011df5777dda6a86b')
-sha1sums=('549e67b6a15b42bfcd72fe17cda7c9a198a393eb'
- 'c79245249634a121bfaff6cfecb763f72fe7f8eb'
- 'dc86bb68c7831ff70ff01d952d553be9f986be46'
- '85dc50a60a10025757e249d869dab7eb73ba6e3c'
- '508751f55131356ea8a7e7c4994ffbc9bd881769'
- '1da2ec6a47c0666cad9d07fb8427c1c75ca27b10')
+ 'b443ffca9d498bb3a88c17da0200025b' 'c2c2e22557d9c63011df5777dda6a86b'\
+ 'ff61077408727a82281f77a94f555e2a' 'd3b02693cca83e63005b162edd43016b')
+sha1sums=('549e67b6a15b42bfcd72fe17cda7c9a198a393eb' 'c79245249634a121bfaff6cfecb763f72fe7f8eb'\
+ 'dc86bb68c7831ff70ff01d952d553be9f986be46' '85dc50a60a10025757e249d869dab7eb73ba6e3c'\
+ '508751f55131356ea8a7e7c4994ffbc9bd881769' '1da2ec6a47c0666cad9d07fb8427c1c75ca27b10'\
+ 'eadce8c8bd72ea9c74f35300bf299131813b0c8b' '3017201b7f500389acfa775479a6fdd069e9a099')
build() {
- cd ${srcdir}/tiff-${pkgver}
- patch -Np1 -i ${srcdir}/tiff2pdf-octal-printf.patch || return 1
- patch -Np1 -i ${srcdir}/tiffsplit-fname-overflow.patch || return 1
- patch -Np1 -i ${srcdir}/CVE-2006-3459-3465.patch || return 1
- patch -Np1 -i ${srcdir}/tiff2pdf-compression.patch || return 1
- patch -Np1 -i ${srcdir}/tiff-3.8.2-CVE-2008-2327.patch || return 1
+ cd "${srcdir}/tiff-${pkgver}"
+ patch -p1 < ../tiff2pdf-octal-printf.patch || return 1
+ patch -p1 < ../tiffsplit-fname-overflow.patch || return 1
+ patch -p1 < ../CVE-2006-3459-3465.patch || return 1
+ patch -p1 < ../tiff2pdf-compression.patch || return 1
+ patch -p1 < ../tiff-3.8.2-CVE-2008-2327.patch || return 1
+ patch -p1 < ../libtiff-CVE-2009-2285.patch || return 1
+ patch -p1 < ../tiff-3.8.2-CVE-2009-2347.patch || return 1
./configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man || return 1
make || return 1
- make DESTDIR=${pkgdir} install || return 1
- install -D -m644 COPYRIGHT ${pkgdir}/usr/share/licenses/${pkgname}/LICENSE || return 1
+ make DESTDIR="${pkgdir}" install || return 1
+ install -D -m644 COPYRIGHT "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE" || return 1
}
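Review bot: The rewritten `patch` calls in build() drop `-N`, so a patch that looks reversed or already applied may make patch ask whether to assume `-R` instead of skipping it and failing. For the two new CVE patches that is the wrong failure mode, since an unattended or careless answer could leave a fix unapplied or reversed. Keeping the earlier form, e.g. `patch -Np1 -i "${srcdir}/libtiff-CVE-2009-2285.patch" || return 1`, makes that case a hard build failure and avoids depending on the `../` layout relative to the tiff source directory. Separately, the tarball is still fetched over plain `ftp://`, so as far as this PKGBUILD shows the md5sums/sha1sums entries are the only integrity check on it.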
Copied: libtiff/repos/extra-x86_64/libtiff-CVE-2009-2285.patch (from rev 49673, libtiff/trunk/libtiff-CVE-2009-2285.patch)
===================================================================
--- extra-x86_64/libtiff-CVE-2009-2285.patch (rev 0)
+++ extra-x86_64/libtiff-CVE-2009-2285.patch 2009-08-14 22:08:59 UTC (rev 49674)
@@ -0,0 +1,22 @@
+Index: tiff-3.8.2/libtiff/tif_lzw.c
+===================================================================
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c
++++ tiff-3.8.2/libtiff/tif_lzw.c
+@@ -421,7 +421,7 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
+- if (code == CODE_CLEAR) {
++ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+@@ -624,7 +624,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
+- if (code == CODE_CLEAR) {
++ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
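Review bot: libtiff-CVE-2009-2285.patch has no description or origin header, unlike tiff-3.8.2-CVE-2009-2347.patch, so nothing in the package records why `code >= CODE_CLEAR` is the right test in LZWDecode and LZWDecodeCompat. I would add a short header above the `Index:` line, along the lines of `CVE-2009-2285: at this point any code at or above CODE_CLEAR other than CODE_EOI means a corrupted stream; reject it instead of using it as a table index`, plus a line naming where the patch was taken from. The surrounding decode loops lie outside the inner hunks, so the wording should be checked against tif_lzw.c before it is committed.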
Copied: libtiff/repos/extra-x86_64/tiff-3.8.2-CVE-2009-2347.patch (from rev 49673, libtiff/trunk/tiff-3.8.2-CVE-2009-2347.patch)
===================================================================
--- extra-x86_64/tiff-3.8.2-CVE-2009-2347.patch (rev 0)
+++ extra-x86_64/tiff-3.8.2-CVE-2009-2347.patch 2009-08-14 22:08:59 UTC (rev 49674)
@@ -0,0 +1,170 @@
+Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
+possible integer overflow in calculation of buffer sizes.
+
+CVE-2009-2347
+
+
+diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
+--- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400
++++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400
+@@ -202,6 +202,17 @@
+ #undef LumaBlue
+ #undef V2Code
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ /*
+ * Convert a strip of RGB data to YCbCr and
+ * sample to generate the output data.
+@@ -278,10 +289,19 @@
+ float floatv;
+ char *stringv;
+ uint32 longv;
++ tsize_t raster_size;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++
++ raster_size = multiply(multiply(width, height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
+--- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500
++++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400
+@@ -124,6 +124,17 @@
+ return (0);
+ }
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ static int
+ cvt_by_tile( TIFF *in, TIFF *out )
+
+@@ -133,6 +144,7 @@
+ uint32 tile_width, tile_height;
+ uint32 row, col;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -150,7 +162,14 @@
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) tile_width, (unsigned long) tile_height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -158,7 +177,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -226,6 +245,7 @@
+ uint32 width, height; /* image width & height */
+ uint32 row;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -241,7 +261,14 @@
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) rowsperstrip);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -249,7 +276,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -328,14 +355,22 @@
+ uint32* raster; /* retrieve RGBA image */
+ uint32 width, height; /* image width & height */
+ uint32 row;
+-
++ tsize_t raster_size;
++
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++ raster_size = multiply(multiply(width, height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -353,7 +388,7 @@
+ */
+ if( no_alpha )
+ {
+- int pixel_count = width * height;
++ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
+ unsigned char *src, *dst;
+
+ src = (unsigned char *) raster;
+
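Review bot: The new `multiply()` helper in both rgb2ycbcr.c and tiff2rgba.c detects overflow only after computing `m1 * m2` in `tsize_t`; if tsize_t is a signed type, as I believe it is in libtiff 3.8.2, that overflow is undefined behaviour and the compiler may drop the `prod / m1 != m2` test. The callers pass `uint32` dimensions read from the file, so values above the signed maximum would arrive as negative operands, and two negative operands can give a small positive product that passes the check. I would reject them up front with `if (m1 <= 0 || m2 <= 0) return 0;` and test `m1 > max / m2` before multiplying, where `max` stands for the largest tsize_t value. The same concern applies to `pixel_count = (tsize_t) width * (tsize_t) height` in the last inner hunk, which is safe only because of the earlier raster_size check.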