Date: Sat, 6 May 2017 21:02:00 +0000
From: "Havard Eidnes" Subject: CVS commit: pkgsrc/graphics/tiff To: pkgsrc-changes@NetBSD.org Reply-To: he@netbsd.org X-Mailer: log_accum Message-Id: <20170506210200.61EBDFBE4@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_1494104520280400 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: he Date: Sat May 6 21:02:00 UTC 2017 Modified Files: pkgsrc/graphics/tiff: Makefile distinfo Added Files: pkgsrc/graphics/tiff/patches: patch-libtiff_tif__luv.c patch-libtiff_tif__pixarlog.c Log Message: Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604 and https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86 Bump PKGREVISION. To generate a diff of this commit: cvs rdiff -u -r1.130 -r1.131 pkgsrc/graphics/tiff/Makefile cvs rdiff -u -r1.76 -r1.77 pkgsrc/graphics/tiff/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c \ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1494104520280400 Content-Disposition: inline Content-Length: 5861 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/graphics/tiff/Makefile diff -u pkgsrc/graphics/tiff/Makefile:1.130 pkgsrc/graphics/tiff/Makefile:1.131 --- pkgsrc/graphics/tiff/Makefile:1.130 Sat May 6 20:34:40 2017 +++ pkgsrc/graphics/tiff/Makefile Sat May 6 21:02:00 2017 
@@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.130 2017/05/06 20:34:40 he Exp $ +# $NetBSD: Makefile,v 1.131 2017/05/06 21:02:00 he Exp $ DISTNAME= tiff-4.0.7 -PKGREVISION= 6 +PKGREVISION= 7 CATEGORIES= graphics MASTER_SITES= ftp://download.osgeo.org/libtiff/ Index: pkgsrc/graphics/tiff/distinfo diff -u pkgsrc/graphics/tiff/distinfo:1.76 pkgsrc/graphics/tiff/distinfo:1.77 --- pkgsrc/graphics/tiff/distinfo:1.76 Sat May 6 20:34:40 2017 +++ pkgsrc/graphics/tiff/distinfo Sat May 6 21:02:00 2017 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.76 2017/05/06 20:34:40 he Exp $ +$NetBSD: distinfo,v 1.77 2017/05/06 21:02:00 he Exp $ SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648 RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb @@ -6,6 +6,8 @@ SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f Size (tiff-4.0.7.tar.gz) = 2076392 bytes SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6 SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d +SHA1 (patch-libtiff_tif__luv.c) = c2e8ce7474119ffa02d226932ad6c8c2b230062c +SHA1 (patch-libtiff_tif__pixarlog.c) = ad16681cf3fcb5fded048eb70c0a93f1b6447147 SHA1 (patch-libtiff_tif_dir.c) = 28c45b95cedeebe005b44b45393d66f61e0ea6f7 SHA1 (patch-libtiff_tif_dirread.c) = 213b8c2f172303d095ef3edc3f850aa75de36d3d SHA1 (patch-libtiff_tif_dirwrite.c) = 07ccbf8cf210b95d5ca7710cc2982368783b4dcb Added files: Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c:1.1 --- /dev/null Sat May 6 21:02:00 2017 +++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c Sat May 6 21:02:00 2017 
@@ -0,0 +1,56 @@ +$NetBSD: patch-libtiff_tif__luv.c,v 1.1 2017/05/06 21:02:00 he Exp $ + +Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604 +and +https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86 + +--- libtiff/tif_luv.c.orig 2016-09-08 13:23:57.000000000 +0000 ++++ libtiff/tif_luv.c +@@ -158,6 +158,7 @@ + typedef struct logLuvState LogLuvState; + + struct logLuvState { ++ int encoder_state; /* 1 if encoder correctly initialized */ + int user_datafmt; /* user data format */ + int encode_meth; /* encoding method */ + int pixel_size; /* bytes per pixel */ +@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif) + td->td_photometric, "must be either LogLUV or LogL"); + break; + } ++ sp->encoder_state = 1; + return (1); + notsupported: + TIFFErrorExt(tif->tif_clientdata, module, +@@ -1563,19 +1565,27 @@ notsupported: + static void + LogLuvClose(TIFF* tif) + { ++ LogLuvState* sp = (LogLuvState*) tif->tif_data; + TIFFDirectory *td = &tif->tif_dir; + ++ assert(sp != 0); + /* + * For consistency, we always want to write out the same + * bitspersample and sampleformat for our TIFF file, + * regardless of the data format being used by the application. + * Since this routine is called after tags have been set but + * before they have been recorded in the file, we reset them here. ++ * Note: this is really a nasty approach. See PixarLogClose + */ +- td->td_samplesperpixel = +- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; +- td->td_bitspersample = 16; +- td->td_sampleformat = SAMPLEFORMAT_INT; ++ if( sp->encoder_state ) ++ { ++ /* See PixarLogClose. Might avoid issues with tags whose size depends ++ * on those below, but not completely sure this is enough. */ ++ td->td_samplesperpixel = ++ (td->td_photometric == PHOTOMETRIC_LOGL) ? 
1 : 3; ++ td->td_bitspersample = 16; ++ td->td_sampleformat = SAMPLEFORMAT_INT; ++ } + } + + static void Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c:1.1 --- /dev/null Sat May 6 21:02:00 2017 +++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c Sat May 6 21:02:00 2017 @@ -0,0 +1,41 @@ +$NetBSD: patch-libtiff_tif__pixarlog.c,v 1.1 2017/05/06 21:02:00 he Exp $ + +Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604 +and +https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86 + +--- libtiff/tif_pixarlog.c.orig 2016-09-23 22:56:06.000000000 +0000 ++++ libtiff/tif_pixarlog.c +@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif) + static void + PixarLogClose(TIFF* tif) + { ++ PixarLogState* sp = (PixarLogState*) tif->tif_data; + TIFFDirectory *td = &tif->tif_dir; + ++ assert(sp != 0); + /* In a really sneaky (and really incorrect, and untruthful, and + * troublesome, and error-prone) maneuver that completely goes against + * the spirit of TIFF, and breaks TIFF, on close, we covertly +@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif) + * readers that don't know about PixarLog, or how to set + * the PIXARLOGDATFMT pseudo-tag. + */ +- td->td_bitspersample = 8; +- td->td_sampleformat = SAMPLEFORMAT_UINT; ++ ++ if (sp->state&PLSTATE_INIT) { ++ /* We test the state to avoid an issue such as in ++ * http://bugzilla.maptools.org/show_bug.cgi?id=2604 ++ * What appends in that case is that the bitspersample is 1 and ++ * a TransferFunction is set. The size of the TransferFunction ++ * depends on 1<td_bitspersample = 8; ++ td->td_sampleformat = SAMPLEFORMAT_UINT; ++ } + } + + static void --_----------=_1494104520280400--
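Review bot: In the tif_luv.c hunks at @@ -158 and @@ -1552, `encoder_state` is only ever assigned on the success path of LogLuvSetupEncode (`sp->encoder_state = 1;`), and nothing in the visible lines sets it to 0. The `if( sp->encoder_state )` test in LogLuvClose is therefore sound only if the LogLuvState allocation is zeroed elsewhere. Please confirm that against the codec's init routine, or add an explicit reset there so the flag cannot be read uninitialised when setup fails or never runs.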
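Review bot: In the LogLuvClose hunk (@@ -1563), and likewise in the first PixarLogClose hunk (@@ -1233), `assert(sp != 0);` is the only guard before `sp` is dereferenced, and assert() compiles to nothing when the library is built with NDEBUG. If a NULL `tif->tif_data` is a state the close routine can actually see, an explicit early return on `sp == NULL` would hold in release builds too. If it cannot happen, a short comment saying why would help. The added comment in LogLuvClose also says "not completely sure this is enough", so this package patch is worth revisiting if upstream changes the approach.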
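Review bot: In the second PixarLogClose hunk (@@ -1243), the comment inside `if (sp->state&PLSTATE_INIT) {` is the only explanation of why the tag rewrite has to be conditional, and in this copy it breaks off after "depends on 1<" and runs straight into `td_bitspersample = 8;`. The hunk header announces 19 resulting lines, so part of the comment and of the first assignment appear to be missing here. Please check the patch file against the referenced upstream commit before relying on this rendering. The comment also has a typo, "What appends" for "What happens", which could be fixed upstream.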