From: "Benny Siegert"
Subject: CVS commit: [pkgsrc-2017Q1] pkgsrc/graphics/tiff
To: pkgsrc-changes@NetBSD.org
Reply-To: bsiegert@netbsd.org
Message-Id: <20170511174720.631CFFBE4@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Thu May 11 17:47:20 UTC 2017

Modified Files:
        pkgsrc/graphics/tiff [pkgsrc-2017Q1]: Makefile distinfo
        pkgsrc/graphics/tiff/patches [pkgsrc-2017Q1]: patch-libtiff_tif_dirread.c
            patch-libtiff_tif_ojpeg.c patch-libtiff_tif_read.c
            patch-tools_tiffcp.c
Added Files:
        pkgsrc/graphics/tiff/patches [pkgsrc-2017Q1]: patch-libtiff_tif__luv.c
            patch-libtiff_tif__pixarlog.c patch-libtiff_tif__strip.c
            patch-libtiff_tiffiop.h patch-tools_tiff2pdf.c

Log Message:
Pullup ticket #5406 - requested by sevan
graphics/tiff: security fix

Revisions pulled up:
- graphics/tiff/Makefile                                        1.130-1.135
- graphics/tiff/distinfo                                        1.76-1.81
- graphics/tiff/patches/patch-libtiff_tif__luv.c                1.1
- graphics/tiff/patches/patch-libtiff_tif__pixarlog.c           1.1
- graphics/tiff/patches/patch-libtiff_tif__strip.c              1.1
- graphics/tiff/patches/patch-libtiff_tif_dirread.c             1.3
- graphics/tiff/patches/patch-libtiff_tif_ojpeg.c               1.2
- graphics/tiff/patches/patch-libtiff_tif_read.c                1.2
- graphics/tiff/patches/patch-libtiff_tiffiop.h                 1.3
- graphics/tiff/patches/patch-tools_tiff2pdf.c                  1.3
- graphics/tiff/patches/patch-tools_tiffcp.c                    1.3

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sat May  6 20:34:40 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-tools_tiff2pdf.c

   Log Message:
   Fix CVE-2016-10094, ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2640
   and
   https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76

   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sat May  6 21:02:00 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif__luv.c
               patch-libtiff_tif__pixarlog.c

   Log Message:
   Fix CVE-2016-10269, ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2604
   and
   https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86

   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sat May  6 21:29:17 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif_dirread.c
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif__strip.c

   Log Message:
   Fix CVE-2016-10270, ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2608
   https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018

   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sat May  6 21:37:16 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-tools_tiffcp.c

   Log Message:
   Fix CVE-2016-10268, ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2598
   https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df

   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   he
   Date:           Sun May  7 21:32:30 UTC 2017

   Modified Files:
           pkgsrc/graphics/tiff: Makefile distinfo
           pkgsrc/graphics/tiff/patches: patch-libtiff_tif_read.c
   Added Files:
           pkgsrc/graphics/tiff/patches: patch-libtiff_tiffiop.h

   Log Message:
   Fix CVE-2016-10266 ref.
   http://bugzilla.maptools.org/show_bug.cgi?id=2596
   https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1

   Bump PKGREVISION.

--- Module Name: pkgsrc Committed By: he Date: Sun May 7 21:52:16 UTC 2017 Modified Files: pkgsrc/graphics/tiff: Makefile distinfo pkgsrc/graphics/tiff/patches: patch-libtiff_tif_ojpeg.c Log Message: Fix CVE-2016-10267 ref. http://bugzilla.maptools.org/show_bug.cgi?id=2611 https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec Bump PKGREVISION. To generate a diff of this commit: cvs rdiff -u -r1.125.4.2 -r1.125.4.3 pkgsrc/graphics/tiff/Makefile cvs rdiff -u -r1.71.4.2 -r1.71.4.3 pkgsrc/graphics/tiff/distinfo cvs rdiff -u -r0 -r1.1.2.2 \ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c \ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c \ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__strip.c cvs rdiff -u -r1.2.2.3 -r1.2.2.4 \ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c \ pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c cvs rdiff -u -r1.1.2.2 -r1.1.2.3 \ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c \ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c cvs rdiff -u -r0 -r1.3.2.2 \ pkgsrc/graphics/tiff/patches/patch-libtiff_tiffiop.h \ pkgsrc/graphics/tiff/patches/patch-tools_tiff2pdf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1494524840174000 Content-Disposition: inline Content-Length: 20308 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/graphics/tiff/Makefile diff -u pkgsrc/graphics/tiff/Makefile:1.125.4.2 pkgsrc/graphics/tiff/Makefile:1.125.4.3 --- pkgsrc/graphics/tiff/Makefile:1.125.4.2 Sat May 6 15:08:52 2017 +++ pkgsrc/graphics/tiff/Makefile Thu May 11 17:47:20 2017 
@@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.125.4.2 2017/05/06 15:08:52 bsiegert Exp $ +# $NetBSD: Makefile,v 1.125.4.3 2017/05/11 17:47:20 bsiegert Exp $ DISTNAME= tiff-4.0.7 -PKGREVISION= 5 +PKGREVISION= 11 CATEGORIES= graphics MASTER_SITES= ftp://download.osgeo.org/libtiff/ Index: pkgsrc/graphics/tiff/distinfo diff -u pkgsrc/graphics/tiff/distinfo:1.71.4.2 pkgsrc/graphics/tiff/distinfo:1.71.4.3 --- pkgsrc/graphics/tiff/distinfo:1.71.4.2 Sat May 6 15:08:52 2017 +++ pkgsrc/graphics/tiff/distinfo Thu May 11 17:47:20 2017 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.71.4.2 2017/05/06 15:08:52 bsiegert Exp $ +$NetBSD: distinfo,v 1.71.4.3 2017/05/11 17:47:20 bsiegert Exp $ SHA1 (tiff-4.0.7.tar.gz) = 2c1b64478e88f93522a42dd5271214a0e5eae648 RMD160 (tiff-4.0.7.tar.gz) = 582e19c31e7f29d9ed36995dcad7ad68802cbadb 
@@ -6,16 +6,21 @@ SHA512 (tiff-4.0.7.tar.gz) = 941357bdd5f Size (tiff-4.0.7.tar.gz) = 2076392 bytes SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6 SHA1 (patch-html_man_Makefile.in) = 705604e2a3065da192e7354a4a9cdcd16bd6823d +SHA1 (patch-libtiff_tif__luv.c) = c2e8ce7474119ffa02d226932ad6c8c2b230062c +SHA1 (patch-libtiff_tif__pixarlog.c) = ad16681cf3fcb5fded048eb70c0a93f1b6447147 +SHA1 (patch-libtiff_tif__strip.c) = f7dc7b24378d0541a8f3bcc3cad78ea2d6ae14d7 SHA1 (patch-libtiff_tif_dir.c) = 28c45b95cedeebe005b44b45393d66f61e0ea6f7 -SHA1 (patch-libtiff_tif_dirread.c) = 213b8c2f172303d095ef3edc3f850aa75de36d3d +SHA1 (patch-libtiff_tif_dirread.c) = f6d442da817457d7ac801a3005e21c357ac31f8a SHA1 (patch-libtiff_tif_dirwrite.c) = 07ccbf8cf210b95d5ca7710cc2982368783b4dcb SHA1 (patch-libtiff_tif_getimage.c) = 267b555c8b043d0a835db4d46ef65131776601e6 SHA1 (patch-libtiff_tif_jpeg.c) = 1049b7b243e9e145886bcac8e68e5e7889337ebc -SHA1 (patch-libtiff_tif_ojpeg.c) = 6447168e952bb80a1a8272c2c27bb0ce3ccf6939 -SHA1 (patch-libtiff_tif_read.c) = 85674d2e222846e3971301ce2fb7ebe02f54b9b2 +SHA1 (patch-libtiff_tif_ojpeg.c) = 1c43555434525157c1783de4802af4508c5113a4 +SHA1 (patch-libtiff_tif_read.c) = d43b10fa74a51da21f44abb7bd0251b88e8a702b SHA1 (patch-libtiff_tif_unix.c) = c8312771e567f90de0f77ac8eb66ed5c36e35617 SHA1 (patch-libtiff_tif_win32.c) = 1ea9dcb6618c40b9de3e8d2a81914355f2111fdc SHA1 (patch-libtiff_tiffio.h) = e0efa9e1246e07dbb3a69d626988a18f12ba9d3c +SHA1 (patch-libtiff_tiffiop.h) = 1100e55483da58037fa3f4168fffdfcbc5407456 SHA1 (patch-man_Makefile.in) = ff073529c9d3ab98a03efa7d98c3263c1782482f -SHA1 (patch-tools_tiffcp.c) = 42573d15fc66655a09e9227213b0929238f7e651 +SHA1 (patch-tools_tiff2pdf.c) = ce7a3e77c27ad3cabaa33b5da61cbd1b27f187d1 +SHA1 (patch-tools_tiffcp.c) = bd6abd9dc6e044ff04d761d999fabfb0919ba0db SHA1 (patch-tools_tiffcrop.c) = 1d729028fb8c05de958424234d5cc2808acc9b25 Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c diff -u 
pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.3 pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.4 --- pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c:1.2.2.3 Sat May 6 15:08:52 2017 +++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_dirread.c Thu May 11 17:47:20 2017 @@ -1,4 +1,4 @@ -$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $ +$NetBSD: patch-libtiff_tif_dirread.c,v 1.2.2.4 2017/05/11 17:47:20 bsiegert Exp $ CVE-2017-7596 CVE-2017-7597 @@ -8,7 +8,13 @@ CVE-2017-7600 https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 ---- libtiff/tif_dirread.c.orig 2017-05-05 18:56:15.000000000 +0000 +and + +CVE-2016-10270 +http://bugzilla.maptools.org/show_bug.cgi?id=2608 +https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018 + +--- libtiff/tif_dirread.c.orig 2016-11-18 02:42:46.000000000 +0000 +++ libtiff/tif_dirread.c @@ -40,6 +40,7 @@ */ 
@@ -58,3 +64,59 @@ https://github.com/vadz/libtiff/commit/3 *value=0.0; else *value=(double)((int32)m.i[0])/(double)m.i[1]; +@@ -5502,8 +5516,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif) + uint64 rowblockbytes; + uint64 stripbytes; + uint32 strip; +- uint64 nstrips64; +- uint32 nstrips32; ++ uint32 nstrips; + uint32 rowsperstrip; + uint64* newcounts; + uint64* newoffsets; +@@ -5534,18 +5547,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) + return; + + /* +- * never increase the number of strips in an image ++ * never increase the number of rows per strip + */ + if (rowsperstrip >= td->td_rowsperstrip) + return; +- nstrips64 = TIFFhowmany_64(bytecount, stripbytes); +- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */ ++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); ++ if( nstrips == 0 ) + return; +- nstrips32 = (uint32)nstrips64; + +- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), ++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripByteCounts\" array"); +- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), ++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripOffsets\" array"); + if (newcounts == NULL || newoffsets == NULL) { + /* +@@ -5562,18 +5574,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif) + * Fill the strip information arrays with new bytecounts and offsets + * that reflect the broken-up format. + */ +- for (strip = 0; strip < nstrips32; strip++) { ++ for (strip = 0; strip < nstrips; strip++) { + if (stripbytes > bytecount) + stripbytes = bytecount; + newcounts[strip] = stripbytes; +- newoffsets[strip] = offset; ++ newoffsets[strip] = stripbytes ? offset : 0; + offset += stripbytes; + bytecount -= stripbytes; + } + /* + * Replace old single strip info with multi-strip info. 
+ */ +- td->td_stripsperimage = td->td_nstrips = nstrips32; ++ td->td_stripsperimage = td->td_nstrips = nstrips; + TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); + + _TIFFfree(td->td_stripbytecount); Index: pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c diff -u pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.3 pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.4 --- pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c:1.2.2.3 Sat May 6 15:08:52 2017 +++ pkgsrc/graphics/tiff/patches/patch-tools_tiffcp.c Thu May 11 17:47:20 2017 @@ -1,4 +1,4 @@ -$NetBSD: patch-tools_tiffcp.c,v 1.2.2.3 2017/05/06 15:08:52 bsiegert Exp $ +$NetBSD: patch-tools_tiffcp.c,v 1.2.2.4 2017/05/11 17:47:20 bsiegert Exp $ CVE-2017-5225 http://bugzilla.maptools.org/show_bug.cgi?id=2656 @@ -11,6 +11,12 @@ CVE-2016-10093 http://bugzilla.maptools.org/show_bug.cgi?id=2610 https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec +and + +CVE-2016-10268 +http://bugzilla.maptools.org/show_bug.cgi?id=2598 +https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df + --- tools/tiffcp.c.orig 2016-10-12 01:45:17.000000000 +0000 +++ tools/tiffcp.c @@ -592,7 +592,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF @@ -22,6 +28,15 @@ https://github.com/vadz/libtiff/commit/7 uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; copyFunc cf; uint32 width, length; +@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips) + tstrip_t s, ns = TIFFNumberOfStrips(in); + uint32 row = 0; + _TIFFmemset(buf, 0, stripsize); +- for (s = 0; s < ns; s++) { ++ for (s = 0; s < ns && row < imagelength; s++) { + tsize_t cc = (row + rowsperstrip > imagelength) ? + TIFFVStripSize(in, imagelength - row) : stripsize; + if (TIFFReadEncodedStrip(in, s, buf, cc) < 0 
@@ -1068,6 +1068,16 @@ DECLAREcpFunc(cpContig2SeparateByRow) register uint32 n; uint32 row; Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c diff -u pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c:1.1.2.2 pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c:1.1.2.3 --- pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c:1.1.2.2 Sat May 6 15:01:21 2017 +++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_ojpeg.c Thu May 11 17:47:20 2017 
@@ -1,13 +1,48 @@ -$NetBSD: patch-libtiff_tif_ojpeg.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $ +$NetBSD: patch-libtiff_tif_ojpeg.c,v 1.1.2.3 2017/05/11 17:47:20 bsiegert Exp $ CVE-2017-7594 http://bugzilla.maptools.org/show_bug.cgi?id=2659 https://github.com/vadz/libtiff/commit/8283e4d1b7e5 https://github.com/vadz/libtiff/commit/2ea32f7372b6 ---- libtiff/tif_ojpeg.c.orig 2017-05-03 22:08:50.000000000 +0000 +CVE-2016-10267 +http://bugzilla.maptools.org/show_bug.cgi?id=2611 +https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec + +--- libtiff/tif_ojpeg.c.orig 2016-09-08 13:23:57.000000000 +0000 +++ libtiff/tif_ojpeg.c -@@ -1782,7 +1782,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* +@@ -244,6 +244,7 @@ typedef enum { + + typedef struct { + TIFF* tif; ++ int decoder_ok; + #ifndef LIBJPEG_ENCAP_EXTERNAL + JMP_BUF exit_jmpbuf; + #endif +@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s) + } + sp->write_curstrile++; + } ++ sp->decoder_ok = 1; + return(1); + } + +@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif) + static int + OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) + { ++ static const char module[]="OJPEGDecode"; + OJPEGState* sp=(OJPEGState*)tif->tif_data; + (void)s; ++ if( !sp->decoder_ok ) ++ { ++ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); ++ return 0; ++ } + if (sp->libjpeg_jpeg_query_style==0) + { + if (OJPEGDecodeRaw(tif,buf,cc)==0) +@@ -1782,7 +1790,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64); if (p!=64) @@ -18,7 +53,7 @@ https://github.com/vadz/libtiff/commit/2 sp->qtable[m]=ob; sp->sof_tq[m]=m; } -@@ -1846,7 +1849,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF +@@ -1846,7 +1857,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF rb[sizeof(uint32)+5+n]=o[n]; p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); if (p!=q) 
@@ -29,7 +64,7 @@ https://github.com/vadz/libtiff/commit/2 sp->dctable[m]=rb; sp->sos_tda[m]=(m<<4); } -@@ -1910,7 +1916,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF +@@ -1910,7 +1924,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF rb[sizeof(uint32)+5+n]=o[n]; p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); if (p!=q) Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c diff -u pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c:1.1.2.2 pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c:1.1.2.3 --- pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c:1.1.2.2 Sat May 6 15:01:21 2017 +++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif_read.c Thu May 11 17:47:20 2017 @@ -1,4 +1,4 @@ -$NetBSD: patch-libtiff_tif_read.c,v 1.1.2.2 2017/05/06 15:01:21 bsiegert Exp $ +$NetBSD: patch-libtiff_tif_read.c,v 1.1.2.3 2017/05/11 17:47:20 bsiegert Exp $ CVE-2017-7593 http://bugzilla.maptools.org/show_bug.cgi?id=2651 @@ -7,8 +7,21 @@ https://github.com/vadz/libtiff/commit/d CVE-2017-7602 https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4 ---- libtiff/tif_read.c.orig 2017-05-03 22:31:30.000000000 +0000 +CVE-2016-10266 +http://bugzilla.maptools.org/show_bug.cgi?id=2596 +https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1 + +--- libtiff/tif_read.c.orig 2016-07-13 13:28:17.000000000 +0000 +++ libtiff/tif_read.c +@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 s + rowsperstrip=td->td_rowsperstrip; + if (rowsperstrip>td->td_imagelength) + rowsperstrip=td->td_imagelength; +- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); ++ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); + stripinplane=(strip%stripsperplane); + plane=(uint16)(strip/stripsperplane); + rows=td->td_imagelength-stripinplane*rowsperstrip; 
@@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 stri return ((tmsize_t)(-1)); } Added files: Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c:1.1.2.2 --- /dev/null Thu May 11 17:47:20 2017 +++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__luv.c Thu May 11 17:47:20 2017 
@@ -0,0 +1,56 @@ +$NetBSD: patch-libtiff_tif__luv.c,v 1.1.2.2 2017/05/11 17:47:20 bsiegert Exp $ + +Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604 +and +https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86 + +--- libtiff/tif_luv.c.orig 2016-09-08 13:23:57.000000000 +0000 ++++ libtiff/tif_luv.c +@@ -158,6 +158,7 @@ + typedef struct logLuvState LogLuvState; + + struct logLuvState { ++ int encoder_state; /* 1 if encoder correctly initialized */ + int user_datafmt; /* user data format */ + int encode_meth; /* encoding method */ + int pixel_size; /* bytes per pixel */ +@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif) + td->td_photometric, "must be either LogLUV or LogL"); + break; + } ++ sp->encoder_state = 1; + return (1); + notsupported: + TIFFErrorExt(tif->tif_clientdata, module, +@@ -1563,19 +1565,27 @@ notsupported: + static void + LogLuvClose(TIFF* tif) + { ++ LogLuvState* sp = (LogLuvState*) tif->tif_data; + TIFFDirectory *td = &tif->tif_dir; + ++ assert(sp != 0); + /* + * For consistency, we always want to write out the same + * bitspersample and sampleformat for our TIFF file, + * regardless of the data format being used by the application. + * Since this routine is called after tags have been set but + * before they have been recorded in the file, we reset them here. ++ * Note: this is really a nasty approach. See PixarLogClose + */ +- td->td_samplesperpixel = +- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; +- td->td_bitspersample = 16; +- td->td_sampleformat = SAMPLEFORMAT_INT; ++ if( sp->encoder_state ) ++ { ++ /* See PixarLogClose. Might avoid issues with tags whose size depends ++ * on those below, but not completely sure this is enough. */ ++ td->td_samplesperpixel = ++ (td->td_photometric == PHOTOMETRIC_LOGL) ? 
1 : 3; ++ td->td_bitspersample = 16; ++ td->td_sampleformat = SAMPLEFORMAT_INT; ++ } + } + + static void Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c:1.1.2.2 --- /dev/null Thu May 11 17:47:20 2017 +++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__pixarlog.c Thu May 11 17:47:20 2017 @@ -0,0 +1,41 @@ +$NetBSD: patch-libtiff_tif__pixarlog.c,v 1.1.2.2 2017/05/11 17:47:20 bsiegert Exp $ + +Fix CVE-2016-10269, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2604 +and +https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86 + +--- libtiff/tif_pixarlog.c.orig 2016-09-23 22:56:06.000000000 +0000 ++++ libtiff/tif_pixarlog.c +@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif) + static void + PixarLogClose(TIFF* tif) + { ++ PixarLogState* sp = (PixarLogState*) tif->tif_data; + TIFFDirectory *td = &tif->tif_dir; + ++ assert(sp != 0); + /* In a really sneaky (and really incorrect, and untruthful, and + * troublesome, and error-prone) maneuver that completely goes against + * the spirit of TIFF, and breaks TIFF, on close, we covertly +@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif) + * readers that don't know about PixarLog, or how to set + * the PIXARLOGDATFMT pseudo-tag. + */ +- td->td_bitspersample = 8; +- td->td_sampleformat = SAMPLEFORMAT_UINT; ++ ++ if (sp->state&PLSTATE_INIT) { ++ /* We test the state to avoid an issue such as in ++ * http://bugzilla.maptools.org/show_bug.cgi?id=2604 ++ * What appends in that case is that the bitspersample is 1 and ++ * a TransferFunction is set. The size of the TransferFunction ++ * depends on 1<td_bitspersample = 8; ++ td->td_sampleformat = SAMPLEFORMAT_UINT; ++ } + } + + static void Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tif__strip.c diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tif__strip.c:1.1.2.2 
--- /dev/null Thu May 11 17:47:20 2017 +++ pkgsrc/graphics/tiff/patches/patch-libtiff_tif__strip.c Thu May 11 17:47:20 2017 @@ -0,0 +1,24 @@ +$NetBSD: patch-libtiff_tif__strip.c,v 1.1.2.2 2017/05/11 17:47:20 bsiegert Exp $ + +Fix CVE-2016-10270, ref. +http://bugzilla.maptools.org/show_bug.cgi?id=2608 +https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018 + +--- libtiff/tif_strip.c.orig 2016-11-10 02:12:36.000000000 +0000 ++++ libtiff/tif_strip.c +@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif) + TIFFDirectory *td = &tif->tif_dir; + uint32 nstrips; + +- /* If the value was already computed and store in td_nstrips, then return it, +- since ChopUpSingleUncompressedStrip might have altered and resized the +- since the td_stripbytecount and td_stripoffset arrays to the new value +- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in +- tif_dirread.c ~line 3612. +- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ +- if( td->td_nstrips ) +- return td->td_nstrips; +- + nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : + TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); + if (td->td_planarconfig == PLANARCONFIG_SEPARATE) Index: pkgsrc/graphics/tiff/patches/patch-libtiff_tiffiop.h diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-libtiff_tiffiop.h:1.3.2.2 --- /dev/null Thu May 11 17:47:20 2017 +++ pkgsrc/graphics/tiff/patches/patch-libtiff_tiffiop.h Thu May 11 17:47:20 2017 
@@ -0,0 +1,19 @@ +$NetBSD: patch-libtiff_tiffiop.h,v 1.3.2.2 2017/05/11 17:47:20 bsiegert Exp $ + +CVE-2016-10266 +http://bugzilla.maptools.org/show_bug.cgi?id=2596 +https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1 + +--- libtiff/tiffiop.h.orig 2016-01-24 15:39:51.000000000 +0000 ++++ libtiff/tiffiop.h +@@ -250,6 +250,10 @@ struct tiff { + #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ + ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ + 0U) ++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ ++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ ++#define TIFFhowmany_32_maxuint_compat(x, y) \ ++ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) + #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) + #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) + #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) Index: pkgsrc/graphics/tiff/patches/patch-tools_tiff2pdf.c diff -u /dev/null pkgsrc/graphics/tiff/patches/patch-tools_tiff2pdf.c:1.3.2.2 --- /dev/null Thu May 11 17:47:20 2017 +++ pkgsrc/graphics/tiff/patches/patch-tools_tiff2pdf.c Thu May 11 17:47:20 2017 @@ -0,0 +1,16 @@ +$NetBSD: patch-tools_tiff2pdf.c,v 1.3.2.2 2017/05/11 17:47:20 bsiegert Exp $ + +Fix CVE-2016-10094, ref. http://bugzilla.maptools.org/show_bug.cgi?id=2640 +and https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76 + +--- tools/tiff2pdf.c.orig 2016-11-12 14:58:09.000000000 +0000 ++++ tools/tiff2pdf.c +@@ -2895,7 +2895,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P + return(0); + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { +- if (count >= 4) { ++ if (count > 4) { + /* Ignore EOI marker of JpegTables */ + _TIFFmemcpy(buffer, jpt, count - 2); + bufferoffset += count - 2; --_----------=_1494524840174000--
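
Review bot: In the ChopUpSingleUncompressedStrip hunks of patch-libtiff_tif_dirread.c, nstrips is now derived from TIFFhowmany_32(td->td_imagelength, rowsperstrip) instead of from bytecount, so the fill loop can keep running after bytecount has reached 0 and record strips with a zero count and offset 0 (`newoffsets[strip] = stripbytes ? offset : 0;`). Nothing in the hunk documents that convention. A short comment saying that trailing strips are deliberately recorded as empty, and that readers must treat a zero byte count as "no data" rather than seek to offset 0, would make the intent checkable. The `if( nstrips == 0 ) return;` path also lost the old "something is wonky" remark and should say when TIFFhowmany_32 is expected to yield 0.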
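
Review bot: In the cpDecodedStrips hunk of patch-tools_tiffcp.c, the new loop condition `s < ns && row < imagelength` ends the copy silently when the input declares more strips than imagelength can account for. The bound itself is right, but a file that trips it is malformed and the tool gives no sign of that. Consider emitting a warning after the loop when `s < ns`, so that a truncated copy is distinguishable from a clean one.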
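
Review bot: In the tif_ojpeg.c hunks, decoder_ok is only ever set (`sp->decoder_ok = 1;` before the final `return(1)` in OJPEGPreDecode) and never cleared in any visible line. The guard in OJPEGDecode therefore relies on OJPEGState being zero-filled at allocation, which these hunks do not show, and once one strip has been set up successfully a later OJPEGPreDecode that fails leaves the flag at 1. Clearing the flag at the top of OJPEGPreDecode would make the check hold per strip instead of per file.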
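
Review bot: In the TIFFReadEncodedStrip hunk of patch-libtiff_tif_read.c, rowsperstrip is clamped to td->td_imagelength two lines above the changed statement, so an image length of 0 makes it 0 and TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip) then divides by zero. The replaced expression had the same divisor, so this is not new, but the hunk is the natural place to close it: reject `rowsperstrip == 0` with an error before computing stripsperplane, which also protects the following `strip%stripsperplane`.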
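
Review bot: In the LogLuvClose hunk of patch-libtiff_tif__luv.c, `assert(sp != 0);` is the only thing standing between a null tif_data and the `sp->encoder_state` read a few lines later, and assert() compiles away under NDEBUG. If sp can legitimately be null at close time, use a real check and return early; if it cannot, the assert is fine but the hunk should say so. The new encoder_state field is also only ever set to 1 (in LogLuvSetupEncode), so its correctness depends on the state struct being zero-initialized elsewhere; a one-line note next to the field declaration would help.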
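
Review bot: In the PixarLogClose hunk of patch-libtiff_tif__pixarlog.c, the added explanatory comment needs cleaning up: "What appends in that case" should read "What happens in that case", and as the hunk appears here the comment stops at "depends on 1<" and runs straight into the `td_bitspersample = 8;` assignment, so it is worth confirming that the committed patch file has the comment closed and both assignments intact. The same NDEBUG caveat applies to `assert(sp != 0);` ahead of the `sp->state&PLSTATE_INIT` test.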
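
Review bot: In patch-libtiff_tif__strip.c, removing the `if( td->td_nstrips ) return td->td_nstrips;` shortcut from TIFFNumberOfStrips is only safe together with the ChopUpSingleUncompressedStrip change in patch-libtiff_tif_dirread.c, because the deleted comment states the cache existed precisely to cover the arrays that function resizes. The two live in separate patch files with no cross-reference. Add a line to this patch's header saying it depends on the tif_dirread.c part of the CVE-2016-10270 fix, so that nobody drops or reorders one without the other.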
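
Review bot: In patch-libtiff_tiffiop.h, the new TIFFhowmany_32_maxuint_compat(x, y) macro expands both x and y twice (once for `/`, once for `%`), so an argument with side effects would be evaluated twice. The existing caution comment covers only the `*y` overflow. Extend it to say that the arguments must be side-effect free and that y must be non-zero, since the macro itself has no guard.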
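
Review bot: In the t2p_readwrite_pdf_image_tile hunk of patch-tools_tiff2pdf.c, the guard changes from `count >= 4` to `count > 4` with no comment explaining why a 4-byte JPEGTables value must now be skipped, while the body still copies `count - 2` bytes. Please add a line stating the reason for the boundary next to the existing "Ignore EOI marker" comment. Separately, the commit reference in this patch's header, c7153361a4041260719b340f73f2f76, is 31 hex characters, which matches neither the 40-character ids used in the other patch headers nor the 12-character short form used in patch-libtiff_tif_ojpeg.c; check it against upstream and record the full id.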