Thu Aug 15 14:58:46 2013 UTC ()
add patches from upstream CVS and Redhat bugzilla to fix buffer overflow
and use-after-free problems in the "gif2tiff" and "tiff2pdf"
command line tools (the library is not affected)
(CVE-2013-4231, CVE-2013-4232, CVE-2013-4244)
bump PKGREV


(drochner)
diff -r1.112 -r1.113 pkgsrc/graphics/tiff/Makefile
diff -r1.60 -r1.61 pkgsrc/graphics/tiff/distinfo
diff -r1.1 -r1.2 pkgsrc/graphics/tiff/patches/patch-CVE-2013-1960_1961
diff -r0 -r1.1 pkgsrc/graphics/tiff/patches/patch-CVE-2013-4231

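--- a/pkgsrc/graphics/tiff/Makefile
+++ b/pkgsrc/graphics/tiff/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.112 2013/05/02 14:52:44 drochner Exp $
+# $NetBSD: Makefile,v 1.113 2013/08/15 14:58:46 drochner Exp $
 
 DISTNAME= tiff-4.0.3
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= graphics
 MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
  http://libtiff.maptools.org/dl/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.remotesensing.org/libtiff/
 COMMENT= Library and tools for reading and writing TIFF data files
 LICENSE= mit
 
 EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX}
 
 PKG_INSTALLATION_TYPES= overwrite pkgviews
 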

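--- a/pkgsrc/graphics/tiff/distinfo
+++ b/pkgsrc/graphics/tiff/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.60 2013/05/02 14:52:44 drochner Exp $
+$NetBSD: distinfo,v 1.61 2013/08/15 14:58:46 drochner Exp $
 
 SHA1 (tiff-4.0.3.tar.gz) = 652e97b78f1444237a82cbcfe014310e776eb6f0
 RMD160 (tiff-4.0.3.tar.gz) = eacd725fb3c299682c1c2e508049d98acd170f31
 Size (tiff-4.0.3.tar.gz) = 2051630 bytes
 SHA1 (patch-CVE-2012-4564) = bda3b26e431e8234e5afd984a086c980a8eb6c41
-SHA1 (patch-CVE-2013-1960_1961) = dff40e975426a6df2ba27383d22b5f8f4275a443
+SHA1 (patch-CVE-2013-1960_1961) = b815edbeeb1eb23ce2633060dd390985dec794f3
+SHA1 (patch-CVE-2013-4231) = bc1420583b9c4b0a34d26142bc35b6d0d26af529
 SHA1 (patch-configure) = 1fb9ef790a59ac9c1396dd8e962c75946e2c998a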

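--- a/pkgsrc/graphics/tiff/patches/Attic/patch-CVE-2013-1960_1961
+++ b/pkgsrc/graphics/tiff/patches/Attic/patch-CVE-2013-1960_1961
@@ -1,18 +1,21 @@
-$NetBSD: patch-CVE-2013-1960_1961,v 1.1 2013/05/02 14:52:44 drochner Exp $
+$NetBSD: patch-CVE-2013-1960_1961,v 1.2 2013/08/15 14:58:46 drochner Exp $
 
 see https://bugzilla.redhat.com/show_bug.cgi?id=952131
 and https://bugzilla.redhat.com/show_bug.cgi?id=952158
 
+also fixes CVE-2013-4232
+see http://bugzilla.maptools.org/show_bug.cgi?id=2449
+
 --- contrib/dbs/xtiff/xtiff.c.orig 2010-06-08 20:55:15.000000000 +0200
 +++ contrib/dbs/xtiff/xtiff.c 2013-05-02 16:27:43.000000000 +0200
 @@ -512,9 +512,9 @@ SetNameLabel()
   Arg args[1];
  
   if (tfMultiPage)
 - sprintf(buffer, "%s - page %d", fileName, tfDirectory);
 + snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
   else
 - strcpy(buffer, fileName);
 + snprintf(buffer, sizeof(buffer), "%s", fileName);
   XtSetArg(args[0], XtNlabel, buffer);
   XtSetValues(labelWidget, args, 1);
@@ -53,29 +56,37 @@ and https://bugzilla.redhat.com/show_bug
  }
  TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
 --- tools/tiff2bw.c.orig 2010-07-08 18:10:24.000000000 +0200
 +++ tools/tiff2bw.c 2013-05-02 16:27:43.000000000 +0200
 @@ -205,7 +205,7 @@ main(int argc, char* argv[])
  }
  }
  TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
 - sprintf(thing, "B&W version of %s", argv[optind]);
 + snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
  TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
  TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
  outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
---- tools/tiff2pdf.c.orig 2013-05-02 16:27:43.000000000 +0200
-+++ tools/tiff2pdf.c 2013-05-02 16:32:49.000000000 +0200
-@@ -3341,33 +3341,56 @@ int t2p_process_jpeg_strip(
+--- tools/tiff2pdf.c.orig 2012-07-26 02:56:43.000000000 +0000
++++ tools/tiff2pdf.c
+@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ _TIFFfree(buffer);
++ return(0);
+ } else {
+ buffer=samplebuffer;
+ t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
+@@ -3341,33 +3342,56 @@ int t2p_process_jpeg_strip(
  uint32 height){
  
  tsize_t i=0;
 - uint16 ri =0;
 - uint16 v_samp=1;
 - uint16 h_samp=1;
 - int j=0;
 -
 - i++;
 -
 - while(i<(*striplength)){
 +
 + while (i < *striplength) {
@@ -134,27 +145,27 @@ and https://bugzilla.redhat.com/show_bug
 + if (ncomp < 1 || ncomp > 4)
 + return(0);
 + v_samp=1;
 + h_samp=1;
 + for(j=0;j<ncomp;j++){
 + uint16 samp = buffer[*bufferoffset+11+(3*j)];
 + if( (samp>>4) > h_samp)
 + h_samp = (samp>>4);
 + if( (samp & 0x0f) > v_samp)
 + v_samp = (samp & 0x0f);
  }
  v_samp*=8;
  h_samp*=8;
-@@ -3381,45 +3404,43 @@ int t2p_process_jpeg_strip(
+@@ -3381,45 +3405,43 @@ int t2p_process_jpeg_strip(
  (unsigned char) ((height>>8) & 0xff);
  buffer[*bufferoffset+6]=
  (unsigned char) (height & 0xff);
 - *bufferoffset+=strip[i+2]+2;
 - i+=strip[i+2]+2;
 -
 + *bufferoffset+=datalen+2;
 + /* insert a DRI marker */
  buffer[(*bufferoffset)++]=0xff;
  buffer[(*bufferoffset)++]=0xdd;
  buffer[(*bufferoffset)++]=0x00;
  buffer[(*bufferoffset)++]=0x04;
  buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;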
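Review bot: The preamble's new "also fixes CVE-2013-4232" line does not say which hunk carries that fix, although the only code change in this revision is the new tools/tiff2pdf.c hunk at patch lines 71-78. Anyone later re-diffing or dropping this combined patch has to rediscover the mapping, so I would add a preamble line such as `tiff2pdf.c, t2p_readwrite_pdf_image: return after _TIFFfree(buffer) in the error branch (CVE-2013-4232)`. The added `return(0);` keeps the function from continuing with a `buffer` it has just freed. The rest of t2p_readwrite_pdf_image is outside the hunk, so it is worth confirming that its other error branches that free `buffer` also return immediately.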

File Added: pkgsrc/graphics/tiff/patches/Attic/patch-CVE-2013-4231
$NetBSD: patch-CVE-2013-4231,v 1.1 2013/08/15 14:58:46 drochner Exp $

see http://bugzilla.maptools.org/show_bug.cgi?id=2450

also fixes CVE-2013-4244
see https://bugzilla.redhat.com/show_bug.cgi?id=996468

--- tools/gif2tiff.c.orig	2010-12-15 03:52:53.000000000 +0000
+++ tools/gif2tiff.c
@@ -333,6 +333,10 @@ readraster(void)
     int status = 1;
 
     datasize = getc(infile);
+
+    if (datasize > 12)
+	return 0;
+
     clear = 1 << datasize;
     eoi = clear + 1;
     avail = clear + 2;
@@ -398,6 +402,10 @@ process(register int code, unsigned char
     }
 
     if (oldcode == -1) {
+	if (code >= clear) {
+	    fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+	    return 0;
+	}
 	*(*fill)++ = suffix[code];
 	firstchar = oldcode = code;
 	return 1;
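Review bot: In the first hunk the new guard rejects only `datasize > 12`, but `datasize` comes straight from `getc(infile)`, which returns EOF (negative) on a truncated file; if `datasize` is a signed int (its declaration is outside the hunk), `clear = 1 << datasize` is then a shift by a negative count, which is undefined behaviour. The guard should bound both ends, e.g. `if (datasize < 0 || datasize > 12)`. In the second hunk the `code >= clear` check covers only the `oldcode == -1` branch, and its message says "larger than" although equality is rejected too. Both readraster() and process() continue outside the hunks, so the other places where `code` indexes the tables should be confirmed to be bounded as well.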