gnu: libtiff: Update replacement to 4.0.7.
* gnu/packages/image.scm (libtiff)[replacement]: Update to 4.0.7. (libtiff-4.0.7): New variable. Update home-page and source URLs. (libtiff/fixed): Delete variable. * gnu/packages/patches/libtiff-CVE-2016-5652.patch, gnu/packages/patches/libtiff-CVE-2016-9273.patch, gnu/packages/patches/libtiff-CVE-2016-9297.patch, gnu/packages/patches/libtiff-CVE-2016-9448.patch, gnu/packages/patches/libtiff-uint32-overflow.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
This commit is contained in:
parent
d8e3bb082d
commit
be72eb98fa
|
@ -672,13 +672,8 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/libtiff-CVE-2016-5314.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-5321.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-5323.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-5652.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-9273.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-9297.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-9448.patch \
|
||||
%D%/packages/patches/libtiff-oob-accesses-in-decode.patch \
|
||||
%D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
|
||||
%D%/packages/patches/libtiff-uint32-overflow.patch \
|
||||
%D%/packages/patches/libtool-skip-tests2.patch \
|
||||
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
|
||||
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
|
||||
|
|
|
@ -243,7 +243,7 @@ extracting icontainer icon files.")
|
|||
(define-public libtiff
|
||||
(package
|
||||
(name "libtiff")
|
||||
(replacement libtiff/fixed)
|
||||
(replacement libtiff-4.0.7)
|
||||
(version "4.0.6")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
|
@ -283,27 +283,18 @@ collection of tools for doing simple manipulations of TIFF images.")
|
|||
"See COPYRIGHT in the distribution."))
|
||||
(home-page "http://www.remotesensing.org/libtiff/")))
|
||||
|
||||
(define libtiff/fixed
|
||||
(define libtiff-4.0.7
|
||||
(package
|
||||
(inherit libtiff)
|
||||
(version "4.0.7")
|
||||
(source (origin
|
||||
(inherit (package-source libtiff))
|
||||
(patches (search-patches
|
||||
"libtiff-oob-accesses-in-decode.patch"
|
||||
"libtiff-oob-write-in-nextdecode.patch"
|
||||
"libtiff-uint32-overflow.patch"
|
||||
"libtiff-CVE-2015-8665+CVE-2015-8683.patch"
|
||||
"libtiff-CVE-2016-3623.patch"
|
||||
"libtiff-CVE-2016-3945.patch"
|
||||
"libtiff-CVE-2016-3990.patch"
|
||||
"libtiff-CVE-2016-3991.patch"
|
||||
"libtiff-CVE-2016-5314.patch"
|
||||
"libtiff-CVE-2016-5321.patch"
|
||||
"libtiff-CVE-2016-5323.patch"
|
||||
"libtiff-CVE-2016-5652.patch"
|
||||
"libtiff-CVE-2016-9273.patch"
|
||||
"libtiff-CVE-2016-9297.patch"
|
||||
"libtiff-CVE-2016-9448.patch"))))))
|
||||
(method url-fetch)
|
||||
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
|
||||
version ".tar.gz"))
|
||||
(sha256
|
||||
(base32
|
||||
"06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
|
||||
(home-page "http://www.simplesystems.org/libtiff/")))
|
||||
|
||||
(define-public libwmf
|
||||
(package
|
||||
|
|
|
@ -1,47 +0,0 @@
|
|||
Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()).
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
|
||||
|
||||
Patches exfiltrated from upstream CVS repo with:
|
||||
cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c
|
||||
|
||||
Index: tools/tiff2pdf.c
|
||||
===================================================================
|
||||
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
|
||||
retrieving revision 1.92
|
||||
retrieving revision 1.94
|
||||
diff -u -r1.92 -r1.94
|
||||
--- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92
|
||||
+++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94
|
||||
@@ -2887,21 +2887,24 @@
|
||||
return(0);
|
||||
}
|
||||
if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
|
||||
- if (count > 0) {
|
||||
- _TIFFmemcpy(buffer, jpt, count);
|
||||
+ if (count >= 4) {
|
||||
+ /* Ignore EOI marker of JpegTables */
|
||||
+ _TIFFmemcpy(buffer, jpt, count - 2);
|
||||
bufferoffset += count - 2;
|
||||
+ /* Store last 2 bytes of the JpegTables */
|
||||
table_end[0] = buffer[bufferoffset-2];
|
||||
table_end[1] = buffer[bufferoffset-1];
|
||||
- }
|
||||
- if (count > 0) {
|
||||
xuint32 = bufferoffset;
|
||||
+ bufferoffset -= 2;
|
||||
bufferoffset += TIFFReadRawTile(
|
||||
input,
|
||||
tile,
|
||||
- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),
|
||||
+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
|
||||
-1);
|
||||
- buffer[xuint32-2]=table_end[0];
|
||||
- buffer[xuint32-1]=table_end[1];
|
||||
+ /* Overwrite SOI marker of image scan with previously */
|
||||
+ /* saved end of JpegTables */
|
||||
+ buffer[xuint32-2]=table_end[0];
|
||||
+ buffer[xuint32-1]=table_end[1];
|
||||
} else {
|
||||
bufferoffset += TIFFReadRawTile(
|
||||
input,
|
|
@ -1,41 +0,0 @@
|
|||
Fix CVE-2016-9273:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2587
|
||||
|
||||
Patch extracted from upstream CVS repo:
|
||||
|
||||
2016-11-10 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
revision 1.37
|
||||
date: 2016-11-09 18:00:49 -0500; author: erouault; state: Exp; lines: +10 -1; commitid: pzKipPxDJO2dxvtz;
|
||||
* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
|
||||
value when it is non-zero, instead of recomputing it. This is needed in
|
||||
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
|
||||
array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
|
||||
|
||||
Index: libtiff/tif_strip.c
|
||||
===================================================================
|
||||
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
|
||||
retrieving revision 1.36
|
||||
retrieving revision 1.37
|
||||
diff -u -r1.36 -r1.37
|
||||
--- a/libtiff/tif_strip.c 7 Jun 2015 22:35:40 -0000 1.36
|
||||
+++ b/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37
|
||||
@@ -63,6 +63,15 @@
|
||||
TIFFDirectory *td = &tif->tif_dir;
|
||||
uint32 nstrips;
|
||||
|
||||
+ /* If the value was already computed and store in td_nstrips, then return it,
|
||||
+ since ChopUpSingleUncompressedStrip might have altered and resized the
|
||||
+ since the td_stripbytecount and td_stripoffset arrays to the new value
|
||||
+ after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
|
||||
+ tif_dirread.c ~line 3612.
|
||||
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
|
||||
+ if( td->td_nstrips )
|
||||
+ return td->td_nstrips;
|
||||
+
|
||||
nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
|
||||
TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
|
||||
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
|
|
@ -1,52 +0,0 @@
|
|||
Fix CVE-2016-9297:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9297
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2590
|
||||
|
||||
Patch copied from upstream source repository.
|
||||
|
||||
2016-11-11 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
|
||||
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
|
||||
access are null terminated, to avoid potential read outside buffer
|
||||
in _TIFFPrintField().
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
|
||||
|
||||
|
||||
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
|
||||
new revision: 1.1154; previous revision: 1.1153
|
||||
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <--
|
||||
libtiff/tif_dirread.c
|
||||
new revision: 1.203; previous revision: 1.202Index: libtiff/libtiff/tif_dirread.c
|
||||
===================================================================
|
||||
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
|
||||
retrieving revision 1.202
|
||||
retrieving revision 1.203
|
||||
diff -u -r1.202 -r1.203
|
||||
--- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:01:55 -0000 1.202
|
||||
+++ libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203
|
||||
@@ -5000,6 +5000,11 @@
|
||||
if (err==TIFFReadDirEntryErrOk)
|
||||
{
|
||||
int m;
|
||||
+ if( data[dp->tdir_count-1] != '\0' )
|
||||
+ {
|
||||
+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
|
||||
+ data[dp->tdir_count-1] = '\0';
|
||||
+ }
|
||||
m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
|
||||
if (data!=0)
|
||||
_TIFFfree(data);
|
||||
@@ -5172,6 +5177,11 @@
|
||||
if (err==TIFFReadDirEntryErrOk)
|
||||
{
|
||||
int m;
|
||||
+ if( data[dp->tdir_count-1] != '\0' )
|
||||
+ {
|
||||
+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
|
||||
+ data[dp->tdir_count-1] = '\0';
|
||||
+ }
|
||||
m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
|
||||
if (data!=0)
|
||||
_TIFFfree(data);
|
|
@ -1,34 +0,0 @@
|
|||
Fix CVE-2016-9448 (regression caused by fix for CVE-2016-9297).
|
||||
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2593
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
|
||||
|
||||
Patch copied from upstream source repository with:
|
||||
$ cvs diff -u -r 1.203 -r 1.204 libtiff/libtiff/tif_dirread.c
|
||||
|
||||
Index: libtiff/libtiff/tif_dirread.c
|
||||
===================================================================
|
||||
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
|
||||
retrieving revision 1.203
|
||||
retrieving revision 1.204
|
||||
diff -u -r1.203 -r1.204
|
||||
--- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203
|
||||
+++ libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204
|
||||
@@ -5000,7 +5000,7 @@
|
||||
if (err==TIFFReadDirEntryErrOk)
|
||||
{
|
||||
int m;
|
||||
- if( data[dp->tdir_count-1] != '\0' )
|
||||
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
|
||||
{
|
||||
TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
|
||||
data[dp->tdir_count-1] = '\0';
|
||||
@@ -5177,7 +5177,7 @@
|
||||
if (err==TIFFReadDirEntryErrOk)
|
||||
{
|
||||
int m;
|
||||
- if( data[dp->tdir_count-1] != '\0' )
|
||||
+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
|
||||
{
|
||||
TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
|
||||
data[dp->tdir_count-1] = '\0';
|
|
@ -1,102 +0,0 @@
|
|||
Fix some buffer overflows:
|
||||
|
||||
http://seclists.org/oss-sec/2016/q4/408
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2592
|
||||
|
||||
2016-11-11 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* tools/tiffcrop.c: fix multiple uint32 overflows in
|
||||
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
|
||||
writeBufferToSeparateTiles() that could cause heap buffer
|
||||
overflows.
|
||||
Reported by Henri Salo from Nixu Corporation.
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
|
||||
|
||||
|
||||
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
|
||||
new revision: 1.1152; previous revision: 1.1151
|
||||
/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
|
||||
new revision: 1.43; previous revision: 1.42
|
||||
|
||||
===================================================================
|
||||
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
|
||||
retrieving revision 1.42
|
||||
retrieving revision 1.43
|
||||
diff -u -r1.42 -r1.43
|
||||
--- libtiff/tools/tiffcrop.c 14 Oct 2016 19:13:20 -0000 1.42
|
||||
+++ libtiff/tools/tiffcrop.c 11 Nov 2016 19:33:06 -0000 1.43
|
||||
@@ -148,6 +148,8 @@
|
||||
#define PATH_MAX 1024
|
||||
#endif
|
||||
|
||||
+#define TIFF_UINT32_MAX 0xFFFFFFFFU
|
||||
+
|
||||
#ifndef streq
|
||||
#define streq(a,b) (strcmp((a),(b)) == 0)
|
||||
#endif
|
||||
@@ -1164,7 +1166,24 @@
|
||||
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
|
||||
(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
|
||||
bytes_per_sample = (bps + 7) / 8;
|
||||
- rowsize = ((bps * spp * width) + 7) / 8; /* source has interleaved samples */
|
||||
+ if( width == 0 ||
|
||||
+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
|
||||
+ bps * spp * width > TIFF_UINT32_MAX - 7U )
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(out),
|
||||
+ "Error, uint32 overflow when computing (bps * spp * width) + 7");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ rowsize = ((bps * spp * width) + 7U) / 8; /* source has interleaved samples */
|
||||
+ if( bytes_per_sample == 0 ||
|
||||
+ rowsperstrip > TIFF_UINT32_MAX / bytes_per_sample ||
|
||||
+ rowsperstrip * bytes_per_sample > TIFF_UINT32_MAX / (width + 1) )
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(out),
|
||||
+ "Error, uint32 overflow when computing rowsperstrip * "
|
||||
+ "bytes_per_sample * (width + 1)");
|
||||
+ return 1;
|
||||
+ }
|
||||
rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
|
||||
|
||||
obuf = _TIFFmalloc (rowstripsize);
|
||||
@@ -1251,11 +1270,19 @@
|
||||
}
|
||||
}
|
||||
|
||||
+ if( imagewidth == 0 ||
|
||||
+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
|
||||
+ bps * spp * imagewidth > TIFF_UINT32_MAX - 7U )
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(out),
|
||||
+ "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
|
||||
+
|
||||
tilebuf = _TIFFmalloc(tile_buffsize);
|
||||
if (tilebuf == 0)
|
||||
return 1;
|
||||
-
|
||||
- src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
|
||||
for (row = 0; row < imagelength; row += tl)
|
||||
{
|
||||
nrow = (row + tl > imagelength) ? imagelength - row : tl;
|
||||
@@ -1315,7 +1342,16 @@
|
||||
TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
|
||||
TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
|
||||
TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
|
||||
- src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
|
||||
+
|
||||
+ if( imagewidth == 0 ||
|
||||
+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
|
||||
+ bps * spp * imagewidth > TIFF_UINT32_MAX - 7 )
|
||||
+ {
|
||||
+ TIFFError(TIFFFileName(out),
|
||||
+ "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
|
||||
|
||||
for (row = 0; row < imagelength; row += tl)
|
||||
{
|
Loading…
Reference in New Issue