aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2018-11-06 15:33:47 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2018-11-06 15:43:16 +0000
commit9f0242b867730fa2a8b0a7957c1d101574f31df5 (patch)
tree112f7aa37bb4ba540ecd9d84f7fb17f2e27df7c7
parent73c7cfb12e9bf26f050b7ad2b5975c7b8c737f76 (diff)
downloadaports-9f0242b867730fa2a8b0a7957c1d101574f31df5.tar.bz2
aports-9f0242b867730fa2a8b0a7957c1d101574f31df5.tar.xz
main/tiff: security fixes
-rw-r--r--main/tiff/APKBUILD12
-rw-r--r--main/tiff/CVE-2018-10779.patch32
-rw-r--r--main/tiff/CVE-2018-17100-1.patch112
3 files changed, 154 insertions, 2 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 80ac261036..f7386da092 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=4.0.9
-pkgrel=5
+pkgrel=6
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
arch="all"
@@ -20,10 +20,16 @@ source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
CVE-2018-5784.patch
CVE-2018-7456.patch
CVE-2018-8905.patch
+ CVE-2018-10779.patch
CVE-2018-10963.patch
+ CVE-2018-17100-1.patch
"
# secfixes:
+# 4.0.9-r6:
+# - CVE-2018-10779
+# - CVE-2018-17100
+# - CVE-2018-17101
# 4.0.9-r5:
# - CVE-2017-9935
# - CVE-2017-11613
@@ -106,4 +112,6 @@ sha512sums="04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844b
c9cb1f712241c5bbd01910d4f4becf50ba8498bb04393f45451af4ace948b6a41b3d887adc9fbce1a53edeb0aeba03868f4d31428f3c5813ed14bb4b6f4c0f96 CVE-2018-5784.patch
8f3ad4065f6ef349c4bd0fe9161cbe19744fbbc89f17c52eb4e43548ca4816f09c7f7e270cb77ced820a95ca009b5f7ad65ee79e7b23ffe1d31c137e3b2bef47 CVE-2018-7456.patch
ba283d0def89bf7caee753f39b5717780e9aec2ba32b8ce400b3d86b50eb1414a92bd56ebcf5e9550436a71aa18c55e31c6b5966f24dc5ec1863f28ca769d887 CVE-2018-8905.patch
-8dd973dc365599b9821393b96713e87d834a25ad96f4fc131616e11ded6ac9d119d66054c66bba8c3669d73b59b9e3569874b05334ae02a689ee57209b85e09e CVE-2018-10963.patch"
+aceae14ec9c6dcbaeb51a3d5527d0da1b0c3f1ef1e87f301615be745f9535be23305e8409105740e615f09d80642d7f84897a89cb98327ad8313d11d877f7e35 CVE-2018-10779.patch
+8dd973dc365599b9821393b96713e87d834a25ad96f4fc131616e11ded6ac9d119d66054c66bba8c3669d73b59b9e3569874b05334ae02a689ee57209b85e09e CVE-2018-10963.patch
+d19f584bc70bb8b0c1da910cb8642ff2e41741aaa85b23213c6cc27959d6133275b0124c6e779effeb447c559f3debfd04f377b69b8acb9fa5da8fe182c3f2aa CVE-2018-17100-1.patch"
diff --git a/main/tiff/CVE-2018-10779.patch b/main/tiff/CVE-2018-10779.patch
new file mode 100644
index 0000000000..828d684708
--- /dev/null
+++ b/main/tiff/CVE-2018-10779.patch
@@ -0,0 +1,32 @@
+From 981e43ecae83935625c86c9118c0778c942c7048 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 15 Aug 2018 16:34:40 +0200
+Subject: [PATCH] TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit
+ systems with large number of strips. Probably relates to
+ http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
+
+---
+ libtiff/tif_write.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
+index 586f6fdf..a31ecd12 100644
+--- a/libtiff/tif_write.c
++++ b/libtiff/tif_write.c
+@@ -538,9 +538,11 @@ TIFFSetupStrips(TIFF* tif)
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+ td->td_stripsperimage /= td->td_samplesperpixel;
+ td->td_stripoffset = (uint64 *)
+- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
++ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
++ "for \"StripOffsets\" array");
+ td->td_stripbytecount = (uint64 *)
+- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
++ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
++ "for \"StripByteCounts\" array");
+ if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
+ return (0);
+ /*
+--
+2.18.1
+
diff --git a/main/tiff/CVE-2018-17100-1.patch b/main/tiff/CVE-2018-17100-1.patch
new file mode 100644
index 0000000000..f5a9e1a915
--- /dev/null
+++ b/main/tiff/CVE-2018-17100-1.patch
@@ -0,0 +1,112 @@
+From f1b94e8a3ba49febdd3361c0214a1d1149251577 Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:36:12 +0800
+Subject: [PATCH 1/3] only read/write TIFFTAG_GROUP3OPTIONS or
+ TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
+ COMPRESSION_CCITTFAX4
+
+---
+ tools/pal2rgb.c | 18 +++++++++++++++++-
+ tools/tiff2bw.c | 18 +++++++++++++++++-
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01fcf941..01d8502e 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index 05faba87..5bef3142 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+--
+2.18.1
+
+
+From 6da1fb3f64d43be37e640efbec60400d1f1ac39e Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:46:27 +0800
+Subject: [PATCH 2/3] avoid potential int32 overflows in multiply_ms()
+
+---
+ tools/ppm2tiff.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
+index af6e4124..c2d59257 100644
+--- a/tools/ppm2tiff.c
++++ b/tools/ppm2tiff.c
+@@ -70,15 +70,16 @@ BadPPM(char* file)
+ exit(-2);
+ }
+
++
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- tmsize_t bytes = m1 * m2;
+-
+- if (m1 && bytes / m1 != m2)
+- bytes = 0;
+-
+- return bytes;
++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++ return 0;
++ return m1 * m2;
+ }
+
+ int
+--
+2.18.1