From: Leo Famulari
Subject: Libtiff 4.0.7 update
Date: Mon, 21 Nov 2016 11:48:27 -0500
Message-ID: <20161121164827.GA29287@jasmine>
To: guix-devel@gnu.org

This updates libtiff to the latest upstream version, 4.0.7.

I went through the tarball and confirmed that all the patches were
contained in it but, please, double-check :)

Also, libtiff has new source and home-page URLs. Read all about it:

http://www.asmail.be/msg0054885794.html

It will require ~1600 rebuilds.

Content-Disposition: attachment; filename="0001-gnu-libtiff-Update-to-4.0.7.patch"

From 755367331d73c36c91b493a440d533a96e12a5bc Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 21 Nov 2016 11:39:49 -0500
Subject: [PATCH] gnu: libtiff: Update to 4.0.7.

* gnu/packages/image.scm (libtiff): Update to 4.0.7.
[source]: Remove obsolete patches and update URL.
[home-page]: Update URL.
* gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch,
gnu/packages/patches/libtiff-CVE-2016-3623.patch,
gnu/packages/patches/libtiff-CVE-2016-3945.patch,
gnu/packages/patches/libtiff-CVE-2016-3990.patch,
gnu/packages/patches/libtiff-CVE-2016-3991.patch,
gnu/packages/patches/libtiff-CVE-2016-5314.patch,
gnu/packages/patches/libtiff-CVE-2016-5321.patch,
gnu/packages/patches/libtiff-CVE-2016-5323.patch,
gnu/packages/patches/libtiff-CVE-2016-5652.patch,
gnu/packages/patches/libtiff-CVE-2016-9273.patch,
gnu/packages/patches/libtiff-CVE-2016-9297.patch,
gnu/packages/patches/libtiff-CVE-2016-9448.patch,
gnu/packages/patches/libtiff-oob-accesses-in-decode.patch,
gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch,
gnu/packages/patches/libtiff-uint32-overflow.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                       |  15 --
 gnu/packages/image.scm                             |  47 +-----
 .../libtiff-CVE-2015-8665+CVE-2015-8683.patch      | 107 -------------
 gnu/packages/patches/libtiff-CVE-2016-3623.patch   |  30 ----
 gnu/packages/patches/libtiff-CVE-2016-3945.patch   |  94 -----------
 gnu/packages/patches/libtiff-CVE-2016-3990.patch   |  31 ----
 gnu/packages/patches/libtiff-CVE-2016-3991.patch   | 123 ---------------
 gnu/packages/patches/libtiff-CVE-2016-5314.patch   |  45 ------
 gnu/packages/patches/libtiff-CVE-2016-5321.patch   |  25 ---
 gnu/packages/patches/libtiff-CVE-2016-5323.patch   |  88 -----------
 gnu/packages/patches/libtiff-CVE-2016-5652.patch   |  47 ------
 gnu/packages/patches/libtiff-CVE-2016-9273.patch   |  41 -----
 gnu/packages/patches/libtiff-CVE-2016-9297.patch   |  52 -------
 gnu/packages/patches/libtiff-CVE-2016-9448.patch   |  34 ----
 .../patches/libtiff-oob-accesses-in-decode.patch   | 171 ---------------------
 .../patches/libtiff-oob-write-in-nextdecode.patch  |  49 ------
 gnu/packages/patches/libtiff-uint32-overflow.patch | 102 ------------
 17 files changed, 7 insertions(+), 1094 deletions(-)
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3623.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3945.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3990.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3991.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5314.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5321.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5323.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5652.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-9273.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-9297.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-9448.patch
 delete mode 100644 gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
 delete mode
100644 gnu/packages/patches/libtiff-oob-write-in-nextdecode.pa= tch delete mode 100644 gnu/packages/patches/libtiff-uint32-overflow.patch diff --git a/gnu/local.mk b/gnu/local.mk index 430d05f..82e939b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -664,21 +664,6 @@ dist_patch_DATA =3D \ %D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtheora-config-guess.patch \ - %D%/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \ - %D%/packages/patches/libtiff-CVE-2016-3623.patch \ - %D%/packages/patches/libtiff-CVE-2016-3945.patch \ - %D%/packages/patches/libtiff-CVE-2016-3990.patch \ - %D%/packages/patches/libtiff-CVE-2016-3991.patch \ - %D%/packages/patches/libtiff-CVE-2016-5314.patch \ - %D%/packages/patches/libtiff-CVE-2016-5321.patch \ - %D%/packages/patches/libtiff-CVE-2016-5323.patch \ - %D%/packages/patches/libtiff-CVE-2016-5652.patch \ - %D%/packages/patches/libtiff-CVE-2016-9273.patch \ - %D%/packages/patches/libtiff-CVE-2016-9297.patch \ - %D%/packages/patches/libtiff-CVE-2016-9448.patch \ - %D%/packages/patches/libtiff-oob-accesses-in-decode.patch \ - %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \ - %D%/packages/patches/libtiff-uint32-overflow.patch \ %D%/packages/patches/libtool-skip-tests2.patch \ %D%/packages/patches/libunwind-CVE-2015-3239.patch \ %D%/packages/patches/libupnp-CVE-2016-6255.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 309c336..25de802 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm 
@@ -243,25 +243,14 @@ extracting icontainer icon files.") (define-public libtiff (package (name "libtiff") - (replacement libtiff/fixed) - (version "4.0.6") + (version "4.0.7") (source (origin (method url-fetch) - (uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/t= iff-" - version ".tar.gz")) - (sha256 (base32 - "136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd= ")) - (patches (search-patches - "libtiff-oob-accesses-in-decode.patch" - "libtiff-oob-write-in-nextdecode.patch" - "libtiff-CVE-2015-8665+CVE-2015-8683.patch" - "libtiff-CVE-2016-3623.patch" - "libtiff-CVE-2016-3945.patch" - "libtiff-CVE-2016-3990.patch" - "libtiff-CVE-2016-3991.patch" - "libtiff-CVE-2016-5314.patch" - "libtiff-CVE-2016-5321.patch" - "libtiff-CVE-2016-5323.patch")))) + (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-" + version ".tar.gz")) + (sha256 + (base32 + "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz")))) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.3 MiB of HTML documenta= tion 
@@ -281,29 +270,7 @@ Included are a library, libtiff, for reading and writi= ng TIFF and a small collection of tools for doing simple manipulations of TIFF images.") (license (license:non-copyleft "file://COPYRIGHT" "See COPYRIGHT in the distribution.")) - (home-page "http://www.remotesensing.org/libtiff/"))) - -(define libtiff/fixed - (package - (inherit libtiff) - (source (origin - (inherit (package-source libtiff)) - (patches (search-patches - "libtiff-oob-accesses-in-decode.patch" - "libtiff-oob-write-in-nextdecode.patch" - "libtiff-uint32-overflow.patch" - "libtiff-CVE-2015-8665+CVE-2015-8683.patch" - "libtiff-CVE-2016-3623.patch" - "libtiff-CVE-2016-3945.patch" - "libtiff-CVE-2016-3990.patch" - "libtiff-CVE-2016-3991.patch" - "libtiff-CVE-2016-5314.patch" - "libtiff-CVE-2016-5321.patch" - "libtiff-CVE-2016-5323.patch" - "libtiff-CVE-2016-5652.patch" - "libtiff-CVE-2016-9273.patch" - "libtiff-CVE-2016-9297.patch" - "libtiff-CVE-2016-9448.patch")))))) + (home-page "http://www.simplesystems.org/libtiff/"))) =20 (define-public libwmf (package diff --git a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch= b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch deleted file mode 100644 index 811516d..0000000 --- a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -2015-12-26 Even Rouault - - * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage - interface in case of unsupported values of SamplesPerPixel/ExtraSamples - for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in - TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and - CVE-2015-8683 reported by zzf of Alibaba. - -diff -u -r1.93 -r1.94 ---- libtiff/libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93 -+++ libtiff/libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94 -@@ -182,20 +182,22 @@ - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel !=3D 3 ) -+ if( td->td_samplesperpixel !=3D 3 || colorchannels !=3D 3 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=3D%d", -- "Samples/pixel", td->td_samplesperpixel); -+ "Sorry, can not handle image with %s=3D%d, %s=3D%= d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); - return 0; - } - break; - case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel !=3D 3 || td->td_bitspersample != =3D 8 ) -+ if( td->td_samplesperpixel !=3D 3 || colorchannels !=3D 3 || = td->td_bitspersample !=3D 8 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=3D%d and %s= =3D%d", -+ "Sorry, can not handle image with %s=3D%d, %s=3D%= d and %s=3D%d", - "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, - "Bits/sample", td->td_bitspersample); - return 0; - } -@@ -255,6 +257,9 @@ - int colorchannels; - uint16 *red_orig, *green_orig, *blue_orig; - int n_color; -+=09 -+ if( !TIFFRGBAImageOK(tif, emsg) ) -+ return 0; -=20 - /* Initialize to normal values */ - img->row_offset =3D 0; -@@ -2509,29 +2514,33 @@ - case PHOTOMETRIC_RGB: - switch (img->bitspersample) { - case 8: -- if (img->alpha =3D=3D EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha =3D=3D EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >=3D 4) - img->put.contig =3D putRGBAAcontig8bittile; -- else if (img->alpha =3D=3D 
EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha =3D=3D EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >=3D 4) - { - if (BuildMapUaToAa(img)) - img->put.contig =3D putRGBUAcontig8bittile; - } -- else -+ else if( img->samplesperpixel >=3D 3 ) - img->put.contig =3D putRGBcontig8bittile; - break; - case 16: -- if (img->alpha =3D=3D EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha =3D=3D EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >=3D4 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig =3D putRGBAAcontig16bittile; - } -- else if (img->alpha =3D=3D EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha =3D=3D EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >=3D4 ) - { - if (BuildMapBitdepth16To8(img) && - BuildMapUaToAa(img)) - img->put.contig =3D putRGBUAcontig16bittile; - } -- else -+ else if( img->samplesperpixel >=3D3 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig =3D putRGBcontig16bittile; -@@ -2540,7 +2549,7 @@ - } - break; - case PHOTOMETRIC_SEPARATED: -- if (buildMap(img)) { -+ if (img->samplesperpixel >=3D4 && buildMap(img)) { - if (img->bitspersample =3D=3D 8) { - if (!img->Map) - img->put.contig =3D putRGBcontig8bitCMYKtile; -@@ -2636,7 +2645,7 @@ - } - break; - case PHOTOMETRIC_CIELAB: -- if (buildMap(img)) { -+ if (img->samplesperpixel =3D=3D 3 && buildMap(img)) { - if (img->bitspersample =3D=3D 8) - img->put.contig =3D initCIELabConversion(img); - break; diff --git a/gnu/packages/patches/libtiff-CVE-2016-3623.patch b/gnu/package= s/patches/libtiff-CVE-2016-3623.patch deleted file mode 100644 index 0870586..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-3623.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -Fix CVE-2016-3623. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-3623 -http://bugzilla.maptools.org/show_bug.cgi?id=3D2569 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.16 -r1.17 tools/rgb2ycbcr.c - -Index: tools/rgb2ycbcr.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/tools/rgb2ycbcr.c,v -retrieving revision 1.16 -retrieving revision 1.17 -diff -u -r1.16 -r1.17 ---- libtiff/tools/rgb2ycbcr.c 21 Jun 2015 01:09:10 -0000 1.16 -+++ libtiff/tools/rgb2ycbcr.c 15 Aug 2016 21:26:56 -0000 1.17 -@@ -95,9 +95,13 @@ - break; - case 'h': - horizSubSampling =3D atoi(optarg); -+ if( horizSubSampling !=3D 1 && horizSubSampling !=3D 2 && hor= izSubSampling !=3D 4 ) -+ usage(-1); - break; - case 'v': - vertSubSampling =3D atoi(optarg); -+ if( vertSubSampling !=3D 1 && vertSubSampling !=3D 2 && vertS= ubSampling !=3D 4 ) -+ usage(-1); - break; - case 'r': - rowsperstrip =3D atoi(optarg); diff --git a/gnu/packages/patches/libtiff-CVE-2016-3945.patch b/gnu/package= s/patches/libtiff-CVE-2016-3945.patch deleted file mode 100644 index 8ec62ba..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-3945.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -Fix CVE-2016-3945 (integer overflow in size of allocated -buffer, when -b mode is enabled, that could result in out-of-bounds -write). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-3945 -http://bugzilla.maptools.org/show_bug.cgi?id=3D2545 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.21 -r1.22 tools/tiff2rgba.c - -Index: tools/tiff2rgba.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v -retrieving revision 1.21 -retrieving revision 1.22 -diff -u -r1.21 -r1.22 ---- libtiff/tools/tiff2rgba.c 21 Jun 2015 01:09:10 -0000 1.21 -+++ libtiff/tools/tiff2rgba.c 15 Aug 2016 20:06:41 -0000 1.22 -@@ -147,6 +147,7 @@ - uint32 row, col; - uint32 *wrk_line; - int ok =3D 1; -+ uint32 rastersize, wrk_linesize; -=20 - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -163,7 +164,13 @@ - /* - * Allocate tile buffer - */ -- raster =3D (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (ui= nt32)); -+ rastersize =3D tile_width * tile_height * sizeof (uint32); -+ if (tile_width !=3D (rastersize / tile_height) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster bu= ffer"); -+ exit(-1); -+ } -+ raster =3D (uint32*)_TIFFmalloc(rastersize); - if (raster =3D=3D 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -173,7 +180,13 @@ - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. 
- */ -- wrk_line =3D (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); -+ wrk_linesize =3D tile_width * sizeof (uint32); -+ if (tile_width !=3D wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wr= k_line buffer"); -+ exit(-1); -+ } -+ wrk_line =3D (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"= ); - ok =3D 0; -@@ -249,6 +262,7 @@ - uint32 row; - uint32 *wrk_line; - int ok =3D 1; -+ uint32 rastersize, wrk_linesize; -=20 - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -263,7 +277,13 @@ - /* - * Allocate strip buffer - */ -- raster =3D (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32= )); -+ rastersize =3D width * rowsperstrip * sizeof (uint32); -+ if (width !=3D (rastersize / rowsperstrip) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster bu= ffer"); -+ exit(-1); -+ } -+ raster =3D (uint32*)_TIFFmalloc(rastersize); - if (raster =3D=3D 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -273,7 +293,13 @@ - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line =3D (uint32*)_TIFFmalloc(width * sizeof (uint32)); -+ wrk_linesize =3D width * sizeof (uint32); -+ if (width !=3D wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wr= k_line buffer"); -+ exit(-1); -+ } -+ wrk_line =3D (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"= ); - ok =3D 0; diff --git a/gnu/packages/patches/libtiff-CVE-2016-3990.patch b/gnu/package= s/patches/libtiff-CVE-2016-3990.patch deleted file mode 100644 index 7641c30..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-3990.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -Fix CVE-2016-3990 (write buffer overflow in PixarLogEncode if more input -samples are provided than expected by PixarLogSetupEncode). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-3990 -http://bugzilla.maptools.org/show_bug.cgi?id=3D2544 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.45 -r1.46 libtiff/tif_pixarlog.c - -Index: libtiff/tif_pixarlog.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v -retrieving revision 1.45 -retrieving revision 1.46 -diff -u -r1.45 -r1.46 ---- libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:37:33 -0000 1.45 -+++ libtiff/libtiff/tif_pixarlog.c 15 Aug 2016 20:49:48 -0000 1.46 -@@ -1141,6 +1141,13 @@ - } -=20 - llen =3D sp->stride * td->td_imagewidth; -+ /* Check against the number of elements (of size uint16) of sp->tbuf = */ -+ if( n > td->td_rowsperstrip * llen ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Too many input bytes provided"); -+ return 0; -+ } -=20 - for (i =3D 0, up =3D sp->tbuf; i < n; i +=3D llen, up +=3D llen) { - switch (sp->user_datafmt) { diff --git a/gnu/packages/patches/libtiff-CVE-2016-3991.patch b/gnu/package= s/patches/libtiff-CVE-2016-3991.patch deleted file mode 100644 index cb05f00..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-3991.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -Fix CVE-2016-3991 (out-of-bounds write in loadImage()). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-3991 -http://bugzilla.maptools.org/show_bug.cgi?id=3D2543 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.37 -r1.38 tools/tiffcrop.c - -Index: tools/tiffcrop.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v -retrieving revision 1.37 -retrieving revision 1.38 -diff -u -r1.37 -r1.38 ---- libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37 -+++ libtiff/tools/tiffcrop.c 15 Aug 2016 21:05:40 -0000 1.38 -@@ -798,6 +798,11 @@ - } -=20 - tile_buffsize =3D tilesize; -+ if (tilesize =3D=3D 0 || tile_rowsize =3D=3D 0) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is= zero"); -+ exit(-1); -+ } -=20 - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -807,7 +812,12 @@ - tilesize, tl * tile_rowsize); - #endif - tile_buffsize =3D tl * tile_rowsize; -- }=20 -+ if (tl !=3D (tile_buffsize / tile_rowsize)) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calcul= ating buffer size."); -+ exit(-1); -+ } -+ } -=20 - tilebuf =3D _TIFFmalloc(tile_buffsize); - if (tilebuf =3D=3D 0) -@@ -1210,6 +1220,12 @@ - !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) - return 1; -=20 -+ if (tilesize =3D=3D 0 || tile_rowsize =3D=3D 0 || tl =3D=3D 0 || tw =3D= =3D 0) -+ { -+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile= width, or tile length is zero"); -+ exit(-1); -+ } -+ =20 - tile_buffsize =3D tilesize; - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -1219,6 +1235,11 @@ - tilesize, tl * tile_rowsize); - #endif - tile_buffsize =3D tl * tile_rowsize; -+ if (tl !=3D tile_buffsize / tile_rowsize) -+ { -+ TIFFError("writeBufferToContigTiles", 
"Integer overflow when calculating= buffer size"); -+ exit(-1); -+ } - } -=20 - tilebuf =3D _TIFFmalloc(tile_buffsize); -@@ -5945,12 +5966,27 @@ - TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); -=20 - tile_rowsize =3D TIFFTileRowSize(in); =20 -+ if (ntiles =3D=3D 0 || tlsize =3D=3D 0 || tile_rowsize =3D=3D 0) -+ { -+ TIFFError("loadImage", "File appears to be tiled, but the number of tile= s, tile size, or tile rowsize is zero."); -+ exit(-1); -+ } - buffsize =3D tlsize * ntiles; -+ if (tlsize !=3D (buffsize / ntiles)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -=20 -- =20 - if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) - { - buffsize =3D ntiles * tl * tile_rowsize; -+ if (ntiles !=3D (buffsize / tl / tile_rowsize)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ =20 - #ifdef DEBUG2 - TIFFError("loadImage", - "Tilesize %u is too small, using ntiles * tilelength * tilerowsi= ze %lu", -@@ -5969,8 +6005,25 @@ - TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); - stsize =3D TIFFStripSize(in); - nstrips =3D TIFFNumberOfStrips(in); -+ if (nstrips =3D=3D 0 || stsize =3D=3D 0) -+ { -+ TIFFError("loadImage", "File appears to be striped, but the number of st= ipes or stripe size is zero."); -+ exit(-1); -+ } -+ - buffsize =3D stsize * nstrips; -- =20 -+ if (stsize !=3D (buffsize / nstrips)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ uint32 buffsize_check; -+ buffsize_check =3D ((length * width * spp * bps) + 7); -+ if (length !=3D ((buffsize_check - 7) / width / spp / bps)) -+ { -+ TIFFError("loadImage", "Integer overflow detected."); -+ exit(-1); -+ } - if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) - { - buffsize =3D ((length * width * spp * bps) + 7) / 8; 
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5314.patch b/gnu/package= s/patches/libtiff-CVE-2016-5314.patch deleted file mode 100644 index e5380f8..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-5314.patch +++ /dev/null @@ -1,45 +0,0 @@ -Fix CVE-2016-5314. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-5314 -bugzilla.maptools.org/show_bug.cgi?id=3D2554 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.43 -r1.44 libtiff/tif_pixarlog.c - -Index: libtiff/tif_pixarlog.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v -retrieving revision 1.43 -retrieving revision 1.44 -diff -u -r1.43 -r1.44 ---- libtiff/libtiff/tif_pixarlog.c 27 Dec 2015 20:14:11 -0000 1.43 -+++ libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:12:19 -0000 1.44 -@@ -459,6 +459,7 @@ - typedef struct { - TIFFPredictorState predict; - z_stream stream; -+ tmsize_t tbuf_size; /* only set/used on reading for now */ - uint16 *tbuf;=20 - uint16 stride; - int state; -@@ -694,6 +695,7 @@ - sp->tbuf =3D (uint16 *) _TIFFmalloc(tbuf_size); - if (sp->tbuf =3D=3D NULL) - return (0); -+ sp->tbuf_size =3D tbuf_size; - if (sp->user_datafmt =3D=3D PIXARLOGDATAFMT_UNKNOWN) - sp->user_datafmt =3D PixarLogGuessDataFmt(td); - if (sp->user_datafmt =3D=3D PIXARLOGDATAFMT_UNKNOWN) { -@@ -783,6 +785,12 @@ - TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffer= s this size"); - return (0); - } -+ /* Check that we will not fill more than what was allocated */ -+ if (sp->stream.avail_out > sp->tbuf_size) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->t= buf_size"); -+ return (0); -+ } - do { - int state =3D inflate(&sp->stream, Z_PARTIAL_FLUSH); - if (state =3D=3D Z_STREAM_END) { 
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5321.patch b/gnu/package= s/patches/libtiff-CVE-2016-5321.patch deleted file mode 100644 index 2afca18..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-5321.patch +++ /dev/null @@ -1,25 +0,0 @@ -Fix CVE-2016-5321.=20 - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-5321 -http://bugzilla.maptools.org/show_bug.cgi?id=3D2558 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.35 -r1.36 tools/tiffcrop.c - -Index: tools/tiffcrop.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v -retrieving revision 1.35 -retrieving revision 1.36 -diff -u -r1.35 -r1.36 ---- libtiff/tools/tiffcrop.c 19 Aug 2015 02:31:04 -0000 1.35 -+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36 -@@ -989,7 +989,7 @@ - nrow =3D (row + tl > imagelength) ? imagelength - row : tl; - for (col =3D 0; col < imagewidth; col +=3D tw) - { -- for (s =3D 0; s < spp; s++) -+ for (s =3D 0; s < spp && s < MAX_SAMPLES; s++) - { /* Read each plane of a tile set into srcbuffs[s] */ - tbytes =3D TIFFReadTile(in, srcbuffs[s], col, row, 0, s); - if (tbytes < 0 && !ignore) diff --git a/gnu/packages/patches/libtiff-CVE-2016-5323.patch b/gnu/package= s/patches/libtiff-CVE-2016-5323.patch deleted file mode 100644 index 8b2a043..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-5323.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -Fix CVE-2016-5323. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-5323 -http://bugzilla.maptools.org/show_bug.cgi?id=3D2559 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.36 -r1.37 tools/tiffcrop.c - -Index: tools/tiffcrop.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v -retrieving revision 1.36 -retrieving revision 1.37 -diff -u -r1.36 -r1.37 ---- libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36 -+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37 -@@ -3738,7 +3738,7 @@ -=20 - matchbits =3D maskbits << (8 - src_bit - bps);=20 - /* load up next sample from each plane */ -- for (s =3D 0; s < spp; s++) -+ for (s =3D 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src =3D in[s] + src_offset + src_byte; - buff1 =3D ((*src) & matchbits) << (src_bit); -@@ -3837,7 +3837,7 @@ - src_bit =3D bit_offset % 8; -=20 - matchbits =3D maskbits << (16 - src_bit - bps);=20 -- for (s =3D 0; s < spp; s++) -+ for (s =3D 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src =3D in[s] + src_offset + src_byte; - if (little_endian) -@@ -3947,7 +3947,7 @@ - src_bit =3D bit_offset % 8; -=20 - matchbits =3D maskbits << (32 - src_bit - bps);=20 -- for (s =3D 0; s < spp; s++) -+ for (s =3D 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src =3D in[s] + src_offset + src_byte; - if (little_endian) -@@ -4073,7 +4073,7 @@ - src_bit =3D bit_offset % 8; -=20 - matchbits =3D maskbits << (64 - src_bit - bps);=20 -- for (s =3D 0; s < spp; s++) -+ for (s =3D 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src =3D in[s] + src_offset + src_byte; - if (little_endian) -@@ -4263,7 +4263,7 @@ -=20 - matchbits =3D maskbits << (8 - src_bit - bps);=20 - /* load up next sample from each plane */ -- for (s =3D 0; s < spp; s++) -+ for (s =3D 
0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src =3D in[s] + src_offset + src_byte; - buff1 =3D ((*src) & matchbits) << (src_bit); -@@ -4362,7 +4362,7 @@ - src_bit =3D bit_offset % 8; -=20 - matchbits =3D maskbits << (16 - src_bit - bps);=20 -- for (s =3D 0; s < spp; s++) -+ for (s =3D 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src =3D in[s] + src_offset + src_byte; - if (little_endian) -@@ -4471,7 +4471,7 @@ - src_bit =3D bit_offset % 8; -=20 - matchbits =3D maskbits << (32 - src_bit - bps);=20 -- for (s =3D 0; s < spp; s++) -+ for (s =3D 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src =3D in[s] + src_offset + src_byte; - if (little_endian) -@@ -4597,7 +4597,7 @@ - src_bit =3D bit_offset % 8; -=20 - matchbits =3D maskbits << (64 - src_bit - bps);=20 -- for (s =3D 0; s < spp; s++) -+ for (s =3D 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src =3D in[s] + src_offset + src_byte; - if (little_endian) diff --git a/gnu/packages/patches/libtiff-CVE-2016-5652.patch b/gnu/package= s/patches/libtiff-CVE-2016-5652.patch deleted file mode 100644 index 54b87d0..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-5652.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-5652 - -Patches exfiltrated from upstream CVS repo with: -cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c - -Index: tools/tiff2pdf.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v -retrieving revision 1.92 -retrieving revision 1.94 -diff -u -r1.92 -r1.94 ---- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92 -+++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94 -@@ -2887,21 +2887,24 @@ - return(0); - } - if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) !=3D 0) { -- if (count > 0) { -- _TIFFmemcpy(buffer, jpt, count); -+ if (count >=3D 4) { -+ /* Ignore EOI marker of JpegTables */ -+ _TIFFmemcpy(buffer, jpt, count - 2); - bufferoffset +=3D count - 2; -+ /* Store last 2 bytes of the JpegTables */ - table_end[0] =3D buffer[bufferoffset-2]; - table_end[1] =3D buffer[bufferoffset-1]; -- } -- if (count > 0) { - xuint32 =3D bufferoffset; -+ bufferoffset -=3D 2; - bufferoffset +=3D TIFFReadRawTile( - input,=20 - tile,=20 -- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),=20 -+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),=20 - -1); -- buffer[xuint32-2]=3Dtable_end[0]; -- buffer[xuint32-1]=3Dtable_end[1]; -+ /* Overwrite SOI marker of image scan with previously= */ -+ /* saved end of JpegTables */ -+ buffer[xuint32-2]=3Dtable_end[0]; -+ buffer[xuint32-1]=3Dtable_end[1]; - } else { - bufferoffset +=3D TIFFReadRawTile( - input,=20 diff --git a/gnu/packages/patches/libtiff-CVE-2016-9273.patch b/gnu/package= s/patches/libtiff-CVE-2016-9273.patch deleted file mode 100644 index 9cd6b3d..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-9273.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -Fix CVE-2016-9273: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-9273 -http://bugzilla.maptools.org/show_bug.cgi?id=3D2587 - -Patch extracted from upstream CVS repo: - -2016-11-10 Even Rouault - -revision 1.37 -date: 2016-11-09 18:00:49 -0500; author: erouault; state: Exp; lines: += 10 -1; commitid: pzKipPxDJO2dxvtz; -* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips -value when it is non-zero, instead of recomputing it. This is needed in -TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of -array in tiffsplit (or other utilities using TIFFNumberOfStrips()). -Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2587 - -Index: libtiff/tif_strip.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v -retrieving revision 1.36 -retrieving revision 1.37 -diff -u -r1.36 -r1.37 ---- a/libtiff/tif_strip.c 7 Jun 2015 22:35:40 -0000 1.36 -+++ b/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37 -@@ -63,6 +63,15 @@ - TIFFDirectory *td =3D &tif->tif_dir; - uint32 nstrips; -=20 -+ /* If the value was already computed and store in td_nstrips, then re= turn it, -+ since ChopUpSingleUncompressedStrip might have altered and resized= the -+ since the td_stripbytecount and td_stripoffset arrays to the new v= alue -+ after the initial affectation of td_nstrips =3D TIFFNumberOfStrips= () in -+ tif_dirread.c ~line 3612. -+ See http://bugzilla.maptools.org/show_bug.cgi?id=3D2587 */ -+ if( td->td_nstrips ) -+ return td->td_nstrips; -+ - nstrips =3D (td->td_rowsperstrip =3D=3D (uint32) -1 ? 1 : - TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); - if (td->td_planarconfig =3D=3D PLANARCONFIG_SEPARATE) 
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9297.patch b/gnu/package= s/patches/libtiff-CVE-2016-9297.patch deleted file mode 100644 index c9207bb..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-9297.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -Fix CVE-2016-9297: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-9297 -http://bugzilla.maptools.org/show_bug.cgi?id=3D2590 - -Patch copied from upstream source repository. - -2016-11-11 Even Rouault - - * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that - values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII - access are null terminated, to avoid potential read outside buffer - in _TIFFPrintField(). - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2590 - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1154; previous revision: 1.1153 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <--=20 -libtiff/tif_dirread.c -new revision: 1.203; previous revision: 1.202Index: libtiff/libtiff/tif_di= rread.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v -retrieving revision 1.202 -retrieving revision 1.203 -diff -u -r1.202 -r1.203 ---- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:01:55 -0000 1.202 -+++ libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203 -@@ -5000,6 +5000,11 @@ - if (err=3D=3DTIFFReadDirEntryErrOk) - { - int m; -+ if( data[dp->tdir_count-1] !=3D '\0' ) -+ { -+ TIFFWarningExt(tif->tif_clientdata,module,"AS= CII value for tag \"%s\" does not end in null byte. Forcing it to be null",= fip->field_name); -+ data[dp->tdir_count-1] =3D '\0'; -+ } - m=3DTIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data); - if (data!=3D0) - _TIFFfree(data); -@@ -5172,6 +5177,11 @@ - if (err=3D=3DTIFFReadDirEntryErrOk) - { - int m; -+ if( data[dp->tdir_count-1] !=3D '\0' ) -+ { -+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII = value for tag \"%s\" does not end in null byte. 
Forcing it to be null",fip-= >field_name); -+ data[dp->tdir_count-1] =3D '\0'; -+ } - m=3DTIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data); - if (data!=3D0) - _TIFFfree(data); diff --git a/gnu/packages/patches/libtiff-CVE-2016-9448.patch b/gnu/package= s/patches/libtiff-CVE-2016-9448.patch deleted file mode 100644 index 05a3af8..0000000 --- a/gnu/packages/patches/libtiff-CVE-2016-9448.patch +++ /dev/null @@ -1,34 +0,0 @@ -Fix CVE-2016-9448 (regression caused by fix for CVE-2016-9297). - -http://bugzilla.maptools.org/show_bug.cgi?id=3D2593 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-9448 - -Patch copied from upstream source repository with: -$ cvs diff -u -r 1.203 -r 1.204 libtiff/libtiff/tif_dirread.c - -Index: libtiff/libtiff/tif_dirread.c -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v -retrieving revision 1.203 -retrieving revision 1.204 -diff -u -r1.203 -r1.204 ---- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203 -+++ libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204 -@@ -5000,7 +5000,7 @@ - if (err=3D=3DTIFFReadDirEntryErrOk) - { - int m; -- if( data[dp->tdir_count-1] !=3D '\0' ) -+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] = !=3D '\0' ) - { - TIFFWarningExt(tif->tif_clientdata,module,"AS= CII value for tag \"%s\" does not end in null byte. Forcing it to be null",= fip->field_name); - data[dp->tdir_count-1] =3D '\0'; -@@ -5177,7 +5177,7 @@ - if (err=3D=3DTIFFReadDirEntryErrOk) - { - int m; -- if( data[dp->tdir_count-1] !=3D '\0' ) -+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] !=3D= '\0' ) - { - TIFFWarningExt(tif->tif_clientdata,module,"ASCII = value for tag \"%s\" does not end in null byte. Forcing it to be null",fip-= >field_name); - data[dp->tdir_count-1] =3D '\0'; 
diff --git a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch b/gn= u/packages/patches/libtiff-oob-accesses-in-decode.patch deleted file mode 100644 index 3fea745..0000000 --- a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -2015-12-27 Even Rouault - - * libtiff/tif_luv.c: fix potential out-of-bound writes in decode - functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). - Fix potential out-of-bound reads in case of short input data. - -diff -u -r1.40 -r1.41 ---- libtiff/libtiff/tif_luv.c 21 Jun 2015 01:09:09 -0000 1.40 -+++ libtiff/libtiff/tif_luv.c 27 Dec 2015 16:25:11 -0000 1.41 -@@ -1,4 +1,4 @@ --/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */ -+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */ -=20 - /* - * Copyright (c) 1997 Greg Ward Larson -@@ -202,7 +202,11 @@ - if (sp->user_datafmt =3D=3D SGILOGDATAFMT_16BIT) - tp =3D (int16*) op; - else { -- assert(sp->tbuflen >=3D npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp =3D (int16*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -211,9 +215,11 @@ - cc =3D tif->tif_rawcc; - /* get each byte string */ - for (shft =3D 2*8; (shft -=3D 8) >=3D 0; ) { -- for (i =3D 0; i < npixels && cc > 0; ) -+ for (i =3D 0; i < npixels && cc > 0; ) { - if (*bp >=3D 128) { /* run */ -- rc =3D *bp++ + (2-128); /* TODO: potential input buffer overrun whe= n decoding corrupt or truncated data */ -+ if( cc < 2 ) -+ break; -+ rc =3D *bp++ + (2-128); - b =3D (int16)(*bp++ << shft); - cc -=3D 2; - while (rc-- && i < npixels) -@@ -223,6 +229,7 @@ - while (--cc && rc-- && i < npixels) - tp[i++] |=3D (int16)*bp++ << shft; - } -+ } - if (i !=3D npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -268,13 +275,17 @@ - if (sp->user_datafmt =3D=3D SGILOGDATAFMT_RAW) - tp =3D (uint32 *)op; - else { -- assert(sp->tbuflen >=3D npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp =3D (uint32 *) 
sp->tbuf; - } - /* copy to array of uint32 */ - bp =3D (unsigned char*) tif->tif_rawcp; - cc =3D tif->tif_rawcc; -- for (i =3D 0; i < npixels && cc > 0; i++) { -+ for (i =3D 0; i < npixels && cc >=3D 3; i++) { - tp[i] =3D bp[0] << 16 | bp[1] << 8 | bp[2]; - bp +=3D 3; - cc -=3D 3; -@@ -325,7 +336,11 @@ - if (sp->user_datafmt =3D=3D SGILOGDATAFMT_RAW) - tp =3D (uint32*) op; - else { -- assert(sp->tbuflen >=3D npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp =3D (uint32*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -334,11 +349,13 @@ - cc =3D tif->tif_rawcc; - /* get each byte string */ - for (shft =3D 4*8; (shft -=3D 8) >=3D 0; ) { -- for (i =3D 0; i < npixels && cc > 0; ) -+ for (i =3D 0; i < npixels && cc > 0; ) { - if (*bp >=3D 128) { /* run */ -+ if( cc < 2 ) -+ break; - rc =3D *bp++ + (2-128); - b =3D (uint32)*bp++ << shft; -- cc -=3D 2; /* TODO: potential input buffer overrun whe= n decoding corrupt or truncated data */ -+ cc -=3D 2; - while (rc-- && i < npixels) - tp[i++] |=3D b; - } else { /* non-run */ -@@ -346,6 +363,7 @@ - while (--cc && rc-- && i < npixels) - tp[i++] |=3D (uint32)*bp++ << shft; - } -+ } - if (i !=3D npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -413,6 +431,7 @@ - static int - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] =3D "LogL16Encode"; - LogLuvState* sp =3D EncoderState(tif); - int shft; - tmsize_t i; -@@ -433,7 +452,11 @@ - tp =3D (int16*) bp; - else { - tp =3D (int16*) sp->tbuf; -- assert(sp->tbuflen >=3D npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -506,6 +529,7 @@ - static int - LogLuvEncode24(TIFF* tif, 
uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] =3D "LogLuvEncode24"; - LogLuvState* sp =3D EncoderState(tif); - tmsize_t i; - tmsize_t npixels; -@@ -521,7 +545,11 @@ - tp =3D (uint32*) bp; - else { - tp =3D (uint32*) sp->tbuf; -- assert(sp->tbuflen >=3D npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* write out encoded pixels */ -@@ -553,6 +581,7 @@ - static int - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] =3D "LogLuvEncode32"; - LogLuvState* sp =3D EncoderState(tif); - int shft; - tmsize_t i; -@@ -574,7 +603,11 @@ - tp =3D (uint32*) bp; - else { - tp =3D (uint32*) sp->tbuf; -- assert(sp->tbuflen >=3D npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ diff --git a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch b/g= nu/packages/patches/libtiff-oob-write-in-nextdecode.patch deleted file mode 100644 index 50657b6..0000000 --- a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -2015-12-27 Even Rouault - - * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() - triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif - (bugzilla #2508) - -diff -u -r1.16 -r1.18 ---- libtiff/libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16 -+++ libtiff/libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18 -@@ -1,4 +1,4 @@ --/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */ -+/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */ -=20 - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -37,7 +37,7 @@ - case 0: op[0] =3D (unsigned char) ((v) << 6); break; \ - case 1: op[0] |=3D (v) << 4; break; \ - case 2: op[0] |=3D (v) << 2; break; \ -- case 3: *op++ |=3D (v); break; \ -+ case 3: *op++ |=3D (v); op_offset++; break; \ - } \ - } -=20 -@@ -103,6 +103,7 @@ - } - default: { - uint32 npixels =3D 0, grey; -+ tmsize_t op_offset =3D 0; - uint32 imagewidth =3D tif->tif_dir.td_imagewidth; - if( isTiled(tif) ) - imagewidth =3D tif->tif_dir.td_tilewidth; -@@ -122,10 +123,15 @@ - * bounds, potentially resulting in a security - * issue. - */ -- while (n-- > 0 && npixels < imagewidth) -+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) - SETPIXEL(op, grey); - if (npixels >=3D imagewidth) - break; -+ if (op_offset >=3D scanline ) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid da= ta for scanline %ld", -+ (long) tif->tif_row); -+ return (0); -+ } - if (cc =3D=3D 0) - goto bad; - n =3D *bp++, cc--; diff --git a/gnu/packages/patches/libtiff-uint32-overflow.patch b/gnu/packa= ges/patches/libtiff-uint32-overflow.patch deleted file mode 100644 index c95126f..0000000 --- a/gnu/packages/patches/libtiff-uint32-overflow.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -Fix some buffer overflows: - -http://seclists.org/oss-sec/2016/q4/408 -http://bugzilla.maptools.org/show_bug.cgi?id=3D2592 - -2016-11-11 Even Rouault - - * tools/tiffcrop.c: fix multiple uint32 overflows in - writeBufferToSeparateStrips(), writeBufferToContigTiles() and - writeBufferToSeparateTiles() that could cause heap buffer -overflows. - Reported by Henri Salo from Nixu Corporation. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2592 - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1152; previous revision: 1.1151 -/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c -new revision: 1.43; previous revision: 1.42 - -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v -retrieving revision 1.42 -retrieving revision 1.43 -diff -u -r1.42 -r1.43 ---- libtiff/tools/tiffcrop.c 14 Oct 2016 19:13:20 -0000 1.42 -+++ libtiff/tools/tiffcrop.c 11 Nov 2016 19:33:06 -0000 1.43 -@@ -148,6 +148,8 @@ - #define PATH_MAX 1024 - #endif -=20 -+#define TIFF_UINT32_MAX 0xFFFFFFFFU -+ - #ifndef streq - #define streq(a,b) (strcmp((a),(b)) =3D=3D 0) - #endif -@@ -1164,7 +1166,24 @@ - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); - (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); - bytes_per_sample =3D (bps + 7) / 8; -- rowsize =3D ((bps * spp * width) + 7) / 8; /* source has interleaved sa= mples */ -+ if( width =3D=3D 0 || -+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width || -+ bps * spp * width > TIFF_UINT32_MAX - 7U ) -+ { -+ TIFFError(TIFFFileName(out), -+ "Error, uint32 overflow when computing (bps * spp * width) + = 7"); -+ return 1; -+ } -+ rowsize =3D ((bps * spp * width) + 7U) / 8; /* source has interleaved s= amples */ -+ if( bytes_per_sample =3D=3D 0 || -+ 
 rowsperstrip > TIFF_UINT32_MAX / bytes_per_sample || -+ rowsperstrip * bytes_per_sample > TIFF_UINT32_MAX / (width + 1) ) -+ { -+ TIFFError(TIFFFileName(out), -+ "Error, uint32 overflow when computing rowsperstrip * " -+ "bytes_per_sample * (width + 1)"); -+ return 1; -+ } - rowstripsize =3D rowsperstrip * bytes_per_sample * (width + 1);=20 -=20 - obuf =3D _TIFFmalloc (rowstripsize); -@@ -1251,11 +1270,19 @@ - } - } -=20 -+ if( imagewidth =3D=3D 0 || -+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth || -+ bps * spp * imagewidth > TIFF_UINT32_MAX - 7U ) -+ { -+ TIFFError(TIFFFileName(out), -+ "Error, uint32 overflow when computing (imagewidth * bps * sp= p) + 7"); -+ return 1; -+ } -+ src_rowsize =3D ((imagewidth * spp * bps) + 7U) / 8; -+ - tilebuf =3D _TIFFmalloc(tile_buffsize); - if (tilebuf =3D=3D 0) - return 1; -- -- src_rowsize =3D ((imagewidth * spp * bps) + 7) / 8; - for (row =3D 0; row < imagelength; row +=3D tl) - { - nrow =3D (row + tl > imagelength) ? imagelength - row : tl; -@@ -1315,7 +1342,16 @@ - TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); - TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); - TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); -- src_rowsize =3D ((imagewidth * spp * bps) + 7) / 8; -+ -+ if( imagewidth =3D=3D 0 || -+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth || -+ bps * spp * imagewidth > TIFF_UINT32_MAX - 7 ) -+ { -+ TIFFError(TIFFFileName(out), -+ "Error, uint32 overflow when computing (imagewidth * bps * sp= p) + 7"); -+ return 1; -+ } -+ src_rowsize =3D ((imagewidth * spp * bps) + 7U) / 8; - =20 - for (row =3D 0; row < imagelength; row +=3D tl) - { --=20 2.10.2
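Review bot: In the hunk deleting libtiff-CVE-2016-5652.patch, the header records the fix as `cvs diff -u -r 1.92 -r 1.94`, so it folds two upstream revisions of tools/tiff2pdf.c into one patch and the 4.0.7 tarball has to match 1.94 or later, not only 1.93. The lines that distinguish the fixed code are `if (count >=3D 4)` followed by `_TIFFmemcpy(buffer, jpt, count - 2)` in the TIFFTAG_JPEGTABLES branch; the pre-fix code tests `count > 0` and copies the full `count`. Worth naming the confirmed revision in the commit message so the deletion can be audited later.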
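Review bot: In the hunks deleting libtiff-CVE-2016-9297.patch and libtiff-CVE-2016-9448.patch, the two removals depend on each other and should be verified as a pair. The 9297 fix introduces an unguarded `data[dp->tdir_count-1]` at both tif_dirread.c sites (around lines 5000 and 5177), and the 9448 patch header describes that as a regression which it corrects with `dp->tdir_count > 0 &&`. A tarball whose tif_dirread.c corresponds to revision 1.203 would therefore ship the regression with no local patch left to fix it; please confirm that both sites in 4.0.7 carry the guarded test from revision 1.204.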
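Review bot: In the hunk deleting libtiff-oob-accesses-in-decode.patch, the fix is identified only by its 2015-12-27 ChangeLog entry and bugzilla #2522, with no CVE id, so it has to be confirmed against the source of libtiff/tif_luv.c rather than against a list of fixed CVEs. The patch replaces `assert(sp->tbuflen >=3D npixels)` in six places (three decode paths plus LogL16Encode, LogLuvEncode24 and LogLuvEncode32) with an `if(sp->tbuflen < npixels)` error return, adds `if( cc < 2 ) break;` to both run-length branches, and tightens the 24-bit copy loop to `cc >=3D 3`. A quick check is that no `assert(sp->tbuflen` remains in the 4.0.7 file, since the assert form compiles away in non-debug builds.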
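Review bot: In the hunk deleting libtiff-uint32-overflow.patch, neither the file name nor the header carries a CVE id (only the oss-sec and bugzilla #2592 links), so this removal needs a direct source check of tools/tiffcrop.c. All three sites the patch touches (the inner hunks at 1164, 1251 and 1315) should show a guard of the form `(uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth` (with `width` at the first site) before the row-size computation, and the first site also needs the `rowsperstrip * bytes_per_sample * (width + 1)` check ahead of `_TIFFmalloc (rowstripsize)`. At the second site, also confirm that `src_rowsize` is computed before `_TIFFmalloc(tile_buffsize)`, as the patch moved it, so that the early `return 1` happens before `tilebuf` is allocated.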