* bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
@ 2017-05-06 14:45 Kei Kebreau
2017-05-06 18:54 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: Kei Kebreau @ 2017-05-06 14:45 UTC (permalink / raw)
To: 26804; +Cc: Kei Kebreau
* gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
* gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
* gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[source]: Use them.
---
gnu/local.mk | 3 +
gnu/packages/image.scm | 7 +-
gnu/packages/patches/libtiff-CVE-2017-7593.patch | 113 ++++++
gnu/packages/patches/libtiff-CVE-2017-7594.patch | 54 +++
.../patches/libtiff-multiple-UBSAN-crashes.patch | 449 +++++++++++++++++++++
5 files changed, 624 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7593.patch
create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7594.patch
create mode 100644 gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index c93dca64c..d983d62fd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -739,6 +739,9 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-CVE-2016-10093.patch \
%D%/packages/patches/libtiff-CVE-2016-10094.patch \
%D%/packages/patches/libtiff-CVE-2017-5225.patch \
+ %D%/packages/patches/libtiff-CVE-2017-7593.patch \
+ %D%/packages/patches/libtiff-CVE-2017-7594.patch \
+ %D%/packages/patches/libtiff-multiple-UBSAN-crashes.patch \
%D%/packages/patches/libtiff-assertion-failure.patch \
%D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \
%D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 2027395ca..a8cc837d5 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2016 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016, 2017 Kei Kebreau <kei@openmailbox.org>
;;; Copyright © 2017 ng0 <contact.ng0@cryptolab.net>
;;;
;;; This file is part of GNU Guix.
@@ -319,7 +319,10 @@ extracting icontainer icon files.")
"libtiff-divide-by-zero-tiffcp.patch"
"libtiff-assertion-failure.patch"
"libtiff-CVE-2016-10094.patch"
- "libtiff-CVE-2017-5225.patch"))
+ "libtiff-CVE-2017-5225.patch"
+ "libtiff-CVE-2017-7593.patch"
+ "libtiff-CVE-2017-7594.patch"
+ "libtiff-multiple-UBSAN-crashes.patch"))
(sha256
(base32
"06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
diff --git a/gnu/packages/patches/libtiff-CVE-2017-7593.patch b/gnu/packages/patches/libtiff-CVE-2017-7593.patch
new file mode 100644
index 000000000..496efb73b
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-7593.patch
@@ -0,0 +1,113 @@
+Fixes CVE-2017-7593 (Potential uninitialized-memory access from tif_rawdata):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7593
+https://security-tracker.debian.org/tracker/CVE-2017-7593
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add
+ _TIFFcalloc()
+
+ * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+ initialize tif_rawdata.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1208; previous revision: 1.1207
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
+new revision: 1.53; previous revision: 1.52
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v <-- libtiff/tif_unix.c
+new revision: 1.28; previous revision: 1.27
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v <-- libtiff/tif_vms.c
+new revision: 1.14; previous revision: 1.13
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v <-- libtiff/tif_win32.c
+new revision: 1.42; previous revision: 1.41
+/cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v <-- libtiff/tiffio.h
+new revision: 1.94; previous revision: 1.93
+
+diff -ru tiff-4.0.7/libtiff/tiffio.h tiff-4.0.7.new/libtiff/tiffio.h
+--- tiff-4.0.7/libtiff/tiffio.h 1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tiffio.h 2017-05-05 19:08:03.772999790 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -293,6 +293,7 @@
+ */
+
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
+diff -ru tiff-4.0.7/libtiff/tif_read.c tiff-4.0.7.new/libtiff/tif_read.c
+--- tiff-4.0.7/libtiff/tif_read.c 2017-05-05 19:04:09.740966642 -0400
++++ tiff-4.0.7.new/libtiff/tif_read.c 2017-05-05 18:59:11.070709441 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
++/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -976,7 +976,9 @@
+ "Invalid buffer size");
+ return (0);
+ }
+- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
++ /* Initialize to zero to avoid uninitialized buffers in case of */
++ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
++ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+ tif->tif_flags |= TIFF_MYBUFFER;
+ }
+ if (tif->tif_rawdata == NULL) {
+diff -ru tiff-4.0.7/libtiff/tif_unix.c tiff-4.0.7.new/libtiff/tif_unix.c
+--- tiff-4.0.7/libtiff/tif_unix.c 1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tif_unix.c 2017-05-05 19:10:48.302645187 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */
++/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -316,6 +316,14 @@
+ return (malloc((size_t) s));
+ }
+
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++ if( nmemb == 0 || siz == 0 )
++ return ((void *) NULL);
++
++ return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+diff -ru tiff-4.0.7/libtiff/tif_win32.c tiff-4.0.7.new/libtiff/tif_win32.c
+--- tiff-4.0.7/libtiff/tif_win32.c 1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tif_win32.c 2017-05-05 19:13:06.903399627 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */
++/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -360,6 +360,14 @@
+ return (malloc((size_t) s));
+ }
+
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++ if( nmemb == 0 || siz == 0 )
++ return ((void *) NULL);
++
++ return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
diff --git a/gnu/packages/patches/libtiff-CVE-2017-7594.patch b/gnu/packages/patches/libtiff-CVE-2017-7594.patch
new file mode 100644
index 000000000..d17997d44
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-7594.patch
@@ -0,0 +1,54 @@
+Fixes CVE-2017-7594 (Direct leak in tif_ojpeg.c):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2659
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7594
+https://security-tracker.debian.org/tracker/CVE-2017-7594
+
+2017-01-12 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
+ when read fails.
+ Patch by Nicolás Peña.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1212; previous revision: 1.1211
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c
+new revision: 1.67; previous revision: 1.66
+
+Index: libtiff/libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.67
+retrieving revision 1.68
+diff -u -r1.67 -r1.68
+--- libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 17:43:26 -0000 1.67
++++ libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 19:23:20 -0000 1.68
+@@ -1,4 +1,4 @@
+-/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
++/* $Id: tif_ojpeg.c,v 1.68 2017-01-12 19:23:20 erouault Exp $ */
+
+ /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
+ specification is now totally obsolete and deprecated for new applications and
+@@ -1790,7 +1790,10 @@
+ TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);
+ p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
+ if (p!=64)
++ {
++ _TIFFfree(ob);
+ return(0);
++ }
+ sp->qtable[m]=ob;
+ sp->sof_tq[m]=m;
+ }
+@@ -1854,7 +1857,10 @@
+ rb[sizeof(uint32)+5+n]=o[n];
+ p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ if (p!=q)
++ {
++ _TIFFfree(rb);
+ return(0);
++ }
+ sp->dctable[m]=rb;
+ sp->sos_tda[m]=(m<<4);
+ }
diff --git a/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
new file mode 100644
index 000000000..2f4509f38
--- /dev/null
+++ b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
@@ -0,0 +1,449 @@
+Fixes CVE-2017-{7595,7596,7597,7598,7599,7600,7601,7602}:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7595
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7596
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7597
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7598
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7599
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7600
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7601
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7602
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various
+ clampings
+ of double to other data types to avoid undefined behaviour if the
+ output range
+ isn't big enough to hold the input value.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
+ http://bugzilla.maptools.org/show_bug.cgi?id=2642
+ http://bugzilla.maptools.org/show_bug.cgi?id=2646
+ http://bugzilla.maptools.org/show_bug.cgi?id=2647
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1204; previous revision: 1.1203
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c
+new revision: 1.129; previous revision: 1.128
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
+new revision: 1.207; previous revision: 1.206
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <-- libtiff/tif_dirwrite.c
+new revision: 1.85; previous revision: 1.84
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: avoid division by floating point 0 in
+ TIFFReadDirEntryCheckedRational() and
+ TIFFReadDirEntryCheckedSrational(),
+ and return 0 in that case (instead of infinity as before presumably)
+ Apparently some sanitizers do not like those divisions by zero.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1203; previous revision: 1.1202
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
+new revision: 1.206; previous revision: 1.205
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to
+ avoid undefined behaviour caused by invalid shift exponent.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1205; previous revision: 1.1204
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v <-- libtiff/tif_jpeg.c
+new revision: 1.126; previous revision: 1.125
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: avoid potential undefined behaviour on signed
+ integer addition in TIFFReadRawStrip1() in isMapped() case.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1206; previous revision: 1.1205
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
+new revision: 1.51; previous revision: 1.50
+
+Index: libtiff/libtiff/tif_dir.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -u -r1.128 -r1.129
+--- libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128
++++ libtiff/libtiff/tif_dir.c 11 Jan 2017 16:09:02 -0000 1.129
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
++/* $Id: tif_dir.c,v 1.129 2017-01-11 16:09:02 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -31,6 +31,7 @@
+ * (and also some miscellaneous stuff)
+ */
+ #include "tiffiop.h"
++#include <float.h>
+
+ /*
+ * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@
+ return (0);
+ }
+
++static float TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -312,13 +322,13 @@
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+- td->td_xresolution = (float) dblval;
++ td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+- td->td_yresolution = (float) dblval;
++ td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_PLANARCONFIG:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@
+ td->td_planarconfig = (uint16) v;
+ break;
+ case TIFFTAG_XPOSITION:
+- td->td_xposition = (float) va_arg(ap, double);
++ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_YPOSITION:
+- td->td_yposition = (float) va_arg(ap, double);
++ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_RESOLUTIONUNIT:
+ v = (uint16) va_arg(ap, uint16_vap);
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.206
+retrieving revision 1.207
+diff -u -r1.206 -r1.207
+--- libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206
++++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 16:09:02 -0000 1.207
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.207 2017-01-11 16:09:02 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -40,6 +40,7 @@
+ */
+
+ #include "tiffiop.h"
++#include <float.h>
+
+ #define IGNORE 0 /* tag placeholder used below */
+ #define FAILED_FII ((uint32) -1)
+@@ -2406,7 +2407,14 @@
+ ma=(double*)origdata;
+ mb=data;
+ for (n=0; n<count; n++)
+- *mb++=(float)(*ma++);
++ {
++ double val = *ma++;
++ if( val > FLT_MAX )
++ val = FLT_MAX;
++ else if( val < -FLT_MAX )
++ val = -FLT_MAX;
++ *mb++=(float)val;
++ }
+ }
+ break;
+ }
+Index: libtiff/libtiff/tif_dirwrite.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v
+retrieving revision 1.84
+retrieving revision 1.85
+diff -u -r1.84 -r1.85
+--- libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 12:51:59 -0000 1.84
++++ libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 16:09:02 -0000 1.85
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */
++/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -30,6 +30,7 @@
+ * Directory Write Support Routines.
+ */
+ #include "tiffiop.h"
++#include <float.h>
+
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@
+ return(0);
+ }
+
++static float TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
++static int8 TIFFClampDoubleToInt8( double val )
++{
++ if( val > 127 )
++ return 127;
++ if( val < -128 || val != val )
++ return -128;
++ return (int8)val;
++}
++
++static int16 TIFFClampDoubleToInt16( double val )
++{
++ if( val > 32767 )
++ return 32767;
++ if( val < -32768 || val != val )
++ return -32768;
++ return (int16)val;
++}
++
++static int32 TIFFClampDoubleToInt32( double val )
++{
++ if( val > 0x7FFFFFFF )
++ return 0x7FFFFFFF;
++ if( val < -0x7FFFFFFF-1 || val != val )
++ return -0x7FFFFFFF-1;
++ return (int32)val;
++}
++
++static uint8 TIFFClampDoubleToUInt8( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 255 || val != val )
++ return 255;
++ return (uint8)val;
++}
++
++static uint16 TIFFClampDoubleToUInt16( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 65535 || val != val )
++ return 65535;
++ return (uint16)val;
++}
++
++static uint32 TIFFClampDoubleToUInt32( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 0xFFFFFFFFU || val != val )
++ return 0xFFFFFFFFU;
++ return (uint32)val;
++}
++
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
+ {
+@@ -959,7 +1023,7 @@
+ if (tif->tif_dir.td_bitspersample<=32)
+ {
+ for (i = 0; i < count; ++i)
+- ((float*)conv)[i] = (float)value[i];
++ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+ ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+ }
+ else
+@@ -971,19 +1035,19 @@
+ if (tif->tif_dir.td_bitspersample<=8)
+ {
+ for (i = 0; i < count; ++i)
+- ((int8*)conv)[i] = (int8)value[i];
++ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
+ ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
+ }
+ else if (tif->tif_dir.td_bitspersample<=16)
+ {
+ for (i = 0; i < count; ++i)
+- ((int16*)conv)[i] = (int16)value[i];
++ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
+ ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
+ }
+ else
+ {
+ for (i = 0; i < count; ++i)
+- ((int32*)conv)[i] = (int32)value[i];
++ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
+ ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
+ }
+ break;
+@@ -991,19 +1055,19 @@
+ if (tif->tif_dir.td_bitspersample<=8)
+ {
+ for (i = 0; i < count; ++i)
+- ((uint8*)conv)[i] = (uint8)value[i];
++ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
+ ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
+ }
+ else if (tif->tif_dir.td_bitspersample<=16)
+ {
+ for (i = 0; i < count; ++i)
+- ((uint16*)conv)[i] = (uint16)value[i];
++ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
+ ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
+ }
+ else
+ {
+ for (i = 0; i < count; ++i)
+- ((uint32*)conv)[i] = (uint32)value[i];
++ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
+ ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
+ }
+ break;
+@@ -2102,7 +2102,7 @@
+ m[0]=0;
+ m[1]=1;
+ }
+- else if (value==(double)(uint32)value)
++ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
+ {
+ m[0]=(uint32)value;
+ m[1]=1;
+@@ -2148,12 +2217,13 @@
+ }
+ for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
+ {
+- if (*na<=0.0)
++ if (*na<=0.0 || *na != *na)
+ {
+ nb[0]=0;
+ nb[1]=1;
+ }
+- else if (*na==(float)(uint32)(*na))
++ else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
++ *na==(float)(uint32)(*na))
+ {
+ nb[0]=(uint32)(*na);
+ nb[1]=1;
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.205
+retrieving revision 1.206
+diff -u -r1.205 -r1.206
+--- libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205
++++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206
+@@ -2872,7 +2872,10 @@
+ m.l = direntry->tdir_offset.toff_long8;
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabArrayOfLong(m.i,2);
+- if (m.i[0]==0)
++ /* Not completely sure what we should do when m.i[1]==0, but some */
++ /* sanitizers do not like division by 0.0: */
++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++ if (m.i[0]==0 || m.i[1]==0)
+ *value=0.0;
+ else
+ *value=(double)m.i[0]/(double)m.i[1];
+@@ -2900,7 +2903,10 @@
+ m.l=direntry->tdir_offset.toff_long8;
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabArrayOfLong(m.i,2);
+- if ((int32)m.i[0]==0)
++ /* Not completely sure what we should do when m.i[1]==0, but some */
++ /* sanitizers do not like division by 0.0: */
++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++ if ((int32)m.i[0]==0 || m.i[1]==0)
+ *value=0.0;
+ else
+ *value=(double)((int32)m.i[0])/(double)m.i[1];
+Index: libtiff/libtiff/tif_jpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v
+retrieving revision 1.125
+retrieving revision 1.126
+diff -u -r1.125 -r1.126
+--- libtiff/libtiff/tif_jpeg.c 11 Jan 2017 12:15:01 -0000 1.125
++++ libtiff/libtiff/tif_jpeg.c 11 Jan 2017 16:13:50 -0000 1.126
+@@ -1,4 +1,4 @@
+-/* $Id: tif_jpeg.c,v 1.123 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tif_jpeg.c,v 1.126 2017-01-11 16:13:50 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1994-1997 Sam Leffler
+@@ -1632,6 +1632,13 @@
+ "Invalig horizontal/vertical sampling value");
+ return (0);
+ }
++ if( td->td_bitspersample > 16 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "BitsPerSample %d not allowed for JPEG",
++ td->td_bitspersample);
++ return (0);
++ }
+
+ /*
+ * A ReferenceBlackWhite field *must* be present since the
+Index: libtiff/libtiff/tif_read.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.50
+retrieving revision 1.51
+diff -u -r1.50 -r1.51
+--- libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50
++++ libtiff/libtiff/tif_read.c 11 Jan 2017 16:33:34 -0000 1.51
+@@ -420,16 +420,25 @@
+ return ((tmsize_t)(-1));
+ }
+ } else {
+- tmsize_t ma,mb;
++ tmsize_t ma;
+ tmsize_t n;
+- ma=(tmsize_t)td->td_stripoffset[strip];
+- mb=ma+size;
+- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+- n=0;
+- else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
+- n=tif->tif_size-ma;
+- else
+- n=size;
++ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
++ ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
++ {
++ n=0;
++ }
++ else if( ma > TIFF_TMSIZE_T_MAX - size )
++ {
++ n=0;
++ }
++ else
++ {
++ tmsize_t mb=ma+size;
++ if (mb>tif->tif_size)
++ n=tif->tif_size-ma;
++ else
++ n=size;
++ }
+ if (n!=size) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
--
2.12.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
2017-05-06 14:45 bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602} Kei Kebreau
@ 2017-05-06 18:54 ` Leo Famulari
2017-05-07 0:11 ` Kei Kebreau
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2017-05-06 18:54 UTC (permalink / raw)
To: Kei Kebreau; +Cc: 26804
[-- Attachment #1: Type: text/plain, Size: 928 bytes --]
On Sat, May 06, 2017 at 10:45:57AM -0400, Kei Kebreau wrote:
> * gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
> * gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
> * gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/image.scm (libtiff)[source]: Use them.
Thank you!
This change should be grafted, since ~2000 packages will be affected.
There's a recent example of appending patches in a replacement package:
+ (source
+ (origin
+ (inherit (package-source libsndfile))
+ (patches
+ (append
+ (origin-patches (package-source libsndfile))
+ (search-patches "libsndfile-CVE-2017-8361-8363-8365.patch"
+ "libsndfile-CVE-2017-8362.patch")))))))
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=1c4a500aae53b8cd33d1266eb3809b859ae2555d
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
2017-05-06 18:54 ` Leo Famulari
@ 2017-05-07 0:11 ` Kei Kebreau
2017-05-07 3:41 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: Kei Kebreau @ 2017-05-07 0:11 UTC (permalink / raw)
To: Leo Famulari; +Cc: 26804
[-- Attachment #1.1: Type: text/plain, Size: 1106 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Sat, May 06, 2017 at 10:45:57AM -0400, Kei Kebreau wrote:
>> * gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
>> * gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
>> * gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/image.scm (libtiff)[source]: Use them.
>
> Thank you!
Thanks for the tips you gave.
>
> This change should be grafted, since ~2000 packages will be affected.
>
> There's a recent example of appending patches in a replacement package:
>
> + (source
> + (origin
> + (inherit (package-source libsndfile))
> + (patches
> + (append
> + (origin-patches (package-source libsndfile))
> + (search-patches "libsndfile-CVE-2017-8361-8363-8365.patch"
> + "libsndfile-CVE-2017-8362.patch")))))))
>
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=1c4a500aae53b8cd33d1266eb3809b859ae2555d
So the attached patch would be okay to push to the master branch?
[-- Attachment #1.2: 0001-gnu-libtiff-Fix-CVE-2017-7593-7594-7595-7596-7597-75.patch --]
[-- Type: text/plain, Size: 26666 bytes --]
From fe8c0d5c5c4f7bbba7375dc28294a2efd0d2f85e Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Sat, 6 May 2017 10:45:57 -0400
Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597,
7598, 7599, 7600, 7601, 7602}.
* gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
* gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
* gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[replacement]: New field.
(libtiff/fixed): New variable.
---
gnu/local.mk | 3 +
gnu/packages/image.scm | 16 +-
gnu/packages/patches/libtiff-CVE-2017-7593.patch | 113 ++++++
gnu/packages/patches/libtiff-CVE-2017-7594.patch | 54 +++
.../patches/libtiff-multiple-UBSAN-crashes.patch | 449 +++++++++++++++++++++
5 files changed, 634 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7593.patch
create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7594.patch
create mode 100644 gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index c93dca64c..d983d62fd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -739,6 +739,9 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-CVE-2016-10093.patch \
%D%/packages/patches/libtiff-CVE-2016-10094.patch \
%D%/packages/patches/libtiff-CVE-2017-5225.patch \
+ %D%/packages/patches/libtiff-CVE-2017-7593.patch \
+ %D%/packages/patches/libtiff-CVE-2017-7594.patch \
+ %D%/packages/patches/libtiff-multiple-UBSAN-crashes.patch \
%D%/packages/patches/libtiff-assertion-failure.patch \
%D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \
%D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 2027395ca..1a1108563 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2016 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
-;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2016, 2017 Kei Kebreau <kei@openmailbox.org>
;;; Copyright © 2017 ng0 <contact.ng0@cryptolab.net>
;;;
;;; This file is part of GNU Guix.
@@ -299,6 +299,7 @@ extracting icontainer icon files.")
(define-public libtiff
(package
(name "libtiff")
+ (replacement libtiff/fixed)
(version "4.0.7")
(source (origin
(method url-fetch)
@@ -347,6 +348,19 @@ collection of tools for doing simple manipulations of TIFF images.")
"See COPYRIGHT in the distribution."))
(home-page "http://www.simplesystems.org/libtiff/")))
+(define libtiff/fixed
+ (package
+ (inherit libtiff)
+ (source
+ (origin
+ (inherit (package-source libtiff))
+ (patches
+ (append
+ (origin-patches (package-source libtiff))
+ (search-patches "libtiff-CVE-2017-7593.patch"
+ "libtiff-CVE-2017-7594.patch"
+ "libtiff-multiple-UBSAN-crashes.patch")))))))
+
(define-public libwmf
(package
(name "libwmf")
diff --git a/gnu/packages/patches/libtiff-CVE-2017-7593.patch b/gnu/packages/patches/libtiff-CVE-2017-7593.patch
new file mode 100644
index 000000000..496efb73b
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-7593.patch
@@ -0,0 +1,113 @@
+Fixes CVE-2017-7593 (Potential uninitialized-memory access from tif_rawdata):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7593
+https://security-tracker.debian.org/tracker/CVE-2017-7593
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add
+ _TIFFcalloc()
+
+ * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+ initialize tif_rawdata.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1208; previous revision: 1.1207
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
+new revision: 1.53; previous revision: 1.52
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v <-- libtiff/tif_unix.c
+new revision: 1.28; previous revision: 1.27
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v <-- libtiff/tif_vms.c
+new revision: 1.14; previous revision: 1.13
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v <-- libtiff/tif_win32.c
+new revision: 1.42; previous revision: 1.41
+/cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v <-- libtiff/tiffio.h
+new revision: 1.94; previous revision: 1.93
+
+diff -ru tiff-4.0.7/libtiff/tiffio.h tiff-4.0.7.new/libtiff/tiffio.h
+--- tiff-4.0.7/libtiff/tiffio.h 1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tiffio.h 2017-05-05 19:08:03.772999790 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -293,6 +293,7 @@
+ */
+
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
+diff -ru tiff-4.0.7/libtiff/tif_read.c tiff-4.0.7.new/libtiff/tif_read.c
+--- tiff-4.0.7/libtiff/tif_read.c 2017-05-05 19:04:09.740966642 -0400
++++ tiff-4.0.7.new/libtiff/tif_read.c 2017-05-05 18:59:11.070709441 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
++/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -976,7 +976,9 @@
+ "Invalid buffer size");
+ return (0);
+ }
+- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
++ /* Initialize to zero to avoid uninitialized buffers in case of */
++ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
++ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+ tif->tif_flags |= TIFF_MYBUFFER;
+ }
+ if (tif->tif_rawdata == NULL) {
+diff -ru tiff-4.0.7/libtiff/tif_unix.c tiff-4.0.7.new/libtiff/tif_unix.c
+--- tiff-4.0.7/libtiff/tif_unix.c 1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tif_unix.c 2017-05-05 19:10:48.302645187 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */
++/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -316,6 +316,14 @@
+ return (malloc((size_t) s));
+ }
+
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++ if( nmemb == 0 || siz == 0 )
++ return ((void *) NULL);
++
++ return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+diff -ru tiff-4.0.7/libtiff/tif_win32.c tiff-4.0.7.new/libtiff/tif_win32.c
+--- tiff-4.0.7/libtiff/tif_win32.c 1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tif_win32.c 2017-05-05 19:13:06.903399627 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */
++/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -360,6 +360,14 @@
+ return (malloc((size_t) s));
+ }
+
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++ if( nmemb == 0 || siz == 0 )
++ return ((void *) NULL);
++
++ return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
diff --git a/gnu/packages/patches/libtiff-CVE-2017-7594.patch b/gnu/packages/patches/libtiff-CVE-2017-7594.patch
new file mode 100644
index 000000000..d17997d44
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-7594.patch
@@ -0,0 +1,54 @@
+Fixes CVE-2017-7594 (Direct leak in tif_ojpeg.c):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2659
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7594
+https://security-tracker.debian.org/tracker/CVE-2017-7594
+
+2017-01-12 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
+ when read fails.
+ Patch by Nicolás Peña.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1212; previous revision: 1.1211
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c
+new revision: 1.67; previous revision: 1.66
+
+Index: libtiff/libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.67
+retrieving revision 1.68
+diff -u -r1.67 -r1.68
+--- libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 17:43:26 -0000 1.67
++++ libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 19:23:20 -0000 1.68
+@@ -1,4 +1,4 @@
+-/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
++/* $Id: tif_ojpeg.c,v 1.68 2017-01-12 19:23:20 erouault Exp $ */
+
+ /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
+ specification is now totally obsolete and deprecated for new applications and
+@@ -1790,7 +1790,10 @@
+ TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);
+ p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
+ if (p!=64)
++ {
++ _TIFFfree(ob);
+ return(0);
++ }
+ sp->qtable[m]=ob;
+ sp->sof_tq[m]=m;
+ }
+@@ -1854,7 +1857,10 @@
+ rb[sizeof(uint32)+5+n]=o[n];
+ p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ if (p!=q)
++ {
++ _TIFFfree(rb);
+ return(0);
++ }
+ sp->dctable[m]=rb;
+ sp->sos_tda[m]=(m<<4);
+ }
diff --git a/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
new file mode 100644
index 000000000..2f4509f38
--- /dev/null
+++ b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
@@ -0,0 +1,449 @@
+Fixes CVE-2017-{7595,7596,7597,7598,7599,7600,7601,7602}:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7595
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7596
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7597
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7598
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7599
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7600
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7601
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7602
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various
+ clampings
+ of double to other data types to avoid undefined behaviour if the
+ output range
+ isn't big enough to hold the input value.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
+ http://bugzilla.maptools.org/show_bug.cgi?id=2642
+ http://bugzilla.maptools.org/show_bug.cgi?id=2646
+ http://bugzilla.maptools.org/show_bug.cgi?id=2647
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1204; previous revision: 1.1203
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c
+new revision: 1.129; previous revision: 1.128
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
+new revision: 1.207; previous revision: 1.206
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <-- libtiff/tif_dirwrite.c
+new revision: 1.85; previous revision: 1.84
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: avoid division by floating point 0 in
+ TIFFReadDirEntryCheckedRational() and
+ TIFFReadDirEntryCheckedSrational(),
+ and return 0 in that case (instead of infinity as before presumably)
+ Apparently some sanitizers do not like those divisions by zero.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1203; previous revision: 1.1202
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
+new revision: 1.206; previous revision: 1.205
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to
+ avoid undefined behaviour caused by invalid shift exponent.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1205; previous revision: 1.1204
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v <-- libtiff/tif_jpeg.c
+new revision: 1.126; previous revision: 1.125
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: avoid potential undefined behaviour on signed
+ integer addition in TIFFReadRawStrip1() in isMapped() case.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1206; previous revision: 1.1205
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
+new revision: 1.51; previous revision: 1.50
+
+Index: libtiff/libtiff/tif_dir.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -u -r1.128 -r1.129
+--- libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128
++++ libtiff/libtiff/tif_dir.c 11 Jan 2017 16:09:02 -0000 1.129
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
++/* $Id: tif_dir.c,v 1.129 2017-01-11 16:09:02 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -31,6 +31,7 @@
+ * (and also some miscellaneous stuff)
+ */
+ #include "tiffiop.h"
++#include <float.h>
+
+ /*
+ * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@
+ return (0);
+ }
+
++static float TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -312,13 +322,13 @@
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+- td->td_xresolution = (float) dblval;
++ td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+ if( dblval < 0 )
+ goto badvaluedouble;
+- td->td_yresolution = (float) dblval;
++ td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_PLANARCONFIG:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@
+ td->td_planarconfig = (uint16) v;
+ break;
+ case TIFFTAG_XPOSITION:
+- td->td_xposition = (float) va_arg(ap, double);
++ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_YPOSITION:
+- td->td_yposition = (float) va_arg(ap, double);
++ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_RESOLUTIONUNIT:
+ v = (uint16) va_arg(ap, uint16_vap);
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.206
+retrieving revision 1.207
+diff -u -r1.206 -r1.207
+--- libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206
++++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 16:09:02 -0000 1.207
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.207 2017-01-11 16:09:02 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -40,6 +40,7 @@
+ */
+
+ #include "tiffiop.h"
++#include <float.h>
+
+ #define IGNORE 0 /* tag placeholder used below */
+ #define FAILED_FII ((uint32) -1)
+@@ -2406,7 +2407,14 @@
+ ma=(double*)origdata;
+ mb=data;
+ for (n=0; n<count; n++)
+- *mb++=(float)(*ma++);
++ {
++ double val = *ma++;
++ if( val > FLT_MAX )
++ val = FLT_MAX;
++ else if( val < -FLT_MAX )
++ val = -FLT_MAX;
++ *mb++=(float)val;
++ }
+ }
+ break;
+ }
+Index: libtiff/libtiff/tif_dirwrite.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v
+retrieving revision 1.84
+retrieving revision 1.85
+diff -u -r1.84 -r1.85
+--- libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 12:51:59 -0000 1.84
++++ libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 16:09:02 -0000 1.85
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */
++/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -30,6 +30,7 @@
+ * Directory Write Support Routines.
+ */
+ #include "tiffiop.h"
++#include <float.h>
+
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@
+ return(0);
+ }
+
++static float TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
++static int8 TIFFClampDoubleToInt8( double val )
++{
++ if( val > 127 )
++ return 127;
++ if( val < -128 || val != val )
++ return -128;
++ return (int8)val;
++}
++
++static int16 TIFFClampDoubleToInt16( double val )
++{
++ if( val > 32767 )
++ return 32767;
++ if( val < -32768 || val != val )
++ return -32768;
++ return (int16)val;
++}
++
++static int32 TIFFClampDoubleToInt32( double val )
++{
++ if( val > 0x7FFFFFFF )
++ return 0x7FFFFFFF;
++ if( val < -0x7FFFFFFF-1 || val != val )
++ return -0x7FFFFFFF-1;
++ return (int32)val;
++}
++
++static uint8 TIFFClampDoubleToUInt8( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 255 || val != val )
++ return 255;
++ return (uint8)val;
++}
++
++static uint16 TIFFClampDoubleToUInt16( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 65535 || val != val )
++ return 65535;
++ return (uint16)val;
++}
++
++static uint32 TIFFClampDoubleToUInt32( double val )
++{
++ if( val < 0 )
++ return 0;
++ if( val > 0xFFFFFFFFU || val != val )
++ return 0xFFFFFFFFU;
++ return (uint32)val;
++}
++
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
+ {
+@@ -959,7 +1023,7 @@
+ if (tif->tif_dir.td_bitspersample<=32)
+ {
+ for (i = 0; i < count; ++i)
+- ((float*)conv)[i] = (float)value[i];
++ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+ ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+ }
+ else
+@@ -971,19 +1035,19 @@
+ if (tif->tif_dir.td_bitspersample<=8)
+ {
+ for (i = 0; i < count; ++i)
+- ((int8*)conv)[i] = (int8)value[i];
++ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
+ ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
+ }
+ else if (tif->tif_dir.td_bitspersample<=16)
+ {
+ for (i = 0; i < count; ++i)
+- ((int16*)conv)[i] = (int16)value[i];
++ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
+ ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
+ }
+ else
+ {
+ for (i = 0; i < count; ++i)
+- ((int32*)conv)[i] = (int32)value[i];
++ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
+ ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
+ }
+ break;
+@@ -991,19 +1055,19 @@
+ if (tif->tif_dir.td_bitspersample<=8)
+ {
+ for (i = 0; i < count; ++i)
+- ((uint8*)conv)[i] = (uint8)value[i];
++ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
+ ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
+ }
+ else if (tif->tif_dir.td_bitspersample<=16)
+ {
+ for (i = 0; i < count; ++i)
+- ((uint16*)conv)[i] = (uint16)value[i];
++ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
+ ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
+ }
+ else
+ {
+ for (i = 0; i < count; ++i)
+- ((uint32*)conv)[i] = (uint32)value[i];
++ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
+ ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
+ }
+ break;
+@@ -2102,7 +2102,7 @@
+ m[0]=0;
+ m[1]=1;
+ }
+- else if (value==(double)(uint32)value)
++ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
+ {
+ m[0]=(uint32)value;
+ m[1]=1;
+@@ -2148,12 +2217,13 @@
+ }
+ for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
+ {
+- if (*na<=0.0)
++ if (*na<=0.0 || *na != *na)
+ {
+ nb[0]=0;
+ nb[1]=1;
+ }
+- else if (*na==(float)(uint32)(*na))
++ else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
++ *na==(float)(uint32)(*na))
+ {
+ nb[0]=(uint32)(*na);
+ nb[1]=1;
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.205
+retrieving revision 1.206
+diff -u -r1.205 -r1.206
+--- libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205
++++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206
+@@ -2872,7 +2872,10 @@
+ m.l = direntry->tdir_offset.toff_long8;
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabArrayOfLong(m.i,2);
+- if (m.i[0]==0)
++ /* Not completely sure what we should do when m.i[1]==0, but some */
++ /* sanitizers do not like division by 0.0: */
++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++ if (m.i[0]==0 || m.i[1]==0)
+ *value=0.0;
+ else
+ *value=(double)m.i[0]/(double)m.i[1];
+@@ -2900,7 +2903,10 @@
+ m.l=direntry->tdir_offset.toff_long8;
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabArrayOfLong(m.i,2);
+- if ((int32)m.i[0]==0)
++ /* Not completely sure what we should do when m.i[1]==0, but some */
++ /* sanitizers do not like division by 0.0: */
++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++ if ((int32)m.i[0]==0 || m.i[1]==0)
+ *value=0.0;
+ else
+ *value=(double)((int32)m.i[0])/(double)m.i[1];
+Index: libtiff/libtiff/tif_jpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v
+retrieving revision 1.125
+retrieving revision 1.126
+diff -u -r1.125 -r1.126
+--- libtiff/libtiff/tif_jpeg.c 11 Jan 2017 12:15:01 -0000 1.125
++++ libtiff/libtiff/tif_jpeg.c 11 Jan 2017 16:13:50 -0000 1.126
+@@ -1,4 +1,4 @@
+-/* $Id: tif_jpeg.c,v 1.123 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tif_jpeg.c,v 1.126 2017-01-11 16:13:50 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1994-1997 Sam Leffler
+@@ -1632,6 +1632,13 @@
+ "Invalig horizontal/vertical sampling value");
+ return (0);
+ }
++ if( td->td_bitspersample > 16 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "BitsPerSample %d not allowed for JPEG",
++ td->td_bitspersample);
++ return (0);
++ }
+
+ /*
+ * A ReferenceBlackWhite field *must* be present since the
+Index: libtiff/libtiff/tif_read.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.50
+retrieving revision 1.51
+diff -u -r1.50 -r1.51
+--- libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50
++++ libtiff/libtiff/tif_read.c 11 Jan 2017 16:33:34 -0000 1.51
+@@ -420,16 +420,25 @@
+ return ((tmsize_t)(-1));
+ }
+ } else {
+- tmsize_t ma,mb;
++ tmsize_t ma;
+ tmsize_t n;
+- ma=(tmsize_t)td->td_stripoffset[strip];
+- mb=ma+size;
+- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+- n=0;
+- else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
+- n=tif->tif_size-ma;
+- else
+- n=size;
++ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
++ ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
++ {
++ n=0;
++ }
++ else if( ma > TIFF_TMSIZE_T_MAX - size )
++ {
++ n=0;
++ }
++ else
++ {
++ tmsize_t mb=ma+size;
++ if (mb>tif->tif_size)
++ n=tif->tif_size-ma;
++ else
++ n=size;
++ }
+ if (n!=size) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
--
2.12.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply related [flat|nested] 5+ messages in thread
* bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
2017-05-07 0:11 ` Kei Kebreau
@ 2017-05-07 3:41 ` Leo Famulari
2017-05-07 10:58 ` Kei Kebreau
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2017-05-07 3:41 UTC (permalink / raw)
To: Kei Kebreau; +Cc: 26804
[-- Attachment #1: Type: text/plain, Size: 535 bytes --]
On Sat, May 06, 2017 at 08:11:35PM -0400, Kei Kebreau wrote:
> So the attached patch would be okay to push to the master branch?
Yes, after ...
> From fe8c0d5c5c4f7bbba7375dc28294a2efd0d2f85e Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Sat, 6 May 2017 10:45:57 -0400
> Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597,
> 7598, 7599, 7600, 7601, 7602}.
... putting the list of CVEs on its own line, and changing the title to
be shorter than 80 characters. Then please push :)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
2017-05-07 3:41 ` Leo Famulari
@ 2017-05-07 10:58 ` Kei Kebreau
0 siblings, 0 replies; 5+ messages in thread
From: Kei Kebreau @ 2017-05-07 10:58 UTC (permalink / raw)
To: Leo Famulari; +Cc: 26804-done
[-- Attachment #1: Type: text/plain, Size: 650 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Sat, May 06, 2017 at 08:11:35PM -0400, Kei Kebreau wrote:
>> So the attached patch would be okay to push to the master branch?
>
> Yes, after ...
>
>> From fe8c0d5c5c4f7bbba7375dc28294a2efd0d2f85e Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <kei@openmailbox.org>
>> Date: Sat, 6 May 2017 10:45:57 -0400
>> Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597,
>> 7598, 7599, 7600, 7601, 7602}.
>
> ... putting the list of CVEs on its own line, and changing the title to
> be shorter than 80 characters. Then please push :)
Pushed with appropriate changes. Thanks for your time!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-05-07 10:59 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-06 14:45 bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602} Kei Kebreau
2017-05-06 18:54 ` Leo Famulari
2017-05-07 0:11 ` Kei Kebreau
2017-05-07 3:41 ` Leo Famulari
2017-05-07 10:58 ` Kei Kebreau
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).