Leo Famulari writes:
> * gnu/packages/patches/libtiff-CVE-2016-9297.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/image.scm (libtiff/fixed)[source]: Use it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/image.scm | 3 +-
> gnu/packages/patches/libtiff-CVE-2016-9297.patch | 52 ++++++++++++++++++++++++
> 3 files changed, 55 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/libtiff-CVE-2016-9297.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 08f99c4..513bd34 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -667,6 +667,7 @@ dist_patch_DATA = \
> %D%/packages/patches/libtiff-CVE-2016-5323.patch \
> %D%/packages/patches/libtiff-CVE-2016-5652.patch \
> %D%/packages/patches/libtiff-CVE-2016-9273.patch \
> + %D%/packages/patches/libtiff-CVE-2016-9297.patch \
> %D%/packages/patches/libtiff-oob-accesses-in-decode.patch \
> %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
> %D%/packages/patches/libtool-skip-tests2.patch \
> diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
> index a40b212..d38344a 100644
> --- a/gnu/packages/image.scm
> +++ b/gnu/packages/image.scm
> @@ -300,7 +300,8 @@ collection of tools for doing simple manipulations of TIFF images.")
> "libtiff-CVE-2016-5321.patch"
> "libtiff-CVE-2016-5323.patch"
> "libtiff-CVE-2016-5652.patch"
> - "libtiff-CVE-2016-9273.patch"))))))
> + "libtiff-CVE-2016-9273.patch"
> + "libtiff-CVE-2016-9297.patch"))))))
>
> (define-public libwmf
> (package
> diff --git a/gnu/packages/patches/libtiff-CVE-2016-9297.patch b/gnu/packages/patches/libtiff-CVE-2016-9297.patch
> new file mode 100644
> index 0000000..c9207bb
> --- /dev/null
> +++ b/gnu/packages/patches/libtiff-CVE-2016-9297.patch
> @@ -0,0 +1,52 @@
> +Fix CVE-2016-9297:
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9297
> +http://bugzilla.maptools.org/show_bug.cgi?id=2590
> +
> +Patch copied from upstream source repository.
> +
> +2016-11-11 Even Rouault
> +
> + * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
> + values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
> + access are null terminated, to avoid potential read outside buffer
> + in _TIFFPrintField().
> + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
> +
> +
> +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
> +new revision: 1.1154; previous revision: 1.1153
> +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <--
> +libtiff/tif_dirread.c
> +new revision: 1.203; previous revision: 1.202Index: libtiff/libtiff/tif_dirread.c
> +===================================================================
> +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
> +retrieving revision 1.202
> +retrieving revision 1.203
> +diff -u -r1.202 -r1.203
> +--- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:01:55 -0000 1.202
> ++++ libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203
> +@@ -5000,6 +5000,11 @@
> + if (err==TIFFReadDirEntryErrOk)
> + {
> + int m;
> ++ if( data[dp->tdir_count-1] != '\0' )
> ++ {
> ++ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
> ++ data[dp->tdir_count-1] = '\0';
> ++ }
> + m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
> + if (data!=0)
> + _TIFFfree(data);
> +@@ -5172,6 +5177,11 @@
> + if (err==TIFFReadDirEntryErrOk)
> + {
> + int m;
> ++ if( data[dp->tdir_count-1] != '\0' )
> ++ {
> ++ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. 
Forcing it to be null",fip->field_name);
> ++ data[dp->tdir_count-1] = '\0';
> ++ }
> + m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
> + if (data!=0)
> + _TIFFfree(data);
LGTM.
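Review bot: In both added blocks of the embedded tif_dirread.c patch (the `@@ -5000` and `@@ -5172` hunks), `data[dp->tdir_count-1]` is read before the existing `if (data!=0)` test a few lines below, so a NULL `data` or a zero `tdir_count` would be dereferenced or indexed out of bounds. Whether a zero-count ASCII tag can reach this point is not visible here, because TIFFFetchNormalTag() begins and ends outside the hunks, but the later NULL test suggests the surrounding code considers an empty buffer possible. The guard would be safer as `if( data != 0 && dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )` in both places. Since the patch is copied from upstream, it is worth checking whether upstream has a follow-up revision to import alongside it.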