guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

33/34: gnu: libtiff: Update to 4.0.10.


From: guix-commits
Subject: 33/34: gnu: libtiff: Update to 4.0.10.
Date: Wed, 12 Dec 2018 15:56:50 -0500 (EST)

mbakke pushed a commit to branch staging
in repository guix.

commit 3f2848a5f91bf7bb9c5643776be13196f587f952
Author: Marius Bakke <address@hidden>
Date:   Wed Dec 12 20:36:46 2018 +0100

    gnu: libtiff: Update to 4.0.10.
    
    * gnu/packages/patches/libtiff-CVE-2017-18013.patch,
    gnu/packages/patches/libtiff-CVE-2017-9935.patch,
    gnu/packages/patches/libtiff-CVE-2018-10963.patch,
    gnu/packages/patches/libtiff-CVE-2018-8905.patch: Delete files.
    * gnu/local.mk (dist_patch_DATA): Remove them.
    * gnu/packages/image.scm (libtiff): Update to 4.0.10.
    [source](patches): Remove.
---
 gnu/local.mk                                      |   4 -
 gnu/packages/image.scm                            |   8 +-
 gnu/packages/patches/libtiff-CVE-2017-18013.patch |  45 ------
 gnu/packages/patches/libtiff-CVE-2017-9935.patch  | 162 ----------------------
 gnu/packages/patches/libtiff-CVE-2018-10963.patch |  40 ------
 gnu/packages/patches/libtiff-CVE-2018-8905.patch  |  61 --------
 6 files changed, 2 insertions(+), 318 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 03627b9..fe5224c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -909,10 +909,6 @@ dist_patch_DATA =                                          
\
   %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch     \
   %D%/packages/patches/libtar-CVE-2013-4420.patch              \
   %D%/packages/patches/libtheora-config-guess.patch            \
-  %D%/packages/patches/libtiff-CVE-2017-9935.patch             \
-  %D%/packages/patches/libtiff-CVE-2017-18013.patch            \
-  %D%/packages/patches/libtiff-CVE-2018-8905.patch             \
-  %D%/packages/patches/libtiff-CVE-2018-10963.patch            \
   %D%/packages/patches/libtool-skip-tests2.patch               \
   %D%/packages/patches/libusb-0.1-disable-tests.patch          \
   %D%/packages/patches/libusb-for-axoloti.patch                        \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 92447c2..1a6b8fe 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -461,7 +461,7 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (version "4.0.9")
+   (version "4.0.10")
    (source
      (origin
        (method url-fetch)
@@ -469,11 +469,7 @@ extracting icontainer icon files.")
                            version ".tar.gz"))
        (sha256
         (base32
-         "1kfg4q01r4mqn7dj63ifhi6pmqzbf4xax6ni6kkk81ri5kndwyvf"))
-       (patches (search-patches "libtiff-CVE-2017-9935.patch"
-                                "libtiff-CVE-2017-18013.patch"
-                                "libtiff-CVE-2018-8905.patch"
-                                "libtiff-CVE-2018-10963.patch"))))
+         "1r4np635gr6zlc0bic38dzvxia6iqzcrary4n1ylarzpr8fd2lic"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                           ;1.3 MiB of HTML documentation
diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch 
b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
deleted file mode 100644
index ba03c83..0000000
--- a/gnu/packages/patches/libtiff-CVE-2017-18013.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-18013:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2770
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
-
-From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
-From: Even Rouault <address@hidden>
-Date: Sun, 31 Dec 2017 15:09:41 +0100
-Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
- dereference on corrupted file. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2770
-
----
- libtiff/tif_print.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 9959d353..8deceb2b 100644
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
-                       fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
-                           (unsigned long) s,
--                          (unsigned __int64) td->td_stripoffset[s],
--                          (unsigned __int64) td->td_stripbytecount[s]);
-+                          td->td_stripoffset ? (unsigned __int64) 
td->td_stripoffset[s] : 0,
-+                          td->td_stripbytecount ? (unsigned __int64) 
td->td_stripbytecount[s] : 0);
- #else
-                       fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
-                           (unsigned long) s,
--                          (unsigned long long) td->td_stripoffset[s],
--                          (unsigned long long) td->td_stripbytecount[s]);
-+                          td->td_stripoffset ? (unsigned long long) 
td->td_stripoffset[s] : 0,
-+                          td->td_stripbytecount ? (unsigned long long) 
td->td_stripbytecount[s] : 0);
- #endif
-       }
- }
--- 
-2.16.1
-
diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch 
b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
deleted file mode 100644
index 5685d81..0000000
--- a/gnu/packages/patches/libtiff-CVE-2017-9935.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-Fix CVE-2017-9935
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
-http://bugzilla.maptools.org/show_bug.cgi?id=2704
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
-
-From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
-From: Brian May <address@hidden>
-Date: Thu, 7 Dec 2017 07:46:47 +1100
-Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
-
-Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
-
-This vulnerability - at least for the supplied test case - is because we
-assume that a tiff will only have one transfer function that is the same
-for all pages. This is not required by the TIFF standards.
-
-We than read the transfer function for every page.  Depending on the
-transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
-We allocate this memory after we read in the transfer function for the
-page.
-
-For the first exploit - POC1, this file has 3 pages. For the first page
-we allocate 2 extra extra XREF entries. Then for the next page 2 more
-entries. Then for the last page the transfer function changes and we
-allocate 4 more entries.
-
-When we read the file into memory, we assume we have 4 bytes extra for
-each and every page (as per the last transfer function we read). Which
-is not correct, we only have 2 bytes extra for the first 2 pages. As a
-result, we end up writing past the end of the buffer.
-
-There are also some related issues that this also fixes. For example,
-TIFFGetField can return uninitalized pointer values, and the logic to
-detect a N=3 vs N=1 transfer function seemed rather strange.
-
-It is also strange that we declare the transfer functions to be of type
-float, when the standard says they are unsigned 16 bit values. This is
-fixed in another patch.
-
-This patch will check to ensure that the N value for every transfer
-function is the same for every page. If this changes, we abort with an
-error. In theory, we should perhaps check that the transfer function
-itself is identical for every page, however we don't do that due to the
-confusion of the type of the data in the transfer function.
----
- libtiff/tif_dir.c |  3 +++
- tools/tiff2pdf.c  | 65 +++++++++++++++++++++++++++++++++++++------------------
- 2 files changed, 47 insertions(+), 21 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index 2ccaf448..cbf2b693 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
-                       if (td->td_samplesperpixel - td->td_extrasamples > 1) {
-                               *va_arg(ap, uint16**) = 
td->td_transferfunction[1];
-                               *va_arg(ap, uint16**) = 
td->td_transferfunction[2];
-+                      } else {
-+                              *va_arg(ap, uint16**) = NULL;
-+                              *va_arg(ap, uint16**) = NULL;
-                       }
-                       break;
-               case TIFFTAG_REFERENCEBLACKWHITE:
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index d1a9b095..c3ec0746 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
-       uint16 pagen=0;
-       uint16 paged=0;
-       uint16 xuint16=0;
-+      uint16 tiff_transferfunctioncount=0;
-+      float* tiff_transferfunction[3];
- 
-       directorycount=TIFFNumberOfDirectories(input);
-       t2p->tiff_pages = (T2P_PAGE*) 
_TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
-@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
-                 }
- #endif
-               if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
--                                 &(t2p->tiff_transferfunction[0]),
--                                 &(t2p->tiff_transferfunction[1]),
--                                 &(t2p->tiff_transferfunction[2]))) {
--                      if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[1] !=
--                            t2p->tiff_transferfunction[0])) {
--                              t2p->tiff_transferfunctioncount = 3;
--                              t2p->tiff_pages[i].page_extra += 4;
--                              t2p->pdf_xrefcount += 4;
--                      } else {
--                              t2p->tiff_transferfunctioncount = 1;
--                              t2p->tiff_pages[i].page_extra += 2;
--                              t2p->pdf_xrefcount += 2;
--                      }
--                      if(t2p->pdf_minorversion < 2)
--                              t2p->pdf_minorversion = 2;
-+                                 &(tiff_transferfunction[0]),
-+                                 &(tiff_transferfunction[1]),
-+                                 &(tiff_transferfunction[2]))) {
-+
-+                        if((tiff_transferfunction[1] != (float*) NULL) &&
-+                           (tiff_transferfunction[2] != (float*) NULL)
-+                          ) {
-+                            tiff_transferfunctioncount=3;
-+                        } else {
-+                            tiff_transferfunctioncount=1;
-+                        }
-                 } else {
--                      t2p->tiff_transferfunctioncount=0;
-+                      tiff_transferfunctioncount=0;
-               }
-+
-+                if (i > 0){
-+                    if (tiff_transferfunctioncount != 
t2p->tiff_transferfunctioncount){
-+                        TIFFError(
-+                            TIFF2PDF_MODULE,
-+                            "Different transfer function on page %d",
-+                            i);
-+                        t2p->t2p_error = T2P_ERR_ERROR;
-+                        return;
-+                    }
-+                }
-+
-+                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
-+                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
-+                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
-+                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
-+                if(tiff_transferfunctioncount == 3){
-+                        t2p->tiff_pages[i].page_extra += 4;
-+                        t2p->pdf_xrefcount += 4;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                } else if (tiff_transferfunctioncount == 1){
-+                        t2p->tiff_pages[i].page_extra += 2;
-+                        t2p->pdf_xrefcount += 2;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                }
-+
-               if( TIFFGetField(
-                       input, 
-                       TIFFTAG_ICCPROFILE, 
-@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
-                        &(t2p->tiff_transferfunction[1]),
-                        &(t2p->tiff_transferfunction[2]))) {
-               if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[1] !=
--                    t2p->tiff_transferfunction[0])) {
-+                   (t2p->tiff_transferfunction[2] != (float*) NULL)
-+                  ) {
-                       t2p->tiff_transferfunctioncount=3;
-               } else {
-                       t2p->tiff_transferfunctioncount=1;
--- 
-2.16.1
-
diff --git a/gnu/packages/patches/libtiff-CVE-2018-10963.patch 
b/gnu/packages/patches/libtiff-CVE-2018-10963.patch
deleted file mode 100644
index d31c123..0000000
--- a/gnu/packages/patches/libtiff-CVE-2018-10963.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Fix CVE-2018-10963:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2795
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/de144fd228e4be8aa484c3caf3d814b6fa88c6d9
-
-From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <address@hidden>
-Date: Sat, 12 May 2018 14:24:15 +0200
-Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
-
----
- libtiff/tif_dirwrite.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index 2430de6d..c15a28db 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int 
imagedone, uint64* pdiroff)
-                                                               }
-                                                               break;
-                                                       default:
--                                                              assert(0);   /* 
we should never get here */
--                                                              break;
-+                                                              
TIFFErrorExt(tif->tif_clientdata,module,
-+                                                                          
"Cannot write tag %d (%s)",
-+                                                                          
TIFFFieldTag(o),
-+                                                                            
o->field_name ? o->field_name : "unknown");
-+                                                              goto bad;
-                                               }
-                                       }
-                               }
--- 
-2.17.0
-
diff --git a/gnu/packages/patches/libtiff-CVE-2018-8905.patch 
b/gnu/packages/patches/libtiff-CVE-2018-8905.patch
deleted file mode 100644
index f498157..0000000
--- a/gnu/packages/patches/libtiff-CVE-2018-8905.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-Fix CVE-2018-8095:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2780
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d
-
-From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
-From: Even Rouault <address@hidden>
-Date: Sat, 12 May 2018 15:32:31 +0200
-Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
-
-The fix consists in using the similar code LZWDecode() to validate we
-don't write outside of the output buffer.
----
- libtiff/tif_lzw.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
-index 4ccb443c..94d85e38 100644
---- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, 
uint16 s)
-       char *tp;
-       unsigned char *bp;
-       int code, nbits;
-+      int len;
-       long nextbits, nextdata, nbitsmask;
-       code_t *codep, *free_entp, *maxcodep, *oldcodep;
- 
-@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, 
uint16 s)
-                               }  while (--occ);
-                               break;
-                       }
--                      assert(occ >= codep->length);
--                      op += codep->length;
--                      occ -= codep->length;
--                      tp = op;
-+                      len = codep->length;
-+                      tp = op + len;
-                       do {
--                              *--tp = codep->value;
--                      } while( (codep = codep->next) != NULL );
-+                              int t;
-+                              --tp;
-+                              t = codep->value;
-+                              codep = codep->next;
-+                              *tp = (char)t;
-+                      } while (codep && tp > op);
-+                      assert(occ >= len);
-+                      op += len;
-+                      occ -= len;
-               } else {
-                       *op++ = (char)code;
-                       occ--;
--- 
-2.17.0
-



reply via email to

[Prev in Thread] Current Thread [Next in Thread]