mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 13:28:12 -05:00
gnu: libtiff: Fix CVE-2017-{9936,10688}.
* gnu/packages/patches/libtiff-CVE-2017-9936.patch, gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use them. Signed-off-by: Leo Famulari <leo@famulari.name>
This commit is contained in:
parent
ab104672e1
commit
dab536fe1a
4 changed files with 144 additions and 1 deletions
|
@ -765,7 +765,9 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/libtiff-CVE-2016-10092.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-10093.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-10094.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-10688.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2017-5225.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2017-9936.patch \
|
||||
%D%/packages/patches/libtiff-assertion-failure.patch \
|
||||
%D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \
|
||||
%D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \
|
||||
|
|
|
@ -391,7 +391,9 @@ (define libtiff-4.0.8
|
|||
(method url-fetch)
|
||||
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
|
||||
version ".tar.gz"))
|
||||
(patches (search-patches "libtiff-tiffgetfield-bugs.patch"))
|
||||
(patches (search-patches "libtiff-tiffgetfield-bugs.patch"
|
||||
"libtiff-CVE-2016-10688.patch"
|
||||
"libtiff-CVE-2017-9936.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))))
|
||||
|
|
92
gnu/packages/patches/libtiff-CVE-2016-10688.patch
Normal file
92
gnu/packages/patches/libtiff-CVE-2016-10688.patch
Normal file
|
@ -0,0 +1,92 @@
|
|||
Fix CVE-2017-10688:
|
||||
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2712
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688
|
||||
https://security-tracker.debian.org/tracker/CVE-2017-10688
|
||||
|
||||
Patch lifted from upstream source repository (the changes to 'ChangeLog'
|
||||
don't apply to the libtiff 4.0.8 release tarball).
|
||||
|
||||
3rd party Git reference:
|
||||
|
||||
https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
|
||||
|
||||
2017-06-30 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
|
||||
functions associated with LONG8/SLONG8 data type, replace assertion
|
||||
that
|
||||
the file is BigTIFF, by a non-fatal error.
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
|
||||
Reported by team OWL337
|
||||
|
||||
|
||||
|
||||
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
|
||||
new revision: 1.1259; previous revision: 1.1258
|
||||
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <--
|
||||
libtiff/tif_dirwrite.c
|
||||
new revision: 1.86; previous revision: 1.85
|
||||
|
||||
Index: libtiff/libtiff/tif_dirwrite.c
|
||||
===================================================================
|
||||
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v
|
||||
retrieving revision 1.85
|
||||
retrieving revision 1.86
|
||||
diff -u -r1.85 -r1.86
|
||||
--- libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 16:09:02 -0000 1.85
|
||||
+++ libtiff/libtiff/tif_dirwrite.c 30 Jun 2017 17:29:44 -0000 1.86
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */
|
||||
+/* $Id: tif_dirwrite.c,v 1.86 2017-06-30 17:29:44 erouault Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988-1997 Sam Leffler
|
||||
@@ -2111,7 +2111,10 @@
|
||||
{
|
||||
uint64 m;
|
||||
assert(sizeof(uint64)==8);
|
||||
- assert(tif->tif_flags&TIFF_BIGTIFF);
|
||||
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
|
||||
+ return(0);
|
||||
+ }
|
||||
m=value;
|
||||
if (tif->tif_flags&TIFF_SWAB)
|
||||
TIFFSwabLong8(&m);
|
||||
@@ -2124,7 +2127,10 @@
|
||||
{
|
||||
assert(count<0x20000000);
|
||||
assert(sizeof(uint64)==8);
|
||||
- assert(tif->tif_flags&TIFF_BIGTIFF);
|
||||
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
|
||||
+ return(0);
|
||||
+ }
|
||||
if (tif->tif_flags&TIFF_SWAB)
|
||||
TIFFSwabArrayOfLong8(value,count);
|
||||
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
|
||||
@@ -2136,7 +2142,10 @@
|
||||
{
|
||||
int64 m;
|
||||
assert(sizeof(int64)==8);
|
||||
- assert(tif->tif_flags&TIFF_BIGTIFF);
|
||||
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
|
||||
+ return(0);
|
||||
+ }
|
||||
m=value;
|
||||
if (tif->tif_flags&TIFF_SWAB)
|
||||
TIFFSwabLong8((uint64*)(&m));
|
||||
@@ -2149,7 +2158,10 @@
|
||||
{
|
||||
assert(count<0x20000000);
|
||||
assert(sizeof(int64)==8);
|
||||
- assert(tif->tif_flags&TIFF_BIGTIFF);
|
||||
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
|
||||
+ return(0);
|
||||
+ }
|
||||
if (tif->tif_flags&TIFF_SWAB)
|
||||
TIFFSwabArrayOfLong8((uint64*)value,count);
|
||||
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
|
47
gnu/packages/patches/libtiff-CVE-2017-9936.patch
Normal file
47
gnu/packages/patches/libtiff-CVE-2017-9936.patch
Normal file
|
@ -0,0 +1,47 @@
|
|||
Fix CVE-2017-9936:
|
||||
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2706
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9936
|
||||
https://security-tracker.debian.org/tracker/CVE-2017-9936
|
||||
|
||||
Patch lifted from upstream source repository (the changes to 'ChangeLog'
|
||||
don't apply to the libtiff 4.0.8 release tarball).
|
||||
|
||||
3rd party Git reference:
|
||||
|
||||
https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a
|
||||
|
||||
2017-06-26 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* libtiff/tif_jbig.c: fix memory leak in error code path of
|
||||
JBIGDecode()
|
||||
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
|
||||
Reported by team OWL337
|
||||
|
||||
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
|
||||
new revision: 1.1254; previous revision: 1.1253
|
||||
/cvs/maptools/cvsroot/libtiff/libtiff/tif_jbig.c,v <-- libtiff/tif_jbig.c
|
||||
new revision: 1.16; previous revision: 1.15
|
||||
|
||||
Index: libtiff/libtiff/tif_jbig.c
|
||||
===================================================================
|
||||
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jbig.c,v
|
||||
retrieving revision 1.15
|
||||
retrieving revision 1.16
|
||||
diff -u -r1.15 -r1.16
|
||||
--- libtiff/libtiff/tif_jbig.c 10 Mar 2010 18:56:48 -0000 1.15
|
||||
+++ libtiff/libtiff/tif_jbig.c 26 Jun 2017 15:20:00 -0000 1.16
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: tif_jbig.c,v 1.15 2010-03-10 18:56:48 bfriesen Exp $ */
|
||||
+/* $Id: tif_jbig.c,v 1.16 2017-06-26 15:20:00 erouault Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988-1997 Sam Leffler
|
||||
@@ -94,6 +94,7 @@
|
||||
jbg_strerror(decodeStatus)
|
||||
#endif
|
||||
);
|
||||
+ jbg_dec_free(&decoder);
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in a new issue