svn commit: r418585 - in head/graphics/tiff: . files
Mark Felder
feld at FreeBSD.org
Fri Jul 15 16:22:54 UTC 2016
Author: feld
Date: Fri Jul 15 16:22:53 2016
New Revision: 418585
URL: https://svnweb.freebsd.org/changeset/ports/418585
Log:
graphics/tiff: Patch vulnerabilities
These two patches were obtained from OpenBSD. An additional CVE is not
yet addressed, but upstream indicates they are removing the gif2tiff
utility as the mitigation in the upcoming 4.0.7.
PR: 211113
MFH: 2016Q3
Security: CVE-2016-5875
Security: CVE-2016-3186
Added:
head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c (contents, props changed)
head/graphics/tiff/files/patch-tools_gif2tiff.c (contents, props changed)
Modified:
head/graphics/tiff/Makefile
Modified: head/graphics/tiff/Makefile
==============================================================================
--- head/graphics/tiff/Makefile Fri Jul 15 16:19:21 2016 (r418584)
+++ head/graphics/tiff/Makefile Fri Jul 15 16:22:53 2016 (r418585)
@@ -3,7 +3,7 @@
PORTNAME= tiff
PORTVERSION= 4.0.6
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://download.osgeo.org/libtiff/
Added: head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c Fri Jul 15 16:22:53 2016 (r418585)
@@ -0,0 +1,34 @@
+CVE-2016-5875(, dup?)
+https://marc.info/?l=oss-security&m=146720235906569&w=2
+
+--- libtiff/tif_pixarlog.c.orig Sat Aug 29 00:16:22 2015
++++ libtiff/tif_pixarlog.c Fri Jul 1 13:04:52 2016
+@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int strid
+ typedef struct {
+ TIFFPredictorState predict;
+ z_stream stream;
++ tmsize_t tbuf_size; /* only set/used on reading for now */
+ uint16 *tbuf;
+ uint16 stride;
+ int state;
+@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ if (sp->tbuf == NULL)
+ return (0);
++ sp->tbuf_size = tbuf_size;
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+@@ -779,6 +781,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uin
+ if (sp->stream.avail_out != nsamples * sizeof(uint16))
+ {
+ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
++ return (0);
++ }
++ /* Check that we will not fill more than what was allocated */
++ if (sp->stream.avail_out > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+ return (0);
+ }
+ do {
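Review bot: The added bound check in PixarLogDecode compares zlib's unsigned `sp->stream.avail_out` with the signed `tmsize_t` field `sp->tbuf_size`, so on a platform where both are 32 bits wide the field is converted to unsigned before the comparison. That is exact only while `tbuf_size` is non-negative, which the visible lines do not establish; a comment on the check such as `/* tbuf_size is the non-negative byte count passed to _TIFFmalloc in PixarLogSetupDecode */` would record the assumption. The text given to TIFFErrorExt repeats the C condition, and a message like `"Decoded data would overflow the PixarLog buffer"` would be more useful in a log. Both function bodies continue outside the hunk.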
Added: head/graphics/tiff/files/patch-tools_gif2tiff.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/graphics/tiff/files/patch-tools_gif2tiff.c Fri Jul 15 16:22:53 2016 (r418585)
@@ -0,0 +1,14 @@
+CVE-2016-3186, patch from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1319666
+
+--- tools/gif2tiff.c.orig Fri Jul 1 13:11:43 2016
++++ tools/gif2tiff.c Fri Jul 1 13:12:07 2016
+@@ -349,7 +349,7 @@ readextension(void)
+ int status = 1;
+
+ (void) getc(infile);
+- while ((count = getc(infile)) && count <= 255)
++ while ((count = getc(infile)) && count >= 0 && count <= 255)
+ if (fread(buf, 1, count, infile) != (size_t) count) {
+ fprintf(stderr, "short read from file %s (%s)\n",
+ filename, strerror(errno));
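Review bot: With the added `count >= 0` test in readextension, an EOF from `getc` ends the loop the same way the zero-length block terminator does, so a truncated extension block is accepted silently. Testing for it by name, `while ((count = getc(infile)) != EOF && count != 0)`, would read more clearly than the range test, since the `count <= 255` half is always true for a byte that getc returns. A check after the loop could then report the truncation and clear `status`. The declaration of `buf` and the rest of the function are outside the hunk, so the 255-byte bound is presumably the buffer's size and worth confirming.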