rpms/ocaml-camlimages/EL-4 camlimages-oversized-tiff-check-CVE-2009-3296.patch, NONE, 1.1 camlimages-oversized-png-check-CVE-2009-2295.patch, 1.2, 1.3 ocaml-camlimages.spec, 1.3, 1.4
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-4
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3755
Modified Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
ocaml-camlimages.spec
Added Files:
camlimages-oversized-tiff-check-CVE-2009-3296.patch
Log Message:
* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-9
- ocaml-camlimages: TIFF reader multiple integer overflows
(CVE 2009-3296 / RHBZ#528732).
camlimages-oversized-tiff-check-CVE-2009-3296.patch:
tiffread.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch ---
--- camlimages-2.2.orig/tiff/tiffread.c 2004-09-21 22:56:44.000000000 +0100
+++ camlimages-2.2.tiff/tiff/tiffread.c 2009-10-16 10:47:32.515257997 +0100
@@ -18,6 +18,13 @@
#include <caml/memory.h>
#include <caml/fail.h>
+#include <limits.h>
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
#if HAVE_TIFF
/* These are defined in caml/config.h */
@@ -68,6 +75,10 @@
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
if( imagebits != 8 ){
failwith("Sorry, tiff rgb file must be 24bit-color");
@@ -156,6 +167,11 @@
TIFFGetField(tif, TIFFTAG_RESOLUTIONUNIT, &runit);
TIFFGetField(tif, TIFFTAG_XRESOLUTION, &xres);
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
+
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample != 3 || imagebits != 8 ) {
failwith("tiff file is not in the 24 bit RGB format");
}
camlimages-oversized-png-check-CVE-2009-2295.patch:
pngread.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
Index: camlimages-oversized-png-check-CVE-2009-2295.patch
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-4/camlimages-oversized-png-check-CVE-2009-2295.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 18:28:47 -0000 1.2
+++ camlimages-oversized-png-check-CVE-2009-2295.patch 16 Oct 2009 09:51:57 -0000 1.3
@@ -1,28 +1,28 @@
---- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
-+++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100
-@@ -15,6 +15,8 @@
- #include "config.h"
- #endif
+--- camlimages-2.2.orig/png/pngread.c 2002-03-26 13:15:10.000000000 +0000
++++ camlimages-2.2.png/png/pngread.c 2009-10-16 10:46:07.759508515 +0100
+@@ -13,6 +13,8 @@
+ /***********************************************************************/
+ #include <config.h>
+#include <limits.h>
+
+ #if HAVE_PNG
#include <png.h>
-
- #include <caml/mlvalues.h>
-@@ -26,6 +28,12 @@
+ #endif
+@@ -33,6 +35,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
-+#define oversized(x, y) \
++#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
value read_png_file_as_rgb24( name )
value name;
{
-@@ -81,6 +89,9 @@
+@@ -88,6 +96,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
@@ -32,7 +32,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -102,10 +113,16 @@
+@@ -109,10 +120,16 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -49,7 +49,7 @@
row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
res = alloc_tuple(3);
-@@ -235,6 +252,9 @@
+@@ -242,6 +259,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
@@ -59,7 +59,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -251,6 +271,9 @@
+@@ -258,6 +278,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -69,10 +69,12 @@
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
-@@ -259,6 +282,9 @@
+@@ -265,7 +288,10 @@
+ int i;
png_bytep *row_pointers;
char mesg[256];
-
+-
++
+ if (oversized (sizeof (png_bytep), height))
+ failwith ("png error: image contains oversized or bogus height");
+
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-4/ocaml-camlimages.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- ocaml-camlimages.spec 3 Jul 2009 13:59:36 -0000 1.3
+++ ocaml-camlimages.spec 16 Oct 2009 09:51:57 -0000 1.4
@@ -13,6 +13,9 @@ Patch0: camlimages-2.2.0-stubdes
# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=528732
+Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# Excluding on ppc64 due to missing dependencies (Bug #239518)
@@ -48,10 +51,8 @@ Includes documentation provided by ocaml
%prep
%setup -q -n camlimages-2.2 -a 1
%patch0 -p1
-
-pushd png
-%patch1 -p2
-popd
+%patch1 -p1
+%patch2 -p1
sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in
@@ -82,6 +83,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-9
+- ocaml-camlimages: TIFF reader multiple integer overflows
+ (CVE 2009-3296 / RHBZ#528732).
+
* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-8
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
14 years, 6 months
rpms/ocaml-camlimages/EL-5 camlimages-oversized-tiff-check-CVE-2009-3296.patch, NONE, 1.1 camlimages-oversized-png-check-CVE-2009-2295.patch, 1.2, 1.3 ocaml-camlimages.spec, 1.4, 1.5
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22975
Modified Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
ocaml-camlimages.spec
Added Files:
camlimages-oversized-tiff-check-CVE-2009-3296.patch
Log Message:
* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-11
- ocaml-camlimages: TIFF reader multiple integer overflows
(CVE 2009-3296 / RHBZ#528732).
camlimages-oversized-tiff-check-CVE-2009-3296.patch:
tiffread.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch ---
--- camlimages-2.2.orig/tiff/tiffread.c 2004-09-21 22:56:44.000000000 +0100
+++ camlimages-2.2.tiff/tiff/tiffread.c 2009-10-16 10:47:32.515257997 +0100
@@ -18,6 +18,13 @@
#include <caml/memory.h>
#include <caml/fail.h>
+#include <limits.h>
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
#if HAVE_TIFF
/* These are defined in caml/config.h */
@@ -68,6 +75,10 @@
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
if( imagebits != 8 ){
failwith("Sorry, tiff rgb file must be 24bit-color");
@@ -156,6 +167,11 @@
TIFFGetField(tif, TIFFTAG_RESOLUTIONUNIT, &runit);
TIFFGetField(tif, TIFFTAG_XRESOLUTION, &xres);
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
+
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample != 3 || imagebits != 8 ) {
failwith("tiff file is not in the 24 bit RGB format");
}
camlimages-oversized-png-check-CVE-2009-2295.patch:
pngread.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
Index: camlimages-oversized-png-check-CVE-2009-2295.patch
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-5/camlimages-oversized-png-check-CVE-2009-2295.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 18:28:47 -0000 1.2
+++ camlimages-oversized-png-check-CVE-2009-2295.patch 16 Oct 2009 09:49:59 -0000 1.3
@@ -1,28 +1,28 @@
---- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
-+++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100
-@@ -15,6 +15,8 @@
- #include "config.h"
- #endif
+--- camlimages-2.2.orig/png/pngread.c 2002-03-26 13:15:10.000000000 +0000
++++ camlimages-2.2.png/png/pngread.c 2009-10-16 10:46:07.759508515 +0100
+@@ -13,6 +13,8 @@
+ /***********************************************************************/
+ #include <config.h>
+#include <limits.h>
+
+ #if HAVE_PNG
#include <png.h>
-
- #include <caml/mlvalues.h>
-@@ -26,6 +28,12 @@
+ #endif
+@@ -33,6 +35,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
-+#define oversized(x, y) \
++#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
value read_png_file_as_rgb24( name )
value name;
{
-@@ -81,6 +89,9 @@
+@@ -88,6 +96,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
@@ -32,7 +32,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -102,10 +113,16 @@
+@@ -109,10 +120,16 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -49,7 +49,7 @@
row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
res = alloc_tuple(3);
-@@ -235,6 +252,9 @@
+@@ -242,6 +259,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
@@ -59,7 +59,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -251,6 +271,9 @@
+@@ -258,6 +278,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -69,10 +69,12 @@
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
-@@ -259,6 +282,9 @@
+@@ -265,7 +288,10 @@
+ int i;
png_bytep *row_pointers;
char mesg[256];
-
+-
++
+ if (oversized (sizeof (png_bytep), height))
+ failwith ("png error: image contains oversized or bogus height");
+
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-5/ocaml-camlimages.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- ocaml-camlimages.spec 3 Jul 2009 14:06:49 -0000 1.4
+++ ocaml-camlimages.spec 16 Oct 2009 09:49:59 -0000 1.5
@@ -1,6 +1,6 @@
Name: ocaml-camlimages
Version: 2.2.0
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: OCaml image processing library
Group: Development/Libraries
@@ -13,6 +13,9 @@ Patch0: camlimages-2.2.0-stubdes
# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=528732
+Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: ocaml-lablgtk libpng-devel libjpeg-devel ocaml
@@ -45,10 +48,8 @@ Includes documentation provided by ocaml
%prep
%setup -q -n camlimages-2.2 -a 1
%patch0 -p1
-
-pushd png
-%patch1 -p2
-popd
+%patch1 -p1
+%patch2 -p1
sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in
@@ -79,6 +80,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-11
+- ocaml-camlimages: TIFF reader multiple integer overflows
+ (CVE 2009-3296 / RHBZ#528732).
+
* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-10
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
14 years, 6 months
rpms/ocaml-camlimages/F-10 camlimages-oversized-tiff-check-CVE-2009-3296.patch, NONE, 1.1 ocaml-camlimages.spec, 1.12, 1.13
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28679
Modified Files:
ocaml-camlimages.spec
Added Files:
camlimages-oversized-tiff-check-CVE-2009-3296.patch
Log Message:
* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-3.fc10.3
- ocaml-camlimages: TIFF reader multiple integer overflows
(CVE 2009-3296 / RHBZ#528732).
camlimages-oversized-tiff-check-CVE-2009-3296.patch:
tiffread.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch ---
--- camlimages-3.0.1.old/src/tiffread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1/src/tiffread.c 2009-10-16 10:26:53.841258260 +0100
@@ -21,6 +21,13 @@
#include <caml/memory.h>
#include <caml/fail.h>
+#include <limits.h>
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
/* These are defined in caml/config.h */
#define int16 int16tiff
#define uint16 uint16tiff
@@ -64,6 +71,10 @@
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
if( imagebits != 8 ){
failwith("Sorry, tiff rgb file must be 24bit-color");
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/F-10/ocaml-camlimages.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -p -r1.12 -r1.13
--- ocaml-camlimages.spec 3 Jul 2009 18:30:05 -0000 1.12
+++ ocaml-camlimages.spec 16 Oct 2009 09:39:25 -0000 1.13
@@ -4,7 +4,7 @@
Name: ocaml-camlimages
Version: 3.0.1
-Release: 3%{?dist}.2
+Release: 3%{?dist}.3
Summary: OCaml image processing library
Group: Development/Libraries
@@ -19,6 +19,9 @@ Patch0: camlimages-3.0.1-display
# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=528732
+Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
+
BuildRequires: ocaml >= 3.10.1
BuildRequires: ocaml-lablgtk-devel
BuildRequires: ocaml-x11
@@ -66,6 +69,7 @@ Includes documentation provided by ocaml
# the examples/liv directory, so rename it:
%patch0 -p1
%patch1 -p1
+%patch2 -p1
aclocal -I .
automake
autoconf
@@ -111,6 +115,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-3.fc10.3
+- ocaml-camlimages: TIFF reader multiple integer overflows
+ (CVE 2009-3296 / RHBZ#528732).
+
* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-3.fc10.2
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
14 years, 6 months
rpms/ocaml-camlimages/F-11 camlimages-oversized-tiff-check-CVE-2009-3296.patch, NONE, 1.1 ocaml-camlimages.spec, 1.16, 1.17
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12043
Modified Files:
ocaml-camlimages.spec
Added Files:
camlimages-oversized-tiff-check-CVE-2009-3296.patch
Log Message:
* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-7.fc11.3
- ocaml-camlimages: TIFF reader multiple integer overflows
(CVE 2009-3296 / RHBZ#528732).
camlimages-oversized-tiff-check-CVE-2009-3296.patch:
tiffread.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch ---
--- camlimages-3.0.1.old/src/tiffread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1/src/tiffread.c 2009-10-16 10:26:53.841258260 +0100
@@ -21,6 +21,13 @@
#include <caml/memory.h>
#include <caml/fail.h>
+#include <limits.h>
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
/* These are defined in caml/config.h */
#define int16 int16tiff
#define uint16 uint16tiff
@@ -64,6 +71,10 @@
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
if( imagebits != 8 ){
failwith("Sorry, tiff rgb file must be 24bit-color");
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/F-11/ocaml-camlimages.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -p -r1.16 -r1.17
--- ocaml-camlimages.spec 3 Jul 2009 18:30:05 -0000 1.16
+++ ocaml-camlimages.spec 16 Oct 2009 09:36:24 -0000 1.17
@@ -4,7 +4,7 @@
Name: ocaml-camlimages
Version: 3.0.1
-Release: 7%{?dist}.2
+Release: 7%{?dist}.3
Summary: OCaml image processing library
Group: Development/Libraries
@@ -19,6 +19,9 @@ Patch0: camlimages-3.0.1-display
# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=528732
+Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
+
BuildRequires: ocaml >= 3.10.1
BuildRequires: ocaml-lablgtk-devel
BuildRequires: ocaml-x11
@@ -66,6 +69,7 @@ Includes documentation provided by ocaml
# the examples/liv directory, so rename it:
%patch0 -p1
%patch1 -p1
+%patch2 -p1
aclocal -I .
automake
autoconf
@@ -111,6 +115,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-7.fc11.3
+- ocaml-camlimages: TIFF reader multiple integer overflows
+ (CVE 2009-3296 / RHBZ#528732).
+
* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-7.fc11.2
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
14 years, 6 months
rpms/ocaml-camlimages/F-12 camlimages-oversized-tiff-check-CVE-2009-3296.patch, NONE, 1.1 ocaml-camlimages.spec, 1.20, 1.21
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5530
Modified Files:
ocaml-camlimages.spec
Added Files:
camlimages-oversized-tiff-check-CVE-2009-3296.patch
Log Message:
* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-12.fc12.1
- ocaml-camlimages: TIFF reader multiple integer overflows
(CVE 2009-3296 / RHBZ#528732).
camlimages-oversized-tiff-check-CVE-2009-3296.patch:
tiffread.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch ---
--- camlimages-3.0.1.old/src/tiffread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1/src/tiffread.c 2009-10-16 10:26:53.841258260 +0100
@@ -21,6 +21,13 @@
#include <caml/memory.h>
#include <caml/fail.h>
+#include <limits.h>
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
/* These are defined in caml/config.h */
#define int16 int16tiff
#define uint16 uint16tiff
@@ -64,6 +71,10 @@
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
if( imagebits != 8 ){
failwith("Sorry, tiff rgb file must be 24bit-color");
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/F-12/ocaml-camlimages.spec,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -p -r1.20 -r1.21
--- ocaml-camlimages.spec 29 Sep 2009 15:12:40 -0000 1.20
+++ ocaml-camlimages.spec 16 Oct 2009 09:33:42 -0000 1.21
@@ -4,7 +4,7 @@
Name: ocaml-camlimages
Version: 3.0.1
-Release: 12%{?dist}
+Release: 12%{?dist}.1
Summary: OCaml image processing library
Group: Development/Libraries
@@ -20,6 +20,9 @@ Patch0: camlimages-3.0.1-display
# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=528732
+Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
+
BuildRequires: ocaml >= 3.10.1
BuildRequires: ocaml-lablgtk-devel
BuildRequires: ocaml-x11
@@ -67,6 +70,7 @@ Includes documentation provided by ocaml
# the examples/liv directory, so rename it:
%patch0 -p1
%patch1 -p1
+%patch2 -p1
aclocal -I .
automake
autoconf
@@ -112,6 +116,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-12.fc12.1
+- ocaml-camlimages: TIFF reader multiple integer overflows
+ (CVE 2009-3296 / RHBZ#528732).
+
* Tue Sep 29 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-12
- Force rebuild against newer lablgtk.
14 years, 6 months
rpms/ocaml-camlimages/devel ocaml-camlimages.spec,1.21,1.22
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4858
Modified Files:
ocaml-camlimages.spec
Log Message:
Force rebuild.
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/devel/ocaml-camlimages.spec,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -p -r1.21 -r1.22
--- ocaml-camlimages.spec 16 Oct 2009 09:30:27 -0000 1.21
+++ ocaml-camlimages.spec 16 Oct 2009 09:31:31 -0000 1.22
@@ -4,7 +4,7 @@
Name: ocaml-camlimages
Version: 3.0.1
-Release: 13%{?dist}
+Release: 14%{?dist}
Summary: OCaml image processing library
Group: Development/Libraries
@@ -116,7 +116,7 @@ rm -rf $RPM_BUILD_ROOT
%changelog
-* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-13
+* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-14
- ocaml-camlimages: TIFF reader multiple integer overflows
(CVE 2009-3296 / RHBZ#528732).
14 years, 6 months
rpms/ocaml-camlimages/devel camlimages-oversized-tiff-check-CVE-2009-3296.patch, NONE, 1.1 ocaml-camlimages.spec, 1.20, 1.21
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4505
Modified Files:
ocaml-camlimages.spec
Added Files:
camlimages-oversized-tiff-check-CVE-2009-3296.patch
Log Message:
- ocaml-camlimages: TIFF reader multiple integer overflows
(CVE 2009-3296 / RHBZ#528732).
camlimages-oversized-tiff-check-CVE-2009-3296.patch:
tiffread.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch ---
--- camlimages-3.0.1.old/src/tiffread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1/src/tiffread.c 2009-10-16 10:26:53.841258260 +0100
@@ -21,6 +21,13 @@
#include <caml/memory.h>
#include <caml/fail.h>
+#include <limits.h>
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
/* These are defined in caml/config.h */
#define int16 int16tiff
#define uint16 uint16tiff
@@ -64,6 +71,10 @@
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
if( imagebits != 8 ){
failwith("Sorry, tiff rgb file must be 24bit-color");
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/devel/ocaml-camlimages.spec,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -p -r1.20 -r1.21
--- ocaml-camlimages.spec 29 Sep 2009 15:13:31 -0000 1.20
+++ ocaml-camlimages.spec 16 Oct 2009 09:30:27 -0000 1.21
@@ -4,7 +4,7 @@
Name: ocaml-camlimages
Version: 3.0.1
-Release: 12%{?dist}
+Release: 13%{?dist}
Summary: OCaml image processing library
Group: Development/Libraries
@@ -20,6 +20,9 @@ Patch0: camlimages-3.0.1-display
# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=528732
+Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
+
BuildRequires: ocaml >= 3.10.1
BuildRequires: ocaml-lablgtk-devel
BuildRequires: ocaml-x11
@@ -67,6 +70,7 @@ Includes documentation provided by ocaml
# the examples/liv directory, so rename it:
%patch0 -p1
%patch1 -p1
+%patch2 -p1
aclocal -I .
automake
autoconf
@@ -112,6 +116,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-13
+- ocaml-camlimages: TIFF reader multiple integer overflows
+ (CVE 2009-3296 / RHBZ#528732).
+
* Tue Sep 29 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-12
- Force rebuild against newer lablgtk.
14 years, 6 months
rpms/ocaml-lwt/devel ocaml-lwt.spec,1.9,1.10
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-lwt/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv18815
Modified Files:
ocaml-lwt.spec
Log Message:
Missing BR on camlp4.
Index: ocaml-lwt.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-lwt/devel/ocaml-lwt.spec,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -p -r1.9 -r1.10
--- ocaml-lwt.spec 12 Oct 2009 08:39:50 -0000 1.9
+++ ocaml-lwt.spec 12 Oct 2009 08:50:06 -0000 1.10
@@ -3,7 +3,7 @@
Name: ocaml-lwt
Version: 2.0.0
-Release: 0.1.rc1%{?dist}
+Release: 0.2.rc1%{?dist}
Summary: OCaml lightweight thread library
Group: Development/Libraries
@@ -16,6 +16,7 @@ ExcludeArch: sparc64 s390 s390x
BuildRequires: ocaml >= 3.10.0
BuildRequires: ocaml-findlib-devel
BuildRequires: ocaml-ocamldoc
+BuildRequires: ocaml-camlp4-devel
BuildRequires: ocaml-ssl >= 0.4.0
BuildRequires: ocaml-react >= 0.9.0
BuildRequires: chrpath
@@ -93,8 +94,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
-* Mon Oct 12 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.0.0-0.1.rc1.fc13
+* Mon Oct 12 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.0.0-0.2.rc1.fc13
- ocaml-react is now in Fedora, so build this package.
+- Missing BR on camlp4.
* Thu Oct 8 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.0.0-0.rc1.fc13
- New upstream version 2.0.0+rc1.
14 years, 6 months
rpms/ocaml-lwt/devel ocaml-lwt.spec,1.8,1.9
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-lwt/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14846
Modified Files:
ocaml-lwt.spec
Log Message:
ocaml-react is now in Fedora, so build this package.
Index: ocaml-lwt.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-lwt/devel/ocaml-lwt.spec,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- ocaml-lwt.spec 8 Oct 2009 12:42:49 -0000 1.8
+++ ocaml-lwt.spec 12 Oct 2009 08:39:50 -0000 1.9
@@ -3,7 +3,7 @@
Name: ocaml-lwt
Version: 2.0.0
-Release: 0.rc1%{?dist}
+Release: 0.1.rc1%{?dist}
Summary: OCaml lightweight thread library
Group: Development/Libraries
@@ -93,6 +93,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Mon Oct 12 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.0.0-0.1.rc1.fc13
+- ocaml-react is now in Fedora, so build this package.
+
* Thu Oct 8 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.0.0-0.rc1.fc13
- New upstream version 2.0.0+rc1.
- NB. This cannot be built as it depends on new package ocaml-react
14 years, 6 months