[libtiff] Add upstream patches for CVE-2013-4231 CVE-2013-4232
Petr Hracek
phracek at fedoraproject.org
Wed Aug 14 08:33:59 UTC 2013
commit 9db3acd0d071ea81f4a72ed6955d62f469246fb6
Author: Petr Hracek <phracek at redhat.com>
Date: Wed Aug 14 10:33:30 2013 +0200
Add upstream patches for CVE-2013-4231 CVE-2013-4232
libtiff-CVE-2013-4231.patch | 15 +++++++++++++++
libtiff-CVE-2013-4232.patch | 12 ++++++++++++
libtiff.spec | 10 +++++++++-
3 files changed, 36 insertions(+), 1 deletions(-)
---
diff --git a/libtiff-CVE-2013-4231.patch b/libtiff-CVE-2013-4231.patch
new file mode 100644
index 0000000..8ae1e12
--- /dev/null
+++ b/libtiff-CVE-2013-4231.patch
@@ -0,0 +1,15 @@
+diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
+index 17f7a19..375b152 100644
+--- a/tools/gif2tiff.c
++++ b/tools/gif2tiff.c
+@@ -333,6 +333,10 @@ readraster(void)
+ int status = 1;
+
+ datasize = getc(infile);
++
++ if (datasize > 12)
++ return 0;
++
+ clear = 1 << datasize;
+ eoi = clear + 1;
+ avail = clear + 2;
diff --git a/libtiff-CVE-2013-4232.patch b/libtiff-CVE-2013-4232.patch
new file mode 100644
index 0000000..cec322f
--- /dev/null
+++ b/libtiff-CVE-2013-4232.patch
@@ -0,0 +1,12 @@
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 92a1a3d..312a946 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ _TIFFfree(buffer);
++ return(0);
+ } else {
+ buffer=samplebuffer;
+ t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
diff --git a/libtiff.spec b/libtiff.spec
index 5693f4e..8609bce 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.0.3
-Release: 8%{?dist}
+Release: 9%{?dist}
License: libtiff
Group: System Environment/Libraries
@@ -17,6 +17,8 @@ Patch4: libtiff-jpeg-test.patch
Patch5: libtiff-CVE-2013-1960.patch
Patch6: libtiff-CVE-2013-1961.patch
Patch7: libtiff-manpage-update.patch
+Patch8: libtiff-CVE-2013-4231.patch
+Patch9: libtiff-CVE-2013-4232.patch
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig
@@ -75,6 +77,8 @@ image files using the libtiff library.
%patch5 -p1
%patch6 -p1
%patch7 -p1
+%patch8 -p1
+%patch9 -p1
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@@ -178,6 +182,10 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
+* Wed Aug 14 2013 Petr Hracek <phracek at redhat.com> 4.0.3-9
+- Add upstream patches for CVE-2013-4231 CVE-2013-4232
+Resolves: #995965 #995975
+
* Mon Aug 12 2013 Petr Hracek <phracek at redhat.com> - 4.0.3-8
- Manpage fixing (#510240, #510258)
More information about the scm-commits
mailing list