phracek pushed to libtiff (f21). "CVE-2014-9655 and CVE-2015-1547 #1190710 (..more)"

notifications at fedoraproject.org notifications at fedoraproject.org
Wed May 20 06:27:32 UTC 2015


From 37199ad8a2c39a409aa5be879c7aa709f8d55a49 Mon Sep 17 00:00:00 2001
From: Petr Hracek <phracek at redhat.com>
Date: Tue, 19 May 2015 14:40:53 +0200
Subject: CVE-2014-9655 and CVE-2015-1547 #1190710

Signed-off-by: Petr Hracek <phracek at redhat.com>

diff --git a/libtiff-CVE-2014-9655.patch b/libtiff-CVE-2014-9655.patch
new file mode 100644
index 0000000..e80edd7
--- /dev/null
+++ b/libtiff-CVE-2014-9655.patch
@@ -0,0 +1,68 @@
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a85273c..5e0cf92 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -1852,10 +1852,10 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ 
+     (void) y;
+     fromskew = (fromskew * 10) / 4;
+-    if ((h & 3) == 0 && (w & 1) == 0) {
++    if ((w & 3) == 0 && (h & 1) == 0) {
+         for (; h >= 2; h -= 2) {
+             x = w>>2;
+-            do {
++            while(x>0) {
+                 int32 Cb = pp[8];
+                 int32 Cr = pp[9];
+                 
+@@ -1870,7 +1870,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+                 
+                 cp += 4, cp1 += 4;
+                 pp += 10;
+-            } while (--x);
++                x--;
++            }
+             cp += incr, cp1 += incr;
+             pp += fromskew;
+         }
+@@ -2031,7 +2032,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ 	fromskew = (fromskew * 4) / 2;
+ 	do {
+ 		x = w>>1;
+-		do {
++		while(x>0) {
+ 			int32 Cb = pp[2];
+ 			int32 Cr = pp[3];
+ 
+@@ -2040,7 +2041,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ 
+ 			cp += 2;
+ 			pp += 4;
+-		} while (--x);
++            x--;
++		}
+ 
+ 		if( (w&1) != 0 )
+ 		{
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index 524e127..a6f4577 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ 		TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
+ 		return (0);
+ 	}
+-	for (row = buf; occ > 0; occ -= scanline, row += scanline) {
++	for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
+ 		n = *bp++, cc--;
+ 		switch (n) {
+ 		case LITERALROW:
+@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ 			 * The scanline has a literal span that begins at some
+ 			 * offset.
+ 			 */
++            if( cc < 4 )
++                goto bad;
+ 			off = (bp[0] * 256) + bp[1];
+ 			n = (bp[2] * 256) + bp[3];
+ 			if (cc < 4+n || off+n > scanline)
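Review bot: In the NeXTDecode hunk, the new loop condition `cc > 0 && occ > 0` ends the loop quietly when the compressed input runs out before all output rows are produced, so a truncated strip looks the same as a complete one unless the code after the loop, which is outside this hunk, checks for it. If short input should be an error, a check such as `if (occ > 0) goto bad;` after the loop would make that explicit; otherwise a comment like `/* stop when the input is exhausted; remaining rows are left as they were */` would document the choice. The added `if( cc < 4 ) goto bad;` protects only the four header bytes of this case; the other `switch` cases are not visible here and deserve the same check of `cc` before they read from `bp`. On style, the added `x--;` in putcontig8bitYCbCr21tile and the two `cc < 4` lines are indented with spaces while the surrounding code uses tabs.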
diff --git a/libtiff.spec b/libtiff.spec
index cd2bc2e..2ac8255 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,27 +1,27 @@
-Summary: Library of functions for manipulating TIFF format image files
-Name: libtiff
-Version: 4.0.3
-Release: 19%{?dist}
-
-License: libtiff
-Group: System Environment/Libraries
-URL: http://www.remotesensing.org/libtiff/
-
-Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
-
-Patch0: libtiff-am-version.patch
-Patch1: libtiff-CVE-2012-4447.patch
-Patch2: libtiff-CVE-2012-4564.patch
-Patch3: libtiff-printdir-width.patch
-Patch4: libtiff-jpeg-test.patch
-Patch5: libtiff-CVE-2013-1960.patch
-Patch6: libtiff-CVE-2013-1961.patch
-Patch7: libtiff-manpage-update.patch
-Patch8: libtiff-CVE-2013-4231.patch
-Patch9: libtiff-CVE-2013-4232.patch
-Patch10: libtiff-CVE-2013-4244.patch
-Patch11: libtiff-make-check.patch
-Patch12: libtiff-CVE-2013-4243.patch
+Summary:    Library of functions for manipulating TIFF format image files
+Name:       libtiff
+Version:    4.0.3
+Release:    20%{?dist}
+License:    libtiff
+Group:      System Environment/Libraries
+URL:        http://www.remotesensing.org/libtiff/
+
+Source:     ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
+
+Patch0:     libtiff-am-version.patch
+Patch1:     libtiff-CVE-2012-4447.patch
+Patch2:     libtiff-CVE-2012-4564.patch
+Patch3:     libtiff-printdir-width.patch
+Patch4:     libtiff-jpeg-test.patch
+Patch5:     libtiff-CVE-2013-1960.patch
+Patch6:     libtiff-CVE-2013-1961.patch
+Patch7:     libtiff-manpage-update.patch
+Patch8:     libtiff-CVE-2013-4231.patch
+Patch9:     libtiff-CVE-2013-4232.patch
+Patch10:    libtiff-CVE-2013-4244.patch
+Patch11:    libtiff-make-check.patch
+Patch12:    libtiff-CVE-2013-4243.patch
+Patch13:    libtiff-CVE-2014-9655.patch
 
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig
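Review bot: `Patch13: libtiff-CVE-2014-9655.patch` is named for one CVE, while the commit subject and changelog say it also fixes CVE-2015-1547, and neither the spec nor the patch file records where the fix came from. A comment above the line, for example `# CVE-2014-9655 and CVE-2015-1547 (#1190710); origin: <upstream commit or bug URL>`, would let a later audit match the patch to each advisory. The whitespace realignment of every tag in the same hunk also buries the two functional changes (the `Release` bump and the new `Patch13`); it would be easier to review as a separate commit.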
@@ -36,10 +36,10 @@ The libtiff package should be installed if you need to manipulate TIFF
 format image files.
 
 %package devel
-Summary: Development tools for programs which will use the libtiff library
-Group: Development/Libraries
-Requires: %{name}%{?_isa} = %{version}-%{release}
-Requires: pkgconfig%{?_isa}
+Summary:    Development tools for programs which will use the libtiff library
+Group:      Development/Libraries
+Requires:   %{name}%{?_isa} = %{version}-%{release}
+Requires:   pkgconfig%{?_isa}
 
 %description devel
 This package contains the header files and documentation necessary for
@@ -51,9 +51,9 @@ image files, you should install this package.  You'll also need to
 install the libtiff package.
 
 %package static
-Summary: Static TIFF image format file library
-Group: Development/Libraries
-Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+Summary:     Static TIFF image format file library
+Group:       Development/Libraries
+Requires:    %{name}-devel%{?_isa} = %{version}-%{release}
 
 %description static
 The libtiff-static package contains the statically linkable version of libtiff.
@@ -61,9 +61,9 @@ Linking to static libraries is discouraged for most applications, but it is
 necessary for some boot packages.
 
 %package tools
-Summary: Command-line utility programs for manipulating TIFF files
-Group: Development/Libraries
-Requires: %{name}%{?_isa} = %{version}-%{release}
+Summary:    Command-line utility programs for manipulating TIFF files
+Group:      Development/Libraries
+Requires:   %{name}%{?_isa} = %{version}-%{release}
 
 %description tools
 This package contains command-line programs for manipulating TIFF format
@@ -85,6 +85,7 @@ image files using the libtiff library.
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -190,6 +191,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Tue May 19 2015 Petr Hracek <phracek at redhat.com> - 4.0.3-20
+- CVE-2014-9655 and CVE-2015-1547 #1190710
+
 * Sat May 02 2015 Kalev Lember <kalevlember at gmail.com> - 4.0.3-19
 - Rebuilt for GCC 5 C++11 ABI change
 
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/libtiff.git/commit/?h=f21&id=37199ad8a2c39a409aa5be879c7aa709f8d55a49

