From 45b34efc843b3da340cbe941e587ba45bf6328d2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 21 Jan 2020 17:34:20 -0500 Subject: [PATCH] import libtiff-4.0.9-17.el8 --- .gitignore | 1 + .libtiff.metadata | 1 + SOURCES/libtiff-CVE-2017-18013.patch | 36 ++ SOURCES/libtiff-CVE-2017-9935.patch | 164 ++++++ SOURCES/libtiff-CVE-2018-10963.patch | 31 ++ SOURCES/libtiff-CVE-2018-12900.patch | 47 ++ SOURCES/libtiff-CVE-2018-17100.patch | 39 ++ SOURCES/libtiff-CVE-2018-18557.patch | 107 ++++ SOURCES/libtiff-CVE-2018-18661.patch | 121 +++++ SOURCES/libtiff-CVE-2018-5784.patch | 128 +++++ SOURCES/libtiff-CVE-2018-7456.patch | 170 +++++++ SOURCES/libtiff-CVE-2018-8905.patch | 53 ++ SOURCES/libtiff-CVE-2019-14973.patch | 424 ++++++++++++++++ SOURCES/libtiff-am-version.patch | 31 ++ SOURCES/libtiff-coverity.patch | 42 ++ SOURCES/libtiff-make-check.patch | 12 + SPECS/libtiff.spec | 726 +++++++++++++++++++++++++++ 17 files changed, 2133 insertions(+) create mode 100644 .gitignore create mode 100644 .libtiff.metadata create mode 100644 SOURCES/libtiff-CVE-2017-18013.patch create mode 100644 SOURCES/libtiff-CVE-2017-9935.patch create mode 100644 SOURCES/libtiff-CVE-2018-10963.patch create mode 100644 SOURCES/libtiff-CVE-2018-12900.patch create mode 100644 SOURCES/libtiff-CVE-2018-17100.patch create mode 100644 SOURCES/libtiff-CVE-2018-18557.patch create mode 100644 SOURCES/libtiff-CVE-2018-18661.patch create mode 100644 SOURCES/libtiff-CVE-2018-5784.patch create mode 100644 SOURCES/libtiff-CVE-2018-7456.patch create mode 100644 SOURCES/libtiff-CVE-2018-8905.patch create mode 100644 SOURCES/libtiff-CVE-2019-14973.patch create mode 100644 SOURCES/libtiff-am-version.patch create mode 100644 SOURCES/libtiff-coverity.patch create mode 100644 SOURCES/libtiff-make-check.patch create mode 100644 SPECS/libtiff.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0432824 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/tiff-4.0.9.tar.gz diff --git a/.libtiff.metadata b/.libtiff.metadata new file mode 100644 index 0000000..0a25bcd --- /dev/null +++ b/.libtiff.metadata @@ -0,0 +1 @@ +87d4543579176cc568668617c22baceccd568296 SOURCES/tiff-4.0.9.tar.gz diff --git a/SOURCES/libtiff-CVE-2017-18013.patch b/SOURCES/libtiff-CVE-2017-18013.patch new file mode 100644 index 0000000..77afc48 --- /dev/null +++ b/SOURCES/libtiff-CVE-2017-18013.patch @@ -0,0 +1,36 @@ +From b1997b9c3ac0d6bac5effd7558141986487217a9 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH 2/4] libtiff/tif_print.c: TIFFPrintDirectory(): fix null + pointer dereference on corrupted file. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2770 / CVE-2017-18013 + +--- + libtiff/tif_print.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 10a588e..b9b53a0 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, " %3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } +-- +2.17.0 + diff --git a/SOURCES/libtiff-CVE-2017-9935.patch b/SOURCES/libtiff-CVE-2017-9935.patch new file mode 100644 index 0000000..39327ff --- /dev/null +++ b/SOURCES/libtiff-CVE-2017-9935.patch @@ -0,0 +1,164 @@ +From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001 +From: Brian May +Date: Thu, 7 Dec 2017 07:46:47 +1100 +Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935 + +Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +This vulnerability - at least for the supplied test case - is because we +assume that a tiff will only have one transfer function that is the same +for all pages. This is not required by the TIFF standards. + +We than read the transfer function for every page. Depending on the +transfer function, we allocate either 2 or 4 bytes to the XREF buffer. +We allocate this memory after we read in the transfer function for the +page. + +For the first exploit - POC1, this file has 3 pages. For the first page +we allocate 2 extra extra XREF entries. Then for the next page 2 more +entries. Then for the last page the transfer function changes and we +allocate 4 more entries. + +When we read the file into memory, we assume we have 4 bytes extra for +each and every page (as per the last transfer function we read). Which +is not correct, we only have 2 bytes extra for the first 2 pages. As a +result, we end up writing past the end of the buffer. + +There are also some related issues that this also fixes. For example, +TIFFGetField can return uninitalized pointer values, and the logic to +detect a N=3 vs N=1 transfer function seemed rather strange. + +It is also strange that we declare the transfer functions to be of type +float, when the standard says they are unsigned 16 bit values. This is +fixed in another patch. + +This patch will check to ensure that the N value for every transfer +function is the same for every page. If this changes, we abort with an +error. In theory, we should perhaps check that the transfer function +itself is identical for every page, however we don't do that due to the +confusion of the type of the data in the transfer function. +--- + libtiff/tif_dir.c | 3 +++ + tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++---------------- + 2 files changed, 49 insertions(+), 23 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index f00f808..c36a5f3 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index bdb9126..bd23c9e 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -239,7 +239,7 @@ typedef struct { + float tiff_whitechromaticities[2]; + float tiff_primarychromaticities[6]; + float tiff_referenceblackwhite[2]; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + int pdf_image_interpolate; /* 0 (default) : do not interpolate, + 1 : interpolate */ + uint16 tiff_transferfunctioncount; +@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ uint16* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + if(directorycount > TIFF_DIR_MAX) { +@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (uint16*) NULL) && ++ (tiff_transferfunction[2] != (uint16*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[0]), + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && ++ (t2p->tiff_transferfunction[2] != (uint16*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1; +-- +2.17.0 + diff --git a/SOURCES/libtiff-CVE-2018-10963.patch b/SOURCES/libtiff-CVE-2018-10963.patch new file mode 100644 index 0000000..039b7c1 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-10963.patch @@ -0,0 +1,31 @@ +From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 12 May 2018 14:24:15 +0200 +Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 + +--- + libtiff/tif_dirwrite.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index c68d6d2..5d0a669 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) + } + break; + default: +- assert(0); /* we should never get here */ +- break; ++ TIFFErrorExt(tif->tif_clientdata,module, ++ "Cannot write tag %d (%s)", ++ TIFFFieldTag(o), ++ o->field_name ? o->field_name : "unknown"); ++ goto bad; + } + } + } +-- +2.17.0 + diff --git a/SOURCES/libtiff-CVE-2018-12900.patch b/SOURCES/libtiff-CVE-2018-12900.patch new file mode 100644 index 0000000..c7c3d30 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-12900.patch @@ -0,0 +1,47 @@ +From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 10:05:33 +0100 +Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow + +fixes bug 2833 +--- + tools/tiffcp.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 489459a..0c66229 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + + #include + +@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + int status = 1; + uint32 imagew = TIFFRasterScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew*spp; ++ int iskew; + tsize_t tilesize = TIFFTileSize(in); + tdata_t tilebuf; + uint8* bufp = (uint8*) buf; +@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + ++ if (tilew && spp > (INT_MAX / tilew)) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); ++ return 0; ++ } ++ iskew = imagew - tilew*spp; + tilebuf = _TIFFmalloc(tilesize); + if (tilebuf == 0) + return 0; +-- +2.21.0 + diff --git a/SOURCES/libtiff-CVE-2018-17100.patch b/SOURCES/libtiff-CVE-2018-17100.patch new file mode 100644 index 0000000..8ed6dca --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-17100.patch @@ -0,0 +1,39 @@ +From 491e3acc55d7a54e2588de476733e93c4c7ffea0 Mon Sep 17 00:00:00 2001 +From: Young_X +Date: Sat, 8 Sep 2018 14:46:27 +0800 +Subject: [PATCH] avoid potential int32 overflows in multiply_ms() + +--- + tools/ppm2tiff.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c +index 91415e9..81ffa3d 100644 +--- a/tools/ppm2tiff.c ++++ b/tools/ppm2tiff.c +@@ -72,15 +72,16 @@ BadPPM(char* file) + exit(-2); + } + ++ ++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) ++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) ++ + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- tmsize_t bytes = m1 * m2; +- +- if (m1 && bytes / m1 != m2) +- bytes = 0; +- +- return bytes; ++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) ++ return 0; ++ return m1 * m2; + } + + int +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-18557.patch b/SOURCES/libtiff-CVE-2018-18557.patch new file mode 100644 index 0000000..d2cd3c5 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-18557.patch @@ -0,0 +1,107 @@ +From 2683f6c21aefc760d2f7e56dac6b4383841886d6 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 14 Oct 2018 16:38:29 +0200 +Subject: [PATCH 2/2] JBIG: fix potential out-of-bounds write in JBIGDecode() + +JBIGDecode doesn't check if the user provided buffer is large enough +to store the JBIG decoded image, which can potentially cause out-of-bounds +write in the buffer. +This issue was reported and analyzed by Thomas Dullien. + +Also fixes a (harmless) potential use of uninitialized memory when +tif->tif_rawsize > tif->tif_rawcc + +And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure +that whole strip data is provided to JBIGDecode() +--- + libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------ + libtiff/tif_read.c | 6 ++++++ + 2 files changed, 32 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c +index 7a14dd9..8136c77 100644 +--- a/libtiff/tif_jbig.c ++++ b/libtiff/tif_jbig.c +@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) + struct jbg_dec_state decoder; + int decodeStatus = 0; + unsigned char* pImage = NULL; +- (void) size, (void) s; ++ unsigned long decodedSize; ++ (void) s; + + if (isFillOrder(tif, tif->tif_dir.td_fillorder)) + { +- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize); ++ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc); + } + + jbg_dec_init(&decoder); + + #if defined(HAVE_JBG_NEWLEN) +- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize); ++ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc); + /* + * I do not check the return status of jbg_newlen because even if this + * function fails it does not necessarily mean that decoding the image +@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) + */ + #endif /* HAVE_JBG_NEWLEN */ + +- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata, +- (size_t)tif->tif_rawdatasize, NULL); ++ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp, ++ (size_t)tif->tif_rawcc, NULL); + if (JBG_EOK != decodeStatus) + { + /* +@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) + return 0; + } + ++ decodedSize = jbg_dec_getsize(&decoder); ++ if( (tmsize_t)decodedSize < size ) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "JBIG", ++ "Only decoded %lu bytes, whereas %lu requested", ++ decodedSize, (unsigned long)size); ++ } ++ else if( (tmsize_t)decodedSize > size ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "JBIG", ++ "Decoded %lu bytes, whereas %lu were requested", ++ decodedSize, (unsigned long)size); ++ jbg_dec_free(&decoder); ++ return 0; ++ } + pImage = jbg_dec_getimage(&decoder, 0); +- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder)); ++ _TIFFmemcpy(buffer, pImage, decodedSize); + jbg_dec_free(&decoder); ++ ++ tif->tif_rawcp += tif->tif_rawcc; ++ tif->tif_rawcc = 0; ++ + return 1; + } + +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c +index 2ba985a..04100f4 100644 +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample ) + return 0; + whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10 + || isMapped(tif); ++ if( td->td_compression == COMPRESSION_JBIG ) ++ { ++ /* Ideally plugins should have a way to declare they don't support ++ * chunk strip */ ++ whole_strip = 1; ++ } + #else + whole_strip = 1; + #endif +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-18661.patch b/SOURCES/libtiff-CVE-2018-18661.patch new file mode 100644 index 0000000..9a7430b --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-18661.patch @@ -0,0 +1,121 @@ +From 20dbecdf69cf0209ad0246707aaf142bb1fee96e Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 30 Oct 2018 18:50:27 +0100 +Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of + memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 / + CVE-2018-18661 + +--- + libtiff/tiffiop.h | 1 + + tools/tiff2bw.c | 30 ++++++++++++++++++++++++++---- + tools/tiffcrop.c | 5 ----- + 3 files changed, 27 insertions(+), 9 deletions(-) + +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index daa291c..08e5dc4 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...); + #endif + + #define streq(a,b) (strcmp(a,b) == 0) ++#define strneq(a,b,n) (strncmp(a,b,n) == 0) + + #ifndef TRUE + #define TRUE 1 +diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c +index dad54af..1f3bb2c 100644 +--- a/tools/tiff2bw.c ++++ b/tools/tiff2bw.c +@@ -40,9 +40,7 @@ + #endif + + #include "tiffio.h" +- +-#define streq(a,b) (strcmp((a),(b)) == 0) +-#define strneq(a,b,n) (strncmp(a,b,n) == 0) ++#include "tiffiop.h" + + /* x% weighting -> fraction of full color */ + #define PCT(x) (((x)*256+50)/100) +@@ -223,6 +221,11 @@ main(int argc, char* argv[]) + TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); + TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); + outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ if( !outbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, + TIFFDefaultStripSize(out, rowsperstrip)); + +@@ -246,6 +249,11 @@ main(int argc, char* argv[]) + #undef CVT + } + inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); ++ if( !inbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + for (row = 0; row < h; row++) { + if (TIFFReadScanline(in, inbuf, row, 0) < 0) + break; +@@ -256,6 +264,11 @@ main(int argc, char* argv[]) + break; + case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG): + inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in)); ++ if( !inbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + for (row = 0; row < h; row++) { + if (TIFFReadScanline(in, inbuf, row, 0) < 0) + break; +@@ -265,8 +278,16 @@ main(int argc, char* argv[]) + } + break; + case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE): ++ { ++ tmsize_t inbufsize; + rowsize = TIFFScanlineSize(in); +- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize); ++ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize); ++ inbuf = (unsigned char *)_TIFFmalloc(inbufsize); ++ if( !inbuf ) ++ { ++ fprintf(stderr, "Out of memory\n"); ++ goto tiff2bw_error; ++ } + for (row = 0; row < h; row++) { + for (s = 0; s < 3; s++) + if (TIFFReadScanline(in, +@@ -278,6 +299,7 @@ main(int argc, char* argv[]) + break; + } + break; ++ } + } + #undef pack + if (inbuf) +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index c60cb38..3862b1c 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring); + + #define TIFF_UINT32_MAX 0xFFFFFFFFU + +-#ifndef streq +-#define streq(a,b) (strcmp((a),(b)) == 0) +-#endif +-#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0) +- + #define TRUE 1 + #define FALSE 0 + +-- +2.17.2 + diff --git a/SOURCES/libtiff-CVE-2018-5784.patch b/SOURCES/libtiff-CVE-2018-5784.patch new file mode 100644 index 0000000..5f26e5d --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-5784.patch @@ -0,0 +1,128 @@ +From 49723b0eb683cca80142b01a48ba1475fed5188a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Fri, 23 Mar 2018 15:35:39 +0100 +Subject: [PATCH] Fix for bug 2772 + +It is possible to craft a TIFF document where the IFD list is circular, +leading to an infinite loop while traversing the chain. The libtiff +directory reader has a failsafe that will break out of this loop after +reading 65535 directory entries, but it will continue processing, +consuming time and resources to process what is essentially a bogus TIFF +document. + +This change fixes the above behavior by breaking out of processing when +a TIFF document has >= 65535 directories and terminating with an error. +--- + contrib/addtiffo/tif_overview.c | 14 +++++++++++++- + tools/tiff2pdf.c | 10 ++++++++++ + tools/tiffcrop.c | 13 +++++++++++-- + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c +index c61ffbb..03b3573 100644 +--- a/contrib/addtiffo/tif_overview.c ++++ b/contrib/addtiffo/tif_overview.c +@@ -65,6 +65,8 @@ + # define MAX(a,b) ((a>b) ? a : b) + #endif + ++#define TIFF_DIR_MAX 65534 ++ + void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, + int (*)(double,void*), void * ); + +@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, + { + toff_t nBaseDirOffset; + toff_t nOffset; ++ tdir_t iNumDir; + + (void) bUseSubIFDs; + +@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, + return 0; + + TIFFWriteDirectory( hTIFF ); +- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); ++ iNumDir = TIFFNumberOfDirectories(hTIFF); ++ if( iNumDir > TIFF_DIR_MAX ) ++ { ++ TIFFErrorExt( TIFFClientdata(hTIFF), ++ "TIFF_WriteOverview", ++ "File `%s' has too many directories.\n", ++ TIFFFileName(hTIFF) ); ++ exit(-1); ++ } ++ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); + + nOffset = TIFFCurrentDirOffset( hTIFF ); + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 454befb..bdb9126 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); + + #define PS_UNIT_SIZE 72.0F + ++#define TIFF_DIR_MAX 65534 ++ + /* This type is of PDF color spaces. */ + typedef enum { + T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ +@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 xuint16=0; + + directorycount=TIFFNumberOfDirectories(input); ++ if(directorycount > TIFF_DIR_MAX) { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "TIFF contains too many directories, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); + if(t2p->tiff_pages==NULL){ + TIFFError( +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index c69177e..c60cb38 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); + #define DUMP_TEXT 1 + #define DUMP_RAW 2 + ++#define TIFF_DIR_MAX 65534 ++ + /* Offsets into buffer for margins and fixed width and length segments */ + struct offset { + uint32 tmargin; +@@ -2233,7 +2235,7 @@ main(int argc, char* argv[]) + pageNum = -1; + else + total_images = 0; +- /* read multiple input files and write to output file(s) */ ++ /* Read multiple input files and write to output file(s) */ + while (optind < argc - 1) + { + in = TIFFOpen (argv[optind], "r"); +@@ -2241,7 +2243,14 @@ main(int argc, char* argv[]) + return (-3); + + /* If only one input file is specified, we can use directory count */ +- total_images = TIFFNumberOfDirectories(in); ++ total_images = TIFFNumberOfDirectories(in); ++ if (total_images > TIFF_DIR_MAX) ++ { ++ TIFFError (TIFFFileName(in), "File contains too many directories"); ++ if (out != NULL) ++ (void) TIFFClose(out); ++ return (1); ++ } + if (image_count == 0) + { + dirnum = 0; +-- +2.13.6 + diff --git a/SOURCES/libtiff-CVE-2018-7456.patch b/SOURCES/libtiff-CVE-2018-7456.patch new file mode 100644 index 0000000..65a8947 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-7456.patch @@ -0,0 +1,170 @@ +From de5385cd882a5ff0970f63f4d93da0cbc87230c2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Tue, 17 Apr 2018 18:42:09 +0200 +Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory + +The TIFFPrintDirectory function relies on the following assumptions, +supposed to be guaranteed by the specification: + +(a) A Transfer Function field is only present if the TIFF file has + photometric type < 3. + +(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field + has count SamplesPerPixel - (Color Channels) and contains + information about supplementary channels. + +While respect of (a) and (b) are essential for the well functioning of +TIFFPrintDirectory, no checks are realized neither by the callee nor +by TIFFPrintDirectory itself. Hence, following scenarios might happen +and trigger the NULL pointer dereference: + +(1) TIFF File of photometric type 4 or more has illegal Transfer + Function field. + +(2) TIFF File has photometric type 3 or less and defines a + SamplesPerPixel field such that SamplesPerPixel > Color Channels + without defining all extra samples in the ExtraSamples fields. + +In this patch, we address both issues with respect of the following +principles: + +(A) In the case of (1), the defined transfer table should be printed + safely even if it isn't 'legal'. This allows us to avoid expensive + checks in TIFFPrintDirectory. Also, it is quite possible that + an alternative photometric type would be developed (not part of the + standard) and would allow definition of Transfer Table. We want + libtiff to be able to handle this scenario out of the box. + +(B) In the case of (2), the transfer table should be printed at its + right size, that is if TIFF file has photometric type Palette + then the transfer table should have one row and not three, even + if two extra samples are declared. + +In order to fulfill (A) we simply add a new 'i < 3' end condition to +the broken TIFFPrintDirectory loop. This makes sure that in any case +where (b) would be respected but not (a), everything stays fine. + +(B) is fulfilled by the loop condition +'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as +long as (b) is respected. + +Naturally, we also make sure (b) is respected. This is done in the +TIFFReadDirectory function by making sure any non-color channel is +counted in ExtraSamples. + +This commit addresses CVE-2018-7456. +--- + libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++ + libtiff/tif_print.c | 2 +- + 2 files changed, 63 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 5e62e81..80aaf8d 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin + static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*); + static void ChopUpSingleUncompressedStrip(TIFF*); + static uint64 TIFFReadUInt64(const uint8 *value); ++static int _TIFFGetMaxColorChannels(uint16 photometric); + + static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount ); + +@@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c + } + } + ++/* ++ * Return the maximum number of color channels specified for a given photometric ++ * type. 0 is returned if photometric type isn't supported or no default value ++ * is defined by the specification. ++ */ ++static int _TIFFGetMaxColorChannels( uint16 photometric ) ++{ ++ switch (photometric) { ++ case PHOTOMETRIC_PALETTE: ++ case PHOTOMETRIC_MINISWHITE: ++ case PHOTOMETRIC_MINISBLACK: ++ return 1; ++ case PHOTOMETRIC_YCBCR: ++ case PHOTOMETRIC_RGB: ++ case PHOTOMETRIC_CIELAB: ++ return 3; ++ case PHOTOMETRIC_SEPARATED: ++ case PHOTOMETRIC_MASK: ++ return 4; ++ case PHOTOMETRIC_LOGL: ++ case PHOTOMETRIC_LOGLUV: ++ case PHOTOMETRIC_CFA: ++ case PHOTOMETRIC_ITULAB: ++ case PHOTOMETRIC_ICCLAB: ++ default: ++ return 0; ++ } ++} ++ + /* + * Read the next TIFF directory from a file and convert it to the internal + * format. We read directories sequentially. +@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif) + uint32 fii=FAILED_FII; + toff_t nextdiroff; + int bitspersample_read = FALSE; ++ int color_channels; + + tif->tif_diroff=tif->tif_nextdiroff; + if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) +@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif) + } + } + } ++ ++ /* ++ * Make sure all non-color channels are extrasamples. ++ * If it's not the case, define them as such. ++ */ ++ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric); ++ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) { ++ uint16 old_extrasamples; ++ uint16 *new_sampleinfo; ++ ++ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related " ++ "color channels and ExtraSamples doesn't match SamplesPerPixel. " ++ "Defining non-color channels as ExtraSamples."); ++ ++ old_extrasamples = tif->tif_dir.td_extrasamples; ++ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels); ++ ++ // sampleinfo should contain information relative to these new extra samples ++ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16)); ++ if (!new_sampleinfo) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for " ++ "temporary new sampleinfo array (%d 16 bit elements)", ++ tif->tif_dir.td_extrasamples); ++ goto bad; ++ } ++ ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); ++ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); ++ _TIFFfree(new_sampleinfo); ++ } ++ + /* + * Verify Palette image has a Colormap. + */ +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 24d4b98..10a588e 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + uint16 i; + fprintf(fd, " %2ld: %5u", + l, td->td_transferfunction[0][l]); +- for (i = 1; i < td->td_samplesperpixel; i++) ++ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++) + fprintf(fd, " %5u", + td->td_transferfunction[i][l]); + fputc('\n', fd); +-- +2.17.0 + diff --git a/SOURCES/libtiff-CVE-2018-8905.patch b/SOURCES/libtiff-CVE-2018-8905.patch new file mode 100644 index 0000000..be6bee4 --- /dev/null +++ b/SOURCES/libtiff-CVE-2018-8905.patch @@ -0,0 +1,53 @@ +From 1c127eb3cb7653bd61b61f9c3cfeb36fd10edab1 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 12 May 2018 15:32:31 +0200 +Subject: [PATCH 3/4] LZWDecodeCompat(): fix potential index-out-of-bounds + write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / + CVE-2018-8905 + +The fix consists in using the similar code LZWDecode() to validate we +don't write outside of the output buffer. +--- + libtiff/tif_lzw.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index bc8f9c8..186ea3c 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + char *tp; + unsigned char *bp; + int code, nbits; ++ int len; + long nextbits, nextdata, nbitsmask; + code_t *codep, *free_entp, *maxcodep, *oldcodep; + +@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + } while (--occ); + break; + } +- assert(occ >= codep->length); +- op += codep->length; +- occ -= codep->length; +- tp = op; ++ len = codep->length; ++ tp = op + len; + do { +- *--tp = codep->value; +- } while( (codep = codep->next) != NULL ); ++ int t; ++ --tp; ++ t = codep->value; ++ codep = codep->next; ++ *tp = (char)t; ++ } while (codep && tp > op); ++ assert(occ >= len); ++ op += len; ++ occ -= len; + } else { + *op++ = (char)code; + occ--; +-- +2.17.0 + diff --git a/SOURCES/libtiff-CVE-2019-14973.patch b/SOURCES/libtiff-CVE-2019-14973.patch new file mode 100644 index 0000000..f98ea1e --- /dev/null +++ b/SOURCES/libtiff-CVE-2019-14973.patch @@ -0,0 +1,424 @@ +From 218c3753fba788c78a9b5e515e884043f6e2ba28 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 10 Aug 2019 18:25:03 +0200 +Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other + implementation-defined behaviour (CVE-2019-14973) + +_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow +in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus +signed), which was especially easily triggered on 32-bit builds (with recent +enough compilers that assume that signed multiplication cannot overflow, since +this is undefined behaviour by the C standard). The original issue which lead to +this fix was trigged from tif_fax3.c + +There were also unsafe (implementation defied), and broken in practice on 64bit +builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing +(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known +at that time exploits, but are better to fix in a more bullet-proof way. +Or similarly use of (int64)uint64_var <= 0. +--- + libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++----- + libtiff/tif_getimage.c | 6 ++---- + libtiff/tif_luv.c | 8 +------ + libtiff/tif_pixarlog.c | 7 +----- + libtiff/tif_read.c | 38 +++++++++----------------------- + libtiff/tif_strip.c | 35 ++++-------------------------- + libtiff/tif_tile.c | 27 +++-------------------- + libtiff/tiffiop.h | 7 +++++- + 8 files changed, 71 insertions(+), 106 deletions(-) + +diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c +index 10b8d00..38a98b6 100644 +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where) + return bytes; + } + ++tmsize_t ++_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where) ++{ ++ if( first <= 0 || second <= 0 ) ++ { ++ if( tif != NULL && where != NULL ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, where, ++ "Invalid argument to _TIFFMultiplySSize() in %s", where); ++ } ++ return 0; ++ } ++ ++ if( first > TIFF_TMSIZE_T_MAX / second ) ++ { ++ if( tif != NULL && where != NULL ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, where, ++ "Integer overflow in %s", where); ++ } ++ return 0; ++ } ++ return first * second; ++} ++ ++tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module) ++{ ++ if( val > (uint64)TIFF_TMSIZE_T_MAX ) ++ { ++ if( tif != NULL && module != NULL ) ++ { ++ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); ++ } ++ return 0; ++ } ++ return (tmsize_t)val; ++} ++ + void* + _TIFFCheckRealloc(TIFF* tif, void* buffer, + tmsize_t nmemb, tmsize_t elem_size, const char* what) + { + void* cp = NULL; +- tmsize_t bytes = nmemb * elem_size; +- ++ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL); + /* +- * XXX: Check for integer overflow. ++ * Check for integer overflow. + */ +- if (nmemb && elem_size && bytes / elem_size == nmemb) +- cp = _TIFFrealloc(buffer, bytes); ++ if (count != 0) ++ { ++ cp = _TIFFrealloc(buffer, count); ++ } + + if (cp == NULL) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index fc554cc..ec09fea 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + uint32 leftmost_tw; + + tilesize = TIFFTileSize(tif); +- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize); ++ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate"); + if (bufsize == 0) { +- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); + return (0); + } + +@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + uint16 colorchannels; + + stripsize = TIFFStripSize(tif); +- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize); ++ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate"); + if (bufsize == 0) { +- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); + return (0); + } + +diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c +index 4b25244..c4cb73a 100644 +--- a/libtiff/tif_luv.c ++++ b/libtiff/tif_luv.c +@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td) + return (SGILOGDATAFMT_UNKNOWN); + } + +- +-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) +- + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) +- return 0; +- return m1 * m2; ++ return _TIFFMultiplySSize(NULL, m1, m2, NULL); + } + + static int +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index 979858d..8e9eaa1 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td) + return guess; + } + +-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) +- + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) +- return 0; +- return m1 * m2; ++ return _TIFFMultiplySSize(NULL, m1, m2, NULL); + } + + static tmsize_t +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c +index 04100f4..9a0e6e9 100644 +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -31,9 +31,6 @@ + #include "tiffiop.h" + #include + +-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) +-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) +- + int TIFFFillStrip(TIFF* tif, uint32 strip); + int TIFFFillTile(TIFF* tif, uint32 tile); + static int TIFFStartStrip(TIFF* tif, uint32 strip); +@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m + #define THRESHOLD_MULTIPLIER 10 + #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD) + ++#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF) ++ + /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset' + * Returns 1 in case of success, 0 otherwise. */ + static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size, +@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) + return ((tmsize_t)(-1)); + } + bytecount = td->td_stripbytecount[strip]; +- if ((int64)bytecount <= 0) { +-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) +- TIFFErrorExt(tif->tif_clientdata, module, +- "%I64u: Invalid strip byte count, strip %lu", +- (unsigned __int64) bytecount, +- (unsigned long) strip); +-#else +- TIFFErrorExt(tif->tif_clientdata, module, +- "%llu: Invalid strip byte count, strip %lu", +- (unsigned long long) bytecount, +- (unsigned long) strip); +-#endif +- return ((tmsize_t)(-1)); +- } +- bytecountm = (tmsize_t)bytecount; +- if ((uint64)bytecountm!=bytecount) { +- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow"); ++ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module); ++ if (bytecountm == 0) { + return ((tmsize_t)(-1)); + } + if (size != (tmsize_t)(-1) && size < bytecountm) +@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[strip]; +- if ((int64)bytecount <= 0) { ++ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "Invalid strip byte count %I64u, strip %lu", +@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + (bytecount - 4096) / 10 > (uint64)stripsize ) + { + uint64 newbytecount = (uint64)stripsize * 10 + 4096; +- if( (int64)newbytecount >= 0 ) ++ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) + { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFWarningExt(tif->tif_clientdata, module, +@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size) + bytecount64 = td->td_stripbytecount[tile]; + if (size != (tmsize_t)(-1) && (uint64)size < bytecount64) + bytecount64 = (uint64)size; +- bytecountm = (tmsize_t)bytecount64; +- if ((uint64)bytecountm!=bytecount64) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); ++ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module); ++ if( bytecountm == 0 ) { + return ((tmsize_t)(-1)); + } + return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module)); +@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[tile]; +- if ((int64)bytecount <= 0) { ++ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid tile byte count, tile %lu", +@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) + (bytecount - 4096) / 10 > (uint64)stripsize ) + { + uint64 newbytecount = (uint64)stripsize * 10 + 4096; +- if( (int64)newbytecount >= 0 ) ++ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX ) + { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFWarningExt(tif->tif_clientdata, module, +diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c +index 6e9f2ef..321ad6b 100644 +--- a/libtiff/tif_strip.c ++++ b/libtiff/tif_strip.c +@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) + { + static const char module[] = "TIFFVStripSize"; + uint64 m; +- tmsize_t n; + m=TIFFVStripSize64(tif,nrows); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif) + { + static const char module[] = "TIFFStripSize"; + uint64 m; +- tmsize_t n; + m=TIFFStripSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif) + { + static const char module[] = "TIFFScanlineSize"; + uint64 m; +- tmsize_t n; + m=TIFFScanlineSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif) + { + static const char module[] = "TIFFRasterScanlineSize"; + uint64 m; +- tmsize_t n; + m=TIFFRasterScanlineSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* vim: set ts=8 sts=8 sw=8 noet: */ +diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c +index 388e168..7d05750 100644 +--- a/libtiff/tif_tile.c ++++ b/libtiff/tif_tile.c +@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif) + { + static const char module[] = "TIFFTileRowSize"; + uint64 m; +- tmsize_t n; + m=TIFFTileRowSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) + { + static const char module[] = "TIFFVTileSize"; + uint64 m; +- tmsize_t n; + m=TIFFVTileSize64(tif,nrows); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif) + { + static const char module[] = "TIFFTileSize"; + uint64 m; +- tmsize_t n; + m=TIFFTileSize64(tif); +- n=(tmsize_t)m; +- if ((uint64)n!=m) +- { +- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow"); +- n=0; +- } +- return(n); ++ return _TIFFCastUInt64ToSSize(tif, m, module); + } + + /* +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index 08e5dc4..d4b8631 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...); + #define FALSE 0 + #endif + ++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) ++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) ++ + typedef struct client_info { + struct client_info *next; + void *data; +@@ -260,7 +263,7 @@ struct tiff { + #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3) + #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y)) + +-/* Safe multiply which returns zero if there is an integer overflow */ ++/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */ + #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) +@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt; + + extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*); + extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*); ++extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*); ++extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*); + extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); + extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); + +-- +2.21.0 + diff --git a/SOURCES/libtiff-am-version.patch b/SOURCES/libtiff-am-version.patch new file mode 100644 index 0000000..c94c2e0 --- /dev/null +++ b/SOURCES/libtiff-am-version.patch @@ -0,0 +1,31 @@ +Back off the minimum required automake version to 1.11. There isn't +anything in libtiff currently that actually requires 1.12, and changing +this allows the package to be built on pre-F18 machines for easier testing. + +This patch can go away once we no longer care about testing on pre-F18. + + +diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am +--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400 ++++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400 +@@ -25,7 +25,7 @@ + + docdir = $(LIBTIFF_DOCDIR) + +-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign ++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign + ACLOCAL_AMFLAGS = -I m4 + + docfiles = \ +diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am +--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400 ++++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400 +@@ -23,7 +23,7 @@ + + # Process this file with automake to produce Makefile.in. + +-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign ++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign + + LIBTIFF = $(top_builddir)/libtiff/libtiff.la + diff --git a/SOURCES/libtiff-coverity.patch b/SOURCES/libtiff-coverity.patch new file mode 100644 index 0000000..04a445a --- /dev/null +++ b/SOURCES/libtiff-coverity.patch @@ -0,0 +1,42 @@ +diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c +index 81ffa3d..a02e865 100644 +--- a/tools/ppm2tiff.c ++++ b/tools/ppm2tiff.c +@@ -285,6 +285,8 @@ main(int argc, char* argv[]) + if (TIFFWriteScanline(out, buf, row, 0) < 0) + break; + } ++ if (in != stdin) ++ fclose(in); + (void) TIFFClose(out); + if (buf) + _TIFFfree(buf); +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index bd23c9e..a15a3ef 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_ + "for t2p_readwrite_pdf_image_tile, %s", + (unsigned long) t2p->tiff_datasize, + TIFFFileName(input)); ++ _TIFFfree(buffer); + t2p->t2p_error = T2P_ERR_ERROR; + return(0); + } +@@ -3747,11 +3748,11 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount) + { + uint32 i; + +- /* For the 3 first samples, there is overlapping between souce and +- destination, so use memmove(). +- See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */ +- for(i = 0; i < 3 && i < samplecount; i++) +- memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3); ++ /* For the 3 first samples, there is overlapping between souce and ++ destination, so use memmove(). ++ See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */ ++ for(i = 0; i < 3 && i < samplecount; i++) ++ memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3); + for(; i < samplecount; i++) + memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3); + diff --git a/SOURCES/libtiff-make-check.patch b/SOURCES/libtiff-make-check.patch new file mode 100644 index 0000000..e79dc94 --- /dev/null +++ b/SOURCES/libtiff-make-check.patch @@ -0,0 +1,12 @@ +diff --git a/html/man/Makefile.am b/html/man/Makefile.am +index 587296c..696005e 100644 +--- a/html/man/Makefile.am ++++ b/html/man/Makefile.am +@@ -92,7 +92,6 @@ docfiles = \ + tiffcrop.1.html \ + tiffdither.1.html \ + tiffdump.1.html \ +- tiffgt.1.html \ + tiffinfo.1.html \ + tiffmedian.1.html \ + tiffset.1.html \ diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec new file mode 100644 index 0000000..4ce6c17 --- /dev/null +++ b/SPECS/libtiff.spec @@ -0,0 +1,726 @@ +Summary: Library of functions for manipulating TIFF format image files +Name: libtiff +Version: 4.0.9 +Release: 17%{?dist} +License: libtiff +Group: System Environment/Libraries +URL: http://www.simplesystems.org/libtiff/ + +Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz + +Patch0: libtiff-am-version.patch +Patch1: libtiff-make-check.patch +Patch2: libtiff-CVE-2018-5784.patch +Patch3: libtiff-CVE-2018-7456.patch +Patch4: libtiff-CVE-2017-9935.patch +Patch5: libtiff-CVE-2017-18013.patch +Patch6: libtiff-CVE-2018-8905.patch +Patch7: libtiff-CVE-2018-10963.patch +Patch8: libtiff-CVE-2018-17100.patch +Patch9: libtiff-coverity.patch +Patch10: libtiff-CVE-2018-18557.patch +Patch11: libtiff-CVE-2018-18661.patch +Patch12: libtiff-CVE-2018-12900.patch +Patch13: libtiff-CVE-2019-14973.patch + +BuildRequires: gcc, gcc-c++ +BuildRequires: zlib-devel libjpeg-devel jbigkit-devel +BuildRequires: libtool automake autoconf pkgconfig + +%description +The libtiff package contains a library of functions for manipulating +TIFF (Tagged Image File Format) image format files. TIFF is a widely +used file format for bitmapped images. TIFF files usually end in the +.tif extension and they are often quite large. + +The libtiff package should be installed if you need to manipulate TIFF +format image files. + +%package devel +Summary: Development tools for programs which will use the libtiff library +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig%{?_isa} + +%description devel +This package contains the header files and documentation necessary for +developing programs which will manipulate TIFF format image files +using the libtiff library. + +If you need to develop programs which will manipulate TIFF format +image files, you should install this package. You'll also need to +install the libtiff package. + +%package static +Summary: Static TIFF image format file library +Group: Development/Libraries +Requires: %{name}-devel%{?_isa} = %{version}-%{release} + +%description static +The libtiff-static package contains the statically linkable version of libtiff. +Linking to static libraries is discouraged for most applications, but it is +necessary for some boot packages. + +%package tools +Summary: Command-line utility programs for manipulating TIFF files +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description tools +This package contains command-line programs for manipulating TIFF format +image files using the libtiff library. + +%prep +%setup -q -n tiff-%{version} + +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 + +# Use build system's libtool.m4, not the one in the package. +rm -f libtool.m4 + +libtoolize --force --copy +aclocal -I . -I m4 +automake --add-missing --copy +autoconf +autoheader + +%build +export CFLAGS="%{optflags} -fno-strict-aliasing" +%configure --enable-ld-version-script +make %{?_smp_mflags} + +%install +make DESTDIR=$RPM_BUILD_ROOT install + +# remove what we didn't want installed +rm $RPM_BUILD_ROOT%{_libdir}/*.la +rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/ + +# no libGL dependency, please +rm -f $RPM_BUILD_ROOT%{_bindir}/tiffgt + +# no sgi2tiff or tiffsv, either +rm -f $RPM_BUILD_ROOT%{_bindir}/sgi2tiff +rm -f $RPM_BUILD_ROOT%{_bindir}/tiffsv + +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1 +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1 +rm -f html/man/tiffgt.1.html +rm -f html/man/sgi2tiff.1.html +rm -f html/man/tiffsv.1.html + +# multilib header hack +# we only apply this to known Red Hat multilib arches, per bug #233091 +case `uname -i` in + i386 | ppc | s390 | sparc ) + wordsize="32" + ;; + x86_64 | ppc64 | s390x | sparc64 ) + wordsize="64" + ;; + *) + wordsize="" + ;; +esac + +if test -n "$wordsize" +then + mv $RPM_BUILD_ROOT%{_includedir}/tiffconf.h \ + $RPM_BUILD_ROOT%{_includedir}/tiffconf-$wordsize.h + + cat >$RPM_BUILD_ROOT%{_includedir}/tiffconf.h < + +#if __WORDSIZE == 32 +# include "tiffconf-32.h" +#elif __WORDSIZE == 64 +# include "tiffconf-64.h" +#else +# error "unexpected value for __WORDSIZE macro" +#endif + +#endif +EOF + +fi + +%ldconfig_scriptlets + +%check +LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check + +# don't include documentation Makefiles, they are a multilib hazard +find html -name 'Makefile*' | xargs rm + +%files +%doc COPYRIGHT README RELEASE-DATE VERSION +%{_libdir}/libtiff.so.* +%{_libdir}/libtiffxx.so.* + +%files devel +%doc TODO ChangeLog html +%{_includedir}/* +%{_libdir}/libtiff.so +%{_libdir}/libtiffxx.so +%{_libdir}/pkgconfig/libtiff*.pc +%{_mandir}/man3/* + +%files static +%{_libdir}/*.a + +%files tools +%{_bindir}/* +%{_mandir}/man1/* + +%changelog +* Thu Nov 28 2019 Nikola Forró - 4.0.9-17 +- Add upstream test suite and enable it in gating + +* Wed Nov 27 2019 Nikola Forró - 4.0.9-16 +- Fix CVE-2019-14973 (#1755705) + +* Wed Jun 12 2019 Nikola Forró - 4.0.9-15 +- Fix DIVIDE_BY_ZERO in patch for CVE-2018-12900 (#1595579) + +* Thu Jun 06 2019 Nikola Forró - 4.0.9-14 +- Fix CVE-2018-12900 (#1595579) + +* Thu Dec 13 2018 Nikola Forró - 4.0.9-13 +- Fix compiler warning introduced by patch for CVE-2018-18661 + +* Wed Nov 14 2018 Nikola Forró - 4.0.9-12 +- Fix CVE-2018-18557 (#1647738) and CVE-2018-18661 (#1644452) + +* Mon Oct 15 2018 Nikola Forró - 4.0.9-11 +- Fix important Covscan defects (#1602597) + +* Mon Oct 15 2018 Nikola Forró - 4.0.9-10 +- Fix CVE-2018-17100 (#1631073) + +* Wed May 30 2018 Nikola Forró - 4.0.9-9 +- Fix CVE-2017-9935, CVE-2017-18013, CVE-2018-8905 (#1559708) + and CVE-2018-10963 (#1579060) + +* Tue Apr 17 2018 Nikola Forró - 4.0.9-8 +- Fix CVE-2018-7456 (#1556709) + +* Fri Mar 23 2018 Nikola Forró - 4.0.9-7 +- Fix CVE-2018-5784 (#1537742) + +* Tue Feb 20 2018 Nikola Forró - 4.0.9-6 +- Add missing gcc-c++ build dependency + +* Tue Feb 20 2018 Nikola Forró - 4.0.9-5 +- Add missing gcc build dependency + +* Wed Feb 07 2018 Fedora Release Engineering - 4.0.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Igor Gnatenko - 4.0.9-3 +- Switch to %%ldconfig_scriptlets + +* Mon Dec 11 2017 Nikola Forró - 4.0.9-2 +- Fix unescaped macro in changelog entry (#1523643) + +* Thu Nov 23 2017 Nikola Forró - 4.0.9-1 +- New upstream version libtiff-4.0.9 (#1514863) + +* Thu Aug 03 2017 Fedora Release Engineering - 4.0.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 4.0.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon May 22 2017 Nikola Forró - 4.0.8-1 +- New upstream version libtiff-4.0.8 (#1453030) + +* Wed Apr 12 2017 Nikola Forró - 4.0.7-5 +- Fix CVE-2017-759{2,3,4,5,6,7,8,9}, CVE-2017-760{0,1,2} (#1441273) + +* Wed Apr 05 2017 Nikola Forró - 4.0.7-4 +- Fix CVE-2016-1026{6,7,8,9}, CVE-2016-1027{0,1,2} (#1438464) + +* Fri Feb 10 2017 Fedora Release Engineering - 4.0.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jan 24 2017 Nikola Forró - 4.0.7-2 +- Fix Hylafax breakage (#1416042) + +* Mon Nov 21 2016 Nikola Forró - 4.0.7-1 +- New upstream version libtiff-4.0.7 (#1396769) + +* Thu Feb 04 2016 Fedora Release Engineering - 4.0.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Oct 09 2015 Petr Hracek - 4.0.6-1 +- New upstream version libtiff-4.0.6 (#1262585) + +* Wed Sep 09 2015 Petr Hracek - 4.0.5-1 +- New upstream version libtiff-4.0.5 (#1258286) + +* Mon Jun 22 2015 Petr Hracek - 4.0.4-1 +- New upstream version libtiff-4.0.4 (#1234191) + +* Fri Jun 19 2015 Petr Hracek - 4.0.4beta-1 +- New upstream version libtiff-4.0.4beta (#1186219) + +* Wed Jun 17 2015 Fedora Release Engineering - 4.0.3-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue May 19 2015 Petr Hracek - 4.0.3-20 +- CVE-2014-9655 and CVE-2015-1547 #1190710 + +* Sat May 02 2015 Kalev Lember - 4.0.3-19 +- Rebuilt for GCC 5 C++11 ABI change + +* Sun Aug 17 2014 Fedora Release Engineering - 4.0.3-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Aug 12 2014 Kalev Lember - 4.0.3-17 +- Rebuilt for libjbig soname bump + +* Sat Jun 07 2014 Fedora Release Engineering - 4.0.3-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 21 2014 Petr Hracek - 4.0.3-15 +- Add upstream patches for CVE-2013-4243 (#996832) + +* Thu Dec 19 2013 Petr Hracek - 4.0.3-14 +- Fix: #1044609 Can't install both architectures + +* Wed Dec 18 2013 Petr Hracek - 4.0.3-13 +- Fix #510240 Correct tiff2ps man option -W + +* Wed Oct 16 2013 Petr Hracek - 4.0.3-12 +- make check moved to %%check section (#1017070) + +* Tue Oct 08 2013 Petr Hracek - 4.0.3-11 +- Resolves: #510258, #510240 - man page corrections + +* Mon Aug 19 2013 Petr Hracek 4.0.3-10 +- Add upstream patches for CVE-2013-4244 +Resolves: #996468 + +* Wed Aug 14 2013 Petr Hracek 4.0.3-9 +- Add upstream patches for CVE-2013-4231 CVE-2013-4232 +Resolves: #995965 #995975 + +* Mon Aug 12 2013 Petr Hracek - 4.0.3-8 +- Manpage fixing (#510240, #510258) + +* Sat Aug 03 2013 Fedora Release Engineering - 4.0.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu May 2 2013 Tom Lane 4.0.3-6 +- Add upstream patches for CVE-2013-1960, CVE-2013-1961 +Resolves: #958609 + +* Thu Feb 14 2013 Fedora Release Engineering - 4.0.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jan 18 2013 Adam Tkac - 4.0.3-4 +- rebuild due to "jpeg8-ABI" feature drop + +* Wed Dec 19 2012 Tom Lane 4.0.3-3 +- Add upstream patch to avoid bogus self-test failure with libjpeg-turbo v8 + +* Thu Dec 13 2012 Tom Lane 4.0.3-2 +- Add upstream patches for CVE-2012-4447, CVE-2012-4564 + (note: CVE-2012-5581 is already fixed in 4.0.3) +Resolves: #880907 + +* Thu Oct 4 2012 Tom Lane 4.0.3-1 +- Update to libtiff 4.0.3 + +* Fri Aug 3 2012 Tom Lane 4.0.2-6 +- Remove compat subpackage; no longer needed +- Minor specfile cleanup per suggestions from Tom Callaway +Related: #845110 + +* Thu Aug 2 2012 Tom Lane 4.0.2-5 +- Add accessor functions for opaque type TIFFField (backport of not-yet-released + upstream feature addition; needed to fix freeimage) + +* Sun Jul 22 2012 Tom Lane 4.0.2-4 +- Add patches for CVE-2012-3401 +Resolves: #841736 + +* Thu Jul 19 2012 Fedora Release Engineering - 4.0.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 03 2012 Karsten Hopp 4.0.2-2 +- add opensuse bigendian patch to fix raw_decode self check failure on ppc*, s390* + +* Thu Jun 28 2012 Tom Lane 4.0.2-1 +- Update to libtiff 4.0.2, includes fix for CVE-2012-2113 + (note that CVE-2012-2088 does not apply to 4.0.x) +- Update libtiff-compat to 3.9.6 and add patches to it for + CVE-2012-2088, CVE-2012-2113 +Resolves: #832866 + +* Fri Jun 1 2012 Tom Lane 4.0.1-2 +- Enable JBIG support +Resolves: #826240 + +* Sun May 6 2012 Tom Lane 4.0.1-1 +- Update to libtiff 4.0.1, adds BigTIFF support and other features; + library soname is bumped from libtiff.so.3 to libtiff.so.5 +Resolves: #782383 +- Temporarily package 3.9.5 shared library (only) in libtiff-compat subpackage + so that dependent packages won't be broken while rebuilding proceeds + +* Thu Apr 5 2012 Tom Lane 3.9.5-3 +- Add fix for CVE-2012-1173 +Resolves: #CVE-2012-1173 + +* Fri Jan 13 2012 Fedora Release Engineering - 3.9.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Apr 12 2011 Tom Lane 3.9.5-1 +- Update to libtiff 3.9.5, incorporating all our previous patches plus other + fixes, notably the fix for CVE-2009-5022 +Related: #695885 + +* Mon Mar 21 2011 Tom Lane 3.9.4-4 +- Fix incorrect fix for CVE-2011-0192 +Resolves: #684007 +Related: #688825 +- Add fix for CVE-2011-1167 +Resolves: #689574 + +* Wed Mar 2 2011 Tom Lane 3.9.4-3 +- Add patch for CVE-2011-0192 +Resolves: #681672 +- Fix non-security-critical potential SIGSEGV in gif2tiff +Related: #648820 + +* Tue Feb 08 2011 Fedora Release Engineering - 3.9.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Jun 22 2010 Tom Lane 3.9.4-1 +- Update to libtiff 3.9.4, for numerous bug fixes including fixes for + CVE-2010-1411, CVE-2010-2065, CVE-2010-2067 +Resolves: #554371 +Related: #460653, #588784, #601274, #599576, #592361, #603024 +- Add fixes for multiple SIGSEGV problems +Resolves: #583081 +Related: #603081, #603699, #603703 + +* Tue Jan 5 2010 Tom Lane 3.9.2-3 +- Apply Adam Goode's fix for Warmerdam's fix +Resolves: #552360 +Resolves: #533353 +- Add some defenses to prevent tiffcmp from crashing on downsampled JPEG + images; this isn't enough to make it really work correctly though +Related: #460322 + +* Wed Dec 16 2009 Tom Lane 3.9.2-2 +- Apply Warmerdam's partial fix for bug #460322 ... better than nothing. +Related: #460322 + +* Thu Dec 3 2009 Tom Lane 3.9.2-1 +- Update to libtiff 3.9.2; stop carrying a lot of old patches +Resolves: #520734 +- Split command-line tools into libtiff-tools subpackage +Resolves: #515170 +- Use build system's libtool instead of what package contains; + among other cleanup this gets rid of unwanted rpath specs in executables +Related: #226049 + +* Thu Oct 15 2009 Tom Lane 3.8.2-16 +- add sparc/sparc64 to multilib header support + +* Sat Jul 25 2009 Fedora Release Engineering - 3.8.2-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jul 13 2009 Tom Lane 3.8.2-14 +- Fix buffer overrun risks caused by unchecked integer overflow (CVE-2009-2347) +Related: #510041 + +* Wed Jul 1 2009 Tom Lane 3.8.2-13 +- Fix some more LZW decoding vulnerabilities (CVE-2009-2285) +Related: #507465 +- Update upstream URL + +* Wed Feb 25 2009 Fedora Release Engineering - 3.8.2-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Aug 26 2008 Tom Lane 3.8.2-11 +- Fix LZW decoding vulnerabilities (CVE-2008-2327) +Related: #458674 +- Use -fno-strict-aliasing per rpmdiff recommendation + +* Tue Feb 19 2008 Fedora Release Engineering - 3.8.2-10 +- Autorebuild for GCC 4.3 + +* Wed Aug 22 2007 Tom Lane 3.8.2-9 +- Update License tag +- Rebuild to fix Fedora toolchain issues + +* Thu Jul 19 2007 Tom Lane 3.8.2-8 +- Restore static library to distribution, in a separate -static subpackage +Resolves: #219905 +- Don't apply multilib header hack to unrecognized architectures +Resolves: #233091 +- Remove documentation for programs we don't ship +Resolves: #205079 +Related: #185145 + +* Tue Jan 16 2007 Tom Lane 3.8.2-7 +- Remove Makefiles from the shipped /usr/share/doc/html directories +Resolves: bz #222729 + +* Tue Sep 5 2006 Jindrich Novy - 3.8.2-6 +- fix CVE-2006-2193, tiff2pdf buffer overflow (#194362) +- fix typo in man page for tiffset (#186297) +- use %%{?dist} + +* Mon Jul 24 2006 Matthias Clasen +- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461 + CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465) + +* Wed Jul 12 2006 Jesse Keating - 3.8.2-4.1 +- rebuild + +* Fri Jun 2 2006 Matthias Clasen - 3.8.2-3 +- Fix multilib conflict + +* Thu May 25 2006 Matthias Clasen - 3.8.2-3 +- Fix overflows in tiffsplit + +* Wed Apr 26 2006 Matthias Clasen - 3.8.2-2 +- Drop tiffgt to get rid of the libGL dependency (#190768) + +* Wed Apr 26 2006 Matthias Clasen - 3.8.2-1 +- Update to 3.8.2 + +* Fri Feb 10 2006 Jesse Keating - 3.7.4-3.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 3.7.4-3.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Wed Nov 16 2005 Matthias Clasen 3.7.4-3 +- Don't ship static libs + +* Fri Nov 11 2005 Matthias Saou 3.7.4-2 +- Remove useless explicit dependencies. +- Minor spec file cleanups. +- Move make check to %%check. +- Add _smp_mflags. + +* Thu Sep 29 2005 Matthias Clasen - 3.7.4-1 +- Update to 3.7.4 +- Drop upstreamed patches + +* Wed Jun 29 2005 Matthias Clasen - 3.7.2-1 +- Update to 3.7.2 +- Drop upstreamed patches + +* Fri May 6 2005 Matthias Clasen - 3.7.1-6 +- Fix a stack overflow + +* Wed Mar 2 2005 Matthias Clasen - 3.7.1-5 +- Don't use mktemp + +* Wed Mar 2 2005 Matthias Clasen - 3.7.1-4 +- Rebuild with gcc4 + +* Wed Jan 5 2005 Matthias Clasen - 3.7.1-3 +- Drop the largefile patch again +- Fix a problem with the handling of alpha channels +- Fix an integer overflow in tiffdump (#143576) + +* Wed Dec 22 2004 Matthias Clasen - 3.7.1-2 +- Readd the largefile patch (#143560) + +* Wed Dec 22 2004 Matthias Clasen - 3.7.1-1 +- Upgrade to 3.7.1 +- Remove upstreamed patches +- Remove specfile cruft +- make check + +* Thu Oct 14 2004 Matthias Clasen 3.6.1-7 +- fix some integer and buffer overflows (#134853, #134848) + +* Tue Oct 12 2004 Matthias Clasen 3.6.1-6 +- fix http://bugzilla.remotesensing.org/show_bug.cgi?id=483 + +* Mon Sep 27 2004 Rik van Riel 3.6.1-4 +- compile using RPM_OPT_FLAGS (bz #133650) + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Thu May 20 2004 Matthias Clasen 3.6.1-2 +- Fix and use the makeflags patch + +* Wed May 19 2004 Matthias Clasen 3.6.1-1 +- Upgrade to 3.6.1 +- Adjust patches +- Don't install tiffgt man page (#104864) + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Sat Feb 21 2004 Florian La Roche +- really add symlink to shared lib by running ldconfig at compile time + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Thu Oct 09 2003 Florian La Roche +- link shared lib against -lm (Jakub Jelinek) + +* Thu Sep 25 2003 Jeremy Katz 3.5.7-13 +- rebuild to fix gzipped file md5sum (#91281) + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Tue Feb 11 2003 Phil Knirsch 3.5.7-11 +- Fixed rebuild problems. + +* Tue Feb 04 2003 Florian La Roche +- add symlink to shared lib + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Thu Dec 12 2002 Tim Powers 3.5.7-8 +- rebuild on all arches + +* Mon Aug 19 2002 Phil Knirsch 3.5.7-7 +- Added LFS support (#71593) + +* Tue Jun 25 2002 Phil Knirsch 3.5.7-6 +- Fixed wrong exit code of tiffcp app (#67240) + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Wed May 15 2002 Phil Knirsch +- Fixed segfault in fax2tiff tool (#64708). + +* Mon Feb 25 2002 Phil Knirsch +- Fixed problem with newer bash versions setting CDPATH (#59741) + +* Tue Feb 19 2002 Phil Knirsch +- Update to current release 3.5.7 + +* Wed Jan 09 2002 Tim Powers +- automated rebuild + +* Tue Aug 28 2001 Phil Knirsch +- Fixed ia64 problem with tiffinfo. Was general 64 bit arch problem where s390x + and ia64 were missing (#52129). + +* Tue Jun 26 2001 Philipp Knirsch +- Hopefully final symlink fix + +* Thu Jun 21 2001 Than Ngo +- add missing libtiff symlink + +* Fri Mar 16 2001 Crutcher Dunnavant +- killed tiff-to-ps.fpi filter + +* Wed Feb 28 2001 Philipp Knirsch +- Fixed missing devel version dependancy. + +* Tue Dec 19 2000 Philipp Knirsch +- rebuild + +* Mon Aug 7 2000 Crutcher Dunnavant +- added a tiff-to-ps.fpi filter for printing + +* Thu Jul 13 2000 Prospector +- automatic rebuild + +* Thu Jul 13 2000 Nalin Dahyabhai +- apply Peter Skarpetis's fix for the 32-bit conversion + +* Mon Jul 3 2000 Nalin Dahyabhai +- make man pages non-executable (#12811) + +* Mon Jun 12 2000 Nalin Dahyabhai +- remove CVS repo info from data directories + +* Thu May 18 2000 Nalin Dahyabhai +- fix build rooting +- fix syntax error in configure script +- move man pages to {_mandir} + +* Wed May 17 2000 Nalin Dahyabhai +- rebuild for an errata release + +* Wed Mar 29 2000 Nalin Dahyabhai +- update to 3.5.5, which integrates our fax2ps fixes and the glibc fix + +* Tue Mar 28 2000 Nalin Dahyabhai +- fix fax2ps swapping height and width in the bounding box + +* Mon Mar 27 2000 Nalin Dahyabhai +- move man pages from devel package to the regular one +- integrate Frank Warmerdam's fixed .fax handling code (keep until next release + of libtiff) +- fix fax2ps breakage (bug #8345) + +* Sat Feb 05 2000 Nalin Dahyabhai +- set MANDIR=man3 to make multifunction man pages friendlier + +* Mon Jan 31 2000 Nalin Dahyabhai +- fix URLs + +* Fri Jan 28 2000 Nalin Dahyabhai +- link shared library against libjpeg and libz + +* Tue Jan 18 2000 Nalin Dahyabhai +- enable zip and jpeg codecs +- change defattr in normal package to 0755 +- add defattr to -devel package + +* Wed Dec 22 1999 Bill Nottingham +- update to 3.5.4 + +* Sun Mar 21 1999 Cristian Gafton +- auto rebuild in the new build environment (release 6) + +* Wed Jan 13 1999 Cristian Gafton +- build for glibc 2.1 + +* Wed Jun 10 1998 Prospector System +- translations modified for de + +* Wed Jun 10 1998 Michael Fulbright +- rebuilt against fixed jpeg libs (libjpeg-6b) + +* Thu May 07 1998 Prospector System +- translations modified for de, fr, tr + +* Mon Oct 13 1997 Donnie Barnes +- new version to replace the one from libgr +- patched for glibc +- added shlib support