From 5830f1bf29bbc4459ffe7b47c84decbb2888eee6 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Sun, 22 Jul 2012 17:55:34 -0400 Subject: [PATCH] Add patches for CVE-2012-3401 --- libtiff-CVE-2012-3401-3.9.patch | 11 +++++++++++ libtiff-CVE-2012-3401.patch | 11 +++++++++++ libtiff.spec | 28 +++++++++++++++++++--------- 3 files changed, 41 insertions(+), 9 deletions(-) create mode 100644 libtiff-CVE-2012-3401-3.9.patch create mode 100644 libtiff-CVE-2012-3401.patch diff --git a/libtiff-CVE-2012-3401-3.9.patch b/libtiff-CVE-2012-3401-3.9.patch new file mode 100644 index 0000000..1cdd9fa --- /dev/null +++ b/libtiff-CVE-2012-3401-3.9.patch @@ -0,0 +1,11 @@ +diff -Naur tiff-3.9.6.orig/tools/tiff2pdf.c tiff-3.9.6/tools/tiff2pdf.c +--- tiff-3.9.6.orig/tools/tiff2pdf.c 2010-12-13 20:45:51.000000000 -0500 ++++ tiff-3.9.6/tools/tiff2pdf.c 2012-07-05 13:37:20.143798126 -0400 +@@ -1035,6 +1035,7 @@ + "Can't set directory %u of input file %s", + i, + TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){ diff --git a/libtiff-CVE-2012-3401.patch b/libtiff-CVE-2012-3401.patch new file mode 100644 index 0000000..847bd0d --- /dev/null +++ b/libtiff-CVE-2012-3401.patch @@ -0,0 +1,11 @@ +diff -Naur tiff-4.0.2.orig/tools/tiff2pdf.c tiff-4.0.2/tools/tiff2pdf.c +--- tiff-4.0.2.orig/tools/tiff2pdf.c 2012-06-15 17:51:54.000000000 -0400 ++++ tiff-4.0.2/tools/tiff2pdf.c 2012-07-05 13:34:36.569691068 -0400 +@@ -1066,6 +1066,7 @@ + "Can't set directory %u of input file %s", + i, + TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){ diff --git a/libtiff.spec b/libtiff.spec index 31c4bc4..2528391 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.0.2 -Release: 3%{?dist} +Release: 4%{?dist} License: libtiff Group: System Environment/Libraries @@ -18,11 +18,14 @@ Source0: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz Source1: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{prevversion}.tar.gz +Patch1: libtiff-4.0.2-bigendian.patch +Patch2: libtiff-CVE-2012-3401.patch + # these patches are only needed for prevversion: -Patch2: libtiff-CVE-2012-1173-3.9.patch -Patch3: libtiff-CVE-2012-2088.patch -Patch4: libtiff-CVE-2012-2113.patch -Patch5: libtiff-4.0.2-bigendian.patch +Patch10: libtiff-CVE-2012-1173-3.9.patch +Patch11: libtiff-CVE-2012-2088.patch +Patch12: libtiff-CVE-2012-2113.patch +Patch13: libtiff-CVE-2012-3401-3.9.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: zlib-devel libjpeg-devel jbigkit-devel @@ -81,6 +84,9 @@ This package contains shared libraries (only) for libtiff 3.9.x. %prep %setup -q -n tiff-%{version} +%patch1 -p1 +%patch2 -p1 + # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -93,9 +99,10 @@ autoheader # And the same for the compatibility package ... tar xfz %{SOURCE1} pushd tiff-%{prevversion} -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 libtoolize --force --copy @@ -104,7 +111,6 @@ autoheader autoconf autoheader popd -%patch5 -p1 %build export CFLAGS="%{optflags} -fno-strict-aliasing" @@ -235,6 +241,10 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libtiffxx.so.3* %changelog +* Sun Jul 22 2012 Tom Lane 4.0.2-4 +- Add patches for CVE-2012-3401 +Resolves: #841736 + * Thu Jul 19 2012 Fedora Release Engineering - 4.0.2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild