New upstream version libtiff-4.1.0 (#1768276)

2019-11-06 13:14:27 +01:00 · 2019-11-06 13:14:27 +01:00 · a15512fd3c
commit a15512fd3c
parent 15d4f182c8
6 changed files with 7 additions and 205 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@
 /tiff-4.0.8.tar.gz
 /tiff-4.0.9.tar.gz
 /tiff-4.0.10.tar.gz
+/tiff-4.1.0.tar.gz
--- a/libtiff-CVE-2018-12900_CVE-2019-7663.patch
+++ b/libtiff-CVE-2018-12900_CVE-2019-7663.patch
@ -1,47 +0,0 @@
-From 2cd851937e887704aa6838b272015de93f48bb44 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Mon, 11 Feb 2019 10:05:33 +0100
-Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
-
-fixes bug 2833
---
- tools/tiffcp.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 2f406e2..8c81aa4 100644
--- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -41,6 +41,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
- 
- #include <ctype.h>
- 
-@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- 	int status = 1;
- 	uint32 imagew = TIFFRasterScanlineSize(in);
- 	uint32 tilew = TIFFTileRowSize(in);
-	int iskew  = imagew - tilew*spp;
-+	int iskew;
- 	tsize_t tilesize = TIFFTileSize(in);
- 	tdata_t tilebuf;
- 	uint8* bufp = (uint8*) buf;
-@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- 	uint32 row;
- 	uint16 bps = 0, bytes_per_sample;
- 
-+	if (spp > (INT_MAX / tilew))
-+	{
-+		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
-+		return 0;
-+	}
-+	iskew = imagew - tilew*spp;
- 	tilebuf = _TIFFmalloc(tilesize);
- 	if (tilebuf == 0)
- 		return 0;
-- 
-2.21.0
-
--- a/libtiff-CVE-2018-19210.patch
+++ b/libtiff-CVE-2018-19210.patch
@ -1,100 +0,0 @@
-From 6579f23f3019d8aa7ef0cd856c03d1497add85be Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Wed, 21 Nov 2018 18:50:34 +0100
-Subject: [PATCH] tif_dir: unset transferfunction field if necessary
-
-The number of entries in the transfer table is determined as following:
-
-(td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1
-
-This means that whenever td->td_samplesperpixel or td->td_extrasamples are
-modified we also need to make sure that the number of required entries in
-the transfer table didn't change.
-
-If it changed and the number of entries is higher than before we should
-invalidate the transfer table field and free previously allocated values.
-In the other case there's nothing to do, additional tf entries won't harm
-and properly written code will just ignore them since spp - es < 1.
-
-For instance this situation might happen when reading an OJPEG compressed
-image with missing SamplesPerPixel tag. In this case the SamplesPerPixel
-field might be updated after setting the transfer table.
-
-see http://bugzilla.maptools.org/show_bug.cgi?id=2500
-
-This commit addresses CVE-2018-19210.
---
- libtiff/tif_dir.c | 30 ++++++++++++++++++++++++++++--
- 1 file changed, 28 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index 6f0b487..028ea54 100644
--- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, double value, size_t nmemb)
-  * Install extra samples information.
-  */
- static int
-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
-+setExtraSamples(TIFF* tif, va_list ap, uint32* v)
- {
- /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
- #define EXTRASAMPLE_COREL_UNASSALPHA 999 
- 
- 	uint16* va;
- 	uint32 i;
-+        TIFFDirectory* td = &tif->tif_dir;
-+        static const char module[] = "setExtraSamples";
- 
- 	*v = (uint16) va_arg(ap, uint16_vap);
- 	if ((uint16) *v > td->td_samplesperpixel)
-@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
- 				return 0;
- 		}
- 	}
-+
-+        if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
-+                !(td->td_samplesperpixel - td->td_extrasamples > 1))
-+        {
-+                TIFFWarningExt(tif->tif_clientdata,module,
-+                    "ExtraSamples tag value is changing, "
-+                    "but TransferFunction was read with a different value. Cancelling it");
-+                TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
-+                _TIFFfree(td->td_transferfunction[0]);
-+                td->td_transferfunction[0] = NULL;
-+        }
-+
- 	td->td_extrasamples = (uint16) *v;
- 	_TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
- 	return 1;
-@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
-                 _TIFFfree(td->td_smaxsamplevalue);
-                 td->td_smaxsamplevalue = NULL;
-             }
-+            /* Test if 3 transfer functions instead of just one are now needed
-+               See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
-+            if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
-+                !(td->td_samplesperpixel - td->td_extrasamples > 1))
-+            {
-+                    TIFFWarningExt(tif->tif_clientdata,module,
-+                        "SamplesPerPixel tag value is changing, "
-+                        "but TransferFunction was read with a different value. Cancelling it");
-+                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
-+                    _TIFFfree(td->td_transferfunction[0]);
-+                    td->td_transferfunction[0] = NULL;
-+            }
-         }
- 		td->td_samplesperpixel = (uint16) v;
- 		break;
-@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
- 		_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
- 		break;
- 	case TIFFTAG_EXTRASAMPLES:
-		if (!setExtraSamples(td, ap, &v))
-+		if (!setExtraSamples(tif, ap, &v))
- 			goto badvalue;
- 		break;
- 	case TIFFTAG_MATTEING:
-- 
-2.21.0
-
--- a/libtiff-CVE-2019-6128.patch
+++ b/libtiff-CVE-2019-6128.patch
@ -1,49 +0,0 @@
-From 99cab41801c37588f67396d836c5b677aba498ce Mon Sep 17 00:00:00 2001
-From: Scott Gayou <github.scott@gmail.com>
-Date: Wed, 23 Jan 2019 15:03:53 -0500
-Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
-
-pal2rgb failed to free memory on a few errors. This was reported
-here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
---
- tools/pal2rgb.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
-index 01d8502..9492f1c 100644
--- a/tools/pal2rgb.c
-+++ b/tools/pal2rgb.c
-@@ -118,12 +118,14 @@ main(int argc, char* argv[])
- 	    shortv != PHOTOMETRIC_PALETTE) {
- 		fprintf(stderr, "%s: Expecting a palette image.\n",
- 		    argv[optind]);
-+		(void) TIFFClose(in);
- 		return (-1);
- 	}
- 	if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
- 		fprintf(stderr,
- 		    "%s: No colormap (not a valid palette image).\n",
- 		    argv[optind]);
-+		(void) TIFFClose(in);
- 		return (-1);
- 	}
- 	bitspersample = 0;
-@@ -131,11 +133,14 @@ main(int argc, char* argv[])
- 	if (bitspersample != 8) {
- 		fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
- 		    argv[optind]);
-+		(void) TIFFClose(in);
- 		return (-1);
- 	}
- 	out = TIFFOpen(argv[optind+1], "w");
-	if (out == NULL)
-+	if (out == NULL) {
-+		(void) TIFFClose(in);
- 		return (-2);
-+	}
- 	cpTags(in, out);
- 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
- 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
-- 
-2.17.2
-
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
-Version:       4.0.10
-Release:       6%{?dist}
+Version:       4.1.0
+Release:       1%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/

@ -9,9 +9,6 @@ Source:        ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz

 Patch0:        libtiff-am-version.patch
 Patch1:        libtiff-make-check.patch
-Patch2:        libtiff-CVE-2019-6128.patch
-Patch3:        libtiff-CVE-2018-12900_CVE-2019-7663.patch
-Patch4:        libtiff-CVE-2018-19210.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -62,9 +59,6 @@ image files using the libtiff library.

 %patch0 -p1
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -169,6 +163,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Tue Nov 05 2019 Nikola Forró <nforro@redhat.com> - 4.1.0-1
+- New upstream version libtiff-4.1.0 (#1768276)
+
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.10-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (tiff-4.0.10.tar.gz) = d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8
+SHA512 (tiff-4.1.0.tar.gz) = fd541dcb11e3d5afaa1ec2f073c9497099727a52f626b338ef87dc93ca2e23ca5f47634015a4beac616d4e8f05acf7b7cd5797fb218758cc2ad31b390491c5a6