From a15512fd3cd2c0efa045b5e8332f3d9a8f164e01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikola=20Forr=C3=B3?= Date: Wed, 6 Nov 2019 13:14:27 +0100 Subject: [PATCH] New upstream version libtiff-4.1.0 (#1768276) --- .gitignore | 1 + libtiff-CVE-2018-12900_CVE-2019-7663.patch | 47 ---------- libtiff-CVE-2018-19210.patch | 100 --------------------- libtiff-CVE-2019-6128.patch | 49 ---------- libtiff.spec | 13 ++- sources | 2 +- 6 files changed, 7 insertions(+), 205 deletions(-) delete mode 100644 libtiff-CVE-2018-12900_CVE-2019-7663.patch delete mode 100644 libtiff-CVE-2018-19210.patch delete mode 100644 libtiff-CVE-2019-6128.patch diff --git a/.gitignore b/.gitignore index 3294cb7..2e71505 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ /tiff-4.0.8.tar.gz /tiff-4.0.9.tar.gz /tiff-4.0.10.tar.gz +/tiff-4.1.0.tar.gz diff --git a/libtiff-CVE-2018-12900_CVE-2019-7663.patch b/libtiff-CVE-2018-12900_CVE-2019-7663.patch deleted file mode 100644 index a412080..0000000 --- a/libtiff-CVE-2018-12900_CVE-2019-7663.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 2cd851937e887704aa6838b272015de93f48bb44 Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Mon, 11 Feb 2019 10:05:33 +0100 -Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow - -fixes bug 2833 ---- - tools/tiffcp.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 2f406e2..8c81aa4 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -41,6 +41,7 @@ - #include - #include - #include -+#include - - #include - -@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) - int status = 1; - uint32 imagew = TIFFRasterScanlineSize(in); - uint32 tilew = TIFFTileRowSize(in); -- int iskew = imagew - tilew*spp; -+ int iskew; - tsize_t tilesize = TIFFTileSize(in); - tdata_t tilebuf; - uint8* bufp = (uint8*) buf; -@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) - uint32 row; - uint16 bps = 0, bytes_per_sample; - -+ if (spp > (INT_MAX / tilew)) -+ { -+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); -+ return 0; -+ } -+ iskew = imagew - tilew*spp; - tilebuf = _TIFFmalloc(tilesize); - if (tilebuf == 0) - return 0; --- -2.21.0 - diff --git a/libtiff-CVE-2018-19210.patch b/libtiff-CVE-2018-19210.patch deleted file mode 100644 index fa5149c..0000000 --- a/libtiff-CVE-2018-19210.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 6579f23f3019d8aa7ef0cd856c03d1497add85be Mon Sep 17 00:00:00 2001 -From: Hugo Lefeuvre -Date: Wed, 21 Nov 2018 18:50:34 +0100 -Subject: [PATCH] tif_dir: unset transferfunction field if necessary - -The number of entries in the transfer table is determined as following: - -(td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1 - -This means that whenever td->td_samplesperpixel or td->td_extrasamples are -modified we also need to make sure that the number of required entries in -the transfer table didn't change. - -If it changed and the number of entries is higher than before we should -invalidate the transfer table field and free previously allocated values. -In the other case there's nothing to do, additional tf entries won't harm -and properly written code will just ignore them since spp - es < 1. - -For instance this situation might happen when reading an OJPEG compressed -image with missing SamplesPerPixel tag. In this case the SamplesPerPixel -field might be updated after setting the transfer table. - -see http://bugzilla.maptools.org/show_bug.cgi?id=2500 - -This commit addresses CVE-2018-19210. ---- - libtiff/tif_dir.c | 30 ++++++++++++++++++++++++++++-- - 1 file changed, 28 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index 6f0b487..028ea54 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, double value, size_t nmemb) - * Install extra samples information. - */ - static int --setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v) -+setExtraSamples(TIFF* tif, va_list ap, uint32* v) - { - /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */ - #define EXTRASAMPLE_COREL_UNASSALPHA 999 - - uint16* va; - uint32 i; -+ TIFFDirectory* td = &tif->tif_dir; -+ static const char module[] = "setExtraSamples"; - - *v = (uint16) va_arg(ap, uint16_vap); - if ((uint16) *v > td->td_samplesperpixel) -@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v) - return 0; - } - } -+ -+ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) && -+ !(td->td_samplesperpixel - td->td_extrasamples > 1)) -+ { -+ TIFFWarningExt(tif->tif_clientdata,module, -+ "ExtraSamples tag value is changing, " -+ "but TransferFunction was read with a different value. Cancelling it"); -+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); -+ _TIFFfree(td->td_transferfunction[0]); -+ td->td_transferfunction[0] = NULL; -+ } -+ - td->td_extrasamples = (uint16) *v; - _TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples); - return 1; -@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - _TIFFfree(td->td_smaxsamplevalue); - td->td_smaxsamplevalue = NULL; - } -+ /* Test if 3 transfer functions instead of just one are now needed -+ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */ -+ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) && -+ !(td->td_samplesperpixel - td->td_extrasamples > 1)) -+ { -+ TIFFWarningExt(tif->tif_clientdata,module, -+ "SamplesPerPixel tag value is changing, " -+ "but TransferFunction was read with a different value. Cancelling it"); -+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); -+ _TIFFfree(td->td_transferfunction[0]); -+ td->td_transferfunction[0] = NULL; -+ } - } - td->td_samplesperpixel = (uint16) v; - break; -@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32); - break; - case TIFFTAG_EXTRASAMPLES: -- if (!setExtraSamples(td, ap, &v)) -+ if (!setExtraSamples(tif, ap, &v)) - goto badvalue; - break; - case TIFFTAG_MATTEING: --- -2.21.0 - diff --git a/libtiff-CVE-2019-6128.patch b/libtiff-CVE-2019-6128.patch deleted file mode 100644 index 192ea59..0000000 --- a/libtiff-CVE-2019-6128.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 99cab41801c37588f67396d836c5b677aba498ce Mon Sep 17 00:00:00 2001 -From: Scott Gayou -Date: Wed, 23 Jan 2019 15:03:53 -0500 -Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128. - -pal2rgb failed to free memory on a few errors. This was reported -here: http://bugzilla.maptools.org/show_bug.cgi?id=2836. ---- - tools/pal2rgb.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c -index 01d8502..9492f1c 100644 ---- a/tools/pal2rgb.c -+++ b/tools/pal2rgb.c -@@ -118,12 +118,14 @@ main(int argc, char* argv[]) - shortv != PHOTOMETRIC_PALETTE) { - fprintf(stderr, "%s: Expecting a palette image.\n", - argv[optind]); -+ (void) TIFFClose(in); - return (-1); - } - if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) { - fprintf(stderr, - "%s: No colormap (not a valid palette image).\n", - argv[optind]); -+ (void) TIFFClose(in); - return (-1); - } - bitspersample = 0; -@@ -131,11 +133,14 @@ main(int argc, char* argv[]) - if (bitspersample != 8) { - fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", - argv[optind]); -+ (void) TIFFClose(in); - return (-1); - } - out = TIFFOpen(argv[optind+1], "w"); -- if (out == NULL) -+ if (out == NULL) { -+ (void) TIFFClose(in); - return (-2); -+ } - cpTags(in, out); - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); --- -2.17.2 - diff --git a/libtiff.spec b/libtiff.spec index d6dae95..fd33ba9 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff -Version: 4.0.10 -Release: 6%{?dist} +Version: 4.1.0 +Release: 1%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -9,9 +9,6 @@ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz Patch0: libtiff-am-version.patch Patch1: libtiff-make-check.patch -Patch2: libtiff-CVE-2019-6128.patch -Patch3: libtiff-CVE-2018-12900_CVE-2019-7663.patch -Patch4: libtiff-CVE-2018-19210.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel @@ -62,9 +59,6 @@ image files using the libtiff library. %patch0 -p1 %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -169,6 +163,9 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Tue Nov 05 2019 Nikola Forró - 4.1.0-1 +- New upstream version libtiff-4.1.0 (#1768276) + * Thu Jul 25 2019 Fedora Release Engineering - 4.0.10-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild diff --git a/sources b/sources index 451761e..ce855e7 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (tiff-4.0.10.tar.gz) = d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 +SHA512 (tiff-4.1.0.tar.gz) = fd541dcb11e3d5afaa1ec2f073c9497099727a52f626b338ef87dc93ca2e23ca5f47634015a4beac616d4e8f05acf7b7cd5797fb218758cc2ad31b390491c5a6