import libtiff-4.0.9-15.el8

2019-11-05 14:03:30 -05:00 · 2019-11-05 14:03:30 -05:00 · cee0d49ecf
parent cb12b3dbf7
commit cee0d49ecf
2 changed files with 56 additions and 1 deletions
--- a/SOURCES/libtiff-CVE-2018-12900.patch
+++ b/SOURCES/libtiff-CVE-2018-12900.patch
@ -0,0 +1,47 @@
+From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 10:05:33 +0100
+Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
+
+fixes bug 2833
+---
+ tools/tiffcp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 489459a..0c66229 100644
+--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
+@@ -43,6 +43,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+#include <limits.h>
+ 
+ #include <ctype.h>
+ 
+@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 	int status = 1;
+ 	uint32 imagew = TIFFRasterScanlineSize(in);
+ 	uint32 tilew = TIFFTileRowSize(in);
+-	int iskew  = imagew - tilew*spp;
+	int iskew;
+ 	tsize_t tilesize = TIFFTileSize(in);
+ 	tdata_t tilebuf;
+ 	uint8* bufp = (uint8*) buf;
+@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 	uint32 row;
+ 	uint16 bps = 0, bytes_per_sample;
+ 
+	if (tilew && spp > (INT_MAX / tilew))
+	{
+		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+		return 0;
+	}
+	iskew = imagew - tilew*spp;
+ 	tilebuf = _TIFFmalloc(tilesize);
+ 	if (tilebuf == 0)
+ 		return 0;
+-- 
+2.21.0
+
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       13%{?dist}
+Release:       15%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@ -20,6 +20,7 @@ Patch8:        libtiff-CVE-2018-17100.patch
 Patch9:        libtiff-coverity.patch
 Patch10:       libtiff-CVE-2018-18557.patch
 Patch11:       libtiff-CVE-2018-18661.patch
+Patch12:       libtiff-CVE-2018-12900.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -83,6 +84,7 @@ image files using the libtiff library.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -186,6 +188,12 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-15
+- Fix DIVIDE_BY_ZERO in patch for CVE-2018-12900 (#1595579)
+
+* Thu Jun 06 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-14
+- Fix CVE-2018-12900 (#1595579)
+
 * Thu Dec 13 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-13
 - Fix compiler warning introduced by patch for CVE-2018-18661