From ddc956408c409074b27df103c6dba746c62f3f39 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Tue, 26 Aug 2008 15:52:30 +0000
Subject: [PATCH] Fix LZW decoding vulnerabilities (CVE-2008-2327)
---
 libtiff-3.8.2-lzw-bugs.patch | 58 ++++++++++++++++++++++++++++++++++++
 libtiff.spec | 10 ++++++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 libtiff-3.8.2-lzw-bugs.patch
diff --git a/libtiff-3.8.2-lzw-bugs.patch b/libtiff-3.8.2-lzw-bugs.patch
new file mode 100644
index 0000000..874e5e3
--- /dev/null
+++ b/libtiff-3.8.2-lzw-bugs.patch
@@ -0,0 +1,58 @@
+Fixes for CVE-2008-2327
+
+
+diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c 2006-03-21 11:42:50.000000000 -0500
++++ tiff-3.8.2/libtiff/tif_lzw.c 2008-08-22 16:26:01.000000000 -0400
+@@ -237,6 +237,11 @@
+ sp->dec_codetab[code].length = 1;
+ sp->dec_codetab[code].next = NULL;
+ } while (code--);
++ /*
++ * Zero-out the unused entries
++ */
++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
+ }
+ return (1);
+ }
+@@ -408,12 +413,19 @@
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask-1;
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = (char)code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
+@@ -604,12 +616,19 @@
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask;
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecodeCompat: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
diff --git a/libtiff.spec b/libtiff.spec
index 6ef5f95..2f125b6 100644
--- a/libtiff.spec
+++ b/libtiff.spec
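Review bot: The new check after a clear code rejects only `code == CODE_CLEAR`, in both the `@@ -408` hunk (error text `LZWDecode`) and the `@@ -604` hunk (`LZWDecodeCompat`). Any other value above the literal-byte range therefore still reaches `*op++ = (char)code` (or `*op++ = code`) and `oldcodep = sp->dec_codetab + code`. Because `CODE_EOI` is already handled on the line above, `if (code >= CODE_CLEAR) {` would reject every non-literal first code after a clear, instead of relying on the freshly zeroed entries to make it harmless. Whether a zeroed `oldcodep` entry is actually safe depends on the later table walk, which lies outside these hunks, so this needs confirming against the full decode loop. Both loop bodies start and end outside the hunks shown.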
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 3.8.2
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: libtiff
 Group: System Environment/Libraries
 URL: http://www.libtiff.org/
@@ -11,6 +11,7 @@ Patch0: tiffsplit-overflow.patch
 Patch1: libtiff-3.8.2-ormandy.patch
 Patch2: libtiff-3.8.2-CVE-2006-2193.patch
 Patch3: libtiff-3.8.2-mantypo.patch
+Patch4: libtiff-3.8.2-lzw-bugs.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel libjpeg-devel
@@ -56,8 +57,10 @@ necessary for some boot packages.
 %patch1 -p1 -b .ormandy
 %patch2 -p1 -b .CVE-2006-2193
 %patch3 -p1 -b .mantypo
+%patch4 -p1
 %build
+export CFLAGS="%{optflags} -fno-strict-aliasing"
 %configure
 make %{?_smp_mflags}
@@ -154,6 +157,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/*.a
 %changelog
+* Tue Aug 26 2008 Tom Lane 3.8.2-11
+- Fix LZW decoding vulnerabilities (CVE-2008-2327)
+Related: #458674
+- Use -fno-strict-aliasing per rpmdiff recommendation
+
 * Tue Feb 19 2008 Fedora Release Engineering - 3.8.2-10
 - Autorebuild for GCC 4.3
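Review bot: In the `@@ -56,8 +57,10 @@` hunk, `%patch4 -p1` is applied without a backup suffix, while the three `%patch` lines above it all pass `-b`. The security fix then leaves no suffixed backup of the pre-patch `tif_lzw.c` to diff against when the patch is rebased or audited. `%patch4 -p1 -b .lzw-bugs` would match the existing lines.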