Resolves: #1419650 - CVE-2017-5849

2017-02-08 15:08:06 +01:00 · 2017-02-08 15:08:06 +01:00 · a66d53ca30
commit a66d53ca30
parent c16a8b893e
2 changed files with 15 additions and 0 deletions
--- a/netpbm-CVE-2017-5849.patch
+++ b/netpbm-CVE-2017-5849.patch
@ -0,0 +1,12 @@
+diff -urpN old/converter/other/tifftopnm.c new/converter/other/tifftopnm.c
+--- old/converter/other/tifftopnm.c	2017-02-08 13:58:14.515058955 +0100
+++ new/converter/other/tifftopnm.c	2017-02-08 14:47:25.684420520 +0100
+@@ -1526,7 +1526,7 @@ convertRasterInMemory(pnmOut *
+                     *statusP = CONV_FAILED;
+                 } else {
+                     int ok;
+-                    ok = TIFFRGBAImageGet(&img, raster, cols, rows);
+                    ok = TIFFRGBAImageGet(&img, raster, rows, cols);
+                     TIFFRGBAImageEnd(&img) ;
+                     if (!ok) {
+                         pm_message("%s", emsg);
--- a/netpbm.spec
+++ b/netpbm.spec
@ -19,6 +19,7 @@ Patch2:          netpbm-ppmfadeusage.patch
 Patch3:          netpbm-noppmtompeg.patch
 Patch4:          netpbm-CVE-2017-2586.patch
 Patch5:          netpbm-CVE-2017-2587.patch
+Patch6:          netpbm-CVE-2017-5849.patch
 BuildRequires:   libjpeg-devel, libpng-devel, libtiff-devel, flex
 BuildRequires:   libX11-devel, perl-generators, python, jasper-devel, libxml2-devel
 BuildRequires:   ghostscript-core
@ -80,6 +81,7 @@ netpbm-doc.  You'll also need to install the netpbm-progs package.
 %patch3 -p1 -b .noppmtompeg
 %patch4 -p1 -b .CVE-2586
 %patch5 -p1 -b .CVE-2587
+%patch6 -p1 -b .CVE-5849

 %build
 ./configure <<EOF
@ -227,6 +229,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Wed Feb 08 2017 Josef Ridky <jridky@redhat.com> - 10.77.00-3
 - fix CVE-2017-2586, CVE-2017-2587 (#1419545)
+- fix CVE-2017-5849 (#1419650)

 * Mon Jan 23 2017 Josef Ridky <jridky@redhat.com> - 10.77.00-2
 - fix #1404757 - add copyright_summary to doc section