mirror of git://git.savannah.gnu.org/guix.git synced 2023-12-14 03:33:07 +01:00

gnu: libtiff: Update to 4.0.9.

* gnu/packages/image.scm (libtiff): Update to 4.0.9.
[source]: Remove obsolete patches.
* gnu/packages/patches/libtiff-CVE-2016-10688.patch,
gnu/packages/patches/libtiff-CVE-2017-9936.patch,
gnu/packages/patches/libtiff-tiffgetfield-bugs.patch,
gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch,
gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch: Delete
files.
* gnu/local.mk (dist_patch_DATA): Remove them.
Leo Famulari 2017-11-30 16:33:24 -05:00
parent ee3ebf1a35
commit 2fc4709368
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
7 changed files with 2 additions and 453 deletions


@ -809,11 +809,6 @@ dist_patch_DATA = \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
%D%/packages/patches/libtasn1-CVE-2017-10790.patch \
%D%/packages/patches/libtheora-config-guess.patch \
%D%/packages/patches/libtiff-CVE-2016-10688.patch \
%D%/packages/patches/libtiff-CVE-2017-9936.patch \
%D%/packages/patches/libtiff-tiffgetfield-bugs.patch \
%D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch \
%D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch \
%D%/packages/patches/libtirpc-CVE-2017-8779.patch \
%D%/packages/patches/libtorrent-rasterbar-boost-compat.patch \
%D%/packages/patches/libtool-skip-tests2.patch \


@ -386,21 +386,15 @@ extracting icontainer icon files.")
(define-public libtiff
(package
(name "libtiff")
(version "4.0.8")
(version "4.0.9")
(source
(origin
(method url-fetch)
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
version ".tar.gz"))
(patches
(search-patches "libtiff-tiffgetfield-bugs.patch"
"libtiff-CVE-2016-10688.patch"
"libtiff-CVE-2017-9936.patch"
"libtiff-tiffycbcrtorgb-integer-overflow.patch"
"libtiff-tiffycbcrtorgbinit-integer-overflow.patch"))
(sha256
(base32
"0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))
"1kfg4q01r4mqn7dj63ifhi6pmqzbf4xax6ni6kkk81ri5kndwyvf"))))
(build-system gnu-build-system)
(outputs '("out"
"doc")) ;1.3 MiB of HTML documentation

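Review bot: The `patches` field and all five `search-patches` entries are dropped in the same hunk as the version change, but neither the hunk nor the commit message records that each fix was confirmed present in the 4.0.9 tarball; the message only calls the patches obsolete. Two of the removed files address CVE-2017-9936 and CVE-2017-10688, and a third covers four older TIFFGetField() CVEs, so a fix missing from the release would reintroduce known issues with no build failure to signal it. The upstream ChangeLog dates quoted in the deleted files (2017-05-29 to 2017-06-30) predate this commit, which makes inclusion likely, but that is inferred from the page rather than shown. I would state the check in the commit message, for example `[source]: Remove patches; all five fixes verified present in the 4.0.9 ChangeLog.` The `libtiff` package definition continues outside the hunk.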

@ -1,92 +0,0 @@
Fix CVE-2017-10688:
http://bugzilla.maptools.org/show_bug.cgi?id=2712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688
https://security-tracker.debian.org/tracker/CVE-2017-10688
Patch lifted from upstream source repository (the changes to 'ChangeLog'
don't apply to the libtiff 4.0.8 release tarball).
3rd party Git reference:
https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
2017-06-30 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
functions associated with LONG8/SLONG8 data type, replace assertion
that
the file is BigTIFF, by a non-fatal error.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
Reported by team OWL337
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1259; previous revision: 1.1258
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <--
libtiff/tif_dirwrite.c
new revision: 1.86; previous revision: 1.85
Index: libtiff/libtiff/tif_dirwrite.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v
retrieving revision 1.85
retrieving revision 1.86
diff -u -r1.85 -r1.86
--- libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 16:09:02 -0000 1.85
+++ libtiff/libtiff/tif_dirwrite.c 30 Jun 2017 17:29:44 -0000 1.86
@@ -1,4 +1,4 @@
-/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */
+/* $Id: tif_dirwrite.c,v 1.86 2017-06-30 17:29:44 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -2111,7 +2111,10 @@
{
uint64 m;
assert(sizeof(uint64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
m=value;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong8(&m);
@@ -2124,7 +2127,10 @@
{
assert(count<0x20000000);
assert(sizeof(uint64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong8(value,count);
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
@@ -2136,7 +2142,10 @@
{
int64 m;
assert(sizeof(int64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
m=value;
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong8((uint64*)(&m));
@@ -2149,7 +2158,10 @@
{
assert(count<0x20000000);
assert(sizeof(int64)==8);
- assert(tif->tif_flags&TIFF_BIGTIFF);
+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
+ return(0);
+ }
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabArrayOfLong8((uint64*)value,count);
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));


@ -1,47 +0,0 @@
Fix CVE-2017-9936:
http://bugzilla.maptools.org/show_bug.cgi?id=2706
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9936
https://security-tracker.debian.org/tracker/CVE-2017-9936
Patch lifted from upstream source repository (the changes to 'ChangeLog'
don't apply to the libtiff 4.0.8 release tarball).
3rd party Git reference:
https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a
2017-06-26 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_jbig.c: fix memory leak in error code path of
JBIGDecode()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
Reported by team OWL337
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1254; previous revision: 1.1253
/cvs/maptools/cvsroot/libtiff/libtiff/tif_jbig.c,v <-- libtiff/tif_jbig.c
new revision: 1.16; previous revision: 1.15
Index: libtiff/libtiff/tif_jbig.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jbig.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- libtiff/libtiff/tif_jbig.c 10 Mar 2010 18:56:48 -0000 1.15
+++ libtiff/libtiff/tif_jbig.c 26 Jun 2017 15:20:00 -0000 1.16
@@ -1,4 +1,4 @@
-/* $Id: tif_jbig.c,v 1.15 2010-03-10 18:56:48 bfriesen Exp $ */
+/* $Id: tif_jbig.c,v 1.16 2017-06-26 15:20:00 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -94,6 +94,7 @@
jbg_strerror(decodeStatus)
#endif
);
+ jbg_dec_free(&decoder);
return 0;
}


@ -1,201 +0,0 @@
Fix several bugs in libtiff related to use of TIFFGetField():
http://bugzilla.maptools.org/show_bug.cgi?id=2580
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095
Patch copied from upstream CVS. 3rd-party Git reference:
https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06
2017-06-01 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
to behave differently depending on whether the codec is enabled or not, and
thus can avoid stack based buffer overflows in a number of TIFF utilities
such as tiffsplit, tiffcmp, thumbnail, etc.
Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
Fixes:
http://bugzilla.maptools.org/show_bug.cgi?id=2580
http://bugzilla.maptools.org/show_bug.cgi?id=2693
http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
http://bugzilla.maptools.org/show_bug.cgi?id=2441
http://bugzilla.maptools.org/show_bug.cgi?id=2433
Index: libtiff/libtiff/tif_dirread.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
retrieving revision 1.208
retrieving revision 1.209
diff -u -r1.208 -r1.209
--- libtiff/libtiff/tif_dirread.c 27 Apr 2017 15:46:22 -0000 1.208
+++ libtiff/libtiff/tif_dirread.c 1 Jun 2017 12:44:04 -0000 1.209
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -3580,6 +3580,10 @@
goto bad;
dp->tdir_tag=IGNORE;
break;
+ default:
+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
+ dp->tdir_tag=IGNORE;
+ break;
}
}
}
Index: libtiff/libtiff/tif_dirinfo.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v
retrieving revision 1.126
retrieving revision 1.127
diff -u -r1.126 -r1.127
--- libtiff/libtiff/tif_dirinfo.c 18 Nov 2016 02:52:13 -0000 1.126
+++ libtiff/libtiff/tif_dirinfo.c 1 Jun 2017 12:44:04 -0000 1.127
@@ -1,4 +1,4 @@
-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
+/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -956,6 +956,109 @@
return 0;
}
+int
+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+{
+ /* Filter out non-codec specific tags */
+ switch (tag) {
+ /* Shared tags */
+ case TIFFTAG_PREDICTOR:
+ /* JPEG tags */
+ case TIFFTAG_JPEGTABLES:
+ /* OJPEG tags */
+ case TIFFTAG_JPEGIFOFFSET:
+ case TIFFTAG_JPEGIFBYTECOUNT:
+ case TIFFTAG_JPEGQTABLES:
+ case TIFFTAG_JPEGDCTABLES:
+ case TIFFTAG_JPEGACTABLES:
+ case TIFFTAG_JPEGPROC:
+ case TIFFTAG_JPEGRESTARTINTERVAL:
+ /* CCITT* */
+ case TIFFTAG_BADFAXLINES:
+ case TIFFTAG_CLEANFAXDATA:
+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
+ case TIFFTAG_GROUP3OPTIONS:
+ case TIFFTAG_GROUP4OPTIONS:
+ break;
+ default:
+ return 1;
+ }
+ /* Check if codec specific tags are allowed for the current
+ * compression scheme (codec) */
+ switch (tif->tif_dir.td_compression) {
+ case COMPRESSION_LZW:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_PACKBITS:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_THUNDERSCAN:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_NEXT:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_JPEG:
+ if (tag == TIFFTAG_JPEGTABLES)
+ return 1;
+ break;
+ case COMPRESSION_OJPEG:
+ switch (tag) {
+ case TIFFTAG_JPEGIFOFFSET:
+ case TIFFTAG_JPEGIFBYTECOUNT:
+ case TIFFTAG_JPEGQTABLES:
+ case TIFFTAG_JPEGDCTABLES:
+ case TIFFTAG_JPEGACTABLES:
+ case TIFFTAG_JPEGPROC:
+ case TIFFTAG_JPEGRESTARTINTERVAL:
+ return 1;
+ }
+ break;
+ case COMPRESSION_CCITTRLE:
+ case COMPRESSION_CCITTRLEW:
+ case COMPRESSION_CCITTFAX3:
+ case COMPRESSION_CCITTFAX4:
+ switch (tag) {
+ case TIFFTAG_BADFAXLINES:
+ case TIFFTAG_CLEANFAXDATA:
+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
+ return 1;
+ case TIFFTAG_GROUP3OPTIONS:
+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
+ return 1;
+ break;
+ case TIFFTAG_GROUP4OPTIONS:
+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
+ return 1;
+ break;
+ }
+ break;
+ case COMPRESSION_JBIG:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_DEFLATE:
+ case COMPRESSION_ADOBE_DEFLATE:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_PIXARLOG:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_SGILOG:
+ case COMPRESSION_SGILOG24:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_LZMA:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+
+ }
+ return 0;
+}
+
/* vim: set ts=8 sts=8 sw=8 noet: */
/*
Index: libtiff/libtiff/tif_dir.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -r1.54 -r1.55
--- libtiff/libtiff/tif_dir.h 18 Feb 2011 20:53:05 -0000 1.54
+++ libtiff/libtiff/tif_dir.h 1 Jun 2017 12:44:04 -0000 1.55
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
+/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -291,6 +291,7 @@
extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
#if defined(__cplusplus)
}


@ -1,57 +0,0 @@
Fix an integer overflow TIFFYCbCrtoRGB():
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
3rd party Git reference:
https://github.com/vadz/libtiff/commit/02669064e927074819ce1ed39aba0fccaa167717
2017-05-29 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
int32 overflow in TIFFYCbCrtoRGB().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
Credit to OSS Fuzz
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1241; previous revision: 1.1240
/cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v <-- libtiff/tif_color.c
new revision: 1.24; previous revision: 1.23
Index: libtiff/libtiff/tif_color.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- libtiff/libtiff/tif_color.c 13 May 2017 18:17:34 -0000 1.23
+++ libtiff/libtiff/tif_color.c 29 May 2017 10:12:54 -0000 1.24
@@ -1,4 +1,4 @@
-/* $Id: tif_color.c,v 1.23 2017-05-13 18:17:34 erouault Exp $ */
+/* $Id: tif_color.c,v 1.24 2017-05-29 10:12:54 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -275,10 +275,10 @@
for (i = 0, x = -128; i < 256; i++, x++) {
int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F,
refBlackWhite[5] - 128.0F, 127),
- -128.0F * 64, 128.0F * 64);
+ -128.0F * 32, 128.0F * 32);
int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F,
refBlackWhite[3] - 128.0F, 127),
- -128.0F * 64, 128.0F * 64);
+ -128.0F * 32, 128.0F * 32);
ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT);
ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT);
@@ -286,7 +286,7 @@
ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF;
ycbcr->Y_tab[i] =
(int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255),
- -128.0F * 64, 128.0F * 64);
+ -128.0F * 32, 128.0F * 32);
}
}


@ -1,43 +0,0 @@
Fix an integer overflow in initYCbCrConversion():
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
3rd party Git reference
https://github.com/vadz/libtiff/commit/468988860e0dae62ebbf991627c74bcbb4bd256f
* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
refBlackWhite coefficients values. To avoid invalid float->int32 conversion
(when refBlackWhite[0] == 2147483648.f)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
Credit to OSS Fuzz
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1243; previous revision: 1.1242
/cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v <-- libtiff/tif_getimage.c
new revision: 1.107; previous revision: 1.106
Index: libtiff/libtiff/tif_getimage.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v
retrieving revision 1.106
retrieving revision 1.107
diff -u -r1.106 -r1.107
--- libtiff/libtiff/tif_getimage.c 20 May 2017 11:29:02 -0000 1.106
+++ libtiff/libtiff/tif_getimage.c 29 May 2017 11:29:06 -0000 1.107
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.106 2017-05-20 11:29:02 erouault Exp $ */
+/* $Id: tif_getimage.c,v 1.107 2017-05-29 11:29:06 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -2241,7 +2241,7 @@
static int isInRefBlackWhiteRange(float f)
{
- return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF;
+ return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF;
}
static int