@@ 689,6 689,7 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-CVE-2016-10092.patch \
%D%/packages/patches/libtiff-CVE-2016-10093.patch \
%D%/packages/patches/libtiff-CVE-2016-10094.patch \
+ %D%/packages/patches/libtiff-CVE-2017-5225.patch \
%D%/packages/patches/libtiff-assertion-failure.patch \
%D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \
%D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \
@@ 312,7 312,8 @@ collection of tools for doing simple manipulations of TIFF images.")
"libtiff-CVE-2016-10093.patch"
"libtiff-divide-by-zero-tiffcp.patch"
"libtiff-assertion-failure.patch"
- "libtiff-CVE-2016-10094.patch"))))))
+ "libtiff-CVE-2016-10094.patch"
+ "libtiff-CVE-2017-5225.patch"))))))
(define-public libwmf
(package
@@ 0,0 1,86 @@
+Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2656
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225
+https://security-tracker.debian.org/tracker/CVE-2017-5225
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+ cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
+overflow.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+ http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+
+less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1210; previous revision: 1.1209
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.61; previous revision: 1.60
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.60
+retrieving revision 1.61
+diff -u -r1.60 -r1.61
+--- libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60
++++ libtiff/tools/tiffcp.c 11 Jan 2017 19:26:14 -0000 1.61
+#@@ -1,4 +1,4 @@
+#-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */
+#+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */
+#
+# /*
+# * Copyright (c) 1988-1997 Sam Leffler
+@@ -591,7 +591,7 @@
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+- uint16 bitspersample, samplesperpixel = 1;
++ uint16 bitspersample = 1, samplesperpixel = 1;
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ copyFunc cf;
+ uint32 width, length;
+@@ -1067,6 +1067,16 @@
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpContig2SeparateByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1120,6 +1130,16 @@
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpSeparate2ContigByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1784,7 +1804,7 @@
+ uint32 w, l, tw, tl;
+ int bychunk;
+
+- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+ if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+ fprintf(stderr,
+ "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",