7 files changed, 10 insertions(+), 300 deletions(-)
M gnu/local.mk
M gnu/packages/image.scm
D gnu/packages/patches/libtiff-CVE-2016-5652.patch
D gnu/packages/patches/libtiff-CVE-2016-9273.patch
D gnu/packages/patches/libtiff-CVE-2016-9297.patch
D gnu/packages/patches/libtiff-CVE-2016-9448.patch
D gnu/packages/patches/libtiff-uint32-overflow.patch
M gnu/local.mk => gnu/local.mk +0 -5
@@ 672,13 672,8 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-CVE-2016-5314.patch \
%D%/packages/patches/libtiff-CVE-2016-5321.patch \
%D%/packages/patches/libtiff-CVE-2016-5323.patch \
- %D%/packages/patches/libtiff-CVE-2016-5652.patch \
- %D%/packages/patches/libtiff-CVE-2016-9273.patch \
- %D%/packages/patches/libtiff-CVE-2016-9297.patch \
- %D%/packages/patches/libtiff-CVE-2016-9448.patch \
%D%/packages/patches/libtiff-oob-accesses-in-decode.patch \
%D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
- %D%/packages/patches/libtiff-uint32-overflow.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
M gnu/packages/image.scm => gnu/packages/image.scm +10 -19
@@ 243,7 243,7 @@ extracting icontainer icon files.")
(define-public libtiff
(package
(name "libtiff")
- (replacement libtiff/fixed)
+ (replacement libtiff-4.0.7)
(version "4.0.6")
(source (origin
(method url-fetch)
@@ 283,27 283,18 @@ collection of tools for doing simple manipulations of TIFF images.")
"See COPYRIGHT in the distribution."))
(home-page "http://www.remotesensing.org/libtiff/")))
-(define libtiff/fixed
+(define libtiff-4.0.7
(package
(inherit libtiff)
+ (version "4.0.7")
(source (origin
- (inherit (package-source libtiff))
- (patches (search-patches
- "libtiff-oob-accesses-in-decode.patch"
- "libtiff-oob-write-in-nextdecode.patch"
- "libtiff-uint32-overflow.patch"
- "libtiff-CVE-2015-8665+CVE-2015-8683.patch"
- "libtiff-CVE-2016-3623.patch"
- "libtiff-CVE-2016-3945.patch"
- "libtiff-CVE-2016-3990.patch"
- "libtiff-CVE-2016-3991.patch"
- "libtiff-CVE-2016-5314.patch"
- "libtiff-CVE-2016-5321.patch"
- "libtiff-CVE-2016-5323.patch"
- "libtiff-CVE-2016-5652.patch"
- "libtiff-CVE-2016-9273.patch"
- "libtiff-CVE-2016-9297.patch"
- "libtiff-CVE-2016-9448.patch"))))))
+ (method url-fetch)
+ (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
+ (home-page "http://www.simplesystems.org/libtiff/")))
(define-public libwmf
(package
D gnu/packages/patches/libtiff-CVE-2016-5652.patch => gnu/packages/patches/libtiff-CVE-2016-5652.patch +0 -47
@@ 1,47 0,0 @@
-Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
-
-Patches exfiltrated from upstream CVS repo with:
-cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c
-
-Index: tools/tiff2pdf.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
-retrieving revision 1.92
-retrieving revision 1.94
-diff -u -r1.92 -r1.94
---- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92
-+++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94
-@@ -2887,21 +2887,24 @@
- return(0);
- }
- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
-- if (count > 0) {
-- _TIFFmemcpy(buffer, jpt, count);
-+ if (count >= 4) {
-+ /* Ignore EOI marker of JpegTables */
-+ _TIFFmemcpy(buffer, jpt, count - 2);
- bufferoffset += count - 2;
-+ /* Store last 2 bytes of the JpegTables */
- table_end[0] = buffer[bufferoffset-2];
- table_end[1] = buffer[bufferoffset-1];
-- }
-- if (count > 0) {
- xuint32 = bufferoffset;
-+ bufferoffset -= 2;
- bufferoffset += TIFFReadRawTile(
- input,
- tile,
-- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),
-+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
- -1);
-- buffer[xuint32-2]=table_end[0];
-- buffer[xuint32-1]=table_end[1];
-+ /* Overwrite SOI marker of image scan with previously */
-+ /* saved end of JpegTables */
-+ buffer[xuint32-2]=table_end[0];
-+ buffer[xuint32-1]=table_end[1];
- } else {
- bufferoffset += TIFFReadRawTile(
- input,
D gnu/packages/patches/libtiff-CVE-2016-9273.patch => gnu/packages/patches/libtiff-CVE-2016-9273.patch +0 -41
@@ 1,41 0,0 @@
-Fix CVE-2016-9273:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
-http://bugzilla.maptools.org/show_bug.cgi?id=2587
-
-Patch extracted from upstream CVS repo:
-
-2016-11-10 Even Rouault <even.rouault at spatialys.com>
-
-revision 1.37
-date: 2016-11-09 18:00:49 -0500; author: erouault; state: Exp; lines: +10 -1; commitid: pzKipPxDJO2dxvtz;
-* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
-value when it is non-zero, instead of recomputing it. This is needed in
-TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
-array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
-
-Index: libtiff/tif_strip.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
-retrieving revision 1.36
-retrieving revision 1.37
-diff -u -r1.36 -r1.37
---- a/libtiff/tif_strip.c 7 Jun 2015 22:35:40 -0000 1.36
-+++ b/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37
-@@ -63,6 +63,15 @@
- TIFFDirectory *td = &tif->tif_dir;
- uint32 nstrips;
-
-+ /* If the value was already computed and store in td_nstrips, then return it,
-+ since ChopUpSingleUncompressedStrip might have altered and resized the
-+ since the td_stripbytecount and td_stripoffset arrays to the new value
-+ after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
-+ tif_dirread.c ~line 3612.
-+ See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
-+ if( td->td_nstrips )
-+ return td->td_nstrips;
-+
- nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
- TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
- if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
D gnu/packages/patches/libtiff-CVE-2016-9297.patch => gnu/packages/patches/libtiff-CVE-2016-9297.patch +0 -52
@@ 1,52 0,0 @@
-Fix CVE-2016-9297:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9297
-http://bugzilla.maptools.org/show_bug.cgi?id=2590
-
-Patch copied from upstream source repository.
-
-2016-11-11 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
- values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
- access are null terminated, to avoid potential read outside buffer
- in _TIFFPrintField().
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
-new revision: 1.1154; previous revision: 1.1153
-/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <--
-libtiff/tif_dirread.c
-new revision: 1.203; previous revision: 1.202Index: libtiff/libtiff/tif_dirread.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
-retrieving revision 1.202
-retrieving revision 1.203
-diff -u -r1.202 -r1.203
---- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:01:55 -0000 1.202
-+++ libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203
-@@ -5000,6 +5000,11 @@
- if (err==TIFFReadDirEntryErrOk)
- {
- int m;
-+ if( data[dp->tdir_count-1] != '\0' )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-+ data[dp->tdir_count-1] = '\0';
-+ }
- m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
- if (data!=0)
- _TIFFfree(data);
-@@ -5172,6 +5177,11 @@
- if (err==TIFFReadDirEntryErrOk)
- {
- int m;
-+ if( data[dp->tdir_count-1] != '\0' )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-+ data[dp->tdir_count-1] = '\0';
-+ }
- m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
- if (data!=0)
- _TIFFfree(data);
D gnu/packages/patches/libtiff-CVE-2016-9448.patch => gnu/packages/patches/libtiff-CVE-2016-9448.patch +0 -34
@@ 1,34 0,0 @@
-Fix CVE-2016-9448 (regression caused by fix for CVE-2016-9297).
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2593
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
-
-Patch copied from upstream source repository with:
-$ cvs diff -u -r 1.203 -r 1.204 libtiff/libtiff/tif_dirread.c
-
-Index: libtiff/libtiff/tif_dirread.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
-retrieving revision 1.203
-retrieving revision 1.204
-diff -u -r1.203 -r1.204
---- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203
-+++ libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204
-@@ -5000,7 +5000,7 @@
- if (err==TIFFReadDirEntryErrOk)
- {
- int m;
-- if( data[dp->tdir_count-1] != '\0' )
-+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
- {
- TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
- data[dp->tdir_count-1] = '\0';
-@@ -5177,7 +5177,7 @@
- if (err==TIFFReadDirEntryErrOk)
- {
- int m;
-- if( data[dp->tdir_count-1] != '\0' )
-+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
- {
- TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
- data[dp->tdir_count-1] = '\0';
D gnu/packages/patches/libtiff-uint32-overflow.patch => gnu/packages/patches/libtiff-uint32-overflow.patch +0 -102
@@ 1,102 0,0 @@
-Fix some buffer overflows:
-
-http://seclists.org/oss-sec/2016/q4/408
-http://bugzilla.maptools.org/show_bug.cgi?id=2592
-
-2016-11-11 Even Rouault <even.rouault at spatialys.com>
-
- * tools/tiffcrop.c: fix multiple uint32 overflows in
- writeBufferToSeparateStrips(), writeBufferToContigTiles() and
- writeBufferToSeparateTiles() that could cause heap buffer
-overflows.
- Reported by Henri Salo from Nixu Corporation.
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
-new revision: 1.1152; previous revision: 1.1151
-/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
-new revision: 1.43; previous revision: 1.42
-
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.42
-retrieving revision 1.43
-diff -u -r1.42 -r1.43
---- libtiff/tools/tiffcrop.c 14 Oct 2016 19:13:20 -0000 1.42
-+++ libtiff/tools/tiffcrop.c 11 Nov 2016 19:33:06 -0000 1.43
-@@ -148,6 +148,8 @@
- #define PATH_MAX 1024
- #endif
-
-+#define TIFF_UINT32_MAX 0xFFFFFFFFU
-+
- #ifndef streq
- #define streq(a,b) (strcmp((a),(b)) == 0)
- #endif
-@@ -1164,7 +1166,24 @@
- (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
- bytes_per_sample = (bps + 7) / 8;
-- rowsize = ((bps * spp * width) + 7) / 8; /* source has interleaved samples */
-+ if( width == 0 ||
-+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
-+ bps * spp * width > TIFF_UINT32_MAX - 7U )
-+ {
-+ TIFFError(TIFFFileName(out),
-+ "Error, uint32 overflow when computing (bps * spp * width) + 7");
-+ return 1;
-+ }
-+ rowsize = ((bps * spp * width) + 7U) / 8; /* source has interleaved samples */
-+ if( bytes_per_sample == 0 ||
-+ rowsperstrip > TIFF_UINT32_MAX / bytes_per_sample ||
-+ rowsperstrip * bytes_per_sample > TIFF_UINT32_MAX / (width + 1) )
-+ {
-+ TIFFError(TIFFFileName(out),
-+ "Error, uint32 overflow when computing rowsperstrip * "
-+ "bytes_per_sample * (width + 1)");
-+ return 1;
-+ }
- rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
-
- obuf = _TIFFmalloc (rowstripsize);
-@@ -1251,11 +1270,19 @@
- }
- }
-
-+ if( imagewidth == 0 ||
-+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
-+ bps * spp * imagewidth > TIFF_UINT32_MAX - 7U )
-+ {
-+ TIFFError(TIFFFileName(out),
-+ "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
-+ return 1;
-+ }
-+ src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
-+
- tilebuf = _TIFFmalloc(tile_buffsize);
- if (tilebuf == 0)
- return 1;
--
-- src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
- for (row = 0; row < imagelength; row += tl)
- {
- nrow = (row + tl > imagelength) ? imagelength - row : tl;
-@@ -1315,7 +1342,16 @@
- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
-- src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
-+
-+ if( imagewidth == 0 ||
-+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
-+ bps * spp * imagewidth > TIFF_UINT32_MAX - 7 )
-+ {
-+ TIFFError(TIFFFileName(out),
-+ "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
-+ return 1;
-+ }
-+ src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
-
- for (row = 0; row < imagelength; row += tl)
- {