From cab4b718abc4b3179498c45354d0adf651156789 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Tue, 24 Jun 2014 12:22:39 +0000
Subject: main/tiff: security fix es for CVE-2013-4243 and CVE-2013-4244 ref #3081
---
 main/tiff/APKBUILD | 16 ++++++++++----
 main/tiff/libtiff-CVE-2013-4243.patch | 41 +++++++++++++++++++++++++++++++++++
 main/tiff/libtiff-CVE-2013-4244.patch | 15 +++++++++++++
 3 files changed, 68 insertions(+), 4 deletions(-)
 create mode 100644 main/tiff/libtiff-CVE-2013-4243.patch
 create mode 100644 main/tiff/libtiff-CVE-2013-4244.patch
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index a181f00c8..c57efe6c8 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Michael Mason
 pkgname=tiff
 pkgver=4.0.3
-pkgrel=2
+pkgrel=3
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
@@ -18,6 +18,8 @@ source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz
 libtiff-CVE-2013-1961.patch
 tiff-4.0.3-CVE-2013-4231.patch
 tiff-4.0.3-CVE-2013-4232.patch
+ libtiff-CVE-2013-4243.patch
+ libtiff-CVE-2013-4244.patch
 "
 _builddir="$srcdir"/$pkgname-$pkgver
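Review bot: The two new entries in `source=` are listed in the opposite order from the one the patches were generated in. libtiff-CVE-2013-4244.patch produces blob `2731273` (`index 375b152..2731273`), which is the base of libtiff-CVE-2013-4243.patch (`index 2731273..ca824e2`), and the second hunk of the 4243 patch uses the `bad input: code=%d is larger than clear=%d` lines added by 4244 as context. If prepare(), which is outside this diff, applies the patches in listing order, that hunk will not find its context on an unpatched gif2tiff.c. Listing `libtiff-CVE-2013-4244.patch` before `libtiff-CVE-2013-4243.patch` would match the blob chain and remove any reliance on fuzz.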
@@ -66,18 +68,24 @@ a4b9f293f706b5668df62833cf0b56d2 libtiff-CVE-2012-4564.patch
 e9de577a81571ab8ffac84aac8c64381 libtiff-CVE-2013-1960.patch
 e484981da6d2366a30a89dc0217c115a libtiff-CVE-2013-1961.patch
 fd604fe47922cbb0c271f84b2fe7f119 tiff-4.0.3-CVE-2013-4231.patch
-cea05bfff32ed3982980320cc0e16bbb tiff-4.0.3-CVE-2013-4232.patch"
+cea05bfff32ed3982980320cc0e16bbb tiff-4.0.3-CVE-2013-4232.patch
+74138a7605520ce47014e2ce05df1eeb libtiff-CVE-2013-4243.patch
+677f69995dd2e7710b4bca672c96ed8d libtiff-CVE-2013-4244.patch"
 sha256sums="ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872 tiff-4.0.3.tar.gz
 917187494cd3f80929e4919951637683aaccd98ffa23a6f1f97e49f6db85baa9 libtiff-CVE-2012-4447.patch
 0ef1f4055930c8b38246a4f6ed66e393bb2f2a3d5238f5c5f5d57d1f4b230d3e libtiff-CVE-2012-4564.patch
 688e577d3266b1cd7df5321b5e63fed82d088407a447a022eea2188d643b5a5b libtiff-CVE-2013-1960.patch
 2f0a1cf4826416d248ff5288db7702b80245d02c624c415836053a762c1e3fd4 libtiff-CVE-2013-1961.patch
 3c9c56f83fec5c6be3f69feb2b457d0706ad52c424ed2c9e830d48367446971d tiff-4.0.3-CVE-2013-4231.patch
-772d9ab61e94b9ef40e1446c31a373e52b5345f8c1d18438d52bf8d4f4f008ff tiff-4.0.3-CVE-2013-4232.patch"
+772d9ab61e94b9ef40e1446c31a373e52b5345f8c1d18438d52bf8d4f4f008ff tiff-4.0.3-CVE-2013-4232.patch
+13612aba82c219f16a6079dc2bc23feb8ba399ae92117eda60d870e4cbd33362 libtiff-CVE-2013-4243.patch
+8a53027a837cf7840844a23bc0bfd4230a48e73e1eddf4e76dadf12b5cdd4e8d libtiff-CVE-2013-4244.patch"
 sha512sums="d80e18b00e9e696a30b954c0d92e5f2f773fd9a7a0a944cf6cabb69c1798e671506580daa1cd2ebf493ae922000170c2491dfc6d4c0a9cd0b865684070595a73 tiff-4.0.3.tar.gz
 1377b675cfbeffbe810518053fb2e683f889cf1274d0b1adc6060beb9ef70dcd504038b02d569d08bf497511b99ea9c237e581b4a66676d0a69370b78c98736b libtiff-CVE-2012-4447.patch
 d8e9ffaefd9ce9f38c117faa6368fd858422b870d1afa3e9ce7b05218f35c29a84e23a1da00879aedade4c1d1d578c06be08aa51ed4e2e7d2a3ca819614be8e8 libtiff-CVE-2012-4564.patch
 db160c93453db8f4b611028bca48622eebfa54b320b780b7491bdc9c3385d227928a7e9016073a64cdd85388284aa2bb0f0af04daa235d45cdb28e4e6fcf82fa libtiff-CVE-2013-1960.patch
 c9870c7b85d2a3c666e2c9f932c815a1b4c9fb0bf2485c7cfff3ab3435222214fa7900adc0ded0f49866f28db2124121012bac7186b675955613fa983dbf45d7 libtiff-CVE-2013-1961.patch
 077dc58b99d6ab2689cfde9d427a719692758aab971a0e6c3edbab1688be6e5078705f251c8aa50b74182cf4d230f38eaa35308388958a319204ca60a30b578f tiff-4.0.3-CVE-2013-4231.patch
-2b384beeeed9717593a223427ec4a7ff7ec438cc8040e747b63fa1ef411008e3702bbb7dabf95dee605b88d72ef1fd50c6e496942630e4742687540855f4b612 tiff-4.0.3-CVE-2013-4232.patch"
+2b384beeeed9717593a223427ec4a7ff7ec438cc8040e747b63fa1ef411008e3702bbb7dabf95dee605b88d72ef1fd50c6e496942630e4742687540855f4b612 tiff-4.0.3-CVE-2013-4232.patch
+4442ebdbcd935db5324496b191c34c566bef77c1a7f34e04bd4f2e73c0e031c4fe7b7e746740cf4ce9b1160b60aa3084fa1510d347ce6b76fae2c7ab87c2a6b1 libtiff-CVE-2013-4243.patch
+0d4b0470710ec300e9d41df1c5d50eee13a105580e2f216ab0468d0613b3cab69e8ee5ff88cfdbb1cc81a1ccf301002ae96fe4e72755cf6f611efc566b1efff1 libtiff-CVE-2013-4244.patch"
diff --git a/main/tiff/libtiff-CVE-2013-4243.patch b/main/tiff/libtiff-CVE-2013-4243.patch
new file mode 100644
index 000000000..c365d992b
--- /dev/null
+++ b/main/tiff/libtiff-CVE-2013-4243.patch
@@ -0,0 +1,41 @@
+diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
+index 2731273..ca824e2 100644
+--- a/tools/gif2tiff.c
++++ b/tools/gif2tiff.c
+@@ -280,6 +280,10 @@ readgifimage(char* mode)
+ fprintf(stderr, "no colormap present for image\n");
+ return (0);
+ }
++ if (width == 0 || height == 0) {
++ fprintf(stderr, "Invalid value of width or height\n");
++ return(0);
++ }
+ if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+ fprintf(stderr, "not enough memory for image\n");
+ return (0);
+@@ -406,7 +410,11 @@ process(register int code, unsigned char** fill)
+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+ return 0;
+ }
+- *(*fill)++ = suffix[code];
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
++ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+ return 1;
+ }
+@@ -436,7 +444,11 @@ process(register int code, unsigned char** fill)
+ }
+ oldcode = incode;
+ do {
+- *(*fill)++ = *--stackp;
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
++ *(*fill)++ = *--stackp;
+ } while (stackp > stack);
+ return 1;
+ }
diff --git a/main/tiff/libtiff-CVE-2013-4244.patch b/main/tiff/libtiff-CVE-2013-4244.patch
new file mode 100644
index 000000000..792e07698
--- /dev/null
+++ b/main/tiff/libtiff-CVE-2013-4244.patch
@@ -0,0 +1,15 @@
+diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
+index 375b152..2731273 100644
+--- a/tools/gif2tiff.c
++++ b/tools/gif2tiff.c
+@@ -402,6 +402,10 @@ process(register int code, unsigned char** fill)
+ }
+ 
+ if (oldcode == -1) {
++ if (code >= clear) {
++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
++ return 0;
++ }
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+ return 1;
-- cgit v1.2.3
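Review bot: The write limit `raster + width*height` is spelled out separately in both new checks in process() and a third time, with `+EXTRAFUDGE`, in the `_TIFFmalloc` call in readgifimage(), so the allocation size and the bound that protects it stay in agreement only by hand. Computing the limit once where the buffer is allocated, e.g. `raster_end = raster + width*height;` after the NULL check, and testing `if (*fill >= raster_end) {` in both places would make that relationship explicit. The declarations of width and height are not in the patch, so whether the product can wrap for their type cannot be confirmed here; a single computation site would also be the natural place for that check. Both inner hunks in process() cut through the function, whose start and end are outside the patch.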
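Review bot: The new guard in front of `suffix[code]` has no lower bound: `code` is a signed `int` parameter and only `code >= clear` is rejected. Whether a caller can ever pass a negative value is not visible in this hunk, but `if (code < 0 || code >= clear) {` would keep the index in range regardless. The message also says "larger than" while the test rejects equality too, which can mislead someone triaging a rejected file. process() continues past the end of the hunk, so other table lookups on `code` are not covered here.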