diff options
author | prspkt <prspkt@protonmail.com> | 2018-05-14 16:12:46 +0000 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2018-05-24 22:03:50 +0200 |
commit | e6a6453651a9c3c80af79c2193ce5ba2d9204c4c (patch) | |
tree | 988e7476214c83d3ab1265deaf904ba8a3062088 | |
parent | f46f25bfbff5fb6a1ecef30c54ad0c6b40ab6818 (diff) | |
download | aports-e6a6453651a9c3c80af79c2193ce5ba2d9204c4c.tar.bz2 aports-e6a6453651a9c3c80af79c2193ce5ba2d9204c4c.tar.xz |
main/tiff: fix CVE-2018-8905
-rw-r--r-- | main/tiff/APKBUILD | 8 | ||||
-rw-r--r-- | main/tiff/CVE-2018-8905.patch | 51 |
2 files changed, 57 insertions, 2 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index 2a9b5e9267..a662558c21 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Michael Mason <ms13sp@gmail.com> pkgname=tiff pkgver=4.0.9 -pkgrel=4 +pkgrel=5 pkgdesc="Provides support for the Tag Image File Format or TIFF" url="http://www.libtiff.org" arch="all" @@ -17,8 +17,11 @@ source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz CVE-2017-18013.patch CVE-2018-5784.patch CVE-2018-7456.patch + CVE-2018-8905.patch " # secfixes: +# 4.0.9-r5: +# - CVE-2018-8905 # 4.0.9-r4: # - CVE-2018-7456 # 4.0.9-r2: @@ -80,4 +83,5 @@ tools() { sha512sums="04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd tiff-4.0.9.tar.gz 3a31e4315ecc5c5bf709e2ca0fefb5bc7ff50c79f911b8b8366be38d007d3f79e89982700a620b2d82739313fbd79041428dbf3ecf0a790c9ec3bc2e211d6fce CVE-2017-18013.patch c9cb1f712241c5bbd01910d4f4becf50ba8498bb04393f45451af4ace948b6a41b3d887adc9fbce1a53edeb0aeba03868f4d31428f3c5813ed14bb4b6f4c0f96 CVE-2018-5784.patch -8f3ad4065f6ef349c4bd0fe9161cbe19744fbbc89f17c52eb4e43548ca4816f09c7f7e270cb77ced820a95ca009b5f7ad65ee79e7b23ffe1d31c137e3b2bef47 CVE-2018-7456.patch" +8f3ad4065f6ef349c4bd0fe9161cbe19744fbbc89f17c52eb4e43548ca4816f09c7f7e270cb77ced820a95ca009b5f7ad65ee79e7b23ffe1d31c137e3b2bef47 CVE-2018-7456.patch +ba283d0def89bf7caee753f39b5717780e9aec2ba32b8ce400b3d86b50eb1414a92bd56ebcf5e9550436a71aa18c55e31c6b5966f24dc5ec1863f28ca769d887 CVE-2018-8905.patch" diff --git a/main/tiff/CVE-2018-8905.patch b/main/tiff/CVE-2018-8905.patch new file mode 100644 index 0000000000..f951092c1f --- /dev/null +++ b/main/tiff/CVE-2018-8905.patch @@ -0,0 +1,51 @@ +From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sat, 12 May 2018 15:32:31 +0200 +Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905 + +The fix consists in using the similar code LZWDecode() to validate we +don't write outside of the output buffer. +--- + libtiff/tif_lzw.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index 4ccb443..94d85e3 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + char *tp; + unsigned char *bp; + int code, nbits; ++ int len; + long nextbits, nextdata, nbitsmask; + code_t *codep, *free_entp, *maxcodep, *oldcodep; + +@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + } while (--occ); + break; + } +- assert(occ >= codep->length); +- op += codep->length; +- occ -= codep->length; +- tp = op; ++ len = codep->length; ++ tp = op + len; + do { +- *--tp = codep->value; +- } while( (codep = codep->next) != NULL ); ++ int t; ++ --tp; ++ t = codep->value; ++ codep = codep->next; ++ *tp = (char)t; ++ } while (codep && tp > op); ++ assert(occ >= len); ++ op += len; ++ occ -= len; + } else { + *op++ = (char)code; + occ--; +-- +libgit2 0.27.0 + |