summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2018-12-12 20:36:46 +0100
committerMarius Bakke <mbakke@fastmail.com>2018-12-12 21:31:42 +0100
commit3f2848a5f91bf7bb9c5643776be13196f587f952 (patch)
treee3c6ac56356ddb6d7c695bb8f6a97bf17e4fafb7 /gnu
parentb35c9a165f0cf01d63daede5388f3ebc20edae45 (diff)
downloadguix-3f2848a5f91bf7bb9c5643776be13196f587f952.tar.gz
gnu: libtiff: Update to 4.0.10.
* gnu/packages/patches/libtiff-CVE-2017-18013.patch,
gnu/packages/patches/libtiff-CVE-2017-9935.patch,
gnu/packages/patches/libtiff-CVE-2018-10963.patch,
gnu/packages/patches/libtiff-CVE-2018-8905.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
* gnu/packages/image.scm (libtiff): Update to 4.0.10.
[source](patches): Remove.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk4
-rw-r--r--gnu/packages/image.scm8
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-18013.patch45
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-9935.patch162
-rw-r--r--gnu/packages/patches/libtiff-CVE-2018-10963.patch40
-rw-r--r--gnu/packages/patches/libtiff-CVE-2018-8905.patch61
6 files changed, 2 insertions, 318 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 03627b98c1..fe5224c7de 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -909,10 +909,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch	\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
   %D%/packages/patches/libtheora-config-guess.patch		\
-  %D%/packages/patches/libtiff-CVE-2017-9935.patch		\
-  %D%/packages/patches/libtiff-CVE-2017-18013.patch		\
-  %D%/packages/patches/libtiff-CVE-2018-8905.patch		\
-  %D%/packages/patches/libtiff-CVE-2018-10963.patch		\
   %D%/packages/patches/libtool-skip-tests2.patch		\
   %D%/packages/patches/libusb-0.1-disable-tests.patch		\
   %D%/packages/patches/libusb-for-axoloti.patch			\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 92447c23e2..1a6b8fe1c9 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -461,7 +461,7 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (version "4.0.9")
+   (version "4.0.10")
    (source
      (origin
        (method url-fetch)
@@ -469,11 +469,7 @@ extracting icontainer icon files.")
                            version ".tar.gz"))
        (sha256
         (base32
-         "1kfg4q01r4mqn7dj63ifhi6pmqzbf4xax6ni6kkk81ri5kndwyvf"))
-       (patches (search-patches "libtiff-CVE-2017-9935.patch"
-                                "libtiff-CVE-2017-18013.patch"
-                                "libtiff-CVE-2018-8905.patch"
-                                "libtiff-CVE-2018-10963.patch"))))
+         "1r4np635gr6zlc0bic38dzvxia6iqzcrary4n1ylarzpr8fd2lic"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                           ;1.3 MiB of HTML documentation
diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
deleted file mode 100644
index ba03c83847..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2017-18013.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-18013:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2770
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
-
-From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 31 Dec 2017 15:09:41 +0100
-Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
- dereference on corrupted file. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2770
-
----
- libtiff/tif_print.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 9959d353..8deceb2b 100644
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
- 			    (unsigned long) s,
--			    (unsigned __int64) td->td_stripoffset[s],
--			    (unsigned __int64) td->td_stripbytecount[s]);
-+			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
-+			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
- #else
- 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
- 			    (unsigned long) s,
--			    (unsigned long long) td->td_stripoffset[s],
--			    (unsigned long long) td->td_stripbytecount[s]);
-+			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
-+			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
- #endif
- 	}
- }
--- 
-2.16.1
-
diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
deleted file mode 100644
index 5685d81f68..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2017-9935.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-Fix CVE-2017-9935
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
-http://bugzilla.maptools.org/show_bug.cgi?id=2704
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
-
-From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
-From: Brian May <brian@linuxpenguins.xyz>
-Date: Thu, 7 Dec 2017 07:46:47 +1100
-Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
-
-Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
-
-This vulnerability - at least for the supplied test case - is because we
-assume that a tiff will only have one transfer function that is the same
-for all pages. This is not required by the TIFF standards.
-
-We than read the transfer function for every page.  Depending on the
-transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
-We allocate this memory after we read in the transfer function for the
-page.
-
-For the first exploit - POC1, this file has 3 pages. For the first page
-we allocate 2 extra extra XREF entries. Then for the next page 2 more
-entries. Then for the last page the transfer function changes and we
-allocate 4 more entries.
-
-When we read the file into memory, we assume we have 4 bytes extra for
-each and every page (as per the last transfer function we read). Which
-is not correct, we only have 2 bytes extra for the first 2 pages. As a
-result, we end up writing past the end of the buffer.
-
-There are also some related issues that this also fixes. For example,
-TIFFGetField can return uninitalized pointer values, and the logic to
-detect a N=3 vs N=1 transfer function seemed rather strange.
-
-It is also strange that we declare the transfer functions to be of type
-float, when the standard says they are unsigned 16 bit values. This is
-fixed in another patch.
-
-This patch will check to ensure that the N value for every transfer
-function is the same for every page. If this changes, we abort with an
-error. In theory, we should perhaps check that the transfer function
-itself is identical for every page, however we don't do that due to the
-confusion of the type of the data in the transfer function.
----
- libtiff/tif_dir.c |  3 +++
- tools/tiff2pdf.c  | 65 +++++++++++++++++++++++++++++++++++++------------------
- 2 files changed, 47 insertions(+), 21 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index 2ccaf448..cbf2b693 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
- 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
- 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
- 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
-+			} else {
-+				*va_arg(ap, uint16**) = NULL;
-+				*va_arg(ap, uint16**) = NULL;
- 			}
- 			break;
- 		case TIFFTAG_REFERENCEBLACKWHITE:
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index d1a9b095..c3ec0746 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- 	uint16 pagen=0;
- 	uint16 paged=0;
- 	uint16 xuint16=0;
-+	uint16 tiff_transferfunctioncount=0;
-+	float* tiff_transferfunction[3];
- 
- 	directorycount=TIFFNumberOfDirectories(input);
- 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
-@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
-                 }
- #endif
- 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
--                                 &(t2p->tiff_transferfunction[0]),
--                                 &(t2p->tiff_transferfunction[1]),
--                                 &(t2p->tiff_transferfunction[2]))) {
--			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[1] !=
--                            t2p->tiff_transferfunction[0])) {
--				t2p->tiff_transferfunctioncount = 3;
--				t2p->tiff_pages[i].page_extra += 4;
--				t2p->pdf_xrefcount += 4;
--			} else {
--				t2p->tiff_transferfunctioncount = 1;
--				t2p->tiff_pages[i].page_extra += 2;
--				t2p->pdf_xrefcount += 2;
--			}
--			if(t2p->pdf_minorversion < 2)
--				t2p->pdf_minorversion = 2;
-+                                 &(tiff_transferfunction[0]),
-+                                 &(tiff_transferfunction[1]),
-+                                 &(tiff_transferfunction[2]))) {
-+
-+                        if((tiff_transferfunction[1] != (float*) NULL) &&
-+                           (tiff_transferfunction[2] != (float*) NULL)
-+                          ) {
-+                            tiff_transferfunctioncount=3;
-+                        } else {
-+                            tiff_transferfunctioncount=1;
-+                        }
-                 } else {
--			t2p->tiff_transferfunctioncount=0;
-+			tiff_transferfunctioncount=0;
- 		}
-+
-+                if (i > 0){
-+                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
-+                        TIFFError(
-+                            TIFF2PDF_MODULE,
-+                            "Different transfer function on page %d",
-+                            i);
-+                        t2p->t2p_error = T2P_ERR_ERROR;
-+                        return;
-+                    }
-+                }
-+
-+                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
-+                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
-+                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
-+                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
-+                if(tiff_transferfunctioncount == 3){
-+                        t2p->tiff_pages[i].page_extra += 4;
-+                        t2p->pdf_xrefcount += 4;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                } else if (tiff_transferfunctioncount == 1){
-+                        t2p->tiff_pages[i].page_extra += 2;
-+                        t2p->pdf_xrefcount += 2;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                }
-+
- 		if( TIFFGetField(
- 			input, 
- 			TIFFTAG_ICCPROFILE, 
-@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- 			 &(t2p->tiff_transferfunction[1]),
- 			 &(t2p->tiff_transferfunction[2]))) {
- 		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[1] !=
--                    t2p->tiff_transferfunction[0])) {
-+                   (t2p->tiff_transferfunction[2] != (float*) NULL)
-+                  ) {
- 			t2p->tiff_transferfunctioncount=3;
- 		} else {
- 			t2p->tiff_transferfunctioncount=1;
--- 
-2.16.1
-
diff --git a/gnu/packages/patches/libtiff-CVE-2018-10963.patch b/gnu/packages/patches/libtiff-CVE-2018-10963.patch
deleted file mode 100644
index d31c12399d..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2018-10963.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Fix CVE-2018-10963:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2795
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/de144fd228e4be8aa484c3caf3d814b6fa88c6d9
-
-From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 12 May 2018 14:24:15 +0200
-Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
-
----
- libtiff/tif_dirwrite.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index 2430de6d..c15a28db 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
- 								}
- 								break;
- 							default:
--								assert(0);   /* we should never get here */
--								break;
-+								TIFFErrorExt(tif->tif_clientdata,module,
-+								            "Cannot write tag %d (%s)",
-+								            TIFFFieldTag(o),
-+                                                                            o->field_name ? o->field_name : "unknown");
-+								goto bad;
- 						}
- 					}
- 				}
--- 
-2.17.0
-
diff --git a/gnu/packages/patches/libtiff-CVE-2018-8905.patch b/gnu/packages/patches/libtiff-CVE-2018-8905.patch
deleted file mode 100644
index f49815789e..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2018-8905.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-Fix CVE-2018-8095:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2780
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d
-
-From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 12 May 2018 15:32:31 +0200
-Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
-
-The fix consists in using the similar code LZWDecode() to validate we
-don't write outside of the output buffer.
----
- libtiff/tif_lzw.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
-index 4ccb443c..94d85e38 100644
---- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 	char *tp;
- 	unsigned char *bp;
- 	int code, nbits;
-+	int len;
- 	long nextbits, nextdata, nbitsmask;
- 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
- 
-@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 				}  while (--occ);
- 				break;
- 			}
--			assert(occ >= codep->length);
--			op += codep->length;
--			occ -= codep->length;
--			tp = op;
-+			len = codep->length;
-+			tp = op + len;
- 			do {
--				*--tp = codep->value;
--			} while( (codep = codep->next) != NULL );
-+				int t;
-+				--tp;
-+				t = codep->value;
-+				codep = codep->next;
-+				*tp = (char)t;
-+			} while (codep && tp > op);
-+			assert(occ >= len);
-+			op += len;
-+			occ -= len;
- 		} else {
- 			*op++ = (char)code;
- 			occ--;
--- 
-2.17.0
-