summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk5
-rw-r--r--gnu/packages/image.scm29
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-5652.patch47
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-9273.patch41
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-9297.patch52
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-9448.patch34
-rw-r--r--gnu/packages/patches/libtiff-uint32-overflow.patch102
7 files changed, 10 insertions, 300 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 430d05ff3e..7c6306b5f6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -672,13 +672,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtiff-CVE-2016-5314.patch		\
   %D%/packages/patches/libtiff-CVE-2016-5321.patch		\
   %D%/packages/patches/libtiff-CVE-2016-5323.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-5652.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-9273.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-9297.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-9448.patch		\
   %D%/packages/patches/libtiff-oob-accesses-in-decode.patch	\
   %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch	\
-  %D%/packages/patches/libtiff-uint32-overflow.patch		\
   %D%/packages/patches/libtool-skip-tests2.patch		\
   %D%/packages/patches/libunwind-CVE-2015-3239.patch		\
   %D%/packages/patches/libupnp-CVE-2016-6255.patch		\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index af412b4c44..526c87cf86 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -243,7 +243,7 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (replacement libtiff/fixed)
+   (replacement libtiff-4.0.7)
    (version "4.0.6")
    (source (origin
             (method url-fetch)
@@ -283,27 +283,18 @@ collection of tools for doing simple manipulations of TIFF images.")
                                   "See COPYRIGHT in the distribution."))
    (home-page "http://www.remotesensing.org/libtiff/")))
 
-(define libtiff/fixed
+(define libtiff-4.0.7
   (package
     (inherit libtiff)
+    (version "4.0.7")
     (source (origin
-              (inherit (package-source libtiff))
-              (patches (search-patches
-                         "libtiff-oob-accesses-in-decode.patch"
-                         "libtiff-oob-write-in-nextdecode.patch"
-                         "libtiff-uint32-overflow.patch"
-                         "libtiff-CVE-2015-8665+CVE-2015-8683.patch"
-                         "libtiff-CVE-2016-3623.patch"
-                         "libtiff-CVE-2016-3945.patch"
-                         "libtiff-CVE-2016-3990.patch"
-                         "libtiff-CVE-2016-3991.patch"
-                         "libtiff-CVE-2016-5314.patch"
-                         "libtiff-CVE-2016-5321.patch"
-                         "libtiff-CVE-2016-5323.patch"
-                         "libtiff-CVE-2016-5652.patch"
-                         "libtiff-CVE-2016-9273.patch"
-                         "libtiff-CVE-2016-9297.patch"
-                         "libtiff-CVE-2016-9448.patch"))))))
+              (method url-fetch)
+              (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
+    (home-page "http://www.simplesystems.org/libtiff/")))
 
 (define-public libwmf
   (package
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5652.patch b/gnu/packages/patches/libtiff-CVE-2016-5652.patch
deleted file mode 100644
index 54b87d0185..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5652.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
-
-Patches exfiltrated from upstream CVS repo with:
-cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c
-
-Index: tools/tiff2pdf.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
-retrieving revision 1.92
-retrieving revision 1.94
-diff -u -r1.92 -r1.94
---- a/tools/tiff2pdf.c	23 Sep 2016 22:12:18 -0000	1.92
-+++ b/tools/tiff2pdf.c	9 Oct 2016 11:03:36 -0000	1.94
-@@ -2887,21 +2887,24 @@
- 				return(0);
- 			}
- 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
--				if (count > 0) {
--					_TIFFmemcpy(buffer, jpt, count);
-+				if (count >= 4) {
-+                    /* Ignore EOI marker of JpegTables */
-+					_TIFFmemcpy(buffer, jpt, count - 2);
- 					bufferoffset += count - 2;
-+                    /* Store last 2 bytes of the JpegTables */
- 					table_end[0] = buffer[bufferoffset-2];
- 					table_end[1] = buffer[bufferoffset-1];
--				}
--				if (count > 0) {
- 					xuint32 = bufferoffset;
-+                    bufferoffset -= 2;
- 					bufferoffset += TIFFReadRawTile(
- 						input, 
- 						tile, 
--						(tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), 
-+						(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), 
- 						-1);
--						buffer[xuint32-2]=table_end[0];
--						buffer[xuint32-1]=table_end[1];
-+                    /* Overwrite SOI marker of image scan with previously */
-+                    /* saved end of JpegTables */
-+					buffer[xuint32-2]=table_end[0];
-+					buffer[xuint32-1]=table_end[1];
- 				} else {
- 					bufferoffset += TIFFReadRawTile(
- 						input, 
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9273.patch b/gnu/packages/patches/libtiff-CVE-2016-9273.patch
deleted file mode 100644
index 9cd6b3d8c5..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-9273.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Fix CVE-2016-9273:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
-http://bugzilla.maptools.org/show_bug.cgi?id=2587
-
-Patch extracted from upstream CVS repo:
-
-2016-11-10 Even Rouault <even.rouault at spatialys.com>
-
-revision 1.37
-date: 2016-11-09 18:00:49 -0500;  author: erouault;  state: Exp;  lines: +10 -1;  commitid: pzKipPxDJO2dxvtz;
-* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
-value when it is non-zero, instead of recomputing it. This is needed in
-TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
-array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
-
-Index: libtiff/tif_strip.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
-retrieving revision 1.36
-retrieving revision 1.37
-diff -u -r1.36 -r1.37
---- a/libtiff/tif_strip.c	7 Jun 2015 22:35:40 -0000	1.36
-+++ b/libtiff/tif_strip.c	9 Nov 2016 23:00:49 -0000	1.37
-@@ -63,6 +63,15 @@
- 	TIFFDirectory *td = &tif->tif_dir;
- 	uint32 nstrips;
- 
-+    /* If the value was already computed and store in td_nstrips, then return it,
-+       since ChopUpSingleUncompressedStrip might have altered and resized the
-+       since the td_stripbytecount and td_stripoffset arrays to the new value
-+       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
-+       tif_dirread.c ~line 3612.
-+       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
-+    if( td->td_nstrips )
-+        return td->td_nstrips;
-+
- 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
- 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
- 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9297.patch b/gnu/packages/patches/libtiff-CVE-2016-9297.patch
deleted file mode 100644
index c9207bbd25..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-9297.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Fix CVE-2016-9297:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9297
-http://bugzilla.maptools.org/show_bug.cgi?id=2590
-
-Patch copied from upstream source repository.
-
-2016-11-11 Even Rouault <even.rouault at spatialys.com>
-
-        * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
-        values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
-        access are null terminated, to avoid potential read outside buffer
-        in _TIFFPrintField().
-        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
-new revision: 1.1154; previous revision: 1.1153
-/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <-- 
-libtiff/tif_dirread.c
-new revision: 1.203; previous revision: 1.202Index: libtiff/libtiff/tif_dirread.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
-retrieving revision 1.202
-retrieving revision 1.203
-diff -u -r1.202 -r1.203
---- libtiff/libtiff/tif_dirread.c	11 Nov 2016 20:01:55 -0000	1.202
-+++ libtiff/libtiff/tif_dirread.c	11 Nov 2016 20:22:01 -0000	1.203
-@@ -5000,6 +5000,11 @@
- 					if (err==TIFFReadDirEntryErrOk)
- 					{
- 						int m;
-+                        if( data[dp->tdir_count-1] != '\0' )
-+                        {
-+                            TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-+                            data[dp->tdir_count-1] = '\0';
-+                        }
- 						m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
- 						if (data!=0)
- 							_TIFFfree(data);
-@@ -5172,6 +5177,11 @@
- 				if (err==TIFFReadDirEntryErrOk)
- 				{
- 					int m;
-+                    if( data[dp->tdir_count-1] != '\0' )
-+                    {
-+                        TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-+                        data[dp->tdir_count-1] = '\0';
-+                    }
- 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
- 					if (data!=0)
- 						_TIFFfree(data);
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9448.patch b/gnu/packages/patches/libtiff-CVE-2016-9448.patch
deleted file mode 100644
index 05a3af8a84..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-9448.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Fix CVE-2016-9448 (regression caused by fix for CVE-2016-9297).
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2593
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
-
-Patch copied from upstream source repository with:
-$ cvs diff -u -r 1.203 -r 1.204 libtiff/libtiff/tif_dirread.c
-
-Index: libtiff/libtiff/tif_dirread.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
-retrieving revision 1.203
-retrieving revision 1.204
-diff -u -r1.203 -r1.204
---- libtiff/libtiff/tif_dirread.c	11 Nov 2016 20:22:01 -0000	1.203
-+++ libtiff/libtiff/tif_dirread.c	16 Nov 2016 15:14:15 -0000	1.204
-@@ -5000,7 +5000,7 @@
- 					if (err==TIFFReadDirEntryErrOk)
- 					{
- 						int m;
--                        if( data[dp->tdir_count-1] != '\0' )
-+                        if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
-                         {
-                             TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-                             data[dp->tdir_count-1] = '\0';
-@@ -5177,7 +5177,7 @@
- 				if (err==TIFFReadDirEntryErrOk)
- 				{
- 					int m;
--                    if( data[dp->tdir_count-1] != '\0' )
-+                    if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
-                     {
-                         TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-                         data[dp->tdir_count-1] = '\0';
diff --git a/gnu/packages/patches/libtiff-uint32-overflow.patch b/gnu/packages/patches/libtiff-uint32-overflow.patch
deleted file mode 100644
index c95126f9a1..0000000000
--- a/gnu/packages/patches/libtiff-uint32-overflow.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-Fix some buffer overflows:
-
-http://seclists.org/oss-sec/2016/q4/408
-http://bugzilla.maptools.org/show_bug.cgi?id=2592
-
-2016-11-11 Even Rouault <even.rouault at spatialys.com>
-
-        * tools/tiffcrop.c: fix multiple uint32 overflows in
-        writeBufferToSeparateStrips(), writeBufferToContigTiles() and
-        writeBufferToSeparateTiles() that could cause heap buffer
-overflows.
-        Reported by Henri Salo from Nixu Corporation.
-        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
-new revision: 1.1152; previous revision: 1.1151
-/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
-new revision: 1.43; previous revision: 1.42
-
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.42
-retrieving revision 1.43
-diff -u -r1.42 -r1.43
---- libtiff/tools/tiffcrop.c	14 Oct 2016 19:13:20 -0000	1.42
-+++ libtiff/tools/tiffcrop.c	11 Nov 2016 19:33:06 -0000	1.43
-@@ -148,6 +148,8 @@
- #define PATH_MAX 1024
- #endif
- 
-+#define TIFF_UINT32_MAX     0xFFFFFFFFU
-+
- #ifndef streq
- #define	streq(a,b)	(strcmp((a),(b)) == 0)
- #endif
-@@ -1164,7 +1166,24 @@
-   (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
-   (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
-   bytes_per_sample = (bps + 7) / 8;
--  rowsize = ((bps * spp * width) + 7) / 8; /* source has interleaved samples */
-+  if( width == 0 ||
-+      (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
-+      bps * spp * width > TIFF_UINT32_MAX - 7U )
-+  {
-+      TIFFError(TIFFFileName(out),
-+            "Error, uint32 overflow when computing (bps * spp * width) + 7");
-+      return 1;
-+  }
-+  rowsize = ((bps * spp * width) + 7U) / 8; /* source has interleaved samples */
-+  if( bytes_per_sample == 0 ||
-+      rowsperstrip > TIFF_UINT32_MAX / bytes_per_sample ||
-+      rowsperstrip * bytes_per_sample > TIFF_UINT32_MAX / (width + 1) )
-+  {
-+      TIFFError(TIFFFileName(out),
-+                "Error, uint32 overflow when computing rowsperstrip * "
-+                "bytes_per_sample * (width + 1)");
-+      return 1;
-+  }
-   rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); 
- 
-   obuf = _TIFFmalloc (rowstripsize);
-@@ -1251,11 +1270,19 @@
-     }
-     }
- 
-+  if( imagewidth == 0 ||
-+      (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
-+      bps * spp * imagewidth > TIFF_UINT32_MAX - 7U )
-+  {
-+      TIFFError(TIFFFileName(out),
-+            "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
-+      return 1;
-+  }
-+  src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
-+
-   tilebuf = _TIFFmalloc(tile_buffsize);
-   if (tilebuf == 0)
-     return 1;
--
--  src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
-   for (row = 0; row < imagelength; row += tl)
-     {
-     nrow = (row + tl > imagelength) ? imagelength - row : tl;
-@@ -1315,7 +1342,16 @@
-   TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
-   TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
-   TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
--  src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
-+
-+  if( imagewidth == 0 ||
-+      (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
-+      bps * spp * imagewidth > TIFF_UINT32_MAX - 7 )
-+  {
-+      TIFFError(TIFFFileName(out),
-+            "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
-+      return 1;
-+  }
-+  src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
-          
-   for (row = 0; row < imagelength; row += tl)
-     {