head 1.3; access; symbols pkgsrc-2014Q4:1.2.0.12 pkgsrc-2014Q4-base:1.2 pkgsrc-2014Q3:1.2.0.10 pkgsrc-2014Q3-base:1.2 pkgsrc-2014Q2:1.2.0.8 pkgsrc-2014Q2-base:1.2 pkgsrc-2014Q1:1.2.0.6 pkgsrc-2014Q1-base:1.2 pkgsrc-2013Q4:1.2.0.4 pkgsrc-2013Q4-base:1.2 pkgsrc-2013Q3:1.2.0.2 pkgsrc-2013Q3-base:1.2 pkgsrc-2013Q2:1.1.0.2 pkgsrc-2013Q2-base:1.1; locks; strict; comment @# @; 1.3 date 2015.03.29.14.47.03; author bsiegert; state dead; branches; next 1.2; commitid 3mL0zkxEOwrPMvfy; 1.2 date 2013.08.15.14.58.46; author drochner; state Exp; branches; next 1.1; commitid xpKPqsphRhJPQy1x; 1.1 date 2013.05.02.14.52.44; author drochner; state Exp; branches; next ; desc @@ 1.3 log @SECURITY: Update libtiff to 4.0.4beta to fix CVE-2014-8127 CVE-2014-8128 CVE-2014-8129 CVE-2014-8130 (likely) Remaining unfixed vulnerabilities: CVE-2014-9655, CVE-2015-1547 (but these are unfixed upstream AFAICS). ok wiz @ text @$NetBSD: patch-CVE-2013-1960_1961,v 1.2 2013/08/15 14:58:46 drochner Exp $ see https://bugzilla.redhat.com/show_bug.cgi?id=952131 and https://bugzilla.redhat.com/show_bug.cgi?id=952158 also fixes CVE-2013-4232 see http://bugzilla.maptools.org/show_bug.cgi?id=2449 --- contrib/dbs/xtiff/xtiff.c.orig 2010-06-08 20:55:15.000000000 +0200 +++ contrib/dbs/xtiff/xtiff.c 2013-05-02 16:27:43.000000000 +0200 @@@@ -512,9 +512,9 @@@@ SetNameLabel() Arg args[1]; if (tfMultiPage) - sprintf(buffer, "%s - page %d", fileName, tfDirectory); + snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory); else - strcpy(buffer, fileName); + snprintf(buffer, sizeof(buffer), "%s", fileName); XtSetArg(args[0], XtNlabel, buffer); XtSetValues(labelWidget, args, 1); } --- libtiff/tif_codec.c.orig 2010-12-14 15:18:28.000000000 +0100 +++ libtiff/tif_codec.c 2013-05-02 16:27:43.000000000 +0200 @@@@ -108,7 +108,8 @@@@ _notConfigured(TIFF* tif) const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression); char compression_code[20]; - sprintf( compression_code, "%d", tif->tif_dir.td_compression 
); + snprintf(compression_code, sizeof(compression_code), "%d", + tif->tif_dir.td_compression ); TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "%s compression support is not configured", c ? c->name : compression_code ); --- libtiff/tif_dirinfo.c.orig 2012-08-19 18:56:34.000000000 +0200 +++ libtiff/tif_dirinfo.c 2013-05-02 16:27:43.000000000 +0200 @@@@ -711,7 +711,7 @@@@ _TIFFCreateAnonField(TIFF *tif, uint32 t * note that this name is a special sign to TIFFClose() and * _TIFFSetupFields() to free the field */ - sprintf(fld->field_name, "Tag %d", (int) tag); + snprintf(fld->field_name, 32, "Tag %d", (int) tag); return fld; } --- tools/rgb2ycbcr.c.orig 2011-05-31 19:03:16.000000000 +0200 +++ tools/rgb2ycbcr.c 2013-05-02 16:27:43.000000000 +0200 @@@@ -332,7 +332,8 @@@@ tiffcvt(TIFF* in, TIFF* out) TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG); { char buf[2048]; char *cp = strrchr(TIFFFileName(in), '/'); - sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in)); + snprintf(buf, sizeof(buf), "YCbCr conversion of %s", + cp ? 
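Review bot: The bound in `snprintf(fld->field_name, 32, "Tag %d", (int) tag);` in the libtiff/tif_dirinfo.c hunk is a bare literal that has to equal the size of the `field_name` allocation, which is made in _TIFFCreateAnonField above the lines shown here. If the two ever drift apart, the call either truncates needlessly or can write past the allocation again. A single named constant used at both the allocation and the snprintf call would keep them tied together, for example a file-local `enum { ANON_FIELD_NAME_LEN = 32 };` (the name is only a suggestion).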
cp+1 : TIFFFileName(in)); TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf); } TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); --- tools/tiff2bw.c.orig 2010-07-08 18:10:24.000000000 +0200 +++ tools/tiff2bw.c 2013-05-02 16:27:43.000000000 +0200 @@@@ -205,7 +205,7 @@@@ main(int argc, char* argv[]) } } TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK); - sprintf(thing, "B&W version of %s", argv[optind]); + snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]); TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw"); outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); --- tools/tiff2pdf.c.orig 2012-07-26 02:56:43.000000000 +0000 +++ tools/tiff2pdf.c @@@@ -2462,6 +2462,7 @@@@ tsize_t t2p_readwrite_pdf_image(T2P* t2p TIFFFileName(input)); t2p->t2p_error = T2P_ERR_ERROR; _TIFFfree(buffer); + return(0); } else { buffer=samplebuffer; t2p->tiff_datasize *= t2p->tiff_samplesperpixel; @@@@ -3341,33 +3342,56 @@@@ int t2p_process_jpeg_strip( uint32 height){ tsize_t i=0; - uint16 ri =0; - uint16 v_samp=1; - uint16 h_samp=1; - int j=0; - - i++; - - while(i<(*striplength)){ + + while (i < *striplength) { + tsize_t datalen; + uint16 ri; + uint16 v_samp; + uint16 h_samp; + int j; + int ncomp; + + /* marker header: one or more FFs */ + if (strip[i] != 0xff) + return(0); + i++; + while (i < *striplength && strip[i] == 0xff) + i++; + if (i >= *striplength) + return(0); + /* SOI is the only pre-SOS marker without a length word */ + if (strip[i] == 0xd8) + datalen = 0; + else { + if ((*striplength - i) <= 2) + return(0); + datalen = (strip[i+1] << 8) | strip[i+2]; + if (datalen < 2 || datalen >= (*striplength - i)) + return(0); + } switch( strip[i] ){ - case 0xd8: - /* SOI - start of image */ + case 0xd8: /* SOI - start of image */ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); *bufferoffset+=2; - i+=2; break; - case 0xc0: - case 0xc1: - case 0xc3: - case 0xc9: - case 0xca: + case 0xc0: /* SOF0 
*/ + case 0xc1: /* SOF1 */ + case 0xc3: /* SOF3 */ + case 0xc9: /* SOF9 */ + case 0xca: /* SOF10 */ if(no==0){ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - for(j=0;j>4) > h_samp) - h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); - if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) - v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + ncomp = buffer[*bufferoffset+9]; + if (ncomp < 1 || ncomp > 4) + return(0); + v_samp=1; + h_samp=1; + for(j=0;j>4) > h_samp) + h_samp = (samp>>4); + if( (samp & 0x0f) > v_samp) + v_samp = (samp & 0x0f); } v_samp*=8; h_samp*=8; @@@@ -3381,45 +3405,43 @@@@ int t2p_process_jpeg_strip( (unsigned char) ((height>>8) & 0xff); buffer[*bufferoffset+6]= (unsigned char) (height & 0xff); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; - + *bufferoffset+=datalen+2; + /* insert a DRI marker */ buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]=0xdd; buffer[(*bufferoffset)++]=0x00; buffer[(*bufferoffset)++]=0x04; buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; buffer[(*bufferoffset)++]= ri & 0xff; - } else { - i+=strip[i+2]+2; } break; - case 0xc4: - case 0xdb: - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; + case 0xc4: /* DHT */ + case 0xdb: /* DQT */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; break; - case 0xda: + case 0xda: /* SOS */ if(no==0){ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; } else { buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]= (unsigned char)(0xd0 | ((no-1)%8)); - i+=strip[i+2]+2; } - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); - *bufferoffset+=(*striplength)-i-1; + i += datalen + 1; + /* copy 
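Review bot: In the SOF case of the tools/tiff2pdf.c hunk at -3341, `ncomp` is read from `buffer[*bufferoffset+9]` after only `datalen+2` bytes were copied, and `datalen` has so far only been checked to be at least 2. A short SOF segment therefore lets that read, and the per-component sampling reads after it, land on bytes that never came from this segment. A guard before the copy such as `if (datalen < 8) return(0);`, followed by `if (datalen < 8 + 3*ncomp) return(0);` once `ncomp` has passed its range check, would tie the reads to the declared segment length (an SOF length word is 8 plus 3 bytes per component). The loop body is partly garbled on this page, so the component stride should be confirmed against the real file. t2p_process_jpeg_strip continues past the end of this hunk.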
remainder of strip */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); + *bufferoffset+= *striplength - i; return(1); default: - i+=strip[i+2]+2; + /* ignore any other marker */ + break; } + i += datalen + 1; } - + /* failed to find SOS marker */ return(0); } #endif --- tools/tiff2ps.c.orig 2011-05-31 19:10:18.000000000 +0200 +++ tools/tiff2ps.c 2013-05-02 16:27:43.000000000 +0200 @@@@ -1781,8 +1781,8 @@@@ PS_Lvl2ImageDict(FILE* fd, TIFF* tif, ui imageOp = "imagemask"; (void)strcpy(im_x, "0"); - (void)sprintf(im_y, "%lu", (long) h); - (void)sprintf(im_h, "%lu", (long) h); + (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h); + (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h); tile_width = w; tile_height = h; if (TIFFIsTiled(tif)) { @@@@ -1803,7 +1803,7 @@@@ PS_Lvl2ImageDict(FILE* fd, TIFF* tif, ui } if (tile_height < h) { fputs("/im_y 0 def\n", fd); - (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); + (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); } } else { repeat_count = tf_numberstrips; @@@@ -1815,7 +1815,7 @@@@ PS_Lvl2ImageDict(FILE* fd, TIFF* tif, ui fprintf(fd, "/im_h %lu def\n", (unsigned long) tile_height); (void)strcpy(im_h, "im_h"); - (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h); + (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h); } } --- tools/tiffcrop.c.orig 2010-12-14 15:18:28.000000000 +0100 +++ tools/tiffcrop.c 2013-05-02 16:27:43.000000000 +0200 @@@@ -2077,7 +2077,7 @@@@ update_output_file (TIFF **tiffout, char return 1; } - sprintf (filenum, "-%03d%s", findex, export_ext); + snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext); filenum[14] = '\0'; strncat (exportname, filenum, 15); } @@@@ -2230,8 +2230,8 @@@@ main(int argc, char* argv[]) /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes fewer than PATH_MAX */ - memset (temp_filename, '\0', PATH_MAX + 1); - sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, 
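Review bot: None of the writes through `buffer[*bufferoffset]` in the tools/tiff2pdf.c hunk at -3381 are checked against the size of the destination; this covers the segment copies, the six-byte DRI insert and the final remainder copy. Every read from `strip` is now validated against `*striplength`, but as far as the visible lines show, the destination size is not passed into t2p_process_jpeg_strip at all. Whether the caller's allocation always covers the strip length plus the inserted marker bytes cannot be confirmed from this page. I would add a comment at the top of the function stating that sizing invariant, e.g. `/* caller must size buffer for the whole strip plus 6 bytes of inserted DRI marker */`, or add an explicit capacity argument if the invariant does not hold.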
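Review bot: Two of the converted calls in the first tools/tiff2ps.c hunk keep a mismatched cast: `"%lu"` is paired with `(long) h`, while the later hunks in the same function use `(unsigned long) h`. Since these lines are being touched anyway, `(void)snprintf(im_y, sizeof(im_y), "%lu", (unsigned long) h);` and the same for `im_h` would make the specifier and the argument agree. PS_Lvl2ImageDict starts and ends outside the hunk, so `im_y` and `im_h` are assumed to be arrays; otherwise `sizeof` would not be the right bound.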
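Review bot: In the update_output_file hunk of tools/tiffcrop.c the snprintf bounds the write into `filenum`, but the append two lines later is unchanged. `strncat (exportname, filenum, 15);` limits how much is read from `filenum`, not how much room is left in `exportname`, whose size and earlier contents are set outside this hunk. If `exportname` is an array in scope, `strncat(exportname, filenum, sizeof(exportname) - strlen(exportname) - 1);` bounds the append by the remaining space. Now that snprintf guarantees termination, `filenum[14] = '\0';` is redundant, and it is only valid if `filenum` holds at least 15 bytes.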
dump_images, + snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s", + dump.infilename, dump_images, (dump.format == DUMP_TEXT) ? "txt" : "raw"); if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL) { @@@@ -2249,8 +2249,8 @@@@ main(int argc, char* argv[]) /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes fewer than PATH_MAX */ - memset (temp_filename, '\0', PATH_MAX + 1); - sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images, + snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s", + dump.outfilename, dump_images, (dump.format == DUMP_TEXT) ? "txt" : "raw"); if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL) { --- tools/tiffdither.c.orig 2010-03-10 19:56:50.000000000 +0100 +++ tools/tiffdither.c 2013-05-02 16:27:43.000000000 +0200 @@@@ -260,7 +260,7 @@@@ main(int argc, char* argv[]) TIFFSetField(out, TIFFTAG_FILLORDER, fillorder); else CopyField(TIFFTAG_FILLORDER, shortv); - sprintf(thing, "Dithered B&W version of %s", argv[optind]); + snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]); TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing); CopyField(TIFFTAG_PHOTOMETRIC, shortv); CopyField(TIFFTAG_ORIENTATION, shortv); @ 1.2 log @add patches from upstream CVS and Redhat bugzilla to fix buffer overflow and use-after-free problems in the "gif2tiff" and "tiff2pdf" command line tools (the library is not affected) (CVE-2013-4231, CVE-2013-4232, CVE-2013-4244) bump PKGREV @ text @d1 1 a1 1 $NetBSD: patch-CVE-2013-1960_1961,v 1.1 2013/05/02 14:52:44 drochner Exp $ @ 1.1 log @add patches from Redhat to fix possible buffer overflows in the "tiff2pdf" tool by crafted TIFF image files (CVE-2013-1960/61) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ d6 3 d69 11 a79 3 --- tools/tiff2pdf.c.orig 2013-05-02 16:27:43.000000000 +0200 +++ tools/tiff2pdf.c 2013-05-02 16:32:49.000000000 +0200 @@@@ -3341,33 +3341,56 @@@@ int t2p_process_jpeg_strip( d158 1 a158 1 @@@@ -3381,45 +3404,43 
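Review bot: The snprintf result is not checked before `temp_filename` is passed to `fopen(temp_filename, dump.mode)`, both in the tools/tiffcrop.c hunk at -2230 and in the one at -2249. An over-long name is now silently truncated, so the tool would open a different path from the one it was asked to use. The context comment says the base name leaves 20 bytes of headroom, but `%03d` sets only a minimum width, so a large `dump_images` can use that up. Capturing the return value and rejecting truncation before the fopen would close this, e.g. `if (n < 0 || (size_t)n >= sizeof(temp_filename)) { /* report and bail out */ }`. `temp_filename` is declared outside both hunks and is assumed to be an array.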
@@@@ int t2p_process_jpeg_strip( @