head 1.2; access; symbols pkgsrc-2019Q3:1.1.0.4 pkgsrc-2019Q3-base:1.1 pkgsrc-2019Q2:1.1.0.2; locks; strict; comment @# @; 1.2 date 2019.11.04.01.11.38; author gdt; state dead; branches; next 1.1; commitid uboDUgQRD1QsetJB; 1.1 date 2019.07.17.09.25.45; author nia; state Exp; branches 1.1.2.1; next ; commitid GvQSd6T8h9IawnvB; 1.1.2.1 date 2019.07.17.09.25.45; author bsiegert; state dead; branches; next 1.1.2.2; commitid MpquoBA57O3eRwvB; 1.1.2.2 date 2019.07.18.13.32.31; author bsiegert; state Exp; branches; next ; commitid MpquoBA57O3eRwvB; desc @@ 1.2 log @graphics/tiff: Update to 4.1.0 Upstream changes are basically minor improvements and bugfixes. Specifically upstream states that there are no ABI changes. Multiple security bugs are fixed due to fuzzing; patches are dropped because they were backported from upstream. @ text @$NetBSD: patch-CVE-2018-12900,v 1.1 2019/07/17 09:25:45 nia Exp $ Fixes CVE-2018-12900 Upstream commit: https://gitlab.com/libtiff/libtiff/commit/27124e9148b2056d0e0bf4033b4924d5d2a38d01.patch --- tools/tiffcp.c.orig 2018-10-13 13:58:55.000000000 +0000 +++ tools/tiffcp.c @@@@ -41,6 +41,7 @@@@ #include #include #include +#include #include @@@@ -1408,7 +1409,7 @@@@ DECLAREreadFunc(readSeparateTilesIntoBuf int status = 1; uint32 imagew = TIFFRasterScanlineSize(in); uint32 tilew = TIFFTileRowSize(in); - int iskew = imagew - tilew*spp; + int iskew; tsize_t tilesize = TIFFTileSize(in); tdata_t tilebuf; uint8* bufp = (uint8*) buf; @@@@ -1416,6 +1417,12 @@@@ DECLAREreadFunc(readSeparateTilesIntoBuf uint32 row; uint16 bps = 0, bytes_per_sample; + if (spp > (INT_MAX / tilew)) + { + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + return 0; + } + iskew = imagew - tilew*spp; tilebuf = _TIFFmalloc(tilesize); if (tilebuf == 0) return 0; @ 1.1 log @tiff: Apply patches from upstream's git for the following CVEs: CVE-2018-12900 - buffer-overflow CVE-2018-17000 - denial-of-service CVE-2018-19210 - null-pointer-dereference CVE-2019-6128 - memory-leak Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2018-12900 was added on branch pkgsrc-2019Q2 on 2019-07-18 13:32:31 +0000 @ text @d1 39 @ 1.1.2.2 log @Pullup ticket #6004 - requested by nia graphics/tiff: security fix Revisions pulled up: - graphics/tiff/Makefile 1.145 - graphics/tiff/distinfo 1.94 - graphics/tiff/patches/patch-CVE-2018-12900 1.1 - graphics/tiff/patches/patch-CVE-2018-17000 1.1 - graphics/tiff/patches/patch-CVE-2018-19210 1.1 - graphics/tiff/patches/patch-CVE-2019-6128 1.1 --- Module Name: pkgsrc Committed By: nia Date: Wed Jul 17 09:25:45 UTC 2019 Modified Files: pkgsrc/graphics/tiff: Makefile distinfo Added Files: pkgsrc/graphics/tiff/patches: patch-CVE-2018-12900 patch-CVE-2018-17000 patch-CVE-2018-19210 patch-CVE-2019-6128 Log Message: tiff: Apply patches from upstream's git for the following CVEs: CVE-2018-12900 - buffer-overflow CVE-2018-17000 - denial-of-service CVE-2018-19210 - null-pointer-dereference CVE-2019-6128 - memory-leak Bump PKGREVISION. @ text @a0 39 $NetBSD: patch-CVE-2018-12900,v 1.1 2019/07/17 09:25:45 nia Exp $ Fixes CVE-2018-12900 Upstream commit: https://gitlab.com/libtiff/libtiff/commit/27124e9148b2056d0e0bf4033b4924d5d2a38d01.patch --- tools/tiffcp.c.orig 2018-10-13 13:58:55.000000000 +0000 +++ tools/tiffcp.c @@@@ -41,6 +41,7 @@@@ #include #include #include +#include #include @@@@ -1408,7 +1409,7 @@@@ DECLAREreadFunc(readSeparateTilesIntoBuf int status = 1; uint32 imagew = TIFFRasterScanlineSize(in); uint32 tilew = TIFFTileRowSize(in); - int iskew = imagew - tilew*spp; + int iskew; tsize_t tilesize = TIFFTileSize(in); tdata_t tilebuf; uint8* bufp = (uint8*) buf; @@@@ -1416,6 +1417,12 @@@@ DECLAREreadFunc(readSeparateTilesIntoBuf uint32 row; uint16 bps = 0, bytes_per_sample; + if (spp > (INT_MAX / tilew)) + { + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + return 0; + } + iskew = imagew - tilew*spp; tilebuf = _TIFFmalloc(tilesize); if (tilebuf == 0) return 0; @