head 1.2; access; symbols pkgsrc-2022Q1:1.1.0.2 pkgsrc-2022Q1-base:1.1; locks; strict; comment @# @; 1.2 date 2022.05.29.12.24.16; author gdt; state dead; branches; next 1.1; commitid KI7OGkMHkcxrPWFD; 1.1 date 2022.03.25.08.36.37; author nia; state Exp; branches; next ; commitid ngOljKb17O1tGzxD; desc @@ 1.2 log @graphics/tiff: Update to 4.4.0 Upstream does not provide NEWS. Skimming over 1300 lines of ChangeLog, this release contains mostly bufixes, speed improvemnents, and other minor improvements. This commit drops 5 patches for CVEs. These patches all appear to have been taken from the upstream repo. One CVE remains: https://nvd.nist.gov/vuln/detail/CVE-2018-10126 http://bugzilla.maptools.org/show_bug.cgi?id=2786 https://gitlab.com/libtiff/libtiff/-/issues/128 @ text @$NetBSD: patch-CVE-2022-22844,v 1.1 2022/03/25 08:36:37 nia Exp $ https://gitlab.com/libtiff/libtiff/-/issues/355 This fixes CVE-2022-22844. --- tools/tiffset.c.orig 2021-03-07 11:39:11.000000000 +0000 +++ tools/tiffset.c @@@@ -146,9 +146,19 @@@@ main(int argc, char* argv[]) arg_index++; if (TIFFFieldDataType(fip) == TIFF_ASCII) { - if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) - fprintf( stderr, "Failed to set %s=%s\n", - TIFFFieldName(fip), argv[arg_index] ); + if(TIFFFieldPassCount( fip )) { + size_t len; + len = strlen(argv[arg_index]) + 1; + if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), + (uint16_t)len, argv[arg_index]) != 1) + fprintf( stderr, "Failed to set %s=%s\n", + TIFFFieldName(fip), argv[arg_index] ); + } else { + if (TIFFSetField(tiff, TIFFFieldTag(fip), + argv[arg_index]) != 1) + fprintf( stderr, "Failed to set %s=%s\n", + TIFFFieldName(fip), argv[arg_index] ); + } } else if (TIFFFieldWriteCount(fip) > 0 || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { int ret = 1; @ 1.1 log @tiff: apply fixes for CVE-2022-22844 CVE-2022-0561 CVE-2022-0562 This is tiff-4.3.0nb1. @ text @d1 1 a1 1 $NetBSD$ @
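Review bot: In the new `TIFFFieldPassCount( fip )` branch the `len > UINT16_MAX` test shares one condition with the `TIFFSetField` call, so a value rejected for its length gets the same "Failed to set %s=%s" message as a library failure, and the oversized argument (more than 64 KiB) is echoed back to stderr. Separating the two makes the rejection visible: `if (len > UINT16_MAX) fprintf(stderr, "Value for %s is too long (%zu bytes)\n", TIFFFieldName(fip), len);` followed by `else if (TIFFSetField(tiff, TIFFFieldTag(fip), (uint16_t)len, argv[arg_index]) != 1)` with the existing message. A short comment on the branch, such as `/* pass-count ASCII tags take (count, string); count includes the NUL */`, would record why the two branches call TIFFSetField with different argument lists, which is the substance of the CVE-2022-22844 fix. main() begins and continues outside the hunk, so it is worth checking whether either failure changes the exit status, since callers scripting tiffset would otherwise not notice that the tag was not written.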