From 7d356a6d159ee3230bde46a3f4d8139b09be11b8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 05 2019 19:03:30 +0000
Subject: import libtiff-4.0.9-15.el8
---
diff --git a/SOURCES/libtiff-CVE-2018-12900.patch b/SOURCES/libtiff-CVE-2018-12900.patch
new file mode 100644
index 0000000..c7c3d30
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2018-12900.patch
@@ -0,0 +1,47 @@
+From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Mon, 11 Feb 2019 10:05:33 +0100
+Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
+
+fixes bug 2833
+---
+ tools/tiffcp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 489459a..0c66229 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -43,6 +43,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ int status = 1;
+ uint32 imagew = TIFFRasterScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew*spp;
++ int iskew;
+ tsize_t tilesize = TIFFTileSize(in);
+ tdata_t tilebuf;
+ uint8* bufp = (uint8*) buf;
+@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
++ if (tilew && spp > (INT_MAX / tilew))
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++ return 0;
++ }
++ iskew = imagew - tilew*spp;
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+ return 0;
+--
+2.21.0
+
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index 1c0ca25..42dd6a0 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.9
-Release: 13%{?dist}
+Release: 15%{?dist}
 License: libtiff
 Group: System Environment/Libraries
 URL: http://www.simplesystems.org/libtiff/
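Review bot: In the embedded tools/tiffcp.c patch (hunk `@@ -1399,6 +1400,12 @@`), the new guard bounds only the product `tilew*spp`; `imagew` is a `uint32` that is not range-checked anywhere in the visible lines. That means `iskew = imagew - tilew*spp` is still evaluated in unsigned arithmetic and then converted to `int`, which is implementation-defined whenever the result does not fit. If a wrapped (negative) skew is relied on for images narrower than a tile row, a one-line comment above the assignment should say so; otherwise the guard could also reject oversized scanlines, e.g. `if (imagew > INT_MAX || (tilew && spp > (INT_MAX / tilew)))`. A zero `tilew` also skips the check and continues silently, so it is worth confirming that the rest of `readSeparateTilesIntoBuffer` tolerates that; its body starts and ends outside the hunk.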
@@ -20,6 +20,7 @@ Patch8: libtiff-CVE-2018-17100.patch Patch9: libtiff-coverity.patch Patch10: libtiff-CVE-2018-18557.patch Patch11: libtiff-CVE-2018-18661.patch +Patch12: libtiff-CVE-2018-12900.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel @@ -83,6 +84,7 @@ image files using the libtiff library. %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -186,6 +188,12 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Wed Jun 12 2019 Nikola Forró - 4.0.9-15 +- Fix DIVIDE_BY_ZERO in patch for CVE-2018-12900 (#1595579) + +* Thu Jun 06 2019 Nikola Forró - 4.0.9-14 +- Fix CVE-2018-12900 (#1595579) + * Thu Dec 13 2018 Nikola Forró - 4.0.9-13 - Fix compiler warning introduced by patch for CVE-2018-18661