diff --git a/SOURCES/libtiff-CVE-2013-4231.patch b/SOURCES/libtiff-CVE-2013-4231.patch new file mode 100644 index 0000000..8ae1e12 --- /dev/null +++ b/SOURCES/libtiff-CVE-2013-4231.patch @@ -0,0 +1,15 @@ +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index 17f7a19..375b152 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -333,6 +333,10 @@ readraster(void) + int status = 1; + + datasize = getc(infile); ++ ++ if (datasize > 12) ++ return 0; ++ + clear = 1 << datasize; + eoi = clear + 1; + avail = clear + 2; diff --git a/SOURCES/libtiff-CVE-2013-4232.patch b/SOURCES/libtiff-CVE-2013-4232.patch new file mode 100644 index 0000000..5e8612c --- /dev/null +++ b/SOURCES/libtiff-CVE-2013-4232.patch @@ -0,0 +1,12 @@ +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 92a1a3d..26a1acb 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){ + TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; + _TIFFfree(buffer); ++ return(0); + } else { + buffer=samplebuffer; + t2p->tiff_datasize *= t2p->tiff_samplesperpixel; diff --git a/SOURCES/libtiff-CVE-2013-4243.patch b/SOURCES/libtiff-CVE-2013-4243.patch new file mode 100644 index 0000000..3ffc207 --- /dev/null +++ b/SOURCES/libtiff-CVE-2013-4243.patch @@ -0,0 +1,37 @@ +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index 2731273..1e9b4b9 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -280,6 +280,10 @@ readgifimage(char* mode) + fprintf(stderr, "no colormap present for image\n"); + return (0); + } ++ if (width == 0 || height == 0) { ++ fprintf(stderr, "Invalid value of width or height\n"); ++ return(0); ++ } + if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) { + fprintf(stderr, "not enough memory for image\n"); + return (0); +@@ -406,6 +410,10 @@ process(register int code, unsigned char** fill) + fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); + return 0; + } ++ if (*fill >= raster + width*height) { ++ fprintf(stderr, "raster full before eoi code\n"); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; +@@ -436,6 +444,10 @@ process(register int code, unsigned char** fill) + } + oldcode = incode; + do { ++ if (*fill >= raster + width*height) { ++ fprintf(stderr, "raster full before eoi code\n"); ++ return 0; ++ } + *(*fill)++ = *--stackp; + } while (stackp > stack); + return 1; diff --git a/SOURCES/libtiff-CVE-2013-4244.patch b/SOURCES/libtiff-CVE-2013-4244.patch new file mode 100644 index 0000000..792e076 --- /dev/null +++ b/SOURCES/libtiff-CVE-2013-4244.patch @@ -0,0 +1,15 @@ +diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c +index 375b152..2731273 100644 +--- a/tools/gif2tiff.c ++++ b/tools/gif2tiff.c +@@ -402,6 +402,10 @@ process(register int code, unsigned char** fill) + } + + if (oldcode == -1) { ++ if (code >= clear) { ++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1; diff --git a/SOURCES/libtiff-manpage-update.patch b/SOURCES/libtiff-manpage-update.patch index cb2aee4..12d2aef 100644 --- a/SOURCES/libtiff-manpage-update.patch +++ b/SOURCES/libtiff-manpage-update.patch @@ -105,3 +105,15 @@ index 0f81b19..8c696db 100644 " -i ignore read errors", " -b file[,#] bias (dark) monochrome image to be subtracted from all others", " -,=% use % rather than , to separate image #'s (per Note below)", +diff --git a/man/tiff2ps.1 b/man/tiff2ps.1 +index b4a304a..0d672b0 100644 +--- a/man/tiff2ps.1 ++++ b/man/tiff2ps.1 +@@ -149,6 +149,7 @@ be split in several pages. Options + and + .B \-W + are mutually exclusive. ++.TP + .B \-i + Enable/disable pixel interpolation. This option requires a + single numeric value: zero to disable pixel interpolation and diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec index 4d9eeda..9892c94 100644 --- a/SPECS/libtiff.spec +++ b/SPECS/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.0.3 -Release: 9%{?dist} +Release: 14%{?dist} License: libtiff Group: System Environment/Libraries @@ -18,6 +18,10 @@ Patch5: libtiff-CVE-2013-1960.patch Patch6: libtiff-CVE-2013-1961.patch Patch7: libtiff-manpage-update.patch Patch8: libtiff-make-check.patch +Patch9: libtiff-CVE-2013-4231.patch +Patch10: libtiff-CVE-2013-4232.patch +Patch11: libtiff-CVE-2013-4244.patch +Patch12: libtiff-CVE-2013-4243.patch BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -77,6 +81,10 @@ image files using the libtiff library. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -181,6 +189,23 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Thu Feb 13 2014 Petr Hracek - 4.0.3-14 +- Resolves: #996827 CVE-2013-4243 libtiff various flaws + +* Fri Jan 24 2014 Daniel Mach - 4.0.3-13 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 4.0.3-12 +- Mass rebuild 2013-12-27 + +* Wed Dec 18 2013 Petr Hracek - 4.0.3-11 +- Correct man page option -W +Resolves: #510240 + +* Thu Dec 12 2013 Petr Hracek - 4.0.3-10 +- Resolves: #996827 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244 + libtiff various flaws + * Mon Oct 21 2013 Petr Hracek - 4.0.3-9 - Resolves: #1017070 - make check moved to %check section