svn commit: r418586 - in branches/2016Q3/graphics/tiff: . files

Fri Jul 15 16:24:49 UTC 2016

Author: feld
Date: Fri Jul 15 16:24:47 2016
New Revision: 418586
URL: https://svnweb.freebsd.org/changeset/ports/418586

Log:
  MFH: r418585
  
  graphics/tiff: Patch vulnerabilities
  
  These two patches were obtained from OpenBSD. An additional CVE is not
  yet addressed, but upstream indicates they are removing the gif2tiff
  utility as the mitigation in the upcoming 4.0.7.
  
  PR:		211113
  Security:	CVE-2016-5875
  Security:	CVE-2016-3186
  
  Approved by:	ports-secteam (with hat)

Added:
  branches/2016Q3/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
     - copied unchanged from r418585, head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
  branches/2016Q3/graphics/tiff/files/patch-tools_gif2tiff.c
     - copied unchanged from r418585, head/graphics/tiff/files/patch-tools_gif2tiff.c
Modified:
  branches/2016Q3/graphics/tiff/Makefile
Directory Properties:
  branches/2016Q3/   (props changed)

Modified: branches/2016Q3/graphics/tiff/Makefile
==============================================================================

--- branches/2016Q3/graphics/tiff/Makefile	Fri Jul 15 16:22:53 2016	(r418585)
+++ branches/2016Q3/graphics/tiff/Makefile	Fri Jul 15 16:24:47 2016	(r418586)
@@ -3,7 +3,7 @@
 
 PORTNAME=	tiff
 PORTVERSION=	4.0.6
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.remotesensing.org/pub/libtiff/ \
 		http://download.osgeo.org/libtiff/

Copied: branches/2016Q3/graphics/tiff/files/patch-libtiff_tif__pixarlog.c (from r418585, head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q3/graphics/tiff/files/patch-libtiff_tif__pixarlog.c	Fri Jul 15 16:24:47 2016	(r418586, copy of r418585, head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c)
@@ -0,0 +1,34 @@
+CVE-2016-5875(, dup?)
+https://marc.info/?l=oss-security&m=146720235906569&w=2
+
+--- libtiff/tif_pixarlog.c.orig	Sat Aug 29 00:16:22 2015
++++ libtiff/tif_pixarlog.c	Fri Jul  1 13:04:52 2016
+@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int strid
+ typedef	struct {
+ 	TIFFPredictorState	predict;
+ 	z_stream		stream;
++	tmsize_t		tbuf_size; /* only set/used on reading for now */
+ 	uint16			*tbuf; 
+ 	uint16			stride;
+ 	int			state;
+@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
+ 	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ 	if (sp->tbuf == NULL)
+ 		return (0);
++	sp->tbuf_size = tbuf_size;
+ 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ 		sp->user_datafmt = PixarLogGuessDataFmt(td);
+ 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+@@ -779,6 +781,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uin
+ 	if (sp->stream.avail_out != nsamples * sizeof(uint16))
+ 	{
+ 		TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
++		return (0);
++	}
++	/* Check that we will not fill more than what was allocated */
++	if (sp->stream.avail_out > sp->tbuf_size)
++	{
++		TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
+ 		return (0);
+ 	}
+ 	do {

Copied: branches/2016Q3/graphics/tiff/files/patch-tools_gif2tiff.c (from r418585, head/graphics/tiff/files/patch-tools_gif2tiff.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q3/graphics/tiff/files/patch-tools_gif2tiff.c	Fri Jul 15 16:24:47 2016	(r418586, copy of r418585, head/graphics/tiff/files/patch-tools_gif2tiff.c)
@@ -0,0 +1,14 @@
+CVE-2016-3186, patch from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1319666
+
+--- tools/gif2tiff.c.orig	Fri Jul  1 13:11:43 2016
++++ tools/gif2tiff.c	Fri Jul  1 13:12:07 2016
+@@ -349,7 +349,7 @@ readextension(void)
+     int status = 1;
+ 
+     (void) getc(infile);
+-    while ((count = getc(infile)) && count <= 255)
++    while ((count = getc(infile)) && count >= 0 && count <= 255)
+         if (fread(buf, 1, count, infile) != (size_t) count) {
+             fprintf(stderr, "short read from file %s (%s)\n",
+                     filename, strerror(errno));
