From 4e574b64ac30b77c767f6466eaced934c7a4ce54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lucio=20Andr=C3=A9s=20Illanes=20Albornoz?= Date: Sat, 23 Mar 2019 17:56:18 +0000 Subject: vars/build.vars:{clzip,expat}{_host,}: updated to v{1.11,2.2.6} (via Redfoxmoon.) vars/build.vars:libxml2: updated to v2.9.9 (via Redfoxmoon.) vars/build.vars:libunistring: updated to v0.9.10 (via Redfoxmoon.) vars/build.vars:libpng: updated to v1.6.36 (via Redfoxmoon.) vars/build.vars:tiff: updated to v4.0.10 (via Redfoxmoon.) vars/build.vars:gdbm: updated to v1.18.1 (via Redfoxmoon.) vars/build.vars:pcre: updated to v8.43 (via Redfoxmoon.) vars/build.vars:gzip: updated to v1.10 (via Redfoxmoon.) vars/build.vars:gzip:${PKG_{CFLAGS_CONFIGURE_EXTRA,CONFIGURE_ARGS,MAKEFLAGS_{BUILD,INSTALL}_EXTRA}}: unset (via Redfoxmoon.) vars/build.vars:libvorbis: updated to v1.3.6 (via Redfoxmoon.) vars/build.vars:libxslt: updated to v1.1.33 (via Redfoxmoon.) vars/build.vars:libtirpc: updated to v1.1.4 (via Redfoxmoon.) patches/expat-2.2.{5,6}.local.patch: updated (via Redfoxmoon.) patches/libtirpc-1.{0.3,1.4}.local.patch: updated (via Redfoxmoon.) patches/libvorbis-1.3.5.local.patch: removes obsolete patch (via Redfoxmoon.) patches/libxslt-1.1.3{2,3}.local.patch: updated (via Redfoxmoon.) patches/pcre-8.4{2,3}.local.patch: updated (via Redfoxmoon.) patches/tiff/CVE-{2017-{11613,17095,18013,9935},2018-{10963,5784,7456,8905}}.patch: removes obsolete patches (via Redfoxmoon.) patches/tiff/CVE-2018-12900.patch: added (via Redfoxmoon.) --- patches/tiff/CVE-2018-5784.patch | 128 --------------------------------------- 1 file changed, 128 deletions(-) delete mode 100644 patches/tiff/CVE-2018-5784.patch (limited to 'patches/tiff/CVE-2018-5784.patch') diff --git a/patches/tiff/CVE-2018-5784.patch b/patches/tiff/CVE-2018-5784.patch deleted file mode 100644 index 92fc2daf..00000000 --- a/patches/tiff/CVE-2018-5784.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001 -From: Nathan Baker -Date: Tue, 6 Feb 2018 10:13:57 -0500 -Subject: [PATCH] Fix for bug 2772 - -It is possible to craft a TIFF document where the IFD list is circular, -leading to an infinite loop while traversing the chain. The libtiff -directory reader has a failsafe that will break out of this loop after -reading 65535 directory entries, but it will continue processing, -consuming time and resources to process what is essentially a bogus TIFF -document. - -This change fixes the above behavior by breaking out of processing when -a TIFF document has >= 65535 directories and terminating with an error. ---- - contrib/addtiffo/tif_overview.c | 14 +++++++++++++- - tools/tiff2pdf.c | 10 ++++++++++ - tools/tiffcrop.c | 13 +++++++++++-- - 3 files changed, 34 insertions(+), 3 deletions(-) - -diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c -index c61ffbb..03b3573 100644 ---- a/contrib/addtiffo/tif_overview.c -+++ b/contrib/addtiffo/tif_overview.c -@@ -65,6 +65,8 @@ - # define MAX(a,b) ((a>b) ? a : b) - #endif - -+#define TIFF_DIR_MAX 65534 -+ - void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, - int (*)(double,void*), void * ); - -@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, - { - toff_t nBaseDirOffset; - toff_t nOffset; -+ tdir_t iNumDir; - - (void) bUseSubIFDs; - -@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, - return 0; - - TIFFWriteDirectory( hTIFF ); -- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); -+ iNumDir = TIFFNumberOfDirectories(hTIFF); -+ if( iNumDir > TIFF_DIR_MAX ) -+ { -+ TIFFErrorExt( TIFFClientdata(hTIFF), -+ "TIFF_WriteOverview", -+ "File `%s' has too many directories.\n", -+ TIFFFileName(hTIFF) ); -+ exit(-1); -+ } -+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); - - nOffset = TIFFCurrentDirOffset( hTIFF ); - -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index 984ef65..832a247 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); - - #define PS_UNIT_SIZE 72.0F - -+#define TIFF_DIR_MAX 65534 -+ - /* This type is of PDF color spaces. */ - typedef enum { - T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ -@@ -1049,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ - uint16* tiff_transferfunction[3]; - - directorycount=TIFFNumberOfDirectories(input); -+ if(directorycount > TIFF_DIR_MAX) { -+ TIFFError( -+ TIFF2PDF_MODULE, -+ "TIFF contains too many directories, %s", -+ TIFFFileName(input)); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return; -+ } - t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); - if(t2p->tiff_pages==NULL){ - TIFFError( -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 91a38f6..e466dae 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -217,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); - #define DUMP_TEXT 1 - #define DUMP_RAW 2 - -+#define TIFF_DIR_MAX 65534 -+ - /* Offsets into buffer for margins and fixed width and length segments */ - struct offset { - uint32 tmargin; -@@ -2233,7 +2234,7 @@ main(int argc, char* argv[]) - pageNum = -1; - else - total_images = 0; -- /* read multiple input files and write to output file(s) */ -+ /* Read multiple input files and write to output file(s) */ - while (optind < argc - 1) - { - in = TIFFOpen (argv[optind], "r"); -@@ -2241,7 +2242,14 @@ main(int argc, char* argv[]) - return (-3); - - /* If only one input file is specified, we can use directory count */ -- total_images = TIFFNumberOfDirectories(in); -+ total_images = TIFFNumberOfDirectories(in); -+ if (total_images > TIFF_DIR_MAX) -+ { -+ TIFFError (TIFFFileName(in), "File contains too many directories"); -+ if (out != NULL) -+ (void) TIFFClose(out); -+ return (1); -+ } - if (image_count == 0) - { - dirnum = 0; --- -libgit2 0.26.0 - -- cgit v1.2.3