git.99rst.org / openwrt-packages.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side (parent: 8938517)
tiff: Fix CVE-2017-17095
authorRosen Penev <redacted>
Mon, 27 Aug 2018 04:23:50 +0000 (21:23 -0700)
committerRosen Penev <redacted>
Mon, 27 Aug 2018 04:23:50 +0000 (21:23 -0700)
Fedora does not have a fix for this but Debian does. Took fix from there.

There are two more CVEs as reported by uscan but I can't seem to find
patches for those.

Signed-off-by: Rosen Penev <redacted>
libs/tiff/Makefile patch | blob | history
libs/tiff/patches/027-CVE-2017-17095.patch [new file with mode: 0644] patch | blob

diff --git a/libs/tiff/Makefile b/libs/tiff/Makefile
index 59d6ee8f1b6fcdd30a755a78892406f6e3715e61..9830c33d1541d9bb941388ba0f6e4e126ff4c3a6 100644 (file)
--- a/libs/tiff/Makefile
+++ b/libs/tiff/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tiff
 PKG_VERSION:=4.0.9
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.osgeo.org/libtiff
diff --git a/libs/tiff/patches/027-CVE-2017-17095.patch b/libs/tiff/patches/027-CVE-2017-17095.patch
new file mode 100644 (file)
index 0000000..04dd635
--- /dev/null
+++ b/libs/tiff/patches/027-CVE-2017-17095.patch
@@ -0,0 +1,40 @@
+From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001
+From: Nathan Baker <elitebadger@gmail.com>
+Date: Thu, 25 Jan 2018 21:28:15 +0000
+Subject: [PATCH] Add workaround to pal2rgb buffer overflow.
+
+---
+ tools/pal2rgb.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 0423598..01fcf94 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -184,8 +184,21 @@ main(int argc, char* argv[])
+       { unsigned char *ibuf, *obuf;
+         register unsigned char* pp;
+         register uint32 x;
+-        ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
+-        obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
++        tmsize_t tss_in = TIFFScanlineSize(in);
++        tmsize_t tss_out = TIFFScanlineSize(out);
++        if (tss_out / tss_in < 3) {
++              /*
++               * BUG 2750: The following code does not know about chroma
++               * subsampling of JPEG data. It assumes that the output buffer is 3x
++               * the length of the input buffer due to exploding the palette into
++               * RGB tuples. If this assumption is incorrect, it could lead to a
++               * buffer overflow. Go ahead and fail now to prevent that.
++               */
++              fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
++              return -1;
++      }
++        ibuf = (unsigned char*)_TIFFmalloc(tss_in);
++        obuf = (unsigned char*)_TIFFmalloc(tss_out);
+         switch (config) {
+         case PLANARCONFIG_CONTIG:
+               for (row = 0; row < imagelength; row++) {
+--
+libgit2 0.27.0
+
git clone https://git.99rst.org/PROJECT