commit 02af2476d530d2fd8e2c10bed0a44bd73174f584 Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 10:58:29 2019 -0400 Package init diff --git a/CVE-2018-12900-pre.patch b/CVE-2018-12900-pre.patch new file mode 100644 index 0000000..5d38876 --- /dev/null +++ b/CVE-2018-12900-pre.patch @@ -0,0 +1,39 @@ +From 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 10:05:33 +0100 +Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow + +fixes bug 2833 +--- + tools/tiffcp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 2f406e2d..f0ee2c02 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + int status = 1; + uint32 imagew = TIFFRasterScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew*spp; ++ int iskew; + tsize_t tilesize = TIFFTileSize(in); + tdata_t tilebuf; + uint8* bufp = (uint8*) buf; +@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + ++ if (spp > (0x7fffffff / tilew)) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); ++ return 0; ++ } ++ iskew = imagew - tilew*spp; + tilebuf = _TIFFmalloc(tilesize); + if (tilebuf == 0) + return 0; +-- +2.18.1 + diff --git a/CVE-2018-12900.patch b/CVE-2018-12900.patch new file mode 100644 index 0000000..8607276 --- /dev/null +++ b/CVE-2018-12900.patch @@ -0,0 +1,33 @@ +From 7cc76e9bc40bc8eb329a718ab26ecef7dd1afd94 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 21:42:03 +0100 +Subject: [PATCH] tiffcp.c: use INT_MAX + +--- + tools/tiffcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index f0ee2c02..8c81aa4f 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + + #include + +@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + +- if (spp > (0x7fffffff / tilew)) ++ if (spp > (INT_MAX / tilew)) + { + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + return 0; +-- +2.18.1 + diff --git a/CVE-2018-19210-1.patch b/CVE-2018-19210-1.patch new file mode 100644 index 0000000..2f2d680 --- /dev/null +++ b/CVE-2018-19210-1.patch @@ -0,0 +1,40 @@ +t a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 6f0b48798bdeee91729c10e1fbcf9786234be5f3..078fbcec20677f19f7f967a4834011fe60df1df3 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -285,6 +285,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + _TIFFfree(td->td_smaxsamplevalue); + td->td_smaxsamplevalue = NULL; + } ++ /* Test if 3 transfer functions instead of just one are now needed ++ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */ ++ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) && ++ !(td->td_samplesperpixel - td->td_extrasamples > 1)) ++ { ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "SamplesPerPixel tag value is changing, " ++ "but TransferFunction was read with a different value. Cancelling it"); ++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); ++ _TIFFfree(td->td_transferfunction[0]); ++ td->td_transferfunction[0] = NULL; ++ } + } + td->td_samplesperpixel = (uint16) v; + break; +@@ -361,6 +373,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32); + break; + case TIFFTAG_EXTRASAMPLES: ++ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) && ++ !(td->td_samplesperpixel - td->td_extrasamples > 1)) ++ { ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "ExtraSamples tag value is changing, " ++ "but TransferFunction was read with a different value. Cancelling it"); ++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); ++ _TIFFfree(td->td_transferfunction[0]); ++ td->td_transferfunction[0] = NULL; ++ } + if (!setExtraSamples(td, ap, &v)) + goto badvalue; + break; diff --git a/CVE-2018-19210-2.patch b/CVE-2018-19210-2.patch new file mode 100644 index 0000000..2fc0254 --- /dev/null +++ b/CVE-2018-19210-2.patch @@ -0,0 +1,59 @@ +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 078fbcec20677f19f7f967a4834011fe60df1df3..028ea54a256b4123ac320138aaedd1b356c2132f 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, double value, size_t nmemb) + * Install extra samples information. + */ + static int +-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v) ++setExtraSamples(TIFF* tif, va_list ap, uint32* v) + { + /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */ + #define EXTRASAMPLE_COREL_UNASSALPHA 999 + + uint16* va; + uint32 i; ++ TIFFDirectory* td = &tif->tif_dir; ++ static const char module[] = "setExtraSamples"; + + *v = (uint16) va_arg(ap, uint16_vap); + if ((uint16) *v > td->td_samplesperpixel) +@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v) + return 0; + } + } ++ ++ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) && ++ !(td->td_samplesperpixel - td->td_extrasamples > 1)) ++ { ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "ExtraSamples tag value is changing, " ++ "but TransferFunction was read with a different value. Cancelling it"); ++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); ++ _TIFFfree(td->td_transferfunction[0]); ++ td->td_transferfunction[0] = NULL; ++ } ++ + td->td_extrasamples = (uint16) *v; + _TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples); + return 1; +@@ -373,17 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32); + break; + case TIFFTAG_EXTRASAMPLES: +- if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) && +- !(td->td_samplesperpixel - td->td_extrasamples > 1)) +- { +- TIFFWarningExt(tif->tif_clientdata,module, +- "ExtraSamples tag value is changing, " +- "but TransferFunction was read with a different value. Cancelling it"); +- TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION); +- _TIFFfree(td->td_transferfunction[0]); +- td->td_transferfunction[0] = NULL; +- } +- if (!setExtraSamples(td, ap, &v)) ++ if (!setExtraSamples(tif, ap, &v)) + goto badvalue; + break; + case TIFFTAG_MATTEING: diff --git a/CVE-2019-6128.patch b/CVE-2019-6128.patch new file mode 100644 index 0000000..f02c57e --- /dev/null +++ b/CVE-2019-6128.patch @@ -0,0 +1,35 @@ +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 01d8502ecf7a8a7f015e49ca9378a1a741cbc06b..9492f1cf1212177bf7e97d307757d0977c898e90 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -118,12 +118,14 @@ main(int argc, char* argv[]) + shortv != PHOTOMETRIC_PALETTE) { + fprintf(stderr, "%s: Expecting a palette image.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) { + fprintf(stderr, + "%s: No colormap (not a valid palette image).\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + bitspersample = 0; +@@ -131,11 +133,14 @@ main(int argc, char* argv[]) + if (bitspersample != 8) { + fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + out = TIFFOpen(argv[optind+1], "w"); +- if (out == NULL) ++ if (out == NULL) { ++ (void) TIFFClose(in); + return (-2); ++ } + cpTags(in, out); + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); diff --git a/libtiff-am-version.patch b/libtiff-am-version.patch new file mode 100644 index 0000000..c94c2e0 --- /dev/null +++ b/libtiff-am-version.patch @@ -0,0 +1,31 @@ +Back off the minimum required automake version to 1.11. There isn't +anything in libtiff currently that actually requires 1.12, and changing +this allows the package to be built on pre-F18 machines for easier testing. + +This patch can go away once we no longer care about testing on pre-F18. + + +diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am +--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400 ++++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400 +@@ -25,7 +25,7 @@ + + docdir = $(LIBTIFF_DOCDIR) + +-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign ++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign + ACLOCAL_AMFLAGS = -I m4 + + docfiles = \ +diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am +--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400 ++++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400 +@@ -23,7 +23,7 @@ + + # Process this file with automake to produce Makefile.in. + +-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign ++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign + + LIBTIFF = $(top_builddir)/libtiff/libtiff.la + diff --git a/libtiff-make-check.patch b/libtiff-make-check.patch new file mode 100644 index 0000000..e79dc94 --- /dev/null +++ b/libtiff-make-check.patch @@ -0,0 +1,12 @@ +diff --git a/html/man/Makefile.am b/html/man/Makefile.am +index 587296c..696005e 100644 +--- a/html/man/Makefile.am ++++ b/html/man/Makefile.am +@@ -92,7 +92,6 @@ docfiles = \ + tiffcrop.1.html \ + tiffdither.1.html \ + tiffdump.1.html \ +- tiffgt.1.html \ + tiffinfo.1.html \ + tiffmedian.1.html \ + tiffset.1.html \ diff --git a/libtiff.spec b/libtiff.spec new file mode 100644 index 0000000..954d0fe --- /dev/null +++ b/libtiff.spec @@ -0,0 +1,166 @@ +Name: libtiff +Version: 4.0.10 +Release: 1 +Summary: TIFF Library and Utilities +License: libtiff +URL: https://www.simplesystems.org/libtiff/ +Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz + +Patch0: libtiff-am-version.patch +Patch1: libtiff-make-check.patch + +Patch6001: CVE-2018-12900-pre.patch +Patch6002: CVE-2018-12900.patch +Patch6003: CVE-2018-19210-1.patch +Patch6004: CVE-2018-19210-2.patch +Patch6005: CVE-2019-6128.patch + +BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel +BuildRequires: libtool automake autoconf pkgconfig git + +Provides: %{name}-tools +Obsoletes: %{name}-tools + +%description +This %{name} provides support for the Tag Image File Format (TIFF), a widely +used format for storing image data. The latest version of the TIFF specification +is available on-line in several different formats.And contains command-line programs +for manipulating TIFF format image files using the libtiff library. + +%package devel +Summary: Development files for %{name} library +Requires: %{name} = %{version}-%{release} pkgconfig + +Provides: %{name}-static +Obsoletes: %{name}-static + +%description devel +This package contains the header files and documentation necessary for developing programs +which will manipulate TIFF format image files using the libtiff library. + +%package_help + +%prep +%autosetup -n tiff-%{version} -p1 -S git + +libtoolize --force --copy +aclocal -I . -I m4 +automake --add-missing --copy +autoconf +autoheader + +%build +export CFLAGS="%{optflags} -fno-strict-aliasing" +%configure --enable-ld-version-script +%make_build + +%install +%make_install +%delete_la + +rm -rf %{buildroot}/%{_datadir}/doc/ +rm -f %{buildroot}/%{_bindir}/tiffgt + +case `uname -i` in + x86_64 ) + wordsize="64" + ;; + *) + wordsize="" + ;; +esac + +if test -n "$wordsize" +then + mv %{buildroot}/%{_includedir}/tiffconf.h %{buildroot}/%{_includedir}/tiffconf-$wordsize.h + cat >%{buildroot}/%{_includedir}/tiffconf.h < + +#if __WORDSIZE == 32 +# include "tiffconf-32.h" +#elif __WORDSIZE == 64 +# include "tiffconf-64.h" +#else +# error "unexpected value for __WORDSIZE macro" +#endif + +#endif +EOF +fi + +%ldconfig_scriptlets + +%check +make check +find html -name 'Makefile*' | xargs rm + +%files +%defattr(-,root,root) +%doc COPYRIGHT README.md +%{_bindir}/* +%{_libdir}/*.so.* + +%files devel +%defattr(-,root,root) +%{_includedir}/* +%{_libdir}/*.a +%{_libdir}/*.so +%{_libdir}/pkgconfig/ + +%files help +%defattr(-,root,root) +%{_mandir}/man* +%doc RELEASE-DATE VERSION +%doc TODO ChangeLog html +%exclude %{_mandir}/man1/tiffgt.1 +%exclude %{_datadir}/html/man/tiffgt.1.html + +%changelog +* Fri Sep 06 2019 openEuler Buildteam - 4.0.10-1 +- Type:Enhance +- ID:NA +- SUG:NA +- DESC: openEuler Debranding + +* Mon Aug 19 2019 cangyi - 4.0.9-11.h6 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:format patches + +* Fri Aug 09 2019 zhangyujing - 4.0.9-11.h5 +- Type:cves +- ID:CVE-2018-10779 +- SUG:NA +- DESC:fix CVE-2018-10779 + +* Wed Jul 31 2019 shenyangyang - 4.0.9-11.h4 +- Type:NA +- ID:NA +- SUG:NA +- DESC:openEuler Debrading + +* Mon Jul 15 2019 wangchan - 4.0.9-11.h3 +- Type:cves +- ID:CVE-2017-17095 +- SUG:NA +- DESC:fix CVE-2017-17095 + +* Mon Apr 29 2019 yuejiayan - 4.0.9-11.h2 +- Type:cves +- ID:CVE-2018-19210 CVE-2019-6128 +- SUG:NA +- DESC:fix above cves + +* Sun Apr 07 2019 wenjun - 4.0.9-11.h1 +- Type:cves +- ID:CVE-2018-18557 CVE-2018-17101 CVE-2018-17100 CVE-2018-12900 CVE-2018-18661 +- SUG:NA +- DESC:fix above cves + +* Fri Jul 13 2018 shenyangyang - 4.0.9-11 +- Package Initialization + diff --git a/tiff-4.0.10.tar.gz b/tiff-4.0.10.tar.gz new file mode 100644 index 0000000..28cb56d Binary files /dev/null and b/tiff-4.0.10.tar.gz differ