summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSamuli Suominen <ssuominen@gentoo.org>2010-02-26 20:31:34 +0000
committerSamuli Suominen <ssuominen@gentoo.org>2010-02-26 20:31:34 +0000
commit405f7893035cbc5301b05a6f09f838f643bbe650 (patch)
treea38ee8750150c23756adfedf15299859190839e1 /media-libs/tiff
parentBump (diff)
downloadgentoo-2-405f7893035cbc5301b05a6f09f838f643bbe650.tar.gz
gentoo-2-405f7893035cbc5301b05a6f09f838f643bbe650.tar.bz2
gentoo-2-405f7893035cbc5301b05a6f09f838f643bbe650.zip
Fix CVE-2009-2347 again wrt security #307001.
(Portage version: 2.2_rc63/cvs/Linux x86_64)
Diffstat (limited to 'media-libs/tiff')
-rw-r--r--media-libs/tiff/ChangeLog8
-rw-r--r--media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch89
-rw-r--r--media-libs/tiff/tiff-3.9.2-r1.ebuild53
3 files changed, 149 insertions, 1 deletions
diff --git a/media-libs/tiff/ChangeLog b/media-libs/tiff/ChangeLog
index e99404cb2a91..96213b510a53 100644
--- a/media-libs/tiff/ChangeLog
+++ b/media-libs/tiff/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for media-libs/tiff
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/ChangeLog,v 1.144 2010/01/22 17:19:11 ssuominen Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/ChangeLog,v 1.145 2010/02/26 20:31:32 ssuominen Exp $
+
+*tiff-3.9.2-r1 (26 Feb 2010)
+
+ 26 Feb 2010; Samuli Suominen <ssuominen@gentoo.org> +tiff-3.9.2-r1.ebuild,
+ +files/tiff-3.9.2-CVE-2009-2347.patch:
+ Fix CVE-2009-2347 again wrt security #307001.
22 Jan 2010; Samuli Suominen <ssuominen@gentoo.org> tiff-3.9.2.ebuild:
Require SLOT="0" of media-libs/jpeg for headers.
diff --git a/media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch b/media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch
new file mode 100644
index 000000000000..8d30334da380
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.2-CVE-2009-2347.patch
@@ -0,0 +1,89 @@
+http://bugs.gentoo.org/show_bug.cgi?id=307001
+http://bugzilla.maptools.org/show_bug.cgi?id=2079
+
+--- tools/tiff2rgba.c
++++ tools/tiff2rgba.c
+@@ -125,6 +125,17 @@
+ return (0);
+ }
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ static int
+ cvt_by_tile( TIFF *in, TIFF *out )
+
+@@ -134,6 +145,7 @@
+ uint32 tile_width, tile_height;
+ uint32 row, col;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -151,7 +163,14 @@
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) tile_width, (unsigned long) tile_height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -159,7 +178,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -236,6 +255,7 @@
+ uint32 width, height; /* image width & height */
+ uint32 row;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -251,7 +271,14 @@
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) rowsperstrip);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -259,7 +286,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ if (!wrk_line) {
diff --git a/media-libs/tiff/tiff-3.9.2-r1.ebuild b/media-libs/tiff/tiff-3.9.2-r1.ebuild
new file mode 100644
index 000000000000..bad4e457d06a
--- /dev/null
+++ b/media-libs/tiff/tiff-3.9.2-r1.ebuild
@@ -0,0 +1,53 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/tiff-3.9.2-r1.ebuild,v 1.1 2010/02/26 20:31:32 ssuominen Exp $
+
+EAPI=2
+inherit eutils libtool
+
+DESCRIPTION="Library for manipulation of TIFF (Tag Image File Format) images"
+HOMEPAGE="http://www.remotesensing.org/libtiff/"
+SRC_URI="ftp://ftp.remotesensing.org/pub/libtiff/${P}.tar.gz"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="jpeg jbig +cxx zlib"
+
+DEPEND="jpeg? ( >=media-libs/jpeg-6b:0 )
+ jbig? ( media-libs/jbigkit )
+ zlib? ( sys-libs/zlib )"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-3.8.2-CVE-2009-2285.patch \
+ "${FILESDIR}"/${P}-CVE-2009-2347.patch
+ elibtoolize
+}
+
+src_configure() {
+ use prefix || EPREFIX=
+ econf \
+ --disable-dependency-tracking \
+ $(use_enable cxx) \
+ $(use_enable zlib) \
+ $(use_enable jpeg) \
+ $(use_enable jbig) \
+ --without-x \
+ --with-docdir="${EPREFIX}"/usr/share/doc/${PF}
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die
+ dodoc ChangeLog README TODO
+}
+
+pkg_postinst() {
+ if use jbig; then
+ echo
+ elog "JBIG support is intended for Hylafax fax compression, so we"
+ elog "really need more feedback in other areas (most testing has"
+ elog "been done with fax). Be sure to recompile anything linked"
+ elog "against tiff if you rebuild it with jbig support."
+ echo
+ fi
+}