From owner-svn-ports-branches@freebsd.org Fri Jul 15 16:24:49 2016 Return-Path: Delivered-To: svn-ports-branches@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F3AC7B9AD87; Fri, 15 Jul 2016 16:24:48 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CD0B013D3; Fri, 15 Jul 2016 16:24:48 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u6FGOm3x020371; Fri, 15 Jul 2016 16:24:48 GMT (envelope-from feld@FreeBSD.org) Received: (from feld@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u6FGOln0020367; Fri, 15 Jul 2016 16:24:47 GMT (envelope-from feld@FreeBSD.org) Message-Id: <201607151624.u6FGOln0020367@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: feld set sender to feld@FreeBSD.org using -f From: Mark Felder Date: Fri, 15 Jul 2016 16:24:47 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r418586 - in branches/2016Q3/graphics/tiff: . files X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-branches@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for all the branches of the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Jul 2016 16:24:49 -0000 Author: feld Date: Fri Jul 15 16:24:47 2016 New Revision: 418586 URL: https://svnweb.freebsd.org/changeset/ports/418586 Log: MFH: r418585 graphics/tiff: Patch vulnerabilities These two patches were obtained from OpenBSD. An additional CVE is not yet addressed, but upstream indicates they are removing the gif2tiff utility as the mitigation in the upcoming 4.0.7. PR: 211113 Security: CVE-2016-5875 Security: CVE-2016-3186 Approved by: ports-secteam (with hat) Added: branches/2016Q3/graphics/tiff/files/patch-libtiff_tif__pixarlog.c - copied unchanged from r418585, head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c branches/2016Q3/graphics/tiff/files/patch-tools_gif2tiff.c - copied unchanged from r418585, head/graphics/tiff/files/patch-tools_gif2tiff.c Modified: branches/2016Q3/graphics/tiff/Makefile Directory Properties: branches/2016Q3/ (props changed) Modified: branches/2016Q3/graphics/tiff/Makefile ============================================================================== --- branches/2016Q3/graphics/tiff/Makefile Fri Jul 15 16:22:53 2016 (r418585) +++ branches/2016Q3/graphics/tiff/Makefile Fri Jul 15 16:24:47 2016 (r418586) @@ -3,7 +3,7 @@ PORTNAME= tiff PORTVERSION= 4.0.6 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= graphics MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \ http://download.osgeo.org/libtiff/ Copied: branches/2016Q3/graphics/tiff/files/patch-libtiff_tif__pixarlog.c (from r418585, head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2016Q3/graphics/tiff/files/patch-libtiff_tif__pixarlog.c Fri Jul 15 16:24:47 2016 (r418586, copy of r418585, head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c) @@ -0,0 +1,34 @@ +CVE-2016-5875(, dup?) +https://marc.info/?l=oss-security&m=146720235906569&w=2 + +--- libtiff/tif_pixarlog.c.orig Sat Aug 29 00:16:22 2015 ++++ libtiff/tif_pixarlog.c Fri Jul 1 13:04:52 2016 +@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int strid + typedef struct { + TIFFPredictorState predict; + z_stream stream; ++ tmsize_t tbuf_size; /* only set/used on reading for now */ + uint16 *tbuf; + uint16 stride; + int state; +@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif) + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + if (sp->tbuf == NULL) + return (0); ++ sp->tbuf_size = tbuf_size; + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) + sp->user_datafmt = PixarLogGuessDataFmt(td); + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { +@@ -779,6 +781,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uin + if (sp->stream.avail_out != nsamples * sizeof(uint16)) + { + TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); ++ return (0); ++ } ++ /* Check that we will not fill more than what was allocated */ ++ if (sp->stream.avail_out > sp->tbuf_size) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); + return (0); + } + do { Copied: branches/2016Q3/graphics/tiff/files/patch-tools_gif2tiff.c (from r418585, head/graphics/tiff/files/patch-tools_gif2tiff.c) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2016Q3/graphics/tiff/files/patch-tools_gif2tiff.c Fri Jul 15 16:24:47 2016 (r418586, copy of r418585, head/graphics/tiff/files/patch-tools_gif2tiff.c) @@ -0,0 +1,14 @@ +CVE-2016-3186, patch from: +https://bugzilla.redhat.com/show_bug.cgi?id=1319666 + +--- tools/gif2tiff.c.orig Fri Jul 1 13:11:43 2016 ++++ tools/gif2tiff.c Fri Jul 1 13:12:07 2016 +@@ -349,7 +349,7 @@ readextension(void) + int status = 1; + + (void) getc(infile); +- while ((count = getc(infile)) && count <= 255) ++ while ((count = getc(infile)) && count >= 0 && count <= 255) + if (fread(buf, 1, count, infile) != (size_t) count) { + fprintf(stderr, "short read from file %s (%s)\n", + filename, strerror(errno));