Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/media-libs
diff options
context:
space:
mode:
Diffstat (limited to 'media-libs')
-rw-r--r--media-libs/tiff/ChangeLog9
-rw-r--r--media-libs/tiff/Manifest19
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch191
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch77
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch245
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-printdir-width.patch36
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch59
-rw-r--r--media-libs/tiff/tiff-3.9.7.ebuild7
8 files changed, 636 insertions, 7 deletions
diff --git a/media-libs/tiff/ChangeLog b/media-libs/tiff/ChangeLog
index cd6e01ae80a2..ac26067396b8 100644
--- a/media-libs/tiff/ChangeLog
+++ b/media-libs/tiff/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for media-libs/tiff
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/ChangeLog,v 1.226 2013/05/03 12:00:09 vincent Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/ChangeLog,v 1.227 2013/05/03 12:13:47 ssuominen Exp $
+
+ 03 May 2013; Samuli Suominen <ssuominen@gentoo.org> tiff-3.9.7.ebuild,
+ +files/tiff-3.9.7-CVE-2012-4447.patch, +files/tiff-3.9.7-CVE-2012-4564.patch,
+ +files/tiff-3.9.7-CVE-2012-5581.patch,
+ +files/tiff-3.9.7-printdir-width.patch,
+ +files/tiff-3.9.7-tiffinfo-exif.patch:
+ Import Fedora 17 security patchset for the compability SLOT.
03 May 2013; Vicente Olivert Riera <vincent@gentoo.org> tiff-3.9.7.ebuild,
tiff-4.0.3-r2.ebuild:
diff --git a/media-libs/tiff/Manifest b/media-libs/tiff/Manifest
index 979a1a2eae09..c15e591b5813 100644
--- a/media-libs/tiff/Manifest
+++ b/media-libs/tiff/Manifest
@@ -2,6 +2,11 @@
Hash: SHA256
AUX tiff-3.9.5-CVE-2012-1173.patch 1621 SHA256 1697dda50fcd92599f8e567a55783d699d919964df895c5c9098eed41715621f SHA512 262ad17d9fb2c0e03dd5ead72b27d446efb44104db5330a1a0cb4998712b59e70a945eb5bbf4f0216dde475c56ef1d4977cf46ee189619402727921dadacbde6 WHIRLPOOL 2b9dcccd9c0a0285cdbd35ccad2fb0525fba3212b3b84ef9347f47a425ff4c92ed55a2cb2bd3f0af4e93cca3a0e78a76133006e5cab130b53b2dd8e422e51d39
+AUX tiff-3.9.7-CVE-2012-4447.patch 5706 SHA256 373020d6c383778ee40f642d90e5d9f3a878f0c17a529825e43e1647d27332cf SHA512 defb8251401b7d65c2cd8f60df30d35551c1b1d0a1dcf514dd95da89572873177ea116e9373dd07cd260e00434235090e1d8864199d5fdfa84c445cb6905ddd6 WHIRLPOOL ac54215b65806681ae5e337a538ce91357247f28815eee7a29ff5eef179075ec43b473a7f62195056a37318e84ae15a2d503fd94b54a0dee173ac6851858f342
+AUX tiff-3.9.7-CVE-2012-4564.patch 1987 SHA256 525f667e2148229520b50d6136c0ecd345b8db9acc62fde945a5f13dae4d51f3 SHA512 24ebe60ce6361561c15c8c5fb46b47942e58912de5efbf128374defc4382a7e800fae3dc0a9fe04876a5e2f61a109edc1c9533be2f8a15b4b0ed7215d7b08c9b WHIRLPOOL c59dfed1f43b75372e9e6bf3381db608d42291e8613c6f38d8b1310868b4f373b15a279144a8f06cb0d9ba5d147a81ca753b6ef118e23e47893902d1d00cf880
+AUX tiff-3.9.7-CVE-2012-5581.patch 8156 SHA256 f47b30c8fc0578df7285f6cf318f29d410db4b82550b3fbc9582beeb9a834415 SHA512 2e215edeb6f4f5d6e14753874a67d76cfec34b3f6ffc420e1c7ede2007a6b2f64c09505e879e83db1de87f28c82c806c4379b38bf7f8735bb2bae675543683f0 WHIRLPOOL 8f7cdca5ec968eab6ec8749e2185c7416fb2055da56ce3b159a637ede9f296e9a37af7c91ff8da1c743bb05371662725374d3febdde2109f18baa57391ac8e16
+AUX tiff-3.9.7-printdir-width.patch 1523 SHA256 597406f727b26fd06106e1e22a1e4e4620b3ffa54a49c2c4b0b8ee6b1d54908b SHA512 9bf2edcbda2ed5dba01839cf1bb34316801b4c5a2b6c71ed46f8777518cf1bc77084db94eaf1ebde84583fa2e1749a5fc5151e321b4d83975b13c3e9ebe96436 WHIRLPOOL 3f9a830622866cbc1fab8109fa9ad787c50230871286e6bdc3594b0d33c887acdca03b19df8d4537ff0e21a6f6a2e48062ff731616b300ead923d8e61253094b
+AUX tiff-3.9.7-tiffinfo-exif.patch 1847 SHA256 2b333f3161f88aef3f764de316c4e8f10906932d33ee575b98f7723b2bff1db7 SHA512 6f211dc864bfb314a1c7edb8855b68cfbbdbbde1ba9422c1c578acbb15e5769323eec366bef618a8100b0ccb8057b2997762ebbd0f943be10882411861ec72fb WHIRLPOOL 4fb1375cc34c889f2148d8b998929f29f8901c38ac3af0839abcd827adf707045b00e7516e7b92df6cd2968dcbbe98ac135662300bc4fe05fb4b43b30f340baa
AUX tiff-4.0.2-CVE-2012-3401.patch 296 SHA256 e0fbff1fdcb9189fde303edb378fce999beffb78e1cf3ab955e24accf489e807 SHA512 143aeab0c6008cb107343c757239ad7045a573f157b06b6771514c963405ac8b1a199b0978ca393e312da1587071b74a5e299f67d218e37a85d82e9e978c5d28 WHIRLPOOL 1039df55dac487f748d30670574efa85d24f274f3b750a14f2407a04cb423e8a6e45318e8977feba7be67d3dfcd9707d470f5ca83b40e081801a45126fb58427
AUX tiff-4.0.2-bigendian.patch 897 SHA256 dfddd377370c4114cde09fed335edd40f4fc5411cf191b0048bb76466e3909f0 SHA512 b94084a6e3750e68fd4cd283bd39491e445b8907a4342e4239a5e4237e1e8847a5759d82636be20d152943bb85fd83f9d84d5de09e68668a67c4b93d9742a0e3 WHIRLPOOL 5cf1342132d7eda75a653bca5f4df71bd9cd8ede2e47bb590fff7485ceaad80d550c882b7f11ddd294abed3dbc666a218f366c94c15a5198d7ddb9a1115c6dbc
AUX tiff-4.0.3-CVE-2012-4447.patch 1263 SHA256 917187494cd3f80929e4919951637683aaccd98ffa23a6f1f97e49f6db85baa9 SHA512 1377b675cfbeffbe810518053fb2e683f889cf1274d0b1adc6060beb9ef70dcd504038b02d569d08bf497511b99ea9c237e581b4a66676d0a69370b78c98736b WHIRLPOOL 5c17a0026f65ca2ede6b4ec4c1bf174578070cc413aadc411650fe65af4c79476bfdf413927328cac08c1c7688ddc9018d77a2cf73bf815583821b8c4fe7d6b2
@@ -15,17 +20,21 @@ DIST tiff-3.9.7.tar.gz 1468097 SHA256 f5d64dd4ce61c55f5e9f6dc3920fbe5a41e02c2e60
DIST tiff-4.0.2.tar.gz 2022814 SHA256 aa29f1f5bfe3f443c3eb4dac472ebde15adc8ff0464b83376f35e3b2fef935da SHA512 bfc82b2780f2a7d89b1cd6d73ba45091fc74de996b2dad616cfdba59770b192449d6a9effba305f478a8e527d7246443a4e2bc1c5e2e6673a0037972f4a13413 WHIRLPOOL 1c89f2760413035f37dfde47d7c8884fa899e86b7911fd6b52b2920c830898b8f26f8d9a287ed6dc3820feb7fa21c50fb1dba278c57fb548806e8700c23e1ec9
DIST tiff-4.0.3.tar.gz 2051630 SHA256 ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872 SHA512 d80e18b00e9e696a30b954c0d92e5f2f773fd9a7a0a944cf6cabb69c1798e671506580daa1cd2ebf493ae922000170c2491dfc6d4c0a9cd0b865684070595a73 WHIRLPOOL 762ace7c66dec7a6f350bc8c000a9e1f4b775e7b148b1d923eb3f7c015f47bda65a54bc0b5974ce665c7d836ec0b275c9307d1f18f3b6bee8b0949a6cceb319e
EBUILD tiff-3.9.5-r3.ebuild 1799 SHA256 10fc18a8ada9f8763ff295b6f42326b0f6866e235aeac1261f42dd1ad62a12fd SHA512 9434a31ccb4603d0278cfa0b51df4d902a627466f8243045585064db73627418ea871ea4a6f749acbe9f4792bddb6b7f2d28bc3a035da5daea8067338ae8d157 WHIRLPOOL 1cbc9bd3e518d48c8b42420c7db495bd95810ed571dc13ee4be5378c816383f75ae19e2d02f711c61a95642777458840340b15e8e438bc48cd2d72309955ce15
-EBUILD tiff-3.9.7.ebuild 1754 SHA256 a3040b551fa8c53808f13488cb64c98d7132ff0c7605fa3a14c353d84d9f6204 SHA512 66f9bb1969e3c9b5bccf9135ddbc1c7cb6146f75b2e48570e706c23ab370f89ee2304d17316c1686facaf63546a42e191f163a26323ceb5bf1237a872e48bf70 WHIRLPOOL d657c820d00fc6e86ed4f69e23866bc7252a342b15908f4242d322b3cab30307c4a136eed5687918d450e8753ad71ea2f06be60d3b85fae10d5eee14d76aae1a
+EBUILD tiff-3.9.7.ebuild 1907 SHA256 8e90d128b9e71ce70b38c7ccae6244a6a378bcd194a790c6e4e20b9c7cc9b818 SHA512 ed0ced2b2c7afb075cfed1b6615688d998375a3c6a8f6af644fb717e467bdf72b32e01c245c2ce10a89577ccc8acf3330f961e329a579f881ad3f7f98b8204f0 WHIRLPOOL 7aeb075cf0a00378a482deb4d2a758defa01b80b8b6ffb668b122d85a1f850eb821891a35dcae51b58045231eed74857d618c13b40e1486ee81007e0057aa382
EBUILD tiff-4.0.2-r1.ebuild 1446 SHA256 4301e356a342b75d9425d94ca7fc0f29eb956265136d23219851cbd7532c9c86 SHA512 f3f5ccd83c300a3acd445e9fe420c9c3150ad3933a80db1a315ff55afd73ca0829f6848bca49e0dab44246c506c12d8595eeb6d442cf414f28d20397da8034ea WHIRLPOOL ebe9c1d649335cdedf6630fb943cd916f2a64898a18015c0a389e3299b850b9a2c50ccc54a93519c7f2e72988bfa492969db52afe1068429cbca7b3cab049941
EBUILD tiff-4.0.3-r1.ebuild 1429 SHA256 2fc720bbe56409b73d782a68bd2476caf5e0eb4449f5df775088cb24e989ada0 SHA512 d53620a858fbd774b36723d33f0c129edd634ef4913647319d76e60d3a87edb3cbe52c42b1e2e7a7155c9ce14540e158a3d1081f2046f6677c03570dae121ee4 WHIRLPOOL 021e573bc100640b1efceac2f42635645bb79bd729d113dd200676decaa863febb45bca37c721575043e23e60aa203419927c7aae7736f01e946ecb35fe10e00
EBUILD tiff-4.0.3-r2.ebuild 1605 SHA256 72986ee727d64ade7423e3a25025fffd70ef086096f8a6bad968865ddc3ae641 SHA512 e63815a55c4153d5a93e3a88a0affbcfdccb515791266db7f9cc76d46fa76204fb4bcc87d83f996f92c0e01f7cf3b56ff795b3fc5587edeb436d6d6ecf55adc9 WHIRLPOOL 7bc2966842d21290e5e7c1c95fd3bccc56f8292f1ea37fbc580aab7b6e7523e65670826c5669ef7f4cc7fe1ad80f28672e7044c803712f09d070331d13b37657
EBUILD tiff-4.0.3.ebuild 1353 SHA256 ae60d4451163f8fde953b0ba1120f3a10d01601a23d457ecf05f2ea0007c477f SHA512 a5aabfa782dc9c97e9a93e7f1a224152d7a561d0c8131042ca24e5ab40744125be8fc1e1a892a4f6f808003bd2d8c881ccaafd1165522f829adf15956d9d3689 WHIRLPOOL 4841ce497247a05952c1b83f718983422b819642a133acea9ab5daa6daeccc2ceb6f6faa2b26957fa9f965751d99ed533575c550e93205386d0c427965745eb2
-MISC ChangeLog 31567 SHA256 daacdf164025ea6ce66e00d1415af486caad836528d87a37069001acf2d9258b SHA512 f3805f531d61701a5393e7514cb64638536f337cbb0e13c47efc9920e0de62340df4a45edbd2d61179409b6f106d8d48e32919b3e429708c02c9aa55216e5595 WHIRLPOOL 4e3d79203da0bd5295f84dce1504e440dc056c65202a7f8d7e27aa7fa3316dd210db38fe4ecc905da6af886cd41b773fbd897a20ade04e87c7f28195efea826a
+MISC ChangeLog 31910 SHA256 05db6accb39a653f13a4ca76d36fc26cee990ba72d6cbc57763fa12e8028ef49 SHA512 6dd1c0cb12b852c4dbe13df1e1562b21971c224299b5d315dd27601acb0e6d2ea04e8d6cefc3a8cd939262b7944c4cd4aea942246fe77eda66277d04a9186bd6 WHIRLPOOL bb5695f8f75ee5a5eac40e3ee9df2aab93cb968f9eaef7ba72b6281c7419d4d3a4a41b9b2e3a9455b82e3badd08e587f2e90e3c23555abfbf81a363581aa5280
MISC metadata.xml 309 SHA256 c1893fd7aaa763da14257353ceca7356500d8c8112f635f587c4ef407bd6ca51 SHA512 435eddb4a4280b37dd5948f305f88c5b3c8d193d50776a4c608132addcff03016fb00b218ad8be93a59dfdde28b57fc9d1327b18dc772344057147a5d3826f4b WHIRLPOOL b3323fa861535082bd475896c3cd5490c584cfe0262ffa25288bcda76e36ee58c42c825811ccc34078ed624e48467842012750cd650cf91398313cf4c6b60892
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iEYEAREIAAYFAlGDprcACgkQWunnsum7y6jB2QCfc0tNtjPNBhl5xrlnCTrfF5d8
-jZIAn11ReqPdnPFv6G1Wia8VwpDJkpCj
-=9hmJ
+iQEcBAEBCAAGBQJRg6n3AAoJEEdUh39IaPFNQXsIAJbEP8nABJdyO41P5Gf6zg+j
+Dhjb21vM9SxS9/+CdyOg2SCzcm9nvvDe/vulJ675qZgvSq18l82Qflt+X5US7d9R
+SAYD2pXfnsytguPLxDrW7f0Wglp0KtgZgck2E0WwiB0InTHgSNs5vqFF3CJ6fzS1
+pKtvmBVPb2vkw7xwofNRzmks5xSovuI4vgGglEkEkSA0Zk2gzhcD9xL+wYb0+QBZ
+pk3WX3jBp89GgY+Bj71RJUmG69Jk70p37EY2l3gp5oE7RescKLfpLq/tPBBHpdwJ
+8gH5zASlrmozKSXTUQopbKHopLs/KSEjUR0ewBeB6OXWFw1uOXBRlZUFsArWw7c=
+=UIMq
-----END PGP SIGNATURE-----
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
new file mode 100644
index 000000000000..6c28dc6ec9a8
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
@@ -0,0 +1,191 @@
+Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read
+possibility in the same file, which wasn't given a separate CVE.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c
+--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500
+@@ -117,9 +117,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- t0 = ToLinearF[cr = wp[0]];
+- t1 = ToLinearF[cg = wp[1]];
+- t2 = ToLinearF[cb = wp[2]];
++ t0 = ToLinearF[cr = (wp[0] & mask)];
++ t1 = ToLinearF[cg = (wp[1] & mask)];
++ t2 = ToLinearF[cb = (wp[2] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -136,10 +136,10 @@
+ op[2] = t2;
+ }
+ } else if (stride == 4) {
+- t0 = ToLinearF[cr = wp[0]];
+- t1 = ToLinearF[cg = wp[1]];
+- t2 = ToLinearF[cb = wp[2]];
+- t3 = ToLinearF[ca = wp[3]];
++ t0 = ToLinearF[cr = (wp[0] & mask)];
++ t1 = ToLinearF[cg = (wp[1] & mask)];
++ t2 = ToLinearF[cb = (wp[2] & mask)];
++ t3 = ToLinearF[ca = (wp[3] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -183,9 +183,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- t0 = ToLinearF[cr = wp[0]] * SCALE12;
+- t1 = ToLinearF[cg = wp[1]] * SCALE12;
+- t2 = ToLinearF[cb = wp[2]] * SCALE12;
++ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
++ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
++ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
+ op[0] = CLAMP12(t0);
+ op[1] = CLAMP12(t1);
+ op[2] = CLAMP12(t2);
+@@ -202,10 +202,10 @@
+ op[2] = CLAMP12(t2);
+ }
+ } else if (stride == 4) {
+- t0 = ToLinearF[cr = wp[0]] * SCALE12;
+- t1 = ToLinearF[cg = wp[1]] * SCALE12;
+- t2 = ToLinearF[cb = wp[2]] * SCALE12;
+- t3 = ToLinearF[ca = wp[3]] * SCALE12;
++ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
++ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
++ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
++ t3 = ToLinearF[ca = (wp[3] & mask)] * SCALE12;
+ op[0] = CLAMP12(t0);
+ op[1] = CLAMP12(t1);
+ op[2] = CLAMP12(t2);
+@@ -247,9 +247,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- op[0] = ToLinear16[cr = wp[0]];
+- op[1] = ToLinear16[cg = wp[1]];
+- op[2] = ToLinear16[cb = wp[2]];
++ op[0] = ToLinear16[cr = (wp[0] & mask)];
++ op[1] = ToLinear16[cg = (wp[1] & mask)];
++ op[2] = ToLinear16[cb = (wp[2] & mask)];
+ n -= 3;
+ while (n > 0) {
+ wp += 3;
+@@ -260,10 +260,10 @@
+ op[2] = ToLinear16[(cb += wp[2]) & mask];
+ }
+ } else if (stride == 4) {
+- op[0] = ToLinear16[cr = wp[0]];
+- op[1] = ToLinear16[cg = wp[1]];
+- op[2] = ToLinear16[cb = wp[2]];
+- op[3] = ToLinear16[ca = wp[3]];
++ op[0] = ToLinear16[cr = (wp[0] & mask)];
++ op[1] = ToLinear16[cg = (wp[1] & mask)];
++ op[2] = ToLinear16[cb = (wp[2] & mask)];
++ op[3] = ToLinear16[ca = (wp[3] & mask)];
+ n -= 4;
+ while (n > 0) {
+ wp += 4;
+@@ -342,9 +342,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- op[0] = ToLinear8[cr = wp[0]];
+- op[1] = ToLinear8[cg = wp[1]];
+- op[2] = ToLinear8[cb = wp[2]];
++ op[0] = ToLinear8[cr = (wp[0] & mask)];
++ op[1] = ToLinear8[cg = (wp[1] & mask)];
++ op[2] = ToLinear8[cb = (wp[2] & mask)];
+ n -= 3;
+ while (n > 0) {
+ n -= 3;
+@@ -355,10 +355,10 @@
+ op[2] = ToLinear8[(cb += wp[2]) & mask];
+ }
+ } else if (stride == 4) {
+- op[0] = ToLinear8[cr = wp[0]];
+- op[1] = ToLinear8[cg = wp[1]];
+- op[2] = ToLinear8[cb = wp[2]];
+- op[3] = ToLinear8[ca = wp[3]];
++ op[0] = ToLinear8[cr = (wp[0] & mask)];
++ op[1] = ToLinear8[cg = (wp[1] & mask)];
++ op[2] = ToLinear8[cb = (wp[2] & mask)];
++ op[3] = ToLinear8[ca = (wp[3] & mask)];
+ n -= 4;
+ while (n > 0) {
+ n -= 4;
+@@ -393,9 +393,9 @@
+ mask = CODE_MASK;
+ if (stride == 3) {
+ op[0] = 0;
+- t1 = ToLinear8[cb = wp[2]];
+- t2 = ToLinear8[cg = wp[1]];
+- t3 = ToLinear8[cr = wp[0]];
++ t1 = ToLinear8[cb = (wp[2] & mask)];
++ t2 = ToLinear8[cg = (wp[1] & mask)];
++ t3 = ToLinear8[cr = (wp[0] & mask)];
+ op[1] = t1;
+ op[2] = t2;
+ op[3] = t3;
+@@ -413,10 +413,10 @@
+ op[3] = t3;
+ }
+ } else if (stride == 4) {
+- t0 = ToLinear8[ca = wp[3]];
+- t1 = ToLinear8[cb = wp[2]];
+- t2 = ToLinear8[cg = wp[1]];
+- t3 = ToLinear8[cr = wp[0]];
++ t0 = ToLinear8[ca = (wp[3] & mask)];
++ t1 = ToLinear8[cb = (wp[2] & mask)];
++ t2 = ToLinear8[cg = (wp[1] & mask)];
++ t3 = ToLinear8[cr = (wp[0] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -630,10 +630,10 @@
+ return guess;
+ }
+
+-static uint32
+-multiply(size_t m1, size_t m2)
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
+ {
+- uint32 bytes = m1 * m2;
++ tsize_t bytes = m1 * m2;
+
+ if (m1 && bytes / m1 != m2)
+ bytes = 0;
+@@ -641,6 +641,20 @@
+ return bytes;
+ }
+
++static tsize_t
++add_ms(tsize_t m1, tsize_t m2)
++{
++ tsize_t bytes = m1 + m2;
++
++ /* if either input is zero, assume overflow already occurred */
++ if (m1 == 0 || m2 == 0)
++ bytes = 0;
++ else if (bytes <= m1 || bytes <= m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ static int
+ PixarLogSetupDecode(TIFF* tif)
+ {
+@@ -661,6 +675,8 @@
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ /* add one more stride in case input ends mid-stride */
++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ if (tbuf_size == 0)
+ return (0);
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
new file mode 100644
index 000000000000..98a6e6c4409d
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
@@ -0,0 +1,77 @@
+Upstream patch for CVE-2012-4564.
+
+
+diff -Naur tiff-3.9.4.orig/tools/ppm2tiff.c tiff-3.9.4/tools/ppm2tiff.c
+--- tiff-3.9.4.orig/tools/ppm2tiff.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/ppm2tiff.c 2012-12-10 16:16:05.154045877 -0500
+@@ -68,6 +68,17 @@
+ exit(-2);
+ }
+
++static tsize_t
++multiply_ms(tsize_t m1, tsize_t m2)
++{
++ tsize_t bytes = m1 * m2;
++
++ if (m1 && bytes / m1 != m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ int
+ main(int argc, char* argv[])
+ {
+@@ -85,6 +96,7 @@
+ int c;
+ extern int optind;
+ extern char* optarg;
++ tsize_t scanline_size;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -217,7 +229,8 @@
+ }
+ switch (bpp) {
+ case 1:
+- linebytes = (spp * w + (8 - 1)) / 8;
++ /* if round-up overflows, result will be zero, OK */
++ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+ if (rowsperstrip == (uint32) -1) {
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
+ } else {
+@@ -226,15 +239,31 @@
+ }
+ break;
+ case 8:
+- linebytes = spp * w;
++ linebytes = multiply_ms(spp, w);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+ break;
+ }
+- if (TIFFScanlineSize(out) > linebytes)
++ if (linebytes == 0) {
++ fprintf(stderr, "%s: scanline size overflow\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ scanline_size = TIFFScanlineSize(out);
++ if (scanline_size == 0) {
++ /* overflow - TIFFScanlineSize already printed a message */
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ if (scanline_size < linebytes)
+ buf = (unsigned char *)_TIFFmalloc(linebytes);
+ else
+- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ buf = (unsigned char *)_TIFFmalloc(scanline_size);
++ if (buf == NULL) {
++ fprintf(stderr, "%s: Not enough memory\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
+ if (resolution > 0) {
+ TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch
new file mode 100644
index 000000000000..a6bdca137029
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch
@@ -0,0 +1,245 @@
+Fix unsafe handling of DotRange and related tags. Back-port of upstream
+patch for CVE-2012-5581. (Note: I have not pushed this into upstream CVS
+for the 3.9 branch, because I'm not entirely convinced that it won't create
+application compatibility issues --- tgl)
+
+
+diff -Naur tiff-3.9.7.orig/libtiff/tif_dir.c tiff-3.9.7/libtiff/tif_dir.c
+--- tiff-3.9.7.orig/libtiff/tif_dir.c 2012-09-22 10:48:09.000000000 -0400
++++ tiff-3.9.7/libtiff/tif_dir.c 2012-12-13 13:39:20.448864070 -0500
+@@ -494,32 +494,28 @@
+ goto end;
+ }
+
+- if ((fip->field_passcount
++ if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ uint16 v[2];
++ v[0] = (uint16)va_arg(ap, int);
++ v[1] = (uint16)va_arg(ap, int);
++ _TIFFmemcpy(tv->value, v, 4);
++ }
++ else if (fip->field_passcount
+ || fip->field_writecount == TIFF_VARIABLE
+ || fip->field_writecount == TIFF_VARIABLE2
+ || fip->field_writecount == TIFF_SPP
+- || tv->count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE
+- && fip->field_tag != TIFFTAG_WHITELEVEL) {
++ || tv->count > 1) {
+ _TIFFmemcpy(tv->value, va_arg(ap, void *),
+ tv->count * tv_size);
+ } else {
+- /*
+- * XXX: The following loop required to handle
+- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
+- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
+- * These tags are actually arrays and should be passed as
+- * array pointers to TIFFSetField() function, but actually
+- * passed as a list of separate values. This behaviour
+- * must be changed in the future!
+- */
+- int i;
+ char *val = (char *)tv->value;
+
+- for (i = 0; i < tv->count; i++, val += tv_size) {
++ assert( tv->count == 1 );
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+@@ -578,7 +574,6 @@
+ status = 0;
+ break;
+ }
+- }
+ }
+ }
+ }
+@@ -869,24 +864,27 @@
+ *va_arg(ap, uint16*) = (uint16)tv->count;
+ *va_arg(ap, void **) = tv->value;
+ ret_val = 1;
+- } else {
+- if ((fip->field_type == TIFF_ASCII
++ } else if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0];
++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1];
++ ret_val = 1;
++ } else {
++ if (fip->field_type == TIFF_ASCII
+ || fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2
+ || fip->field_readcount == TIFF_SPP
+- || tv->count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
++ || tv->count > 1) {
+ *va_arg(ap, void **) = tv->value;
+ ret_val = 1;
+ } else {
+- int j;
+ char *val = (char *)tv->value;
+
+- for (j = 0; j < tv->count;
+- j++, val += _TIFFDataSize(tv->info->field_type)) {
++ assert( tv->count == 1 );
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+@@ -936,7 +934,6 @@
+ ret_val = 0;
+ break;
+ }
+- }
+ }
+ }
+ break;
+diff -Naur tiff-3.9.7.orig/libtiff/tif_print.c tiff-3.9.7/libtiff/tif_print.c
+--- tiff-3.9.7.orig/libtiff/tif_print.c 2010-07-08 12:17:59.000000000 -0400
++++ tiff-3.9.7/libtiff/tif_print.c 2012-12-13 13:42:12.773478278 -0500
+@@ -112,16 +112,22 @@
+ }
+
+ static int
+-_TIFFPrettyPrintField(TIFF* tif, FILE* fd, ttag_t tag,
++_TIFFPrettyPrintField(TIFF* tif, const TIFFFieldInfo *fip, FILE* fd, ttag_t tag,
+ uint32 value_count, void *raw_data)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+
++ /* do not try to pretty print auto-defined fields */
++ if (strncmp(fip->field_name,"Tag ", 4) == 0) {
++ return 0;
++ }
++
+ switch (tag)
+ {
+ case TIFFTAG_INKSET:
+- fprintf(fd, " Ink Set: ");
+- switch (*((uint16*)raw_data)) {
++ if (value_count == 2 && fip->field_type == TIFF_SHORT) {
++ fprintf(fd, " Ink Set: ");
++ switch (*((uint16*)raw_data)) {
+ case INKSET_CMYK:
+ fprintf(fd, "CMYK\n");
+ break;
+@@ -130,11 +136,18 @@
+ *((uint16*)raw_data),
+ *((uint16*)raw_data));
+ break;
++ }
++ return 1;
+ }
+- return 1;
++ return 0;
++
+ case TIFFTAG_WHITEPOINT:
+- fprintf(fd, " White Point: %g-%g\n",
+- ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
++ if (value_count == 2 && fip->field_type == TIFF_RATIONAL) {
++ fprintf(fd, " White Point: %g-%g\n",
++ ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
++ }
++ return 0;
++
+ case TIFFTAG_REFERENCEBLACKWHITE:
+ {
+ uint16 i;
+@@ -174,10 +187,13 @@
+ (unsigned long) value_count);
+ return 1;
+ case TIFFTAG_STONITS:
+- fprintf(fd,
+- " Sample to Nits conversion factor: %.4e\n",
+- *((double*)raw_data));
+- return 1;
++ if (value_count == 1 && fip->field_type == TIFF_DOUBLE) {
++ fprintf(fd,
++ " Sample to Nits conversion factor: %.4e\n",
++ *((double*)raw_data));
++ return 1;
++ }
++ return 0;
+ }
+
+ return 0;
+@@ -524,44 +540,28 @@
+ value_count = td->td_samplesperpixel;
+ else
+ value_count = fip->field_readcount;
+- if ((fip->field_type == TIFF_ASCII
++ if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ static uint16 dotrange[2];
++ raw_data = dotrange;
++ TIFFGetField(tif, tag, dotrange+0, dotrange+1);
++ } else if (fip->field_type == TIFF_ASCII
+ || fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2
+ || fip->field_readcount == TIFF_SPP
+- || value_count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
++ || value_count > 1) {
+ if(TIFFGetField(tif, tag, &raw_data) != 1)
+ continue;
+- } else if (fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
+- raw_data = _TIFFmalloc(
+- _TIFFDataSize(fip->field_type)
+- * value_count);
+- mem_alloc = 1;
+- if(TIFFGetField(tif, tag, raw_data) != 1) {
+- _TIFFfree(raw_data);
+- continue;
+- }
+ } else {
+- /*
+- * XXX: Should be fixed and removed, see the
+- * notes related to TIFFTAG_PAGENUMBER,
+- * TIFFTAG_HALFTONEHINTS,
+- * TIFFTAG_YCBCRSUBSAMPLING and
+- * TIFFTAG_DOTRANGE tags in tif_dir.c. */
+- char *tmp;
+ raw_data = _TIFFmalloc(
+ _TIFFDataSize(fip->field_type)
+ * value_count);
+- tmp = raw_data;
+ mem_alloc = 1;
+- if(TIFFGetField(tif, tag, tmp,
+- tmp + _TIFFDataSize(fip->field_type)) != 1) {
++ if(TIFFGetField(tif, tag, raw_data) != 1) {
+ _TIFFfree(raw_data);
+ continue;
+ }
+@@ -574,7 +574,7 @@
+ * _TIFFPrettyPrintField() fall down and print it as any other
+ * tag.
+ */
+- if (_TIFFPrettyPrintField(tif, fd, tag, value_count, raw_data)) {
++ if (_TIFFPrettyPrintField(tif, fip, fd, tag, value_count, raw_data)) {
+ if(mem_alloc)
+ _TIFFfree(raw_data);
+ continue;
diff --git a/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch b/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch
new file mode 100644
index 000000000000..6ad7534ac6fe
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch
@@ -0,0 +1,36 @@
+Make TIFFPrintDirectory cope with both TIFF_VARIABLE and TIFF_VARIABLE2
+conventions for field_passcount fields, ie, either 16- or 32-bit counts.
+This patch is taken from upstream commits dated 2012-05-23 ("fix crash
+with odd 16bit count types for some custom fields") and 2012-12-12 ("Fix
+TIFF_VARIABLE/TIFF_VARIABLE2 confusion in TIFFPrintDirectory").
+
+This doesn't qualify as a security issue in itself, mainly because
+TIFFPrintDirectory is unlikely to be used in any security-exposed
+scenarios; but we need to fix it so that our test case for CVE-2012-5581
+works on all platforms.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_print.c tiff-3.9.4/libtiff/tif_print.c
+--- tiff-3.9.4.orig/libtiff/tif_print.c 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_print.c 2012-12-13 12:17:33.726765771 -0500
+@@ -518,8 +518,19 @@
+ continue;
+
+ if(fip->field_passcount) {
+- if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
++ if (fip->field_readcount == TIFF_VARIABLE2 ) {
++ if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
++ continue;
++ } else if (fip->field_readcount == TIFF_VARIABLE ) {
++ uint16 small_value_count;
++ if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1)
++ continue;
++ value_count = small_value_count;
++ } else {
++ assert (fip->field_readcount == TIFF_VARIABLE
++ || fip->field_readcount == TIFF_VARIABLE2);
+ continue;
++ }
+ } else {
+ if (fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2)
diff --git a/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch b/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch
new file mode 100644
index 000000000000..a326e21e298b
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch
@@ -0,0 +1,59 @@
+Teach "tiffinfo -D" to not try to print image data inside an EXIF subdirectory,
+because there isn't any. Back-patched from an upstream 4.0.2 fix.
+
+This is not a security issue in itself (it crashes, but with a simple NULL
+pointer dereference). However, our test case for CVE-2012-5581 tickles this
+bug, so it seems easier to fix this than make a new test case.
+
+
+diff -Naur tiff-3.9.4.orig/tools/tiffinfo.c tiff-3.9.4/tools/tiffinfo.c
+--- tiff-3.9.4.orig/tools/tiffinfo.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffinfo.c 2012-12-11 16:33:17.062228558 -0500
+@@ -49,7 +49,7 @@
+ int stoponerr = 1; /* stop on first read error */
+
+ static void usage(void);
+-static void tiffinfo(TIFF*, uint16, long);
++static void tiffinfo(TIFF*, uint16, long, int);
+
+ int
+ main(int argc, char* argv[])
+@@ -124,19 +124,20 @@
+ if (tif != NULL) {
+ if (dirnum != -1) {
+ if (TIFFSetDirectory(tif, (tdir_t) dirnum))
+- tiffinfo(tif, order, flags);
++ tiffinfo(tif, order, flags, 1);
+ } else if (diroff != 0) {
+ if (TIFFSetSubDirectory(tif, diroff))
+- tiffinfo(tif, order, flags);
++ tiffinfo(tif, order, flags, 1);
+ } else {
+ do {
+ uint32 offset;
+
+- tiffinfo(tif, order, flags);
++ tiffinfo(tif, order, flags, 1);
+ if (TIFFGetField(tif, TIFFTAG_EXIFIFD,
+ &offset)) {
+- if (TIFFReadEXIFDirectory(tif, offset))
+- tiffinfo(tif, order, flags);
++ if (TIFFReadEXIFDirectory(tif, offset)) {
++ tiffinfo(tif, order, flags, 0);
++ }
+ }
+ } while (TIFFReadDirectory(tif));
+ }
+@@ -426,10 +427,10 @@
+ }
+
+ static void
+-tiffinfo(TIFF* tif, uint16 order, long flags)
++tiffinfo(TIFF* tif, uint16 order, long flags, int is_image)
+ {
+ TIFFPrintDirectory(tif, stdout, flags);
+- if (!readdata)
++ if (!readdata || !is_image)
+ return;
+ if (rawdata) {
+ if (order) {
diff --git a/media-libs/tiff/tiff-3.9.7.ebuild b/media-libs/tiff/tiff-3.9.7.ebuild
index d60113e429b1..378870584738 100644
--- a/media-libs/tiff/tiff-3.9.7.ebuild
+++ b/media-libs/tiff/tiff-3.9.7.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/tiff-3.9.7.ebuild,v 1.4 2013/05/03 12:00:09 vincent Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/tiff-3.9.7.ebuild,v 1.5 2013/05/03 12:13:47 ssuominen Exp $
EAPI=5
@@ -25,6 +25,11 @@ RDEPEND="jpeg? ( virtual/jpeg )
DEPEND="${RDEPEND}"
src_prepare() {
+ epatch \
+ "${FILESDIR}"/${P}-CVE-2012-{4447,4564,5581}.patch \
+ "${FILESDIR}"/${P}-tiffinfo-exif.patch \
+ "${FILESDIR}"/${P}-printdir-width.patch
+
elibtoolize
}