2012-04-23 Padraig O'Briain <
[email protected]>
CR 7158160 Problem with gnome/libraries
RTI 362135
* specs/SUNWTiff.spec:
* patches/tiff-01-CVE-2012-1173.diff:
--- a/ChangeLog Mon Apr 23 03:14:56 2012 +0000
+++ b/ChangeLog Mon Apr 23 07:10:23 2012 +0000
@@ -1,3 +1,10 @@
+2012-04-23 Padraig O'Briain <[email protected]>
+
+ CR 7158160 Problem with gnome/libraries
+ RTI 362135
+ * specs/SUNWTiff.spec:
+ * patches/tiff-01-CVE-2012-1173.diff:
+
2012-04-20 Jeff Cai <[email protected]>
Fix CR #7151417 - File-roller crashes when creating an
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/tiff-01-CVE-2012-1173.diff Mon Apr 23 07:10:23 2012 +0000
@@ -0,0 +1,66 @@
+--- libtiff/tif_getimage.c.orig 2012-04-19 08:49:47.367361776 +0100
++++ libtiff/tif_getimage.c 2012-04-19 09:42:41.967552598 +0100
+@@ -673,18 +673,24 @@
+ unsigned char* p2;
+ unsigned char* pa;
+ tsize_t tilesize;
++ tsize_t bufsize;
+ int32 fromskew, toskew;
+ int alpha = img->alpha;
+ uint32 nrow;
+ int ret = 1, flip;
+
+ tilesize = TIFFTileSize(tif);
+- buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize);
++ if (bufsize == 0) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
++ return (0);
++ }
++ buf = (unsigned char*) _TIFFmalloc(bufsize);
+ if (buf == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
+ return (0);
+ }
+- _TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
++ _TIFFmemset(buf, 0, bufsize);
+ p0 = buf;
+ p1 = p0 + tilesize;
+ p2 = p1 + tilesize;
+@@ -880,17 +886,23 @@
+ uint32 rowsperstrip, offset_row;
+ uint32 imagewidth = img->width;
+ tsize_t stripsize;
++ tsize_t bufsize;
+ int32 fromskew, toskew;
+ int alpha = img->alpha;
+ int ret = 1, flip;
+
+ stripsize = TIFFStripSize(tif);
+- p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
++ bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize);
++ if (bufsize == 0) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
++ return (0);
++ }
++ p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
+ if (buf == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
+ return (0);
+ }
+- _TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
++ _TIFFmemset(buf, 0, bufsize);
+ p1 = p0 + stripsize;
+ p2 = p1 + stripsize;
+ pa = (alpha?(p2+stripsize):NULL);
+--- libtiff/tiffiop.h.orig 2012-04-19 08:50:17.752392827 +0100
++++ libtiff/tiffiop.h 2012-04-19 08:50:51.586979922 +0100
+@@ -246,7 +246,7 @@
+ #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
+
+ /* Safe multiply which returns zero if there is an integer overflow */
+-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+
+ #define TIFFmax(A,B) ((A)>(B)?(A):(B))
+ #define TIFFmin(A,B) ((A)<(B)?(A):(B))
--- a/specs/SUNWTiff.spec Mon Apr 23 03:14:56 2012 +0000
+++ b/specs/SUNWTiff.spec Mon Apr 23 07:10:23 2012 +0000
@@ -3,7 +3,7 @@
#
# includes module(s): tiff
#
-# Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@@ -28,23 +28,23 @@
SUNW_BaseDir: %{_prefix}
SUNW_Copyright: %{name}.copyright
BuildRoot: %{_tmppath}/%{name}-%{version}-build
+# date:2012-04-19 owner:padraig type:bug bugster:7158160
+Patch1: tiff-01-CVE-2012-1173.diff
%include default-depend.inc
%include desktop-incorporation.inc
-Requires: SUNWlibms
-Requires: SUNWzlib
-BuildRequires: SUNWjpg
+Requires: system/library/math
+Requires: library/zlib
+BuildRequires: image/library/libjpeg
%package devel
Summary: %{summary} - development files
SUNW_BaseDir: %{_prefix}
-%include default-depend.inc
-%include desktop-incorporation.inc
-Requires: SUNWTiff
%prep
%setup -c -n %name-%version
cd tiff-%{tarball_version}
+%patch1 -p0
gzcat %SOURCE1 | tar -xf -
%ifarch amd64 sparcv9
@@ -147,6 +147,8 @@
%{_mandir}/man3tiff/*
%changelog
+* Thu Apr 19 2012 - [email protected]
+- Added patch tiff-01-CVE-2012-1173.
* Thu Mar 17 2011 - [email protected]
- Added patch tiff-01-CVE-2011-0192.diff & tiff-01-CVE-2011-1167.diff to fix security vulnerability CVE-2011-0192 & CVE-2011-1167.
* Thu Jul 29 2010 - [email protected]