slackware-current/source/l/libtiff/patches/CVE-2022-2056_2057_2058.patch

181 lines
7.4 KiB
Diff
Raw Normal View History

Wed Jan 4 02:18:08 UTC 2023 ap/lsof-4.96.5-x86_64-1.txz: Upgraded. ap/sqlite-3.40.1-x86_64-1.txz: Upgraded. kde/bluedevil-5.26.5-x86_64-1.txz: Upgraded. kde/breeze-5.26.5-x86_64-1.txz: Upgraded. kde/breeze-grub-5.26.5-x86_64-1.txz: Upgraded. kde/breeze-gtk-5.26.5-x86_64-1.txz: Upgraded. kde/digikam-7.9.0-x86_64-2.txz: Rebuilt. Recompiled against opencv-4.7.0. kde/drkonqi-5.26.5-x86_64-1.txz: Upgraded. kde/kactivitymanagerd-5.26.5-x86_64-1.txz: Upgraded. kde/kde-cli-tools-5.26.5-x86_64-1.txz: Upgraded. kde/kde-gtk-config-5.26.5-x86_64-1.txz: Upgraded. kde/kdecoration-5.26.5-x86_64-1.txz: Upgraded. kde/kdeplasma-addons-5.26.5-x86_64-1.txz: Upgraded. kde/kgamma5-5.26.5-x86_64-1.txz: Upgraded. kde/khotkeys-5.26.5-x86_64-1.txz: Upgraded. kde/kinfocenter-5.26.5-x86_64-1.txz: Upgraded. kde/kmenuedit-5.26.5-x86_64-1.txz: Upgraded. kde/kpipewire-5.26.5-x86_64-1.txz: Upgraded. kde/kscreen-5.26.5-x86_64-1.txz: Upgraded. kde/kscreenlocker-5.26.5-x86_64-1.txz: Upgraded. kde/ksshaskpass-5.26.5-x86_64-1.txz: Upgraded. kde/ksystemstats-5.26.5-x86_64-1.txz: Upgraded. kde/kwallet-pam-5.26.5-x86_64-1.txz: Upgraded. kde/kwayland-integration-5.26.5-x86_64-1.txz: Upgraded. kde/kwin-5.26.5-x86_64-1.txz: Upgraded. kde/kwrited-5.26.5-x86_64-1.txz: Upgraded. kde/layer-shell-qt-5.26.5-x86_64-1.txz: Upgraded. kde/libkscreen-5.26.5-x86_64-1.txz: Upgraded. kde/libksysguard-5.26.5-x86_64-1.txz: Upgraded. kde/milou-5.26.5-x86_64-1.txz: Upgraded. kde/oxygen-5.26.5-x86_64-1.txz: Upgraded. kde/oxygen-sounds-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-browser-integration-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-desktop-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-disks-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-firewall-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-integration-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-nm-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-pa-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-sdk-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-systemmonitor-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-vault-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-workspace-5.26.5-x86_64-1.txz: Upgraded. kde/plasma-workspace-wallpapers-5.26.5-x86_64-1.txz: Upgraded. kde/polkit-kde-agent-1-5.26.5-x86_64-1.txz: Upgraded. kde/powerdevil-5.26.5-x86_64-1.txz: Upgraded. kde/qqc2-breeze-style-5.26.5-x86_64-1.txz: Upgraded. kde/sddm-kcm-5.26.5-x86_64-1.txz: Upgraded. kde/systemsettings-5.26.5-x86_64-1.txz: Upgraded. kde/xdg-desktop-portal-kde-5.26.5-x86_64-1.txz: Upgraded. l/SDL2-2.26.2-x86_64-1.txz: Upgraded. l/gst-plugins-bad-free-1.20.5-x86_64-2.txz: Rebuilt. Recompiled against opencv-4.7.0. l/imagemagick-7.1.0_57-x86_64-1.txz: Upgraded. l/libpcap-1.10.2-x86_64-1.txz: Upgraded. l/libpsl-0.21.2-x86_64-1.txz: Upgraded. l/librevenge-0.0.5-x86_64-1.txz: Upgraded. l/libsndfile-1.2.0-x86_64-1.txz: Upgraded. l/libtiff-4.4.0-x86_64-2.txz: Rebuilt. Patched various security bugs. For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-2056 https://www.cve.org/CVERecord?id=CVE-2022-2057 https://www.cve.org/CVERecord?id=CVE-2022-2058 https://www.cve.org/CVERecord?id=CVE-2022-3970 https://www.cve.org/CVERecord?id=CVE-2022-34526 (* Security fix *) l/netpbm-11.01.00-x86_64-1.txz: Upgraded. l/opencv-4.7.0-x86_64-1.txz: Upgraded. Shared library .so-version bump. l/poppler-23.01.0-x86_64-1.txz: Upgraded. n/getmail-6.18.11-x86_64-1.txz: Upgraded. n/tcpdump-4.99.2-x86_64-1.txz: Upgraded. n/whois-5.5.15-x86_64-1.txz: Upgraded. Updated the .bd, .nz and .tv TLD servers. Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers. Updated the .ac.uk and .gov.uk SLD servers. Recursion has been enabled for whois.nic.tv. Updated the list of new gTLDs with four generic TLDs assigned in October 2013 which were missing due to a bug. Removed 4 new gTLDs which are no longer active. Added the Georgian translation, contributed by Temuri Doghonadze. Updated the Finnish translation, contributed by Lauri Nurmi. xap/pidgin-2.14.12-x86_64-1.txz: Upgraded. xap/rxvt-unicode-9.26-x86_64-4.txz: Rebuilt. When the "background" extension was loaded, an attacker able to control the data written to the terminal would be able to execute arbitrary code as the terminal's user. Thanks to David Leadbeater and Ben Collver. For more information, see: https://www.openwall.com/lists/oss-security/2022/12/05/1 https://www.cve.org/CVERecord?id=CVE-2022-4170 (* Security fix *)
2023-01-04 03:18:08 +01:00
From dd1bcc7abb26094e93636e85520f0d8f81ab0fab Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Sat, 11 Jun 2022 09:31:43 +0000
Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428)
---
libtiff/tif_aux.c | 9 +++++++
libtiff/tiffiop.h | 1 +
tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
3 files changed, 44 insertions(+), 28 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 140f26c7..5b88c8d0 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
return (float)val;
}
+uint32_t _TIFFClampDoubleToUInt32(double val)
+{
+ if( val < 0 )
+ return 0;
+ if( val > 0xFFFFFFFFU || val != val )
+ return 0xFFFFFFFFU;
+ return (uint32_t)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index e3af461d..4e8bdac2 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t);
extern float _TIFFUInt64ToFloat(uint64_t);
extern float _TIFFClampDoubleToFloat(double);
+extern uint32_t _TIFFClampDoubleToUInt32(double);
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip,
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 1f827b2b..90286a5e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
{
- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres);
- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres);
- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres);
- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
}
else
{
- x1 = (uint32_t) (crop->corners[i].X1);
- x2 = (uint32_t) (crop->corners[i].X2);
- y1 = (uint32_t) (crop->corners[i].Y1);
- y2 = (uint32_t) (crop->corners[i].Y2);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
/* a) Region needs to be within image sizes 0.. width-1; 0..length-1
* b) Corners are expected to be submitted as top-left to bottom-right.
@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{ /* User has specified pixels as reference unit */
- tmargin = (uint32_t)(crop->margins[0]);
- lmargin = (uint32_t)(crop->margins[1]);
- bmargin = (uint32_t)(crop->margins[2]);
- rmargin = (uint32_t)(crop->margins[3]);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
}
else
{ /* inches or centimeters specified */
- tmargin = (uint32_t)(crop->margins[0] * scale * yres);
- lmargin = (uint32_t)(crop->margins[1] * scale * xres);
- bmargin = (uint32_t)(crop->margins[2] * scale * yres);
- rmargin = (uint32_t)(crop->margins[3] * scale * xres);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
}
if ((lmargin + rmargin) > image->width)
@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32_t)crop->width;
+ width = _TIFFClampDoubleToUInt32(crop->width);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32_t)crop->length;
+ length = _TIFFClampDoubleToUInt32(crop->length);
else
length = image->length - tmargin - bmargin;
}
else
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32_t)(crop->width * scale * image->xres);
+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32_t)(crop->length * scale * image->yres);
+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
else
length = image->length - tmargin - bmargin;
}
@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
{ /* inches or centimeters specified */
- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
}
else
{ /* Otherwise user has specified pixels as reference unit */
- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
}
if ((hmargin * 2.0) > (pwidth * page->hres))
@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->mode & PAGE_MODE_PAPERSIZE )
{
- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2));
- olength = (uint32_t)((plength * page->vres) - (vmargin * 2));
+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
}
else
{
- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres));
- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres));
+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
}
}
@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
if (olength > ilength)
olength = ilength;
+ if (owidth == 0 || olength == 0)
+ {
+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
+ exit(EXIT_FAILURE);
+ }
+
/* Compute the number of pages required for Portrait or Landscape */
switch (page->orient)
{
--
GitLab