gentoo resync : 27.01.2018

3 files changed, 234 insertions, 0 deletions

diff --git a/media-libs/tiff/Manifest b/media-libs/tiff/Manifest
index e442f31a6904..9264e358b124 100644
--- a/media-libs/tiff/Manifest
+++ b/media-libs/tiff/Manifest
@@ -11,10 +11,12 @@ AUX tiff-4.0.7-pdfium-0013-validate-refblackwhite.patch 1278 BLAKE2B d2e9406584c
 AUX tiff-4.0.7-pdfium-0017-safe_skews_in_gtTileContig.patch 2992 BLAKE2B f588838219ba3323a15b35d04b168180229ce1ad9c018c2104d2663905aaafc2aae001f188f6c6c722190d086b1fd1422ca5bfd2a55b45c7120dfe1792b4d728 SHA512 0fc1b6b8a57629730b10c0c30d915ce8a9575cac5e1daa91ae74be4e866e4c9cf49031897c001b3ade8182274d875988d40c1d4214b2a427d4676762ca7f2c4c
 AUX tiff-4.0.7-pdfium-0018-fix-leak-in-PredictorSetupDecode.patch 849 BLAKE2B b0087382944185e1b91e65ae5b1a8998d31c4285308a1d9a2db20064f92b8aea07341a4a93242678f7ff332bf21d091a902907f74d320d2739b151efff25bec1 SHA512 9da30e7223522dfb4d8a8bc8b5bd545615cfe60a509f8583d29817ecbb1ff28ca38a6e00ee845e9484d9bc02666f99b0144ea08e5083eef2035e99b1825f4bd3
 AUX tiff-4.0.7-pdfium-0021-oom-TIFFFillStrip.patch 1228 BLAKE2B ca3babb8a10c96ecfb72914651f8e737ec4d2a7a7fbdc4b9c153e2a7f540fa1a0b5907bad374ddbce53364caba0282d848b03992b793c14490740ecb786fe47c SHA512 4add933c6b7e2938affb03e00da0bb28789cd9998f5496f4b592ae14d35175f6ce8a4e83ee639ef42211a8683bddad5b4c8375a1ba0a331bc72a40c45e691162
+AUX tiff-4.0.9-CVE-2017-9935.patch 6636 BLAKE2B b7660dee9e379aea59f7225024697ea35b820837502e9e19157391c569c6b85473c4da5163f2e6fa8934c68cc32cbc45d025a2c336d21d79f461723a68a6e49f SHA512 ca1beda6e1550ac8a4bdf2bdefaba38f5fc40d2e842709ed1a803aeef5c34cd466f93fc6e7bb8e7ffb7e21a702d54584b84615e7c3dc3a8d2d29ceeadaeca7f6
 DIST tiff-3.9.7.tar.gz 1468097 BLAKE2B 303339acf9bb48558695b13fcc2b41acacbbf2ce6d2ec497067761895cb2de7674108e8ca2f35f845dcd2e45801777fe25d234af1c308acf59846c2f5617ab53 SHA512 ca89584a9ffa33b4986e4bc2165043cec239896f1f0ab73db00818d0442b570efaa6345b2ed422e884202324d359713df849bf14782bb0cf3b959655febddd77
 DIST tiff-4.0.8.tar.gz 2065574 BLAKE2B b9ece26d3549836d2cbbce1b90ce724a6eae51adae0abbd6193942ced8be965df63d1aa8e774b83d9ae689e5d08033705ef62b77276b40c34913cd535caa72b9 SHA512 5d010ec4ce37aca733f7ab7db9f432987b0cd21664bd9d99452a146833c40f0d1e7309d1870b0395e947964134d5cfeb1366181e761fe353ad585803ff3d6be6
 DIST tiff-4.0.9.tar.gz 2305681 BLAKE2B 3de03408d2974b9f9f5f2444029cc3018ef43beb67e9fd21be68ee400cdcc6deca1247f055d880841a18b92284ce81f112682c8b5f083ddc61e5255d73a7de3f SHA512 04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd
 EBUILD tiff-3.9.7-r1.ebuild 2072 BLAKE2B 1a1fbd60077b9d98c591041006443f2074d78d86dc6e165b9ca0e8d8b1578ec7b4a610046a1bb3a5860dac17f7dcfc7da142ae7a4f15ea2ca388ded15e4c9d6e SHA512 735b3fc6b18d754463f0b3b7e8c4ce31c9bf66a89bc5f761dcf1a8cdad28e494107784dd1a49a496095e0eec3dfca792bb62632190a95c9cb9e5c4ced03e3336
 EBUILD tiff-4.0.8.ebuild 2619 BLAKE2B ea84c84c765588cd4e148e4f62f3182062532cea1ec5a1460bf0fc0be286df2619b6daabbe999ba9446d4d4e9f16e6d8d8197e6696b6952d3593e9c5a2db48c3 SHA512 c2754d6d0a097319f2b1ac9122e16ec2e0f25ddd434f4158f806631670cfa00a9a5a838cb50fb9336d70e0baa54c6cfabaec9fe7380c65fb0f58e65dc0a39900
+EBUILD tiff-4.0.9-r1.ebuild 2260 BLAKE2B 4bf6af1f52b2990ffe3ec4a6169ee8ac774f3bdb52bdfe46450a6b724b4ca0ac04d4d7f849e390125403e0aa8555465b32ce5a824d8344403688321a6708f2de SHA512 1b47e588d6578cc2d6d3c0b1264f896854f2279ee8f9dd07b377ed4f78d680306eefa3cd462e27e460af18289d8734fa69128b55d5d0352a0199ba93a4377e09
 EBUILD tiff-4.0.9.ebuild 2486 BLAKE2B 39a931e22b9cc13b7ca8a863ddfa07e5812a3299465799b0bd156b044edb3154cb94a6d4cfe11cb1a3ff09a99df5d19485fd4f606a0072a898e848b3be0cba90 SHA512 fc596b278c56d07fa5f58a053528f73d4486935a3783d4d1653f0d83bd891697b70a9e0fc3098c419dc34a9f674398299037ea47870eed9d596a98109ff7f4c5
 MISC metadata.xml 565 BLAKE2B 3d487835599974795ba6007439bf1d08756ab1c5dbe191509832b302f3199e4ffc05be64df3e26b4d4a1c11d1292c48cbb59ffa6e412831d16d7415e076f1062 SHA512 289043206dbb512c97e4bb703b32549ac4a77f40e212548b80ea865052b80fed9d4562f9fc94638fda54da9bc3e0c19ba303c027e66e7b75c772aeec91aebe6f
diff --git a/media-libs/tiff/files/tiff-4.0.9-CVE-2017-9935.patch b/media-libs/tiff/files/tiff-4.0.9-CVE-2017-9935.patch
new file mode 100644
index 000000000000..96a10aa9b373
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.9-CVE-2017-9935.patch
@@ -0,0 +1,153 @@
+From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:46:47 +1100
+Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
+
+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+This vulnerability - at least for the supplied test case - is because we
+assume that a tiff will only have one transfer function that is the same
+for all pages. This is not required by the TIFF standards.
+
+We than read the transfer function for every page.  Depending on the
+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+We allocate this memory after we read in the transfer function for the
+page.
+
+For the first exploit - POC1, this file has 3 pages. For the first page
+we allocate 2 extra extra XREF entries. Then for the next page 2 more
+entries. Then for the last page the transfer function changes and we
+allocate 4 more entries.
+
+When we read the file into memory, we assume we have 4 bytes extra for
+each and every page (as per the last transfer function we read). Which
+is not correct, we only have 2 bytes extra for the first 2 pages. As a
+result, we end up writing past the end of the buffer.
+
+There are also some related issues that this also fixes. For example,
+TIFFGetField can return uninitalized pointer values, and the logic to
+detect a N=3 vs N=1 transfer function seemed rather strange.
+
+It is also strange that we declare the transfer functions to be of type
+float, when the standard says they are unsigned 16 bit values. This is
+fixed in another patch.
+
+This patch will check to ensure that the N value for every transfer
+function is the same for every page. If this changes, we abort with an
+error. In theory, we should perhaps check that the transfer function
+itself is identical for every page, however we don't do that due to the
+confusion of the type of the data in the transfer function.
+---
+ libtiff/tif_dir.c |  3 +++
+ tools/tiff2pdf.c  | 65 +++++++++++++++++++++++++++++++++++++------------------
+ 2 files changed, 47 insertions(+), 21 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 2ccaf448fc40..cbf2b6933a40 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
+ 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
+ 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
++			} else {
++				*va_arg(ap, uint16**) = NULL;
++				*va_arg(ap, uint16**) = NULL;
+ 			}
+ 			break;
+ 		case TIFFTAG_REFERENCEBLACKWHITE:
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index d1a9b0959f84..c3ec07465e5a 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ 	uint16 pagen=0;
+ 	uint16 paged=0;
+ 	uint16 xuint16=0;
++	uint16 tiff_transferfunctioncount=0;
++	float* tiff_transferfunction[3];
+ 
+ 	directorycount=TIFFNumberOfDirectories(input);
+ 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+                 }
+ #endif
+ 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
+-                                 &(t2p->tiff_transferfunction[0]),
+-                                 &(t2p->tiff_transferfunction[1]),
+-                                 &(t2p->tiff_transferfunction[2]))) {
+-			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[1] !=
+-                            t2p->tiff_transferfunction[0])) {
+-				t2p->tiff_transferfunctioncount = 3;
+-				t2p->tiff_pages[i].page_extra += 4;
+-				t2p->pdf_xrefcount += 4;
+-			} else {
+-				t2p->tiff_transferfunctioncount = 1;
+-				t2p->tiff_pages[i].page_extra += 2;
+-				t2p->pdf_xrefcount += 2;
+-			}
+-			if(t2p->pdf_minorversion < 2)
+-				t2p->pdf_minorversion = 2;
++                                 &(tiff_transferfunction[0]),
++                                 &(tiff_transferfunction[1]),
++                                 &(tiff_transferfunction[2]))) {
++
++                        if((tiff_transferfunction[1] != (float*) NULL) &&
++                           (tiff_transferfunction[2] != (float*) NULL)
++                          ) {
++                            tiff_transferfunctioncount=3;
++                        } else {
++                            tiff_transferfunctioncount=1;
++                        }
+                 } else {
+-			t2p->tiff_transferfunctioncount=0;
++			tiff_transferfunctioncount=0;
+ 		}
++
++                if (i > 0){
++                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
++                        TIFFError(
++                            TIFF2PDF_MODULE,
++                            "Different transfer function on page %d",
++                            i);
++                        t2p->t2p_error = T2P_ERR_ERROR;
++                        return;
++                    }
++                }
++
++                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
++                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
++                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
++                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
++                if(tiff_transferfunctioncount == 3){
++                        t2p->tiff_pages[i].page_extra += 4;
++                        t2p->pdf_xrefcount += 4;
++                        if(t2p->pdf_minorversion < 2)
++                                t2p->pdf_minorversion = 2;
++                } else if (tiff_transferfunctioncount == 1){
++                        t2p->tiff_pages[i].page_extra += 2;
++                        t2p->pdf_xrefcount += 2;
++                        if(t2p->pdf_minorversion < 2)
++                                t2p->pdf_minorversion = 2;
++                }
++
+ 		if( TIFFGetField(
+ 			input, 
+ 			TIFFTAG_ICCPROFILE, 
+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ 			 &(t2p->tiff_transferfunction[1]),
+ 			 &(t2p->tiff_transferfunction[2]))) {
+ 		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[1] !=
+-                    t2p->tiff_transferfunction[0])) {
++                   (t2p->tiff_transferfunction[2] != (float*) NULL)
++                  ) {
+ 			t2p->tiff_transferfunctioncount=3;
+ 		} else {
+ 			t2p->tiff_transferfunctioncount=1;
+-- 
+2.15.1
+
diff --git a/media-libs/tiff/tiff-4.0.9-r1.ebuild b/media-libs/tiff/tiff-4.0.9-r1.ebuild
new file mode 100644
index 000000000000..fbb216176cdd
--- /dev/null
+++ b/media-libs/tiff/tiff-4.0.9-r1.ebuild
@@ -0,0 +1,79 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+inherit autotools eutils libtool multilib-minimal
+
+DESCRIPTION="Tag Image File Format (TIFF) library"
+HOMEPAGE="http://libtiff.maptools.org"
+SRC_URI="http://download.osgeo.org/libtiff/${P}.tar.gz
+	ftp://ftp.remotesensing.org/pub/libtiff/${P}.tar.gz"
+
+LICENSE="libtiff"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="+cxx jbig jpeg lzma static-libs test zlib"
+
+RDEPEND="jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] )
+	jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] )
+	lzma? ( >=app-arch/xz-utils-5.0.5-r1:=[${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1:=[${MULTILIB_USEDEP}] )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20130224-r9
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+DEPEND="${RDEPEND}"
+
+REQUIRED_USE="test? ( jpeg )" #483132
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
+	"${FILESDIR}"/${PN}-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
+	"${FILESDIR}"/${P}-CVE-2017-9935.patch #624696
+)
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/tiffconf.h
+)
+
+src_prepare() {
+	default
+
+	# tiffcp-thumbnail.sh fails as thumbnail binary doesn't get built anymore since tiff-4.0.7
+	sed '/tiffcp-thumbnail\.sh/d' -i test/Makefile.am || die
+
+	eautoreconf
+}
+
+multilib_src_configure() {
+	ECONF_SOURCE="${S}" econf \
+		$(use_enable static-libs static) \
+		$(use_enable zlib) \
+		$(use_enable jpeg) \
+		$(use_enable jbig) \
+		$(use_enable lzma) \
+		$(use_enable cxx) \
+		--without-x
+
+	# remove useless subdirs
+	if ! multilib_is_native_abi ; then
+		sed -i \
+			-e 's/ tools//' \
+			-e 's/ contrib//' \
+			-e 's/ man//' \
+			-e 's/ html//' \
+			Makefile || die
+	fi
+}
+
+multilib_src_test() {
+	if ! multilib_is_native_abi ; then
+		emake -C tools
+	fi
+	emake check
+}
+
+multilib_src_install_all() {
+	prune_libtool_files --all
+	rm -f "${ED}"/usr/share/doc/${PF}/{COPYRIGHT,README*,RELEASE-DATE,TODO,VERSION}
+}