From fc637fb28da700da71ec2064d65ca5a7a31b9c6c Mon Sep 17 00:00:00 2001
From: V3n3RiX <venerix@redcorelinux.org>
Date: Sun, 18 Aug 2019 18:16:17 +0100
Subject: gentoo resync : 18.08.2019

---
 media-libs/tiff/Manifest                           |  4 +
 ...-2018-17000-tif_dirwrite-null-dereference.patch | 33 +++++++++
 .../tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch   | 48 ++++++++++++
 ....0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch | 73 ++++++++++++++++++
 media-libs/tiff/tiff-4.0.10-r1.ebuild              | 86 ++++++++++++++++++++++
 5 files changed, 244 insertions(+)
 create mode 100644 media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
 create mode 100644 media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
 create mode 100644 media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
 create mode 100644 media-libs/tiff/tiff-4.0.10-r1.ebuild

(limited to 'media-libs/tiff')

diff --git a/media-libs/tiff/Manifest b/media-libs/tiff/Manifest
index 8ade85a50dc8..a3cc5dc282db 100644
--- a/media-libs/tiff/Manifest
+++ b/media-libs/tiff/Manifest
@@ -1,5 +1,9 @@
+AUX tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch 1301 BLAKE2B 0f4875ff1f4ae06c56018f6ecfe4ce7dc015f9cf77475f61e4b9c898afdfebbeda53ea1cef1d5a7a6237af77dcf8eaa4884ecf8fa9593f2513e84021b47efd02 SHA512 902a01411b8b45bb16757aa34b27cbac9f1f01981a169538b97f3a4cb47fb6597c753c0660182cf4f2cb8a7156049cdf93c5fa8b9c202e89d6cdb44204d94df1
+AUX tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch 1427 BLAKE2B e2c392cd2bfe6f90dc510403d5cc1c383a8ee77e5ce2c1435acdbb9f9bb4c9010e85f19b9f2329f14fb82d0dab4cacdc2e6a5367ff95f940b5535eefd1b24903 SHA512 0a3103dae94b3362da1c5ebf087926ec82bf4e16ba7b5bc13e998fad1e9a970604dd80554f5b0a45d2d4f55a4b6e68dfb180b032f83b4b1335d011e25eb754b5
+AUX tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch 1996 BLAKE2B 1e654cc81d66b050e17a1234016b103332dcfcf03f3d7670d35942efc56fbeff0d66d9b6cc71a059ff6602a7c7cef1a3644ae7ea4ca59e88e9004914bea1be32 SHA512 93d386c62d29715b7e84177c7caaba0a9e284f8b9c730db93cf8fbc76faab2e798c81aab20b1210f0342fa6651e56fcbd07655205957b06bf9236ed0903f00a4
 AUX tiff-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch 930 BLAKE2B 52d77fcdd773ce52232257da2c60f8b90417f102238df2039262e3afa7275908c74817ddd6958e430d7cfcff58d2d04ebd6ddd49f553f0f261883b67f557c599 SHA512 822ccc22304d23b4f50efe1f0fb7890fda8b9edf2075b8add814c0bac0a153fa0ed5d7ee5f47e23799b24f11678c8e0bf9c90ad59c5cc61fd9546b2dca4714a9
 AUX tiff-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch 924 BLAKE2B 03160ce33639620b1deb918d358f559b8bc6296d28530b440d0d770438453c25aecc393b8cfcc582ed2d0ec1decd557a212c91f43f7923c9e94387e235680021 SHA512 43973cc5512eb8fe2e0beab1a98ff0d3bd999ed1adbf7c08c344b3442559cc2cdc99a9f2e9c1bb2bffa4be027945b12b120fa27ec6c8006367932039b8d8dd37
 DIST tiff-4.0.10.tar.gz 2402867 BLAKE2B 0305453f22150c31d00d2de756736f58c49a288e19b2a66bdd01319ce4688742f6eab4009eaf1817125d41f53a23de17eb6265a3ebae458ec24f5dbb3d49764e SHA512 d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8
+EBUILD tiff-4.0.10-r1.ebuild 2491 BLAKE2B f6be096bf9b99b9dd9626043df11d965e5282b87c6ae48098efa30a565604e16c21fa81a5723925ec8061b332b68fd0da43fb3782b59b446b739234ccfb929f1 SHA512 da78f5770d10676770ab31d8c5fe490a5ba41a49f9ba7db5da6f26f52be988125425168e8ff163692373d35df17f29ba7f1a1c16a12c0b4a750ead111eef840a
 EBUILD tiff-4.0.10.ebuild 2278 BLAKE2B 590019a51d49fe8486427702957bbf51680a69fc4e4158f74fdfde44bc85d7243ff1fbc08cec658287a742f14069a3c231df5d5388b7ad1db7940c3cc3d2cf3f SHA512 3d6285a44f2744091f2e321c96934986fbdfeb81eee94f340fa969a81f462c7c4a2658821827d317f2313319de079dc08217c2f3849701fba391845b1e09b2b1
 MISC metadata.xml 565 BLAKE2B 3d487835599974795ba6007439bf1d08756ab1c5dbe191509832b302f3199e4ffc05be64df3e26b4d4a1c11d1292c48cbb59ffa6e412831d16d7415e076f1062 SHA512 289043206dbb512c97e4bb703b32549ac4a77f40e212548b80ea865052b80fed9d4562f9fc94638fda54da9bc3e0c19ba303c027e66e7b75c772aeec91aebe6f
diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
new file mode 100644
index 000000000000..321c6a428afa
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
@@ -0,0 +1,33 @@
+https://crbug.com/901306
+
+commit 802d3cbf3043be5dce5317e140ccb1c17a6a2d39
+Author: Thomas Bernard <miniupnp@free.fr>
+Date:   Tue Jan 29 11:21:47 2019 +0100
+
+    TIFFWriteDirectoryTagTransferfunction() : fix NULL dereferencing
+
+    http://bugzilla.maptools.org/show_bug.cgi?id=2833
+
+    we must check the pointer is not NULL before memcmp() the memory
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index c15a28dbd8fcb99b81fa5a1d44fcbcda881f42a7..ef30c869d30e210d90be16ce91f44087925fbad3 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
+ 		n=3;
+ 	if (n==3)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[2] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ 			n=2;
+ 	}
+ 	if (n==2)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[1] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ 			n=1;
+ 	}
+ 	if (n==0)
diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
new file mode 100644
index 000000000000..38d020fec246
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
@@ -0,0 +1,48 @@
+https://crbug.com/923647
+
+commit ae0bed1fe530a82faf2e9ea1775109dbf301a971
+Merge: 933784a1 0c74a9f4
+Author: Even Rouault <even.rouault@spatialys.com>
+Date:   Sat Feb 2 14:46:05 2019 +0000
+
+    Merge branch 'master' into 'master'
+
+    Fix for simple memory leak that was assigned CVE-2019-6128.
+
+    See merge request libtiff/libtiff!50
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01d8502ecf7a8a7f015e49ca9378a1a741cbc06b..9492f1cf1212177bf7e97d307757d0977c898e90 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ 	    shortv != PHOTOMETRIC_PALETTE) {
+ 		fprintf(stderr, "%s: Expecting a palette image.\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ 		fprintf(stderr,
+ 		    "%s: No colormap (not a valid palette image).\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ 	if (bitspersample != 8) {
+ 		fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	out = TIFFOpen(argv[optind+1], "w");
+-	if (out == NULL)
++	if (out == NULL) {
++		(void) TIFFClose(in);
+ 		return (-2);
++	}
+ 	cpTags(in, out);
+ 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
new file mode 100644
index 000000000000..a68ba2f4bbd2
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
@@ -0,0 +1,73 @@
+From 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 10:05:33 +0100
+Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
+
+fixes bug 2833
+---
+ tools/tiffcp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 2f406e2d7..f0ee2c029 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 	int status = 1;
+ 	uint32 imagew = TIFFRasterScanlineSize(in);
+ 	uint32 tilew = TIFFTileRowSize(in);
+-	int iskew  = imagew - tilew*spp;
++	int iskew;
+ 	tsize_t tilesize = TIFFTileSize(in);
+ 	tdata_t tilebuf;
+ 	uint8* bufp = (uint8*) buf;
+@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 	uint32 row;
+ 	uint16 bps = 0, bytes_per_sample;
+ 
++	if (spp > (0x7fffffff / tilew))
++	{
++		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++		return 0;
++	}
++	iskew = imagew - tilew*spp;
+ 	tilebuf = _TIFFmalloc(tilesize);
+ 	if (tilebuf == 0)
+ 		return 0;
+-- 
+2.21.0
+
+
+From 7cc76e9bc40bc8eb329a718ab26ecef7dd1afd94 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 21:42:03 +0100
+Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
+
+---
+ tools/tiffcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index f0ee2c029..8c81aa4f2 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -41,6 +41,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ #include <ctype.h>
+ 
+@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 	uint32 row;
+ 	uint16 bps = 0, bytes_per_sample;
+ 
+-	if (spp > (0x7fffffff / tilew))
++	if (spp > (INT_MAX / tilew))
+ 	{
+ 		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ 		return 0;
+-- 
+2.21.0
+
diff --git a/media-libs/tiff/tiff-4.0.10-r1.ebuild b/media-libs/tiff/tiff-4.0.10-r1.ebuild
new file mode 100644
index 000000000000..b6af817e8800
--- /dev/null
+++ b/media-libs/tiff/tiff-4.0.10-r1.ebuild
@@ -0,0 +1,86 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools libtool multilib-minimal
+
+DESCRIPTION="Tag Image File Format (TIFF) library"
+HOMEPAGE="http://libtiff.maptools.org"
+SRC_URI="https://download.osgeo.org/libtiff/${P}.tar.gz"
+
+LICENSE="libtiff"
+SLOT="0"
+KEYWORDS="alpha amd64 ~arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~riscv s390 ~sh sparc x86 ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+cxx jbig jpeg lzma static-libs test webp zlib zstd"
+
+RDEPEND="
+	jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] )
+	jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] )
+	lzma? ( >=app-arch/xz-utils-5.0.5-r1[${MULTILIB_USEDEP}] )
+	webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+	zstd? ( >=app-arch/zstd-1.3.7-r1:=[${MULTILIB_USEDEP}] )
+"
+DEPEND="${RDEPEND}"
+
+REQUIRED_USE="test? ( jpeg )" #483132
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
+	"${FILESDIR}"/${PN}-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
+	"${FILESDIR}"/${PN}-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
+	"${FILESDIR}"/${PN}-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
+	"${FILESDIR}"/${PN}-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
+)
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/tiffconf.h
+)
+
+src_prepare() {
+	default
+
+	# tiffcp-thumbnail.sh fails as thumbnail binary doesn't get built anymore since tiff-4.0.7
+	sed '/tiffcp-thumbnail\.sh/d' -i test/Makefile.am || die
+
+	eautoreconf
+}
+
+multilib_src_configure() {
+	local myeconfargs=(
+		--without-x
+		--with-docdir="${EPREFIX}"/usr/share/doc/${PF}
+		$(use_enable cxx)
+		$(use_enable jbig)
+		$(use_enable jpeg)
+		$(use_enable lzma)
+		$(use_enable static-libs static)
+		$(use_enable webp)
+		$(use_enable zlib)
+		$(use_enable zstd)
+	)
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+
+	# remove useless subdirs
+	if ! multilib_is_native_abi ; then
+		sed -i \
+			-e 's/ tools//' \
+			-e 's/ contrib//' \
+			-e 's/ man//' \
+			-e 's/ html//' \
+			Makefile || die
+	fi
+}
+
+multilib_src_test() {
+	if ! multilib_is_native_abi ; then
+		emake -C tools
+	fi
+	emake check
+}
+
+multilib_src_install_all() {
+	find "${ED}" -name '*.la' -delete || die
+	rm "${ED}"/usr/share/doc/${PF}/{COPYRIGHT,README*,RELEASE-DATE,TODO,VERSION} || die
+}
-- 
cgit v1.2.3