commit b049fc6c70f8409810706e7da318f82cb78d3ba2 Author: Fredrik Rinnestam <fredrik@crux.nu> Date: Tue Aug 27 18:51:52 2013 +0200 [notify] libtiff: patched for CVE-2013-4244 diff --git a/libtiff/.md5sum b/libtiff/.md5sum index 40fe639..502f704 100644 --- a/libtiff/.md5sum +++ b/libtiff/.md5sum @@ -1,3 +1,4 @@ 6c1189a715708edc8ba926977b33895f gif2tiff-buffer-overflow.patch +2c0dabc854c95e7453fc56d2fd50a503 lzw-oob-write.patch 051c1068e6a0627f461948c365290410 tiff-4.0.3.tar.gz 35aee7eea6949c2d26ffa52872991115 tiff2pdf_use-after-free.patch diff --git a/libtiff/Pkgfile b/libtiff/Pkgfile index 6e9a6cd..fa8a104 100644 --- a/libtiff/Pkgfile +++ b/libtiff/Pkgfile @@ -1,18 +1,20 @@ # Description: Library for manipulation of TIFF (Tag Image File Format) images -# URL: http://libtiff.maptools.org/ +# URL: http://www.remotesensing.org/libtiff/ # Maintainer: Fredrik Rinnestam, fredrik at crux dot nu # Depends on: libjpeg, zlib name=libtiff version=4.0.3 -release=2 +release=3 source=(http://download.osgeo.org/libtiff/tiff-$version.tar.gz \ - gif2tiff-buffer-overflow.patch tiff2pdf_use-after-free.patch) + gif2tiff-buffer-overflow.patch tiff2pdf_use-after-free.patch lzw-oob-write.patch) build() { cd tiff-$version patch -d tools -p0 -i $SRC/tiff2pdf_use-after-free.patch patch -d tools -p0 -i $SRC/gif2tiff-buffer-overflow.patch + patch -d tools -p0 -i $SRC/lzw-oob-write.patch + ./configure --prefix=/usr --mandir=/usr/man make make DESTDIR=$PKG install diff --git a/libtiff/lzw-oob-write.patch b/libtiff/lzw-oob-write.patch new file mode 100644 index 0000000..674afc6 --- /dev/null +++ b/libtiff/lzw-oob-write.patch @@ -0,0 +1,18 @@ +Index: gif2tiff.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/gif2tiff.c,v +retrieving revision 1.12 +diff -u -r1.12 gif2tiff.c +--- gif2tiff.c 15 Dec 2010 00:22:44 -0000 1.12 ++++ gif2tiff.c 14 Aug 2013 04:28:07 -0000 +@@ -398,6 +398,10 @@ + } + + if (oldcode == -1) { ++ if (code >= clear) { ++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear); ++ return 0; ++ } + *(*fill)++ = suffix[code]; + firstchar = oldcode = code; + return 1;