author | A. Wilcox <awilcox@wilcox-tech.com> | 2019-06-21 23:38:53 +0000 |
---|---|---|
committer | A. Wilcox <awilcox@wilcox-tech.com> | 2019-06-21 23:38:53 +0000 |
commit | fd45ed897742614bd2867cb46578557beb820026 (patch) | |
tree | 8eaa82bc50ad1a89272b146743ec1544163d48f3 /user | |
parent | 86d0de126ffdebdb8cee9581ce51c16a6f20b58b (diff) | |
parent | 332e0a40fabc1c4047a631273e5d5df46cbf4bb2 (diff) | |
Merge branch 'cve' into 'master'
CVE bumps: part one
See merge request !249
Diffstat (limited to 'user')
-rw-r--r-- | user/cairo/APKBUILD | 13 | ||||
-rw-r--r-- | user/cairo/CVE-2018-19876.patch | 30 | ||||
-rw-r--r-- | user/flac/APKBUILD | 15 | ||||
-rw-r--r-- | user/flac/CVE-2017-6888.patch | 27 | ||||
-rw-r--r-- | user/libice/APKBUILD | 20 | ||||
-rw-r--r-- | user/libice/CVE-2017-2626.patch | 142 | ||||
-rw-r--r-- | user/libssh2/APKBUILD | 40 | ||||
-rw-r--r-- | user/postgresql/APKBUILD | 31 | ||||
-rw-r--r-- | user/tiff/APKBUILD | 13 | ||||
-rw-r--r-- | user/tiff/CVE-2019-6128.patch | 49 | ||||
-rw-r--r-- | user/tiff/CVE-2019-7663.patch | 37 |
11 files changed, 343 insertions, 74 deletions
diff --git a/user/cairo/APKBUILD b/user/cairo/APKBUILD index 36e88f395..bfb290d7b 100644 --- a/user/cairo/APKBUILD +++ b/user/cairo/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: pkgname=cairo pkgver=1.16.0 -pkgrel=0 +pkgrel=1 pkgdesc="A vector graphics library" url="https://cairographics.org/" arch="all" @@ -18,10 +18,14 @@ _ultver="2016-04-23" source="https://cairographics.org/releases/$pkgname-$pkgver.tar.xz fontconfig-ultimate-$_ultver.tar.gz::https://github.com/bohoomil/fontconfig-ultimate/archive/$_ultver.tar.gz musl-stacksize.patch + CVE-2018-19876.patch " +# secfixes: +# 1.16.0-r1: +# - CVE-2018-19876 + prepare() { - cd "$builddir" default_prepare # infinality @@ -32,7 +36,6 @@ prepare() { } build() { - cd "$builddir" autoreconf -vif ./configure \ --build=$CBUILD \ @@ -58,7 +61,6 @@ build() { } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } @@ -78,4 +80,5 @@ tools() { sha512sums="9eb27c4cf01c0b8b56f2e15e651f6d4e52c99d0005875546405b64f1132aed12fbf84727273f493d84056a13105e065009d89e94a8bfaf2be2649e232b82377f cairo-1.16.0.tar.xz d8185f4ec74f44c4746acf7e79bba7ff7ffd9d35bdabeb25e10b4e12825942d910931aa857f1645e5c8185bcb40a1f1ffe1e7e647428e9ea66618b2aec52fac3 fontconfig-ultimate-2016-04-23.tar.gz -86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0 musl-stacksize.patch" +86f26fe41deb5e14f553c999090d1ec1d92a534fa7984112c9a7f1d6c6a8f1b7bb735947e8ec3f26e817f56410efe8cc46c5e682f6a278d49b40a683513740e0 musl-stacksize.patch +9020c596caa54a2ac435d5dae0f121d36d3c3f34d487b9c1032665b1bd15813506adf31984e34b5dd328ee0e068de0627e1d061230758328cae4fa993c3a9209 CVE-2018-19876.patch" diff --git a/user/cairo/CVE-2018-19876.patch b/user/cairo/CVE-2018-19876.patch new file mode 100644 index 000000000..33731e4fc --- /dev/null +++ b/user/cairo/CVE-2018-19876.patch 
@@ -0,0 +1,30 @@ +From 90e85c2493fdfa3551f202ff10282463f1e36645 Mon Sep 17 00:00:00 2001 +From: Carlos Garcia Campos <cgarcia@igalia.com> +Date: Mon, 19 Nov 2018 12:33:07 +0100 +Subject: [PATCH] ft: Use FT_Done_MM_Var instead of free when available in + cairo_ft_apply_variations + +Fixes a crash when using freetype >= 2.9 +--- + src/cairo-ft-font.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c +index 325dd61b4..981973f78 100644 +--- a/src/cairo-ft-font.c ++++ b/src/cairo-ft-font.c +@@ -2393,7 +2393,11 @@ skip: + done: + free (coords); + free (current_coords); ++#if HAVE_FT_DONE_MM_VAR ++ FT_Done_MM_Var (face->glyph->library, ft_mm_var); ++#else + free (ft_mm_var); ++#endif + } + } + +-- +2.21.0 + diff --git a/user/flac/APKBUILD b/user/flac/APKBUILD index 0588e8fc2..363d5b3ac 100644 --- a/user/flac/APKBUILD +++ b/user/flac/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=flac pkgver=1.3.2 -pkgrel=2 +pkgrel=3 pkgdesc="Free Lossless Audio Codec" url="https://xiph.org/flac/" arch="all" @@ -11,11 +11,13 @@ subpackages="$pkgname-dev $pkgname-doc" depends= makedepends="libogg-dev" source="https://downloads.xiph.org/releases/flac/flac-${pkgver}.tar.xz - " + CVE-2017-6888.patch" -build() { - cd "$builddir" +# secfixes: +# 1.3.2-r3: +# - CVE-2017-6888 +build() { local _arch_conf case "${CARCH}" in ppc*) _arch_conf="--enable-altivec" ;; 
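Review bot: The fix in `cairo_ft_apply_variations` only takes effect if the build defines `HAVE_FT_DONE_MM_VAR`; this patch touches `src/cairo-ft-font.c` alone, so with the macro undefined the `#else` branch silently keeps the original `free (ft_mm_var)` path. Whether cairo 1.16.0's configure already checks for `FT_Done_MM_Var` is not visible here, so it is worth confirming in the generated `config.h` of a test build that the macro is set against the packaged freetype. A comment next to the patch entry in the APKBUILD, e.g. `# CVE-2018-19876.patch relies on configure detecting FT_Done_MM_Var`, would record that dependency. The enclosing function body lies outside the hunk.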
@@ -37,16 +39,15 @@ build() { } check() { - cd "$builddir" make check } package() { - cd "$builddir" make DESTDIR="$pkgdir" install install -Dm0644 COPYING.Xiph \ "$pkgdir"/usr/share/licenses/$pkgname/COPYING.Xiph } -sha512sums="63910e8ebbe508316d446ffc9eb6d02efbd5f47d29d2ea7864da9371843c8e671854db6e89ba043fe08aef1845b8ece70db80f1cce853f591ca30d56ef7c3a15 flac-1.3.2.tar.xz" +sha512sums="63910e8ebbe508316d446ffc9eb6d02efbd5f47d29d2ea7864da9371843c8e671854db6e89ba043fe08aef1845b8ece70db80f1cce853f591ca30d56ef7c3a15 flac-1.3.2.tar.xz +ea241ba68a4e8d91d5db555ec8c459cff48ad8c3de511d0a92d4feb8b946a2173422015fdc9604240035ef315132fe4062ab3e6d4bc2d79aa1aed18defa32301 CVE-2017-6888.patch" diff --git a/user/flac/CVE-2017-6888.patch b/user/flac/CVE-2017-6888.patch new file mode 100644 index 000000000..080160bfb --- /dev/null +++ b/user/flac/CVE-2017-6888.patch @@ -0,0 +1,27 @@ +From 4f47b63e9c971e6391590caf00a0f2a5ed612e67 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo <erikd@mega-nerd.com> +Date: Sat, 8 Apr 2017 18:34:49 +1000 +Subject: [PATCH] stream_decoder.c: Fix a memory leak + +Leak reported by Secunia Research. +--- + src/libFLAC/stream_decoder.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c +index 14d5fe7f..a5527511 100644 +--- a/src/libFLAC/stream_decoder.c ++++ b/src/libFLAC/stream_decoder.c +@@ -1753,6 +1753,9 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre + } + memset (obj->comments[i].entry, 0, obj->comments[i].length) ; + if (!FLAC__bitreader_read_byte_block_aligned_no_crc(decoder->private_->input, obj->comments[i].entry, obj->comments[i].length)) { ++ /* Current i-th entry is bad, so we delete it. */ ++ free (obj->comments[i].entry) ; ++ obj->comments[i].entry = NULL ; + obj->num_comments = i; + goto skip; + } +-- +2.11.0 + diff --git a/user/libice/APKBUILD b/user/libice/APKBUILD index 8d2fea498..1ea5a767f 100644 --- a/user/libice/APKBUILD 
+++ b/user/libice/APKBUILD @@ -1,19 +1,28 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libice pkgver=1.0.9 -pkgrel=3 +pkgrel=4 pkgdesc="X11 Inter-Client Exchange library" url="https://www.X.Org/" arch="all" license="MIT" depends= -makedepends="util-macros xmlto xorgproto-dev xtrans" +makedepends="libbsd-dev util-macros xmlto xorgproto-dev xtrans" checkdepends="check-dev" subpackages="$pkgname-dev $pkgname-doc" -source="https://www.X.Org/releases/individual/lib/libICE-$pkgver.tar.bz2" - +source="https://www.X.Org/releases/individual/lib/libICE-$pkgver.tar.bz2 + CVE-2017-2626.patch" builddir="$srcdir/libICE-$pkgver" +# secfixes: +# 1.0.9-r4: +# - CVE-2017-2626 + +prepare() { + default_prepare + autoreconf -vif +} + build() { cd "$builddir" ./configure \ @@ -38,4 +47,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="daa8126ee5279c08f801274a2754132762dea2a40f4733c4b0bf8e8bdad61cba826939a2e067beb3524e256a98a2b83f23c8d4643f3e75a284ab02cc73da41b7 libICE-1.0.9.tar.bz2" +sha512sums="daa8126ee5279c08f801274a2754132762dea2a40f4733c4b0bf8e8bdad61cba826939a2e067beb3524e256a98a2b83f23c8d4643f3e75a284ab02cc73da41b7 libICE-1.0.9.tar.bz2 +83e53a4b48c429c7fad8f4feba1b9261e1ff26d995a729e7d38f1aac29cf5f69ffeb83a1733f3e624b09ae0ee97f09be8380ab0d59fb51436e1b537461a6943c CVE-2017-2626.patch" diff --git a/user/libice/CVE-2017-2626.patch b/user/libice/CVE-2017-2626.patch new file mode 100644 index 000000000..ea2d8835b --- /dev/null +++ b/user/libice/CVE-2017-2626.patch 
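Review bot: The new `prepare()` runs `autoreconf -vif`, but `makedepends` gains only `libbsd-dev`; unless the base build environment already provides autoconf, automake and libtool, a clean build will fail at that step. user/tiff/APKBUILD in this same commit lists them explicitly, so the consistent form would be `makedepends="autoconf automake libbsd-dev libtool util-macros xmlto xorgproto-dev xtrans"`. Separately, the description of the patch says it avoids pulling in libbsd while this APKBUILD adds it; if the intent is to prefer libbsd's implementation, a comment such as `# libbsd provides arc4random_buf, preferred over the getentropy fallback` would make that clear.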
@@ -0,0 +1,142 @@
+From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Date: Tue, 4 Apr 2017 19:12:53 +0200
+Subject: Use getentropy() if arc4random_buf() is not available
+
+This allows to fix CVE-2017-2626 on Linux platforms without pulling in
+libbsd.
+The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
+For Linux, we need at least a v3.17 kernel. If the recommended
+arc4random_buf() function is not available, emulate it by first trying
+to use getentropy() on a supported glibc and kernel. If the call fails,
+fall back to the current (partly vulnerable) code.
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
+Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ configure.ac | 2 +-
+ src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 47 insertions(+), 20 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 458882a..c971ab6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type])
+
+ # Checks for library functions.
+ AC_CHECK_LIB([bsd], [arc4random_buf])
+-AC_CHECK_FUNCS([asprintf arc4random_buf])
++AC_CHECK_FUNCS([asprintf arc4random_buf getentropy])
+
+ # Allow checking code with lint, sparse, etc.
+ XORG_WITH_LINT
+diff --git a/src/iceauth.c b/src/iceauth.c
+index ed31683..de4785b 100644
+--- a/src/iceauth.c
++++ b/src/iceauth.c
+@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium
+
+ static int was_called_state;
+
+-/*
+- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
+- * the SI. It is not part of standard ICElib.
+- */
++#ifndef HAVE_ARC4RANDOM_BUF
+
+-
+-char *
+-IceGenerateMagicCookie (
++static void
++emulate_getrandom_buf (
++ char *auth,
+ int len
+ )
+ {
+- char *auth;
+-#ifndef HAVE_ARC4RANDOM_BUF
+ long ldata[2];
+ int seed;
+ int value;
+ int i;
+-#endif
+
+- if ((auth = malloc (len + 1)) == NULL)
+- return (NULL);
+-
+-#ifdef HAVE_ARC4RANDOM_BUF
+- arc4random_buf(auth, len);
+-#else
+ #ifdef ITIMER_REAL
+ {
+ struct timeval now;
+@@ -76,13 +64,13 @@ IceGenerateMagicCookie (
+ ldata[0] = now.tv_sec;
+ ldata[1] = now.tv_usec;
+ }
+-#else
++#else /* ITIMER_REAL */
+ {
+ long time ();
+ ldata[0] = time ((long *) 0);
+ ldata[1] = getpid ();
+ }
+-#endif
++#endif /* ITIMER_REAL */
+ seed = (ldata[0]) + (ldata[1] << 16);
+ srand (seed);
+ for (i = 0; i < len; i++)
+@@ -90,7 +78,46 @@ IceGenerateMagicCookie (
+ value = rand ();
+ auth[i] = value & 0xff;
+ }
+-#endif
++}
++
++static void
++arc4random_buf (
++ char *auth,
++ int len
++)
++{
++ int ret;
++
++#if HAVE_GETENTROPY
++ /* weak emulation of arc4random through the entropy libc */
++ ret = getentropy (auth, len);
++ if (ret == 0)
++ return;
++#endif /* HAVE_GETENTROPY */
++
++ emulate_getrandom_buf (auth, len);
++}
++
++#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
++
++/*
++ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
++ * the SI. It is not part of standard ICElib.
++ */
++
++
++char *
++IceGenerateMagicCookie (
++ int len
++)
++{
++ char *auth;
++
++ if ((auth = malloc (len + 1)) == NULL)
++ return (NULL);
++
++ arc4random_buf (auth, len);
++
+ auth[len] = '\0';
+ return (auth);
+ }
+--
+cgit v1.1
+
diff --git a/user/libssh2/APKBUILD b/user/libssh2/APKBUILD
deleted file mode 100644
index cb6e11f97..000000000
--- a/user/libssh2/APKBUILD
+++ /dev/null
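Review bot: In the added `arc4random_buf` emulation, a non-zero return from `getentropy (auth, len)` falls through silently to `emulate_getrandom_buf`, which seeds `rand()` from the clock (or time and pid); the patch description itself calls that path "partly vulnerable". getentropy() rejects requests larger than 256 bytes, so a large `len` would always end up on the weak path. With libbsd-dev added to makedepends the configure check presumably defines `HAVE_ARC4RANDOM_BUF` and this block compiles out, which should be confirmed in `config.h` of a test build. At minimum I would add above the fallback call `/* WARNING: rand()-based fallback is predictable; reached only when getentropy() fails */`.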
@@ -1,40 +0,0 @@
-# Contributor: William Pitcock <nenolod@dereferenced.org>
-# Maintainer:
-pkgname=libssh2
-pkgver=1.8.2
-pkgrel=0
-pkgdesc="Library for accessing SSH servers"
-url="https://libssh2.org/"
-arch="all"
-options="!check" # Requires deprecated UsePrivilegeSeparation option.
-license="BSD-3-Clause"
-makedepends_host="openssl-dev zlib-dev"
-subpackages="$pkgname-dev $pkgname-doc"
-source="https://libssh2.org/download/libssh2-$pkgver.tar.gz"
-
-build() {
- cd "$builddir"
- ./configure \
- --build=$CBUILD \
- --host=$CHOST \
- --prefix=/usr \
- --sysconfdir=/etc \
- --mandir=/usr/share/man \
- --infodir=/usr/share/info \
- --localstatedir=/var \
- --with-libssl-prefix="${CBUILDROOT}"/usr \
- --disable-rpath
- make
-}
-
-check() {
- cd "$builddir"
- make check
-}
-
-package() {
- cd "$builddir"
- make DESTDIR="$pkgdir" install
-}
-
-sha512sums="390ab4ad93bb738415ec11a6eb92806c9b9e9e5d8ee7c442d841a58b4292c1c447a9bc99e153ba464e2e11f9c0d1913469303598c3046722d1ae821991e8cb93 libssh2-1.8.2.tar.gz"
diff --git a/user/postgresql/APKBUILD b/user/postgresql/APKBUILD
index 7fed2351e..996168875 100644
--- a/user/postgresql/APKBUILD
+++ b/user/postgresql/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: Jakub Jirutka <jakub@jirutka.cz>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=postgresql
-pkgver=10.5
+pkgver=10.8
 pkgrel=0
 pkgdesc="Featureful object-relational database system (RDBMS)"
 url="https://www.postgresql.org/"
@@ -35,23 +35,26 @@ source="https://ftp.postgresql.org/pub/source/v$pkgver/$pkgname-$pkgver.tar.bz2 # secfixes: # 9.6.4-r0: -# - CVE-2017-7546 -# - CVE-2017-7547 -# - CVE-2017-7548 +# - CVE-2017-7546 +# - CVE-2017-7547 +# - CVE-2017-7548 # 9.6.3-r0: -# - CVE-2017-7484 -# - CVE-2017-7485 -# - CVE-2017-7486 +# - CVE-2017-7484 +# - CVE-2017-7485 +# - CVE-2017-7486 # 10.1-r0: -# - CVE-2017-15098 -# - CVE-2017-15099 +# - CVE-2017-15098 +# - CVE-2017-15099 # 10.2-r0: -# - CVE-2018-1052 -# - CVE-2018-1053 +# - CVE-2018-1052 +# - CVE-2018-1053 # 10.3-r0: -# - CVE-2018-1058 +# - CVE-2018-1058 # 10.4-r0: -# - CVE-2018-1115 +# - CVE-2018-1115 +# 10.8-r0: +# - CVE-2018-16850 +# - CVE-2019-10130 prepare() { default_prepare @@ -249,7 +252,7 @@ _submv() { done } -sha512sums="1bad30ae88beca66f7e8b99b82e7f02aac1e9230b328e6e5a762a704cdd9dc767d924f5a66c68c93586badfef91b7ff336120a567ce970eaa58bb44c662ad48c postgresql-10.5.tar.bz2 +sha512sums="c9cd0298f553e13e32d4315e17e9e61c1fd011391c5203282d9040f26fd08c85f749e6f2cea3bcc42d1ca153a1272bcd773196ef3bf2bdfb74cd12c5f523b7ca postgresql-10.8.tar.bz2 1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch 5f9d8bb4957194069d01af8ab3abc6d4d83a7e7f8bd7ebe1caae5361d621a3e58f91b14b952958138a794e0a80bc154fbb7e3e78d211e2a95b9b7901335de854 perl-rpath.patch 8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch diff --git a/user/tiff/APKBUILD b/user/tiff/APKBUILD index 7bb89ee3e..c3f0590f9 100644 --- a/user/tiff/APKBUILD +++ b/user/tiff/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=tiff pkgver=4.0.10 -pkgrel=0 +pkgrel=1 pkgdesc="Library to read, create, and manipulate TIFF image files" url="http://www.libtiff.org/" arch="all" 
@@ -13,8 +13,13 @@ depends_dev="zlib-dev libjpeg-turbo-dev" makedepends="libtool autoconf automake $depends_dev" subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz + CVE-2019-6128.patch + CVE-2019-7663.patch " -# secfixes: +# secfixes: libtiff +# 4.0.10-r1: +# - CVE-2019-6128 +# - CVE-2019-7663 # 4.0.9-r1: # - CVE-2017-18013 # 4.0.9-r0: @@ -64,4 +69,6 @@ tools() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz" +sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz +8dc336e6c863524e3622f61ec6583eebe13fde55649cd8c812e3f6752242a23ff72cfb680dfcbe47d1503a058f5f9001415ae112220729e4ab50fe81190e327e CVE-2019-6128.patch +6fb7e9aa0afbae96fd6e78c2401262e496f5d62980ea02712bc43f8749341d030df3625f10413f5ed3e130e88d609c2374ae69807a1f9e54ed91cbd8411aab62 CVE-2019-7663.patch" diff --git a/user/tiff/CVE-2019-6128.patch b/user/tiff/CVE-2019-6128.patch new file mode 100644 index 000000000..1b15b6f01 --- /dev/null +++ b/user/tiff/CVE-2019-6128.patch 
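Review bot: The secfixes header changes from `# secfixes:` to `# secfixes: libtiff`, while every other APKBUILD touched in this commit keeps the bare `# secfixes:` line. Any tool that matches that header exactly when building the security database may skip this package's entries, including the two CVEs added here. I would keep the line as `# secfixes:` unless the suffix is a documented convention in this tree.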
@@ -0,0 +1,49 @@
+From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Wed, 23 Jan 2019 15:03:53 -0500
+Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
+
+pal2rgb failed to free memory on a few errors. This was reported
+here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
+---
+ tools/pal2rgb.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01d8502e..9492f1cf 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ shortv != PHOTOMETRIC_PALETTE) {
+ fprintf(stderr, "%s: Expecting a palette image.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ fprintf(stderr,
+ "%s: No colormap (not a valid palette image).\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ if (bitspersample != 8) {
+ fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ out = TIFFOpen(argv[optind+1], "w");
+- if (out == NULL)
++ if (out == NULL) {
++ (void) TIFFClose(in);
+ return (-2);
++ }
+ cpTags(in, out);
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
+--
+2.21.0
+
diff --git a/user/tiff/CVE-2019-7663.patch b/user/tiff/CVE-2019-7663.patch
new file mode 100644
index 000000000..8049566c6
--- /dev/null
+++ b/user/tiff/CVE-2019-7663.patch
@@ -0,0 +1,37 @@
+From 802d3cbf3043be5dce5317e140ccb1c17a6a2d39 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 29 Jan 2019 11:21:47 +0100
+Subject: [PATCH] TIFFWriteDirectoryTagTransferfunction() : fix NULL
+ dereferencing
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2833
+
+we must check the pointer is not NULL before memcmp() the memory
+---
+ libtiff/tif_dirwrite.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index c15a28db..ef30c869 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
+ n=3;
+ if (n==3)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[2] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ n=2;
+ }
+ if (n==2)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[1] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ n=1;
+ }
+ if (n==0)
+--
+2.21.0
+
|
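Review bot: The added NULL checks cover `td_transferfunction[2]` and `td_transferfunction[1]`, but both `_TIFFmemcmp` calls still read `td_transferfunction[0]` unchecked, so a NULL first entry would reach the same kind of dereference. Whether slot 0 can be NULL here depends on code before the hunk (TIFFWriteDirectoryTagTransferfunction starts and ends outside it), so this may already be guaranteed by the caller. If it is, a comment above the `n==3` test such as `/* td_transferfunction[0] is non-NULL whenever this tag is written */` would document the assumption the fix relies on; if it is not, slot 0 needs the same guard.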