rbu 08/08/26 14:51:21 |
|
Added: tiff-3.8.2-CVE-2008-2327.patch |
Log: |
+ Fix buffer underflow in LZW encoding (CVE-2008-2327), straight to stable for |
+ alpha amd64 hppa ppc64 x86 (security bug #234080) |
(Portage version: 2.2_rc8/cvs/Linux 2.6.27-rc4-git1 x86_64, RepoMan options: --force) |
|
Revision Changes Path |
1.1 media-libs/tiff/files/tiff-3.8.2-CVE-2008-2327.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/tiff/files/tiff-3.8.2-CVE-2008-2327.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/tiff/files/tiff-3.8.2-CVE-2008-2327.patch?rev=1.1&content-type=text/plain |
|
Index: tiff-3.8.2-CVE-2008-2327.patch |
=================================================================== |
Fixes security issues in libTIFF's handling of LZW-encoded |
images. The use of uninitialized data could lead to a buffer |
underflow and a crash or arbitrary code execution. |
|
CVE-ID: CVE-2008-2327 |
Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080 |
|
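--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
 sp->dec_codetab[code].length = 1;
 sp->dec_codetab[code].next = NULL;
 } while (code--);
+ /*
+ * Zero-out the unused entries
+ */
+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
+
 }
 return (1);
 }
@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
 break;
 if (code == CODE_CLEAR) {
 free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
 nbits = BITS_MIN;
 nbitsmask = MAXCODE(BITS_MIN);
 maxcodep = sp->dec_codetab + nbitsmask-1;
 NextCode(tif, sp, bp, code, GetNextCode);
 if (code == CODE_EOI)
 break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
 *op++ = (char)code, occ--;
 oldcodep = sp->dec_codetab + code;
 continue;
@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
 break;
 if (code == CODE_CLEAR) {
 free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
 nbits = BITS_MIN;
 nbitsmask = MAXCODE(BITS_MIN);
 maxcodep = sp->dec_codetab + nbitsmask;
 NextCode(tif, sp, bp, code, GetNextCodeCompat);
 if (code == CODE_EOI)
 break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
 *op++ = code, occ--;
 oldcodep = sp->dec_codetab + code;
 continue;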
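Review bot: The guard added after the clear code in LZWDecode, and the identical one in LZWDecodeCompat, rejects only a repeated CODE_CLEAR, so any other non-literal code returned by NextCode still falls through to `*op++ = (char)code` and `oldcodep = sp->dec_codetab + code`. Such a code presumably indexes a table slot that the `_TIFFmemset` a few lines above has just zeroed, leaving oldcodep on an entry with no length or chain; how the rest of the loop uses oldcodep is outside these hunks. Since the first code after a clear should be a literal, consider widening the test in both functions to `if (code >= CODE_CLEAR) {` (CODE_EOI is already handled by the `break` just before it). The error text in LZWDecodeCompat could also name that function instead of `LZWDecode`, so a log line identifies which decoder rejected the stream. Both function bodies start and end outside the hunks shown.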