| 1 |
rbu 08/08/26 14:51:21 |
| 2 |
|
| 3 |
Added: tiff-3.8.2-CVE-2008-2327.patch |
| 4 |
Log: |
| 5 |
+ Fix buffer underflow in LZW encoding (CVE-2008-2327), straight to stable for |
| 6 |
+ alpha amd64 hppa ppc64 x86 (seccurity bug #234080) |
| 7 |
(Portage version: 2.2_rc8/cvs/Linux 2.6.27-rc4-git1 x86_64, RepoMan options: --force) |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.1 media-libs/tiff/files/tiff-3.8.2-CVE-2008-2327.patch |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/tiff/files/tiff-3.8.2-CVE-2008-2327.patch?rev=1.1&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/tiff/files/tiff-3.8.2-CVE-2008-2327.patch?rev=1.1&content-type=text/plain |
| 14 |
|
| 15 |
Index: tiff-3.8.2-CVE-2008-2327.patch |
| 16 |
=================================================================== |
| 17 |
Fixes security issues in libTIFF's handling of LZW-encoded |
| 18 |
images. The use of uninitialized data could lead to a buffer |
| 19 |
underflow and a crash or arbitrary code execution. |
| 20 |
|
| 21 |
CVE-ID: CVE-2008-2327 |
| 22 |
Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080 |
| 23 |
|
| 24 |
Index: tiff-3.8.2/libtiff/tif_lzw.c |
| 25 |
=================================================================== |
| 26 |
--- tiff-3.8.2.orig/libtiff/tif_lzw.c |
| 27 |
+++ tiff-3.8.2/libtiff/tif_lzw.c |
| 28 |
@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif) |
| 29 |
sp->dec_codetab[code].length = 1; |
| 30 |
sp->dec_codetab[code].next = NULL; |
| 31 |
} while (code--); |
| 32 |
+ /* |
| 33 |
+ * Zero-out the unused entries |
| 34 |
+ */ |
| 35 |
+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, |
| 36 |
+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); |
| 37 |
+ |
| 38 |
} |
| 39 |
return (1); |
| 40 |
} |
| 41 |
@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize |
| 42 |
break; |
| 43 |
if (code == CODE_CLEAR) { |
| 44 |
free_entp = sp->dec_codetab + CODE_FIRST; |
| 45 |
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); |
| 46 |
nbits = BITS_MIN; |
| 47 |
nbitsmask = MAXCODE(BITS_MIN); |
| 48 |
maxcodep = sp->dec_codetab + nbitsmask-1; |
| 49 |
NextCode(tif, sp, bp, code, GetNextCode); |
| 50 |
if (code == CODE_EOI) |
| 51 |
break; |
| 52 |
+ if (code == CODE_CLEAR) { |
| 53 |
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, |
| 54 |
+ "LZWDecode: Corrupted LZW table at scanline %d", |
| 55 |
+ tif->tif_row); |
| 56 |
+ return (0); |
| 57 |
+ } |
| 58 |
*op++ = (char)code, occ--; |
| 59 |
oldcodep = sp->dec_codetab + code; |
| 60 |
continue; |
| 61 |
@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, |
| 62 |
break; |
| 63 |
if (code == CODE_CLEAR) { |
| 64 |
free_entp = sp->dec_codetab + CODE_FIRST; |
| 65 |
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); |
| 66 |
nbits = BITS_MIN; |
| 67 |
nbitsmask = MAXCODE(BITS_MIN); |
| 68 |
maxcodep = sp->dec_codetab + nbitsmask; |
| 69 |
NextCode(tif, sp, bp, code, GetNextCodeCompat); |
| 70 |
if (code == CODE_EOI) |
| 71 |
break; |
| 72 |
+ if (code == CODE_CLEAR) { |
| 73 |
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, |
| 74 |
+ "LZWDecode: Corrupted LZW table at scanline %d", |
| 75 |
+ tif->tif_row); |
| 76 |
+ return (0); |
| 77 |
+ } |
| 78 |
*op++ = code, occ--; |
| 79 |
oldcodep = sp->dec_codetab + code; |
| 80 |
continue; |
Archives