Package: tiff / 4.0.10-4

Metadata

Package: tiff
Version: 4.0.10-4
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
fix_TIFFReadRawStrip_man_page_typo.patch

html/man/TIFFReadRawStrip.3tiff.html | 2 1 + 1 - 0 !
man/TIFFReadRawStrip.3tiff | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 fix TIFFReadRawStrip man page typo
 Change TIFFReadEncodedStrip to TIFFReadRawStrip as needed.
fixed_lossless_webp_compression_config.patch

libtiff/tif_webp.c | 25 16 + 9 - 0 !
1 file changed, 16 insertions(+), 9 deletions(-)

 [patch] fixed lossless webp compression config


CVE 2018 12900_part1.patch

tools/tiffcp.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch] prevent integer overflow


CVE 2018 12900_part2.patch

tools/tiffcp.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] not bitspersample, but sampleperpixel


CVE 2018 17000.patch

libtiff/tif_dirwrite.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 [patch] TIFFWriteDirectoryTagTransferfunction(): fix NULL
 dereferencing

http://bugzilla.maptools.org/show_bug.cgi?id=2833

We must check the pointer is not NULL before memcmp() the memory.

CVE 2018 19210_part1.patch

libtiff/tif_dir.c | 22 22 + 0 - 0 !
1 file changed, 22 insertions(+)

 [patch] tif_dir: unset transferfunction field if necessary

The number of entries in the transfer table is determined as follows:

(td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1

This means that whenever td->td_samplesperpixel or td->td_extrasamples is
modified we also need to make sure that the number of required entries in
the transfer table didn't change.

If it changed and the number of entries is higher than before we should
invalidate the transfer table field and free previously allocated values.
In the other case there's nothing to do, additional tf entries won't harm
and properly written code will just ignore them since spp - es < 1.

For instance this situation might happen when reading an OJPEG compressed
image with missing SamplesPerPixel tag. In this case the SamplesPerPixel
field might be updated after setting the transfer table.

See http://bugzilla.maptools.org/show_bug.cgi?id=2500

This commit addresses CVE-2018-19210.

CVE 2018 19210_part2.patch

libtiff/tif_dir.c | 28 16 + 12 - 0 !
1 file changed, 16 insertions(+), 12 deletions(-)

 [patch] fix warning (use of uninitialized value) added per
 d0a842c5dbad2609aed43c701a12ed12461d3405 (fixes
 https://gitlab.com/libtiff/libtiff/merge_requests/54#note_137742985)


CVE 2019 6128.patch

tools/pal2rgb.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 [patch] fix for simple memory leak that was assigned CVE-2019-6128.

pal2rgb failed to free memory on a few errors. This was reported
here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.