diff options
author | James Meyer <james.meyer@operamail.com> | 2009-08-01 03:14:54 (GMT) |
---|---|---|
committer | James Meyer <james.meyer@operamail.com> | 2009-08-01 03:14:54 (GMT) |
commit | 7b35632e80f168d8c5f2220bf610ee7e24b81270 (patch) | |
tree | 8facf3fa565911f056a08e38f6a5eed0f756f9c6 /abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch | |
parent | 7e10f51870aa10be3b35d7912a7b54e30f608bb8 (diff) | |
parent | 7accc0f042acdfdca9f067b1d4011d6ac01b1a74 (diff) | |
download | linhes_pkgbuild-7b35632e80f168d8c5f2220bf610ee7e24b81270.zip linhes_pkgbuild-7b35632e80f168d8c5f2220bf610ee7e24b81270.tar.gz linhes_pkgbuild-7b35632e80f168d8c5f2220bf610ee7e24b81270.tar.bz2 |
Merge branch 'HEAD' of ssh://jams@knoppmyth.net/mount/repository/LinHES-PKGBUILD
Conflicts:
abs/core-testing/LinHES-config/PKGBUILD
Diffstat (limited to 'abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch')
-rw-r--r-- | abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch b/abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch new file mode 100644 index 0000000..e6d74a6 --- /dev/null +++ b/abs/core-testing/libtiff/tiff-3.8.2-CVE-2008-2327.patch @@ -0,0 +1,64 @@ +Fixes security issues in libTIFF's handling of LZW-encoded +images. The use of uninitialized data could lead to a buffer +underflow and a crash or arbitrary code execution. + +CVE-ID: CVE-2008-2327 +Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080 + +Index: tiff-3.8.2/libtiff/tif_lzw.c +=================================================================== +--- tiff-3.8.2.orig/libtiff/tif_lzw.c ++++ tiff-3.8.2/libtiff/tif_lzw.c +@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif) + sp->dec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); ++ /* ++ * Zero-out the unused entries ++ */ ++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); ++ + } + return (1); + } +@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask-1; + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } + *op++ = (char)code, occ--; + oldcodep = sp->dec_codetab + code; + continue; +@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } + *op++ = code, occ--; + oldcodep = sp->dec_codetab + code; + continue; |