wok rev 9544

tiff: Patched overflows that could lead to aribitrary code execution when parsing a malformed image file. Thanks slackware for having this.
author Christopher Rogers <slaxemulator@gmail.com>
date Sat Apr 09 07:21:58 2011 +0000 (2011-04-09)
parents c3cd2c0689de
children d36e3f34f5c0
files linux/receipt tiff/receipt tiff/stuff/libtiff-CVE-2011-0192.patch tiff/stuff/libtiff-CVE-2011-1167.patch wxpython/receipt
line diff
     1.1 --- a/linux/receipt	Sat Apr 09 13:01:20 2011 +0200
     1.2 +++ b/linux/receipt	Sat Apr 09 07:21:58 2011 +0000
     1.3 @@ -1,13 +1,20 @@
     1.4  # SliTaz package receipt.
     1.5  
     1.6  PACKAGE="linux"
     1.7 -VERSION="2.6.37"
     1.8 +VERSION="2.6.37.6"
     1.9 +BASE_VERSION="${VERSION%.*}"
    1.10 +# the one below is when your using the newer base version
    1.11 +#BASE_VERSION="$VERSION"
    1.12  CATEGORY="base-system"
    1.13  SHORT_DESC="The Linux kernel and modules."
    1.14  DEPENDS="depmod"
    1.15 -BUILD_DEPENDS="slitaz-toolchain perl git lzma patch"
    1.16 +if [ "$BASE_VERSION" != "$VERSION" ]; then
    1.17 +	BUILD_DEPENDS="linux-patch perl git lzma patch"
    1.18 +else
    1.19 +	BUILD_DEPENDS="perl git lzma patch"
    1.20 +fi
    1.21  MAINTAINER="devel@slitaz.org"
    1.22 -TARBALL="$PACKAGE-$VERSION.tar.bz2"
    1.23 +TARBALL="$PACKAGE-$BASE_VERSION.tar.bz2"
    1.24  WEB_SITE="http://www.kernel.org/"
    1.25  WGET_URL="http://www.eu.kernel.org/pub/linux/kernel/v${VERSION:0:3}/$TARBALL"
    1.26  CONFIG_FILES="/lib/modules/$VERSION-slitaz/modules.dep"
    1.27 @@ -48,10 +55,10 @@
    1.28  		patch -p1 < $WOK/$PACKAGE/slitaz/$patch_file || { report close-bloc; return 1; }
    1.29  		touch done.$patch_file
    1.30  	done <<EOT
    1.31 -$PACKAGE-diff-$VERSION.u
    1.32 -$PACKAGE-unlzma-$VERSION.u
    1.33 -$PACKAGE-header-$VERSION.u
    1.34 -$PACKAGE-freeinitrd-$VERSION.u
    1.35 +$PACKAGE-diff-$BASE_VERSION.u
    1.36 +$PACKAGE-unlzma-$BASE_VERSION.u
    1.37 +$PACKAGE-header-$BASE_VERSION.u
    1.38 +$PACKAGE-freeinitrd-$BASE_VERSION.u
    1.39  aufs2-base.patch
    1.40  aufs2-standalone.patch
    1.41  001-squashfs-decompressors-add-xz-decompressor-module.patch
    1.42 @@ -68,7 +75,7 @@
    1.43  
    1.44  	report step "Make bzImage without modules first"
    1.45  	# Build bzImage without modules first
    1.46 -	cp -f $stuff/$PACKAGE-$VERSION-slitaz.config .config
    1.47 +	cp -f $stuff/$PACKAGE-$BASE_VERSION-slitaz.config .config
    1.48  	sed -i 's/CONFIG_MODULES=y/# CONFIG_MODULES is not set/' .config
    1.49  	# We can't keep every driver in staging 
    1.50  	sed -i -e 's/^CONFIG_RTL8192/#&/' \
    1.51 @@ -82,7 +89,7 @@
    1.52  
    1.53  	report step "Now build bzImage with modules"
    1.54  	# Build bzImage with modules
    1.55 -	cp -f $stuff/$PACKAGE-$VERSION-slitaz.config .config
    1.56 +	cp -f $stuff/$PACKAGE-$BASE_VERSION-slitaz.config .config
    1.57  	make oldconfig
    1.58  	ln .config $WOK/$PACKAGE/slitaz/config
    1.59  	make -j 4 bzImage &&
    1.60 @@ -116,7 +123,7 @@
    1.61      export _pkg
    1.62      mkdir $WOK/$PACKAGE/tmp
    1.63      $WOK/$PACKAGE/stuff/list_modules.sh \
    1.64 -	$(cat stuff/modules-$VERSION.list) > $WOK/$PACKAGE/tmp/modules.list
    1.65 +	$(cat $stuff/modules-$BASE_VERSION.list) > $WOK/$PACKAGE/tmp/modules.list
    1.66      while read module; do
    1.67      	dir=$(dirname $module)
    1.68      	[ -d $path/$dir ] || mkdir -p $path/$dir

     2.1 --- a/tiff/receipt	Sat Apr 09 13:01:20 2011 +0200
     2.2 +++ b/tiff/receipt	Sat Apr 09 07:21:58 2011 +0000
     2.3 @@ -20,16 +20,19 @@
     2.4      # allows context-dependent attackers to cause a denial of service 
     2.5      # (crash) via a crafted TIFF imag.
     2.6  
     2.7 -    patch -p1 -i $stuff/libtiff-CVE-2009-2285.patch
     2.8 -    ./configure --prefix=/usr --infodir=/usr/share/info \
     2.9 -    --mandir=/usr/share/man $CONFIGURE_ARGS &&
    2.10 +    patch -Np1 -i $stuff/libtiff-CVE-2009-2285.patch
    2.11 +    #http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0192
    2.12 +    patch -Np1 -i $stuff/libtiff-CVE-2011-0192.patch
    2.13 +    #http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1167
    2.14 +    patch -Np1 -i $stuff/libtiff-CVE-2011-1167.patch
    2.15 +    ./configure &&
    2.16      make &&
    2.17 -    make DESTDIR=$PWD/_pkg install
    2.18 +    make install
    2.19  }
    2.20  
    2.21  # Rules to gen a SliTaz package suitable for Tazpkg.
    2.22  genpkg_rules()
    2.23  {
    2.24 -	mkdir -p $fs/usr/lib
    2.25 +    mkdir -p $fs/usr/lib
    2.26      cp -a $_pkg/usr/lib/*.so* $fs/usr/lib
    2.27  }

     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/tiff/stuff/libtiff-CVE-2011-0192.patch	Sat Apr 09 07:21:58 2011 +0000
     3.3 @@ -0,0 +1,27 @@
     3.4 +Protect against a fax VL(n) codeword commanding a move left.  Without
     3.5 +this, a malicious input file can generate an indefinitely large series
     3.6 +of runs without a0 ever reaching the right margin, thus overrunning
     3.7 +our buffer of run lengths.  Per CVE-2011-0192.  This is a modified
     3.8 +version of a patch proposed by Drew Yao of Apple Product Security.
     3.9 +It adds an unexpected() report, and disallows the equality case except
    3.10 +for the first run of a line, since emitting a run without increasing a0
    3.11 +still allows buffer overrun.  (We have to allow it for the first run to
    3.12 +cover the case of encoding a zero-length run at start of line using VL.)
    3.13 +
    3.14 +
    3.15 +diff -Naur tiff-3.9.4.orig/libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
    3.16 +--- tiff-3.9.4.orig/libtiff/tif_fax3.h	2010-06-08 14:50:42.000000000 -0400
    3.17 ++++ tiff-3.9.4/libtiff/tif_fax3.h	2011-03-10 12:11:20.850839162 -0500
    3.18 +@@ -478,6 +478,12 @@
    3.19 + 	    break;							\
    3.20 + 	case S_VL:							\
    3.21 + 	    CHECK_b1;							\
    3.22 ++	    if (b1 <= (int) (a0 + TabEnt->Param)) {			\
    3.23 ++		if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) {	\
    3.24 ++		    unexpected("VL", a0);				\
    3.25 ++		    goto eol2d;						\
    3.26 ++		}							\
    3.27 ++	    }								\
    3.28 + 	    SETVALUE(b1 - a0 - TabEnt->Param);				\
    3.29 + 	    b1 -= *--pb;						\
    3.30 + 	    break;							\

     4.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     4.2 +++ b/tiff/stuff/libtiff-CVE-2011-1167.patch	Sat Apr 09 07:21:58 2011 +0000
     4.3 @@ -0,0 +1,53 @@
     4.4 +Upstream patch for CVE-2011-1167, heap-based buffer overflow in thunder
     4.5 +decoder (ZDI-CAN-1004).
     4.6 +
     4.7 +
     4.8 +diff -Naur tiff-3.9.4.orig/libtiff/tif_thunder.c tiff-3.9.4/libtiff/tif_thunder.c
     4.9 +--- tiff-3.9.4.orig/libtiff/tif_thunder.c	2010-06-08 14:50:43.000000000 -0400
    4.10 ++++ tiff-3.9.4/libtiff/tif_thunder.c	2011-03-18 12:17:13.635796403 -0400
    4.11 +@@ -55,12 +55,32 @@
    4.12 + static const int twobitdeltas[4] = { 0, 1, 0, -1 };
    4.13 + static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
    4.14 + 
    4.15 +-#define	SETPIXEL(op, v) { \
    4.16 +-	lastpixel = (v) & 0xf; \
    4.17 +-	if (npixels++ & 1) \
    4.18 +-	    *op++ |= lastpixel; \
    4.19 +-	else \
    4.20 ++#define	SETPIXEL(op, v) {                     \
    4.21 ++	lastpixel = (v) & 0xf;                \
    4.22 ++        if ( npixels < maxpixels )         \
    4.23 ++        {                                     \
    4.24 ++	  if (npixels++ & 1)                  \
    4.25 ++	    *op++ |= lastpixel;               \
    4.26 ++	  else                                \
    4.27 + 	    op[0] = (tidataval_t) (lastpixel << 4); \
    4.28 ++        }                                     \
    4.29 ++}
    4.30 ++
    4.31 ++static int
    4.32 ++ThunderSetupDecode(TIFF* tif)
    4.33 ++{
    4.34 ++	static const char module[] = "ThunderSetupDecode";
    4.35 ++
    4.36 ++        if( tif->tif_dir.td_bitspersample != 4 )
    4.37 ++        {
    4.38 ++                TIFFErrorExt(tif->tif_clientdata, module,
    4.39 ++                             "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
    4.40 ++                             (int) tif->tif_dir.td_bitspersample );
    4.41 ++                return 0;
    4.42 ++        }
    4.43 ++        
    4.44 ++
    4.45 ++	return (1);
    4.46 + }
    4.47 + 
    4.48 + static int
    4.49 +@@ -151,6 +171,7 @@
    4.50 + 	(void) scheme;
    4.51 + 	tif->tif_decoderow = ThunderDecodeRow;
    4.52 + 	tif->tif_decodestrip = ThunderDecodeRow;
    4.53 ++	tif->tif_setupdecode = ThunderSetupDecode;
    4.54 + 	return (1);
    4.55 + }
    4.56 + #endif /* THUNDER_SUPPORT */

     5.1 --- a/wxpython/receipt	Sat Apr 09 13:01:20 2011 +0200
     5.2 +++ b/wxpython/receipt	Sat Apr 09 07:21:58 2011 +0000
     5.3 @@ -5,8 +5,8 @@
     5.4  CATEGORY="x-window"
     5.5  SHORT_DESC="GUI toolkit for the Python programming language."
     5.6  MAINTAINER="pankso@slitaz.org"
     5.7 -DEPENDS="python gtk+"
     5.8 -BUILD_DEPENDS="python-dev gtk+-dev"
     5.9 +DEPENDS="python wxWidgets"
    5.10 +BUILD_DEPENDS="python-dev wxWidgets-dev"
    5.11  SOURCE="wxPython-src"
    5.12  TARBALL="$SOURCE-$VERSION.tar.bz2"
    5.13  WEB_SITE="http://www.wxpython.org/"
    5.14 @@ -17,12 +17,14 @@
    5.15  {
    5.16      cd $src
    5.17      ./configure \
    5.18 -    	--prefix=/usr \
    5.19 -    	--mandir=/usr/share/man \
    5.20 -    	--without-sdl \
    5.21 -    	$CONFIGURE_ARGS &&
    5.22 -    make -j 4 &&
    5.23 -    make DESTDIR=$PWD/_pkg install
    5.24 +	--with-gtk=2 \
    5.25 +	--with-libpng=sys \
    5.26 +	--with-libjpeg=sys \
    5.27 +	--with-libtiff=sys &&
    5.28 +    cd wxPython &&
    5.29 +    python setup.py WXPORT=gtk2 UNICODE=1 build &&
    5.30 +    python setup.py WXPORT=gtk2 UNICODE=1 install --root=$DESTDIR
    5.31 +
    5.32  }
    5.33  
    5.34  # Rules to gen a SliTaz package suitable for Tazpkg.