Hi,

On Thu, May 18, 2017 at 08:12:50PM +0200, László Böszörményi (GCS) wrote:
> Hi Moritz,
>
> On Thu, May 18, 2017 at 7:36 PM, Moritz Muehlenhoff <j...@debian.org> wrote:
> > On Sat, Dec 26, 2015 at 10:21:52PM +0100, Salvatore Bonaccorso wrote:
> >> Source: tiff
> >> Version: 4.0.5-1
> >> Severity: important
> >> Tags: security upstream
> >>
> >> the following vulnerability was published for tiff.
> >>
> >> CVE-2015-7554[0]:
> >> invalid write
> >
> > I'm attaching the patch used by Red Hat for RHEL. It doesn't
> > seem to have been sent upstream, but seems sane.
> I miss the patch, did you attach it?

This one should basically correspond:

https://git.centos.org/raw/rpms!libtiff/1ad9335dc0c1325262c62842eda01476243ec821/SOURCES!libtiff-CVE-2015-7554.patch

Regards,
Salvatore

diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c --- tiff-4.0.4/tools/tiffsplit.c 2015-05-28 15:10:26.000000000 +0200 +++ tiff-4.0.4_patch/tools/tiffsplit.c 2016-02-12 19:15:30.532005041 +0100 @@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out) TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table); } } + uint32 count = 0; CopyField(TIFFTAG_PHOTOMETRIC, shortv); - CopyField(TIFFTAG_PREDICTOR, shortv); + CopyField2(TIFFTAG_PREDICTOR, count, shortv); CopyField(TIFFTAG_THRESHHOLDING, shortv); CopyField(TIFFTAG_FILLORDER, shortv); CopyField(TIFFTAG_ORIENTATION, shortv); @@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out) CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv); CopyField(TIFFTAG_XRESOLUTION, floatv); CopyField(TIFFTAG_YRESOLUTION, floatv); - CopyField(TIFFTAG_GROUP3OPTIONS, longv); + CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv); CopyField(TIFFTAG_GROUP4OPTIONS, longv); CopyField(TIFFTAG_RESOLUTIONUNIT, shortv); CopyField(TIFFTAG_PLANARCONFIG, shortv);
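
Review bot: In the first hunk (@@ -179,8 +179,9 @@), CopyField2(TIFFTAG_PREDICTOR, count, shortv) still hands the same shortv that the neighbouring single-value CopyField calls use as the destination for the second returned value. The declaration of shortv is not visible in this hunk, so please confirm its type matches what the library writes back when the tag is read in the two-value form; if a pointer to the data is returned alongside count, a scalar destination is still too small and the invalid write is not closed. Separately, `uint32 count = 0;` is declared after executable statements in tiffcp(), which is not valid C89; move it up to the function's other locals and add a short comment on why PREDICTOR needs the counted form.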
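
Review bot: In the second hunk (@@ -188,7 +189,7 @@), TIFFTAG_GROUP3OPTIONS moves to CopyField2 while CopyField(TIFFTAG_GROUP4OPTIONS, longv) on the very next line keeps the single-value form, and nothing in the patch explains why the two fax option tags are handled differently. Please state the criterion for which tags need the counted read and check the remaining CopyField lines in this list against it, either converting them or documenting why only PREDICTOR and GROUP3OPTIONS are affected. The same concern as for shortv applies to longv here: its type is not shown, and it is reused as the value destination in both forms.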