From 8e28d22c914122aa7bfb70847370d8ae0f070688 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Tue, 16 Jun 2015 00:59:15 -0400
Subject: gnu: libtiff: Add fixes for several CVEs.

* gnu/packages/patches/libtiff-CVE-2012-4564.patch,
  gnu/packages/patches/libtiff-CVE-2013-1960.patch,
  gnu/packages/patches/libtiff-CVE-2013-1961.patch,
  gnu/packages/patches/libtiff-CVE-2013-4231.patch,
  gnu/packages/patches/libtiff-CVE-2013-4232.patch,
  gnu/packages/patches/libtiff-CVE-2013-4243.patch,
  gnu/packages/patches/libtiff-CVE-2013-4244.patch,
  gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch,
  gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch,
  gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch,
  gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch,
  gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch,
  gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch,
  gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch,
  gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch,
  gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch,
  gnu/packages/patches/libtiff-CVE-2014-8129.patch,
  gnu/packages/patches/libtiff-CVE-2014-9330.patch,
  gnu/packages/patches/libtiff-CVE-2014-9655.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[source]: Add patches.
---
 gnu/packages/patches/libtiff-CVE-2013-4243.patch | 39 ++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 gnu/packages/patches/libtiff-CVE-2013-4243.patch

(limited to 'gnu/packages/patches/libtiff-CVE-2013-4243.patch')

diff --git a/gnu/packages/patches/libtiff-CVE-2013-4243.patch b/gnu/packages/patches/libtiff-CVE-2013-4243.patch
new file mode 100644
index 0000000000..a10884cd89
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2013-4243.patch
@@ -0,0 +1,39 @@
+Copied from Debian
+
+Index: tiff/tools/gif2tiff.c
+===================================================================
+--- tiff.orig/tools/gif2tiff.c
++++ tiff/tools/gif2tiff.c
+@@ -280,6 +280,10 @@ readgifimage(char* mode)
+         fprintf(stderr, "no colormap present for image\n");
+         return (0);
+     }
++    if (width == 0 || height == 0) {
++        fprintf(stderr, "Invalid value of width or height\n");
++        return(0);
++    }
+     if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+         fprintf(stderr, "not enough memory for image\n");
+         return (0);
+@@ -404,6 +408,10 @@ process(register int code, unsigned char
+             fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+             return 0;
+         }
++        if (*fill >= raster + width*height) {
++            fprintf(stderr, "raster full before eoi code\n");
++            return 0;
++        }
+ 	*(*fill)++ = suffix[code];
+ 	firstchar = oldcode = code;
+ 	return 1;
+@@ -434,6 +442,10 @@ process(register int code, unsigned char
+     }
+     oldcode = incode;
+     do {
++        if (*fill >= raster + width*height) {
++            fprintf(stderr, "raster full before eoi code\n");
++            return 0;
++        }
+ 	*(*fill)++ = *--stackp;
+     } while (stackp > stack);
+     return 1;
-- 
cgit v1.2.3

1-04-08 17:12:06 +0200'>2021-04-08</span></td><td><a href='/guix/commit/etc?id=c762df54786fd6f005f3b5307323f1d2df3cbf0b'>etc/committer: Disable diff colors.</a><span class='msg-avail'>...</span></td><td>Ricardo Wurmus</td></tr>
<tr><td><span title='2021-04-08 03:10:14 +0200'>2021-04-08</span></td><td><a href='/guix/commit/etc?id=83991a34d5c1d4985e54dd029a81412277ad062a'>etc/committer: Recompute hunks before processing changes.</a><span class='msg-avail'>...</span></td><td>Ricardo Wurmus</td></tr>
<tr><td><span title='2021-04-08 03:10:14 +0200'>2021-04-08</span></td><td><a href='/guix/commit/etc?id=43fb6b765d82ea5acfdc83f61472d99594ee1cbf'>etc/committer: Record minimal context for hunks to avoid problems.</a><span class='msg-avail'>...</span></td><td>Ricardo Wurmus</td></tr>
<tr><td><span title='2021-04-08 03:10:14 +0200'>2021-04-08</span></td><td><a href='/guix/commit/etc?id=56270c1275d8dcdec80c04c032079b694204052a'>etc/committer: Define delay duration as a variable.</a><span class='msg-avail'>...</span></td><td>Ricardo Wurmus</td></tr>
<tr><td><span title='2021-04-08 03:10:13 +0200'>2021-04-08</span></td><td><a href='/guix/commit/etc?id=c8c3afe8485bd614692f13e1e8a4200136da1302'>etc/committer: Handle package additions.</a><span class='msg-avail'>...</span></td><td>Ricardo Wurmus</td></tr>
<tr><td><span title='2021-04-04 07:47:12 +0200'>2021-04-04</span></td><td><a href='/guix/commit/etc?id=86617c92c6a795668b2eca3d3c3b285cb742cb24'>news: Add 'de' translation.</a><span class='msg-avail'>...</span></td><td>Florian Pelz</td></tr>
<tr><td><span title='2021-04-03 22:19:28 +0200'>2021-04-03</span></td><td><a href='/guix/commit/etc?id=3b6247ba6d531be61b85e8b0c02ff4d7118593f5'>news: Clarify time window for account activation vulnerability.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-04-03 22:13:28 +0200'>2021-04-03</span></td><td><a href='/guix/commit/etc?id=c9960ad67c7644225343e913d5fea620d97bb293'>news: Recommend upgrade for account activation vulnerability.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-04-03 22:09:56 +0200'>2021-04-03</span></td><td><a href='/guix/commit/etc?id=72f911bf059ec3d984dbc2d22e02165940cb9983'>news: Add entry for user account activation vulnerability.</a><span class='msg-avail'>...</span></td><td>Maxime Devos</td></tr>
<tr><td><span title='2021-04-01 19:51:32 +0200'>2021-04-01</span></td><td><a href='/guix/commit/etc?id=2743a0b28dc55837f118b87cc04aa2baf1386faf'>news: Add 'de' translation.</a><span class='msg-avail'>...</span></td><td>Florian Pelz</td></tr>
<tr><td><span title='2021-03-31 17:18:14 +0200'>2021-03-31</span></td><td><a href='/guix/commit/etc?id=f73b4ecb0c265987be1cb03ffc68171223c1c443'>news: Add 'fr' translation.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-03-30 23:02:17 -0700'>2021-03-30</span></td><td><a href='/guix/commit/etc?id=0374617920e3d278e68c71826fec1f590921e31b'>news: Add entry announcing powerpc64le-linux support.</a><span class='msg-avail'>...</span></td><td>Chris Marusich</td></tr>
<tr><td><span title='2021-03-23 23:19:57 -0700'>2021-03-23</span></td><td><a href='/guix/commit/etc?id=a16eb6c5f97f136b678540ba61f12b2c08e43e13'>Add powerpc64le-linux as a supported Guix architecture.</a><span class='msg-avail'>...</span></td><td>Chris Marusich</td></tr>
<tr><td><span title='2021-03-18 22:33:53 +0000'>2021-03-18</span></td><td><a href='/guix/commit/etc?id=5dd33960bc773774dd3c2fd508e1b9ed3f8a73e2'>news: Add ‘de’ translation.</a><span class='msg-avail'>...</span></td><td>Florian Pelz</td></tr>
<tr><td><span title='2021-03-18 22:30:46 +0100'>2021-03-18</span></td><td><a href='/guix/commit/etc?id=1cf49786f02e2fcb791e24d6678a3f54f22bf85a'>news: Add ‘nl’ translation.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-03-18 22:15:00 +0100'>2021-03-18</span></td><td><a href='/guix/commit/etc?id=79f9091b0f2d96d829340606d3e924d175285cf1'>news: Update erratum for '--keep-failed' vulnerability.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-03-18 21:52:02 +0100'>2021-03-18</span></td><td><a href='/guix/commit/etc?id=f62633a527a7b54ab2c552b493dce382ab2365e6'>news: Add erratum for '--keep-failed' vulnerability.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-03-18 17:47:07 +0100'>2021-03-18</span></td><td><a href='/guix/commit/etc?id=a12de215e3e744e2fc4cbb33ca0b2a7b48c22405'>news: Fix ‘nl’ typo.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-03-18 17:08:11 +0100'>2021-03-18</span></td><td><a href='/guix/commit/etc?id=6ce80c900810e692150d168eddeae4d7de935488'>news: Add ‘nl’ translation.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-03-18 14:38:57 +0000'>2021-03-18</span></td><td><a href='/guix/commit/etc?id=9783645ee8eaf9c33ce952131e692fb2ff47ffc9'>news: Add ‘de’ translation.</a></td><td>Florian Pelz</td></tr>
<tr><td><span title='2021-03-18 12:34:02 +0100'>2021-03-18</span></td><td><a href='/guix/commit/etc?id=1955ef93b76e51cab5bed4c90f7eb9df7035355a'>news: Add entry for '--keep-failed' vulnerability.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-03-17 13:31:43 +0100'>2021-03-17</span></td><td><a href='/guix/commit/etc?id=bf6a1dbae1c08d6ee4ea1d169a1dd2f1ba7769ba'>news: Add 'fr' translation.</a><span class='msg-avail'>...</span></td><td>Julien Lepiller</td></tr>
<tr><td><span title='2021-03-16 13:43:32 +0000'>2021-03-16</span></td><td><a href='/guix/commit/etc?id=9ed2a26d047799a36803e3e69ec9612e8301840c'>news: Add ‘de’ translation.</a></td><td>Florian Pelz</td></tr>
<tr><td><span title='2021-03-15 18:03:16 -0400'>2021-03-15</span></td><td><a href='/guix/commit/etc?id=1ea2c82355d81d95c39c9a6b29c43f85e48baa19'>news: Add news entry about changes to the QEMU binfmt service.</a><span class='msg-avail'>...</span></td><td>Maxim Cournoyer</td></tr>
<tr><td><span title='2021-03-11 16:23:02 +0000'>2021-03-11</span></td><td><a href='/guix/commit/etc?id=526b5b106e66a82cdc53f3a06d4bd6521eeb0daf'>news: Update copyright.</a><span class='msg-avail'>...</span></td><td>Florian Pelz</td></tr>
<tr><td><span title='2021-03-11 15:20:50 +0100'>2021-03-11</span></td><td><a href='/guix/commit/etc?id=8f359cd9ff05d5d10225648d0198c7929a661761'>news: Add ‘nl’ translation.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-03-11 13:00:00 +0000'>2021-03-11</span></td><td><a href='/guix/commit/etc?id=c6079b0278a94fa1a9477a9ab667fd419acc388b'>news: Add ‘de’ translation.</a></td><td>Florian Pelz</td></tr>
<tr><td><span title='2021-03-10 18:03:34 +0100'>2021-03-10</span></td><td><a href='/guix/commit/etc?id=2673324efac039d9986c5bf440e8806f853d4220'>news: Add entry for 'guix import go'.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-03-10 08:49:48 +0100'>2021-03-10</span></td><td><a href='/guix/commit/etc?id=76bea3f8bcd951ded88dfb7f8cad5bc3e5a1701f'>ci: Remove hydra support.</a><span class='msg-avail'>...</span></td><td>Mathieu Othacehe</td></tr>