Fix CVE-2018-8095:

http://bugzilla.maptools.org/show_bug.cgi?id=2780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905

Patch copied from upstream source repository:

https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d

From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 12 May 2018 15:32:31 +0200
Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905

The fix consists in using the similar code LZWDecode() to validate we
don't write outside of the output buffer.
---
 libtiff/tif_lzw.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index 4ccb443c..94d85e38 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
 	char *tp;
 	unsigned char *bp;
 	int code, nbits;
+	int len;
 	long nextbits, nextdata, nbitsmask;
 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
 
@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
 				}  while (--occ);
 				break;
 			}
-			assert(occ >= codep->length);
-			op += codep->length;
-			occ -= codep->length;
-			tp = op;
+			len = codep->length;
+			tp = op + len;
 			do {
-				*--tp = codep->value;
-			} while( (codep = codep->next) != NULL );
+				int t;
+				--tp;
+				t = codep->value;
+				codep = codep->next;
+				*tp = (char)t;
+			} while (codep && tp > op);
+			assert(occ >= len);
+			op += len;
+			occ -= len;
 		} else {
 			*op++ = (char)code;
 			occ--;
-- 
2.17.0

n value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=c8f16c7f7e043bdcfbdffdd09909778adecb9160'>root</a>/<a href='/guix/log/gnu?id=c8f16c7f7e043bdcfbdffdd09909778adecb9160'>gnu</a>/<a href='/guix/log/gnu/tests?id=c8f16c7f7e043bdcfbdffdd09909778adecb9160'>tests</a>/<a href='/guix/log/gnu/tests/rsync.scm?id=c8f16c7f7e043bdcfbdffdd09909778adecb9160'>rsync.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/tests/rsync.scm?id=c8f16c7f7e043bdcfbdffdd09909778adecb9160&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2018-10-18 01:12:22 +0200'>2018-10-18</span></td><td><a href='/guix/commit/gnu/tests/rsync.scm?id=39d7fdce453b0ca23ecbed72048647debbaa58a6'>services: dhcp-client: Deprecate 'dhcp-client-service' procedure.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/services/networking.scm (dhcp-client-service-type): Add default
value.
* gnu/system/examples/bare-bones.tmpl: Use (service
dhcp-client-service-type) instead of (dhcp-client-service).
* gnu/system/examples/beaglebone-black.tmpl: Likewise.
* gnu/tests/base.scm (%avahi-os): Likewise.
* gnu/tests/databases.scm (%memcached-os): Likewise.
(%mongodb-os): Likewise.
* gnu/tests/dict.scm (%dicod-os): Likewise.
* gnu/tests/mail.scm (%opensmtpd-os): Likewise.
(%exim-os): Likewise.
(%dovecot-os): Likewise.
* gnu/tests/messaging.scm (run-xmpp-test): Likewise.
(run-bitlbee-test): Likewise.
* gnu/tests/monitoring.scm (%prometheus-node-exporter-os): Likewise.
* gnu/tests/networking.scm (%inetd-os): Likewise.
(run-iptables-test): Likewise.
* gnu/tests/nfs.scm (%base-os): Likewise.
* gnu/tests/rsync.scm (%rsync-os): Likewise.
* gnu/tests/ssh.scm (run-ssh-test): Likewise.
* gnu/tests/version-control.scm (%cgit-os): Likewise.
(%git-http-os): Likewise.
(%gitolite-os): Likewise.
* gnu/tests/virtualization.scm (%libvirt-os): Likewise.
* gnu/tests/web.scm (%httpd-os): Likewise.
(%nginx-os): Likewise.
(%varnish-os): Likewise.
(%php-fpm-os): Likewise.
(%hpcguix-web-os): Likewise.
(%tailon-os): Likewise.
* tests/guix-system.sh: Likewise.
* doc/guix.texi (Networking Services): Document
'dhcp-client-service-type' and remove 'dhcp-client-service'.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2018-06-13 09:11:45 +0200'>2018-06-13</span></td><td><a href='/guix/commit/gnu/tests/rsync.scm?id=c24b15472baaa7ec67d48cbf296bbe5ab727b78f'>tests: Honor the return value of 'start-service'.</a><span class='msg-avail'>...<span class='msg-tooltip'>Since commit dc7b3e56337ee9d8dcd8fe7d5cab71ef536d024f, 'start-service' returns
the Shepherd's representation of the service as a sexp, and '#f' if the
service fails to start.  Also, it doesn't throw an exception when the service
fails to start, so relying on an exception instead of relying on its return
value is a false positive.

* gnu/tests/base.scm (run-nss-mdns-test): Split tests so to check the return
value of 'start-service'.
(run-mcron-test, run-nss-mdns-test): Use 'test-assert' with the return value
of 'start-service'.
* gnu/tests/admin.scm (run-tailon-test): Idem.
* gnu/tests/dict.scm (run-dicod-test): Idem.
* gnu/tests/mail.scm (run-opensmtpd-test, run-exim-test, run-dovecot-test):
Idem.
* gnu/tests/messaging.scm (run-xmpp-test, run-bitlbee-test): Idem.
* gnu/tests/nfs.scm (run-nfs-test): Idem.
* gnu/tests/rsync.scm (run-rsync-test): Idem.
* gnu/tests/ssh.scm (run-ssh-test): Idem.
* gnu/tests/version-control.scm (run-cgit-test, run-git-http-test): Idem.
* gnu/tests/web.scm (run-php-fpm-test): Idem.
</span></span></td><td>Clément Lassieur</td></tr>
<tr><td><span title='2017-09-23 21:07:27 +0100'>2017-09-23</span></td><td><a href='/guix/commit/gnu/tests/rsync.scm?id=9db7e9be59820190a97de22ba72e71fa25f9d168'>gnu: Add rsync service.</a><span class='msg-avail'>...<span class='msg-tooltip'>* doc/guix.texi (Networking Services): Add rsync service documentation.
* gnu/services/rsync.scm (&lt;rsync-configuration&gt;): New file.
* gnu/tests/rsync.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add new files.

Signed-off-by: Christopher Baines &lt;mail@cbaines.net&gt;
</span></span></td><td>Oleg Pykhalov</td></tr>

Age	Commit message (Expand)	Author
2018-10-18	services: dhcp-client: Deprecate 'dhcp-client-service' procedure....* gnu/services/networking.scm (dhcp-client-service-type): Add default value. * gnu/system/examples/bare-bones.tmpl: Use (service dhcp-client-service-type) instead of (dhcp-client-service). * gnu/system/examples/beaglebone-black.tmpl: Likewise. * gnu/tests/base.scm (%avahi-os): Likewise. * gnu/tests/databases.scm (%memcached-os): Likewise. (%mongodb-os): Likewise. * gnu/tests/dict.scm (%dicod-os): Likewise. * gnu/tests/mail.scm (%opensmtpd-os): Likewise. (%exim-os): Likewise. (%dovecot-os): Likewise. * gnu/tests/messaging.scm (run-xmpp-test): Likewise. (run-bitlbee-test): Likewise. * gnu/tests/monitoring.scm (%prometheus-node-exporter-os): Likewise. * gnu/tests/networking.scm (%inetd-os): Likewise. (run-iptables-test): Likewise. * gnu/tests/nfs.scm (%base-os): Likewise. * gnu/tests/rsync.scm (%rsync-os): Likewise. * gnu/tests/ssh.scm (run-ssh-test): Likewise. * gnu/tests/version-control.scm (%cgit-os): Likewise. (%git-http-os): Likewise. (%gitolite-os): Likewise. * gnu/tests/virtualization.scm (%libvirt-os): Likewise. * gnu/tests/web.scm (%httpd-os): Likewise. (%nginx-os): Likewise. (%varnish-os): Likewise. (%php-fpm-os): Likewise. (%hpcguix-web-os): Likewise. (%tailon-os): Likewise. * tests/guix-system.sh: Likewise. * doc/guix.texi (Networking Services): Document 'dhcp-client-service-type' and remove 'dhcp-client-service'.	Ludovic Courtès
2018-06-13	tests: Honor the return value of 'start-service'....Since commit dc7b3e56337ee9d8dcd8fe7d5cab71ef536d024f, 'start-service' returns the Shepherd's representation of the service as a sexp, and '#f' if the service fails to start. Also, it doesn't throw an exception when the service fails to start, so relying on an exception instead of relying on its return value is a false positive. * gnu/tests/base.scm (run-nss-mdns-test): Split tests so to check the return value of 'start-service'. (run-mcron-test, run-nss-mdns-test): Use 'test-assert' with the return value of 'start-service'. * gnu/tests/admin.scm (run-tailon-test): Idem. * gnu/tests/dict.scm (run-dicod-test): Idem. * gnu/tests/mail.scm (run-opensmtpd-test, run-exim-test, run-dovecot-test): Idem. * gnu/tests/messaging.scm (run-xmpp-test, run-bitlbee-test): Idem. * gnu/tests/nfs.scm (run-nfs-test): Idem. * gnu/tests/rsync.scm (run-rsync-test): Idem. * gnu/tests/ssh.scm (run-ssh-test): Idem. * gnu/tests/version-control.scm (run-cgit-test, run-git-http-test): Idem. * gnu/tests/web.scm (run-php-fpm-test): Idem.	Clément Lassieur
2017-09-23	gnu: Add rsync service....* doc/guix.texi (Networking Services): Add rsync service documentation. * gnu/services/rsync.scm (<rsync-configuration>): New file. * gnu/tests/rsync.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add new files. Signed-off-by: Christopher Baines <mail@cbaines.net>	Oleg Pykhalov