Author: rjones Update of /cvs/pkgs/rpms/ocaml-camlimages/F-10 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28679 Modified Files: ocaml-camlimages.spec Added Files: camlimages-oversized-tiff-check-CVE-2009-3296.patch Log Message: * Fri Oct 16 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 3.0.1-3.fc10.3 - ocaml-camlimages: TIFF reader multiple integer overflows (CVE 2009-3296 / RHBZ#528732). camlimages-oversized-tiff-check-CVE-2009-3296.patch: tiffread.c | 11 +++++++++++ 1 file changed, 11 insertions(+) --- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch --- --- camlimages-3.0.1.old/src/tiffread.c 2007-01-18 10:29:57.000000000 +0000 +++ camlimages-3.0.1/src/tiffread.c 2009-10-16 10:26:53.841258260 +0100 @@ -21,6 +21,13 @@ #include <caml/memory.h> #include <caml/fail.h> +#include <limits.h> +#define oversized(x, y) \ + ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) + +#define failwith_oversized(lib) \ + failwith("#lib error: image contains oversized or bogus width and height"); + /* These are defined in caml/config.h */ #define int16 int16tiff #define uint16 uint16tiff @@ -64,6 +71,10 @@ TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres); TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric); + if (oversized (imagewidth, imagelength)) { + failwith_oversized("tiff"); + } + if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){ if( imagebits != 8 ){ failwith("Sorry, tiff rgb file must be 24bit-color"); Index: ocaml-camlimages.spec =================================================================== RCS file: /cvs/pkgs/rpms/ocaml-camlimages/F-10/ocaml-camlimages.spec,v retrieving revision 1.12 retrieving revision 1.13 diff -u -p -r1.12 -r1.13 --- ocaml-camlimages.spec 3 Jul 2009 18:30:05 -0000 1.12 +++ ocaml-camlimages.spec 16 Oct 2009 09:39:25 -0000 1.13 @@ -4,7 +4,7 @@ Name: ocaml-camlimages Version: 3.0.1 -Release: 3%{?dist}.2 +Release: 3%{?dist}.3 Summary: OCaml image processing library Group: Development/Libraries @@ -19,6 +19,9 @@ Patch0: camlimages-3.0.1-display # https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4 Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=528732 +Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch + BuildRequires: ocaml >= 3.10.1 BuildRequires: ocaml-lablgtk-devel BuildRequires: ocaml-x11 @@ -66,6 +69,7 @@ Includes documentation provided by ocaml # the examples/liv directory, so rename it: %patch0 -p1 %patch1 -p1 +%patch2 -p1 aclocal -I . automake autoconf @@ -111,6 +115,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Oct 16 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 3.0.1-3.fc10.3 +- ocaml-camlimages: TIFF reader multiple integer overflows + (CVE 2009-3296 / RHBZ#528732). + * Fri Jul 3 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 3.0.1-3.fc10.2 - ocaml-camlimages: PNG reader multiple integer overflows (CVE 2009-2295 / RHBZ#509531). _______________________________________________ Fedora-ocaml-list mailing list Fedora-ocaml-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-ocaml-list