Slackware 14.0slackware-14.0

Wed Sep 26 01:10:42 UTC 2012
Slackware 14.0 x86_64 stable is released!

We're perfectionists here at Slackware, so this release has been a long
time a-brewing.  But we think you'll agree that it was worth the wait.
Slackware 14.0 combines modern components, ease of use, and flexible
configuration... our "KISS" philosophy demands it.

The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a
dual-sided
32-bit/64-bit x86/x86_64 DVD.  Please consider supporting the Slackware
project by picking up a copy from store.slackware.com.  We're taking
pre-orders now, and offer a discount if you sign up for a subscription.

Thanks to everyone who helped make this happen.  The Slackware team, the
upstream developers, and (of course) the awesome Slackware user
community.

Have fun!  :-)

4 files changed, 74 insertions, 84 deletions

diff --git a/source/l/libtiff/libtiff-CVE-2011-0192.patch b/source/l/libtiff/libtiff-CVE-2011-0192.patch
deleted file mode 100644
index 892f70e01..000000000
--- a/source/l/libtiff/libtiff-CVE-2011-0192.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Protect against a fax VL(n) codeword commanding a move left.  Without
-this, a malicious input file can generate an indefinitely large series
-of runs without a0 ever reaching the right margin, thus overrunning
-our buffer of run lengths.  Per CVE-2011-0192.  This is a modified
-version of a patch proposed by Drew Yao of Apple Product Security.
-It adds an unexpected() report, and disallows the equality case except
-for the first run of a line, since emitting a run without increasing a0
-still allows buffer overrun.  (We have to allow it for the first run to
-cover the case of encoding a zero-length run at start of line using VL.)
-
-
-diff -Naur tiff-3.9.4.orig/libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
---- tiff-3.9.4.orig/libtiff/tif_fax3.h	2010-06-08 14:50:42.000000000 -0400
-+++ tiff-3.9.4/libtiff/tif_fax3.h	2011-03-10 12:11:20.850839162 -0500
-@@ -478,6 +478,12 @@
- 	    break;							\
- 	case S_VL:							\
- 	    CHECK_b1;							\
-+	    if (b1 <= (int) (a0 + TabEnt->Param)) {			\
-+		if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) {	\
-+		    unexpected("VL", a0);				\
-+		    goto eol2d;						\
-+		}							\
-+	    }								\
- 	    SETVALUE(b1 - a0 - TabEnt->Param);				\
- 	    b1 -= *--pb;						\
- 	    break;							\
diff --git a/source/l/libtiff/libtiff-CVE-2011-1167.patch b/source/l/libtiff/libtiff-CVE-2011-1167.patch
deleted file mode 100644
index d3fcf6f64..000000000
--- a/source/l/libtiff/libtiff-CVE-2011-1167.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Upstream patch for CVE-2011-1167, heap-based buffer overflow in thunder
-decoder (ZDI-CAN-1004).
-
-
-diff -Naur tiff-3.9.4.orig/libtiff/tif_thunder.c tiff-3.9.4/libtiff/tif_thunder.c
---- tiff-3.9.4.orig/libtiff/tif_thunder.c	2010-06-08 14:50:43.000000000 -0400
-+++ tiff-3.9.4/libtiff/tif_thunder.c	2011-03-18 12:17:13.635796403 -0400
-@@ -55,12 +55,32 @@
- static const int twobitdeltas[4] = { 0, 1, 0, -1 };
- static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
- 
--#define	SETPIXEL(op, v) { \
--	lastpixel = (v) & 0xf; \
--	if (npixels++ & 1) \
--	    *op++ |= lastpixel; \
--	else \
-+#define	SETPIXEL(op, v) {                     \
-+	lastpixel = (v) & 0xf;                \
-+        if ( npixels < maxpixels )         \
-+        {                                     \
-+	  if (npixels++ & 1)                  \
-+	    *op++ |= lastpixel;               \
-+	  else                                \
- 	    op[0] = (tidataval_t) (lastpixel << 4); \
-+        }                                     \
-+}
-+
-+static int
-+ThunderSetupDecode(TIFF* tif)
-+{
-+	static const char module[] = "ThunderSetupDecode";
-+
-+        if( tif->tif_dir.td_bitspersample != 4 )
-+        {
-+                TIFFErrorExt(tif->tif_clientdata, module,
-+                             "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
-+                             (int) tif->tif_dir.td_bitspersample );
-+                return 0;
-+        }
-+        
-+
-+	return (1);
- }
- 
- static int
-@@ -151,6 +171,7 @@
- 	(void) scheme;
- 	tif->tif_decoderow = ThunderDecodeRow;
- 	tif->tif_decodestrip = ThunderDecodeRow;
-+	tif->tif_setupdecode = ThunderSetupDecode;
- 	return (1);
- }
- #endif /* THUNDER_SUPPORT */
diff --git a/source/l/libtiff/libtiff-CVE-2012-1173.patch b/source/l/libtiff/libtiff-CVE-2012-1173.patch
new file mode 100644
index 000000000..0ada700b4
--- /dev/null
+++ b/source/l/libtiff/libtiff-CVE-2012-1173.patch
@@ -0,0 +1,71 @@
+This patch is submitted to upstream for CVE-2012-1173
+
+
+diff -Naur tiff-3.9.5.orig/libtiff/tif_getimage.c tiff-3.9.5/libtiff/tif_getimage.c
+--- tiff-3.9.5.orig/libtiff/tif_getimage.c	2010-07-08 12:17:59.000000000 -0400
++++ tiff-3.9.5/libtiff/tif_getimage.c	2012-03-14 14:49:25.796728783 -0400
+@@ -673,18 +673,24 @@
+ 	unsigned char* p2;
+ 	unsigned char* pa;
+ 	tsize_t tilesize;
++	tsize_t bufsize;
+ 	int32 fromskew, toskew;
+ 	int alpha = img->alpha;
+ 	uint32 nrow;
+ 	int ret = 1, flip;
+ 
+ 	tilesize = TIFFTileSize(tif);
+-	buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize);
++	bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize);
++	if (bufsize == 0) {
++		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
++		return (0);
++	}
++	buf = (unsigned char*) _TIFFmalloc(bufsize);
+ 	if (buf == 0) {
+ 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
+ 		return (0);
+ 	}
+-	_TIFFmemset(buf, 0, (alpha?4:3)*tilesize);
++	_TIFFmemset(buf, 0, bufsize);
+ 	p0 = buf;
+ 	p1 = p0 + tilesize;
+ 	p2 = p1 + tilesize;
+@@ -880,17 +886,23 @@
+ 	uint32 rowsperstrip, offset_row;
+ 	uint32 imagewidth = img->width;
+ 	tsize_t stripsize;
++	tsize_t bufsize;
+ 	int32 fromskew, toskew;
+ 	int alpha = img->alpha;
+ 	int ret = 1, flip;
+ 
+ 	stripsize = TIFFStripSize(tif);
+-	p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize);
++	bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize);
++	if (bufsize == 0) {
++		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
++		return (0);
++	}
++	p0 = buf = (unsigned char *)_TIFFmalloc(bufsize);
+ 	if (buf == 0) {
+ 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer");
+ 		return (0);
+ 	}
+-	_TIFFmemset(buf, 0, (alpha?4:3)*stripsize);
++	_TIFFmemset(buf, 0, bufsize);
+ 	p1 = p0 + stripsize;
+ 	p2 = p1 + stripsize;
+ 	pa = (alpha?(p2+stripsize):NULL);
+diff -Naur tiff-3.9.5.orig/libtiff/tiffiop.h tiff-3.9.5/libtiff/tiffiop.h
+--- tiff-3.9.5.orig/libtiff/tiffiop.h	2011-03-28 09:43:43.000000000 -0400
++++ tiff-3.9.5/libtiff/tiffiop.h	2012-03-14 14:49:25.797728754 -0400
+@@ -246,7 +246,7 @@
+ #define	TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
+ 
+ /* Safe multiply which returns zero if there is an integer overflow */
+-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+ 
+ #define TIFFmax(A,B) ((A)>(B)?(A):(B))
+ #define TIFFmin(A,B) ((A)<(B)?(A):(B))
diff --git a/source/l/libtiff/libtiff.SlackBuild b/source/l/libtiff/libtiff.SlackBuild
index 33e871f35..91ec64fad 100755
--- a/source/l/libtiff/libtiff.SlackBuild
+++ b/source/l/libtiff/libtiff.SlackBuild
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2005-2011  Patrick J. Volkerding, Sebeka, Minnesota, USA
+# Copyright 2005-2012  Patrick J. Volkerding, Sebeka, Minnesota, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -21,7 +21,7 @@
 #  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 VERSION=${VERSION:-$(echo tiff-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=2
+BUILD=1
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
@@ -63,8 +63,7 @@ rm -rf tiff-$VERSION
 tar xvf $CWD/tiff-$VERSION.tar.?z* || exit 1
 cd tiff-$VERSION
 
-zcat $CWD/libtiff-CVE-2011-0192.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/libtiff-CVE-2011-1167.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libtiff-CVE-2012-1173.patch.gz | patch -p1 --verbose || exit 1
 
 chown -R root:root .
 find . \