author | Natanael Copa <ncopa@alpinelinux.org> | 2013-01-17 15:22:03 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-01-17 15:30:11 +0000 |
commit | eda2e96a21e8586530375f6ef00d01bff0a8519b (patch) | |
tree | a5c2fdefbf9a8448f838d9d819211e9fe439bfb5 | |
parent | 9e3c4c8431fcb4ee6175eefef0db3aefad7b7e4f (diff) | |
main/tiff: fix CVE-2012-5581
fixes #1561
-rw-r--r-- | main/tiff/APKBUILD | 6 | ||||
-rw-r--r-- | main/tiff/CVE-2012-5581.patch | 245 |
2 files changed, 249 insertions, 2 deletions
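--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Michael Mason <ms13sp@gmail.com>
 pkgname=tiff
 pkgver=3.9.7
-pkgrel=0
+pkgrel=1
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
@@ -14,6 +14,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
 source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz
 CVE-2012-4447.patch
 CVE-2012-4564.patch
+CVE-2012-5581.patch
 "
 
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -52,4 +53,5 @@ tools() {
 
 md5sums="626102f448ba441d42e3212538ad67d2 tiff-3.9.7.tar.gz
 f85847db8d4cf8d9564f0f9af5bb060a CVE-2012-4447.patch
-e7b151b4a5acc8eb4b4428a98d6aa779 CVE-2012-4564.patch"
+e7b151b4a5acc8eb4b4428a98d6aa779 CVE-2012-4564.patch
+072dc152f5acc1ff1195fdf03e67ee52 CVE-2012-5581.patch"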
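--- /dev/null
+++ b/main/tiff/CVE-2012-5581.patch
@@ -0,0 +1,245 @@
+Fix unsafe handling of DotRange and related tags. Back-port of upstream
+patch for CVE-2012-5581. (Note: I have not pushed this into upstream CVS
+for the 3.9 branch, because I'm not entirely convinced that it won't create
+application compatibility issues --- tgl)
+
+
+diff -Naur tiff-3.9.7.orig/libtiff/tif_dir.c tiff-3.9.7/libtiff/tif_dir.c
+--- tiff-3.9.7.orig/libtiff/tif_dir.c 2012-09-22 10:48:09.000000000 -0400
++++ tiff-3.9.7/libtiff/tif_dir.c 2012-12-13 13:39:20.448864070 -0500
+@@ -494,32 +494,28 @@
+goto end;
+}
+
+- if ((fip->field_passcount
++ if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ uint16 v[2];
++ v[0] = (uint16)va_arg(ap, int);
++ v[1] = (uint16)va_arg(ap, int);
++ _TIFFmemcpy(tv->value, v, 4);
++ }
++ else if (fip->field_passcount
+|| fip->field_writecount == TIFF_VARIABLE
+|| fip->field_writecount == TIFF_VARIABLE2
+|| fip->field_writecount == TIFF_SPP
+- || tv->count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE
+- && fip->field_tag != TIFFTAG_WHITELEVEL) {
++ || tv->count > 1) {
+_TIFFmemcpy(tv->value, va_arg(ap, void *),
+tv->count * tv_size);
+} else {
+- /*
+- * XXX: The following loop required to handle
+- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
+- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
+- * These tags are actually arrays and should be passed as
+- * array pointers to TIFFSetField() function, but actually
+- * passed as a list of separate values. This behaviour
+- * must be changed in the future!
+- */
+- int i;
+char *val = (char *)tv->value;
+
+- for (i = 0; i < tv->count; i++, val += tv_size) {
++ assert( tv->count == 1 );
+switch (fip->field_type) {
+case TIFF_BYTE:
+case TIFF_UNDEFINED:
+@@ -578,7 +574,6 @@
+status = 0;
+break;
+}
+- }
+}
+}
+}
+@@ -869,24 +864,27 @@
+*va_arg(ap, uint16*) = (uint16)tv->count;
+*va_arg(ap, void **) = tv->value;
+ret_val = 1;
+- } else {
+- if ((fip->field_type == TIFF_ASCII
++ } else if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0];
++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1];
++ ret_val = 1;
++ } else {
++ if (fip->field_type == TIFF_ASCII
+|| fip->field_readcount == TIFF_VARIABLE
+|| fip->field_readcount == TIFF_VARIABLE2
+|| fip->field_readcount == TIFF_SPP
+- || tv->count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
++ || tv->count > 1) {
+*va_arg(ap, void **) = tv->value;
+ret_val = 1;
+} else {
+- int j;
+char *val = (char *)tv->value;
+
+- for (j = 0; j < tv->count;
+- j++, val += _TIFFDataSize(tv->info->field_type)) {
++ assert( tv->count == 1 );
+switch (fip->field_type) {
+case TIFF_BYTE:
+case TIFF_UNDEFINED:
+@@ -936,7 +934,6 @@
+ret_val = 0;
+break;
+}
+- }
+}
+}
+break;
+diff -Naur tiff-3.9.7.orig/libtiff/tif_print.c tiff-3.9.7/libtiff/tif_print.c
+--- tiff-3.9.7.orig/libtiff/tif_print.c 2010-07-08 12:17:59.000000000 -0400
++++ tiff-3.9.7/libtiff/tif_print.c 2012-12-13 13:42:12.773478278 -0500
+@@ -112,16 +112,22 @@
+}
+
+static int
+-_TIFFPrettyPrintField(TIFF* tif, FILE* fd, ttag_t tag,
++_TIFFPrettyPrintField(TIFF* tif, const TIFFFieldInfo *fip, FILE* fd, ttag_t tag,
+uint32 value_count, void *raw_data)
+{
+TIFFDirectory *td = &tif->tif_dir;
+
++ /* do not try to pretty print auto-defined fields */
++ if (strncmp(fip->field_name,"Tag ", 4) == 0) {
++ return 0;
++ }
++
+switch (tag)
+{
+case TIFFTAG_INKSET:
+- fprintf(fd, " Ink Set: ");
+- switch (*((uint16*)raw_data)) {
++ if (value_count == 2 && fip->field_type == TIFF_SHORT) {
++ fprintf(fd, " Ink Set: ");
++ switch (*((uint16*)raw_data)) {
+case INKSET_CMYK:
+fprintf(fd, "CMYK\n");
+break;
+@@ -130,11 +136,18 @@
+*((uint16*)raw_data),
+*((uint16*)raw_data));
+break;
++ }
++ return 1;
+}
+- return 1;
++ return 0;
++
+case TIFFTAG_WHITEPOINT:
+- fprintf(fd, " White Point: %g-%g\n",
+- ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
++ if (value_count == 2 && fip->field_type == TIFF_RATIONAL) {
++ fprintf(fd, " White Point: %g-%g\n",
++ ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
++ }
++ return 0;
++
+case TIFFTAG_REFERENCEBLACKWHITE:
+{
+uint16 i;
+@@ -174,10 +187,13 @@
+(unsigned long) value_count);
+return 1;
+case TIFFTAG_STONITS:
+- fprintf(fd,
+- " Sample to Nits conversion factor: %.4e\n",
+- *((double*)raw_data));
+- return 1;
++ if (value_count == 1 && fip->field_type == TIFF_DOUBLE) {
++ fprintf(fd,
++ " Sample to Nits conversion factor: %.4e\n",
++ *((double*)raw_data));
++ return 1;
++ }
++ return 0;
+}
+
+return 0;
+@@ -524,44 +540,28 @@
+value_count = td->td_samplesperpixel;
+else
+value_count = fip->field_readcount;
+- if ((fip->field_type == TIFF_ASCII
++ if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ static uint16 dotrange[2];
++ raw_data = dotrange;
++ TIFFGetField(tif, tag, dotrange+0, dotrange+1);
++ } else if (fip->field_type == TIFF_ASCII
+|| fip->field_readcount == TIFF_VARIABLE
+|| fip->field_readcount == TIFF_VARIABLE2
+|| fip->field_readcount == TIFF_SPP
+- || value_count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
++ || value_count > 1) {
+if(TIFFGetField(tif, tag, &raw_data) != 1)
+continue;
+- } else if (fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
+- raw_data = _TIFFmalloc(
+- _TIFFDataSize(fip->field_type)
+- * value_count);
+- mem_alloc = 1;
+- if(TIFFGetField(tif, tag, raw_data) != 1) {
+- _TIFFfree(raw_data);
+- continue;
+- }
+} else {
+- /*
+- * XXX: Should be fixed and removed, see the
+- * notes related to TIFFTAG_PAGENUMBER,
+- * TIFFTAG_HALFTONEHINTS,
+- * TIFFTAG_YCBCRSUBSAMPLING and
+- * TIFFTAG_DOTRANGE tags in tif_dir.c. */
+- char *tmp;
+raw_data = _TIFFmalloc(
+_TIFFDataSize(fip->field_type)
+* value_count);
+- tmp = raw_data;
+mem_alloc = 1;
+- if(TIFFGetField(tif, tag, tmp,
+- tmp + _TIFFDataSize(fip->field_type)) != 1) {
++ if(TIFFGetField(tif, tag, raw_data) != 1) {
+_TIFFfree(raw_data);
+continue;
+}
+@@ -574,7 +574,7 @@
+* _TIFFPrettyPrintField() fall down and print it as any other
+* tag.
+*/
+- if (_TIFFPrettyPrintField(tif, fd, tag, value_count, raw_data)) {
++ if (_TIFFPrettyPrintField(tif, fip, fd, tag, value_count, raw_data)) {
+if(mem_alloc)
+_TIFFfree(raw_data);
+continue;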
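Review bot: The two `assert( tv->count == 1 );` lines that replace the per-element loops in tif_dir.c (the set path after the new DotRange branch, and the get path) are the only guard left on `tv->count` before the `switch` reads or writes one element through `val`. When the library is built with `NDEBUG` the assertion compiles away and the switch body runs once whatever the count is, and in a build with assertions enabled a violated invariant aborts the calling process instead of failing the call. An explicit runtime check would behave the same in both build modes, something like `if (tv->count != 1) { status = 0; goto end; }` in the set path and the equivalent that sets `ret_val = 0` in the get path. Whether a count other than 1 can actually reach these branches depends on validation outside the hunks, and both enclosing functions start and end outside them, so this should be confirmed against the full source.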