author | Natanael Copa <ncopa@alpinelinux.org> | 2018-07-30 17:10:13 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-02 11:24:25 +0200 |
commit | a7f6a9958c48146e719ecc1f6e2c38812af75c4b (patch) | |
tree | eb6aeaebec66969039436a5c9f211b7f566208fb | |
parent | bc0a209d2a3136d9a26a496ffd43ccdb56190fa2 (diff) | |
main/tiff: various security fixes
- CVE-2017-9935
- CVE-2017-11613
- CVE-2017-17095
- CVE-2018-10963
fixes #8242
fixes #9165
-rw-r--r-- | main/tiff/APKBUILD | 17 | ||||
-rw-r--r-- | main/tiff/CVE-2017-11613.patch | 44 | ||||
-rw-r--r-- | main/tiff/CVE-2017-17095.patch | 28 | ||||
-rw-r--r-- | main/tiff/CVE-2017-9935.patch | 164 | ||||
-rw-r--r-- | main/tiff/CVE-2018-10963.patch | 31 |
5 files changed, 282 insertions, 2 deletions
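--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Michael Mason <ms13sp@gmail.com>
 pkgname=tiff
 pkgver=4.0.9
-pkgrel=4
+pkgrel=5
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
@@ -13,13 +13,22 @@ depends_dev="zlib-dev libjpeg-turbo-dev"
 makedepends="libtool autoconf automake $depends_dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
 source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
+CVE-2017-9935.patch
+CVE-2017-11613.patch
+CVE-2017-17095.patch
 CVE-2017-18013.patch
 CVE-2018-5784.patch
 CVE-2018-7456.patch
 CVE-2018-8905.patch
+CVE-2018-10963.patch
 "
 
 # secfixes:
+# 4.0.9-r5:
+# - CVE-2017-9935
+# - CVE-2017-11613
+# - CVE-2017-17095
+# - CVE-2018-10963
 # 4.0.9-r4:
 # - CVE-2018-8905
 # 4.0.9-r3:
@@ -86,7 +95,11 @@ tools() {
 }
 
 sha512sums="04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd tiff-4.0.9.tar.gz
+75160265be98350706b90f69e0a432183ce51105b713da32a50030ed3123b956e68c19a21540a5c7fb02253bf33ddfb3e0ea4f3a0977aa7b19404ea3e6d6d5d8 CVE-2017-9935.patch
+61fbc0fa3256ebdde2a42a482a39d4c63d68e16fc47e3e9f76f5719e7c7dce01f5d3897b53280494334f8be33d48517c24a9739f3be8118f097ff3a7814f0326 CVE-2017-11613.patch
+78c8593033a5c8b91a03bbca7dd05f3de2abfc2965096cc8e828df50a66069544e0221fd573f25eda0726cd5fd8b527bd018bfd74f3e8aac8816f6cc9b462489 CVE-2017-17095.patch
 3a31e4315ecc5c5bf709e2ca0fefb5bc7ff50c79f911b8b8366be38d007d3f79e89982700a620b2d82739313fbd79041428dbf3ecf0a790c9ec3bc2e211d6fce CVE-2017-18013.patch
 c9cb1f712241c5bbd01910d4f4becf50ba8498bb04393f45451af4ace948b6a41b3d887adc9fbce1a53edeb0aeba03868f4d31428f3c5813ed14bb4b6f4c0f96 CVE-2018-5784.patch
 8f3ad4065f6ef349c4bd0fe9161cbe19744fbbc89f17c52eb4e43548ca4816f09c7f7e270cb77ced820a95ca009b5f7ad65ee79e7b23ffe1d31c137e3b2bef47 CVE-2018-7456.patch
-ba283d0def89bf7caee753f39b5717780e9aec2ba32b8ce400b3d86b50eb1414a92bd56ebcf5e9550436a71aa18c55e31c6b5966f24dc5ec1863f28ca769d887 CVE-2018-8905.patch"
+ba283d0def89bf7caee753f39b5717780e9aec2ba32b8ce400b3d86b50eb1414a92bd56ebcf5e9550436a71aa18c55e31c6b5966f24dc5ec1863f28ca769d887 CVE-2018-8905.patch
+8dd973dc365599b9821393b96713e87d834a25ad96f4fc131616e11ded6ac9d119d66054c66bba8c3669d73b59b9e3569874b05334ae02a689ee57209b85e09e CVE-2018-10963.patch"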
diff --git a/main/tiff/CVE-2017-11613.patch b/main/tiff/CVE-2017-11613.patch new file mode 100644 index 0000000000..b3f600a974 --- /dev/null +++ b/main/tiff/CVE-2017-11613.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sun, 11 Mar 2018 11:14:01 +0100 | ||
4 | Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion | ||
5 | (CVE-2017-11613) | ||
6 | |||
7 | In ChopUpSingleUncompressedStrip(), if the computed number of strips is big | ||
8 | enough and we are in read only mode, validate that the file size is consistent | ||
9 | with that number of strips to avoid useless attempts at allocating a lot of | ||
10 | memory for the td_stripbytecount and td_stripoffset arrays. | ||
11 | |||
12 | Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more | ||
13 | cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. | ||
14 | Credit to OSS Fuzz | ||
15 | |||
16 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724 | ||
17 | --- | ||
18 | libtiff/tif_dirread.c | 10 ++++++++++ | ||
19 | 1 file changed, 10 insertions(+) | ||
20 | |||
21 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
22 | index 80aaf8d..5896a78 100644 | ||
23 | --- a/libtiff/tif_dirread.c | ||
24 | +++ b/libtiff/tif_dirread.c | ||
25 | @@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) | ||
26 | if( nstrips == 0 ) | ||
27 | return; | ||
28 | |||
29 | + /* If we are going to allocate a lot of memory, make sure that the */ | ||
30 | + /* file is as big as needed */ | ||
31 | + if( tif->tif_mode == O_RDONLY && | ||
32 | + nstrips > 1000000 && | ||
33 | + (offset >= TIFFGetFileSize(tif) || | ||
34 | + stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) | ||
35 | + { | ||
36 | + return; | ||
37 | + } | ||
38 | + | ||
39 | newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
40 | "for chopped \"StripByteCounts\" array"); | ||
41 | newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | ||
42 | -- | ||
43 | 2.17.1 | ||
44 | |||
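Review bot: The new guard in ChopUpSingleUncompressedStrip calls TIFFGetFileSize(tif) twice inside one condition and compares against a bare `nstrips > 1000000`; hoisting the size into a local, `const uint64 filesize = TIFFGetFileSize(tif);` ahead of the `if`, and giving the threshold a name or a comment saying it is a memory-exhaustion heuristic rather than a format limit would make the check easier to audit. The silent `return` also leaves the strip unchopped with no diagnostic, so a reader debugging a slow read of a large file has nothing to go on; a TIFFWarningExt at that point would help. The enclosing function starts and ends outside the hunk.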
diff --git a/main/tiff/CVE-2017-17095.patch b/main/tiff/CVE-2017-17095.patch new file mode 100644 index 0000000000..760c9553d9 --- /dev/null +++ b/main/tiff/CVE-2017-17095.patch | |||
@@ -0,0 +1,28 @@ | |||
1 | Based on http://bugzilla.maptools.org/show_bug.cgi?id=2750#c5 | ||
2 | |||
3 | diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c | ||
4 | index 7a57800..8443fce 100644 | ||
5 | --- a/tools/pal2rgb.c | ||
6 | +++ b/tools/pal2rgb.c | ||
7 | @@ -184,8 +184,19 @@ main(int argc, char* argv[]) | ||
8 | { unsigned char *ibuf, *obuf; | ||
9 | register unsigned char* pp; | ||
10 | register uint32 x; | ||
11 | - ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in)); | ||
12 | - obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out)); | ||
13 | + tmsize_t tss_in = TIFFScanlineSize(in); | ||
14 | + tmsize_t tss_out = TIFFScanlineSize(out); | ||
15 | + if (tss_out / tss_in < 3) { | ||
16 | + /* | ||
17 | + * BUG 2750: The following code assumes the output buffer is 3x the | ||
18 | + * length of the input buffer due to exploding the palette into | ||
19 | + * RGB tuples. If this doesn't happen, fail now. | ||
20 | + */ | ||
21 | + fprintf(stderr, "Could not determine correct image size for output. Exiting.\n"); | ||
22 | + return -1; | ||
23 | + } | ||
24 | + ibuf = (unsigned char*)_TIFFmalloc(tss_in); | ||
25 | + obuf = (unsigned char*)_TIFFmalloc(tss_out); | ||
26 | switch (config) { | ||
27 | case PLANARCONFIG_CONTIG: | ||
28 | for (row = 0; row < imagelength; row++) { | ||
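Review bot: The new check `if (tss_out / tss_in < 3)` divides by tss_in without first testing it for zero; in libtiff 4.x TIFFScanlineSize() returns 0 when it cannot compute a scanline size (bad directory, overflow), so on such an input the bug-2750 guard itself becomes a divide-by-zero in main(). Testing the input first, `if (tss_in == 0 || tss_out / tss_in < 3) {`, keeps the intended 3x check and fails cleanly on that case. The two _TIFFmalloc() results on the lines below are still used without a NULL check, as they were before the patch. The enclosing main() starts and ends outside the hunk.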
diff --git a/main/tiff/CVE-2017-9935.patch b/main/tiff/CVE-2017-9935.patch new file mode 100644 index 0000000000..39327ffb92 --- /dev/null +++ b/main/tiff/CVE-2017-9935.patch | |||
@@ -0,0 +1,164 @@ | |||
1 | From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001 | ||
2 | From: Brian May <brian@linuxpenguins.xyz> | ||
3 | Date: Thu, 7 Dec 2017 07:46:47 +1100 | ||
4 | Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935 | ||
5 | |||
6 | Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 | ||
7 | |||
8 | This vulnerability - at least for the supplied test case - is because we | ||
9 | assume that a tiff will only have one transfer function that is the same | ||
10 | for all pages. This is not required by the TIFF standards. | ||
11 | |||
12 | We than read the transfer function for every page. Depending on the | ||
13 | transfer function, we allocate either 2 or 4 bytes to the XREF buffer. | ||
14 | We allocate this memory after we read in the transfer function for the | ||
15 | page. | ||
16 | |||
17 | For the first exploit - POC1, this file has 3 pages. For the first page | ||
18 | we allocate 2 extra extra XREF entries. Then for the next page 2 more | ||
19 | entries. Then for the last page the transfer function changes and we | ||
20 | allocate 4 more entries. | ||
21 | |||
22 | When we read the file into memory, we assume we have 4 bytes extra for | ||
23 | each and every page (as per the last transfer function we read). Which | ||
24 | is not correct, we only have 2 bytes extra for the first 2 pages. As a | ||
25 | result, we end up writing past the end of the buffer. | ||
26 | |||
27 | There are also some related issues that this also fixes. For example, | ||
28 | TIFFGetField can return uninitalized pointer values, and the logic to | ||
29 | detect a N=3 vs N=1 transfer function seemed rather strange. | ||
30 | |||
31 | It is also strange that we declare the transfer functions to be of type | ||
32 | float, when the standard says they are unsigned 16 bit values. This is | ||
33 | fixed in another patch. | ||
34 | |||
35 | This patch will check to ensure that the N value for every transfer | ||
36 | function is the same for every page. If this changes, we abort with an | ||
37 | error. In theory, we should perhaps check that the transfer function | ||
38 | itself is identical for every page, however we don't do that due to the | ||
39 | confusion of the type of the data in the transfer function. | ||
40 | --- | ||
41 | libtiff/tif_dir.c | 3 +++ | ||
42 | tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++---------------- | ||
43 | 2 files changed, 49 insertions(+), 23 deletions(-) | ||
44 | |||
45 | diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c | ||
46 | index f00f808..c36a5f3 100644 | ||
47 | --- a/libtiff/tif_dir.c | ||
48 | +++ b/libtiff/tif_dir.c | ||
49 | @@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) | ||
50 | if (td->td_samplesperpixel - td->td_extrasamples > 1) { | ||
51 | *va_arg(ap, uint16**) = td->td_transferfunction[1]; | ||
52 | *va_arg(ap, uint16**) = td->td_transferfunction[2]; | ||
53 | + } else { | ||
54 | + *va_arg(ap, uint16**) = NULL; | ||
55 | + *va_arg(ap, uint16**) = NULL; | ||
56 | } | ||
57 | break; | ||
58 | case TIFFTAG_REFERENCEBLACKWHITE: | ||
59 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
60 | index bdb9126..bd23c9e 100644 | ||
61 | --- a/tools/tiff2pdf.c | ||
62 | +++ b/tools/tiff2pdf.c | ||
63 | @@ -239,7 +239,7 @@ typedef struct { | ||
64 | float tiff_whitechromaticities[2]; | ||
65 | float tiff_primarychromaticities[6]; | ||
66 | float tiff_referenceblackwhite[2]; | ||
67 | - float* tiff_transferfunction[3]; | ||
68 | + uint16* tiff_transferfunction[3]; | ||
69 | int pdf_image_interpolate; /* 0 (default) : do not interpolate, | ||
70 | 1 : interpolate */ | ||
71 | uint16 tiff_transferfunctioncount; | ||
72 | @@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ | ||
73 | uint16 pagen=0; | ||
74 | uint16 paged=0; | ||
75 | uint16 xuint16=0; | ||
76 | + uint16 tiff_transferfunctioncount=0; | ||
77 | + uint16* tiff_transferfunction[3]; | ||
78 | |||
79 | directorycount=TIFFNumberOfDirectories(input); | ||
80 | if(directorycount > TIFF_DIR_MAX) { | ||
81 | @@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ | ||
82 | } | ||
83 | #endif | ||
84 | if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, | ||
85 | - &(t2p->tiff_transferfunction[0]), | ||
86 | - &(t2p->tiff_transferfunction[1]), | ||
87 | - &(t2p->tiff_transferfunction[2]))) { | ||
88 | - if((t2p->tiff_transferfunction[1] != (float*) NULL) && | ||
89 | - (t2p->tiff_transferfunction[2] != (float*) NULL) && | ||
90 | - (t2p->tiff_transferfunction[1] != | ||
91 | - t2p->tiff_transferfunction[0])) { | ||
92 | - t2p->tiff_transferfunctioncount = 3; | ||
93 | - t2p->tiff_pages[i].page_extra += 4; | ||
94 | - t2p->pdf_xrefcount += 4; | ||
95 | - } else { | ||
96 | - t2p->tiff_transferfunctioncount = 1; | ||
97 | - t2p->tiff_pages[i].page_extra += 2; | ||
98 | - t2p->pdf_xrefcount += 2; | ||
99 | - } | ||
100 | - if(t2p->pdf_minorversion < 2) | ||
101 | - t2p->pdf_minorversion = 2; | ||
102 | + &(tiff_transferfunction[0]), | ||
103 | + &(tiff_transferfunction[1]), | ||
104 | + &(tiff_transferfunction[2]))) { | ||
105 | + | ||
106 | + if((tiff_transferfunction[1] != (uint16*) NULL) && | ||
107 | + (tiff_transferfunction[2] != (uint16*) NULL) | ||
108 | + ) { | ||
109 | + tiff_transferfunctioncount=3; | ||
110 | + } else { | ||
111 | + tiff_transferfunctioncount=1; | ||
112 | + } | ||
113 | } else { | ||
114 | - t2p->tiff_transferfunctioncount=0; | ||
115 | + tiff_transferfunctioncount=0; | ||
116 | } | ||
117 | + | ||
118 | + if (i > 0){ | ||
119 | + if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ | ||
120 | + TIFFError( | ||
121 | + TIFF2PDF_MODULE, | ||
122 | + "Different transfer function on page %d", | ||
123 | + i); | ||
124 | + t2p->t2p_error = T2P_ERR_ERROR; | ||
125 | + return; | ||
126 | + } | ||
127 | + } | ||
128 | + | ||
129 | + t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; | ||
130 | + t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; | ||
131 | + t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; | ||
132 | + t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; | ||
133 | + if(tiff_transferfunctioncount == 3){ | ||
134 | + t2p->tiff_pages[i].page_extra += 4; | ||
135 | + t2p->pdf_xrefcount += 4; | ||
136 | + if(t2p->pdf_minorversion < 2) | ||
137 | + t2p->pdf_minorversion = 2; | ||
138 | + } else if (tiff_transferfunctioncount == 1){ | ||
139 | + t2p->tiff_pages[i].page_extra += 2; | ||
140 | + t2p->pdf_xrefcount += 2; | ||
141 | + if(t2p->pdf_minorversion < 2) | ||
142 | + t2p->pdf_minorversion = 2; | ||
143 | + } | ||
144 | + | ||
145 | if( TIFFGetField( | ||
146 | input, | ||
147 | TIFFTAG_ICCPROFILE, | ||
148 | @@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ | ||
149 | &(t2p->tiff_transferfunction[0]), | ||
150 | &(t2p->tiff_transferfunction[1]), | ||
151 | &(t2p->tiff_transferfunction[2]))) { | ||
152 | - if((t2p->tiff_transferfunction[1] != (float*) NULL) && | ||
153 | - (t2p->tiff_transferfunction[2] != (float*) NULL) && | ||
154 | - (t2p->tiff_transferfunction[1] != | ||
155 | - t2p->tiff_transferfunction[0])) { | ||
156 | + if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && | ||
157 | + (t2p->tiff_transferfunction[2] != (uint16*) NULL) | ||
158 | + ) { | ||
159 | t2p->tiff_transferfunctioncount=3; | ||
160 | } else { | ||
161 | t2p->tiff_transferfunctioncount=1; | ||
162 | -- | ||
163 | 2.17.0 | ||
164 | |||
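Review bot: In t2p_read_tiff_init the new local `uint16* tiff_transferfunction[3];` has no initializer, and on the TIFFGetField() failure path only tiff_transferfunctioncount is set to 0, yet all three pointers are then copied unconditionally into t2p->tiff_transferfunction[0..2]. Reading an indeterminate automatic variable is undefined behaviour, and later code is only safe as long as it keys on the count rather than on the pointers; the companion tif_dir.c hunk nulls entries [1] and [2] only when the tag is present. Initialising the array, `uint16* tiff_transferfunction[3] = { NULL, NULL, NULL };`, removes the dependence on that convention. The enclosing function starts and ends outside the hunk.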
diff --git a/main/tiff/CVE-2018-10963.patch b/main/tiff/CVE-2018-10963.patch new file mode 100644 index 0000000000..039b7c1a16 --- /dev/null +++ b/main/tiff/CVE-2018-10963.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 12 May 2018 14:24:15 +0200 | ||
4 | Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes | ||
5 | http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 | ||
6 | |||
7 | --- | ||
8 | libtiff/tif_dirwrite.c | 7 +++++-- | ||
9 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
10 | |||
11 | diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c | ||
12 | index c68d6d2..5d0a669 100644 | ||
13 | --- a/libtiff/tif_dirwrite.c | ||
14 | +++ b/libtiff/tif_dirwrite.c | ||
15 | @@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) | ||
16 | } | ||
17 | break; | ||
18 | default: | ||
19 | - assert(0); /* we should never get here */ | ||
20 | - break; | ||
21 | + TIFFErrorExt(tif->tif_clientdata,module, | ||
22 | + "Cannot write tag %d (%s)", | ||
23 | + TIFFFieldTag(o), | ||
24 | + o->field_name ? o->field_name : "unknown"); | ||
25 | + goto bad; | ||
26 | } | ||
27 | } | ||
28 | } | ||
29 | -- | ||
30 | 2.17.0 | ||
31 | |||
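Review bot: The new TIFFErrorExt call formats `TIFFFieldTag(o)` with `%d`; if TIFFFieldTag() returns uint32 as in current libtiff headers, the specifier should be unsigned, e.g. `"Cannot write tag %u (%s)",`, since a signed/unsigned mismatch in a format argument is technically undefined even though tag values are small. Replacing the assert with an error and `goto bad` is otherwise the right call for a library that must not abort on untrusted input. The enclosing TIFFWriteDirectorySec starts and ends outside the hunk.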