aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2018-11-30 11:53:35 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2018-12-07 08:26:06 +0100
commit42e3145e0c57d0a2e3c2717842ae6cfa41e3a03e (patch)
treecafe23056362f0d20831021e82ddbd2348412868
parentb0243d03648d68851d3b5edb68da29eaae5c9f0f (diff)
downloadalpine_aports-42e3145e0c57d0a2e3c2717842ae6cfa41e3a03e.tar.bz2
alpine_aports-42e3145e0c57d0a2e3c2717842ae6cfa41e3a03e.tar.xz
alpine_aports-42e3145e0c57d0a2e3c2717842ae6cfa41e3a03e.zip
main/tiff: security upgrade to 4.0.10
CVE-2018-12900, CVE-2018-18557, CVE-2018-18661 fixes #9716
Diffstat
-rw-r--r--main/tiff/APKBUILD37
-rw-r--r--main/tiff/CVE-2017-11613.patch44
-rw-r--r--main/tiff/CVE-2017-17095.patch28
-rw-r--r--main/tiff/CVE-2017-18013.patch34
-rw-r--r--main/tiff/CVE-2017-9935.patch164
-rw-r--r--main/tiff/CVE-2018-10779.patch32
-rw-r--r--main/tiff/CVE-2018-10963.patch31
-rw-r--r--main/tiff/CVE-2018-12900.patch29
-rw-r--r--main/tiff/CVE-2018-17100-1.patch112
-rw-r--r--main/tiff/CVE-2018-5784.patch128
-rw-r--r--main/tiff/CVE-2018-7456.patch170
-rw-r--r--main/tiff/CVE-2018-8905.patch51
12 files changed, 38 insertions, 822 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 3a0ccc8d72..8a16a653ee 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,8 +2,8 @@
2# Contributor: Leonardo Arena <rnalrd@alpinelinux.org> 2# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
3# Maintainer: Michael Mason <ms13sp@gmail.com> 3# Maintainer: Michael Mason <ms13sp@gmail.com>
4pkgname=tiff 4pkgname=tiff
5pkgver=4.0.9 5pkgver=4.0.10
6pkgrel=7 6pkgrel=0
7pkgdesc="Provides support for the Tag Image File Format or TIFF" 7pkgdesc="Provides support for the Tag Image File Format or TIFF"
8url="http://www.libtiff.org" 8url="http://www.libtiff.org"
9arch="all" 9arch="all"
@@ -14,19 +14,14 @@ makedepends="libtool autoconf automake $depends_dev"
14subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" 14subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
15builddir="$srcdir/$pkgname-$pkgver" 15builddir="$srcdir/$pkgname-$pkgver"
16source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz 16source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
17 CVE-2017-9935.patch 17 CVE-2018-12900.patch
18 CVE-2017-11613.patch
19 CVE-2017-17095.patch
20 CVE-2017-18013.patch
21 CVE-2018-5784.patch
22 CVE-2018-7456.patch
23 CVE-2018-8905.patch
24 CVE-2018-10779.patch
25 CVE-2018-10963.patch
26 CVE-2018-17100-1.patch
27 " 18 "
28 19
29# secfixes: 20# secfixes:
21# 4.0.10-r0:
22# - CVE-2018-12900
23# - CVE-2018-18557
24# - CVE-2018-18661
30# 4.0.9-r7: 25# 4.0.9-r7:
31# - CVE-2018-10779 26# - CVE-2018-10779
32# - CVE-2018-17100 27# - CVE-2018-17100
@@ -62,11 +57,6 @@ source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
62# 4.0.7-r1: 57# 4.0.7-r1:
63# - CVE-2017-5225 58# - CVE-2017-5225
64 59
65prepare() {
66 default_prepare
67 update_config_sub
68}
69
70build() { 60build() {
71 cd "$builddir" 61 cd "$builddir"
72 ./configure \ 62 ./configure \
@@ -96,14 +86,5 @@ tools() {
96 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ 86 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
97} 87}
98 88
99sha512sums="04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844ba41622ff5572da8cc278593eff8c402b44e7af0a0090e91d326c2d79f6cd tiff-4.0.9.tar.gz 89sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz
10075160265be98350706b90f69e0a432183ce51105b713da32a50030ed3123b956e68c19a21540a5c7fb02253bf33ddfb3e0ea4f3a0977aa7b19404ea3e6d6d5d8 CVE-2017-9935.patch 90c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch"
10161fbc0fa3256ebdde2a42a482a39d4c63d68e16fc47e3e9f76f5719e7c7dce01f5d3897b53280494334f8be33d48517c24a9739f3be8118f097ff3a7814f0326 CVE-2017-11613.patch
10278c8593033a5c8b91a03bbca7dd05f3de2abfc2965096cc8e828df50a66069544e0221fd573f25eda0726cd5fd8b527bd018bfd74f3e8aac8816f6cc9b462489 CVE-2017-17095.patch
1033a31e4315ecc5c5bf709e2ca0fefb5bc7ff50c79f911b8b8366be38d007d3f79e89982700a620b2d82739313fbd79041428dbf3ecf0a790c9ec3bc2e211d6fce CVE-2017-18013.patch
104c9cb1f712241c5bbd01910d4f4becf50ba8498bb04393f45451af4ace948b6a41b3d887adc9fbce1a53edeb0aeba03868f4d31428f3c5813ed14bb4b6f4c0f96 CVE-2018-5784.patch
1058f3ad4065f6ef349c4bd0fe9161cbe19744fbbc89f17c52eb4e43548ca4816f09c7f7e270cb77ced820a95ca009b5f7ad65ee79e7b23ffe1d31c137e3b2bef47 CVE-2018-7456.patch
106ba283d0def89bf7caee753f39b5717780e9aec2ba32b8ce400b3d86b50eb1414a92bd56ebcf5e9550436a71aa18c55e31c6b5966f24dc5ec1863f28ca769d887 CVE-2018-8905.patch
107aceae14ec9c6dcbaeb51a3d5527d0da1b0c3f1ef1e87f301615be745f9535be23305e8409105740e615f09d80642d7f84897a89cb98327ad8313d11d877f7e35 CVE-2018-10779.patch
1088dd973dc365599b9821393b96713e87d834a25ad96f4fc131616e11ded6ac9d119d66054c66bba8c3669d73b59b9e3569874b05334ae02a689ee57209b85e09e CVE-2018-10963.patch
109d19f584bc70bb8b0c1da910cb8642ff2e41741aaa85b23213c6cc27959d6133275b0124c6e779effeb447c559f3debfd04f377b69b8acb9fa5da8fe182c3f2aa CVE-2018-17100-1.patch"
diff --git a/main/tiff/CVE-2017-11613.patch b/main/tiff/CVE-2017-11613.patch
deleted file mode 100644
index b3f600a974..0000000000
--- a/main/tiff/CVE-2017-11613.patch
+++ /dev/null
@@ -1,44 +0,0 @@
1From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sun, 11 Mar 2018 11:14:01 +0100
4Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion
5 (CVE-2017-11613)
6
7In ChopUpSingleUncompressedStrip(), if the computed number of strips is big
8enough and we are in read only mode, validate that the file size is consistent
9with that number of strips to avoid useless attempts at allocating a lot of
10memory for the td_stripbytecount and td_stripoffset arrays.
11
12Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more
13cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979.
14Credit to OSS Fuzz
15
16Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
17---
18 libtiff/tif_dirread.c | 10 ++++++++++
19 1 file changed, 10 insertions(+)
20
21diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
22index 80aaf8d..5896a78 100644
23--- a/libtiff/tif_dirread.c
24+++ b/libtiff/tif_dirread.c
25@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
26 if( nstrips == 0 )
27 return;
28
29+ /* If we are going to allocate a lot of memory, make sure that the */
30+ /* file is as big as needed */
31+ if( tif->tif_mode == O_RDONLY &&
32+ nstrips > 1000000 &&
33+ (offset >= TIFFGetFileSize(tif) ||
34+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
35+ {
36+ return;
37+ }
38+
39 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
40 "for chopped \"StripByteCounts\" array");
41 newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
42--
432.17.1
44
diff --git a/main/tiff/CVE-2017-17095.patch b/main/tiff/CVE-2017-17095.patch
deleted file mode 100644
index 760c9553d9..0000000000
--- a/main/tiff/CVE-2017-17095.patch
+++ /dev/null
@@ -1,28 +0,0 @@
1Based on http://bugzilla.maptools.org/show_bug.cgi?id=2750#c5
2
3diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
4index 7a57800..8443fce 100644
5--- a/tools/pal2rgb.c
6+++ b/tools/pal2rgb.c
7@@ -184,8 +184,19 @@ main(int argc, char* argv[])
8 { unsigned char *ibuf, *obuf;
9 register unsigned char* pp;
10 register uint32 x;
11- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
12- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
13+ tmsize_t tss_in = TIFFScanlineSize(in);
14+ tmsize_t tss_out = TIFFScanlineSize(out);
15+ if (tss_out / tss_in < 3) {
16+ /*
17+ * BUG 2750: The following code assumes the output buffer is 3x the
18+ * length of the input buffer due to exploding the palette into
19+ * RGB tuples. If this doesn't happen, fail now.
20+ */
21+ fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
22+ return -1;
23+ }
24+ ibuf = (unsigned char*)_TIFFmalloc(tss_in);
25+ obuf = (unsigned char*)_TIFFmalloc(tss_out);
26 switch (config) {
27 case PLANARCONFIG_CONTIG:
28 for (row = 0; row < imagelength; row++) {
diff --git a/main/tiff/CVE-2017-18013.patch b/main/tiff/CVE-2017-18013.patch
deleted file mode 100644
index 5f56ff2593..0000000000
--- a/main/tiff/CVE-2017-18013.patch
+++ /dev/null
@@ -1,34 +0,0 @@
1From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sun, 31 Dec 2017 15:09:41 +0100
4Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770
5
6---
7 libtiff/tif_print.c | 8 ++++----
8 1 file changed, 4 insertions(+), 4 deletions(-)
9
10diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
11index 9959d35..8deceb2 100644
12--- a/libtiff/tif_print.c
13+++ b/libtiff/tif_print.c
14@@ -667,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
15 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
16 fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
17 (unsigned long) s,
18- (unsigned __int64) td->td_stripoffset[s],
19- (unsigned __int64) td->td_stripbytecount[s]);
20+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
21+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
22 #else
23 fprintf(fd, " %3lu: [%8llu, %8llu]\n",
24 (unsigned long) s,
25- (unsigned long long) td->td_stripoffset[s],
26- (unsigned long long) td->td_stripbytecount[s]);
27+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
28+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
29 #endif
30 }
31 }
32--
33libgit2 0.26.0
34
diff --git a/main/tiff/CVE-2017-9935.patch b/main/tiff/CVE-2017-9935.patch
deleted file mode 100644
index 39327ffb92..0000000000
--- a/main/tiff/CVE-2017-9935.patch
+++ /dev/null
@@ -1,164 +0,0 @@
1From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001
2From: Brian May <brian@linuxpenguins.xyz>
3Date: Thu, 7 Dec 2017 07:46:47 +1100
4Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935
5
6Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
7
8This vulnerability - at least for the supplied test case - is because we
9assume that a tiff will only have one transfer function that is the same
10for all pages. This is not required by the TIFF standards.
11
12We than read the transfer function for every page. Depending on the
13transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
14We allocate this memory after we read in the transfer function for the
15page.
16
17For the first exploit - POC1, this file has 3 pages. For the first page
18we allocate 2 extra extra XREF entries. Then for the next page 2 more
19entries. Then for the last page the transfer function changes and we
20allocate 4 more entries.
21
22When we read the file into memory, we assume we have 4 bytes extra for
23each and every page (as per the last transfer function we read). Which
24is not correct, we only have 2 bytes extra for the first 2 pages. As a
25result, we end up writing past the end of the buffer.
26
27There are also some related issues that this also fixes. For example,
28TIFFGetField can return uninitalized pointer values, and the logic to
29detect a N=3 vs N=1 transfer function seemed rather strange.
30
31It is also strange that we declare the transfer functions to be of type
32float, when the standard says they are unsigned 16 bit values. This is
33fixed in another patch.
34
35This patch will check to ensure that the N value for every transfer
36function is the same for every page. If this changes, we abort with an
37error. In theory, we should perhaps check that the transfer function
38itself is identical for every page, however we don't do that due to the
39confusion of the type of the data in the transfer function.
40---
41 libtiff/tif_dir.c | 3 +++
42 tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++----------------
43 2 files changed, 49 insertions(+), 23 deletions(-)
44
45diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
46index f00f808..c36a5f3 100644
47--- a/libtiff/tif_dir.c
48+++ b/libtiff/tif_dir.c
49@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
50 if (td->td_samplesperpixel - td->td_extrasamples > 1) {
51 *va_arg(ap, uint16**) = td->td_transferfunction[1];
52 *va_arg(ap, uint16**) = td->td_transferfunction[2];
53+ } else {
54+ *va_arg(ap, uint16**) = NULL;
55+ *va_arg(ap, uint16**) = NULL;
56 }
57 break;
58 case TIFFTAG_REFERENCEBLACKWHITE:
59diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
60index bdb9126..bd23c9e 100644
61--- a/tools/tiff2pdf.c
62+++ b/tools/tiff2pdf.c
63@@ -239,7 +239,7 @@ typedef struct {
64 float tiff_whitechromaticities[2];
65 float tiff_primarychromaticities[6];
66 float tiff_referenceblackwhite[2];
67- float* tiff_transferfunction[3];
68+ uint16* tiff_transferfunction[3];
69 int pdf_image_interpolate; /* 0 (default) : do not interpolate,
70 1 : interpolate */
71 uint16 tiff_transferfunctioncount;
72@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
73 uint16 pagen=0;
74 uint16 paged=0;
75 uint16 xuint16=0;
76+ uint16 tiff_transferfunctioncount=0;
77+ uint16* tiff_transferfunction[3];
78
79 directorycount=TIFFNumberOfDirectories(input);
80 if(directorycount > TIFF_DIR_MAX) {
81@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
82 }
83 #endif
84 if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
85- &(t2p->tiff_transferfunction[0]),
86- &(t2p->tiff_transferfunction[1]),
87- &(t2p->tiff_transferfunction[2]))) {
88- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
89- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
90- (t2p->tiff_transferfunction[1] !=
91- t2p->tiff_transferfunction[0])) {
92- t2p->tiff_transferfunctioncount = 3;
93- t2p->tiff_pages[i].page_extra += 4;
94- t2p->pdf_xrefcount += 4;
95- } else {
96- t2p->tiff_transferfunctioncount = 1;
97- t2p->tiff_pages[i].page_extra += 2;
98- t2p->pdf_xrefcount += 2;
99- }
100- if(t2p->pdf_minorversion < 2)
101- t2p->pdf_minorversion = 2;
102+ &(tiff_transferfunction[0]),
103+ &(tiff_transferfunction[1]),
104+ &(tiff_transferfunction[2]))) {
105+
106+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
107+ (tiff_transferfunction[2] != (uint16*) NULL)
108+ ) {
109+ tiff_transferfunctioncount=3;
110+ } else {
111+ tiff_transferfunctioncount=1;
112+ }
113 } else {
114- t2p->tiff_transferfunctioncount=0;
115+ tiff_transferfunctioncount=0;
116 }
117+
118+ if (i > 0){
119+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
120+ TIFFError(
121+ TIFF2PDF_MODULE,
122+ "Different transfer function on page %d",
123+ i);
124+ t2p->t2p_error = T2P_ERR_ERROR;
125+ return;
126+ }
127+ }
128+
129+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
130+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
131+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
132+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
133+ if(tiff_transferfunctioncount == 3){
134+ t2p->tiff_pages[i].page_extra += 4;
135+ t2p->pdf_xrefcount += 4;
136+ if(t2p->pdf_minorversion < 2)
137+ t2p->pdf_minorversion = 2;
138+ } else if (tiff_transferfunctioncount == 1){
139+ t2p->tiff_pages[i].page_extra += 2;
140+ t2p->pdf_xrefcount += 2;
141+ if(t2p->pdf_minorversion < 2)
142+ t2p->pdf_minorversion = 2;
143+ }
144+
145 if( TIFFGetField(
146 input,
147 TIFFTAG_ICCPROFILE,
148@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
149 &(t2p->tiff_transferfunction[0]),
150 &(t2p->tiff_transferfunction[1]),
151 &(t2p->tiff_transferfunction[2]))) {
152- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
153- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
154- (t2p->tiff_transferfunction[1] !=
155- t2p->tiff_transferfunction[0])) {
156+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
157+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
158+ ) {
159 t2p->tiff_transferfunctioncount=3;
160 } else {
161 t2p->tiff_transferfunctioncount=1;
162--
1632.17.0
164
diff --git a/main/tiff/CVE-2018-10779.patch b/main/tiff/CVE-2018-10779.patch
deleted file mode 100644
index 828d684708..0000000000
--- a/main/tiff/CVE-2018-10779.patch
+++ /dev/null
@@ -1,32 +0,0 @@
1From 981e43ecae83935625c86c9118c0778c942c7048 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Wed, 15 Aug 2018 16:34:40 +0200
4Subject: [PATCH] TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit
5 systems with large number of strips. Probably relates to
6 http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
7
8---
9 libtiff/tif_write.c | 6 ++++--
10 1 file changed, 4 insertions(+), 2 deletions(-)
11
12diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
13index 586f6fdf..a31ecd12 100644
14--- a/libtiff/tif_write.c
15+++ b/libtiff/tif_write.c
16@@ -538,9 +538,11 @@ TIFFSetupStrips(TIFF* tif)
17 if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
18 td->td_stripsperimage /= td->td_samplesperpixel;
19 td->td_stripoffset = (uint64 *)
20- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
21+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
22+ "for \"StripOffsets\" array");
23 td->td_stripbytecount = (uint64 *)
24- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
25+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
26+ "for \"StripByteCounts\" array");
27 if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
28 return (0);
29 /*
30--
312.18.1
32
diff --git a/main/tiff/CVE-2018-10963.patch b/main/tiff/CVE-2018-10963.patch
deleted file mode 100644
index 039b7c1a16..0000000000
--- a/main/tiff/CVE-2018-10963.patch
+++ /dev/null
@@ -1,31 +0,0 @@
1From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sat, 12 May 2018 14:24:15 +0200
4Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes
5 http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
6
7---
8 libtiff/tif_dirwrite.c | 7 +++++--
9 1 file changed, 5 insertions(+), 2 deletions(-)
10
11diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
12index c68d6d2..5d0a669 100644
13--- a/libtiff/tif_dirwrite.c
14+++ b/libtiff/tif_dirwrite.c
15@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
16 }
17 break;
18 default:
19- assert(0); /* we should never get here */
20- break;
21+ TIFFErrorExt(tif->tif_clientdata,module,
22+ "Cannot write tag %d (%s)",
23+ TIFFFieldTag(o),
24+ o->field_name ? o->field_name : "unknown");
25+ goto bad;
26 }
27 }
28 }
29--
302.17.0
31
diff --git a/main/tiff/CVE-2018-12900.patch b/main/tiff/CVE-2018-12900.patch
new file mode 100644
index 0000000000..f95cd06a52
--- /dev/null
+++ b/main/tiff/CVE-2018-12900.patch
@@ -0,0 +1,29 @@
1From 86861b86f26be5301ccfa96f9bf765051f4e644a Mon Sep 17 00:00:00 2001
2From: pgajdos <pgajdos@suse.cz>
3Date: Tue, 13 Nov 2018 09:03:31 +0100
4Subject: [PATCH] prevent integer overflow
5
6---
7 tools/tiffcp.c | 6 ++++++
8 1 file changed, 6 insertions(+)
9
10diff --git a/tools/tiffcp.c b/tools/tiffcp.c
11index 2f406e2d..ece7ba13 100644
12--- a/tools/tiffcp.c
13+++ b/tools/tiffcp.c
14@@ -1435,6 +1435,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
15 status = 0;
16 goto done;
17 }
18+ if (0xFFFFFFFF / tilew < spp)
19+ {
20+ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps);
21+ status = 0;
22+ goto done;
23+ }
24 bytes_per_sample = bps/8;
25
26 for (row = 0; row < imagelength; row += tl) {
27--
282.18.1
29
diff --git a/main/tiff/CVE-2018-17100-1.patch b/main/tiff/CVE-2018-17100-1.patch
deleted file mode 100644
index f5a9e1a915..0000000000
--- a/main/tiff/CVE-2018-17100-1.patch
+++ /dev/null
@@ -1,112 +0,0 @@
1From f1b94e8a3ba49febdd3361c0214a1d1149251577 Mon Sep 17 00:00:00 2001
2From: Young_X <YangX92@hotmail.com>
3Date: Sat, 8 Sep 2018 14:36:12 +0800
4Subject: [PATCH 1/3] only read/write TIFFTAG_GROUP3OPTIONS or
5 TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
6 COMPRESSION_CCITTFAX4
7
8---
9 tools/pal2rgb.c | 18 +++++++++++++++++-
10 tools/tiff2bw.c | 18 +++++++++++++++++-
11 2 files changed, 34 insertions(+), 2 deletions(-)
12
13diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
14index 01fcf941..01d8502e 100644
15--- a/tools/pal2rgb.c
16+++ b/tools/pal2rgb.c
17@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
18 {
19 struct cpTag *p;
20 for (p = tags; p < &tags[NTAGS]; p++)
21- cpTag(in, out, p->tag, p->count, p->type);
22+ {
23+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
24+ {
25+ uint16 compression;
26+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
27+ compression != COMPRESSION_CCITTFAX3 )
28+ continue;
29+ }
30+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
31+ {
32+ uint16 compression;
33+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
34+ compression != COMPRESSION_CCITTFAX4 )
35+ continue;
36+ }
37+ cpTag(in, out, p->tag, p->count, p->type);
38+ }
39 }
40 #undef NTAGS
41
42diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
43index 05faba87..5bef3142 100644
44--- a/tools/tiff2bw.c
45+++ b/tools/tiff2bw.c
46@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
47 {
48 struct cpTag *p;
49 for (p = tags; p < &tags[NTAGS]; p++)
50- cpTag(in, out, p->tag, p->count, p->type);
51+ {
52+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
53+ {
54+ uint16 compression;
55+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
56+ compression != COMPRESSION_CCITTFAX3 )
57+ continue;
58+ }
59+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
60+ {
61+ uint16 compression;
62+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
63+ compression != COMPRESSION_CCITTFAX4 )
64+ continue;
65+ }
66+ cpTag(in, out, p->tag, p->count, p->type);
67+ }
68 }
69 #undef NTAGS
70
71--
722.18.1
73
74
75From 6da1fb3f64d43be37e640efbec60400d1f1ac39e Mon Sep 17 00:00:00 2001
76From: Young_X <YangX92@hotmail.com>
77Date: Sat, 8 Sep 2018 14:46:27 +0800
78Subject: [PATCH 2/3] avoid potential int32 overflows in multiply_ms()
79
80---
81 tools/ppm2tiff.c | 13 +++++++------
82 1 file changed, 7 insertions(+), 6 deletions(-)
83
84diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
85index af6e4124..c2d59257 100644
86--- a/tools/ppm2tiff.c
87+++ b/tools/ppm2tiff.c
88@@ -70,15 +70,16 @@ BadPPM(char* file)
89 exit(-2);
90 }
91
92+
93+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
94+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
95+
96 static tmsize_t
97 multiply_ms(tmsize_t m1, tmsize_t m2)
98 {
99- tmsize_t bytes = m1 * m2;
100-
101- if (m1 && bytes / m1 != m2)
102- bytes = 0;
103-
104- return bytes;
105+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
106+ return 0;
107+ return m1 * m2;
108 }
109
110 int
111--
1122.18.1
diff --git a/main/tiff/CVE-2018-5784.patch b/main/tiff/CVE-2018-5784.patch
deleted file mode 100644
index 92fc2daf35..0000000000
--- a/main/tiff/CVE-2018-5784.patch
+++ /dev/null
@@ -1,128 +0,0 @@
1From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001
2From: Nathan Baker <nathanb@lenovo-chrome.com>
3Date: Tue, 6 Feb 2018 10:13:57 -0500
4Subject: [PATCH] Fix for bug 2772
5
6It is possible to craft a TIFF document where the IFD list is circular,
7leading to an infinite loop while traversing the chain. The libtiff
8directory reader has a failsafe that will break out of this loop after
9reading 65535 directory entries, but it will continue processing,
10consuming time and resources to process what is essentially a bogus TIFF
11document.
12
13This change fixes the above behavior by breaking out of processing when
14a TIFF document has >= 65535 directories and terminating with an error.
15---
16 contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
17 tools/tiff2pdf.c | 10 ++++++++++
18 tools/tiffcrop.c | 13 +++++++++++--
19 3 files changed, 34 insertions(+), 3 deletions(-)
20
21diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
22index c61ffbb..03b3573 100644
23--- a/contrib/addtiffo/tif_overview.c
24+++ b/contrib/addtiffo/tif_overview.c
25@@ -65,6 +65,8 @@
26 # define MAX(a,b) ((a>b) ? a : b)
27 #endif
28
29+#define TIFF_DIR_MAX 65534
30+
31 void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
32 int (*)(double,void*), void * );
33
34@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
35 {
36 toff_t nBaseDirOffset;
37 toff_t nOffset;
38+ tdir_t iNumDir;
39
40 (void) bUseSubIFDs;
41
42@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
43 return 0;
44
45 TIFFWriteDirectory( hTIFF );
46- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
47+ iNumDir = TIFFNumberOfDirectories(hTIFF);
48+ if( iNumDir > TIFF_DIR_MAX )
49+ {
50+ TIFFErrorExt( TIFFClientdata(hTIFF),
51+ "TIFF_WriteOverview",
52+ "File `%s' has too many directories.\n",
53+ TIFFFileName(hTIFF) );
54+ exit(-1);
55+ }
56+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
57
58 nOffset = TIFFCurrentDirOffset( hTIFF );
59
60diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
61index 984ef65..832a247 100644
62--- a/tools/tiff2pdf.c
63+++ b/tools/tiff2pdf.c
64@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
65
66 #define PS_UNIT_SIZE 72.0F
67
68+#define TIFF_DIR_MAX 65534
69+
70 /* This type is of PDF color spaces. */
71 typedef enum {
72 T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
73@@ -1049,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
74 uint16* tiff_transferfunction[3];
75
76 directorycount=TIFFNumberOfDirectories(input);
77+ if(directorycount > TIFF_DIR_MAX) {
78+ TIFFError(
79+ TIFF2PDF_MODULE,
80+ "TIFF contains too many directories, %s",
81+ TIFFFileName(input));
82+ t2p->t2p_error = T2P_ERR_ERROR;
83+ return;
84+ }
85 t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
86 if(t2p->tiff_pages==NULL){
87 TIFFError(
88diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
89index 91a38f6..e466dae 100644
90--- a/tools/tiffcrop.c
91+++ b/tools/tiffcrop.c
92@@ -217,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
93 #define DUMP_TEXT 1
94 #define DUMP_RAW 2
95
96+#define TIFF_DIR_MAX 65534
97+
98 /* Offsets into buffer for margins and fixed width and length segments */
99 struct offset {
100 uint32 tmargin;
101@@ -2233,7 +2234,7 @@ main(int argc, char* argv[])
102 pageNum = -1;
103 else
104 total_images = 0;
105- /* read multiple input files and write to output file(s) */
106+ /* Read multiple input files and write to output file(s) */
107 while (optind < argc - 1)
108 {
109 in = TIFFOpen (argv[optind], "r");
110@@ -2241,7 +2242,14 @@ main(int argc, char* argv[])
111 return (-3);
112
113 /* If only one input file is specified, we can use directory count */
114- total_images = TIFFNumberOfDirectories(in);
115+ total_images = TIFFNumberOfDirectories(in);
116+ if (total_images > TIFF_DIR_MAX)
117+ {
118+ TIFFError (TIFFFileName(in), "File contains too many directories");
119+ if (out != NULL)
120+ (void) TIFFClose(out);
121+ return (1);
122+ }
123 if (image_count == 0)
124 {
125 dirnum = 0;
126--
127libgit2 0.26.0
128
diff --git a/main/tiff/CVE-2018-7456.patch b/main/tiff/CVE-2018-7456.patch
deleted file mode 100644
index b2d081a5d7..0000000000
--- a/main/tiff/CVE-2018-7456.patch
+++ /dev/null
@@ -1,170 +0,0 @@
1From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001
2From: Hugo Lefeuvre <hle@debian.org>
3Date: Sun, 8 Apr 2018 14:07:08 -0400
4Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
5
6The TIFFPrintDirectory function relies on the following assumptions,
7supposed to be guaranteed by the specification:
8
9(a) A Transfer Function field is only present if the TIFF file has
10 photometric type < 3.
11
12(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
13 has count SamplesPerPixel - (Color Channels) and contains
14 information about supplementary channels.
15
16While respect of (a) and (b) are essential for the well functioning of
17TIFFPrintDirectory, no checks are realized neither by the callee nor
18by TIFFPrintDirectory itself. Hence, following scenarios might happen
19and trigger the NULL pointer dereference:
20
21(1) TIFF File of photometric type 4 or more has illegal Transfer
22 Function field.
23
24(2) TIFF File has photometric type 3 or less and defines a
25 SamplesPerPixel field such that SamplesPerPixel > Color Channels
26 without defining all extra samples in the ExtraSamples fields.
27
28In this patch, we address both issues with respect of the following
29principles:
30
31(A) In the case of (1), the defined transfer table should be printed
32 safely even if it isn't 'legal'. This allows us to avoid expensive
33 checks in TIFFPrintDirectory. Also, it is quite possible that
34 an alternative photometric type would be developed (not part of the
35 standard) and would allow definition of Transfer Table. We want
36 libtiff to be able to handle this scenario out of the box.
37
38(B) In the case of (2), the transfer table should be printed at its
39 right size, that is if TIFF file has photometric type Palette
40 then the transfer table should have one row and not three, even
41 if two extra samples are declared.
42
43In order to fulfill (A) we simply add a new 'i < 3' end condition to
44the broken TIFFPrintDirectory loop. This makes sure that in any case
45where (b) would be respected but not (a), everything stays fine.
46
47(B) is fulfilled by the loop condition
48'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
49long as (b) is respected.
50
51Naturally, we also make sure (b) is respected. This is done in the
52TIFFReadDirectory function by making sure any non-color channel is
53counted in ExtraSamples.
54
55This commit addresses CVE-2018-7456.
56---
57 libtiff/tif_dirread.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
58 libtiff/tif_print.c | 2 +-
59 2 files changed, 63 insertions(+), 1 deletion(-)
60
61diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
62index 6baa7b3..af5b84a 100644
63--- a/libtiff/tif_dirread.c
64+++ b/libtiff/tif_dirread.c
65@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
66 static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
67 static void ChopUpSingleUncompressedStrip(TIFF*);
68 static uint64 TIFFReadUInt64(const uint8 *value);
69+static int _TIFFGetMaxColorChannels(uint16 photometric);
70
71 static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
72
73@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
74 }
75
76 /*
77+ * Return the maximum number of color channels specified for a given photometric
78+ * type. 0 is returned if photometric type isn't supported or no default value
79+ * is defined by the specification.
80+ */
81+static int _TIFFGetMaxColorChannels( uint16 photometric )
82+{
83+ switch (photometric) {
84+ case PHOTOMETRIC_PALETTE:
85+ case PHOTOMETRIC_MINISWHITE:
86+ case PHOTOMETRIC_MINISBLACK:
87+ return 1;
88+ case PHOTOMETRIC_YCBCR:
89+ case PHOTOMETRIC_RGB:
90+ case PHOTOMETRIC_CIELAB:
91+ return 3;
92+ case PHOTOMETRIC_SEPARATED:
93+ case PHOTOMETRIC_MASK:
94+ return 4;
95+ case PHOTOMETRIC_LOGL:
96+ case PHOTOMETRIC_LOGLUV:
97+ case PHOTOMETRIC_CFA:
98+ case PHOTOMETRIC_ITULAB:
99+ case PHOTOMETRIC_ICCLAB:
100+ default:
101+ return 0;
102+ }
103+}
104+
105+/*
106 * Read the next TIFF directory from a file and convert it to the internal
107 * format. We read directories sequentially.
108 */
109@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
110 uint32 fii=FAILED_FII;
111 toff_t nextdiroff;
112 int bitspersample_read = FALSE;
113+ int color_channels;
114
115 tif->tif_diroff=tif->tif_nextdiroff;
116 if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
117@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
118 }
119 }
120 }
121+
122+ /*
123+ * Make sure all non-color channels are extrasamples.
124+ * If it's not the case, define them as such.
125+ */
126+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
127+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
128+ uint16 old_extrasamples;
129+ uint16 *new_sampleinfo;
130+
131+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
132+ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
133+ "Defining non-color channels as ExtraSamples.");
134+
135+ old_extrasamples = tif->tif_dir.td_extrasamples;
136+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
137+
138+ // sampleinfo should contain information relative to these new extra samples
139+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
140+ if (!new_sampleinfo) {
141+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
142+ "temporary new sampleinfo array (%d 16 bit elements)",
143+ tif->tif_dir.td_extrasamples);
144+ goto bad;
145+ }
146+
147+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
148+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
149+ _TIFFfree(new_sampleinfo);
150+ }
151+
152 /*
153 * Verify Palette image has a Colormap.
154 */
155diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
156index 8deceb2..1d86adb 100644
157--- a/libtiff/tif_print.c
158+++ b/libtiff/tif_print.c
159@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
160 uint16 i;
161 fprintf(fd, " %2ld: %5u",
162 l, td->td_transferfunction[0][l]);
163- for (i = 1; i < td->td_samplesperpixel; i++)
164+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
165 fprintf(fd, " %5u",
166 td->td_transferfunction[i][l]);
167 fputc('\n', fd);
168--
169libgit2 0.27.0
170
diff --git a/main/tiff/CVE-2018-8905.patch b/main/tiff/CVE-2018-8905.patch
deleted file mode 100644
index f951092c1f..0000000000
--- a/main/tiff/CVE-2018-8905.patch
+++ /dev/null
@@ -1,51 +0,0 @@
1From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sat, 12 May 2018 15:32:31 +0200
4Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
5
6The fix consists in using the similar code LZWDecode() to validate we
7don't write outside of the output buffer.
8---
9 libtiff/tif_lzw.c | 18 ++++++++++++------
10 1 file changed, 12 insertions(+), 6 deletions(-)
11
12diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
13index 4ccb443..94d85e3 100644
14--- a/libtiff/tif_lzw.c
15+++ b/libtiff/tif_lzw.c
16@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
17 char *tp;
18 unsigned char *bp;
19 int code, nbits;
20+ int len;
21 long nextbits, nextdata, nbitsmask;
22 code_t *codep, *free_entp, *maxcodep, *oldcodep;
23
24@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
25 } while (--occ);
26 break;
27 }
28- assert(occ >= codep->length);
29- op += codep->length;
30- occ -= codep->length;
31- tp = op;
32+ len = codep->length;
33+ tp = op + len;
34 do {
35- *--tp = codep->value;
36- } while( (codep = codep->next) != NULL );
37+ int t;
38+ --tp;
39+ t = codep->value;
40+ codep = codep->next;
41+ *tp = (char)t;
42+ } while (codep && tp > op);
43+ assert(occ >= len);
44+ op += len;
45+ occ -= len;
46 } else {
47 *op++ = (char)code;
48 occ--;
49--
50libgit2 0.27.0
51
© 2015 Mike Crute