diff --git a/gnu/local.mk b/gnu/local.mk index d321824ece..3d8e462d63 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -689,6 +689,7 @@ dist_patch_DATA = \ %D%/packages/patches/libtiff-CVE-2016-10092.patch \ %D%/packages/patches/libtiff-CVE-2016-10093.patch \ %D%/packages/patches/libtiff-CVE-2016-10094.patch \ + %D%/packages/patches/libtiff-CVE-2017-5225.patch \ %D%/packages/patches/libtiff-assertion-failure.patch \ %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \ %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index a9bbf192cc..637819947c 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -312,7 +312,8 @@ collection of tools for doing simple manipulations of TIFF images.") "libtiff-CVE-2016-10093.patch" "libtiff-divide-by-zero-tiffcp.patch" "libtiff-assertion-failure.patch" - "libtiff-CVE-2016-10094.patch")))))) + "libtiff-CVE-2016-10094.patch" + "libtiff-CVE-2017-5225.patch")))))) (define-public libwmf (package diff --git a/gnu/packages/patches/libtiff-CVE-2017-5225.patch b/gnu/packages/patches/libtiff-CVE-2017-5225.patch new file mode 100644 index 0000000000..3158b49360 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-5225.patch @@ -0,0 +1,86 @@ +Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp): + +http://bugzilla.maptools.org/show_bug.cgi?id=2656 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225 +https://security-tracker.debian.org/tracker/CVE-2017-5225 + +2017-01-11 Even Rouault + + * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and + cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based +overflow. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and + http://bugzilla.maptools.org/show_bug.cgi?id=2657 + + +less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1210; previous revision: 1.1209 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.61; previous revision: 1.60 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.60 +retrieving revision 1.61 +diff -u -r1.60 -r1.61 +--- libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60 ++++ libtiff/tools/tiffcp.c 11 Jan 2017 19:26:14 -0000 1.61 +#@@ -1,4 +1,4 @@ +#-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */ +#+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */ +# +# /* +# * Copyright (c) 1988-1997 Sam Leffler +@@ -591,7 +591,7 @@ + static int + tiffcp(TIFF* in, TIFF* out) + { +- uint16 bitspersample, samplesperpixel = 1; ++ uint16 bitspersample = 1, samplesperpixel = 1; + uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; + copyFunc cf; + uint32 width, length; +@@ -1067,6 +1067,16 @@ + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpContig2SeparateByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1120,6 +1130,16 @@ + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpSeparate2ContigByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1784,7 +1804,7 @@ + uint32 w, l, tw, tl; + int bychunk; + +- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); ++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); + if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { + fprintf(stderr, + "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",