gnu: libtiff: Fix CVE-2017-{9935,11335,18013}.
* gnu/packages/patches/libtiff-CVE-2017-9935.patch, gnu/packages/patches/libtiff-CVE-2017-11335.patch, gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[replacement]: New field. (libtiff/fixed): New variable.
This commit is contained in:
parent
6a517548e6
commit
79cf105304
|
@ -854,7 +854,10 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/libtasn1-CVE-2017-10790.patch \
|
||||
%D%/packages/patches/libtheora-config-guess.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-10688.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2017-9935.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2017-9936.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2017-11335.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2017-18013.patch \
|
||||
%D%/packages/patches/libtiff-tiffgetfield-bugs.patch \
|
||||
%D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch \
|
||||
%D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch \
|
||||
|
|
|
@ -390,6 +390,7 @@ extracting icontainer icon files.")
|
|||
(define-public libtiff
|
||||
(package
|
||||
(name "libtiff")
|
||||
(replacement libtiff/fixed)
|
||||
(version "4.0.8")
|
||||
(source
|
||||
(origin
|
||||
|
@ -426,6 +427,18 @@ collection of tools for doing simple manipulations of TIFF images.")
|
|||
"See COPYRIGHT in the distribution."))
|
||||
(home-page "http://www.simplesystems.org/libtiff/")))
|
||||
|
||||
(define libtiff/fixed
|
||||
(package
|
||||
(inherit libtiff)
|
||||
(source
|
||||
(origin
|
||||
(inherit (package-source libtiff))
|
||||
(patches
|
||||
(append (origin-patches (package-source libtiff))
|
||||
(search-patches "libtiff-CVE-2017-9935.patch"
|
||||
"libtiff-CVE-2017-11335.patch"
|
||||
"libtiff-CVE-2017-18013.patch")))))))
|
||||
|
||||
(define-public leptonica
|
||||
(package
|
||||
(name "leptonica")
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
Fix CVE-2017-11335:
|
||||
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2715
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://gitlab.com/libtiff/libtiff/commit/979751c407648bd29a6bdf5581ab9e3af42c1223
|
||||
|
||||
From 979751c407648bd29a6bdf5581ab9e3af42c1223 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sat, 15 Jul 2017 11:13:46 +0000
|
||||
Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
|
||||
"Raw" mode on PlanarConfig=Contig input images. Fixes
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
|
||||
|
||||
---
|
||||
ChangeLog | 7 +++++++
|
||||
tools/tiff2pdf.c | 9 +++++++--
|
||||
2 files changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index 8e4e24ef..caf64ee5 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: tiff2pdf.c,v 1.101 2016-12-20 17:28:17 erouault Exp $
|
||||
+/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $
|
||||
*
|
||||
* tiff2pdf - converts a TIFF image to a PDF document
|
||||
*
|
||||
@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
|
||||
return;
|
||||
|
||||
t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
|
||||
- if(t2p->pdf_nopassthrough==0){
|
||||
+ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
|
||||
+ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
|
||||
+ /* do not take into account the number of samples, and thus */
|
||||
+ /* that can cause heap buffer overflows such as in */
|
||||
+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
|
||||
+ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
|
||||
#ifdef CCITT_SUPPORT
|
||||
if(t2p->tiff_compression==COMPRESSION_CCITTFAX4
|
||||
){
|
||||
--
|
||||
2.16.1
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
Fix CVE-2017-18013:
|
||||
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2770
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
|
||||
|
||||
From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sun, 31 Dec 2017 15:09:41 +0100
|
||||
Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
|
||||
dereference on corrupted file. Fixes
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2770
|
||||
|
||||
---
|
||||
libtiff/tif_print.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||
index 9959d353..8deceb2b 100644
|
||||
--- a/libtiff/tif_print.c
|
||||
+++ b/libtiff/tif_print.c
|
||||
@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
|
||||
(unsigned long) s,
|
||||
- (unsigned __int64) td->td_stripoffset[s],
|
||||
- (unsigned __int64) td->td_stripbytecount[s]);
|
||||
+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
|
||||
+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
|
||||
#else
|
||||
fprintf(fd, " %3lu: [%8llu, %8llu]\n",
|
||||
(unsigned long) s,
|
||||
- (unsigned long long) td->td_stripoffset[s],
|
||||
- (unsigned long long) td->td_stripbytecount[s]);
|
||||
+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
|
||||
+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
--
|
||||
2.16.1
|
||||
|
|
@ -0,0 +1,162 @@
|
|||
Fix CVE-2017-9935
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
|
||||
http://bugzilla.maptools.org/show_bug.cgi?id=2704
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
|
||||
|
||||
From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
|
||||
From: Brian May <brian@linuxpenguins.xyz>
|
||||
Date: Thu, 7 Dec 2017 07:46:47 +1100
|
||||
Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
|
||||
|
||||
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
|
||||
|
||||
This vulnerability - at least for the supplied test case - is because we
|
||||
assume that a tiff will only have one transfer function that is the same
|
||||
for all pages. This is not required by the TIFF standards.
|
||||
|
||||
We than read the transfer function for every page. Depending on the
|
||||
transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
|
||||
We allocate this memory after we read in the transfer function for the
|
||||
page.
|
||||
|
||||
For the first exploit - POC1, this file has 3 pages. For the first page
|
||||
we allocate 2 extra extra XREF entries. Then for the next page 2 more
|
||||
entries. Then for the last page the transfer function changes and we
|
||||
allocate 4 more entries.
|
||||
|
||||
When we read the file into memory, we assume we have 4 bytes extra for
|
||||
each and every page (as per the last transfer function we read). Which
|
||||
is not correct, we only have 2 bytes extra for the first 2 pages. As a
|
||||
result, we end up writing past the end of the buffer.
|
||||
|
||||
There are also some related issues that this also fixes. For example,
|
||||
TIFFGetField can return uninitalized pointer values, and the logic to
|
||||
detect a N=3 vs N=1 transfer function seemed rather strange.
|
||||
|
||||
It is also strange that we declare the transfer functions to be of type
|
||||
float, when the standard says they are unsigned 16 bit values. This is
|
||||
fixed in another patch.
|
||||
|
||||
This patch will check to ensure that the N value for every transfer
|
||||
function is the same for every page. If this changes, we abort with an
|
||||
error. In theory, we should perhaps check that the transfer function
|
||||
itself is identical for every page, however we don't do that due to the
|
||||
confusion of the type of the data in the transfer function.
|
||||
---
|
||||
libtiff/tif_dir.c | 3 +++
|
||||
tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------
|
||||
2 files changed, 47 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||
index 2ccaf448..cbf2b693 100644
|
||||
--- a/libtiff/tif_dir.c
|
||||
+++ b/libtiff/tif_dir.c
|
||||
@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
if (td->td_samplesperpixel - td->td_extrasamples > 1) {
|
||||
*va_arg(ap, uint16**) = td->td_transferfunction[1];
|
||||
*va_arg(ap, uint16**) = td->td_transferfunction[2];
|
||||
+ } else {
|
||||
+ *va_arg(ap, uint16**) = NULL;
|
||||
+ *va_arg(ap, uint16**) = NULL;
|
||||
}
|
||||
break;
|
||||
case TIFFTAG_REFERENCEBLACKWHITE:
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index d1a9b095..c3ec0746 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||
uint16 pagen=0;
|
||||
uint16 paged=0;
|
||||
uint16 xuint16=0;
|
||||
+ uint16 tiff_transferfunctioncount=0;
|
||||
+ float* tiff_transferfunction[3];
|
||||
|
||||
directorycount=TIFFNumberOfDirectories(input);
|
||||
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
|
||||
@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||
}
|
||||
#endif
|
||||
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
|
||||
- &(t2p->tiff_transferfunction[0]),
|
||||
- &(t2p->tiff_transferfunction[1]),
|
||||
- &(t2p->tiff_transferfunction[2]))) {
|
||||
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[1] !=
|
||||
- t2p->tiff_transferfunction[0])) {
|
||||
- t2p->tiff_transferfunctioncount = 3;
|
||||
- t2p->tiff_pages[i].page_extra += 4;
|
||||
- t2p->pdf_xrefcount += 4;
|
||||
- } else {
|
||||
- t2p->tiff_transferfunctioncount = 1;
|
||||
- t2p->tiff_pages[i].page_extra += 2;
|
||||
- t2p->pdf_xrefcount += 2;
|
||||
- }
|
||||
- if(t2p->pdf_minorversion < 2)
|
||||
- t2p->pdf_minorversion = 2;
|
||||
+ &(tiff_transferfunction[0]),
|
||||
+ &(tiff_transferfunction[1]),
|
||||
+ &(tiff_transferfunction[2]))) {
|
||||
+
|
||||
+ if((tiff_transferfunction[1] != (float*) NULL) &&
|
||||
+ (tiff_transferfunction[2] != (float*) NULL)
|
||||
+ ) {
|
||||
+ tiff_transferfunctioncount=3;
|
||||
+ } else {
|
||||
+ tiff_transferfunctioncount=1;
|
||||
+ }
|
||||
} else {
|
||||
- t2p->tiff_transferfunctioncount=0;
|
||||
+ tiff_transferfunctioncount=0;
|
||||
}
|
||||
+
|
||||
+ if (i > 0){
|
||||
+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
|
||||
+ TIFFError(
|
||||
+ TIFF2PDF_MODULE,
|
||||
+ "Different transfer function on page %d",
|
||||
+ i);
|
||||
+ t2p->t2p_error = T2P_ERR_ERROR;
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
|
||||
+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
|
||||
+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
|
||||
+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
|
||||
+ if(tiff_transferfunctioncount == 3){
|
||||
+ t2p->tiff_pages[i].page_extra += 4;
|
||||
+ t2p->pdf_xrefcount += 4;
|
||||
+ if(t2p->pdf_minorversion < 2)
|
||||
+ t2p->pdf_minorversion = 2;
|
||||
+ } else if (tiff_transferfunctioncount == 1){
|
||||
+ t2p->tiff_pages[i].page_extra += 2;
|
||||
+ t2p->pdf_xrefcount += 2;
|
||||
+ if(t2p->pdf_minorversion < 2)
|
||||
+ t2p->pdf_minorversion = 2;
|
||||
+ }
|
||||
+
|
||||
if( TIFFGetField(
|
||||
input,
|
||||
TIFFTAG_ICCPROFILE,
|
||||
@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
|
||||
&(t2p->tiff_transferfunction[1]),
|
||||
&(t2p->tiff_transferfunction[2]))) {
|
||||
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[1] !=
|
||||
- t2p->tiff_transferfunction[0])) {
|
||||
+ (t2p->tiff_transferfunction[2] != (float*) NULL)
|
||||
+ ) {
|
||||
t2p->tiff_transferfunctioncount=3;
|
||||
} else {
|
||||
t2p->tiff_transferfunctioncount=1;
|
||||
--
|
||||
2.16.1
|
||||
|
Loading…
Reference in New Issue