gnu: libtiff: Fix CVE-2017-{9935,11335,18013}.

* gnu/packages/patches/libtiff-CVE-2017-9935.patch,
gnu/packages/patches/libtiff-CVE-2017-11335.patch,
gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[replacement]: New field.
(libtiff/fixed): New variable.
This commit is contained in:
Leo Famulari 2018-02-10 20:03:08 -05:00
parent 6a517548e6
commit 79cf105304
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
5 changed files with 271 additions and 0 deletions

View File

@ -854,7 +854,10 @@ dist_patch_DATA = \
%D%/packages/patches/libtasn1-CVE-2017-10790.patch \
%D%/packages/patches/libtheora-config-guess.patch \
%D%/packages/patches/libtiff-CVE-2016-10688.patch \
%D%/packages/patches/libtiff-CVE-2017-9935.patch \
%D%/packages/patches/libtiff-CVE-2017-9936.patch \
%D%/packages/patches/libtiff-CVE-2017-11335.patch \
%D%/packages/patches/libtiff-CVE-2017-18013.patch \
%D%/packages/patches/libtiff-tiffgetfield-bugs.patch \
%D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch \
%D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch \

View File

@ -390,6 +390,7 @@ extracting icontainer icon files.")
(define-public libtiff
(package
(name "libtiff")
(replacement libtiff/fixed)
(version "4.0.8")
(source
(origin
@ -426,6 +427,18 @@ collection of tools for doing simple manipulations of TIFF images.")
"See COPYRIGHT in the distribution."))
(home-page "http://www.simplesystems.org/libtiff/")))
(define libtiff/fixed
(package
(inherit libtiff)
(source
(origin
(inherit (package-source libtiff))
(patches
(append (origin-patches (package-source libtiff))
(search-patches "libtiff-CVE-2017-9935.patch"
"libtiff-CVE-2017-11335.patch"
"libtiff-CVE-2017-18013.patch")))))))
(define-public leptonica
(package
(name "leptonica")

View File

@ -0,0 +1,48 @@
Fix CVE-2017-11335:
http://bugzilla.maptools.org/show_bug.cgi?id=2715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
Patch copied from upstream source repository:
https://gitlab.com/libtiff/libtiff/commit/979751c407648bd29a6bdf5581ab9e3af42c1223
From 979751c407648bd29a6bdf5581ab9e3af42c1223 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 15 Jul 2017 11:13:46 +0000
Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
"Raw" mode on PlanarConfig=Contig input images. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
---
ChangeLog | 7 +++++++
tools/tiff2pdf.c | 9 +++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 8e4e24ef..caf64ee5 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1,4 +1,4 @@
-/* $Id: tiff2pdf.c,v 1.101 2016-12-20 17:28:17 erouault Exp $
+/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $
*
* tiff2pdf - converts a TIFF image to a PDF document
*
@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
return;
t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
- if(t2p->pdf_nopassthrough==0){
+ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
+ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
+ /* do not take into account the number of samples, and thus */
+ /* that can cause heap buffer overflows such as in */
+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
+ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
#ifdef CCITT_SUPPORT
if(t2p->tiff_compression==COMPRESSION_CCITTFAX4
){
--
2.16.1

View File

@ -0,0 +1,45 @@
Fix CVE-2017-18013:
http://bugzilla.maptools.org/show_bug.cgi?id=2770
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
Patch copied from upstream source repository:
https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 31 Dec 2017 15:09:41 +0100
Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
dereference on corrupted file. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2770
---
libtiff/tif_print.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 9959d353..8deceb2b 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
(unsigned long) s,
- (unsigned __int64) td->td_stripoffset[s],
- (unsigned __int64) td->td_stripbytecount[s]);
+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
#else
fprintf(fd, " %3lu: [%8llu, %8llu]\n",
(unsigned long) s,
- (unsigned long long) td->td_stripoffset[s],
- (unsigned long long) td->td_stripbytecount[s]);
+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
#endif
}
}
--
2.16.1

View File

@ -0,0 +1,162 @@
Fix CVE-2017-9935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
http://bugzilla.maptools.org/show_bug.cgi?id=2704
Patch copied from upstream source repository:
https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
From: Brian May <brian@linuxpenguins.xyz>
Date: Thu, 7 Dec 2017 07:46:47 +1100
Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
This vulnerability - at least for the supplied test case - is because we
assume that a tiff will only have one transfer function that is the same
for all pages. This is not required by the TIFF standards.
We than read the transfer function for every page. Depending on the
transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
We allocate this memory after we read in the transfer function for the
page.
For the first exploit - POC1, this file has 3 pages. For the first page
we allocate 2 extra extra XREF entries. Then for the next page 2 more
entries. Then for the last page the transfer function changes and we
allocate 4 more entries.
When we read the file into memory, we assume we have 4 bytes extra for
each and every page (as per the last transfer function we read). Which
is not correct, we only have 2 bytes extra for the first 2 pages. As a
result, we end up writing past the end of the buffer.
There are also some related issues that this also fixes. For example,
TIFFGetField can return uninitalized pointer values, and the logic to
detect a N=3 vs N=1 transfer function seemed rather strange.
It is also strange that we declare the transfer functions to be of type
float, when the standard says they are unsigned 16 bit values. This is
fixed in another patch.
This patch will check to ensure that the N value for every transfer
function is the same for every page. If this changes, we abort with an
error. In theory, we should perhaps check that the transfer function
itself is identical for every page, however we don't do that due to the
confusion of the type of the data in the transfer function.
---
libtiff/tif_dir.c | 3 +++
tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------
2 files changed, 47 insertions(+), 21 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 2ccaf448..cbf2b693 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if (td->td_samplesperpixel - td->td_extrasamples > 1) {
*va_arg(ap, uint16**) = td->td_transferfunction[1];
*va_arg(ap, uint16**) = td->td_transferfunction[2];
+ } else {
+ *va_arg(ap, uint16**) = NULL;
+ *va_arg(ap, uint16**) = NULL;
}
break;
case TIFFTAG_REFERENCEBLACKWHITE:
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index d1a9b095..c3ec0746 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 pagen=0;
uint16 paged=0;
uint16 xuint16=0;
+ uint16 tiff_transferfunctioncount=0;
+ float* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
}
#endif
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
- &(t2p->tiff_transferfunction[0]),
- &(t2p->tiff_transferfunction[1]),
- &(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
- t2p->tiff_transferfunctioncount = 3;
- t2p->tiff_pages[i].page_extra += 4;
- t2p->pdf_xrefcount += 4;
- } else {
- t2p->tiff_transferfunctioncount = 1;
- t2p->tiff_pages[i].page_extra += 2;
- t2p->pdf_xrefcount += 2;
- }
- if(t2p->pdf_minorversion < 2)
- t2p->pdf_minorversion = 2;
+ &(tiff_transferfunction[0]),
+ &(tiff_transferfunction[1]),
+ &(tiff_transferfunction[2]))) {
+
+ if((tiff_transferfunction[1] != (float*) NULL) &&
+ (tiff_transferfunction[2] != (float*) NULL)
+ ) {
+ tiff_transferfunctioncount=3;
+ } else {
+ tiff_transferfunctioncount=1;
+ }
} else {
- t2p->tiff_transferfunctioncount=0;
+ tiff_transferfunctioncount=0;
}
+
+ if (i > 0){
+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Different transfer function on page %d",
+ i);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ }
+
+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
+ if(tiff_transferfunctioncount == 3){
+ t2p->tiff_pages[i].page_extra += 4;
+ t2p->pdf_xrefcount += 4;
+ if(t2p->pdf_minorversion < 2)
+ t2p->pdf_minorversion = 2;
+ } else if (tiff_transferfunctioncount == 1){
+ t2p->tiff_pages[i].page_extra += 2;
+ t2p->pdf_xrefcount += 2;
+ if(t2p->pdf_minorversion < 2)
+ t2p->pdf_minorversion = 2;
+ }
+
if( TIFFGetField(
input,
TIFFTAG_ICCPROFILE,
@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
+ (t2p->tiff_transferfunction[2] != (float*) NULL)
+ ) {
t2p->tiff_transferfunctioncount=3;
} else {
t2p->tiff_transferfunctioncount=1;
--
2.16.1