diff --git a/gnu/local.mk b/gnu/local.mk index 8ee8b8c66c..24013a52be 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -657,6 +657,7 @@ dist_patch_DATA = \ %D%/packages/patches/libtiff-CVE-2016-5314.patch \ %D%/packages/patches/libtiff-CVE-2016-5321.patch \ %D%/packages/patches/libtiff-CVE-2016-5323.patch \ + %D%/packages/patches/libtiff-CVE-2016-5652.patch \ %D%/packages/patches/libtiff-oob-accesses-in-decode.patch \ %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \ %D%/packages/patches/libtool-skip-tests2.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 873a7f23c6..3a1209f4b1 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -234,7 +234,8 @@ collection of tools for doing simple manipulations of TIFF images.") "libtiff-CVE-2016-3991.patch" "libtiff-CVE-2016-5314.patch" "libtiff-CVE-2016-5321.patch" - "libtiff-CVE-2016-5323.patch")))))) + "libtiff-CVE-2016-5323.patch" + "libtiff-CVE-2016-5652.patch")))))) (define-public libwmf (package diff --git a/gnu/packages/patches/libtiff-CVE-2016-5652.patch b/gnu/packages/patches/libtiff-CVE-2016-5652.patch new file mode 100644 index 0000000000..54b87d0185 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-5652.patch @@ -0,0 +1,47 @@ +Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652 + +Patches exfiltrated from upstream CVS repo with: +cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c + +Index: tools/tiff2pdf.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v +retrieving revision 1.92 +retrieving revision 1.94 +diff -u -r1.92 -r1.94 +--- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92 ++++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94 +@@ -2887,21 +2887,24 @@ + return(0); + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { +- if (count > 0) { +- _TIFFmemcpy(buffer, jpt, count); ++ if (count >= 4) { ++ /* Ignore EOI marker of JpegTables */ ++ _TIFFmemcpy(buffer, jpt, count - 2); + bufferoffset += count - 2; ++ /* Store last 2 bytes of the JpegTables */ + table_end[0] = buffer[bufferoffset-2]; + table_end[1] = buffer[bufferoffset-1]; +- } +- if (count > 0) { + xuint32 = bufferoffset; ++ bufferoffset -= 2; + bufferoffset += TIFFReadRawTile( + input, + tile, +- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), ++ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), + -1); +- buffer[xuint32-2]=table_end[0]; +- buffer[xuint32-1]=table_end[1]; ++ /* Overwrite SOI marker of image scan with previously */ ++ /* saved end of JpegTables */ ++ buffer[xuint32-2]=table_end[0]; ++ buffer[xuint32-1]=table_end[1]; + } else { + bufferoffset += TIFFReadRawTile( + input,