gnu: libtiff: Fix CVE-2016-5652.
* gnu/packages/patches/libtiff-CVE-2016-5652.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/image.scm (libtiff-fixed)[source]: Use it.
This commit is contained in:
parent
a7db8540a7
commit
b89cbf5832
|
@ -657,6 +657,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/libtiff-CVE-2016-5314.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-5321.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-5323.patch \
|
||||
%D%/packages/patches/libtiff-CVE-2016-5652.patch \
|
||||
%D%/packages/patches/libtiff-oob-accesses-in-decode.patch \
|
||||
%D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
|
||||
%D%/packages/patches/libtool-skip-tests2.patch \
|
||||
|
|
|
@ -234,7 +234,8 @@ collection of tools for doing simple manipulations of TIFF images.")
|
|||
"libtiff-CVE-2016-3991.patch"
|
||||
"libtiff-CVE-2016-5314.patch"
|
||||
"libtiff-CVE-2016-5321.patch"
|
||||
"libtiff-CVE-2016-5323.patch"))))))
|
||||
"libtiff-CVE-2016-5323.patch"
|
||||
"libtiff-CVE-2016-5652.patch"))))))
|
||||
|
||||
(define-public libwmf
|
||||
(package
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()).
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
|
||||
|
||||
Patches exfiltrated from upstream CVS repo with:
|
||||
cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c
|
||||
|
||||
Index: tools/tiff2pdf.c
|
||||
===================================================================
|
||||
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
|
||||
retrieving revision 1.92
|
||||
retrieving revision 1.94
|
||||
diff -u -r1.92 -r1.94
|
||||
--- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92
|
||||
+++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94
|
||||
@@ -2887,21 +2887,24 @@
|
||||
return(0);
|
||||
}
|
||||
if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
|
||||
- if (count > 0) {
|
||||
- _TIFFmemcpy(buffer, jpt, count);
|
||||
+ if (count >= 4) {
|
||||
+ /* Ignore EOI marker of JpegTables */
|
||||
+ _TIFFmemcpy(buffer, jpt, count - 2);
|
||||
bufferoffset += count - 2;
|
||||
+ /* Store last 2 bytes of the JpegTables */
|
||||
table_end[0] = buffer[bufferoffset-2];
|
||||
table_end[1] = buffer[bufferoffset-1];
|
||||
- }
|
||||
- if (count > 0) {
|
||||
xuint32 = bufferoffset;
|
||||
+ bufferoffset -= 2;
|
||||
bufferoffset += TIFFReadRawTile(
|
||||
input,
|
||||
tile,
|
||||
- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),
|
||||
+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
|
||||
-1);
|
||||
- buffer[xuint32-2]=table_end[0];
|
||||
- buffer[xuint32-1]=table_end[1];
|
||||
+ /* Overwrite SOI marker of image scan with previously */
|
||||
+ /* saved end of JpegTables */
|
||||
+ buffer[xuint32-2]=table_end[0];
|
||||
+ buffer[xuint32-1]=table_end[1];
|
||||
} else {
|
||||
bufferoffset += TIFFReadRawTile(
|
||||
input,
|
Loading…
Reference in New Issue