From: Leo Famulari
Subject: Libtiff CVE-2016-5652
Date: Sat, 29 Oct 2016 19:41:32 -0400
Message-ID: <20161029234132.GA23900@jasmine>
To: guix-devel@gnu.org

I read this 3rd party security advisory about libtiff:
http://blog.talosintel.com/2016/10/LibTIFF-Code-Execution.html

This patch fixes CVE-2016-5652, which is a buffer overflow with potential for remote code execution.
You can easily view the commit in this unofficial Git mirror of the libtiff CVS repo:
https://github.com/vadz/libtiff/commit/b5d6803f0898e931cf772d3d0755704ab8488e63

Unfortunately, that's the closest thing to an "official" upstream reference to the bug that is viewable in a web browser that I can find.

I had to also take the previous change to the affected file, since the bug fix commit depended on those changes.

This patched libtiff does _seem_ to work properly; I viewed a TIFF file with it.

One of the bugs in that Talos advisory, CVE-2016-8331, is apparently still not fixed upstream. And CVE-2016-5875 appears to me to be fixed by our patch for CVE-2016-5314 [0].

[0] http://bugzilla.maptools.org/show_bug.cgi?id=2554

Content-Disposition: attachment; filename="0001-gnu-libtiff-Fix-CVE-2016-5652.patch"
Content-Transfer-Encoding: quoted-printable

=46rom 7abe86a8d93e1a1ed11f14ec7ede22ce9b020611 Mon Sep 17 00:00:00 2001
=46rom: Leo Famulari
Date: Sat, 29 Oct 2016 19:23:05 -0400
Subject: [PATCH] gnu: libtiff: Fix CVE-2016-5652.

* gnu/packages/patches/libtiff-CVE-2016-5652.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/image.scm (libtiff/fixed)[source]: Use it.
---
 gnu/local.mk | 1 +
 gnu/packages/image.scm | 3 +-
 gnu/packages/patches/libtiff-CVE-2016-5652.patch | 47 ++++++++++++++++++++= ++++
 3 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libtiff-CVE-2016-5652.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index a64b7ec..1942131 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -657,6 +657,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/libtiff-CVE-2016-5314.patch \ %D%/packages/patches/libtiff-CVE-2016-5321.patch \ %D%/packages/patches/libtiff-CVE-2016-5323.patch \ + %D%/packages/patches/libtiff-CVE-2016-5652.patch \ %D%/packages/patches/libtiff-oob-accesses-in-decode.patch \ %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \ %D%/packages/patches/libtool-skip-tests2.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 873a7f2..3a1209f 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -234,7 +234,8 @@ collection of tools for doing simple manipulations of T= IFF images.") "libtiff-CVE-2016-3991.patch" "libtiff-CVE-2016-5314.patch" "libtiff-CVE-2016-5321.patch" - "libtiff-CVE-2016-5323.patch")))))) + "libtiff-CVE-2016-5323.patch" + "libtiff-CVE-2016-5652.patch")))))) =20 (define-public libwmf (package diff --git a/gnu/packages/patches/libtiff-CVE-2016-5652.patch b/gnu/package= s/patches/libtiff-CVE-2016-5652.patch new file mode 100644 index 0000000..54b87d0 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-5652.patch 
@@ -0,0 +1,47 @@ +Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-5652 + +Patches exfiltrated from upstream CVS repo with: +cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c + +Index: tools/tiff2pdf.c +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v +retrieving revision 1.92 +retrieving revision 1.94 +diff -u -r1.92 -r1.94 +--- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92 ++++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94 +@@ -2887,21 +2887,24 @@ + return(0); + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) !=3D 0) { +- if (count > 0) { +- _TIFFmemcpy(buffer, jpt, count); ++ if (count >=3D 4) { ++ /* Ignore EOI marker of JpegTables */ ++ _TIFFmemcpy(buffer, jpt, count - 2); + bufferoffset +=3D count - 2; ++ /* Store last 2 bytes of the JpegTables */ + table_end[0] =3D buffer[bufferoffset-2]; + table_end[1] =3D buffer[bufferoffset-1]; +- } +- if (count > 0) { + xuint32 =3D bufferoffset; ++ bufferoffset -=3D 2; + bufferoffset +=3D TIFFReadRawTile( + input,=20 + tile,=20 +- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),=20 ++ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),=20 + -1); +- buffer[xuint32-2]=3Dtable_end[0]; +- buffer[xuint32-1]=3Dtable_end[1]; ++ /* Overwrite SOI marker of image scan with previously= */ ++ /* saved end of JpegTables */ ++ buffer[xuint32-2]=3Dtable_end[0]; ++ buffer[xuint32-1]=3Dtable_end[1]; + } else { + bufferoffset +=3D TIFFReadRawTile( + input,=20 --=20 2.10.1 --ikeVEW9yuYc//A+q-- --3lcZGd9BuhuYXNfi Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJYFTOoAAoJECZG+jC6yn8IHXgQAJV9nuPCrwQafV+D/qota8cV 
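Review bot: the header of libtiff-CVE-2016-5652.patch records only the command `cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c`, so a later maintainer cannot tell from the file alone that revision 1.93 was pulled in as a prerequisite and which of the shown changes belong to it; the cover mail explains that the fix depended on the previous change to the file, but that explanation should also be a sentence in the patch header, naming both revisions. On the change itself: the new `if (count >=3D 4)` threshold is what makes the branch safe, because the old `if (count > 0)` branch copied the full `count` bytes, advanced `bufferoffset` by only `count - 2`, and then indexed `buffer[bufferoffset-2]`, which for a JPEGTABLES tag of 1 to 3 bytes lands before the start of `buffer`; with the new threshold such a tag falls through to the `} else {` branch and the raw tile is written without any tables rather than being rejected, which is upstream's behaviour and is worth one line in the header so the Guix copy is not "corrected" later.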