From: Kei Kebreau
Subject: Re: [PATCH 1/1] gnu: libtiff: Fix CVE-2016-9297.
Date: Wed, 16 Nov 2016 13:08:03 -0500
Message-ID: <87bmxfe1rw.fsf@openmailbox.org>
In-Reply-To: <5e1ece4368188c766c670e0c0be7f881b683f470.1479237439.git.leo@famulari.name> (Leo Famulari's message of "Tue, 15 Nov 2016 14:17:23 -0500")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> * gnu/packages/patches/libtiff-CVE-2016-9297.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/image.scm (libtiff/fixed)[source]: Use it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/image.scm | 3 +-
> gnu/packages/patches/libtiff-CVE-2016-9297.patch | 52 ++++++++++++++++++= ++++++
> 3 files changed, 55 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/libtiff-CVE-2016-9297.patch
> > diff --git a/gnu/local.mk b/gnu/local.mk > index 08f99c4..513bd34 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -667,6 +667,7 @@ dist_patch_DATA =3D \ > %D%/packages/patches/libtiff-CVE-2016-5323.patch \ > %D%/packages/patches/libtiff-CVE-2016-5652.patch \ > %D%/packages/patches/libtiff-CVE-2016-9273.patch \ > + %D%/packages/patches/libtiff-CVE-2016-9297.patch \ > %D%/packages/patches/libtiff-oob-accesses-in-decode.patch \ > %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \ > %D%/packages/patches/libtool-skip-tests2.patch \ > diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm > index a40b212..d38344a 100644 > --- a/gnu/packages/image.scm > +++ b/gnu/packages/image.scm > @@ -300,7 +300,8 @@ collection of tools for doing simple manipulations of= TIFF images.") > "libtiff-CVE-2016-5321.patch" > "libtiff-CVE-2016-5323.patch" > "libtiff-CVE-2016-5652.patch" > - "libtiff-CVE-2016-9273.patch")))))) > + "libtiff-CVE-2016-9273.patch" > + "libtiff-CVE-2016-9297.patch")))))) >=20=20 > (define-public libwmf > (package > diff --git a/gnu/packages/patches/libtiff-CVE-2016-9297.patch b/gnu/packa= ges/patches/libtiff-CVE-2016-9297.patch > new file mode 100644 > index 0000000..c9207bb > --- /dev/null > +++ b/gnu/packages/patches/libtiff-CVE-2016-9297.patch 
> @@ -0,0 +1,52 @@ > +Fix CVE-2016-9297: > + > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-9297 > +http://bugzilla.maptools.org/show_bug.cgi?id=3D2590 > + > +Patch copied from upstream source repository. > + > +2016-11-11 Even Rouault > + > + * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that > + values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII > + access are null terminated, to avoid potential read outside buff= er > + in _TIFFPrintField(). > + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2590 > + > + > +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog > +new revision: 1.1154; previous revision: 1.1153 > +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <--=20 > +libtiff/tif_dirread.c > +new revision: 1.203; previous revision: 1.202Index: libtiff/libtiff/tif_= dirread.c > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v > +retrieving revision 1.202 > +retrieving revision 1.203 > +diff -u -r1.202 -r1.203 > +--- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:01:55 -0000 1.202 > ++++ libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203 > +@@ -5000,6 +5000,11 @@ > + if (err=3D=3DTIFFReadDirEntryErrOk) > + { > + int m; > ++ if( data[dp->tdir_count-1] !=3D '\0' ) > ++ { > ++ TIFFWarningExt(tif->tif_clientdata,module,"= ASCII value for tag \"%s\" does not end in null byte. 
Forcing it to be null= ",fip->field_name); > ++ data[dp->tdir_count-1] =3D '\0'; > ++ } > + m=3DTIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data); > + if (data!=3D0) > + _TIFFfree(data); > +@@ -5172,6 +5177,11 @@ > + if (err=3D=3DTIFFReadDirEntryErrOk) > + { > + int m; > ++ if( data[dp->tdir_count-1] !=3D '\0' ) > ++ { > ++ TIFFWarningExt(tif->tif_clientdata,module,"ASCI= I value for tag \"%s\" does not end in null byte. Forcing it to be null",fi= p->field_name); > ++ data[dp->tdir_count-1] =3D '\0'; > ++ } > + m=3DTIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data); > + if (data!=3D0) > + _TIFFfree(data);

LGTM.
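
Review bot: In the new libtiff-CVE-2016-9297.patch, both embedded tif_dirread.c hunks (@@ -5000 and @@ -5172) read `data[dp->tdir_count-1]` before the existing `if (data!=0)` test that follows in the context lines, so a NULL `data` would be dereferenced by the added check, and nothing in the visible lines shows that `dp->tdir_count` is non-zero, in which case the index `tdir_count-1` is out of range and both the comparison and the forced write of '\0' touch memory outside the buffer. Suggest guarding the added block with `data != 0 && dp->tdir_count > 0` in both places, and raising it upstream as well since the patch is copied from there. Minor: in the patch header, `previous revision: 1.202Index:` has lost the line break before `Index:`.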