unofficial mirror of guix-patches@gnu.org 
* [bug#27370] [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].
From: Leo Famulari @ 2017-06-15  3:45 UTC
  To: 27370

Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.

* gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
---
 gnu/local.mk                                       |   1 +
 gnu/packages/image.scm                             |   1 +
 .../patches/libtiff-tiffgetfield-bugs.patch        | 201 +++++++++++++++++++++
 3 files changed, 203 insertions(+)
 create mode 100644 gnu/packages/patches/libtiff-tiffgetfield-bugs.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 8fcd2cab2..974b6536f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -769,6 +769,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtiff-invalid-read.patch		\
   %D%/packages/patches/libtiff-null-dereference.patch		\
   %D%/packages/patches/libtiff-tiffcp-underflow.patch		\
+  %D%/packages/patches/libtiff-tiffgetfield-bugs.patch		\
   %D%/packages/patches/libtirpc-CVE-2017-8779.patch		\
   %D%/packages/patches/libtorrent-rasterbar-boost-compat.patch	\
   %D%/packages/patches/libtool-skip-tests2.patch		\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index abac17d6d..b94c006b1 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -393,6 +393,7 @@ collection of tools for doing simple manipulations of TIFF images.")
        (method url-fetch)
        (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
                            version ".tar.gz"))
+       (patches (search-patches "libtiff-tiffgetfield-bugs.patch"))
        (sha256
         (base32
          "0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))))
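Review bot: the new `patches` field names only 'libtiff-tiffgetfield-bugs.patch', which carries no CVE identifier, so nothing in image.scm records that this origin addresses CVE-2014-8128, CVE-2015-7554, CVE-2016-5318 and CVE-2016-10095. A short comment above the `(patches ...)` line listing those four IDs would document the fix where the package is defined. The unchanged `uri` line above it fetches over ftp://, so the `sha256` below it is the only integrity check on the tarball.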
diff --git a/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch b/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
new file mode 100644
index 000000000..84566ca23
--- /dev/null
+++ b/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
@@ -0,0 +1,201 @@
+Fix several bugs in libtiff related to use of TIFFGetField():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095
+
+Patch copied from upstream CVS. 3rd-party Git reference:
+https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06
+
+2017-06-01  Even Rouault <even.rouault at spatialys.com>
+
+* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+to behave differently depending on whether the codec is enabled or not, and
+thus can avoid stack based buffer overflows in a number of TIFF utilities
+such as tiffsplit, tiffcmp, thumbnail, etc.
+Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+Fixes:
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+http://bugzilla.maptools.org/show_bug.cgi?id=2693
+http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+http://bugzilla.maptools.org/show_bug.cgi?id=2441
+http://bugzilla.maptools.org/show_bug.cgi?id=2433
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.208
+retrieving revision 1.209
+diff -u -r1.208 -r1.209
+--- libtiff/libtiff/tif_dirread.c	27 Apr 2017 15:46:22 -0000	1.208
++++ libtiff/libtiff/tif_dirread.c	1 Jun 2017 12:44:04 -0000	1.209
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -3580,6 +3580,10 @@
+ 							goto bad;
+ 						dp->tdir_tag=IGNORE;
+ 						break;
++                                        default:
++                                            if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
++                                                dp->tdir_tag=IGNORE;
++                                            break;
+ 				}
+ 			}
+ 		}
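Review bot: the new `default:` branch relies on tif->tif_dir.td_compression already holding the final Compression value when this switch runs, because _TIFFCheckFieldIsValidForCodec() decides from that field alone, and nothing in the hunk shows or states that ordering. A one-line comment above the call saying that Compression has been parsed before this pass would make the dependency explicit. The four added lines are also indented with spaces, unlike the surrounding context lines.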
+Index: libtiff/libtiff/tif_dirinfo.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v
+retrieving revision 1.126
+retrieving revision 1.127
+diff -u -r1.126 -r1.127
+--- libtiff/libtiff/tif_dirinfo.c	18 Nov 2016 02:52:13 -0000	1.126
++++ libtiff/libtiff/tif_dirinfo.c	1 Jun 2017 12:44:04 -0000	1.127
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
++/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -956,6 +956,109 @@
+ 	return 0;
+ }
+ 
++int
++_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
++{
++	/* Filter out non-codec specific tags */
++	switch (tag) {
++	    /* Shared tags */
++	    case TIFFTAG_PREDICTOR:
++	    /* JPEG tags */
++	    case TIFFTAG_JPEGTABLES:
++	    /* OJPEG tags */
++	    case TIFFTAG_JPEGIFOFFSET:
++	    case TIFFTAG_JPEGIFBYTECOUNT:
++	    case TIFFTAG_JPEGQTABLES:
++	    case TIFFTAG_JPEGDCTABLES:
++	    case TIFFTAG_JPEGACTABLES:
++	    case TIFFTAG_JPEGPROC:
++	    case TIFFTAG_JPEGRESTARTINTERVAL:
++	    /* CCITT* */
++	    case TIFFTAG_BADFAXLINES:
++	    case TIFFTAG_CLEANFAXDATA:
++	    case TIFFTAG_CONSECUTIVEBADFAXLINES:
++	    case TIFFTAG_GROUP3OPTIONS:
++	    case TIFFTAG_GROUP4OPTIONS:
++		break;
++	    default:
++		return 1;
++	}
++	/* Check if codec specific tags are allowed for the current
++	 * compression scheme (codec) */
++	switch (tif->tif_dir.td_compression) {
++	    case COMPRESSION_LZW:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++	    case COMPRESSION_PACKBITS:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_THUNDERSCAN:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_NEXT:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_JPEG:
++		if (tag == TIFFTAG_JPEGTABLES)
++		    return 1;
++		break;
++	    case COMPRESSION_OJPEG:
++		switch (tag) {
++		    case TIFFTAG_JPEGIFOFFSET:
++		    case TIFFTAG_JPEGIFBYTECOUNT:
++		    case TIFFTAG_JPEGQTABLES:
++		    case TIFFTAG_JPEGDCTABLES:
++		    case TIFFTAG_JPEGACTABLES:
++		    case TIFFTAG_JPEGPROC:
++		    case TIFFTAG_JPEGRESTARTINTERVAL:
++			return 1;
++		}
++		break;
++	    case COMPRESSION_CCITTRLE:
++	    case COMPRESSION_CCITTRLEW:
++	    case COMPRESSION_CCITTFAX3:
++	    case COMPRESSION_CCITTFAX4:
++		switch (tag) {
++		    case TIFFTAG_BADFAXLINES:
++		    case TIFFTAG_CLEANFAXDATA:
++		    case TIFFTAG_CONSECUTIVEBADFAXLINES:
++			return 1;
++		    case TIFFTAG_GROUP3OPTIONS:
++			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
++			    return 1;
++			break;
++		    case TIFFTAG_GROUP4OPTIONS:
++			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
++			    return 1;
++			break;
++		}
++		break;
++	    case COMPRESSION_JBIG:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_DEFLATE:
++	    case COMPRESSION_ADOBE_DEFLATE:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++	   case COMPRESSION_PIXARLOG:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++	    case COMPRESSION_SGILOG:
++	    case COMPRESSION_SGILOG24:
++		/* No codec-specific tags */
++		break;
++	    case COMPRESSION_LZMA:
++		if (tag == TIFFTAG_PREDICTOR)
++		    return 1;
++		break;
++
++	}
++	return 0;
++}
++
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+ 
+ /*
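Review bot: the second switch in _TIFFCheckFieldIsValidForCodec() has no `default:` case, so for any td_compression value that is not listed, every tag caught by the first switch falls through to `return 0` and is set to IGNORE by the caller. That is the safe direction, but it is implicit: a codec added later that uses TIFFTAG_PREDICTOR would have its tag dropped until this function is extended. Suggest an explicit `default:` with a comment, plus a header comment stating that 1 means keep the field and 0 means ignore it. Minor: `case COMPRESSION_PIXARLOG:` is indented one space less than its sibling cases, and the LZW, DEFLATE, PIXARLOG and LZMA cases repeat the same TIFFTAG_PREDICTOR test and could share one case group.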
+Index: libtiff/libtiff/tif_dir.h
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v
+retrieving revision 1.54
+retrieving revision 1.55
+diff -u -r1.54 -r1.55
+--- libtiff/libtiff/tif_dir.h	18 Feb 2011 20:53:05 -0000	1.54
++++ libtiff/libtiff/tif_dir.h	1 Jun 2017 12:44:04 -0000	1.55
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
++/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -291,6 +291,7 @@
+ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern  TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
++extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+ 
+ #if defined(__cplusplus)
+ }
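Review bot: the new prototype types the tag as `ttag_t` and names its parameters, while the two prototypes directly above it, _TIFFFindOrRegisterField() and _TIFFCreateAnonField(), take the tag as `uint32` and leave their parameters unnamed. Matching the neighbouring style (`TIFF*, uint32`) would keep the header consistent.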
-- 
2.13.1


* [bug#27370] [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].
From: Ludovic Courtès @ 2017-06-15  8:13 UTC
  To: Leo Famulari; +Cc: 27370

Leo Famulari <leo@famulari.name> writes:

> Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
>
> * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.

LGTM.  ‘guix lint -c cve’ will keep complaining, but I guess splitting
the patch in one patch per CVE might be hard and not worth the effort.
Thoughts?

Could you apply them to ‘core-updates’ as well?

Thank you!

Ludo’.


* [bug#27370] [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].
From: Leo Famulari @ 2017-06-15 15:22 UTC
  To: 27370

On Wed, Jun 14, 2017 at 11:45:57PM -0400, Leo Famulari wrote:
> Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
> 
> * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.

I'd also like to add a patch for this libtiff commit, fixing a
regression in 4.0.8:

https://github.com/vadz/libtiff/commit/cd23b66764cb0a2d67198e060a9e238380e3ae9f


* bug#27370: [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].
From: Leo Famulari @ 2017-06-15 15:52 UTC
  To: Ludovic Courtès; +Cc: 27370-done

On Thu, Jun 15, 2017 at 10:13:43AM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> > the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
> >
> > * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
> 
> LGTM.  ‘guix lint -c cve’ will keep complaining, but I guess splitting
> the patch in one patch per CVE might be hard and not worth the effort.
> Thoughts?

The long list of bugs has a single root cause and fix, so there is only
one patch.

> Could you apply them to ‘core-updates’ as well?

Sure, done!
