unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
blob 496efb73b9db90db24e24b086a40d5b8bbb60fbe 4141 bytes (raw)
name: gnu/packages/patches/libtiff-CVE-2017-7593.patch 	 # note: path name is non-authoritative(*)

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
 
Fixes CVE-2017-7593 (Potential uninitialized-memory access from tif_rawdata):

http://bugzilla.maptools.org/show_bug.cgi?id=2651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7593
https://security-tracker.debian.org/tracker/CVE-2017-7593

2017-01-11 Even Rouault <even.rouault at spatialys.com>

        * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add
        _TIFFcalloc()

        * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
        initialize tif_rawdata.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651

/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1208; previous revision: 1.1207
/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v  <--  libtiff/tif_read.c
new revision: 1.53; previous revision: 1.52
/cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v  <--  libtiff/tif_unix.c
new revision: 1.28; previous revision: 1.27
/cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v  <--  libtiff/tif_vms.c
new revision: 1.14; previous revision: 1.13
/cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v  <--  libtiff/tif_win32.c
new revision: 1.42; previous revision: 1.41
/cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v  <--  libtiff/tiffio.h
new revision: 1.94; previous revision: 1.93

diff -ru tiff-4.0.7/libtiff/tiffio.h tiff-4.0.7.new/libtiff/tiffio.h
--- tiff-4.0.7/libtiff/tiffio.h	1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.7.new/libtiff/tiffio.h	2017-05-05 19:08:03.772999790 -0400
@@ -1,4 +1,4 @@
-/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */
+/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -293,6 +293,7 @@
  */
 
 extern void* _TIFFmalloc(tmsize_t s);
+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
 extern void* _TIFFrealloc(void* p, tmsize_t s);
 extern void _TIFFmemset(void* p, int v, tmsize_t c);
 extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
diff -ru tiff-4.0.7/libtiff/tif_read.c tiff-4.0.7.new/libtiff/tif_read.c
--- tiff-4.0.7/libtiff/tif_read.c	2017-05-05 19:04:09.740966642 -0400
+++ tiff-4.0.7.new/libtiff/tif_read.c	2017-05-05 18:59:11.070709441 -0400
@@ -1,4 +1,4 @@
-/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
+/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -976,7 +976,9 @@
 				"Invalid buffer size");
 		    return (0);
 		}
-		tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
+		/* Initialize to zero to avoid uninitialized buffers in case of */
+		/* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
+		tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
 		tif->tif_flags |= TIFF_MYBUFFER;
 	}
 	if (tif->tif_rawdata == NULL) {
diff -ru tiff-4.0.7/libtiff/tif_unix.c tiff-4.0.7.new/libtiff/tif_unix.c
--- tiff-4.0.7/libtiff/tif_unix.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.7.new/libtiff/tif_unix.c	2017-05-05 19:10:48.302645187 -0400
@@ -1,4 +1,4 @@
-/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */
+/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -316,6 +316,14 @@
 	return (malloc((size_t) s));
 }
 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+    if( nmemb == 0 || siz == 0 )
+        return ((void *) NULL);
+
+    return calloc((size_t) nmemb, (size_t)siz);
+}
+
 void
 _TIFFfree(void* p)
 {
diff -ru tiff-4.0.7/libtiff/tif_win32.c tiff-4.0.7.new/libtiff/tif_win32.c
--- tiff-4.0.7/libtiff/tif_win32.c	1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.7.new/libtiff/tif_win32.c	2017-05-05 19:13:06.903399627 -0400
@@ -1,4 +1,4 @@
-/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */
+/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -360,6 +360,14 @@
 	return (malloc((size_t) s));
 }
 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+    if( nmemb == 0 || siz == 0 )
+        return ((void *) NULL);
+
+    return calloc((size_t) nmemb, (size_t)siz);
+}
+
 void
 _TIFFfree(void* p)
 {

debug log:

solving 496efb73b ...
found 496efb73b in https://git.savannah.gnu.org/cgit/guix.git

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).