* [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}.
@ 2018-02-11 1:05 Leo Famulari
2018-02-11 1:32 ` [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935, 11335, 18013} Marius Bakke
0 siblings, 1 reply; 3+ messages in thread
From: Leo Famulari @ 2018-02-11 1:05 UTC (permalink / raw)
To: 30418
* gnu/packages/patches/libtiff-CVE-2017-9935.patch,
gnu/packages/patches/libtiff-CVE-2017-11335.patch,
gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[replacement]: New field.
(libtiff/fixed): New variable.
---
gnu/local.mk | 3 +
gnu/packages/image.scm | 13 ++
gnu/packages/patches/libtiff-CVE-2017-11335.patch | 48 +++++++
gnu/packages/patches/libtiff-CVE-2017-18013.patch | 45 ++++++
gnu/packages/patches/libtiff-CVE-2017-9935.patch | 162 ++++++++++++++++++++++
5 files changed, 271 insertions(+)
create mode 100644 gnu/packages/patches/libtiff-CVE-2017-11335.patch
create mode 100644 gnu/packages/patches/libtiff-CVE-2017-18013.patch
create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9935.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index eb968dede..95650cc50 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -854,7 +854,10 @@ dist_patch_DATA = \
%D%/packages/patches/libtasn1-CVE-2017-10790.patch \
%D%/packages/patches/libtheora-config-guess.patch \
%D%/packages/patches/libtiff-CVE-2016-10688.patch \
+ %D%/packages/patches/libtiff-CVE-2017-9935.patch \
%D%/packages/patches/libtiff-CVE-2017-9936.patch \
+ %D%/packages/patches/libtiff-CVE-2017-11335.patch \
+ %D%/packages/patches/libtiff-CVE-2017-18013.patch \
%D%/packages/patches/libtiff-tiffgetfield-bugs.patch \
%D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch \
%D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 548c1df44..a5738f431 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -390,6 +390,7 @@ extracting icontainer icon files.")
(define-public libtiff
(package
(name "libtiff")
+ (replacement libtiff/fixed)
(version "4.0.8")
(source
(origin
@@ -426,6 +427,18 @@ collection of tools for doing simple manipulations of TIFF images.")
"See COPYRIGHT in the distribution."))
(home-page "http://www.simplesystems.org/libtiff/")))
+(define libtiff/fixed
+ (package
+ (inherit libtiff)
+ (source
+ (origin
+ (inherit (package-source libtiff))
+ (patches
+ (append (origin-patches (package-source libtiff))
+ (search-patches "libtiff-CVE-2017-9935.patch"
+ "libtiff-CVE-2017-11335.patch"
+ "libtiff-CVE-2017-18013.patch")))))))
+
(define-public leptonica
(package
(name "leptonica")
diff --git a/gnu/packages/patches/libtiff-CVE-2017-11335.patch b/gnu/packages/patches/libtiff-CVE-2017-11335.patch
new file mode 100644
index 000000000..504bf3d3e
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-11335.patch
@@ -0,0 +1,48 @@
+Fix CVE-2017-11335:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2715
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/979751c407648bd29a6bdf5581ab9e3af42c1223
+
+From 979751c407648bd29a6bdf5581ab9e3af42c1223 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 15 Jul 2017 11:13:46 +0000
+Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
+ "Raw" mode on PlanarConfig=Contig input images. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
+
+---
+ ChangeLog | 7 +++++++
+ tools/tiff2pdf.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 8e4e24ef..caf64ee5 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1,4 +1,4 @@
+-/* $Id: tiff2pdf.c,v 1.101 2016-12-20 17:28:17 erouault Exp $
++/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $
+ *
+ * tiff2pdf - converts a TIFF image to a PDF document
+ *
+@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ return;
+
+ t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
+- if(t2p->pdf_nopassthrough==0){
++ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
++ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
++ /* do not take into account the number of samples, and thus */
++ /* that can cause heap buffer overflows such as in */
++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
++ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
+ #ifdef CCITT_SUPPORT
+ if(t2p->tiff_compression==COMPRESSION_CCITTFAX4
+ ){
+--
+2.16.1
+
diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
new file mode 100644
index 000000000..ba03c8384
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-18013:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2770
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
+
+From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 31 Dec 2017 15:09:41 +0100
+Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
+ dereference on corrupted file. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2770
+
+---
+ libtiff/tif_print.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 9959d353..8deceb2b 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
+ (unsigned long) s,
+- (unsigned __int64) td->td_stripoffset[s],
+- (unsigned __int64) td->td_stripbytecount[s]);
++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+ fprintf(fd, " %3lu: [%8llu, %8llu]\n",
+ (unsigned long) s,
+- (unsigned long long) td->td_stripoffset[s],
+- (unsigned long long) td->td_stripbytecount[s]);
++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+ }
+ }
+--
+2.16.1
+
diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
new file mode 100644
index 000000000..5685d81f6
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
@@ -0,0 +1,162 @@
+Fix CVE-2017-9935
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
+http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
+
+From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:46:47 +1100
+Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
+
+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+This vulnerability - at least for the supplied test case - is because we
+assume that a tiff will only have one transfer function that is the same
+for all pages. This is not required by the TIFF standards.
+
+We than read the transfer function for every page. Depending on the
+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+We allocate this memory after we read in the transfer function for the
+page.
+
+For the first exploit - POC1, this file has 3 pages. For the first page
+we allocate 2 extra extra XREF entries. Then for the next page 2 more
+entries. Then for the last page the transfer function changes and we
+allocate 4 more entries.
+
+When we read the file into memory, we assume we have 4 bytes extra for
+each and every page (as per the last transfer function we read). Which
+is not correct, we only have 2 bytes extra for the first 2 pages. As a
+result, we end up writing past the end of the buffer.
+
+There are also some related issues that this also fixes. For example,
+TIFFGetField can return uninitalized pointer values, and the logic to
+detect a N=3 vs N=1 transfer function seemed rather strange.
+
+It is also strange that we declare the transfer functions to be of type
+float, when the standard says they are unsigned 16 bit values. This is
+fixed in another patch.
+
+This patch will check to ensure that the N value for every transfer
+function is the same for every page. If this changes, we abort with an
+error. In theory, we should perhaps check that the transfer function
+itself is identical for every page, however we don't do that due to the
+confusion of the type of the data in the transfer function.
+---
+ libtiff/tif_dir.c | 3 +++
+ tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------
+ 2 files changed, 47 insertions(+), 21 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 2ccaf448..cbf2b693 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ if (td->td_samplesperpixel - td->td_extrasamples > 1) {
+ *va_arg(ap, uint16**) = td->td_transferfunction[1];
+ *va_arg(ap, uint16**) = td->td_transferfunction[2];
++ } else {
++ *va_arg(ap, uint16**) = NULL;
++ *va_arg(ap, uint16**) = NULL;
+ }
+ break;
+ case TIFFTAG_REFERENCEBLACKWHITE:
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index d1a9b095..c3ec0746 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ uint16 pagen=0;
+ uint16 paged=0;
+ uint16 xuint16=0;
++ uint16 tiff_transferfunctioncount=0;
++ float* tiff_transferfunction[3];
+
+ directorycount=TIFFNumberOfDirectories(input);
+ t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ }
+ #endif
+ if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
+- &(t2p->tiff_transferfunction[0]),
+- &(t2p->tiff_transferfunction[1]),
+- &(t2p->tiff_transferfunction[2]))) {
+- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[1] !=
+- t2p->tiff_transferfunction[0])) {
+- t2p->tiff_transferfunctioncount = 3;
+- t2p->tiff_pages[i].page_extra += 4;
+- t2p->pdf_xrefcount += 4;
+- } else {
+- t2p->tiff_transferfunctioncount = 1;
+- t2p->tiff_pages[i].page_extra += 2;
+- t2p->pdf_xrefcount += 2;
+- }
+- if(t2p->pdf_minorversion < 2)
+- t2p->pdf_minorversion = 2;
++ &(tiff_transferfunction[0]),
++ &(tiff_transferfunction[1]),
++ &(tiff_transferfunction[2]))) {
++
++ if((tiff_transferfunction[1] != (float*) NULL) &&
++ (tiff_transferfunction[2] != (float*) NULL)
++ ) {
++ tiff_transferfunctioncount=3;
++ } else {
++ tiff_transferfunctioncount=1;
++ }
+ } else {
+- t2p->tiff_transferfunctioncount=0;
++ tiff_transferfunctioncount=0;
+ }
++
++ if (i > 0){
++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Different transfer function on page %d",
++ i);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ }
++
++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
++ if(tiff_transferfunctioncount == 3){
++ t2p->tiff_pages[i].page_extra += 4;
++ t2p->pdf_xrefcount += 4;
++ if(t2p->pdf_minorversion < 2)
++ t2p->pdf_minorversion = 2;
++ } else if (tiff_transferfunctioncount == 1){
++ t2p->tiff_pages[i].page_extra += 2;
++ t2p->pdf_xrefcount += 2;
++ if(t2p->pdf_minorversion < 2)
++ t2p->pdf_minorversion = 2;
++ }
++
+ if( TIFFGetField(
+ input,
+ TIFFTAG_ICCPROFILE,
+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ &(t2p->tiff_transferfunction[1]),
+ &(t2p->tiff_transferfunction[2]))) {
+ if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[1] !=
+- t2p->tiff_transferfunction[0])) {
++ (t2p->tiff_transferfunction[2] != (float*) NULL)
++ ) {
+ t2p->tiff_transferfunctioncount=3;
+ } else {
+ t2p->tiff_transferfunctioncount=1;
+--
+2.16.1
+
--
2.16.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935, 11335, 18013}.
2018-02-11 1:05 [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013} Leo Famulari
@ 2018-02-11 1:32 ` Marius Bakke
2018-02-11 4:00 ` bug#30418: [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013} Leo Famulari
0 siblings, 1 reply; 3+ messages in thread
From: Marius Bakke @ 2018-02-11 1:32 UTC (permalink / raw)
To: 30418, leo
On February 11, 2018 2:05:18 AM GMT+01:00, Leo Famulari <leo@famulari.name> wrote:
>* gnu/packages/patches/libtiff-CVE-2017-9935.patch,
>gnu/packages/patches/libtiff-CVE-2017-11335.patch,
>gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files.
>* gnu/local.mk (dist_patch_DATA): Add them.
>* gnu/packages/image.scm (libtiff)[replacement]: New field.
>(libtiff/fixed): New variable.
LGTM, thanks for taking care of this.
>---
> gnu/local.mk | 3 +
> gnu/packages/image.scm | 13 ++
> gnu/packages/patches/libtiff-CVE-2017-11335.patch | 48 +++++++
> gnu/packages/patches/libtiff-CVE-2017-18013.patch | 45 ++++++
>gnu/packages/patches/libtiff-CVE-2017-9935.patch | 162
>++++++++++++++++++++++
> 5 files changed, 271 insertions(+)
> create mode 100644 gnu/packages/patches/libtiff-CVE-2017-11335.patch
> create mode 100644 gnu/packages/patches/libtiff-CVE-2017-18013.patch
> create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9935.patch
>
>diff --git a/gnu/local.mk b/gnu/local.mk
>index eb968dede..95650cc50 100644
>--- a/gnu/local.mk
>+++ b/gnu/local.mk
>@@ -854,7 +854,10 @@ dist_patch_DATA = \
> %D%/packages/patches/libtasn1-CVE-2017-10790.patch \
> %D%/packages/patches/libtheora-config-guess.patch \
> %D%/packages/patches/libtiff-CVE-2016-10688.patch \
>+ %D%/packages/patches/libtiff-CVE-2017-9935.patch \
> %D%/packages/patches/libtiff-CVE-2017-9936.patch \
>+ %D%/packages/patches/libtiff-CVE-2017-11335.patch \
>+ %D%/packages/patches/libtiff-CVE-2017-18013.patch \
> %D%/packages/patches/libtiff-tiffgetfield-bugs.patch \
> %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch \
>%D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch \
>diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
>index 548c1df44..a5738f431 100644
>--- a/gnu/packages/image.scm
>+++ b/gnu/packages/image.scm
>@@ -390,6 +390,7 @@ extracting icontainer icon files.")
> (define-public libtiff
> (package
> (name "libtiff")
>+ (replacement libtiff/fixed)
> (version "4.0.8")
> (source
> (origin
>@@ -426,6 +427,18 @@ collection of tools for doing simple manipulations
>of TIFF images.")
> "See COPYRIGHT in the distribution."))
> (home-page "http://www.simplesystems.org/libtiff/")))
>
>+(define libtiff/fixed
>+ (package
>+ (inherit libtiff)
>+ (source
>+ (origin
>+ (inherit (package-source libtiff))
>+ (patches
>+ (append (origin-patches (package-source libtiff))
>+ (search-patches "libtiff-CVE-2017-9935.patch"
>+ "libtiff-CVE-2017-11335.patch"
>+
>"libtiff-CVE-2017-18013.patch")))))))
>+
> (define-public leptonica
> (package
> (name "leptonica")
>diff --git a/gnu/packages/patches/libtiff-CVE-2017-11335.patch
>b/gnu/packages/patches/libtiff-CVE-2017-11335.patch
>new file mode 100644
>index 000000000..504bf3d3e
>--- /dev/null
>+++ b/gnu/packages/patches/libtiff-CVE-2017-11335.patch
>@@ -0,0 +1,48 @@
>+Fix CVE-2017-11335:
>+
>+http://bugzilla.maptools.org/show_bug.cgi?id=2715
>+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
>+
>+Patch copied from upstream source repository:
>+
>+https://gitlab.com/libtiff/libtiff/commit/979751c407648bd29a6bdf5581ab9e3af42c1223
>+
>+From 979751c407648bd29a6bdf5581ab9e3af42c1223 Mon Sep 17 00:00:00 2001
>+From: Even Rouault <even.rouault@spatialys.com>
>+Date: Sat, 15 Jul 2017 11:13:46 +0000
>+Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow
>write in
>+ "Raw" mode on PlanarConfig=Contig input images. Fixes
>+ http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team
>OWL337
>+
>+---
>+ ChangeLog | 7 +++++++
>+ tools/tiff2pdf.c | 9 +++++++--
>+ 2 files changed, 14 insertions(+), 2 deletions(-)
>+
>+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
>+index 8e4e24ef..caf64ee5 100644
>+--- a/tools/tiff2pdf.c
>++++ b/tools/tiff2pdf.c
>+@@ -1,4 +1,4 @@
>+-/* $Id: tiff2pdf.c,v 1.101 2016-12-20 17:28:17 erouault Exp $
>++/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $
>+ *
>+ * tiff2pdf - converts a TIFF image to a PDF document
>+ *
>+@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
>+ return;
>+
>+ t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
>+- if(t2p->pdf_nopassthrough==0){
>++ /* It seems that T2P_TRANSCODE_RAW mode doesn't support
>separate->contig */
>++ /* conversion. At least t2p_read_tiff_size and
>t2p_read_tiff_size_tile */
>++ /* do not take into account the number of samples, and thus
>*/
>++ /* that can cause heap buffer overflows such as in */
>++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
>++ if(t2p->pdf_nopassthrough==0 &&
>t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
>+ #ifdef CCITT_SUPPORT
>+ if(t2p->tiff_compression==COMPRESSION_CCITTFAX4
>+ ){
>+--
>+2.16.1
>+
>diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch
>b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
>new file mode 100644
>index 000000000..ba03c8384
>--- /dev/null
>+++ b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
>@@ -0,0 +1,45 @@
>+Fix CVE-2017-18013:
>+
>+http://bugzilla.maptools.org/show_bug.cgi?id=2770
>+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
>+
>+Patch copied from upstream source repository:
>+
>+https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
>+
>+From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
>+From: Even Rouault <even.rouault@spatialys.com>
>+Date: Sun, 31 Dec 2017 15:09:41 +0100
>+Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null
>pointer
>+ dereference on corrupted file. Fixes
>+ http://bugzilla.maptools.org/show_bug.cgi?id=2770
>+
>+---
>+ libtiff/tif_print.c | 8 ++++----
>+ 1 file changed, 4 insertions(+), 4 deletions(-)
>+
>+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
>+index 9959d353..8deceb2b 100644
>+--- a/libtiff/tif_print.c
>++++ b/libtiff/tif_print.c
>+@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long
>flags)
>+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
>+ fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
>+ (unsigned long) s,
>+- (unsigned __int64) td->td_stripoffset[s],
>+- (unsigned __int64) td->td_stripbytecount[s]);
>++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s]
>: 0,
>++ td->td_stripbytecount ? (unsigned __int64)
>td->td_stripbytecount[s] : 0);
>+ #else
>+ fprintf(fd, " %3lu: [%8llu, %8llu]\n",
>+ (unsigned long) s,
>+- (unsigned long long) td->td_stripoffset[s],
>+- (unsigned long long) td->td_stripbytecount[s]);
>++ td->td_stripoffset ? (unsigned long long)
>td->td_stripoffset[s] : 0,
>++ td->td_stripbytecount ? (unsigned long long)
>td->td_stripbytecount[s] : 0);
>+ #endif
>+ }
>+ }
>+--
>+2.16.1
>+
>diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch
>b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
>new file mode 100644
>index 000000000..5685d81f6
>--- /dev/null
>+++ b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
>@@ -0,0 +1,162 @@
>+Fix CVE-2017-9935
>+
>+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
>+http://bugzilla.maptools.org/show_bug.cgi?id=2704
>+
>+Patch copied from upstream source repository:
>+
>+https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
>+
>+From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
>+From: Brian May <brian@linuxpenguins.xyz>
>+Date: Thu, 7 Dec 2017 07:46:47 +1100
>+Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
>+
>+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
>+
>+This vulnerability - at least for the supplied test case - is because
>we
>+assume that a tiff will only have one transfer function that is the
>same
>+for all pages. This is not required by the TIFF standards.
>+
>+We than read the transfer function for every page. Depending on the
>+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
>+We allocate this memory after we read in the transfer function for the
>+page.
>+
>+For the first exploit - POC1, this file has 3 pages. For the first
>page
>+we allocate 2 extra extra XREF entries. Then for the next page 2 more
>+entries. Then for the last page the transfer function changes and we
>+allocate 4 more entries.
>+
>+When we read the file into memory, we assume we have 4 bytes extra for
>+each and every page (as per the last transfer function we read). Which
>+is not correct, we only have 2 bytes extra for the first 2 pages. As a
>+result, we end up writing past the end of the buffer.
>+
>+There are also some related issues that this also fixes. For example,
>+TIFFGetField can return uninitalized pointer values, and the logic to
>+detect a N=3 vs N=1 transfer function seemed rather strange.
>+
>+It is also strange that we declare the transfer functions to be of
>type
>+float, when the standard says they are unsigned 16 bit values. This is
>+fixed in another patch.
>+
>+This patch will check to ensure that the N value for every transfer
>+function is the same for every page. If this changes, we abort with an
>+error. In theory, we should perhaps check that the transfer function
>+itself is identical for every page, however we don't do that due to
>the
>+confusion of the type of the data in the transfer function.
>+---
>+ libtiff/tif_dir.c | 3 +++
>+ tools/tiff2pdf.c | 65
>+++++++++++++++++++++++++++++++++++++------------------
>+ 2 files changed, 47 insertions(+), 21 deletions(-)
>+
>+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
>+index 2ccaf448..cbf2b693 100644
>+--- a/libtiff/tif_dir.c
>++++ b/libtiff/tif_dir.c
>+@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list
>ap)
>+ if (td->td_samplesperpixel - td->td_extrasamples > 1) {
>+ *va_arg(ap, uint16**) = td->td_transferfunction[1];
>+ *va_arg(ap, uint16**) = td->td_transferfunction[2];
>++ } else {
>++ *va_arg(ap, uint16**) = NULL;
>++ *va_arg(ap, uint16**) = NULL;
>+ }
>+ break;
>+ case TIFFTAG_REFERENCEBLACKWHITE:
>+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
>+index d1a9b095..c3ec0746 100644
>+--- a/tools/tiff2pdf.c
>++++ b/tools/tiff2pdf.c
>+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
>+ uint16 pagen=0;
>+ uint16 paged=0;
>+ uint16 xuint16=0;
>++ uint16 tiff_transferfunctioncount=0;
>++ float* tiff_transferfunction[3];
>+
>+ directorycount=TIFFNumberOfDirectories(input);
>+ t2p->tiff_pages = (T2P_PAGE*)
>_TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
>+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF*
>input){
>+ }
>+ #endif
>+ if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
>+- &(t2p->tiff_transferfunction[0]),
>+- &(t2p->tiff_transferfunction[1]),
>+- &(t2p->tiff_transferfunction[2]))) {
>+- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
>+- (t2p->tiff_transferfunction[2] != (float*)
>NULL) &&
>+- (t2p->tiff_transferfunction[1] !=
>+- t2p->tiff_transferfunction[0])) {
>+- t2p->tiff_transferfunctioncount = 3;
>+- t2p->tiff_pages[i].page_extra += 4;
>+- t2p->pdf_xrefcount += 4;
>+- } else {
>+- t2p->tiff_transferfunctioncount = 1;
>+- t2p->tiff_pages[i].page_extra += 2;
>+- t2p->pdf_xrefcount += 2;
>+- }
>+- if(t2p->pdf_minorversion < 2)
>+- t2p->pdf_minorversion = 2;
>++ &(tiff_transferfunction[0]),
>++ &(tiff_transferfunction[1]),
>++ &(tiff_transferfunction[2]))) {
>++
>++ if((tiff_transferfunction[1] != (float*)
>NULL) &&
>++ (tiff_transferfunction[2] != (float*)
>NULL)
>++ ) {
>++ tiff_transferfunctioncount=3;
>++ } else {
>++ tiff_transferfunctioncount=1;
>++ }
>+ } else {
>+- t2p->tiff_transferfunctioncount=0;
>++ tiff_transferfunctioncount=0;
>+ }
>++
>++ if (i > 0){
>++ if (tiff_transferfunctioncount !=
>t2p->tiff_transferfunctioncount){
>++ TIFFError(
>++ TIFF2PDF_MODULE,
>++ "Different transfer function on page %d",
>++ i);
>++ t2p->t2p_error = T2P_ERR_ERROR;
>++ return;
>++ }
>++ }
>++
>++ t2p->tiff_transferfunctioncount =
>tiff_transferfunctioncount;
>++ t2p->tiff_transferfunction[0] =
>tiff_transferfunction[0];
>++ t2p->tiff_transferfunction[1] =
>tiff_transferfunction[1];
>++ t2p->tiff_transferfunction[2] =
>tiff_transferfunction[2];
>++ if(tiff_transferfunctioncount == 3){
>++ t2p->tiff_pages[i].page_extra += 4;
>++ t2p->pdf_xrefcount += 4;
>++ if(t2p->pdf_minorversion < 2)
>++ t2p->pdf_minorversion = 2;
>++ } else if (tiff_transferfunctioncount == 1){
>++ t2p->tiff_pages[i].page_extra += 2;
>++ t2p->pdf_xrefcount += 2;
>++ if(t2p->pdf_minorversion < 2)
>++ t2p->pdf_minorversion = 2;
>++ }
>++
>+ if( TIFFGetField(
>+ input,
>+ TIFFTAG_ICCPROFILE,
>+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
>+ &(t2p->tiff_transferfunction[1]),
>+ &(t2p->tiff_transferfunction[2]))) {
>+ if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
>+- (t2p->tiff_transferfunction[2] != (float*) NULL)
>&&
>+- (t2p->tiff_transferfunction[1] !=
>+- t2p->tiff_transferfunction[0])) {
>++ (t2p->tiff_transferfunction[2] != (float*) NULL)
>++ ) {
>+ t2p->tiff_transferfunctioncount=3;
>+ } else {
>+ t2p->tiff_transferfunctioncount=1;
>+--
>+2.16.1
>+
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
^ permalink raw reply [flat|nested] 3+ messages in thread
* bug#30418: [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}.
2018-02-11 1:32 ` [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935, 11335, 18013} Marius Bakke
@ 2018-02-11 4:00 ` Leo Famulari
0 siblings, 0 replies; 3+ messages in thread
From: Leo Famulari @ 2018-02-11 4:00 UTC (permalink / raw)
To: Marius Bakke; +Cc: 30418-done
[-- Attachment #1: Type: text/plain, Size: 599 bytes --]
On Sun, Feb 11, 2018 at 02:32:38AM +0100, Marius Bakke wrote:
>
>
> On February 11, 2018 2:05:18 AM GMT+01:00, Leo Famulari <leo@famulari.name> wrote:
> >* gnu/packages/patches/libtiff-CVE-2017-9935.patch,
> >gnu/packages/patches/libtiff-CVE-2017-11335.patch,
> >gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files.
> >* gnu/local.mk (dist_patch_DATA): Add them.
> >* gnu/packages/image.scm (libtiff)[replacement]: New field.
> >(libtiff/fixed): New variable.
>
> LGTM, thanks for taking care of this.
Thanks for review, pushed as 79cf1053046f083df831460c9ff7d42d5c47c110
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-02-11 4:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-02-11 1:05 [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013} Leo Famulari
2018-02-11 1:32 ` [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935, 11335, 18013} Marius Bakke
2018-02-11 4:00 ` bug#30418: [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013} Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).