From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:32901) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ekg5l-0007ae-3G for guix-patches@gnu.org; Sat, 10 Feb 2018 20:06:07 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ekg5i-0006dg-AX for guix-patches@gnu.org; Sat, 10 Feb 2018 20:06:05 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:57768) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1ekg5i-0006dI-6P for guix-patches@gnu.org; Sat, 10 Feb 2018 20:06:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1ekg5h-0002qs-VI for guix-patches@gnu.org; Sat, 10 Feb 2018 20:06:01 -0500 Subject: [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}. Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:60722) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ekg58-0007PR-T9 for guix-patches@gnu.org; Sat, 10 Feb 2018 20:05:32 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ekg56-0005IT-0Q for guix-patches@gnu.org; Sat, 10 Feb 2018 20:05:26 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:52315) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ekg55-0005GA-He for guix-patches@gnu.org; Sat, 10 Feb 2018 20:05:23 -0500 Received: from jasmine.lan (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id 47C1A245F1 for ; Sat, 10 Feb 2018 20:05:22 -0500 (EST) From: Leo Famulari Date: Sat, 10 Feb 2018 20:05:18 -0500 Message-Id: List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 30418@debbugs.gnu.org * gnu/packages/patches/libtiff-CVE-2017-9935.patch, gnu/packages/patches/libtiff-CVE-2017-11335.patch, gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[replacement]: New field. (libtiff/fixed): New variable. --- gnu/local.mk | 3 + gnu/packages/image.scm | 13 ++ gnu/packages/patches/libtiff-CVE-2017-11335.patch | 48 +++++++ gnu/packages/patches/libtiff-CVE-2017-18013.patch | 45 ++++++ gnu/packages/patches/libtiff-CVE-2017-9935.patch | 162 ++++++++++++++++++++++ 5 files changed, 271 insertions(+) create mode 100644 gnu/packages/patches/libtiff-CVE-2017-11335.patch create mode 100644 gnu/packages/patches/libtiff-CVE-2017-18013.patch create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9935.patch diff --git a/gnu/local.mk b/gnu/local.mk index eb968dede..95650cc50 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -854,7 +854,10 @@ dist_patch_DATA = \ %D%/packages/patches/libtasn1-CVE-2017-10790.patch \ %D%/packages/patches/libtheora-config-guess.patch \ %D%/packages/patches/libtiff-CVE-2016-10688.patch \ + %D%/packages/patches/libtiff-CVE-2017-9935.patch \ %D%/packages/patches/libtiff-CVE-2017-9936.patch \ + %D%/packages/patches/libtiff-CVE-2017-11335.patch \ + %D%/packages/patches/libtiff-CVE-2017-18013.patch \ %D%/packages/patches/libtiff-tiffgetfield-bugs.patch \ %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch \ %D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 548c1df44..a5738f431 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -390,6 +390,7 @@ extracting icontainer icon files.") (define-public libtiff (package (name "libtiff") + (replacement libtiff/fixed) (version "4.0.8") (source (origin @@ -426,6 +427,18 @@ collection of tools for doing simple manipulations of TIFF images.") "See COPYRIGHT in the distribution.")) (home-page "http://www.simplesystems.org/libtiff/"))) +(define libtiff/fixed + (package + (inherit libtiff) + (source + (origin + (inherit (package-source libtiff)) + (patches + (append (origin-patches (package-source libtiff)) + (search-patches "libtiff-CVE-2017-9935.patch" + "libtiff-CVE-2017-11335.patch" + "libtiff-CVE-2017-18013.patch"))))))) + (define-public leptonica (package (name "leptonica") diff --git a/gnu/packages/patches/libtiff-CVE-2017-11335.patch b/gnu/packages/patches/libtiff-CVE-2017-11335.patch new file mode 100644 index 000000000..504bf3d3e --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-11335.patch @@ -0,0 +1,48 @@ +Fix CVE-2017-11335: + +http://bugzilla.maptools.org/show_bug.cgi?id=2715 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/979751c407648bd29a6bdf5581ab9e3af42c1223 + +From 979751c407648bd29a6bdf5581ab9e3af42c1223 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 15 Jul 2017 11:13:46 +0000 +Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in + "Raw" mode on PlanarConfig=Contig input images. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337 + +--- + ChangeLog | 7 +++++++ + tools/tiff2pdf.c | 9 +++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 8e4e24ef..caf64ee5 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1,4 +1,4 @@ +-/* $Id: tiff2pdf.c,v 1.101 2016-12-20 17:28:17 erouault Exp $ ++/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $ + * + * tiff2pdf - converts a TIFF image to a PDF document + * +@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + return; + + t2p->pdf_transcode = T2P_TRANSCODE_ENCODE; +- if(t2p->pdf_nopassthrough==0){ ++ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */ ++ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */ ++ /* do not take into account the number of samples, and thus */ ++ /* that can cause heap buffer overflows such as in */ ++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */ ++ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){ + #ifdef CCITT_SUPPORT + if(t2p->tiff_compression==COMPRESSION_CCITTFAX4 + ){ +-- +2.16.1 + diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch b/gnu/packages/patches/libtiff-CVE-2017-18013.patch new file mode 100644 index 000000000..ba03c8384 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-18013.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-18013: + +http://bugzilla.maptools.org/show_bug.cgi?id=2770 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 + +From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer + dereference on corrupted file. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +--- + libtiff/tif_print.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 9959d353..8deceb2b 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, " %3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } +-- +2.16.1 + diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch b/gnu/packages/patches/libtiff-CVE-2017-9935.patch new file mode 100644 index 000000000..5685d81f6 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-9935.patch @@ -0,0 +1,162 @@ +Fix CVE-2017-9935 + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935 +http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 + +From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001 +From: Brian May +Date: Thu, 7 Dec 2017 07:46:47 +1100 +Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 + +Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +This vulnerability - at least for the supplied test case - is because we +assume that a tiff will only have one transfer function that is the same +for all pages. This is not required by the TIFF standards. + +We than read the transfer function for every page. Depending on the +transfer function, we allocate either 2 or 4 bytes to the XREF buffer. +We allocate this memory after we read in the transfer function for the +page. + +For the first exploit - POC1, this file has 3 pages. For the first page +we allocate 2 extra extra XREF entries. Then for the next page 2 more +entries. Then for the last page the transfer function changes and we +allocate 4 more entries. + +When we read the file into memory, we assume we have 4 bytes extra for +each and every page (as per the last transfer function we read). Which +is not correct, we only have 2 bytes extra for the first 2 pages. As a +result, we end up writing past the end of the buffer. + +There are also some related issues that this also fixes. For example, +TIFFGetField can return uninitalized pointer values, and the logic to +detect a N=3 vs N=1 transfer function seemed rather strange. + +It is also strange that we declare the transfer functions to be of type +float, when the standard says they are unsigned 16 bit values. This is +fixed in another patch. + +This patch will check to ensure that the N value for every transfer +function is the same for every page. If this changes, we abort with an +error. In theory, we should perhaps check that the transfer function +itself is identical for every page, however we don't do that due to the +confusion of the type of the data in the transfer function. +--- + libtiff/tif_dir.c | 3 +++ + tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------ + 2 files changed, 47 insertions(+), 21 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 2ccaf448..cbf2b693 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index d1a9b095..c3ec0746 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ float* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); +@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (float*) NULL) && ++ (tiff_transferfunction[2] != (float*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { + if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ (t2p->tiff_transferfunction[2] != (float*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1; +-- +2.16.1 + -- 2.16.1