From mboxrd@z Thu Jan  1 00:00:00 1970
From: Kei Kebreau <kei@openmailbox.org>
Subject: Re: [PATCH 1/1] gnu: libtiff: Fix CVE-2016-9297.
Date: Wed, 16 Nov 2016 13:08:03 -0500
Message-ID: <87bmxfe1rw.fsf@openmailbox.org>
References: <5e1ece4368188c766c670e0c0be7f881b683f470.1479237439.git.leo@famulari.name>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54565)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kei@openmailbox.org>) id 1c74dB-0000MU-KC
	for guix-devel@gnu.org; Wed, 16 Nov 2016 13:08:23 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kei@openmailbox.org>) id 1c74d8-0004KC-Cq
	for guix-devel@gnu.org; Wed, 16 Nov 2016 13:08:21 -0500
Received: from smtp2.openmailbox.org ([62.4.1.36]:51880)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <kei@openmailbox.org>) id 1c74d8-0004Jl-1m
	for guix-devel@gnu.org; Wed, 16 Nov 2016 13:08:18 -0500
In-Reply-To: <5e1ece4368188c766c670e0c0be7f881b683f470.1479237439.git.leo@famulari.name>
	(Leo Famulari's message of "Tue, 15 Nov 2016 14:17:23 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/patches/libtiff-CVE-2016-9297.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/image.scm (libtiff/fixed)[source]: Use it.
> ---
>  gnu/local.mk                                     |  1 +
>  gnu/packages/image.scm                           |  3 +-
>  gnu/packages/patches/libtiff-CVE-2016-9297.patch | 52 ++++++++++++++++++=
++++++
>  3 files changed, 55 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/libtiff-CVE-2016-9297.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 08f99c4..513bd34 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -667,6 +667,7 @@ dist_patch_DATA =3D						\
>    %D%/packages/patches/libtiff-CVE-2016-5323.patch		\
>    %D%/packages/patches/libtiff-CVE-2016-5652.patch		\
>    %D%/packages/patches/libtiff-CVE-2016-9273.patch		\
> +  %D%/packages/patches/libtiff-CVE-2016-9297.patch		\
>    %D%/packages/patches/libtiff-oob-accesses-in-decode.patch	\
>    %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch	\
>    %D%/packages/patches/libtool-skip-tests2.patch		\
> diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
> index a40b212..d38344a 100644
> --- a/gnu/packages/image.scm
> +++ b/gnu/packages/image.scm
> @@ -300,7 +300,8 @@ collection of tools for doing simple manipulations of=
 TIFF images.")
>                           "libtiff-CVE-2016-5321.patch"
>                           "libtiff-CVE-2016-5323.patch"
>                           "libtiff-CVE-2016-5652.patch"
> -                         "libtiff-CVE-2016-9273.patch"))))))
> +                         "libtiff-CVE-2016-9273.patch"
> +                         "libtiff-CVE-2016-9297.patch"))))))
>=20=20
>  (define-public libwmf
>    (package
> diff --git a/gnu/packages/patches/libtiff-CVE-2016-9297.patch b/gnu/packa=
ges/patches/libtiff-CVE-2016-9297.patch
> new file mode 100644
> index 0000000..c9207bb
> --- /dev/null
> +++ b/gnu/packages/patches/libtiff-CVE-2016-9297.patch
> @@ -0,0 +1,52 @@
> +Fix CVE-2016-9297:
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-9297
> +http://bugzilla.maptools.org/show_bug.cgi?id=3D2590
> +
> +Patch copied from upstream source repository.
> +
> +2016-11-11 Even Rouault <even.rouault at spatialys.com>
> +
> +        * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
> +        values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
> +        access are null terminated, to avoid potential read outside buff=
er
> +        in _TIFFPrintField().
> +        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2590
> +
> +
> +/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
> +new revision: 1.1154; previous revision: 1.1153
> +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <--=20
> +libtiff/tif_dirread.c
> +new revision: 1.203; previous revision: 1.202Index: libtiff/libtiff/tif_=
dirread.c
> +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
> +retrieving revision 1.202
> +retrieving revision 1.203
> +diff -u -r1.202 -r1.203
> +--- libtiff/libtiff/tif_dirread.c	11 Nov 2016 20:01:55 -0000	1.202
> ++++ libtiff/libtiff/tif_dirread.c	11 Nov 2016 20:22:01 -0000	1.203
> +@@ -5000,6 +5000,11 @@
> + 					if (err=3D=3DTIFFReadDirEntryErrOk)
> + 					{
> + 						int m;
> ++                        if( data[dp->tdir_count-1] !=3D '\0' )
> ++                        {
> ++                            TIFFWarningExt(tif->tif_clientdata,module,"=
ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null=
",fip->field_name);
> ++                            data[dp->tdir_count-1] =3D '\0';
> ++                        }
> + 						m=3DTIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
> + 						if (data!=3D0)
> + 							_TIFFfree(data);
> +@@ -5172,6 +5177,11 @@
> + 				if (err=3D=3DTIFFReadDirEntryErrOk)
> + 				{
> + 					int m;
> ++                    if( data[dp->tdir_count-1] !=3D '\0' )
> ++                    {
> ++                        TIFFWarningExt(tif->tif_clientdata,module,"ASCI=
I value for tag \"%s\" does not end in null byte. Forcing it to be null",fi=
p->field_name);
> ++                        data[dp->tdir_count-1] =3D '\0';
> ++                    }
> + 					m=3DTIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
> + 					if (data!=3D0)
> + 						_TIFFfree(data);

LGTM.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJYLKCDAAoJEOal7jwZRnoNAHkP/j+r7mkz3CkB3C7RheG5o/7E
OwsLKPrXSq4iseFa8LSCUTl7x6DGmIrxKG6hrkm65/ioo5Ww2q5O6KHkO6yWJB8X
zVcHMhOCieCZRTYuRIbf2Ivg5A05oeKXSu1P7JcEpVAr3U0oAcvBBCczfzf2kAU4
5QAyRLKiz7qczHz8Wvw2xuvmeMMJxt+7e8r2v7og9TwnRUZObkgDQceXxjA5DZFx
R7dYmiA5PdyW1s7cmFrvjzkvyiHF+O9/gzLBUSvFo2KUNkbM3CWTzghiQOL3ljVC
aDDVxxHgA3NR970pV+bg787SNhAP9tG+jqquWQG7H2pOnC/Zk+a+jyj2LuxKZa4h
sA/pK6cVECjHv4ycmbSMCs9ceo6PjAbMOXsPftpfm5RoPFj6sAy824dJCYPuRb2L
RuCEm0/BJTbewTYU4B6TuxKsyQSrXIJ1wKZR5er6WgMHwbwZTBBAk+qQpAW/jGzK
wTsCbkQEDXAT7OcyD+y4Ts5CGb0ok4E8LHZ9xJ3XUHDxDBNSlO7mOj368dSXfxn2
ufyOlnDe/QBScHXzF5j4rq04KBOe9T+gf5cny5kHO/ZNIstAJd7rRwSLupBFJ28f
IbElFWX+tiRN+nT7+Glb8EAty9PturfAXVBwRqSSSGz5qGNLz3SfdHFA4jRDSBNN
K/3JZAOnB9qC0W//j+72
=oTXk
-----END PGP SIGNATURE-----
--=-=-=--