* [bug#27370] [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].
@ 2017-06-15 3:45 Leo Famulari
2017-06-15 8:13 ` Ludovic Courtès
2017-06-15 15:22 ` [bug#27370] " Leo Famulari
0 siblings, 2 replies; 4+ messages in thread
From: Leo Famulari @ 2017-06-15 3:45 UTC (permalink / raw)
To: 27370
Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
* gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/image.scm | 1 +
.../patches/libtiff-tiffgetfield-bugs.patch | 201 +++++++++++++++++++++
3 files changed, 203 insertions(+)
create mode 100644 gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 8fcd2cab2..974b6536f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -769,6 +769,7 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-invalid-read.patch \
%D%/packages/patches/libtiff-null-dereference.patch \
%D%/packages/patches/libtiff-tiffcp-underflow.patch \
+ %D%/packages/patches/libtiff-tiffgetfield-bugs.patch \
%D%/packages/patches/libtirpc-CVE-2017-8779.patch \
%D%/packages/patches/libtorrent-rasterbar-boost-compat.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index abac17d6d..b94c006b1 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -393,6 +393,7 @@ collection of tools for doing simple manipulations of TIFF images.")
(method url-fetch)
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
version ".tar.gz"))
+ (patches (search-patches "libtiff-tiffgetfield-bugs.patch"))
(sha256
(base32
"0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))))
diff --git a/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch b/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
new file mode 100644
index 000000000..84566ca23
--- /dev/null
+++ b/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
@@ -0,0 +1,201 @@
+Fix several bugs in libtiff related to use of TIFFGetField():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095
+
+Patch copied from upstream CVS. 3rd-party Git reference:
+https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06
+
+2017-06-01 Even Rouault <even.rouault at spatialys.com>
+
+* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+to behave differently depending on whether the codec is enabled or not, and
+thus can avoid stack based buffer overflows in a number of TIFF utilities
+such as tiffsplit, tiffcmp, thumbnail, etc.
+Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+Fixes:
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+http://bugzilla.maptools.org/show_bug.cgi?id=2693
+http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+http://bugzilla.maptools.org/show_bug.cgi?id=2441
+http://bugzilla.maptools.org/show_bug.cgi?id=2433
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.208
+retrieving revision 1.209
+diff -u -r1.208 -r1.209
+--- libtiff/libtiff/tif_dirread.c 27 Apr 2017 15:46:22 -0000 1.208
++++ libtiff/libtiff/tif_dirread.c 1 Jun 2017 12:44:04 -0000 1.209
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -3580,6 +3580,10 @@
+ goto bad;
+ dp->tdir_tag=IGNORE;
+ break;
++ default:
++ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
++ dp->tdir_tag=IGNORE;
++ break;
+ }
+ }
+ }
+Index: libtiff/libtiff/tif_dirinfo.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v
+retrieving revision 1.126
+retrieving revision 1.127
+diff -u -r1.126 -r1.127
+--- libtiff/libtiff/tif_dirinfo.c 18 Nov 2016 02:52:13 -0000 1.126
++++ libtiff/libtiff/tif_dirinfo.c 1 Jun 2017 12:44:04 -0000 1.127
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
++/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -956,6 +956,109 @@
+ return 0;
+ }
+
++int
++_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
++{
++ /* Filter out non-codec specific tags */
++ switch (tag) {
++ /* Shared tags */
++ case TIFFTAG_PREDICTOR:
++ /* JPEG tags */
++ case TIFFTAG_JPEGTABLES:
++ /* OJPEG tags */
++ case TIFFTAG_JPEGIFOFFSET:
++ case TIFFTAG_JPEGIFBYTECOUNT:
++ case TIFFTAG_JPEGQTABLES:
++ case TIFFTAG_JPEGDCTABLES:
++ case TIFFTAG_JPEGACTABLES:
++ case TIFFTAG_JPEGPROC:
++ case TIFFTAG_JPEGRESTARTINTERVAL:
++ /* CCITT* */
++ case TIFFTAG_BADFAXLINES:
++ case TIFFTAG_CLEANFAXDATA:
++ case TIFFTAG_CONSECUTIVEBADFAXLINES:
++ case TIFFTAG_GROUP3OPTIONS:
++ case TIFFTAG_GROUP4OPTIONS:
++ break;
++ default:
++ return 1;
++ }
++ /* Check if codec specific tags are allowed for the current
++ * compression scheme (codec) */
++ switch (tif->tif_dir.td_compression) {
++ case COMPRESSION_LZW:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_PACKBITS:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_THUNDERSCAN:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_NEXT:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_JPEG:
++ if (tag == TIFFTAG_JPEGTABLES)
++ return 1;
++ break;
++ case COMPRESSION_OJPEG:
++ switch (tag) {
++ case TIFFTAG_JPEGIFOFFSET:
++ case TIFFTAG_JPEGIFBYTECOUNT:
++ case TIFFTAG_JPEGQTABLES:
++ case TIFFTAG_JPEGDCTABLES:
++ case TIFFTAG_JPEGACTABLES:
++ case TIFFTAG_JPEGPROC:
++ case TIFFTAG_JPEGRESTARTINTERVAL:
++ return 1;
++ }
++ break;
++ case COMPRESSION_CCITTRLE:
++ case COMPRESSION_CCITTRLEW:
++ case COMPRESSION_CCITTFAX3:
++ case COMPRESSION_CCITTFAX4:
++ switch (tag) {
++ case TIFFTAG_BADFAXLINES:
++ case TIFFTAG_CLEANFAXDATA:
++ case TIFFTAG_CONSECUTIVEBADFAXLINES:
++ return 1;
++ case TIFFTAG_GROUP3OPTIONS:
++ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
++ return 1;
++ break;
++ case TIFFTAG_GROUP4OPTIONS:
++ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
++ return 1;
++ break;
++ }
++ break;
++ case COMPRESSION_JBIG:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_DEFLATE:
++ case COMPRESSION_ADOBE_DEFLATE:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_PIXARLOG:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_SGILOG:
++ case COMPRESSION_SGILOG24:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_LZMA:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++
++ }
++ return 0;
++}
++
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+
+ /*
+Index: libtiff/libtiff/tif_dir.h
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v
+retrieving revision 1.54
+retrieving revision 1.55
+diff -u -r1.54 -r1.55
+--- libtiff/libtiff/tif_dir.h 18 Feb 2011 20:53:05 -0000 1.54
++++ libtiff/libtiff/tif_dir.h 1 Jun 2017 12:44:04 -0000 1.55
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
++/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -291,6 +291,7 @@
+ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
++extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+
+ #if defined(__cplusplus)
+ }
--
2.13.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [bug#27370] [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].
2017-06-15 3:45 [bug#27370] [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes] Leo Famulari
@ 2017-06-15 8:13 ` Ludovic Courtès
2017-06-15 15:52 ` bug#27370: " Leo Famulari
2017-06-15 15:22 ` [bug#27370] " Leo Famulari
1 sibling, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2017-06-15 8:13 UTC (permalink / raw)
To: Leo Famulari; +Cc: 27370
Leo Famulari <leo@famulari.name> skribis:
> Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
>
> * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
LGTM. ‘guix lint -c cve’ will keep complaining, but I guess splitting
the patch in one patch per CVE might be hard and not worth the effort.
Thoughts?
Could you apply them to ‘core-updates’ as well?
Thank you!
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#27370: [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].
2017-06-15 8:13 ` Ludovic Courtès
@ 2017-06-15 15:52 ` Leo Famulari
0 siblings, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2017-06-15 15:52 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 27370-done
[-- Attachment #1: Type: text/plain, Size: 771 bytes --]
On Thu, Jun 15, 2017 at 10:13:43AM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> > the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
> >
> > * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
>
> LGTM. ‘guix lint -c cve’ will keep complaining, but I guess splitting
> the patch in one patch per CVE might be hard and not worth the effort.
> Thoughts?
The long list of bugs has a single root cause and fix, so there is only
one patch.
> Could you apply them to ‘core-updates’ as well?
Sure, done!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bug#27370] [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].
2017-06-15 3:45 [bug#27370] [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes] Leo Famulari
2017-06-15 8:13 ` Ludovic Courtès
@ 2017-06-15 15:22 ` Leo Famulari
1 sibling, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2017-06-15 15:22 UTC (permalink / raw)
To: 27370
[-- Attachment #1: Type: text/plain, Size: 550 bytes --]
On Wed, Jun 14, 2017 at 11:45:57PM -0400, Leo Famulari wrote:
> Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
>
> * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
I'd also like to add a patch for this libtiff commit, fixing a
regression in 4.0.8:
https://github.com/vadz/libtiff/commit/cd23b66764cb0a2d67198e060a9e238380e3ae9f
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-06-15 15:53 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-15 3:45 [bug#27370] [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes] Leo Famulari
2017-06-15 8:13 ` Ludovic Courtès
2017-06-15 15:52 ` bug#27370: " Leo Famulari
2017-06-15 15:22 ` [bug#27370] " Leo Famulari
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.