--- Begin Message ---
|
Subject: |
[PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes]. |
|
Date: |
Wed, 14 Jun 2017 23:45:57 -0400 |
Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
* gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/image.scm | 1 +
.../patches/libtiff-tiffgetfield-bugs.patch | 201 +++++++++++++++++++++
3 files changed, 203 insertions(+)
create mode 100644 gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 8fcd2cab2..974b6536f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -769,6 +769,7 @@ dist_patch_DATA =
\
%D%/packages/patches/libtiff-invalid-read.patch \
%D%/packages/patches/libtiff-null-dereference.patch \
%D%/packages/patches/libtiff-tiffcp-underflow.patch \
+ %D%/packages/patches/libtiff-tiffgetfield-bugs.patch \
%D%/packages/patches/libtirpc-CVE-2017-8779.patch \
%D%/packages/patches/libtorrent-rasterbar-boost-compat.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index abac17d6d..b94c006b1 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -393,6 +393,7 @@ collection of tools for doing simple manipulations of TIFF
images.")
(method url-fetch)
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-";
version ".tar.gz"))
+ (patches (search-patches "libtiff-tiffgetfield-bugs.patch"))
(sha256
(base32
"0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))))
diff --git a/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
b/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
new file mode 100644
index 000000000..84566ca23
--- /dev/null
+++ b/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
@@ -0,0 +1,201 @@
+Fix several bugs in libtiff related to use of TIFFGetField():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095
+
+Patch copied from upstream CVS. 3rd-party Git reference:
+https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06
+
+2017-06-01 Even Rouault <even.rouault at spatialys.com>
+
+* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+to behave differently depending on whether the codec is enabled or not, and
+thus can avoid stack based buffer overflows in a number of TIFF utilities
+such as tiffsplit, tiffcmp, thumbnail, etc.
+Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+Fixes:
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+http://bugzilla.maptools.org/show_bug.cgi?id=2693
+http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+http://bugzilla.maptools.org/show_bug.cgi?id=2441
+http://bugzilla.maptools.org/show_bug.cgi?id=2433
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.208
+retrieving revision 1.209
+diff -u -r1.208 -r1.209
+--- libtiff/libtiff/tif_dirread.c 27 Apr 2017 15:46:22 -0000 1.208
++++ libtiff/libtiff/tif_dirread.c 1 Jun 2017 12:44:04 -0000 1.209
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -3580,6 +3580,10 @@
+ goto bad;
+ dp->tdir_tag=IGNORE;
+ break;
++ default:
++ if(
!_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
++ dp->tdir_tag=IGNORE;
++ break;
+ }
+ }
+ }
+Index: libtiff/libtiff/tif_dirinfo.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v
+retrieving revision 1.126
+retrieving revision 1.127
+diff -u -r1.126 -r1.127
+--- libtiff/libtiff/tif_dirinfo.c 18 Nov 2016 02:52:13 -0000 1.126
++++ libtiff/libtiff/tif_dirinfo.c 1 Jun 2017 12:44:04 -0000 1.127
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
++/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -956,6 +956,109 @@
+ return 0;
+ }
+
++int
++_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
++{
++ /* Filter out non-codec specific tags */
++ switch (tag) {
++ /* Shared tags */
++ case TIFFTAG_PREDICTOR:
++ /* JPEG tags */
++ case TIFFTAG_JPEGTABLES:
++ /* OJPEG tags */
++ case TIFFTAG_JPEGIFOFFSET:
++ case TIFFTAG_JPEGIFBYTECOUNT:
++ case TIFFTAG_JPEGQTABLES:
++ case TIFFTAG_JPEGDCTABLES:
++ case TIFFTAG_JPEGACTABLES:
++ case TIFFTAG_JPEGPROC:
++ case TIFFTAG_JPEGRESTARTINTERVAL:
++ /* CCITT* */
++ case TIFFTAG_BADFAXLINES:
++ case TIFFTAG_CLEANFAXDATA:
++ case TIFFTAG_CONSECUTIVEBADFAXLINES:
++ case TIFFTAG_GROUP3OPTIONS:
++ case TIFFTAG_GROUP4OPTIONS:
++ break;
++ default:
++ return 1;
++ }
++ /* Check if codec specific tags are allowed for the current
++ * compression scheme (codec) */
++ switch (tif->tif_dir.td_compression) {
++ case COMPRESSION_LZW:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_PACKBITS:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_THUNDERSCAN:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_NEXT:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_JPEG:
++ if (tag == TIFFTAG_JPEGTABLES)
++ return 1;
++ break;
++ case COMPRESSION_OJPEG:
++ switch (tag) {
++ case TIFFTAG_JPEGIFOFFSET:
++ case TIFFTAG_JPEGIFBYTECOUNT:
++ case TIFFTAG_JPEGQTABLES:
++ case TIFFTAG_JPEGDCTABLES:
++ case TIFFTAG_JPEGACTABLES:
++ case TIFFTAG_JPEGPROC:
++ case TIFFTAG_JPEGRESTARTINTERVAL:
++ return 1;
++ }
++ break;
++ case COMPRESSION_CCITTRLE:
++ case COMPRESSION_CCITTRLEW:
++ case COMPRESSION_CCITTFAX3:
++ case COMPRESSION_CCITTFAX4:
++ switch (tag) {
++ case TIFFTAG_BADFAXLINES:
++ case TIFFTAG_CLEANFAXDATA:
++ case TIFFTAG_CONSECUTIVEBADFAXLINES:
++ return 1;
++ case TIFFTAG_GROUP3OPTIONS:
++ if (tif->tif_dir.td_compression ==
COMPRESSION_CCITTFAX3)
++ return 1;
++ break;
++ case TIFFTAG_GROUP4OPTIONS:
++ if (tif->tif_dir.td_compression ==
COMPRESSION_CCITTFAX4)
++ return 1;
++ break;
++ }
++ break;
++ case COMPRESSION_JBIG:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_DEFLATE:
++ case COMPRESSION_ADOBE_DEFLATE:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_PIXARLOG:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_SGILOG:
++ case COMPRESSION_SGILOG24:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_LZMA:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++
++ }
++ return 0;
++}
++
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+
+ /*
+Index: libtiff/libtiff/tif_dir.h
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v
+retrieving revision 1.54
+retrieving revision 1.55
+diff -u -r1.54 -r1.55
+--- libtiff/libtiff/tif_dir.h 18 Feb 2011 20:53:05 -0000 1.54
++++ libtiff/libtiff/tif_dir.h 1 Jun 2017 12:44:04 -0000 1.55
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
++/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -291,6 +291,7 @@
+ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32,
TIFFDataType);
+ extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
++extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+
+ #if defined(__cplusplus)
+ }
--
2.13.1
--- End Message ---
--- Begin Message ---
|
Subject: |
Re: [bug#27370] [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes]. |
|
Date: |
Thu, 15 Jun 2017 11:52:29 -0400 |
|
User-agent: |
Mutt/1.8.3 (2017-05-23) |
On Thu, Jun 15, 2017 at 10:13:43AM +0200, Ludovic Courtès wrote:
> Leo Famulari <address@hidden> skribis:
>
> > Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> > the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
> >
> > * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
>
> LGTM. ‘guix lint -c cve’ will keep complaining, but I guess splitting
> the patch in one patch per CVE might be hard and not worth the effort.
> Thoughts?
The long list of bugs has a single root cause and fix, so there is only
one patch.
> Could you apply them to ‘core-updates’ as well?
Sure, done!
signature.asc
Description: PGP signature
--- End Message ---