01/01: gnu: libtiff: Fix CVE-2017-5225.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: libtiff: Fix CVE-2017-5225.

From:	Leo Famulari
Subject:	01/01: gnu: libtiff: Fix CVE-2017-5225.
Date:	Mon, 23 Jan 2017 07:21:43 +0000 (UTC)

lfam pushed a commit to branch master
in repository guix.

commit 62cf8fa7cd2126cce5f1ac37feeb3ca75db6f6bf
Author: Leo Famulari <address@hidden>
Date:   Mon Jan 23 02:06:40 2017 -0500

    gnu: libtiff: Fix CVE-2017-5225.
    
    * gnu/packages/patches/libtiff-CVE-2017-5225.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/image.scm (libtiff/fixed)[source]: Use it.
---
 gnu/local.mk                                     |    1 +
 gnu/packages/image.scm                           |    3 +-
 gnu/packages/patches/libtiff-CVE-2017-5225.patch |   86 ++++++++++++++++++++++
 3 files changed, 89 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index d321824..3d8e462 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -689,6 +689,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/libtiff-CVE-2016-10092.patch            \
   %D%/packages/patches/libtiff-CVE-2016-10093.patch            \
   %D%/packages/patches/libtiff-CVE-2016-10094.patch            \
+  %D%/packages/patches/libtiff-CVE-2017-5225.patch             \
   %D%/packages/patches/libtiff-assertion-failure.patch         \
   %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch      \
   %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch     \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index a9bbf19..6378199 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -312,7 +312,8 @@ collection of tools for doing simple manipulations of TIFF 
images.")
                                  "libtiff-CVE-2016-10093.patch"
                                  "libtiff-divide-by-zero-tiffcp.patch"
                                  "libtiff-assertion-failure.patch"
-                                 "libtiff-CVE-2016-10094.patch"))))))
+                                 "libtiff-CVE-2016-10094.patch"
+                                 "libtiff-CVE-2017-5225.patch"))))))
 
 (define-public libwmf
   (package
diff --git a/gnu/packages/patches/libtiff-CVE-2017-5225.patch 
b/gnu/packages/patches/libtiff-CVE-2017-5225.patch
new file mode 100644
index 0000000..3158b49
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-5225.patch
@@ -0,0 +1,86 @@
+Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2656
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225
+https://security-tracker.debian.org/tracker/CVE-2017-5225
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+        cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
+overflow.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+        http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+
+less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1210; previous revision: 1.1209
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
+new revision: 1.61; previous revision: 1.60
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.60
+retrieving revision 1.61
+diff -u -r1.60 -r1.61
+--- libtiff/tools/tiffcp.c     3 Dec 2016 16:50:02 -0000       1.60
++++ libtiff/tools/tiffcp.c     11 Jan 2017 19:26:14 -0000      1.61
+#@@ -1,4 +1,4 @@
+#-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */
+#+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */
+# 
+# /*
+#  * Copyright (c) 1988-1997 Sam Leffler
+@@ -591,7 +591,7 @@
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+-      uint16 bitspersample, samplesperpixel = 1;
++      uint16 bitspersample = 1, samplesperpixel = 1;
+       uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+       copyFunc cf;
+       uint32 width, length;
+@@ -1067,6 +1067,16 @@
+       register uint32 n;
+       uint32 row;
+       tsample_t s;
++        uint16 bps = 0;
++
++        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps != 8 )
++        {
++            TIFFError(TIFFFileName(in),
++                      "Error, can only handle BitsPerSample=8 in %s",
++                      "cpContig2SeparateByRow");
++            return 0;
++        }
+ 
+       inbuf = _TIFFmalloc(scanlinesizein);
+       outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1120,6 +1130,16 @@
+       register uint32 n;
+       uint32 row;
+       tsample_t s;
++        uint16 bps = 0;
++
++        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps != 8 )
++        {
++            TIFFError(TIFFFileName(in),
++                      "Error, can only handle BitsPerSample=8 in %s",
++                      "cpSeparate2ContigByRow");
++            return 0;
++        }
+ 
+       inbuf = _TIFFmalloc(scanlinesizein);
+       outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1784,7 +1804,7 @@
+       uint32 w, l, tw, tl;
+       int bychunk;
+ 
+-      (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
++      (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+       if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+               fprintf(stderr,
+                   "%s: Cannot handle different planar configuration w/ 
bits/sample != 8\n",

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (ffcfaf2 -> 62cf8fa), Leo Famulari, 2017/01/23
- 01/01: gnu: libtiff: Fix CVE-2017-5225., Leo Famulari <=

Prev by Date: branch master updated (ffcfaf2 -> 62cf8fa)
Next by Date: branch master updated (62cf8fa -> a3dbea4)
Previous by thread: branch master updated (ffcfaf2 -> 62cf8fa)
Next by thread: branch master updated (62cf8fa -> a3dbea4)
Index(es):
- Date
- Thread