From 8e28d22c914122aa7bfb70847370d8ae0f070688 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Tue, 16 Jun 2015 00:59:15 -0400 Subject: gnu: libtiff: Add fixes for several CVEs. * gnu/packages/patches/libtiff-CVE-2012-4564.patch, gnu/packages/patches/libtiff-CVE-2013-1960.patch, gnu/packages/patches/libtiff-CVE-2013-1961.patch, gnu/packages/patches/libtiff-CVE-2013-4231.patch, gnu/packages/patches/libtiff-CVE-2013-4232.patch, gnu/packages/patches/libtiff-CVE-2013-4243.patch, gnu/packages/patches/libtiff-CVE-2013-4244.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch, gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch, gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch, gnu/packages/patches/libtiff-CVE-2014-8129.patch, gnu/packages/patches/libtiff-CVE-2014-9330.patch, gnu/packages/patches/libtiff-CVE-2014-9655.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[source]: Add patches. --- .../patches/libtiff-CVE-2014-8127-pt4.patch | 295 +++++++++++++++++++++ 1 file changed, 295 insertions(+) create mode 100644 gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch (limited to 'gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch') diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch new file mode 100644 index 0000000000..62d903c650 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch @@ -0,0 +1,295 @@ +Copied from Debian + +From 662f74445b2fea2eeb759c6524661118aef567ca Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sun, 21 Dec 2014 15:15:31 +0000 +Subject: [PATCH] Fix various crasher bugs on fuzzed images. * + libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for + TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing + the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read + ColorMap or TransferFunction if BitsPerSample has not yet been read, + otherwise reading it later will cause user code to crash if BitsPerSample > 1 + * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with + SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample + != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images + instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int + overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to + invalid tile count (should likely be checked by libtiff too). Detect invalid + settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB * + tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight * + tools/tiffdump.c: fix crash due to overflow of entry count. + +--- + ChangeLog | 19 +++++++++++++++++++ + libtiff/tif_dir.c | 21 +++++++++++++++++++-- + libtiff/tif_dirread.c | 17 +++++++++++++++++ + libtiff/tif_getimage.c | 15 +++++++++++++++ + libtiff/tif_next.c | 2 ++ + tools/bmp2tiff.c | 15 +++++++++++++++ + tools/tiff2pdf.c | 41 +++++++++++++++++++++++++++++++++++++++++ + tools/tiffcrop.c | 7 ++++--- + tools/tiffdump.c | 9 ++++++--- + 9 files changed, 138 insertions(+), 8 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 98cf66d..ab43a28 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; ++ double dblval; + char* s; + const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); + uint32 standard_tag = tag; +@@ -284,10 +285,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); + break; + case TIFFTAG_XRESOLUTION: +- td->td_xresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_xresolution = (float) dblval; + break; + case TIFFTAG_YRESOLUTION: +- td->td_yresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_yresolution = (float) dblval; + break; + case TIFFTAG_PLANARCONFIG: + v = (uint16) va_arg(ap, uint16_vap); +@@ -694,6 +701,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + va_end(ap); + } + return (0); ++badvaluedouble: ++ { ++ const TIFFField* fip=TIFFFieldWithTag(tif,tag); ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Bad value %f for \"%s\" tag", ++ tif->tif_name, dblval, ++ fip ? fip->field_name : "Unknown"); ++ va_end(ap); ++ } ++ return (0); + } + + /* +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 391c823..f66c9a7 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -3430,6 +3430,8 @@ TIFFReadDirectory(TIFF* tif) + const TIFFField* fip; + uint32 fii=FAILED_FII; + toff_t nextdiroff; ++ int bitspersample_read = FALSE; ++ + tif->tif_diroff=tif->tif_nextdiroff; + if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) + return 0; /* last offset or bad offset (IFD looping) */ +@@ -3706,6 +3708,8 @@ TIFFReadDirectory(TIFF* tif) + } + if (!TIFFSetField(tif,dp->tdir_tag,value)) + goto bad; ++ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE ) ++ bitspersample_read = TRUE; + } + break; + case TIFFTAG_SMINSAMPLEVALUE: +@@ -3763,6 +3767,19 @@ TIFFReadDirectory(TIFF* tif) + uint32 countrequired; + uint32 incrementpersample; + uint16* value=NULL; ++ /* It would be dangerous to instanciate those tag values */ ++ /* since if td_bitspersample has not yet been read (due to */ ++ /* unordered tags), it could be read afterwards with a */ ++ /* values greater than the default one (1), which may cause */ ++ /* crashes in user code */ ++ if( !bitspersample_read ) ++ { ++ fip = TIFFFieldWithTag(tif,dp->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "Ignoring %s since BitsPerSample tag not found", ++ fip ? fip->field_name : "unknown tagname"); ++ continue; ++ } + countpersample=(1L<tif_dir.td_bitspersample); + if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample)) + { +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 074d32a..396ad08 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -182,8 +182,23 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) + "Planarconfiguration", td->td_planarconfig); + return (0); + } ++ if( td->td_samplesperpixel != 3 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d", ++ "Samples/pixel", td->td_samplesperpixel); ++ return 0; ++ } + break; + case PHOTOMETRIC_CIELAB: ++ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d and %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "Bits/sample", td->td_bitspersample); ++ return 0; ++ } + break; + default: + sprintf(emsg, "Sorry, can not handle image with %s=%d", +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index 55e2537..a53c716 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + default: { + uint32 npixels = 0, grey; + uint32 imagewidth = tif->tif_dir.td_imagewidth; ++ if( isTiled(tif) ) ++ imagewidth = tif->tif_dir.td_tilewidth; + + /* + * The scanline is composed of a sequence of constant +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index dfda963..f202b41 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1167,6 +1167,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ + TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid tile count, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_tiles[i].tiles_tilecount/= xuint16; + } + if( t2p->tiff_tiles[i].tiles_tilecount > 0){ +@@ -1552,6 +1561,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + #endif + break; + case PHOTOMETRIC_CIELAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for CIELAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for CIELAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]= -127; + t2p->pdf_labrange[1]= 127; + t2p->pdf_labrange[2]= -127; +@@ -1567,6 +1592,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + t2p->pdf_colorspace=T2P_CS_LAB; + break; + case PHOTOMETRIC_ITULAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for ITULAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for ITULAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]=-85; + t2p->pdf_labrange[1]=85; + t2p->pdf_labrange[2]=-75; +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index f5530bb..4088463 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, + tsize_t tilesize = TIFFTileSize(out); + unsigned char *tilebuf = NULL; + +- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); +- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); +- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || ++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || ++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) ++ return 1; + + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) +diff --git a/tools/tiffdump.c b/tools/tiffdump.c +index cf5d62f..8247765 100644 +--- a/tools/tiffdump.c ++++ b/tools/tiffdump.c +@@ -374,6 +374,8 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + void* datamem; + uint64 dataoffset; + int datatruncated; ++ int datasizeoverflow; ++ + tag = *(uint16*)dp; + if (swabflag) + TIFFSwabShort(&tag); +@@ -412,13 +414,14 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + else + typewidth = datawidth[type]; + datasize = count*typewidth; ++ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count); + datafits = 1; + datamem = dp; + dataoffset = 0; + datatruncated = 0; + if (!bigtiff) + { +- if (datasize>4) ++ if (datasizeoverflow || datasize>4) + { + uint32 dataoffset32; + datafits = 0; +@@ -432,7 +435,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + } + else + { +- if (datasize>8) ++ if (datasizeoverflow || datasize>8) + { + datafits = 0; + datamem = NULL; +@@ -442,7 +445,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + } + dp += sizeof(uint64); + } +- if (datasize>0x10000) ++ if (datasizeoverflow || datasize>0x10000) + { + datatruncated = 1; + count = 0x10000/typewidth; -- cgit v1.2.3