Fix incorrect fix for CVE-2011-0192; add fix for CVE-2011-1167

This commit is contained in:
Tom Lane 2011-03-21 16:14:46 -04:00
parent 7abdd8bb18
commit 0224c9c3f8
3 changed files with 74 additions and 8 deletions


@ -3,20 +3,24 @@ this, a malicious input file can generate an indefinitely large series
of runs without a0 ever reaching the right margin, thus overrunning of runs without a0 ever reaching the right margin, thus overrunning
our buffer of run lengths. Per CVE-2011-0192. This is a modified our buffer of run lengths. Per CVE-2011-0192. This is a modified
version of a patch proposed by Drew Yao of Apple Product Security. version of a patch proposed by Drew Yao of Apple Product Security.
It adds an unexpected() report, and disallows the equality case, since It adds an unexpected() report, and disallows the equality case except
emitting a run without increasing a0 still allows buffer overrun. for the first run of a line, since emitting a run without increasing a0
still allows buffer overrun. (We have to allow it for the first run to
cover the case of encoding a zero-length run at start of line using VL.)
diff -Naur tiff-3.9.4.orig/libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h diff -Naur tiff-3.9.4.orig/libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
--- tiff-3.9.4.orig/libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400 --- tiff-3.9.4.orig/libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_fax3.h 2011-02-22 15:20:22.336377923 -0500 +++ tiff-3.9.4/libtiff/tif_fax3.h 2011-03-10 12:11:20.850839162 -0500
@@ -478,6 +478,10 @@ @@ -478,6 +478,12 @@
break; \ break; \
case S_VL: \ case S_VL: \
CHECK_b1; \ CHECK_b1; \
+ if (b1 <= (int) (a0 + TabEnt->Param)) { \ + if (b1 <= (int) (a0 + TabEnt->Param)) { \
+ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \
+ unexpected("VL", a0); \ + unexpected("VL", a0); \
+ goto eol2d; \ + goto eol2d; \
+ } \
+ } \ + } \
SETVALUE(b1 - a0 - TabEnt->Param); \ SETVALUE(b1 - a0 - TabEnt->Param); \
b1 -= *--pb; \ b1 -= *--pb; \
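Review bot: The nested `if` in the VL case carries no comment explaining why equality is tolerated exactly once, and a reader of tif_fax3.h will not see the rationale that lives only in this patch file's description. A comment ahead of the outer `if`, `/* SETVALUE needs a positive run length; a zero-length run (b1 == a0 + Param) is legal only as the first run of a line, so pa != thisrun rejects any later one */ \`, would keep the invariant next to the check. The two conditions can also be expressed as a single guard, `if (b1 < (int) (a0 + TabEnt->Param) || (b1 == (int) (a0 + TabEnt->Param) && pa != thisrun)) { \`, which avoids the outer block whose only content is another test. The enclosing macro begins and ends outside the hunk, so whether `pa` is reset to `thisrun` at every line start is not visible here and is worth confirming, since the whole guard depends on it.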


@ -0,0 +1,53 @@
Upstream patch for CVE-2011-1167, heap-based buffer overflow in thunder
decoder (ZDI-CAN-1004).
diff -Naur tiff-3.9.4.orig/libtiff/tif_thunder.c tiff-3.9.4/libtiff/tif_thunder.c
--- tiff-3.9.4.orig/libtiff/tif_thunder.c 2010-06-08 14:50:43.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_thunder.c 2011-03-18 12:17:13.635796403 -0400
@@ -55,12 +55,32 @@
static const int twobitdeltas[4] = { 0, 1, 0, -1 };
static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 };
-#define SETPIXEL(op, v) { \
- lastpixel = (v) & 0xf; \
- if (npixels++ & 1) \
- *op++ |= lastpixel; \
- else \
+#define SETPIXEL(op, v) { \
+ lastpixel = (v) & 0xf; \
+ if ( npixels < maxpixels ) \
+ { \
+ if (npixels++ & 1) \
+ *op++ |= lastpixel; \
+ else \
op[0] = (tidataval_t) (lastpixel << 4); \
+ } \
+}
+
+static int
+ThunderSetupDecode(TIFF* tif)
+{
+ static const char module[] = "ThunderSetupDecode";
+
+ if( tif->tif_dir.td_bitspersample != 4 )
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.",
+ (int) tif->tif_dir.td_bitspersample );
+ return 0;
+ }
+
+
+ return (1);
}
static int
@@ -151,6 +171,7 @@
(void) scheme;
tif->tif_decoderow = ThunderDecodeRow;
tif->tif_decodestrip = ThunderDecodeRow;
+ tif->tif_setupdecode = ThunderSetupDecode;
return (1);
}
#endif /* THUNDER_SUPPORT */
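Review bot: The new bound in SETPIXEL reads `maxpixels`, which is neither a macro parameter nor declared in this hunk, so every expansion site now silently depends on a `maxpixels` in the caller's scope, and pixels past the bound are dropped without any diagnostic at the point of the check. That dependency deserves a comment above the macro, e.g. `/* requires npixels, maxpixels and lastpixel in scope; pixels beyond maxpixels are discarded, not written */`, and if the decode loop compares npixels with maxpixels afterwards it is worth confirming that capping npixels here does not hide the over-long-row case. In ThunderSetupDecode the two consecutive blank lines before `return (1);` and the parenthesised form are inconsistent with the plain `return 0;` a few lines above; `return 1;` would match. The decode routine that expands SETPIXEL lies outside the hunk.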


@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files Summary: Library of functions for manipulating TIFF format image files
Name: libtiff Name: libtiff
Version: 3.9.4 Version: 3.9.4
Release: 3%{?dist} Release: 4%{?dist}
License: libtiff License: libtiff
Group: System Environment/Libraries Group: System Environment/Libraries
@ -19,7 +19,8 @@ Patch8: libtiff-unknown-fix.patch
Patch9: libtiff-checkbytecount.patch Patch9: libtiff-checkbytecount.patch
Patch10: libtiff-tiffdump.patch Patch10: libtiff-tiffdump.patch
Patch11: libtiff-CVE-2011-0192.patch Patch11: libtiff-CVE-2011-0192.patch
Patch12: libtiff-gif2tiff-overrun.patch Patch12: libtiff-CVE-2011-1167.patch
Patch13: libtiff-gif2tiff-overrun.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel libjpeg-devel BuildRequires: zlib-devel libjpeg-devel
@ -84,6 +85,7 @@ image files using the libtiff library.
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1 %patch12 -p1
%patch13 -p1
# Use build system's libtool.m4, not the one in the package. # Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4 rm -f libtool.m4
@ -195,6 +197,13 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Mon Mar 21 2011 Tom Lane <tgl@redhat.com> 3.9.4-4
- Fix incorrect fix for CVE-2011-0192
Resolves: #684007
Related: #688825
- Add fix for CVE-2011-1167
Resolves: #689574
* Wed Mar 2 2011 Tom Lane <tgl@redhat.com> 3.9.4-3 * Wed Mar 2 2011 Tom Lane <tgl@redhat.com> 3.9.4-3
- Add patch for CVE-2011-0192 - Add patch for CVE-2011-0192
Resolves: #681672 Resolves: #681672