From 0489e94ddf13f011dde735078c5a1de3da7ab086 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?=
Date: Wed, 12 Jun 2019 17:18:50 +0200
Subject: [PATCH] Fix CVE-2018-19210 (#1649387)

---
 ...libtiff-CVE-2018-12900_CVE-2019-7663.patch | 24 +++--
 libtiff-CVE-2018-19210.patch | 100 ++++++++++++++++++
 libtiff.spec | 9 +-
 3 files changed, 123 insertions(+), 10 deletions(-)
 rename libtiff-CVE-2019-7663.patch => libtiff-CVE-2018-12900_CVE-2019-7663.patch (63%)
 create mode 100644 libtiff-CVE-2018-19210.patch

diff --git a/libtiff-CVE-2019-7663.patch b/libtiff-CVE-2018-12900_CVE-2019-7663.patch
similarity index 63%
rename from libtiff-CVE-2019-7663.patch
rename to libtiff-CVE-2018-12900_CVE-2019-7663.patch
index d0ff5a9..a412080 100644
--- a/libtiff-CVE-2019-7663.patch
+++ b/libtiff-CVE-2018-12900_CVE-2019-7663.patch
@@ -1,18 +1,26 @@
-From 67c11eb5abaf36445650fac968667b62a3ccd0bb Mon Sep 17 00:00:00 2001
+From 2cd851937e887704aa6838b272015de93f48bb44 Mon Sep 17 00:00:00 2001
 From: Thomas Bernard
 Date: Mon, 11 Feb 2019 10:05:33 +0100
 Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
 
 fixes bug 2833
 ---
- tools/tiffcp.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
+ tools/tiffcp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
 
 diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 2f406e2..f0ee2c0 100644
+index 2f406e2..8c81aa4 100644
 --- a/tools/tiffcp.c
 +++ b/tools/tiffcp.c
-@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+@@ -41,6 +41,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include
+ 
+@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
  int status = 1;
  uint32 imagew = TIFFRasterScanlineSize(in);
  uint32 tilew = TIFFTileRowSize(in);
@@ -21,11 +29,11 @@ index 2f406e2..f0ee2c0 100644
  tsize_t tilesize = TIFFTileSize(in);
  tdata_t tilebuf;
  uint8* bufp = (uint8*) buf;
-@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
  uint32 row;
  uint16 bps = 0, bytes_per_sample;
  
-+ if (spp > (0x7fffffff / tilew))
++ if (spp > (INT_MAX / tilew))
 + {
 + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
 + return 0;
@@ -35,5 +43,5 @@ index 2f406e2..f0ee2c0 100644
  if (tilebuf == 0)
  return 0;
  --
-2.17.2
+2.21.0
 
diff --git a/libtiff-CVE-2018-19210.patch b/libtiff-CVE-2018-19210.patch
new file mode 100644
index 0000000..fa5149c
--- /dev/null
+++ b/libtiff-CVE-2018-19210.patch
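Review bot: The new guard `if (spp > (INT_MAX / tilew))` divides by `tilew`, and `tilew` comes from `TIFFTileRowSize(in)` in the first hunk, which in libtiff reports failure by returning 0, so a file whose tile geometry cannot be sized reaches a division by zero (undefined behaviour in C) before the existing `tilebuf == 0` check; the guard should read `if (tilew == 0 || spp > (INT_MAX / tilew))`. Nothing visible between the two hunks rejects a zero tile row size, though readSeparateTilesIntoBuffer continues outside both hunks, so an earlier guard there would make this moot. Replacing `0x7fffffff` with `INT_MAX` is otherwise a clear improvement since it stops hard-coding the width of int. Because this file is an upstream commit carried as a downstream patch, the extra check belongs in a further backported commit rather than a local edit of this one.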
@@ -0,0 +1,100 @@
+From 6579f23f3019d8aa7ef0cd856c03d1497add85be Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre
+Date: Wed, 21 Nov 2018 18:50:34 +0100
+Subject: [PATCH] tif_dir: unset transferfunction field if necessary
+
+The number of entries in the transfer table is determined as following:
+
+(td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1
+
+This means that whenever td->td_samplesperpixel or td->td_extrasamples are
+modified we also need to make sure that the number of required entries in
+the transfer table didn't change.
+
+If it changed and the number of entries is higher than before we should
+invalidate the transfer table field and free previously allocated values.
+In the other case there's nothing to do, additional tf entries won't harm
+and properly written code will just ignore them since spp - es < 1.
+
+For instance this situation might happen when reading an OJPEG compressed
+image with missing SamplesPerPixel tag. In this case the SamplesPerPixel
+field might be updated after setting the transfer table.
+
+see http://bugzilla.maptools.org/show_bug.cgi?id=2500
+
+This commit addresses CVE-2018-19210.
+---
+ libtiff/tif_dir.c | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 6f0b487..028ea54 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, double value, size_t nmemb)
+  * Install extra samples information.
+  */
+ static int
+-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
++setExtraSamples(TIFF* tif, va_list ap, uint32* v)
+ {
+ /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
+ #define EXTRASAMPLE_COREL_UNASSALPHA 999
+ 
+ uint16* va;
+ uint32 i;
++ TIFFDirectory* td = &tif->tif_dir;
++ static const char module[] = "setExtraSamples";
+ 
+ *v = (uint16) va_arg(ap, uint16_vap);
+ if ((uint16) *v > td->td_samplesperpixel)
+@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
+ return 0;
+ }
+ }
++
++ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
++ !(td->td_samplesperpixel - td->td_extrasamples > 1))
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "ExtraSamples tag value is changing, "
++ "but TransferFunction was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++ _TIFFfree(td->td_transferfunction[0]);
++ td->td_transferfunction[0] = NULL;
++ }
++
+ td->td_extrasamples = (uint16) *v;
+ _TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
+ return 1;
+@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ _TIFFfree(td->td_smaxsamplevalue);
+ td->td_smaxsamplevalue = NULL;
+ }
++ /* Test if 3 transfer functions instead of just one are now needed
++ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
++ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
++ !(td->td_samplesperpixel - td->td_extrasamples > 1))
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "SamplesPerPixel tag value is changing, "
++ "but TransferFunction was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++ _TIFFfree(td->td_transferfunction[0]);
++ td->td_transferfunction[0] = NULL;
++ }
+ }
+ td->td_samplesperpixel = (uint16) v;
+ break;
+@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ break;
+ case TIFFTAG_EXTRASAMPLES:
+- if (!setExtraSamples(td, ap, &v))
++ if (!setExtraSamples(tif, ap, &v))
+ goto badvalue;
+ break;
+ case TIFFTAG_MATTEING:
+--
+2.21.0
+
diff --git a/libtiff.spec b/libtiff.spec
index 544ac42..318c521 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.10
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: libtiff
 URL: http://www.simplesystems.org/libtiff/
 
@@ -10,7 +10,8 @@ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
 Patch0: libtiff-am-version.patch
 Patch1: libtiff-make-check.patch
 Patch2: libtiff-CVE-2019-6128.patch
-Patch3: libtiff-CVE-2019-7663.patch
+Patch3: libtiff-CVE-2018-12900_CVE-2019-7663.patch
+Patch4: libtiff-CVE-2018-19210.patch
 
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@@ -63,6 +64,7 @@ image files using the libtiff library.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -167,6 +169,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Wed Jun 12 2019 Nikola Forró - 4.0.10-5
+- Fix CVE-2018-19210 (#1649387)
+
 * Fri Feb 15 2019 Nikola Forró - 4.0.10-4
 - Fix CVE-2019-7663 (#1677529)
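Review bot: In the `TIFFTAG_SAMPLESPERPIXEL` block added to `_TIFFVSetField`, `(v - td->td_extrasamples > 1)` is evaluated in unsigned arithmetic if `v` is wider than uint16 (the `(uint16) v` narrowing two lines below suggests it is), so a new SamplesPerPixel smaller than the current ExtraSamples count wraps to a huge difference and the branch fires with a warning claiming three transfer functions are now needed; the result is only a spurious warning and the table being dropped, which is the safe direction, but the intent is clearer as `(v > td->td_extrasamples && v - td->td_extrasamples > 1)`. The matching test in `setExtraSamples` is not affected because `*v` is already rejected above when it exceeds `td_samplesperpixel`. This file carries upstream commit 6579f23f verbatim, so the tweak should be made upstream and the patch regenerated rather than edited here.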