rpms/libtiff
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2018-19210 (#1649387)

Browse Source
This commit is contained in:
Nikola Forró 2019-06-12 17:18:50 +02:00
parent 42c3833b52
commit 0489e94ddf
3 changed files with 123 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
libtiff-CVE-2019-7663.patch → libtiff-CVE-2018-12900_CVE-2019-7663.patch
View File

@ -1,18 +1,26 @@
From 67c11eb5abaf36445650fac968667b62a3ccd0bb Mon Sep 17 00:00:00 2001 From 2cd851937e887704aa6838b272015de93f48bb44 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr> From: Thomas Bernard <miniupnp@free.fr>
Date: Mon, 11 Feb 2019 10:05:33 +0100 Date: Mon, 11 Feb 2019 10:05:33 +0100
Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
fixes bug 2833 fixes bug 2833
--- ---
tools/tiffcp.c | 8 +++++++- tools/tiffcp.c | 9 ++++++++-
1 file changed, 7 insertions(+), 1 deletion(-) 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 2f406e2..f0ee2c0 100644 index 2f406e2..8c81aa4 100644
--- a/tools/tiffcp.c --- a/tools/tiffcp.c
+++ b/tools/tiffcp.c +++ b/tools/tiffcp.c
@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) @@ -41,6 +41,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include <ctype.h>
@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
int status = 1; int status = 1;
uint32 imagew = TIFFRasterScanlineSize(in); uint32 imagew = TIFFRasterScanlineSize(in);
uint32 tilew = TIFFTileRowSize(in); uint32 tilew = TIFFTileRowSize(in);
@ -21,11 +29,11 @@ index 2f406e2..f0ee2c0 100644
tsize_t tilesize = TIFFTileSize(in); tsize_t tilesize = TIFFTileSize(in);
tdata_t tilebuf; tdata_t tilebuf;
uint8* bufp = (uint8*) buf; uint8* bufp = (uint8*) buf;
@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) @@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
uint32 row; uint32 row;
uint16 bps = 0, bytes_per_sample; uint16 bps = 0, bytes_per_sample;
+ if (spp > (0x7fffffff / tilew)) + if (spp > (INT_MAX / tilew))
+ { + {
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ return 0; + return 0;
@ -35,5 +43,5 @@ index 2f406e2..f0ee2c0 100644
if (tilebuf == 0) if (tilebuf == 0)
return 0; return 0;
-- --
2.17.2 2.21.0

100
libtiff-CVE-2018-19210.patch Normal file
View File

@ -0,0 +1,100 @@
From 6579f23f3019d8aa7ef0cd856c03d1497add85be Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Wed, 21 Nov 2018 18:50:34 +0100
Subject: [PATCH] tif_dir: unset transferfunction field if necessary
The number of entries in the transfer table is determined as following:
(td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1
This means that whenever td->td_samplesperpixel or td->td_extrasamples are
modified we also need to make sure that the number of required entries in
the transfer table didn't change.
If it changed and the number of entries is higher than before we should
invalidate the transfer table field and free previously allocated values.
In the other case there's nothing to do, additional tf entries won't harm
and properly written code will just ignore them since spp - es < 1.
For instance this situation might happen when reading an OJPEG compressed
image with missing SamplesPerPixel tag. In this case the SamplesPerPixel
field might be updated after setting the transfer table.
see http://bugzilla.maptools.org/show_bug.cgi?id=2500
This commit addresses CVE-2018-19210.
---
libtiff/tif_dir.c | 30 ++++++++++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 6f0b487..028ea54 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, double value, size_t nmemb)
* Install extra samples information.
*/
static int
-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
+setExtraSamples(TIFF* tif, va_list ap, uint32* v)
{
/* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
#define EXTRASAMPLE_COREL_UNASSALPHA 999
uint16* va;
uint32 i;
+ TIFFDirectory* td = &tif->tif_dir;
+ static const char module[] = "setExtraSamples";
*v = (uint16) va_arg(ap, uint16_vap);
if ((uint16) *v > td->td_samplesperpixel)
@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
return 0;
}
}
+
+ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "ExtraSamples tag value is changing, "
+ "but TransferFunction was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+ _TIFFfree(td->td_transferfunction[0]);
+ td->td_transferfunction[0] = NULL;
+ }
+
td->td_extrasamples = (uint16) *v;
_TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
return 1;
@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
_TIFFfree(td->td_smaxsamplevalue);
td->td_smaxsamplevalue = NULL;
}
+ /* Test if 3 transfer functions instead of just one are now needed
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
+ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "SamplesPerPixel tag value is changing, "
+ "but TransferFunction was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+ _TIFFfree(td->td_transferfunction[0]);
+ td->td_transferfunction[0] = NULL;
+ }
}
td->td_samplesperpixel = (uint16) v;
break;
@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
break;
case TIFFTAG_EXTRASAMPLES:
- if (!setExtraSamples(td, ap, &v))
+ if (!setExtraSamples(tif, ap, &v))
goto badvalue;
break;
case TIFFTAG_MATTEING:
--
2.21.0

9
libtiff.spec
View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files Summary: Library of functions for manipulating TIFF format image files
Name: libtiff Name: libtiff
Version: 4.0.10 Version: 4.0.10
Release: 4%{?dist} Release: 5%{?dist}
License: libtiff License: libtiff
URL: http://www.simplesystems.org/libtiff/ URL: http://www.simplesystems.org/libtiff/
@ -10,7 +10,8 @@ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
Patch0: libtiff-am-version.patch Patch0: libtiff-am-version.patch
Patch1: libtiff-make-check.patch Patch1: libtiff-make-check.patch
Patch2: libtiff-CVE-2019-6128.patch Patch2: libtiff-CVE-2019-6128.patch
Patch3: libtiff-CVE-2019-7663.patch Patch3: libtiff-CVE-2018-12900_CVE-2019-7663.patch
Patch4: libtiff-CVE-2018-19210.patch
BuildRequires: gcc, gcc-c++ BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -63,6 +64,7 @@ image files using the libtiff library.
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1
# Use build system's libtool.m4, not the one in the package. # Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4 rm -f libtool.m4
@ -167,6 +169,9 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-5
- Fix CVE-2018-19210 (#1649387)
* Fri Feb 15 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-4 * Fri Feb 15 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-4
- Fix CVE-2019-7663 (#1677529) - Fix CVE-2019-7663 (#1677529)