Fix CVE-2018-19210 (#1649387)

2019-06-12 17:18:50 +02:00 · 2019-06-12 17:18:50 +02:00 · 0489e94ddf
commit 0489e94ddf
parent 42c3833b52
3 changed files with 123 additions and 10 deletions
--- a/libtiff-CVE-2018-12900_CVE-2019-7663.patch
+++ b/libtiff-CVE-2018-12900_CVE-2019-7663.patch
@ -1,18 +1,26 @@
-From 67c11eb5abaf36445650fac968667b62a3ccd0bb Mon Sep 17 00:00:00 2001
+From 2cd851937e887704aa6838b272015de93f48bb44 Mon Sep 17 00:00:00 2001
 From: Thomas Bernard <miniupnp@free.fr>
 Date: Mon, 11 Feb 2019 10:05:33 +0100
 Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow

 fixes bug 2833
 ---
- tools/tiffcp.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
+ tools/tiffcp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)

 diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 2f406e2..f0ee2c0 100644
+index 2f406e2..8c81aa4 100644
 --- a/tools/tiffcp.c
 +++ b/tools/tiffcp.c
-@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+@@ -41,6 +41,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+#include <limits.h>
+ 
+ #include <ctype.h>
+ 
+@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
 	int status = 1;
 	uint32 imagew = TIFFRasterScanlineSize(in);
 	uint32 tilew = TIFFTileRowSize(in);
@ -21,11 +29,11 @@ index 2f406e2..f0ee2c0 100644
 	tsize_t tilesize = TIFFTileSize(in);
 	tdata_t tilebuf;
 	uint8* bufp = (uint8*) buf;
-@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
 	uint32 row;
 	uint16 bps = 0, bytes_per_sample;
 
-+	if (spp > (0x7fffffff / tilew))
+	if (spp > (INT_MAX / tilew))
 +	{
 +		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
 +		return 0;
@ -35,5 +43,5 @@ index 2f406e2..f0ee2c0 100644
 	if (tilebuf == 0)
 		return 0;
 -- 
-2.17.2
+2.21.0

--- a/libtiff-CVE-2018-19210.patch
+++ b/libtiff-CVE-2018-19210.patch
@ -0,0 +1,100 @@
+From 6579f23f3019d8aa7ef0cd856c03d1497add85be Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Wed, 21 Nov 2018 18:50:34 +0100
+Subject: [PATCH] tif_dir: unset transferfunction field if necessary
+
+The number of entries in the transfer table is determined as following:
+
+(td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1
+
+This means that whenever td->td_samplesperpixel or td->td_extrasamples are
+modified we also need to make sure that the number of required entries in
+the transfer table didn't change.
+
+If it changed and the number of entries is higher than before we should
+invalidate the transfer table field and free previously allocated values.
+In the other case there's nothing to do, additional tf entries won't harm
+and properly written code will just ignore them since spp - es < 1.
+
+For instance this situation might happen when reading an OJPEG compressed
+image with missing SamplesPerPixel tag. In this case the SamplesPerPixel
+field might be updated after setting the transfer table.
+
+see http://bugzilla.maptools.org/show_bug.cgi?id=2500
+
+This commit addresses CVE-2018-19210.
+---
+ libtiff/tif_dir.c | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 6f0b487..028ea54 100644
+--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
+@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, double value, size_t nmemb)
+  * Install extra samples information.
+  */
+ static int
+-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
+setExtraSamples(TIFF* tif, va_list ap, uint32* v)
+ {
+ /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
+ #define EXTRASAMPLE_COREL_UNASSALPHA 999 
+ 
+ 	uint16* va;
+ 	uint32 i;
+        TIFFDirectory* td = &tif->tif_dir;
+        static const char module[] = "setExtraSamples";
+ 
+ 	*v = (uint16) va_arg(ap, uint16_vap);
+ 	if ((uint16) *v > td->td_samplesperpixel)
+@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
+ 				return 0;
+ 		}
+ 	}
+
+        if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
+                !(td->td_samplesperpixel - td->td_extrasamples > 1))
+        {
+                TIFFWarningExt(tif->tif_clientdata,module,
+                    "ExtraSamples tag value is changing, "
+                    "but TransferFunction was read with a different value. Cancelling it");
+                TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+                _TIFFfree(td->td_transferfunction[0]);
+                td->td_transferfunction[0] = NULL;
+        }
+
+ 	td->td_extrasamples = (uint16) *v;
+ 	_TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
+ 	return 1;
+@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+                 _TIFFfree(td->td_smaxsamplevalue);
+                 td->td_smaxsamplevalue = NULL;
+             }
+            /* Test if 3 transfer functions instead of just one are now needed
+               See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
+            if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
+                !(td->td_samplesperpixel - td->td_extrasamples > 1))
+            {
+                    TIFFWarningExt(tif->tif_clientdata,module,
+                        "SamplesPerPixel tag value is changing, "
+                        "but TransferFunction was read with a different value. Cancelling it");
+                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+                    _TIFFfree(td->td_transferfunction[0]);
+                    td->td_transferfunction[0] = NULL;
+            }
+         }
+ 		td->td_samplesperpixel = (uint16) v;
+ 		break;
+@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ 		_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ 		break;
+ 	case TIFFTAG_EXTRASAMPLES:
+-		if (!setExtraSamples(td, ap, &v))
+		if (!setExtraSamples(tif, ap, &v))
+ 			goto badvalue;
+ 		break;
+ 	case TIFFTAG_MATTEING:
+-- 
+2.21.0
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.10
-Release:       4%{?dist}
+Release:       5%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/

@ -10,7 +10,8 @@ Source:        ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
 Patch0:        libtiff-am-version.patch
 Patch1:        libtiff-make-check.patch
 Patch2:        libtiff-CVE-2019-6128.patch
-Patch3:        libtiff-CVE-2019-7663.patch
+Patch3:        libtiff-CVE-2018-12900_CVE-2019-7663.patch
+Patch4:        libtiff-CVE-2018-19210.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -63,6 +64,7 @@ image files using the libtiff library.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -167,6 +169,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-5
+- Fix CVE-2018-19210 (#1649387)
+
 * Fri Feb 15 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-4
 - Fix CVE-2019-7663 (#1677529)