Add upstream patches for CVE-2012-4447, CVE-2012-4564

2012-12-13 14:14:22 -05:00 · 2012-12-13 14:14:22 -05:00 · 1d5ae67789
commit 1d5ae67789
parent 78445b68d5
5 changed files with 193 additions and 1 deletions
--- a/libtiff-CVE-2012-4447.patch
+++ b/libtiff-CVE-2012-4447.patch
@ -0,0 +1,40 @@
+Upstream patch for CVE-2012-4447.
+
+
+diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c
+--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c	2012-07-04 15:26:31.000000000 -0400
+++ tiff-4.0.3/libtiff/tif_pixarlog.c	2012-12-12 16:43:18.931315699 -0500
+@@ -644,6 +644,20 @@
+ 	return bytes;
+ }
+ 
+static tmsize_t
+add_ms(tmsize_t m1, tmsize_t m2)
+{
+	tmsize_t bytes = m1 + m2;
+
+	/* if either input is zero, assume overflow already occurred */
+	if (m1 == 0 || m2 == 0)
+		bytes = 0;
+	else if (bytes <= m1 || bytes <= m2)
+		bytes = 0;
+
+	return bytes;
+}
+
+ static int
+ PixarLogFixupTags(TIFF* tif)
+ {
+@@ -671,9 +685,11 @@
+ 	    td->td_samplesperpixel : 1);
+ 	tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
+ 				      td->td_rowsperstrip), sizeof(uint16));
+	/* add one more stride in case input ends mid-stride */
+	tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ 	if (tbuf_size == 0)
+ 		return (0);   /* TODO: this is an error return without error report through TIFFErrorExt */
+-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
+	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ 	if (sp->tbuf == NULL)
+ 		return (0);
+ 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
--- a/libtiff-CVE-2012-4564.patch
+++ b/libtiff-CVE-2012-4564.patch
@ -0,0 +1,86 @@
+Upstream patch for CVE-2012-4564.
+
+
+diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c
+--- tiff-4.0.3.orig/tools/ppm2tiff.c	2010-04-10 15:22:34.000000000 -0400
+++ tiff-4.0.3/tools/ppm2tiff.c	2012-12-12 16:43:18.932315708 -0500
+@@ -72,6 +72,17 @@
+ 	exit(-2);
+ }
+ 
+static tmsize_t
+multiply_ms(tmsize_t m1, tmsize_t m2)
+{
+	tmsize_t bytes = m1 * m2;
+
+	if (m1 && bytes / m1 != m2)
+		bytes = 0;
+
+	return bytes;
+}
+
+ int
+ main(int argc, char* argv[])
+ {
+@@ -79,7 +90,7 @@
+ 	uint32 rowsperstrip = (uint32) -1;
+ 	double resolution = -1;
+ 	unsigned char *buf = NULL;
+-	tsize_t linebytes = 0;
+	tmsize_t linebytes = 0;
+ 	uint16 spp = 1;
+ 	uint16 bpp = 8;
+ 	TIFF *out;
+@@ -89,6 +100,7 @@
+ 	int c;
+ 	extern int optind;
+ 	extern char* optarg;
+	tmsize_t scanline_size;
+ 
+ 	if (argc < 2) {
+ 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -221,7 +233,8 @@
+ 	}
+ 	switch (bpp) {
+ 		case 1:
+-			linebytes = (spp * w + (8 - 1)) / 8;
+			/* if round-up overflows, result will be zero, OK */
+			linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+ 			if (rowsperstrip == (uint32) -1) {
+ 				TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
+ 			} else {
+@@ -230,15 +243,31 @@
+ 			}
+ 			break;
+ 		case 8:
+-			linebytes = spp * w;
+			linebytes = multiply_ms(spp, w);
+ 			TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ 			    TIFFDefaultStripSize(out, rowsperstrip));
+ 			break;
+ 	}
+-	if (TIFFScanlineSize(out) > linebytes)
+	if (linebytes == 0) {
+		fprintf(stderr, "%s: scanline size overflow\n", infile);
+		(void) TIFFClose(out);
+		exit(-2);					
+	}
+	scanline_size = TIFFScanlineSize(out);
+	if (scanline_size == 0) {
+		/* overflow - TIFFScanlineSize already printed a message */
+		(void) TIFFClose(out);
+		exit(-2);					
+	}
+	if (scanline_size < linebytes)
+ 		buf = (unsigned char *)_TIFFmalloc(linebytes);
+ 	else
+-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+		buf = (unsigned char *)_TIFFmalloc(scanline_size);
+	if (buf == NULL) {
+		fprintf(stderr, "%s: Not enough memory\n", infile);
+		(void) TIFFClose(out);
+		exit(-2);
+	}
+ 	if (resolution > 0) {
+ 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
--- a/libtiff-am-version.patch
+++ b/libtiff-am-version.patch
@ -0,0 +1,31 @@
+Back off the minimum required automake version to 1.11.  There isn't
+anything in libtiff currently that actually requires 1.12, and changing
+this allows the package to be built on pre-F18 machines for easier testing.
+
+This patch can go away once we no longer care about testing on pre-F18.
+
+
+diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
+--- tiff-4.0.3.orig/Makefile.am	2012-09-20 09:22:47.000000000 -0400
+++ tiff-4.0.3/Makefile.am	2012-10-30 11:33:30.312823564 -0400
+@@ -25,7 +25,7 @@
+ 
+ docdir = $(LIBTIFF_DOCDIR)
+ 
+-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
+ ACLOCAL_AMFLAGS = -I m4
+ 
+ docfiles = \
+diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
+--- tiff-4.0.3.orig/test/Makefile.am	2012-09-20 09:22:28.000000000 -0400
+++ tiff-4.0.3/test/Makefile.am	2012-10-30 11:33:17.109696812 -0400
+@@ -23,7 +23,7 @@
+ 
+ # Process this file with automake to produce Makefile.in.
+ 
+-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
+ 
+ LIBTIFF = $(top_builddir)/libtiff/libtiff.la
+ 
--- a/libtiff-printdir-width.patch
+++ b/libtiff-printdir-width.patch
@ -0,0 +1,20 @@
+Back-patch upstream patch of 2012-12-12 ("Fix TIFF_VARIABLE/TIFF_VARIABLE2
+confusion in TIFFPrintDirectory").
+
+
+diff -Naur tiff-4.0.3.orig/libtiff/tif_print.c tiff-4.0.3/libtiff/tif_print.c
+--- tiff-4.0.3.orig/libtiff/tif_print.c	2012-08-19 12:56:35.000000000 -0400
+++ tiff-4.0.3/libtiff/tif_print.c	2012-12-12 16:53:05.355927641 -0500
+@@ -582,10 +582,10 @@
+ 				continue;
+ 
+ 			if(fip->field_passcount) {
+-				if (fip->field_readcount == TIFF_VARIABLE ) {
+				if (fip->field_readcount == TIFF_VARIABLE2 ) {
+ 					if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
+ 						continue;
+-				} else if (fip->field_readcount == TIFF_VARIABLE2 ) {
+				} else if (fip->field_readcount == TIFF_VARIABLE ) {
+ 					uint16 small_value_count;
+ 					if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1)
+ 						continue;
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.3
-Release: 1%{?dist}
+Release: 2%{?dist}

 License: libtiff
 Group: System Environment/Libraries
@ -9,6 +9,11 @@ URL: http://www.remotesensing.org/libtiff/

 Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz

+Patch0: libtiff-am-version.patch
+Patch1: libtiff-CVE-2012-4447.patch
+Patch2: libtiff-CVE-2012-4564.patch
+Patch3: libtiff-printdir-width.patch
+
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig

@ -58,6 +63,11 @@ image files using the libtiff library.
 %prep
 %setup -q -n tiff-%{version}

+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4

@ -160,6 +170,11 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Thu Dec 13 2012 Tom Lane <tgl@redhat.com> 4.0.3-2
+- Add upstream patches for CVE-2012-4447, CVE-2012-4564
+  (note: CVE-2012-5581 is already fixed in 4.0.3)
+Resolves: #880907
+
 * Thu Oct  4 2012 Tom Lane <tgl@redhat.com> 4.0.3-1
 - Update to libtiff 4.0.3