From 7abdd8bb1884924321289541e36192c6854ff3d1 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Wed, 2 Mar 2011 17:18:15 -0500 Subject: [PATCH] Fix CVE-2011-0192 and a gif2tiff bug --- libtiff-CVE-2011-0192.patch | 23 +++++++++++++++++++++++ libtiff-gif2tiff-overrun.patch | 22 ++++++++++++++++++++++ libtiff.spec | 12 +++++++++++- 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 libtiff-CVE-2011-0192.patch create mode 100644 libtiff-gif2tiff-overrun.patch diff --git a/libtiff-CVE-2011-0192.patch b/libtiff-CVE-2011-0192.patch new file mode 100644 index 0000000..340a161 --- /dev/null +++ b/libtiff-CVE-2011-0192.patch @@ -0,0 +1,23 @@ +Protect against a fax VL(n) codeword commanding a move left. Without +this, a malicious input file can generate an indefinitely large series +of runs without a0 ever reaching the right margin, thus overrunning +our buffer of run lengths. Per CVE-2011-0192. This is a modified +version of a patch proposed by Drew Yao of Apple Product Security. +It adds an unexpected() report, and disallows the equality case, since +emitting a run without increasing a0 still allows buffer overrun. + + +diff -Naur tiff-3.9.4.orig/libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h +--- tiff-3.9.4.orig/libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400 ++++ tiff-3.9.4/libtiff/tif_fax3.h 2011-02-22 15:20:22.336377923 -0500 +@@ -478,6 +478,10 @@ + break; \ + case S_VL: \ + CHECK_b1; \ ++ if (b1 <= (int) (a0 + TabEnt->Param)) { \ ++ unexpected("VL", a0); \ ++ goto eol2d; \ ++ } \ + SETVALUE(b1 - a0 - TabEnt->Param); \ + b1 -= *--pb; \ + break; \ diff --git a/libtiff-gif2tiff-overrun.patch b/libtiff-gif2tiff-overrun.patch new file mode 100644 index 0000000..eff7343 --- /dev/null +++ b/libtiff-gif2tiff-overrun.patch @@ -0,0 +1,22 @@ +gif2tiff buffer overrun. Filed upstream at +http://bugzilla.maptools.org/show_bug.cgi?id=2270 + +This appears not to be security critical: it's a read not a write +overrun, so the worst possible consequence is SIGSEGV, and even that +doesn't seem to happen on any popular architectures. + + +diff -Naur tiff-3.9.4.orig/tools/gif2tiff.c tiff-3.9.4/tools/gif2tiff.c +--- tiff-3.9.4.orig/tools/gif2tiff.c 2010-06-08 14:50:44.000000000 -0400 ++++ tiff-3.9.4/tools/gif2tiff.c 2010-11-02 22:32:10.018264489 -0400 +@@ -503,6 +503,10 @@ + strip = 0; + stripsize = TIFFStripSize(tif); + for (row=0; row height-row) { ++ rowsperstrip = height-row; ++ stripsize = TIFFVStripSize(tif, rowsperstrip); ++ } + if (TIFFWriteEncodedStrip(tif, strip, newras+row*width, stripsize) < 0) + break; + strip++; diff --git a/libtiff.spec b/libtiff.spec index 1091715..98e4c4a 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 3.9.4 -Release: 2%{?dist} +Release: 3%{?dist} License: libtiff Group: System Environment/Libraries @@ -18,6 +18,8 @@ Patch7: libtiff-subsampling.patch Patch8: libtiff-unknown-fix.patch Patch9: libtiff-checkbytecount.patch Patch10: libtiff-tiffdump.patch +Patch11: libtiff-CVE-2011-0192.patch +Patch12: libtiff-gif2tiff-overrun.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: zlib-devel libjpeg-devel @@ -80,6 +82,8 @@ image files using the libtiff library. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -191,6 +195,12 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/* %changelog +* Wed Mar 2 2011 Tom Lane 3.9.4-3 +- Add patch for CVE-2011-0192 +Resolves: #681672 +- Fix non-security-critical potential SIGSEGV in gif2tiff +Related: #648820 + * Tue Feb 08 2011 Fedora Release Engineering - 3.9.4-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild