Fix CVE-2011-0192 and a gif2tiff bug

2011-03-02 17:18:15 -05:00 · 2011-03-02 17:18:15 -05:00 · 7abdd8bb18
commit 7abdd8bb18
parent dcf08f89eb
3 changed files with 56 additions and 1 deletions
--- a/libtiff-CVE-2011-0192.patch
+++ b/libtiff-CVE-2011-0192.patch
@ -0,0 +1,23 @@
+Protect against a fax VL(n) codeword commanding a move left.  Without
+this, a malicious input file can generate an indefinitely large series
+of runs without a0 ever reaching the right margin, thus overrunning
+our buffer of run lengths.  Per CVE-2011-0192.  This is a modified
+version of a patch proposed by Drew Yao of Apple Product Security.
+It adds an unexpected() report, and disallows the equality case, since
+emitting a run without increasing a0 still allows buffer overrun.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
+--- tiff-3.9.4.orig/libtiff/tif_fax3.h	2010-06-08 14:50:42.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_fax3.h	2011-02-22 15:20:22.336377923 -0500
+@@ -478,6 +478,10 @@
+ 	    break;							\
+ 	case S_VL:							\
+ 	    CHECK_b1;							\
+	    if (b1 <= (int) (a0 + TabEnt->Param)) {			\
+		unexpected("VL", a0);					\
+		goto eol2d;						\
+	    }								\
+ 	    SETVALUE(b1 - a0 - TabEnt->Param);				\
+ 	    b1 -= *--pb;						\
+ 	    break;							\
--- a/libtiff-gif2tiff-overrun.patch
+++ b/libtiff-gif2tiff-overrun.patch
@ -0,0 +1,22 @@
+gif2tiff buffer overrun.  Filed upstream at
+http://bugzilla.maptools.org/show_bug.cgi?id=2270
+
+This appears not to be security critical: it's a read not a write
+overrun, so the worst possible consequence is SIGSEGV, and even that
+doesn't seem to happen on any popular architectures.
+
+
+diff -Naur tiff-3.9.4.orig/tools/gif2tiff.c tiff-3.9.4/tools/gif2tiff.c
+--- tiff-3.9.4.orig/tools/gif2tiff.c	2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/gif2tiff.c	2010-11-02 22:32:10.018264489 -0400
+@@ -503,6 +503,10 @@
+     strip = 0;
+     stripsize = TIFFStripSize(tif);
+     for (row=0; row<height; row += rowsperstrip) {
+	if (rowsperstrip > height-row) {
+	    rowsperstrip = height-row;
+	    stripsize = TIFFVStripSize(tif, rowsperstrip);
+	}
+ 	if (TIFFWriteEncodedStrip(tif, strip, newras+row*width, stripsize) < 0)
+ 	    break;
+ 	strip++;
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 3.9.4
-Release: 2%{?dist}
+Release: 3%{?dist}

 License: libtiff
 Group: System Environment/Libraries
@ -18,6 +18,8 @@ Patch7: libtiff-subsampling.patch
 Patch8: libtiff-unknown-fix.patch
 Patch9: libtiff-checkbytecount.patch
 Patch10: libtiff-tiffdump.patch
+Patch11: libtiff-CVE-2011-0192.patch
+Patch12: libtiff-gif2tiff-overrun.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel libjpeg-devel
@ -80,6 +82,8 @@ image files using the libtiff library.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
+%patch12 -p1

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -191,6 +195,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/*

 %changelog
+* Wed Mar  2 2011 Tom Lane <tgl@redhat.com> 3.9.4-3
+- Add patch for CVE-2011-0192
+Resolves: #681672
+- Fix non-security-critical potential SIGSEGV in gif2tiff
+Related: #648820
+
 * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9.4-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild