Fix CVE-2011-0192 and a gif2tiff bug

This commit is contained in:
Tom Lane 2011-03-02 17:18:15 -05:00
parent dcf08f89eb
commit 7abdd8bb18
3 changed files with 56 additions and 1 deletions

View File

@ -0,0 +1,23 @@
Protect against a fax VL(n) codeword commanding a move left. Without
this, a malicious input file can generate an indefinitely large series
of runs without a0 ever reaching the right margin, thus overrunning
our buffer of run lengths. Per CVE-2011-0192. This is a modified
version of a patch proposed by Drew Yao of Apple Product Security.
It adds an unexpected() report, and disallows the equality case, since
emitting a run without increasing a0 still allows buffer overrun.
diff -Naur tiff-3.9.4.orig/libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
--- tiff-3.9.4.orig/libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400
+++ tiff-3.9.4/libtiff/tif_fax3.h 2011-02-22 15:20:22.336377923 -0500
@@ -478,6 +478,10 @@
break; \
case S_VL: \
CHECK_b1; \
+ if (b1 <= (int) (a0 + TabEnt->Param)) { \
+ unexpected("VL", a0); \
+ goto eol2d; \
+ } \
SETVALUE(b1 - a0 - TabEnt->Param); \
b1 -= *--pb; \
break; \

View File

@ -0,0 +1,22 @@
gif2tiff buffer overrun. Filed upstream at
http://bugzilla.maptools.org/show_bug.cgi?id=2270
This appears not to be security critical: it's a read not a write
overrun, so the worst possible consequence is SIGSEGV, and even that
doesn't seem to happen on any popular architectures.
diff -Naur tiff-3.9.4.orig/tools/gif2tiff.c tiff-3.9.4/tools/gif2tiff.c
--- tiff-3.9.4.orig/tools/gif2tiff.c 2010-06-08 14:50:44.000000000 -0400
+++ tiff-3.9.4/tools/gif2tiff.c 2010-11-02 22:32:10.018264489 -0400
@@ -503,6 +503,10 @@
strip = 0;
stripsize = TIFFStripSize(tif);
for (row=0; row<height; row += rowsperstrip) {
+ if (rowsperstrip > height-row) {
+ rowsperstrip = height-row;
+ stripsize = TIFFVStripSize(tif, rowsperstrip);
+ }
if (TIFFWriteEncodedStrip(tif, strip, newras+row*width, stripsize) < 0)
break;
strip++;

View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 3.9.4
Release: 2%{?dist}
Release: 3%{?dist}
License: libtiff
Group: System Environment/Libraries
@ -18,6 +18,8 @@ Patch7: libtiff-subsampling.patch
Patch8: libtiff-unknown-fix.patch
Patch9: libtiff-checkbytecount.patch
Patch10: libtiff-tiffdump.patch
Patch11: libtiff-CVE-2011-0192.patch
Patch12: libtiff-gif2tiff-overrun.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel libjpeg-devel
@ -80,6 +82,8 @@ image files using the libtiff library.
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@ -191,6 +195,12 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/*
%changelog
* Wed Mar 2 2011 Tom Lane <tgl@redhat.com> 3.9.4-3
- Add patch for CVE-2011-0192
Resolves: #681672
- Fix non-security-critical potential SIGSEGV in gif2tiff
Related: #648820
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild