From a2e7f4f6bcd2a7694f0a803054f90b3a6e3a2d74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikola=20Forr=C3=B3?= Date: Fri, 23 Mar 2018 15:42:09 +0100 Subject: [PATCH] Fix CVE-2018-5784 (#1537742) --- libtiff-CVE-2018-5784.patch | 128 ++++++++++++++++++++++++++++++++++++ libtiff.spec | 7 +- 2 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 libtiff-CVE-2018-5784.patch diff --git a/libtiff-CVE-2018-5784.patch b/libtiff-CVE-2018-5784.patch new file mode 100644 index 0000000..5f26e5d --- /dev/null +++ b/libtiff-CVE-2018-5784.patch @@ -0,0 +1,128 @@ +From 49723b0eb683cca80142b01a48ba1475fed5188a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nikola=20Forr=C3=B3?= +Date: Fri, 23 Mar 2018 15:35:39 +0100 +Subject: [PATCH] Fix for bug 2772 + +It is possible to craft a TIFF document where the IFD list is circular, +leading to an infinite loop while traversing the chain. The libtiff +directory reader has a failsafe that will break out of this loop after +reading 65535 directory entries, but it will continue processing, +consuming time and resources to process what is essentially a bogus TIFF +document. + +This change fixes the above behavior by breaking out of processing when +a TIFF document has >= 65535 directories and terminating with an error. +--- + contrib/addtiffo/tif_overview.c | 14 +++++++++++++- + tools/tiff2pdf.c | 10 ++++++++++ + tools/tiffcrop.c | 13 +++++++++++-- + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c +index c61ffbb..03b3573 100644 +--- a/contrib/addtiffo/tif_overview.c ++++ b/contrib/addtiffo/tif_overview.c +@@ -65,6 +65,8 @@ + # define MAX(a,b) ((a>b) ? a : b) + #endif + ++#define TIFF_DIR_MAX 65534 ++ + void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, + int (*)(double,void*), void * ); + +@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, + { + toff_t nBaseDirOffset; + toff_t nOffset; ++ tdir_t iNumDir; + + (void) bUseSubIFDs; + +@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, + return 0; + + TIFFWriteDirectory( hTIFF ); +- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); ++ iNumDir = TIFFNumberOfDirectories(hTIFF); ++ if( iNumDir > TIFF_DIR_MAX ) ++ { ++ TIFFErrorExt( TIFFClientdata(hTIFF), ++ "TIFF_WriteOverview", ++ "File `%s' has too many directories.\n", ++ TIFFFileName(hTIFF) ); ++ exit(-1); ++ } ++ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); + + nOffset = TIFFCurrentDirOffset( hTIFF ); + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 454befb..bdb9126 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); + + #define PS_UNIT_SIZE 72.0F + ++#define TIFF_DIR_MAX 65534 ++ + /* This type is of PDF color spaces. */ + typedef enum { + T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ +@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 xuint16=0; + + directorycount=TIFFNumberOfDirectories(input); ++ if(directorycount > TIFF_DIR_MAX) { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "TIFF contains too many directories, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); + if(t2p->tiff_pages==NULL){ + TIFFError( +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index c69177e..c60cb38 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); + #define DUMP_TEXT 1 + #define DUMP_RAW 2 + ++#define TIFF_DIR_MAX 65534 ++ + /* Offsets into buffer for margins and fixed width and length segments */ + struct offset { + uint32 tmargin; +@@ -2233,7 +2235,7 @@ main(int argc, char* argv[]) + pageNum = -1; + else + total_images = 0; +- /* read multiple input files and write to output file(s) */ ++ /* Read multiple input files and write to output file(s) */ + while (optind < argc - 1) + { + in = TIFFOpen (argv[optind], "r"); +@@ -2241,7 +2243,14 @@ main(int argc, char* argv[]) + return (-3); + + /* If only one input file is specified, we can use directory count */ +- total_images = TIFFNumberOfDirectories(in); ++ total_images = TIFFNumberOfDirectories(in); ++ if (total_images > TIFF_DIR_MAX) ++ { ++ TIFFError (TIFFFileName(in), "File contains too many directories"); ++ if (out != NULL) ++ (void) TIFFClose(out); ++ return (1); ++ } + if (image_count == 0) + { + dirnum = 0; +-- +2.13.6 + diff --git a/libtiff.spec b/libtiff.spec index 30a2993..8819bff 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.0.9 -Release: 6%{?dist} +Release: 7%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -10,6 +10,7 @@ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz Patch0: libtiff-am-version.patch Patch1: libtiff-make-check.patch +Patch2: libtiff-CVE-2018-5784.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel @@ -63,6 +64,7 @@ image files using the libtiff library. %patch0 -p1 %patch1 -p1 +%patch2 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -166,6 +168,9 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Fri Mar 23 2018 Nikola Forró - 4.0.9-7 +- Fix CVE-2018-5784 (#1537742) + * Tue Feb 20 2018 Nikola Forró - 4.0.9-6 - Add missing gcc-c++ build dependency