rpms/libtiff
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2018-17100 (#1631070) and CVE-2018-17101 (#1631079)

Browse Source
This commit is contained in:
Nikola Forró 2018-10-11 16:00:46 +02:00
parent c3eccd2c64
commit b9f5e1a576
3 changed files with 120 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
libtiff-CVE-2018-17100.patch Normal file
View File

@ -0,0 +1,39 @@
From 175d6d447556c56fa93695eca26ef1af19ed7286 Mon Sep 17 00:00:00 2001
From: Young_X <YangX92@hotmail.com>
Date: Sat, 8 Sep 2018 14:46:27 +0800
Subject: [PATCH 1/2] avoid potential int32 overflows in multiply_ms()
---
tools/ppm2tiff.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
index 91415e9..81ffa3d 100644
--- a/tools/ppm2tiff.c
+++ b/tools/ppm2tiff.c
@@ -72,15 +72,16 @@ BadPPM(char* file)
exit(-2);
}
+
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
- tmsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-
- return bytes;
+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+ return 0;
+ return m1 * m2;
}
int
--
2.17.2

73
libtiff-CVE-2018-17101.patch Normal file
View File

@ -0,0 +1,73 @@
From 536c5752fe944f6288c87c773dcee74420865b65 Mon Sep 17 00:00:00 2001
From: Young_X <YangX92@hotmail.com>
Date: Sat, 8 Sep 2018 14:36:12 +0800
Subject: [PATCH 2/2] only read/write TIFFTAG_GROUP3OPTIONS or
TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4
---
tools/pal2rgb.c | 18 +++++++++++++++++-
tools/tiff2bw.c | 18 +++++++++++++++++-
2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 7a57800..01e9dab 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -391,7 +391,23 @@ cpTags(TIFF* in, TIFF* out)
{
struct cpTag *p;
for (p = tags; p < &tags[NTAGS]; p++)
- cpTag(in, out, p->tag, p->count, p->type);
+ {
+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX3 )
+ continue;
+ }
+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX4 )
+ continue;
+ }
+ cpTag(in, out, p->tag, p->count, p->type);
+ }
}
#undef NTAGS
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
index dad54af..0c53015 100644
--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
@@ -452,7 +452,23 @@ cpTags(TIFF* in, TIFF* out)
{
struct cpTag *p;
for (p = tags; p < &tags[NTAGS]; p++)
- cpTag(in, out, p->tag, p->count, p->type);
+ {
+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX3 )
+ continue;
+ }
+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX4 )
+ continue;
+ }
+ cpTag(in, out, p->tag, p->count, p->type);
+ }
}
#undef NTAGS
--
2.17.2

9
libtiff.spec
View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files Summary: Library of functions for manipulating TIFF format image files
Name: libtiff Name: libtiff
Version: 4.0.9 Version: 4.0.9
Release: 12%{?dist} Release: 13%{?dist}
License: libtiff License: libtiff
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.simplesystems.org/libtiff/ URL: http://www.simplesystems.org/libtiff/
@ -18,6 +18,8 @@ Patch6: libtiff-CVE-2018-8905.patch
Patch7: libtiff-CVE-2018-10963.patch Patch7: libtiff-CVE-2018-10963.patch
Patch8: libtiff-CVE-2017-11613.patch Patch8: libtiff-CVE-2017-11613.patch
Patch9: libtiff-CVE-2018-10779.patch Patch9: libtiff-CVE-2018-10779.patch
Patch10: libtiff-CVE-2018-17100.patch
Patch11: libtiff-CVE-2018-17101.patch
BuildRequires: gcc, gcc-c++ BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -79,6 +81,8 @@ image files using the libtiff library.
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1
%patch11 -p1
# Use build system's libtool.m4, not the one in the package. # Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4 rm -f libtool.m4
@ -182,6 +186,9 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Thu Oct 11 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-13
- Fix CVE-2018-17100 (#1631070) and CVE-2018-17101 (#1631079)
* Thu Oct 11 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-12 * Thu Oct 11 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-12
- Fix CVE-2018-10779 (#1577316) - Fix CVE-2018-10779 (#1577316)