Fix CVE-2018-17100 (#1631070) and CVE-2018-17101 (#1631079)

2018-10-11 16:00:46 +02:00 · 2018-10-11 16:00:46 +02:00 · b9f5e1a576
commit b9f5e1a576
parent c3eccd2c64
3 changed files with 120 additions and 1 deletions
--- a/libtiff-CVE-2018-17100.patch
+++ b/libtiff-CVE-2018-17100.patch
@ -0,0 +1,39 @@
+From 175d6d447556c56fa93695eca26ef1af19ed7286 Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:46:27 +0800
+Subject: [PATCH 1/2] avoid potential int32 overflows in multiply_ms()
+
+---
+ tools/ppm2tiff.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
+index 91415e9..81ffa3d 100644
+--- a/tools/ppm2tiff.c
+++ b/tools/ppm2tiff.c
+@@ -72,15 +72,16 @@ BadPPM(char* file)
+ 	exit(-2);
+ }
+ 
+
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+-	tmsize_t bytes = m1 * m2;
+-
+-	if (m1 && bytes / m1 != m2)
+-		bytes = 0;
+-
+-	return bytes;
+        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+            return 0;
+        return m1 * m2;
+ }
+ 
+ int
+-- 
+2.17.2
+
--- a/libtiff-CVE-2018-17101.patch
+++ b/libtiff-CVE-2018-17101.patch
@ -0,0 +1,73 @@
+From 536c5752fe944f6288c87c773dcee74420865b65 Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:36:12 +0800
+Subject: [PATCH 2/2] only read/write TIFFTAG_GROUP3OPTIONS or
+ TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
+ COMPRESSION_CCITTFAX4
+
+---
+ tools/pal2rgb.c | 18 +++++++++++++++++-
+ tools/tiff2bw.c | 18 +++++++++++++++++-
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 7a57800..01e9dab 100644
+--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
+@@ -391,7 +391,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+     struct cpTag *p;
+     for (p = tags; p < &tags[NTAGS]; p++)
+-	cpTag(in, out, p->tag, p->count, p->type);
+    {
+        if( p->tag == TIFFTAG_GROUP3OPTIONS )
+        {
+            uint16 compression;
+            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+                    compression != COMPRESSION_CCITTFAX3 )
+                continue;
+        }
+        if( p->tag == TIFFTAG_GROUP4OPTIONS )
+        {
+            uint16 compression;
+            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+                    compression != COMPRESSION_CCITTFAX4 )
+                continue;
+        }
+        cpTag(in, out, p->tag, p->count, p->type);
+    }
+ }
+ #undef NTAGS
+ 
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index dad54af..0c53015 100644
+--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
+@@ -452,7 +452,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+     struct cpTag *p;
+     for (p = tags; p < &tags[NTAGS]; p++)
+-	cpTag(in, out, p->tag, p->count, p->type);
+    {
+        if( p->tag == TIFFTAG_GROUP3OPTIONS )
+        {
+            uint16 compression;
+            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+                    compression != COMPRESSION_CCITTFAX3 )
+                continue;
+        }
+        if( p->tag == TIFFTAG_GROUP4OPTIONS )
+        {
+            uint16 compression;
+            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+                    compression != COMPRESSION_CCITTFAX4 )
+                continue;
+        }
+        cpTag(in, out, p->tag, p->count, p->type);
+    }
+ }
+ #undef NTAGS
+ 
+-- 
+2.17.2
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       12%{?dist}
+Release:       13%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@ -18,6 +18,8 @@ Patch6:        libtiff-CVE-2018-8905.patch
 Patch7:        libtiff-CVE-2018-10963.patch
 Patch8:        libtiff-CVE-2017-11613.patch
 Patch9:        libtiff-CVE-2018-10779.patch
+Patch10:       libtiff-CVE-2018-17100.patch
+Patch11:       libtiff-CVE-2018-17101.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -79,6 +81,8 @@ image files using the libtiff library.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -182,6 +186,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Thu Oct 11 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-13
+- Fix CVE-2018-17100 (#1631070) and CVE-2018-17101 (#1631079)
+
 * Thu Oct 11 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-12
 - Fix CVE-2018-10779 (#1577316)