Fix CVE-2018-10779 (#1577316)

2018-10-11 13:09:09 +02:00 · 2018-10-11 13:09:09 +02:00 · c3eccd2c64
commit c3eccd2c64
parent 2c55bfaeae
2 changed files with 30 additions and 1 deletions
--- a/libtiff-CVE-2018-10779.patch
+++ b/libtiff-CVE-2018-10779.patch
@ -0,0 +1,24 @@
+commit 14ffb69a5892fcfff6c72e73af74565467ab6ae9
+Author: Even Rouault <even.rouault@spatialys.com>
+Date:   Wed Aug 15 16:34:40 2018 +0200
+
+    TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit systems with large number of strips. Probably relates to http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
+
+diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
+index 4c216ec..208a2ee 100644
+--- a/libtiff/tif_write.c
+++ b/libtiff/tif_write.c
+@@ -540,9 +540,11 @@ TIFFSetupStrips(TIFF* tif)
+ 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+ 		td->td_stripsperimage /= td->td_samplesperpixel;
+ 	td->td_stripoffset = (uint64 *)
+-	    _TIFFmalloc(td->td_nstrips * sizeof (uint64));
+            _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
+                             "for \"StripOffsets\" array");
+ 	td->td_stripbytecount = (uint64 *)
+-	    _TIFFmalloc(td->td_nstrips * sizeof (uint64));
+            _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
+                             "for \"StripByteCounts\" array");
+ 	if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
+ 		return (0);
+ 	/*
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       11%{?dist}
+Release:       12%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@ -17,6 +17,7 @@ Patch5:        libtiff-CVE-2017-18013.patch
 Patch6:        libtiff-CVE-2018-8905.patch
 Patch7:        libtiff-CVE-2018-10963.patch
 Patch8:        libtiff-CVE-2017-11613.patch
+Patch9:        libtiff-CVE-2018-10779.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -77,6 +78,7 @@ image files using the libtiff library.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -180,6 +182,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Thu Oct 11 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-12
+- Fix CVE-2018-10779 (#1577316)
+
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.9-11
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild