From f75cedfefe6ffebb0ff93c7e0f8572a5479e129f Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 3 Nov 2020 06:52:47 -0500
Subject: [PATCH] import libtiff-4.0.9-18.el8
---
 SOURCES/libtiff-CVE-2019-17546.patch | 104 +++++++++++++++++++++++++++
 SPECS/libtiff.spec | 7 +-
 2 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/libtiff-CVE-2019-17546.patch
diff --git a/SOURCES/libtiff-CVE-2019-17546.patch b/SOURCES/libtiff-CVE-2019-17546.patch
new file mode 100644
index 0000000..b802ce6
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2019-17546.patch
@@ -0,0 +1,104 @@
+From 3d451e3f95cbb67dd771a986991b5b6107140c4e Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Thu, 15 Aug 2019 15:05:28 +0200
+Subject: [PATCH] RGBA interface: fix integer overflow potentially causing
+ write heap buffer overflow, especially on 32 bit builds. Fixes
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS
+ Fuzz
+
+---
+ libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index ec09fea..c6edd27 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ fromskew = (w < imagewidth ? imagewidth - w : 0);
+ for (row = 0; row < h; row += nrow)
+ {
++ uint32 temp;
+ rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
+ nrowsub = nrow;
+ if ((nrowsub%subsamplingver)!=0)
+ nrowsub+=subsamplingver-nrowsub%subsamplingver;
++ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
++ return 0;
++ }
+ if (_TIFFReadEncodedStripAndAllocBuffer(tif,
+ TIFFComputeStrip(tif,row+img->row_offset, 0),
+ (void**)(&buf),
+ maxstripsize,
+- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
++ temp * scanline)==(tmsize_t)(-1)
+ && (buf == NULL || img->stoponerr))
+ {
+ ret = 0;
+@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ fromskew = (w < imagewidth ? imagewidth - w : 0);
+ for (row = 0; row < h; row += nrow)
+ {
++ uint32 temp;
+ rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
+ nrow = (row + rowstoread > h ? 
h - row : rowstoread);
+ offset_row = row + img->row_offset;
++ temp = (row + img->row_offset)%rowsperstrip + nrow;
++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
++ return 0;
++ }
+ if( buf == NULL )
+ {
+ if (_TIFFReadEncodedStripAndAllocBuffer(
+ tif, TIFFComputeStrip(tif, offset_row, 0),
+ (void**) &buf, bufsize,
+- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++ temp * scanline)==(tmsize_t)(-1)
+ && (buf == NULL || img->stoponerr))
+ {
+ ret = 0;
+@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+ }
+ else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
+- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++ p0, temp * scanline)==(tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+ if (colorchannels > 1
+ && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
+- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
++ p1, temp * scanline) == (tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+ if (colorchannels > 1
+ && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
+- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
++ p2, temp * scanline) == (tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ if (alpha)
+ {
+ if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
+- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++ pa, temp * scanline)==(tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 
0;
+--
+2.21.1
+
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index 4ce6c17..44c07bb 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.9
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: libtiff
 Group: System Environment/Libraries
 URL: http://www.simplesystems.org/libtiff/
@@ -22,6 +22,7 @@ Patch10: libtiff-CVE-2018-18557.patch
 Patch11: libtiff-CVE-2018-18661.patch
 Patch12: libtiff-CVE-2018-12900.patch
 Patch13: libtiff-CVE-2019-14973.patch
+Patch14: libtiff-CVE-2019-17546.patch
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@@ -87,6 +88,7 @@ image files using the libtiff library.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -190,6 +192,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 %changelog
+* Thu Feb 20 2020 Nikola Forró - 4.0.9-18
+- Fix CVE-2019-17546 (#1771372)
+
 * Thu Nov 28 2019 Nikola Forró - 4.0.9-17
 - Add upstream test suite and enable it in gating
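Review bot: `temp` in the new `++ uint32 temp;` lines is an uninformative name for the value that the guard and every strip-read size now share — the first wanted row's offset within the strip plus the rows to read — and the only explanation of the guard is the error string. A name such as `rows_in_strip` plus a one-line comment, `/* rows the strip buffer must hold; bounded so rows * scanline fits in tmsize_t */`, would document the fix where it lives; the same applies to the identical lines added in gtStripSeparate. Both gtStripContig and gtStripSeparate begin and end outside this hunk. The guard is also written twice with only the function name in the message differing, so a small static helper taking the function name would keep the two copies from drifting.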