gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].

Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.

* gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
This commit is contained in:
Leo Famulari 2017-06-14 22:26:15 -04:00
parent ec7e9eeae6
commit 8d138ea087
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
3 changed files with 203 additions and 0 deletions

View file

@ -770,6 +770,7 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-invalid-read.patch \ %D%/packages/patches/libtiff-invalid-read.patch \
%D%/packages/patches/libtiff-null-dereference.patch \ %D%/packages/patches/libtiff-null-dereference.patch \
%D%/packages/patches/libtiff-tiffcp-underflow.patch \ %D%/packages/patches/libtiff-tiffcp-underflow.patch \
%D%/packages/patches/libtiff-tiffgetfield-bugs.patch \
%D%/packages/patches/libtirpc-CVE-2017-8779.patch \ %D%/packages/patches/libtirpc-CVE-2017-8779.patch \
%D%/packages/patches/libtorrent-rasterbar-boost-compat.patch \ %D%/packages/patches/libtorrent-rasterbar-boost-compat.patch \
%D%/packages/patches/libtool-skip-tests2.patch \ %D%/packages/patches/libtool-skip-tests2.patch \

View file

@ -393,6 +393,7 @@ (define libtiff-4.0.8
(method url-fetch) (method url-fetch)
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-" (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
version ".tar.gz")) version ".tar.gz"))
(patches (search-patches "libtiff-tiffgetfield-bugs.patch"))
(sha256 (sha256
(base32 (base32
"0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr")))))) "0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))))

View file

@ -0,0 +1,201 @@
Fix several bugs in libtiff related to use of TIFFGetField():
http://bugzilla.maptools.org/show_bug.cgi?id=2580
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095
Patch copied from upstream CVS. 3rd-party Git reference:
https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06
2017-06-01 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
to behave differently depending on whether the codec is enabled or not, and
thus can avoid stack based buffer overflows in a number of TIFF utilities
such as tiffsplit, tiffcmp, thumbnail, etc.
Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
Fixes:
http://bugzilla.maptools.org/show_bug.cgi?id=2580
http://bugzilla.maptools.org/show_bug.cgi?id=2693
http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
http://bugzilla.maptools.org/show_bug.cgi?id=2441
http://bugzilla.maptools.org/show_bug.cgi?id=2433
Index: libtiff/libtiff/tif_dirread.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
retrieving revision 1.208
retrieving revision 1.209
diff -u -r1.208 -r1.209
--- libtiff/libtiff/tif_dirread.c 27 Apr 2017 15:46:22 -0000 1.208
+++ libtiff/libtiff/tif_dirread.c 1 Jun 2017 12:44:04 -0000 1.209
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -3580,6 +3580,10 @@
goto bad;
dp->tdir_tag=IGNORE;
break;
+ default:
+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
+ dp->tdir_tag=IGNORE;
+ break;
}
}
}
Index: libtiff/libtiff/tif_dirinfo.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v
retrieving revision 1.126
retrieving revision 1.127
diff -u -r1.126 -r1.127
--- libtiff/libtiff/tif_dirinfo.c 18 Nov 2016 02:52:13 -0000 1.126
+++ libtiff/libtiff/tif_dirinfo.c 1 Jun 2017 12:44:04 -0000 1.127
@@ -1,4 +1,4 @@
-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
+/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -956,6 +956,109 @@
return 0;
}
+int
+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+{
+ /* Filter out non-codec specific tags */
+ switch (tag) {
+ /* Shared tags */
+ case TIFFTAG_PREDICTOR:
+ /* JPEG tags */
+ case TIFFTAG_JPEGTABLES:
+ /* OJPEG tags */
+ case TIFFTAG_JPEGIFOFFSET:
+ case TIFFTAG_JPEGIFBYTECOUNT:
+ case TIFFTAG_JPEGQTABLES:
+ case TIFFTAG_JPEGDCTABLES:
+ case TIFFTAG_JPEGACTABLES:
+ case TIFFTAG_JPEGPROC:
+ case TIFFTAG_JPEGRESTARTINTERVAL:
+ /* CCITT* */
+ case TIFFTAG_BADFAXLINES:
+ case TIFFTAG_CLEANFAXDATA:
+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
+ case TIFFTAG_GROUP3OPTIONS:
+ case TIFFTAG_GROUP4OPTIONS:
+ break;
+ default:
+ return 1;
+ }
+ /* Check if codec specific tags are allowed for the current
+ * compression scheme (codec) */
+ switch (tif->tif_dir.td_compression) {
+ case COMPRESSION_LZW:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_PACKBITS:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_THUNDERSCAN:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_NEXT:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_JPEG:
+ if (tag == TIFFTAG_JPEGTABLES)
+ return 1;
+ break;
+ case COMPRESSION_OJPEG:
+ switch (tag) {
+ case TIFFTAG_JPEGIFOFFSET:
+ case TIFFTAG_JPEGIFBYTECOUNT:
+ case TIFFTAG_JPEGQTABLES:
+ case TIFFTAG_JPEGDCTABLES:
+ case TIFFTAG_JPEGACTABLES:
+ case TIFFTAG_JPEGPROC:
+ case TIFFTAG_JPEGRESTARTINTERVAL:
+ return 1;
+ }
+ break;
+ case COMPRESSION_CCITTRLE:
+ case COMPRESSION_CCITTRLEW:
+ case COMPRESSION_CCITTFAX3:
+ case COMPRESSION_CCITTFAX4:
+ switch (tag) {
+ case TIFFTAG_BADFAXLINES:
+ case TIFFTAG_CLEANFAXDATA:
+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
+ return 1;
+ case TIFFTAG_GROUP3OPTIONS:
+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
+ return 1;
+ break;
+ case TIFFTAG_GROUP4OPTIONS:
+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
+ return 1;
+ break;
+ }
+ break;
+ case COMPRESSION_JBIG:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_DEFLATE:
+ case COMPRESSION_ADOBE_DEFLATE:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_PIXARLOG:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+ case COMPRESSION_SGILOG:
+ case COMPRESSION_SGILOG24:
+ /* No codec-specific tags */
+ break;
+ case COMPRESSION_LZMA:
+ if (tag == TIFFTAG_PREDICTOR)
+ return 1;
+ break;
+
+ }
+ return 0;
+}
+
/* vim: set ts=8 sts=8 sw=8 noet: */
/*
Index: libtiff/libtiff/tif_dir.h
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -r1.54 -r1.55
--- libtiff/libtiff/tif_dir.h 18 Feb 2011 20:53:05 -0000 1.54
+++ libtiff/libtiff/tif_dir.h 1 Jun 2017 12:44:04 -0000 1.55
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
+/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -291,6 +291,7 @@
extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
#if defined(__cplusplus)
}