GNU bug report logs - #26804
[PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598, 7599, 7600, 7601, 7602}.


Package: guix-patches;

Reported by: Kei Kebreau <kei <at> openmailbox.org>

Date: Sat, 6 May 2017 14:47:01 UTC

Severity: normal

Tags: patch

Done: Kei Kebreau <kei <at> openmailbox.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#26804; Package guix-patches. (Sat, 06 May 2017 14:47:01 GMT)

Acknowledgement sent to Kei Kebreau <kei <at> openmailbox.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 06 May 2017 14:47:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Kei Kebreau <kei <at> openmailbox.org>
To: guix-patches <at> gnu.org
Cc: Kei Kebreau <kei <at> openmailbox.org>
Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597, 7598,
 7599, 7600, 7601, 7602}.
Date: Sat,  6 May 2017 10:45:57 -0400
* gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
* gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
* gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[source]: Use them.
---
 gnu/local.mk                                       |   3 +
 gnu/packages/image.scm                             |   7 +-
 gnu/packages/patches/libtiff-CVE-2017-7593.patch   | 113 ++++++
 gnu/packages/patches/libtiff-CVE-2017-7594.patch   |  54 +++
 .../patches/libtiff-multiple-UBSAN-crashes.patch   | 449 +++++++++++++++++++++
 5 files changed, 624 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7593.patch
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7594.patch
 create mode 100644 gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c93dca64c..d983d62fd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -739,6 +739,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtiff-CVE-2016-10093.patch		\
   %D%/packages/patches/libtiff-CVE-2016-10094.patch		\
   %D%/packages/patches/libtiff-CVE-2017-5225.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-7593.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-7594.patch		\
+  %D%/packages/patches/libtiff-multiple-UBSAN-crashes.patch	\
   %D%/packages/patches/libtiff-assertion-failure.patch		\
   %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch	\
   %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch	\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 2027395ca..a8cc837d5 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Tobias Geerinckx-Rice <me <at> tobias.gr>
 ;;; Copyright © 2016 Eric Bavier <bavier <at> member.fsf.org>
 ;;; Copyright © 2016 Arun Isaac <arunisaac <at> systemreboot.net>
-;;; Copyright © 2016 Kei Kebreau <kei <at> openmailbox.org>
+;;; Copyright © 2016, 2017 Kei Kebreau <kei <at> openmailbox.org>
 ;;; Copyright © 2017 ng0 <contact.ng0 <at> cryptolab.net>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -319,7 +319,10 @@ extracting icontainer icon files.")
                                      "libtiff-divide-by-zero-tiffcp.patch"
                                      "libtiff-assertion-failure.patch"
                                      "libtiff-CVE-2016-10094.patch"
-                                     "libtiff-CVE-2017-5225.patch"))
+                                     "libtiff-CVE-2017-5225.patch"
+                                     "libtiff-CVE-2017-7593.patch"
+                                     "libtiff-CVE-2017-7594.patch"
+                                     "libtiff-multiple-UBSAN-crashes.patch"))
             (sha256
              (base32
               "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
diff --git a/gnu/packages/patches/libtiff-CVE-2017-7593.patch b/gnu/packages/patches/libtiff-CVE-2017-7593.patch
new file mode 100644
index 000000000..496efb73b
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-7593.patch
@@ -0,0 +1,113 @@
+Fixes CVE-2017-7593 (Potential uninitialized-memory access from tif_rawdata):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2651
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7593
+https://security-tracker.debian.org/tracker/CVE-2017-7593
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add
+        _TIFFcalloc()
+
+        * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+        initialize tif_rawdata.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1208; previous revision: 1.1207
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v  <--  libtiff/tif_read.c
+new revision: 1.53; previous revision: 1.52
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v  <--  libtiff/tif_unix.c
+new revision: 1.28; previous revision: 1.27
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v  <--  libtiff/tif_vms.c
+new revision: 1.14; previous revision: 1.13
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v  <--  libtiff/tif_win32.c
+new revision: 1.42; previous revision: 1.41
+/cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v  <--  libtiff/tiffio.h
+new revision: 1.94; previous revision: 1.93
+
+diff -ru tiff-4.0.7/libtiff/tiffio.h tiff-4.0.7.new/libtiff/tiffio.h
+--- tiff-4.0.7/libtiff/tiffio.h	1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tiffio.h	2017-05-05 19:08:03.772999790 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -293,6 +293,7 @@
+  */
+ 
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
+diff -ru tiff-4.0.7/libtiff/tif_read.c tiff-4.0.7.new/libtiff/tif_read.c
+--- tiff-4.0.7/libtiff/tif_read.c	2017-05-05 19:04:09.740966642 -0400
++++ tiff-4.0.7.new/libtiff/tif_read.c	2017-05-05 18:59:11.070709441 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
++/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -976,7 +976,9 @@
+ 				"Invalid buffer size");
+ 		    return (0);
+ 		}
+-		tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
++		/* Initialize to zero to avoid uninitialized buffers in case of */
++		/* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
++		tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+ 		tif->tif_flags |= TIFF_MYBUFFER;
+ 	}
+ 	if (tif->tif_rawdata == NULL) {
+diff -ru tiff-4.0.7/libtiff/tif_unix.c tiff-4.0.7.new/libtiff/tif_unix.c
+--- tiff-4.0.7/libtiff/tif_unix.c	1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tif_unix.c	2017-05-05 19:10:48.302645187 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */
++/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -316,6 +316,14 @@
+ 	return (malloc((size_t) s));
+ }
+ 
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++    if( nmemb == 0 || siz == 0 )
++        return ((void *) NULL);
++
++    return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+diff -ru tiff-4.0.7/libtiff/tif_win32.c tiff-4.0.7.new/libtiff/tif_win32.c
+--- tiff-4.0.7/libtiff/tif_win32.c	1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tif_win32.c	2017-05-05 19:13:06.903399627 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */
++/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -360,6 +360,14 @@
+ 	return (malloc((size_t) s));
+ }
+ 
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++    if( nmemb == 0 || siz == 0 )
++        return ((void *) NULL);
++
++    return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
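Review bot: the ChangeLog text at the top of this file lists tif_vms.c among the files that gained `_TIFFcalloc()`, but the embedded diff only covers tiffio.h, tif_unix.c and tif_win32.c; either say in the header that the VMS hunk was dropped (harmless for Guix, which compiles tif_unix.c) or include it for fidelity to upstream. In the tif_read.c hunk, `_TIFFcalloc(1, tif->tif_rawdatasize)` returns NULL for a zero size and leaves that to the existing `if (tif->tif_rawdata == NULL)` check, which is fine as long as the "Invalid buffer size" test a few lines above already rejects a zero `tif_rawdatasize`; worth confirming against the full function in 4.0.7 when applying the patch.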
diff --git a/gnu/packages/patches/libtiff-CVE-2017-7594.patch b/gnu/packages/patches/libtiff-CVE-2017-7594.patch
new file mode 100644
index 000000000..d17997d44
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-7594.patch
@@ -0,0 +1,54 @@
+Fixes CVE-2017-7594 (Direct leak in tif_ojpeg.c):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2659
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7594
+https://security-tracker.debian.org/tracker/CVE-2017-7594
+
+2017-01-12 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
+        when read fails.
+        Patch by Nicolás Peña.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1212; previous revision: 1.1211
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v  <--  libtiff/tif_ojpeg.c
+new revision: 1.67; previous revision: 1.66
+
+Index: libtiff/libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.67
+retrieving revision 1.68
+diff -u -r1.67 -r1.68
+--- libtiff/libtiff/tif_ojpeg.c	12 Jan 2017 17:43:26 -0000	1.67
++++ libtiff/libtiff/tif_ojpeg.c	12 Jan 2017 19:23:20 -0000	1.68
+@@ -1,4 +1,4 @@
+-/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
++/* $Id: tif_ojpeg.c,v 1.68 2017-01-12 19:23:20 erouault Exp $ */
+ 
+ /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
+    specification is now totally obsolete and deprecated for new applications and
+@@ -1790,7 +1790,10 @@
+ 			TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); 
+ 			p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
+ 			if (p!=64)
++                        {
++                                _TIFFfree(ob);
+ 				return(0);
++                        }
+ 			sp->qtable[m]=ob;
+ 			sp->sof_tq[m]=m;
+ 		}
+@@ -1854,7 +1857,10 @@
+ 				rb[sizeof(uint32)+5+n]=o[n];
+ 			p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ 			if (p!=q)
++                        {
++                                _TIFFfree(rb);
+ 				return(0);
++                        }
+ 			sp->dctable[m]=rb;
+ 			sp->sos_tda[m]=(m<<4);
+ 		}
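Review bot: the diff range in this file does not match the ChangeLog entry quoted above it. The entry (ChangeLog 1.1212, tif_ojpeg.c 1.67) describes a leak fix in OJPEGReadHeaderInfoSecTablesAcTable, but the embedded diff is `-r1.67 -r1.68`, and its two hunks free `ob` and `rb` before the early returns that precede the `sp->qtable[m]` and `sp->dctable[m]` assignments, i.e. the quantization-table and DC-table readers; the AC-table change from revision 1.67 is not in this file, even though the `$Id` hunk jumps from 1.66 to 1.68. Please check whether the 1.66->1.67 hunk needs to be included as well so the patch covers the whole of the CVE-2017-7594 fix, and bring the header lines into agreement with whatever is actually included.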
diff --git a/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
new file mode 100644
index 000000000..2f4509f38
--- /dev/null
+++ b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
@@ -0,0 +1,449 @@
+Fixes CVE-2017-{7595,7596,7597,7598,7599,7600,7601,7602}:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7595
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7596
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7597
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7598
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7599
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7600
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7601
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7602
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various
+        clampings
+        of double to other data types to avoid undefined behaviour if the
+        output range
+        isn't big enough to hold the input value.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
+        http://bugzilla.maptools.org/show_bug.cgi?id=2642
+        http://bugzilla.maptools.org/show_bug.cgi?id=2646
+        http://bugzilla.maptools.org/show_bug.cgi?id=2647
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1204; previous revision: 1.1203
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v  <--  libtiff/tif_dir.c
+new revision: 1.129; previous revision: 1.128
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <-- libtiff/tif_dirread.c
+new revision: 1.207; previous revision: 1.206
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v  <-- libtiff/tif_dirwrite.c
+new revision: 1.85; previous revision: 1.84
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_dirread.c: avoid division by floating point 0 in
+        TIFFReadDirEntryCheckedRational() and
+        TIFFReadDirEntryCheckedSrational(),
+        and return 0 in that case (instead of infinity as before presumably)
+        Apparently some sanitizers do not like those divisions by zero.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <-- ChangeLog
+new revision: 1.1203; previous revision: 1.1202
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <-- libtiff/tif_dirread.c
+new revision: 1.206; previous revision: 1.205
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to
+        avoid undefined behaviour caused by invalid shift exponent.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <-- ChangeLog
+new revision: 1.1205; previous revision: 1.1204
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v  <-- libtiff/tif_jpeg.c
+new revision: 1.126; previous revision: 1.125
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_read.c: avoid potential undefined behaviour on signed
+        integer addition in TIFFReadRawStrip1() in isMapped() case.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <-- ChangeLog
+new revision: 1.1206; previous revision: 1.1205
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v  <-- libtiff/tif_read.c
+new revision: 1.51; previous revision: 1.50
+
+Index: libtiff/libtiff/tif_dir.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -u -r1.128 -r1.129
+--- libtiff/libtiff/tif_dir.c	3 Dec 2016 15:30:31 -0000	1.128
++++ libtiff/libtiff/tif_dir.c	11 Jan 2017 16:09:02 -0000	1.129
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
++/* $Id: tif_dir.c,v 1.129 2017-01-11 16:09:02 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -31,6 +31,7 @@
+  * (and also some miscellaneous stuff)
+  */
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ /*
+  * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@
+ 	return (0);
+ }
+ 
++static float TIFFClampDoubleToFloat( double val )
++{
++    if( val > FLT_MAX )
++        return FLT_MAX;
++    if( val < -FLT_MAX )
++        return -FLT_MAX;
++    return (float)val;
++}
++
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -312,13 +322,13 @@
+         dblval = va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-		td->td_xresolution = (float) dblval;
++		td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ 		break;
+ 	case TIFFTAG_YRESOLUTION:
+         dblval = va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-		td->td_yresolution = (float) dblval;
++		td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ 		break;
+ 	case TIFFTAG_PLANARCONFIG:
+ 		v = (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@
+ 		td->td_planarconfig = (uint16) v;
+ 		break;
+ 	case TIFFTAG_XPOSITION:
+-		td->td_xposition = (float) va_arg(ap, double);
++		td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ 		break;
+ 	case TIFFTAG_YPOSITION:
+-		td->td_yposition = (float) va_arg(ap, double);
++		td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ 		break;
+ 	case TIFFTAG_RESOLUTIONUNIT:
+ 		v = (uint16) va_arg(ap, uint16_vap);
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.206
+retrieving revision 1.207
+diff -u -r1.206 -r1.207
+--- libtiff/libtiff/tif_dirread.c	11 Jan 2017 13:28:01 -0000	1.206
++++ libtiff/libtiff/tif_dirread.c	11 Jan 2017 16:09:02 -0000	1.207
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.207 2017-01-11 16:09:02 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -40,6 +40,7 @@
+  */
+ 
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ #define IGNORE 0          /* tag placeholder used below */
+ #define FAILED_FII    ((uint32) -1)
+@@ -2406,7 +2407,14 @@
+ 				ma=(double*)origdata;
+ 				mb=data;
+ 				for (n=0; n<count; n++)
+-					*mb++=(float)(*ma++);
++                                {
++                                    double val = *ma++;
++                                    if( val > FLT_MAX )
++                                        val = FLT_MAX;
++                                    else if( val < -FLT_MAX )
++                                        val = -FLT_MAX;
++                                    *mb++=(float)val;
++                                }
+ 			}
+ 			break;
+ 	}
+Index: libtiff/libtiff/tif_dirwrite.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v
+retrieving revision 1.84
+retrieving revision 1.85
+diff -u -r1.84 -r1.85
+--- libtiff/libtiff/tif_dirwrite.c	11 Jan 2017 12:51:59 -0000	1.84
++++ libtiff/libtiff/tif_dirwrite.c	11 Jan 2017 16:09:02 -0000	1.85
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */
++/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -30,6 +30,7 @@
+  * Directory Write Support Routines.
+  */
+ #include "tiffiop.h"
++#include <float.h>
+ 
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@
+ 	return(0);
+ }
+ 
++static float TIFFClampDoubleToFloat( double val )
++{
++    if( val > FLT_MAX )
++        return FLT_MAX;
++    if( val < -FLT_MAX )
++        return -FLT_MAX;
++    return (float)val;
++}
++
++static int8 TIFFClampDoubleToInt8( double val )
++{
++    if( val > 127 )
++        return 127;
++    if( val < -128 || val != val )
++        return -128;
++    return (int8)val;
++}
++
++static int16 TIFFClampDoubleToInt16( double val )
++{
++    if( val > 32767 )
++        return 32767;
++    if( val < -32768 || val != val )
++        return -32768;
++    return (int16)val;
++}
++
++static int32 TIFFClampDoubleToInt32( double val )
++{
++    if( val > 0x7FFFFFFF )
++        return 0x7FFFFFFF;
++    if( val < -0x7FFFFFFF-1 || val != val )
++        return -0x7FFFFFFF-1;
++    return (int32)val;
++}
++
++static uint8 TIFFClampDoubleToUInt8( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 255 || val != val )
++        return 255;
++    return (uint8)val;
++}
++
++static uint16 TIFFClampDoubleToUInt16( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 65535 || val != val )
++        return 65535;
++    return (uint16)val;
++}
++
++static uint32 TIFFClampDoubleToUInt32( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 0xFFFFFFFFU || val != val )
++        return 0xFFFFFFFFU;
++    return (uint32)val;
++}
++
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
+ {
+@@ -959,7 +1023,7 @@
+ 			if (tif->tif_dir.td_bitspersample<=32)
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((float*)conv)[i] = (float)value[i];
++					((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+ 				ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+ 			}
+ 			else
+@@ -971,19 +1035,19 @@
+ 			if (tif->tif_dir.td_bitspersample<=8)
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((int8*)conv)[i] = (int8)value[i];
++					((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
+ 				ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
+ 			}
+ 			else if (tif->tif_dir.td_bitspersample<=16)
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((int16*)conv)[i] = (int16)value[i];
++					((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
+ 				ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
+ 			}
+ 			else
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((int32*)conv)[i] = (int32)value[i];
++					((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
+ 				ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
+ 			}
+ 			break;
+@@ -991,19 +1055,19 @@
+ 			if (tif->tif_dir.td_bitspersample<=8)
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((uint8*)conv)[i] = (uint8)value[i];
++					((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
+ 				ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
+ 			}
+ 			else if (tif->tif_dir.td_bitspersample<=16)
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((uint16*)conv)[i] = (uint16)value[i];
++					((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
+ 				ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
+ 			}
+ 			else
+ 			{
+ 				for (i = 0; i < count; ++i)
+-					((uint32*)conv)[i] = (uint32)value[i];
++					((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
+ 				ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
+ 			}
+ 			break;
+@@ -2102,7 +2102,7 @@
+ 		m[0]=0;
+ 		m[1]=1;
+ 	}
+-	else if (value==(double)(uint32)value)
++	else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
+ 	{
+ 		m[0]=(uint32)value;
+ 		m[1]=1;
+@@ -2148,12 +2217,13 @@
+ 	}
+ 	for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
+ 	{
+-		if (*na<=0.0)
++		if (*na<=0.0 || *na != *na)
+ 		{
+ 			nb[0]=0;
+ 			nb[1]=1;
+ 		}
+-		else if (*na==(float)(uint32)(*na))
++		else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
++                         *na==(float)(uint32)(*na))
+ 		{
+ 			nb[0]=(uint32)(*na);
+ 			nb[1]=1;
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.205
+retrieving revision 1.206
+diff -u -r1.205 -r1.206
+--- libtiff/libtiff/tif_dirread.c	3 Dec 2016 11:02:15 -0000	1.205
++++ libtiff/libtiff/tif_dirread.c	11 Jan 2017 13:28:01 -0000	1.206
+@@ -2872,7 +2872,10 @@
+ 		m.l = direntry->tdir_offset.toff_long8;
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabArrayOfLong(m.i,2);
+-	if (m.i[0]==0)
++        /* Not completely sure what we should do when m.i[1]==0, but some */
++        /* sanitizers do not like division by 0.0: */
++        /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++	if (m.i[0]==0 || m.i[1]==0)
+ 		*value=0.0;
+ 	else
+ 		*value=(double)m.i[0]/(double)m.i[1];
+@@ -2900,7 +2903,10 @@
+ 		m.l=direntry->tdir_offset.toff_long8;
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabArrayOfLong(m.i,2);
+-	if ((int32)m.i[0]==0)
++        /* Not completely sure what we should do when m.i[1]==0, but some */
++        /* sanitizers do not like division by 0.0: */
++        /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
++	if ((int32)m.i[0]==0 || m.i[1]==0)
+ 		*value=0.0;
+ 	else
+ 		*value=(double)((int32)m.i[0])/(double)m.i[1];
+Index: libtiff/libtiff/tif_jpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v
+retrieving revision 1.125
+retrieving revision 1.126
+diff -u -r1.125 -r1.126
+--- libtiff/libtiff/tif_jpeg.c	11 Jan 2017 12:15:01 -0000	1.125
++++ libtiff/libtiff/tif_jpeg.c	11 Jan 2017 16:13:50 -0000	1.126
+@@ -1,4 +1,4 @@
+-/* $Id: tif_jpeg.c,v 1.123 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tif_jpeg.c,v 1.126 2017-01-11 16:13:50 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1994-1997 Sam Leffler
+@@ -1632,6 +1632,13 @@
+                             "Invalig horizontal/vertical sampling value");
+                     return (0);
+                 }
++                if( td->td_bitspersample > 16 )
++                {
++                    TIFFErrorExt(tif->tif_clientdata, module,
++                                 "BitsPerSample %d not allowed for JPEG",
++                                 td->td_bitspersample);
++                    return (0);
++                }
+ 
+ 		/*
+ 		 * A ReferenceBlackWhite field *must* be present since the
+Index: libtiff/libtiff/tif_read.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.50
+retrieving revision 1.51
+diff -u -r1.50 -r1.51
+--- libtiff/libtiff/tif_read.c	2 Dec 2016 21:56:56 -0000	1.50
++++ libtiff/libtiff/tif_read.c	11 Jan 2017 16:33:34 -0000	1.51
+@@ -420,16 +420,25 @@
+ 			return ((tmsize_t)(-1));
+ 		}
+ 	} else {
+-		tmsize_t ma,mb;
++		tmsize_t ma;
+ 		tmsize_t n;
+-		ma=(tmsize_t)td->td_stripoffset[strip];
+-		mb=ma+size;
+-		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+-			n=0;
+-		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
+-			n=tif->tif_size-ma;
+-		else
+-			n=size;
++		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
++                    ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
++                {
++                    n=0;
++                }
++                else if( ma > TIFF_TMSIZE_T_MAX - size )
++                {
++                    n=0;
++                }
++                else
++                {
++                    tmsize_t mb=ma+size;
++                    if (mb>tif->tif_size)
++                            n=tif->tif_size-ma;
++                    else
++                            n=size;
++                }
+ 		if (n!=size) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
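Review bot: in the tif_dirwrite.c rational-array hunk (`@@ -2148,12 +2217,13 @@`), the new guard `*na <= (float)0xFFFFFFFFU` does not fully close the range: 0xFFFFFFFF is not representable in single precision and rounds to 4294967296.0f, so a value of exactly 2^32 passes the test and `(uint32)(*na)` is still an out-of-range conversion; the double-valued check a few hunks earlier (`value <= 0xFFFFFFFFU`) is exact, so comparing `*na` as a double against the integer bound would make the two consistent. Separately, that earlier hunk is marked `@@ -2102,7 +2102,7 @@` while the surrounding hunks in the same file carry the +64/+69 line offsets introduced by the new clamp helpers, so `patch` will apply it with an offset; that works, but it shows this file was assembled from several upstream revisions, and a sentence in the header naming the CVS revisions that were merged would help whoever refreshes it next.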
-- 
2.12.2





Information forwarded to guix-patches <at> gnu.org:
bug#26804; Package guix-patches. (Sat, 06 May 2017 18:55:02 GMT)

Message #8 received at 26804 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Kei Kebreau <kei <at> openmailbox.org>
Cc: 26804 <at> debbugs.gnu.org
Subject: Re: bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 
 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
Date: Sat, 6 May 2017 14:54:50 -0400
[Message part 1 (text/plain, inline)]
On Sat, May 06, 2017 at 10:45:57AM -0400, Kei Kebreau wrote:
> * gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
> * gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
> * gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/image.scm (libtiff)[source]: Use them.

Thank you!

This change should be grafted, since ~2000 packages will be affected.

There's a recent example of appending patches in a replacement package:

+    (source
+      (origin
+        (inherit (package-source libsndfile))
+        (patches
+          (append
+            (origin-patches (package-source libsndfile))
+            (search-patches "libsndfile-CVE-2017-8361-8363-8365.patch"
+                            "libsndfile-CVE-2017-8362.patch")))))))

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=1c4a500aae53b8cd33d1266eb3809b859ae2555d
[signature.asc (application/pgp-signature, inline)]
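For concreteness, here is how the graft Leo describes would look when applied to this submission. This is an added illustration, not Kei's attached patch and not code from the Guix repository; it assumes the existing `libtiff` variable in gnu/packages/image.scm (whose other fields are left exactly as they are) and the three patch file names from the original submission, and the name `libtiff/fixed` is chosen here.

```scheme
;; Added example (not the submitted patch): graft libtiff with the three
;; patch files from this submission instead of rebuilding its dependents.
;; `libtiff' is the existing package in gnu/packages/image.scm; only the
;; `replacement' field is new.  `libtiff/fixed' is a name chosen here.
(define-public libtiff
  (package
    (name "libtiff")
    ;; ... version, source, build system and the rest of the existing
    ;; definition stay exactly as they are ...

    ;; The graft: dependents are still built against this derivation's
    ;; output, and Guix rewrites references to it into libtiff/fixed
    ;; when the final closure is assembled.
    (replacement libtiff/fixed)))

;; The replacement must stay ABI-compatible with `libtiff'; it inherits
;; everything and only adds patches to the source.
(define libtiff/fixed
  (package
    (inherit libtiff)
    (source
     (origin
       (inherit (package-source libtiff))
       (patches
        (append
         ;; keep the patches the unfixed package already carries ...
         (origin-patches (package-source libtiff))
         ;; ... and append the new ones from this submission.
         (search-patches "libtiff-CVE-2017-7593.patch"
                         "libtiff-CVE-2017-7594.patch"
                         "libtiff-multiple-UBSAN-crashes.patch")))))))
```

With this in place, `guix build libtiff` builds `libtiff/fixed` and produces the grafted output, while `guix build --no-grafts libtiff` still yields the original, unpatched derivation, which is the one dependents keep being built against.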

Information forwarded to guix-patches <at> gnu.org:
bug#26804; Package guix-patches. (Sun, 07 May 2017 00:12:02 GMT)

Message #11 received at 26804 <at> debbugs.gnu.org:

From: Kei Kebreau <kei <at> openmailbox.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 26804 <at> debbugs.gnu.org
Subject: Re: bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595,
 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
Date: Sat, 06 May 2017 20:11:35 -0400
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Sat, May 06, 2017 at 10:45:57AM -0400, Kei Kebreau wrote:
>> * gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
>> * gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
>> * gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/image.scm (libtiff)[source]: Use them.
>
> Thank you!

Thanks for the tips you gave.

>
> This change should be grafted, since ~2000 packages will be affected.
>
> There's a recent example of appending patches in a replacement package:
>
> +    (source
> +      (origin
> +        (inherit (package-source libsndfile))
> +        (patches
> +          (append
> +            (origin-patches (package-source libsndfile))
> +            (search-patches "libsndfile-CVE-2017-8361-8363-8365.patch"
> +                            "libsndfile-CVE-2017-8362.patch")))))))
>
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=1c4a500aae53b8cd33d1266eb3809b859ae2555d

So the attached patch would be okay to push to the master branch?

[0001-gnu-libtiff-Fix-CVE-2017-7593-7594-7595-7596-7597-75.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#26804; Package guix-patches. (Sun, 07 May 2017 03:42:02 GMT)

Message #14 received at 26804 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Kei Kebreau <kei <at> openmailbox.org>
Cc: 26804 <at> debbugs.gnu.org
Subject: Re: bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 
 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
Date: Sat, 6 May 2017 23:41:51 -0400
[Message part 1 (text/plain, inline)]
On Sat, May 06, 2017 at 08:11:35PM -0400, Kei Kebreau wrote:
> So the attached patch would be okay to push to the master branch?

Yes, after ...

> From fe8c0d5c5c4f7bbba7375dc28294a2efd0d2f85e Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei <at> openmailbox.org>
> Date: Sat, 6 May 2017 10:45:57 -0400
> Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597,
>  7598, 7599, 7600, 7601, 7602}.

... putting the list of CVEs on its own line, and changing the title to
be shorter than 80 characters. Then please push :)
[signature.asc (application/pgp-signature, inline)]

Reply sent to Kei Kebreau <kei <at> openmailbox.org>:
You have taken responsibility. (Sun, 07 May 2017 10:59:02 GMT)

Notification sent to Kei Kebreau <kei <at> openmailbox.org>:
bug acknowledged by developer. (Sun, 07 May 2017 10:59:02 GMT)

Message #19 received at 26804-done <at> debbugs.gnu.org:

From: Kei Kebreau <kei <at> openmailbox.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 26804-done <at> debbugs.gnu.org
Subject: Re: bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595,
 7596, 7597, 7598, 7599, 7600, 7601, 7602}.
Date: Sun, 07 May 2017 06:58:42 -0400
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Sat, May 06, 2017 at 08:11:35PM -0400, Kei Kebreau wrote:
>> So the attached patch would be okay to push to the master branch?
>
> Yes, after ...
>
>> From fe8c0d5c5c4f7bbba7375dc28294a2efd0d2f85e Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <kei <at> openmailbox.org>
>> Date: Sat, 6 May 2017 10:45:57 -0400
>> Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596, 7597,
>>  7598, 7599, 7600, 7601, 7602}.
>
> ... putting the list of CVEs on its own line, and changing the title to
> be shorter than 80 characters. Then please push :)

Pushed with appropriate changes. Thanks for your time!
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 04 Jun 2017 11:24:04 GMT)




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.