GNU bug report logs -
#27370
[PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Thu, 15 Jun 2017 03:47:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 27370 in the body.
You can then email your comments to 27370 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#27370; Package
guix-patches.
(Thu, 15 Jun 2017 03:47:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Thu, 15 Jun 2017 03:47:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
* gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/image.scm | 1 +
.../patches/libtiff-tiffgetfield-bugs.patch | 201 +++++++++++++++++++++
3 files changed, 203 insertions(+)
create mode 100644 gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 8fcd2cab2..974b6536f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -769,6 +769,7 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-invalid-read.patch \
%D%/packages/patches/libtiff-null-dereference.patch \
%D%/packages/patches/libtiff-tiffcp-underflow.patch \
+ %D%/packages/patches/libtiff-tiffgetfield-bugs.patch \
%D%/packages/patches/libtirpc-CVE-2017-8779.patch \
%D%/packages/patches/libtorrent-rasterbar-boost-compat.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index abac17d6d..b94c006b1 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -393,6 +393,7 @@ collection of tools for doing simple manipulations of TIFF images.")
(method url-fetch)
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
version ".tar.gz"))
+ (patches (search-patches "libtiff-tiffgetfield-bugs.patch"))
(sha256
(base32
"0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))))
diff --git a/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch b/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
new file mode 100644
index 000000000..84566ca23
--- /dev/null
+++ b/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
@@ -0,0 +1,201 @@
+Fix several bugs in libtiff related to use of TIFFGetField():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095
+
+Patch copied from upstream CVS. 3rd-party Git reference:
+https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06
+
+2017-06-01 Even Rouault <even.rouault at spatialys.com>
+
+* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+to behave differently depending on whether the codec is enabled or not, and
+thus can avoid stack based buffer overflows in a number of TIFF utilities
+such as tiffsplit, tiffcmp, thumbnail, etc.
+Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+Fixes:
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+http://bugzilla.maptools.org/show_bug.cgi?id=2693
+http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+http://bugzilla.maptools.org/show_bug.cgi?id=2441
+http://bugzilla.maptools.org/show_bug.cgi?id=2433
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.208
+retrieving revision 1.209
+diff -u -r1.208 -r1.209
+--- libtiff/libtiff/tif_dirread.c 27 Apr 2017 15:46:22 -0000 1.208
++++ libtiff/libtiff/tif_dirread.c 1 Jun 2017 12:44:04 -0000 1.209
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -3580,6 +3580,10 @@
+ goto bad;
+ dp->tdir_tag=IGNORE;
+ break;
++ default:
++ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
++ dp->tdir_tag=IGNORE;
++ break;
+ }
+ }
+ }
+Index: libtiff/libtiff/tif_dirinfo.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v
+retrieving revision 1.126
+retrieving revision 1.127
+diff -u -r1.126 -r1.127
+--- libtiff/libtiff/tif_dirinfo.c 18 Nov 2016 02:52:13 -0000 1.126
++++ libtiff/libtiff/tif_dirinfo.c 1 Jun 2017 12:44:04 -0000 1.127
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
++/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -956,6 +956,109 @@
+ return 0;
+ }
+
++int
++_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
++{
++ /* Filter out non-codec specific tags */
++ switch (tag) {
++ /* Shared tags */
++ case TIFFTAG_PREDICTOR:
++ /* JPEG tags */
++ case TIFFTAG_JPEGTABLES:
++ /* OJPEG tags */
++ case TIFFTAG_JPEGIFOFFSET:
++ case TIFFTAG_JPEGIFBYTECOUNT:
++ case TIFFTAG_JPEGQTABLES:
++ case TIFFTAG_JPEGDCTABLES:
++ case TIFFTAG_JPEGACTABLES:
++ case TIFFTAG_JPEGPROC:
++ case TIFFTAG_JPEGRESTARTINTERVAL:
++ /* CCITT* */
++ case TIFFTAG_BADFAXLINES:
++ case TIFFTAG_CLEANFAXDATA:
++ case TIFFTAG_CONSECUTIVEBADFAXLINES:
++ case TIFFTAG_GROUP3OPTIONS:
++ case TIFFTAG_GROUP4OPTIONS:
++ break;
++ default:
++ return 1;
++ }
++ /* Check if codec specific tags are allowed for the current
++ * compression scheme (codec) */
++ switch (tif->tif_dir.td_compression) {
++ case COMPRESSION_LZW:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_PACKBITS:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_THUNDERSCAN:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_NEXT:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_JPEG:
++ if (tag == TIFFTAG_JPEGTABLES)
++ return 1;
++ break;
++ case COMPRESSION_OJPEG:
++ switch (tag) {
++ case TIFFTAG_JPEGIFOFFSET:
++ case TIFFTAG_JPEGIFBYTECOUNT:
++ case TIFFTAG_JPEGQTABLES:
++ case TIFFTAG_JPEGDCTABLES:
++ case TIFFTAG_JPEGACTABLES:
++ case TIFFTAG_JPEGPROC:
++ case TIFFTAG_JPEGRESTARTINTERVAL:
++ return 1;
++ }
++ break;
++ case COMPRESSION_CCITTRLE:
++ case COMPRESSION_CCITTRLEW:
++ case COMPRESSION_CCITTFAX3:
++ case COMPRESSION_CCITTFAX4:
++ switch (tag) {
++ case TIFFTAG_BADFAXLINES:
++ case TIFFTAG_CLEANFAXDATA:
++ case TIFFTAG_CONSECUTIVEBADFAXLINES:
++ return 1;
++ case TIFFTAG_GROUP3OPTIONS:
++ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
++ return 1;
++ break;
++ case TIFFTAG_GROUP4OPTIONS:
++ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
++ return 1;
++ break;
++ }
++ break;
++ case COMPRESSION_JBIG:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_DEFLATE:
++ case COMPRESSION_ADOBE_DEFLATE:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_PIXARLOG:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_SGILOG:
++ case COMPRESSION_SGILOG24:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_LZMA:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++
++ }
++ return 0;
++}
++
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+
+ /*
+Index: libtiff/libtiff/tif_dir.h
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v
+retrieving revision 1.54
+retrieving revision 1.55
+diff -u -r1.54 -r1.55
+--- libtiff/libtiff/tif_dir.h 18 Feb 2011 20:53:05 -0000 1.54
++++ libtiff/libtiff/tif_dir.h 1 Jun 2017 12:44:04 -0000 1.55
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
++/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -291,6 +291,7 @@
+ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
++extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+
+ #if defined(__cplusplus)
+ }
--
2.13.1
Information forwarded
to
guix-patches <at> gnu.org:
bug#27370; Package
guix-patches.
(Thu, 15 Jun 2017 08:14:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 27370 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> skribis:
> Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
>
> * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
LGTM. ‘guix lint -c cve’ will keep complaining, but I guess splitting
the patch in one patch per CVE might be hard and not worth the effort.
Thoughts?
Could you apply them to ‘core-updates’ as well?
Thank you!
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#27370; Package
guix-patches.
(Thu, 15 Jun 2017 15:23:01 GMT)
Full text and
rfc822 format available.
Message #11 received at 27370 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Wed, Jun 14, 2017 at 11:45:57PM -0400, Leo Famulari wrote:
> Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
>
> * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
I'd also like to add a patch for this libtiff commit, fixing a
regression in 4.0.8:
https://github.com/vadz/libtiff/commit/cd23b66764cb0a2d67198e060a9e238380e3ae9f
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
Leo Famulari <leo <at> famulari.name>:
You have taken responsibility.
(Thu, 15 Jun 2017 15:53:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer.
(Thu, 15 Jun 2017 15:53:01 GMT)
Full text and
rfc822 format available.
Message #16 received at 27370-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Thu, Jun 15, 2017 at 10:13:43AM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> skribis:
>
> > Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> > the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
> >
> > * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
>
> LGTM. ‘guix lint -c cve’ will keep complaining, but I guess splitting
> the patch in one patch per CVE might be hard and not worth the effort.
> Thoughts?
The long list of bugs has a single root cause and fix, so there is only
one patch.
> Could you apply them to ‘core-updates’ as well?
Sure, done!
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Fri, 14 Jul 2017 11:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 8 years and 55 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.