GNU bug report logs - #30418
[PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}.

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sun, 11 Feb 2018 01:06:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#30418; Package guix-patches. (Sun, 11 Feb 2018 01:06:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 11 Feb 2018 01:06:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}.
Date: Sat, 10 Feb 2018 20:05:18 -0500
* gnu/packages/patches/libtiff-CVE-2017-9935.patch,
gnu/packages/patches/libtiff-CVE-2017-11335.patch,
gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[replacement]: New field.
(libtiff/fixed): New variable.
---
 gnu/local.mk                                      |   3 +
 gnu/packages/image.scm                            |  13 ++
 gnu/packages/patches/libtiff-CVE-2017-11335.patch |  48 +++++++
 gnu/packages/patches/libtiff-CVE-2017-18013.patch |  45 ++++++
 gnu/packages/patches/libtiff-CVE-2017-9935.patch  | 162 ++++++++++++++++++++++
 5 files changed, 271 insertions(+)
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-11335.patch
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-18013.patch
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9935.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index eb968dede..95650cc50 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -854,7 +854,10 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtasn1-CVE-2017-10790.patch		\
   %D%/packages/patches/libtheora-config-guess.patch		\
   %D%/packages/patches/libtiff-CVE-2016-10688.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-9935.patch		\
   %D%/packages/patches/libtiff-CVE-2017-9936.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-11335.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-18013.patch		\
   %D%/packages/patches/libtiff-tiffgetfield-bugs.patch		\
   %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch	\
   %D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch	\
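Review bot: the three new dist_patch_DATA entries must match byte-for-byte the names handed to search-patches in image.scm, because a mismatch only shows up later as a patch file missing from the distribution tarball; they do match here (libtiff-CVE-2017-9935.patch, libtiff-CVE-2017-11335.patch, libtiff-CVE-2017-18013.patch). Placing 9935 ahead of the existing 9936 line and 11335/18013 after it keeps the numeric ordering the neighbouring libtiff entries already use.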
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 548c1df44..a5738f431 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -390,6 +390,7 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
+   (replacement libtiff/fixed)
    (version "4.0.8")
    (source
      (origin
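Review bot: `(replacement libtiff/fixed)` refers to a variable that is only defined further down the file; that is fine because the replacement field is evaluated lazily, and it is the usual layout for a security graft in Guix. Since a graft swaps the replacement's outputs into dependents without rebuilding them, the thing to confirm is that libtiff/fixed keeps the same name, version and outputs, which the later hunk does by inheriting the whole package and touching only the source patches.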
@@ -426,6 +427,18 @@ collection of tools for doing simple manipulations of TIFF images.")
                                   "See COPYRIGHT in the distribution."))
    (home-page "http://www.simplesystems.org/libtiff/")))
 
+(define libtiff/fixed
+  (package
+    (inherit libtiff)
+    (source
+      (origin
+        (inherit (package-source libtiff))
+        (patches
+          (append (origin-patches (package-source libtiff))
+                  (search-patches "libtiff-CVE-2017-9935.patch"
+                                  "libtiff-CVE-2017-11335.patch"
+                                  "libtiff-CVE-2017-18013.patch")))))))
+
 (define-public leptonica
   (package
     (name "leptonica")
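Review bot: two of the appended patches, libtiff-CVE-2017-9935.patch and libtiff-CVE-2017-11335.patch, both modify tools/tiff2pdf.c, so the order passed to search-patches decides whether the second still applies. Applying 9935 first adds lines in t2p_read_tiff_init, before the region at line 1737 that 11335 touches, so 11335's hunk should land with an offset rather than a conflict; a `guix build libtiff` run is the cheap way to confirm all three apply on top of the existing origin-patches for 4.0.8. Using define rather than define-public for libtiff/fixed is right, since the graft is not meant to be a user-visible package.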
diff --git a/gnu/packages/patches/libtiff-CVE-2017-11335.patch b/gnu/packages/patches/libtiff-CVE-2017-11335.patch
new file mode 100644
index 000000000..504bf3d3e
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-11335.patch
@@ -0,0 +1,48 @@
+Fix CVE-2017-11335:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2715
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/979751c407648bd29a6bdf5581ab9e3af42c1223
+
+From 979751c407648bd29a6bdf5581ab9e3af42c1223 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault <at> spatialys.com>
+Date: Sat, 15 Jul 2017 11:13:46 +0000
+Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
+ "Raw" mode on PlanarConfig=Contig input images. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
+
+---
+ ChangeLog        | 7 +++++++
+ tools/tiff2pdf.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 8e4e24ef..caf64ee5 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1,4 +1,4 @@
+-/* $Id: tiff2pdf.c,v 1.101 2016-12-20 17:28:17 erouault Exp $
++/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $
+  *
+  * tiff2pdf - converts a TIFF image to a PDF document
+  *
+@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ 	    return;
+ 
+ 	t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
+-	if(t2p->pdf_nopassthrough==0){
++        /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
++        /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
++        /* do not take into account the number of samples, and thus */
++        /* that can cause heap buffer overflows such as in */
++        /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
++	if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
+ #ifdef CCITT_SUPPORT
+ 		if(t2p->tiff_compression==COMPRESSION_CCITTFAX4  
+ 			){
+-- 
+2.16.1
+
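Review bot: the embedded diffstat still lists `ChangeLog | 7 +++++++` and "2 files changed", but only the tools/tiff2pdf.c hunk is included; dropping the ChangeLog hunk is sensible (it rarely applies to a release tarball), but the stat lines are now misleading and could be trimmed, or the header could say the ChangeLog part was omitted. On the fix itself: the added `t2p->tiff_planar!=PLANARCONFIG_SEPARATE` condition avoids the overflow by sending separate-planar images through the encode path instead of raw passthrough; it does not correct the size computation in t2p_read_tiff_size and t2p_read_tiff_size_tile that the new comment identifies as ignoring the sample count, so the passthrough path remains unsafe for any future change that routes separate-planar data into it. Fine for a backport, but worth keeping in mind when judging whether later upstream fixes are also needed.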
diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
new file mode 100644
index 000000000..ba03c8384
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-18013:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2770
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
+
+From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault <at> spatialys.com>
+Date: Sun, 31 Dec 2017 15:09:41 +0100
+Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
+ dereference on corrupted file. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2770
+
+---
+ libtiff/tif_print.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 9959d353..8deceb2b 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
+ 			    (unsigned long) s,
+-			    (unsigned __int64) td->td_stripoffset[s],
+-			    (unsigned __int64) td->td_stripbytecount[s]);
++			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+ 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
+ 			    (unsigned long) s,
+-			    (unsigned long long) td->td_stripoffset[s],
+-			    (unsigned long long) td->td_stripbytecount[s]);
++			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+ 	}
+ }
+-- 
+2.16.1
+
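Review bot: the guards re-test td_stripoffset and td_stripbytecount for NULL on every loop iteration and print 0 in place of the missing values; this stops the NULL dereference on a corrupted file, but it silently reports an offset and byte count of 0 for a directory that has none, which a reader of the tiffinfo output could mistake for real values. Hoisting the NULL check above the loop and printing one "missing" line would be clearer. The ternaries mix `unsigned __int64` (or `unsigned long long`) with the int literal 0; the usual arithmetic conversions promote the 0 to the wider type, so the `%8I64u` / `%8llu` format specifiers remain correct.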
diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
new file mode 100644
index 000000000..5685d81f6
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
@@ -0,0 +1,162 @@
+Fix CVE-2017-9935
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
+http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
+
+From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
+From: Brian May <brian <at> linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:46:47 +1100
+Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
+
+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+This vulnerability - at least for the supplied test case - is because we
+assume that a tiff will only have one transfer function that is the same
+for all pages. This is not required by the TIFF standards.
+
+We than read the transfer function for every page.  Depending on the
+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+We allocate this memory after we read in the transfer function for the
+page.
+
+For the first exploit - POC1, this file has 3 pages. For the first page
+we allocate 2 extra extra XREF entries. Then for the next page 2 more
+entries. Then for the last page the transfer function changes and we
+allocate 4 more entries.
+
+When we read the file into memory, we assume we have 4 bytes extra for
+each and every page (as per the last transfer function we read). Which
+is not correct, we only have 2 bytes extra for the first 2 pages. As a
+result, we end up writing past the end of the buffer.
+
+There are also some related issues that this also fixes. For example,
+TIFFGetField can return uninitalized pointer values, and the logic to
+detect a N=3 vs N=1 transfer function seemed rather strange.
+
+It is also strange that we declare the transfer functions to be of type
+float, when the standard says they are unsigned 16 bit values. This is
+fixed in another patch.
+
+This patch will check to ensure that the N value for every transfer
+function is the same for every page. If this changes, we abort with an
+error. In theory, we should perhaps check that the transfer function
+itself is identical for every page, however we don't do that due to the
+confusion of the type of the data in the transfer function.
+---
+ libtiff/tif_dir.c |  3 +++
+ tools/tiff2pdf.c  | 65 +++++++++++++++++++++++++++++++++++++------------------
+ 2 files changed, 47 insertions(+), 21 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 2ccaf448..cbf2b693 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
+ 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
+ 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
++			} else {
++				*va_arg(ap, uint16**) = NULL;
++				*va_arg(ap, uint16**) = NULL;
+ 			}
+ 			break;
+ 		case TIFFTAG_REFERENCEBLACKWHITE:
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index d1a9b095..c3ec0746 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ 	uint16 pagen=0;
+ 	uint16 paged=0;
+ 	uint16 xuint16=0;
++	uint16 tiff_transferfunctioncount=0;
++	float* tiff_transferfunction[3];
+ 
+ 	directorycount=TIFFNumberOfDirectories(input);
+ 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+                 }
+ #endif
+ 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
+-                                 &(t2p->tiff_transferfunction[0]),
+-                                 &(t2p->tiff_transferfunction[1]),
+-                                 &(t2p->tiff_transferfunction[2]))) {
+-			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[1] !=
+-                            t2p->tiff_transferfunction[0])) {
+-				t2p->tiff_transferfunctioncount = 3;
+-				t2p->tiff_pages[i].page_extra += 4;
+-				t2p->pdf_xrefcount += 4;
+-			} else {
+-				t2p->tiff_transferfunctioncount = 1;
+-				t2p->tiff_pages[i].page_extra += 2;
+-				t2p->pdf_xrefcount += 2;
+-			}
+-			if(t2p->pdf_minorversion < 2)
+-				t2p->pdf_minorversion = 2;
++                                 &(tiff_transferfunction[0]),
++                                 &(tiff_transferfunction[1]),
++                                 &(tiff_transferfunction[2]))) {
++
++                        if((tiff_transferfunction[1] != (float*) NULL) &&
++                           (tiff_transferfunction[2] != (float*) NULL)
++                          ) {
++                            tiff_transferfunctioncount=3;
++                        } else {
++                            tiff_transferfunctioncount=1;
++                        }
+                 } else {
+-			t2p->tiff_transferfunctioncount=0;
++			tiff_transferfunctioncount=0;
+ 		}
++
++                if (i > 0){
++                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
++                        TIFFError(
++                            TIFF2PDF_MODULE,
++                            "Different transfer function on page %d",
++                            i);
++                        t2p->t2p_error = T2P_ERR_ERROR;
++                        return;
++                    }
++                }
++
++                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
++                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
++                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
++                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
++                if(tiff_transferfunctioncount == 3){
++                        t2p->tiff_pages[i].page_extra += 4;
++                        t2p->pdf_xrefcount += 4;
++                        if(t2p->pdf_minorversion < 2)
++                                t2p->pdf_minorversion = 2;
++                } else if (tiff_transferfunctioncount == 1){
++                        t2p->tiff_pages[i].page_extra += 2;
++                        t2p->pdf_xrefcount += 2;
++                        if(t2p->pdf_minorversion < 2)
++                                t2p->pdf_minorversion = 2;
++                }
++
+ 		if( TIFFGetField(
+ 			input, 
+ 			TIFFTAG_ICCPROFILE, 
+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ 			 &(t2p->tiff_transferfunction[1]),
+ 			 &(t2p->tiff_transferfunction[2]))) {
+ 		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[1] !=
+-                    t2p->tiff_transferfunction[0])) {
++                   (t2p->tiff_transferfunction[2] != (float*) NULL)
++                  ) {
+ 			t2p->tiff_transferfunctioncount=3;
+ 		} else {
+ 			t2p->tiff_transferfunctioncount=1;
+-- 
+2.16.1
+
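Review bot: in the t2p_read_tiff_init hunk, `float* tiff_transferfunction[3];` is declared without an initializer, yet `t2p->tiff_transferfunction[0] = tiff_transferfunction[0];` (and the [1] and [2] copies) run unconditionally, including on the else branch where TIFFGetField failed and the array was never written. That copies indeterminate pointer values into the T2P struct, which is undefined behaviour in C even though `tiff_transferfunctioncount = 0` stops them being dereferenced later. Initialising the array to `{NULL, NULL, NULL}` or moving the three copies inside the success branch would close it; this is a point to raise upstream rather than a reason to hold the backport. Note that the tif_dir.c change, which sets the second and third out-pointers to NULL when there is a single sample, is what makes the N=1 vs N=3 detection reliable, so the two file diffs only make sense applied together; and the new `i > 0` check turns a TIFF whose transfer function count changes between pages into a TIFFError and T2P_ERR_ERROR return instead of an undersized xref buffer, which is the behaviour the commit message describes.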
-- 
2.16.1





Information forwarded to guix-patches <at> gnu.org:
bug#30418; Package guix-patches. (Sun, 11 Feb 2018 01:33:02 GMT) Full text and rfc822 format available.

Message #8 received at 30418 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org, Leo Famulari <leo <at> famulari.name>,
 30418 <at> debbugs.gnu.org
Subject: Re: [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935, 11335,
 18013}.
Date: Sun, 11 Feb 2018 02:32:38 +0100

On February 11, 2018 2:05:18 AM GMT+01:00, Leo Famulari <leo <at> famulari.name> wrote:
>* gnu/packages/patches/libtiff-CVE-2017-9935.patch,
>gnu/packages/patches/libtiff-CVE-2017-11335.patch,
>gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files.
>* gnu/local.mk (dist_patch_DATA): Add them.
>* gnu/packages/image.scm (libtiff)[replacement]: New field.
>(libtiff/fixed): New variable.

LGTM, thanks for taking care of this.

>---
> gnu/local.mk                                      |   3 +
> gnu/packages/image.scm                            |  13 ++
> gnu/packages/patches/libtiff-CVE-2017-11335.patch |  48 +++++++
> gnu/packages/patches/libtiff-CVE-2017-18013.patch |  45 ++++++
>gnu/packages/patches/libtiff-CVE-2017-9935.patch  | 162
>++++++++++++++++++++++
> 5 files changed, 271 insertions(+)
> create mode 100644 gnu/packages/patches/libtiff-CVE-2017-11335.patch
> create mode 100644 gnu/packages/patches/libtiff-CVE-2017-18013.patch
> create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9935.patch
>
>diff --git a/gnu/local.mk b/gnu/local.mk
>index eb968dede..95650cc50 100644
>--- a/gnu/local.mk
>+++ b/gnu/local.mk
>@@ -854,7 +854,10 @@ dist_patch_DATA =						\
>   %D%/packages/patches/libtasn1-CVE-2017-10790.patch		\
>   %D%/packages/patches/libtheora-config-guess.patch		\
>   %D%/packages/patches/libtiff-CVE-2016-10688.patch		\
>+  %D%/packages/patches/libtiff-CVE-2017-9935.patch		\
>   %D%/packages/patches/libtiff-CVE-2017-9936.patch		\
>+  %D%/packages/patches/libtiff-CVE-2017-11335.patch		\
>+  %D%/packages/patches/libtiff-CVE-2017-18013.patch		\
>   %D%/packages/patches/libtiff-tiffgetfield-bugs.patch		\
>   %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch	\
>%D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch	\
>diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
>index 548c1df44..a5738f431 100644
>--- a/gnu/packages/image.scm
>+++ b/gnu/packages/image.scm
>@@ -390,6 +390,7 @@ extracting icontainer icon files.")
> (define-public libtiff
>   (package
>    (name "libtiff")
>+   (replacement libtiff/fixed)
>    (version "4.0.8")
>    (source
>      (origin
>@@ -426,6 +427,18 @@ collection of tools for doing simple manipulations
>of TIFF images.")
>                                 "See COPYRIGHT in the distribution."))
>    (home-page "http://www.simplesystems.org/libtiff/")))
> 
>+(define libtiff/fixed
>+  (package
>+    (inherit libtiff)
>+    (source
>+      (origin
>+        (inherit (package-source libtiff))
>+        (patches
>+          (append (origin-patches (package-source libtiff))
>+                  (search-patches "libtiff-CVE-2017-9935.patch"
>+                                  "libtiff-CVE-2017-11335.patch"
>+                                 
>"libtiff-CVE-2017-18013.patch")))))))
>+
> (define-public leptonica
>   (package
>     (name "leptonica")
>diff --git a/gnu/packages/patches/libtiff-CVE-2017-11335.patch
>b/gnu/packages/patches/libtiff-CVE-2017-11335.patch
>new file mode 100644
>index 000000000..504bf3d3e
>--- /dev/null
>+++ b/gnu/packages/patches/libtiff-CVE-2017-11335.patch
>@@ -0,0 +1,48 @@
>+Fix CVE-2017-11335:
>+
>+http://bugzilla.maptools.org/show_bug.cgi?id=2715
>+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11335
>+
>+Patch copied from upstream source repository:
>+
>+https://gitlab.com/libtiff/libtiff/commit/979751c407648bd29a6bdf5581ab9e3af42c1223
>+
>+From 979751c407648bd29a6bdf5581ab9e3af42c1223 Mon Sep 17 00:00:00 2001
>+From: Even Rouault <even.rouault <at> spatialys.com>
>+Date: Sat, 15 Jul 2017 11:13:46 +0000
>+Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow
>write in
>+ "Raw" mode on PlanarConfig=Contig input images. Fixes
>+ http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team
>OWL337
>+
>+---
>+ ChangeLog        | 7 +++++++
>+ tools/tiff2pdf.c | 9 +++++++--
>+ 2 files changed, 14 insertions(+), 2 deletions(-)
>+
>+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
>+index 8e4e24ef..caf64ee5 100644
>+--- a/tools/tiff2pdf.c
>++++ b/tools/tiff2pdf.c
>+@@ -1,4 +1,4 @@
>+-/* $Id: tiff2pdf.c,v 1.101 2016-12-20 17:28:17 erouault Exp $
>++/* $Id: tiff2pdf.c,v 1.102 2017-07-15 11:13:46 erouault Exp $
>+  *
>+  * tiff2pdf - converts a TIFF image to a PDF document
>+  *
>+@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
>+ 	    return;
>+ 
>+ 	t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
>+-	if(t2p->pdf_nopassthrough==0){
>++        /* It seems that T2P_TRANSCODE_RAW mode doesn't support
>separate->contig */
>++        /* conversion. At least t2p_read_tiff_size and
>t2p_read_tiff_size_tile */
>++        /* do not take into account the number of samples, and thus
>*/
>++        /* that can cause heap buffer overflows such as in */
>++        /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
>++	if(t2p->pdf_nopassthrough==0 &&
>t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
>+ #ifdef CCITT_SUPPORT
>+ 		if(t2p->tiff_compression==COMPRESSION_CCITTFAX4  
>+ 			){
>+-- 
>+2.16.1
>+
>diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch
>b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
>new file mode 100644
>index 000000000..ba03c8384
>--- /dev/null
>+++ b/gnu/packages/patches/libtiff-CVE-2017-18013.patch
>@@ -0,0 +1,45 @@
>+Fix CVE-2017-18013:
>+
>+http://bugzilla.maptools.org/show_bug.cgi?id=2770
>+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
>+
>+Patch copied from upstream source repository:
>+
>+https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
>+
>+From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
>+From: Even Rouault <even.rouault <at> spatialys.com>
>+Date: Sun, 31 Dec 2017 15:09:41 +0100
>+Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null
>pointer
>+ dereference on corrupted file. Fixes
>+ http://bugzilla.maptools.org/show_bug.cgi?id=2770
>+
>+---
>+ libtiff/tif_print.c | 8 ++++----
>+ 1 file changed, 4 insertions(+), 4 deletions(-)
>+
>+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
>+index 9959d353..8deceb2b 100644
>+--- a/libtiff/tif_print.c
>++++ b/libtiff/tif_print.c
>+@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long
>flags)
>+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
>+ 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
>+ 			    (unsigned long) s,
>+-			    (unsigned __int64) td->td_stripoffset[s],
>+-			    (unsigned __int64) td->td_stripbytecount[s]);
>++			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s]
>: 0,
>++			    td->td_stripbytecount ? (unsigned __int64)
>td->td_stripbytecount[s] : 0);
>+ #else
>+ 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
>+ 			    (unsigned long) s,
>+-			    (unsigned long long) td->td_stripoffset[s],
>+-			    (unsigned long long) td->td_stripbytecount[s]);
>++			    td->td_stripoffset ? (unsigned long long)
>td->td_stripoffset[s] : 0,
>++			    td->td_stripbytecount ? (unsigned long long)
>td->td_stripbytecount[s] : 0);
>+ #endif
>+ 	}
>+ }
>+-- 
>+2.16.1
>+
>diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch
>b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
>new file mode 100644
>index 000000000..5685d81f6
>--- /dev/null
>+++ b/gnu/packages/patches/libtiff-CVE-2017-9935.patch
>@@ -0,0 +1,162 @@
>+Fix CVE-2017-9935
>+
>+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
>+http://bugzilla.maptools.org/show_bug.cgi?id=2704
>+
>+Patch copied from upstream source repository:
>+
>+https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
>+
>+From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
>+From: Brian May <brian <at> linuxpenguins.xyz>
>+Date: Thu, 7 Dec 2017 07:46:47 +1100
>+Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
>+
>+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
>+
>+This vulnerability - at least for the supplied test case - is because
>we
>+assume that a tiff will only have one transfer function that is the
>same
>+for all pages. This is not required by the TIFF standards.
>+
>+We than read the transfer function for every page.  Depending on the
>+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
>+We allocate this memory after we read in the transfer function for the
>+page.
>+
>+For the first exploit - POC1, this file has 3 pages. For the first
>page
>+we allocate 2 extra extra XREF entries. Then for the next page 2 more
>+entries. Then for the last page the transfer function changes and we
>+allocate 4 more entries.
>+
>+When we read the file into memory, we assume we have 4 bytes extra for
>+each and every page (as per the last transfer function we read). Which
>+is not correct, we only have 2 bytes extra for the first 2 pages. As a
>+result, we end up writing past the end of the buffer.
>+
>+There are also some related issues that this also fixes. For example,
>+TIFFGetField can return uninitalized pointer values, and the logic to
>+detect a N=3 vs N=1 transfer function seemed rather strange.
>+
>+It is also strange that we declare the transfer functions to be of
>type
>+float, when the standard says they are unsigned 16 bit values. This is
>+fixed in another patch.
>+
>+This patch will check to ensure that the N value for every transfer
>+function is the same for every page. If this changes, we abort with an
>+error. In theory, we should perhaps check that the transfer function
>+itself is identical for every page, however we don't do that due to
>the
>+confusion of the type of the data in the transfer function.
>+---
>+ libtiff/tif_dir.c |  3 +++
>+ tools/tiff2pdf.c  | 65
>+++++++++++++++++++++++++++++++++++++------------------
>+ 2 files changed, 47 insertions(+), 21 deletions(-)
>+
>+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
>+index 2ccaf448..cbf2b693 100644
>+--- a/libtiff/tif_dir.c
>++++ b/libtiff/tif_dir.c
>+@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list
>ap)
>+ 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
>+ 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
>+ 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
>++			} else {
>++				*va_arg(ap, uint16**) = NULL;
>++				*va_arg(ap, uint16**) = NULL;
>+ 			}
>+ 			break;
>+ 		case TIFFTAG_REFERENCEBLACKWHITE:
>+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
>+index d1a9b095..c3ec0746 100644
>+--- a/tools/tiff2pdf.c
>++++ b/tools/tiff2pdf.c
>+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
>+ 	uint16 pagen=0;
>+ 	uint16 paged=0;
>+ 	uint16 xuint16=0;
>++	uint16 tiff_transferfunctioncount=0;
>++	float* tiff_transferfunction[3];
>+ 
>+ 	directorycount=TIFFNumberOfDirectories(input);
>+ 	t2p->tiff_pages = (T2P_PAGE*)
>_TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
>+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF*
>input){
>+                 }
>+ #endif
>+ 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
>+-                                 &(t2p->tiff_transferfunction[0]),
>+-                                 &(t2p->tiff_transferfunction[1]),
>+-                                 &(t2p->tiff_transferfunction[2]))) {
>+-			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
>+-                           (t2p->tiff_transferfunction[2] != (float*)
>NULL) &&
>+-                           (t2p->tiff_transferfunction[1] !=
>+-                            t2p->tiff_transferfunction[0])) {
>+-				t2p->tiff_transferfunctioncount = 3;
>+-				t2p->tiff_pages[i].page_extra += 4;
>+-				t2p->pdf_xrefcount += 4;
>+-			} else {
>+-				t2p->tiff_transferfunctioncount = 1;
>+-				t2p->tiff_pages[i].page_extra += 2;
>+-				t2p->pdf_xrefcount += 2;
>+-			}
>+-			if(t2p->pdf_minorversion < 2)
>+-				t2p->pdf_minorversion = 2;
>++                                 &(tiff_transferfunction[0]),
>++                                 &(tiff_transferfunction[1]),
>++                                 &(tiff_transferfunction[2]))) {
>++
>++                        if((tiff_transferfunction[1] != (float*)
>NULL) &&
>++                           (tiff_transferfunction[2] != (float*)
>NULL)
>++                          ) {
>++                            tiff_transferfunctioncount=3;
>++                        } else {
>++                            tiff_transferfunctioncount=1;
>++                        }
>+                 } else {
>+-			t2p->tiff_transferfunctioncount=0;
>++			tiff_transferfunctioncount=0;
>+ 		}
>++
>++                if (i > 0){
>++                    if (tiff_transferfunctioncount !=
>t2p->tiff_transferfunctioncount){
>++                        TIFFError(
>++                            TIFF2PDF_MODULE,
>++                            "Different transfer function on page %d",
>++                            i);
>++                        t2p->t2p_error = T2P_ERR_ERROR;
>++                        return;
>++                    }
>++                }
>++
>++                t2p->tiff_transferfunctioncount =
>tiff_transferfunctioncount;
>++                t2p->tiff_transferfunction[0] =
>tiff_transferfunction[0];
>++                t2p->tiff_transferfunction[1] =
>tiff_transferfunction[1];
>++                t2p->tiff_transferfunction[2] =
>tiff_transferfunction[2];
>++                if(tiff_transferfunctioncount == 3){
>++                        t2p->tiff_pages[i].page_extra += 4;
>++                        t2p->pdf_xrefcount += 4;
>++                        if(t2p->pdf_minorversion < 2)
>++                                t2p->pdf_minorversion = 2;
>++                } else if (tiff_transferfunctioncount == 1){
>++                        t2p->tiff_pages[i].page_extra += 2;
>++                        t2p->pdf_xrefcount += 2;
>++                        if(t2p->pdf_minorversion < 2)
>++                                t2p->pdf_minorversion = 2;
>++                }
>++
>+ 		if( TIFFGetField(
>+ 			input, 
>+ 			TIFFTAG_ICCPROFILE, 
>+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
>+ 			 &(t2p->tiff_transferfunction[1]),
>+ 			 &(t2p->tiff_transferfunction[2]))) {
>+ 		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
>+-                   (t2p->tiff_transferfunction[2] != (float*) NULL)
>&&
>+-                   (t2p->tiff_transferfunction[1] !=
>+-                    t2p->tiff_transferfunction[0])) {
>++                   (t2p->tiff_transferfunction[2] != (float*) NULL)
>++                  ) {
>+ 			t2p->tiff_transferfunctioncount=3;
>+ 		} else {
>+ 			t2p->tiff_transferfunctioncount=1;
>+-- 
>+2.16.1
>+

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.




Information forwarded to guix-patches <at> gnu.org:
bug#30418; Package guix-patches. (Sun, 11 Feb 2018 01:34:02 GMT) Full text and rfc822 format available.

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Sun, 11 Feb 2018 04:01:01 GMT) Full text and rfc822 format available.

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Sun, 11 Feb 2018 04:01:02 GMT) Full text and rfc822 format available.

Message #16 received at 30418-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 30418-done <at> debbugs.gnu.org
Subject: Re: [bug#30418] [PATCH] gnu: libtiff: Fix CVE-2017-{9935,11335,18013}.
Date: Sat, 10 Feb 2018 23:00:02 -0500
On Sun, Feb 11, 2018 at 02:32:38AM +0100, Marius Bakke wrote:
> 
> 
> On February 11, 2018 2:05:18 AM GMT+01:00, Leo Famulari <leo <at> famulari.name> wrote:
> >* gnu/packages/patches/libtiff-CVE-2017-9935.patch,
> >gnu/packages/patches/libtiff-CVE-2017-11335.patch,
> >gnu/packages/patches/libtiff-CVE-2017-18013.patch: New files.
> >* gnu/local.mk (dist_patch_DATA): Add them.
> >* gnu/packages/image.scm (libtiff)[replacement]: New field.
> >(libtiff/fixed): New variable.
> 
> LGTM, thanks for taking care of this.

Thanks for review, pushed as 79cf1053046f083df831460c9ff7d42d5c47c110

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 11 Mar 2018 11:24:04 GMT) Full text and rfc822 format available.
