GNU bug report logs - #31967
[PATCH] gnu: libtiff: Fix CVE-2018-{8905,10963}.

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 25 Jun 2018 20:34:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 31967 in the body.
You can then email your comments to 31967 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#31967; Package guix-patches. (Mon, 25 Jun 2018 20:34:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 25 Jun 2018 20:34:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: libtiff: Fix CVE-2018-{8905,10963}.
Date: Mon, 25 Jun 2018 16:32:58 -0400

* gnu/packages/patches/libtiff-CVE-2018-8905.patch,
gnu/packages/patches/libtiff-CVE-2018-10963.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[replacement]: New field.
(libtiff/fixed): New variable.
---
 gnu/local.mk                                  |  2 +
 gnu/packages/image.scm                        | 12 ++++
 .../patches/libtiff-CVE-2018-10963.patch      | 40 ++++++++++++
 .../patches/libtiff-CVE-2018-8905.patch       | 61 +++++++++++++++++++
 4 files changed, 115 insertions(+)
 create mode 100644 gnu/packages/patches/libtiff-CVE-2018-10963.patch
 create mode 100644 gnu/packages/patches/libtiff-CVE-2018-8905.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9d8947d55..1b39bf4e9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -883,6 +883,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtheora-config-guess.patch		\
   %D%/packages/patches/libtiff-CVE-2017-9935.patch		\
   %D%/packages/patches/libtiff-CVE-2017-18013.patch		\
+  %D%/packages/patches/libtiff-CVE-2018-8905.patch		\
+  %D%/packages/patches/libtiff-CVE-2018-10963.patch		\
   %D%/packages/patches/libtool-skip-tests2.patch		\
   %D%/packages/patches/libusb-0.1-disable-tests.patch		\
   %D%/packages/patches/libusb-for-axoloti.patch			\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index a2874be1a..5ad6fe948 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -394,6 +394,7 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
+   (replacement libtiff/fixed)
    (version "4.0.9")
    (source
      (origin
@@ -426,6 +427,17 @@ collection of tools for doing simple manipulations of TIFF images.")
                                   "See COPYRIGHT in the distribution."))
    (home-page "http://www.simplesystems.org/libtiff/")))
 
+(define libtiff/fixed
+  (package
+    (inherit libtiff)
+    (source
+      (origin
+        (inherit (package-source libtiff))
+        (patches
+          (append (origin-patches (package-source libtiff))
+                  (search-patches "libtiff-CVE-2018-8905.patch"
+                                  "libtiff-CVE-2018-10963.patch")))))))
+
 (define-public leptonica
   (package
     (name "leptonica")
diff --git a/gnu/packages/patches/libtiff-CVE-2018-10963.patch b/gnu/packages/patches/libtiff-CVE-2018-10963.patch
new file mode 100644
index 000000000..d31c12399
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2018-10963.patch
@@ -0,0 +1,40 @@
+Fix CVE-2018-10963:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2795
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/de144fd228e4be8aa484c3caf3d814b6fa88c6d9
+
+From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault <at> spatialys.com>
+Date: Sat, 12 May 2018 14:24:15 +0200
+Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
+
+---
+ libtiff/tif_dirwrite.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 2430de6d..c15a28db 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ 								}
+ 								break;
+ 							default:
+-								assert(0);   /* we should never get here */
+-								break;
++								TIFFErrorExt(tif->tif_clientdata,module,
++								            "Cannot write tag %d (%s)",
++								            TIFFFieldTag(o),
++                                                                            o->field_name ? o->field_name : "unknown");
++								goto bad;
+ 						}
+ 					}
+ 				}
+-- 
+2.17.0
+
diff --git a/gnu/packages/patches/libtiff-CVE-2018-8905.patch b/gnu/packages/patches/libtiff-CVE-2018-8905.patch
new file mode 100644
index 000000000..f49815789
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2018-8905.patch
@@ -0,0 +1,61 @@
+Fix CVE-2018-8095:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2780
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d
+
+From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault <at> spatialys.com>
+Date: Sat, 12 May 2018 15:32:31 +0200
+Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
+
+The fix consists in using the similar code LZWDecode() to validate we
+don't write outside of the output buffer.
+---
+ libtiff/tif_lzw.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index 4ccb443c..94d85e38 100644
+--- a/libtiff/tif_lzw.c
++++ b/libtiff/tif_lzw.c
+@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ 	char *tp;
+ 	unsigned char *bp;
+ 	int code, nbits;
++	int len;
+ 	long nextbits, nextdata, nbitsmask;
+ 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
+ 
+@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ 				}  while (--occ);
+ 				break;
+ 			}
+-			assert(occ >= codep->length);
+-			op += codep->length;
+-			occ -= codep->length;
+-			tp = op;
++			len = codep->length;
++			tp = op + len;
+ 			do {
+-				*--tp = codep->value;
+-			} while( (codep = codep->next) != NULL );
++				int t;
++				--tp;
++				t = codep->value;
++				codep = codep->next;
++				*tp = (char)t;
++			} while (codep && tp > op);
++			assert(occ >= len);
++			op += len;
++			occ -= len;
+ 		} else {
+ 			*op++ = (char)code;
+ 			occ--;
+-- 
+2.17.0
+
-- 
2.18.0
Information forwarded to guix-patches <at> gnu.org:
bug#31967; Package guix-patches. (Mon, 25 Jun 2018 20:41:02 GMT) Full text and rfc822 format available.

Message #8 received at 31967 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 31967 <at> debbugs.gnu.org
Subject: Re: [bug#31967] [PATCH] gnu: libtiff: Fix CVE-2018-{8905,10963}.
Date: Mon, 25 Jun 2018 22:40:11 +0200

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> * gnu/packages/patches/libtiff-CVE-2018-8905.patch,
> gnu/packages/patches/libtiff-CVE-2018-10963.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/image.scm (libtiff)[replacement]: New field.
> (libtiff/fixed): New variable.

LGTM, thanks!

[signature.asc (application/pgp-signature, inline)]
Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Tue, 26 Jun 2018 15:54:02 GMT) Full text and rfc822 format available.
Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Tue, 26 Jun 2018 15:54:02 GMT) Full text and rfc822 format available.

Message #13 received at 31967-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 31967-done <at> debbugs.gnu.org
Subject: Re: [bug#31967] [PATCH] gnu: libtiff: Fix CVE-2018-{8905,10963}.
Date: Tue, 26 Jun 2018 11:52:59 -0400

[Message part 1 (text/plain, inline)]
On Mon, Jun 25, 2018 at 10:40:11PM +0200, Marius Bakke wrote:
> Leo Famulari <leo <at> famulari.name> writes:
> 
> > * gnu/packages/patches/libtiff-CVE-2018-8905.patch,
> > gnu/packages/patches/libtiff-CVE-2018-10963.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/image.scm (libtiff)[replacement]: New field.
> > (libtiff/fixed): New variable.
> 
> LGTM, thanks!

Thanks! Pushed as 8dbfaff028d73cc847a9fff03cb17006c5461b11

[signature.asc (application/pgp-signature, inline)]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 25 Jul 2018 11:24:06 GMT) Full text and rfc822 format available.
This bug report was last modified 6 years and 334 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.