01/01: gnu: libtiff: Update to 4.0.6. Add fixes for CVE-2015-{8665,8683}.


From: Mark H. Weaver
Subject: 01/01: gnu: libtiff: Update to 4.0.6. Add fixes for CVE-2015-{8665, 8683}.
Date: Thu, 21 Jan 2016 05:30:24 +0000

mhw pushed a commit to branch core-updates
in repository guix.

commit 86fa2ea92f431fe9d23d41aa22c198ec2ce9a5f1
Author: Mark H Weaver <address@hidden>
Date:   Thu Jan 21 00:28:03 2016 -0500

    gnu: libtiff: Update to 4.0.6.  Add fixes for CVE-2015-{8665,8683}.
    
    * gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch,
      gnu/packages/patches/libtiff-oob-accesses-in-decode.patch,
      gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch: New files.
    * gnu-system.am (dist_patch_DATA): Add them.
    * gnu/packages/image.scm (libtiff): Update to 4.0.6.
      [source]: Add patches.
---
 gnu-system.am                                      |    3 +
 gnu/packages/image.scm                             |   10 +-
 .../libtiff-CVE-2015-8665+CVE-2015-8683.patch      |  107 ++++++++++++
 .../patches/libtiff-oob-accesses-in-decode.patch   |  171 ++++++++++++++++++++
 .../patches/libtiff-oob-write-in-nextdecode.patch  |   49 ++++++
 5 files changed, 337 insertions(+), 3 deletions(-)

diff --git a/gnu-system.am b/gnu-system.am
index fe421a9..d37775d 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -547,6 +547,9 @@ dist_patch_DATA =                                           
\
   gnu/packages/patches/libmad-frame-length.patch               \
   gnu/packages/patches/libmad-mips-newgcc.patch                        \
   gnu/packages/patches/libtheora-config-guess.patch            \
+  gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
+  gnu/packages/patches/libtiff-oob-accesses-in-decode.patch    \
+  gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch   \
   gnu/packages/patches/libtool-skip-tests2.patch               \
   gnu/packages/patches/libsndfile-CVE-2014-9496.patch          \
   gnu/packages/patches/libsndfile-CVE-2015-7805.patch          \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index d3ed92f..bf120f0 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2015 Andreas Enge <address@hidden>
-;;; Copyright © 2014, 2015 Mark H Weaver <address@hidden>
+;;; Copyright © 2014, 2015, 2016 Mark H Weaver <address@hidden>
 ;;; Copyright © 2014, 2015 Alex Kost <address@hidden>
 ;;; Copyright © 2014 Ricardo Wurmus <address@hidden>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <address@hidden>
@@ -131,13 +131,17 @@ maximum quality factor.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (version "4.0.5")
+   (version "4.0.6")
    (source (origin
             (method url-fetch)
             (uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-";
                    version ".tar.gz"))
             (sha256 (base32
-                     "171hgy4mylwmvdm7gp6ffjva81m4j56v3fbqsbfl7avzxn1slpp2"))))
+                     "136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd"))
+            (patches (map search-patch
+                          '("libtiff-oob-accesses-in-decode.patch"
+                            "libtiff-oob-write-in-nextdecode.patch"
+                            "libtiff-CVE-2015-8665+CVE-2015-8683.patch")))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                           ;1.3 MiB of HTML documentation
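Review bot: The `sha256` value is replaced together with the version bump while the tarball is still fetched over unauthenticated `ftp://`, so the integrity of the new 4.0.6 input rests entirely on this one base32 string, and neither the hunk nor the commit message says how it was cross-checked (upstream announcement, a detached signature, or a second mirror); a one-line note in the commit message would make that auditable later. The two Bugzilla-referenced patches (`libtiff-oob-accesses-in-decode.patch`, `libtiff-oob-write-in-nextdecode.patch`) carry no CVE identifier in their names; if identifiers are assigned for those bugs later, renaming them to the `libtiff-CVE-....patch` convention used by the third patch keeps the fixes discoverable by vulnerability scanners that key on file names. The package definition continues past the end of the hunk.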
diff --git a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch 
b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
new file mode 100644
index 0000000..811516d
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
@@ -0,0 +1,107 @@
+2015-12-26  Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+       interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+       for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+       TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+       CVE-2015-8683 reported by zzf of Alibaba.
+
+diff -u -r1.93 -r1.94
+--- libtiff/libtiff/tif_getimage.c     22 Nov 2015 15:31:03 -0000      1.93
++++ libtiff/libtiff/tif_getimage.c     26 Dec 2015 17:32:03 -0000      1.94
+@@ -182,20 +182,22 @@
+                                   "Planarconfiguration", td->td_planarconfig);
+                               return (0);
+                       }
+-                      if( td->td_samplesperpixel != 3 )
++                      if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d",
+-                        "Samples/pixel", td->td_samplesperpixel);
++                        "Sorry, can not handle image with %s=%d, %s=%d",
++                        "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels);
+                 return 0;
+             }
+                       break;
+               case PHOTOMETRIC_CIELAB:
+-            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
++            if( td->td_samplesperpixel != 3 || colorchannels != 3 || 
td->td_bitspersample != 8 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d and %s=%d",
++                        "Sorry, can not handle image with %s=%d, %s=%d and 
%s=%d",
+                         "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels,
+                         "Bits/sample", td->td_bitspersample);
+                 return 0;
+             }
+@@ -255,6 +257,9 @@
+       int colorchannels;
+       uint16 *red_orig, *green_orig, *blue_orig;
+       int n_color;
++      
++      if( !TIFFRGBAImageOK(tif, emsg) )
++              return 0;
+ 
+       /* Initialize to normal values */
+       img->row_offset = 0;
+@@ -2509,29 +2514,33 @@
+               case PHOTOMETRIC_RGB:
+                       switch (img->bitspersample) {
+                               case 8:
+-                                      if (img->alpha == 
EXTRASAMPLE_ASSOCALPHA)
++                                      if (img->alpha == 
EXTRASAMPLE_ASSOCALPHA &&
++                                              img->samplesperpixel >= 4)
+                                               img->put.contig = 
putRGBAAcontig8bittile;
+-                                      else if (img->alpha == 
EXTRASAMPLE_UNASSALPHA)
++                                      else if (img->alpha == 
EXTRASAMPLE_UNASSALPHA &&
++                                                       img->samplesperpixel 
>= 4)
+                                       {
+                                               if (BuildMapUaToAa(img))
+                                                       img->put.contig = 
putRGBUAcontig8bittile;
+                                       }
+-                                      else
++                                      else if( img->samplesperpixel >= 3 )
+                                               img->put.contig = 
putRGBcontig8bittile;
+                                       break;
+                               case 16:
+-                                      if (img->alpha == 
EXTRASAMPLE_ASSOCALPHA)
++                                      if (img->alpha == 
EXTRASAMPLE_ASSOCALPHA &&
++                                              img->samplesperpixel >=4 )
+                                       {
+                                               if (BuildMapBitdepth16To8(img))
+                                                       img->put.contig = 
putRGBAAcontig16bittile;
+                                       }
+-                                      else if (img->alpha == 
EXTRASAMPLE_UNASSALPHA)
++                                      else if (img->alpha == 
EXTRASAMPLE_UNASSALPHA &&
++                                                       img->samplesperpixel 
>=4 )
+                                       {
+                                               if (BuildMapBitdepth16To8(img) 
&&
+                                                   BuildMapUaToAa(img))
+                                                       img->put.contig = 
putRGBUAcontig16bittile;
+                                       }
+-                                      else
++                                      else if( img->samplesperpixel >=3 )
+                                       {
+                                               if (BuildMapBitdepth16To8(img))
+                                                       img->put.contig = 
putRGBcontig16bittile;
+@@ -2540,7 +2549,7 @@
+                       }
+                       break;
+               case PHOTOMETRIC_SEPARATED:
+-                      if (buildMap(img)) {
++                      if (img->samplesperpixel >=4 && buildMap(img)) {
+                               if (img->bitspersample == 8) {
+                                       if (!img->Map)
+                                               img->put.contig = 
putRGBcontig8bitCMYKtile;
+@@ -2636,7 +2645,7 @@
+                       }
+                       break;
+               case PHOTOMETRIC_CIELAB:
+-                      if (buildMap(img)) {
++                      if (img->samplesperpixel == 3 && buildMap(img)) {
+                               if (img->bitspersample == 8)
+                                       img->put.contig = 
initCIELabConversion(img);
+                               break;
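Review bot: The new guards in the photometric switch (`else if( img->samplesperpixel >= 3 )`, `img->samplesperpixel >=4 && buildMap(img)` and `img->samplesperpixel == 3 && buildMap(img)`) leave `img->put.contig` unset for the rejected SamplesPerPixel values, so safety now depends on the caller refusing to use a null put routine; the tail of that function is outside the hunk and should be confirmed rather than assumed. The enlarged `sprintf(emsg, ...)` messages in the first hunk write into a caller-supplied buffer whose size is not visible here; the `%d` arguments keep the output bounded, but a `snprintf` with the buffer size the public header documents would make that explicit. The added `TIFFRGBAImageOK(tif, emsg)` call at the top of TIFFRGBAImageBegin repeats the checks for callers that already ran TIFFRGBAImageOK; that is harmless but deserves a why-comment such as `/* Re-validate here: callers are not required to have called TIFFRGBAImageOK() first. */`. The enclosing functions of all three hunks start and end outside the hunk.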
diff --git a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch 
b/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
new file mode 100644
index 0000000..3fea745
--- /dev/null
+++ b/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
@@ -0,0 +1,171 @@
+2015-12-27  Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+       functions in non debug builds by replacing assert()s by regular if
+       checks (bugzilla #2522).
+       Fix potential out-of-bound reads in case of short input data.
+
+diff -u -r1.40 -r1.41
+--- libtiff/libtiff/tif_luv.c  21 Jun 2015 01:09:09 -0000      1.40
++++ libtiff/libtiff/tif_luv.c  27 Dec 2015 16:25:11 -0000      1.41
+@@ -1,4 +1,4 @@
+-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
++/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1997 Greg Ward Larson
+@@ -202,7 +202,11 @@
+       if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+               tp = (int16*) op;
+       else {
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too 
short");
++                      return (0);
++              }
+               tp = (int16*) sp->tbuf;
+       }
+       _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@
+       cc = tif->tif_rawcc;
+       /* get each byte string */
+       for (shft = 2*8; (shft -= 8) >= 0; ) {
+-              for (i = 0; i < npixels && cc > 0; )
++              for (i = 0; i < npixels && cc > 0; ) {
+                       if (*bp >= 128) {               /* run */
+-                              rc = *bp++ + (2-128);   /* TODO: potential 
input buffer overrun when decoding corrupt or truncated data */
++                              if( cc < 2 )
++                                      break;
++                              rc = *bp++ + (2-128);
+                               b = (int16)(*bp++ << shft);
+                               cc -= 2;
+                               while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@
+                               while (--cc && rc-- && i < npixels)
+                                       tp[i++] |= (int16)*bp++ << shft;
+                       }
++              }
+               if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                       TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@
+       if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+               tp = (uint32 *)op;
+       else {
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too 
short");
++                      return (0);
++              }
+               tp = (uint32 *) sp->tbuf;
+       }
+       /* copy to array of uint32 */
+       bp = (unsigned char*) tif->tif_rawcp;
+       cc = tif->tif_rawcc;
+-      for (i = 0; i < npixels && cc > 0; i++) {
++      for (i = 0; i < npixels && cc >= 3; i++) {
+               tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+               bp += 3;
+               cc -= 3;
+@@ -325,7 +336,11 @@
+       if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+               tp = (uint32*) op;
+       else {
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too 
short");
++                      return (0);
++              }
+               tp = (uint32*) sp->tbuf;
+       }
+       _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@
+       cc = tif->tif_rawcc;
+       /* get each byte string */
+       for (shft = 4*8; (shft -= 8) >= 0; ) {
+-              for (i = 0; i < npixels && cc > 0; )
++              for (i = 0; i < npixels && cc > 0; ) {
+                       if (*bp >= 128) {               /* run */
++                              if( cc < 2 )
++                                      break;
+                               rc = *bp++ + (2-128);
+                               b = (uint32)*bp++ << shft;
+-                              cc -= 2;                /* TODO: potential 
input buffer overrun when decoding corrupt or truncated data */
++                              cc -= 2;
+                               while (rc-- && i < npixels)
+                                       tp[i++] |= b;
+                       } else {                        /* non-run */
+@@ -346,6 +363,7 @@
+                               while (--cc && rc-- && i < npixels)
+                                       tp[i++] |= (uint32)*bp++ << shft;
+                       }
++              }
+               if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+                       TIFFErrorExt(tif->tif_clientdata, module,
+@@ -413,6 +431,7 @@
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++      static const char module[] = "LogL16Encode";
+       LogLuvState* sp = EncoderState(tif);
+       int shft;
+       tmsize_t i;
+@@ -433,7 +452,11 @@
+               tp = (int16*) bp;
+       else {
+               tp = (int16*) sp->tbuf;
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too 
short");
++                      return (0);
++              }
+               (*sp->tfunc)(sp, bp, npixels);
+       }
+       /* compress each byte string */
+@@ -506,6 +529,7 @@
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++      static const char module[] = "LogLuvEncode24";
+       LogLuvState* sp = EncoderState(tif);
+       tmsize_t i;
+       tmsize_t npixels;
+@@ -521,7 +545,11 @@
+               tp = (uint32*) bp;
+       else {
+               tp = (uint32*) sp->tbuf;
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too 
short");
++                      return (0);
++              }
+               (*sp->tfunc)(sp, bp, npixels);
+       }
+       /* write out encoded pixels */
+@@ -553,6 +581,7 @@
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++      static const char module[] = "LogLuvEncode32";
+       LogLuvState* sp = EncoderState(tif);
+       int shft;
+       tmsize_t i;
+@@ -574,7 +603,11 @@
+               tp = (uint32*) bp;
+       else {
+               tp = (uint32*) sp->tbuf;
+-              assert(sp->tbuflen >= npixels);
++              if(sp->tbuflen < npixels) {
++                      TIFFErrorExt(tif->tif_clientdata, module,
++                                               "Translation buffer too 
short");
++                      return (0);
++              }
+               (*sp->tfunc)(sp, bp, npixels);
+       }
+       /* compress each byte string */
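Review bot: The `cc >= 3` loop guard added to LogLuvDecode24 (`for (i = 0; i < npixels && cc >= 3; i++)`) stops silently on a trailing one- or two-byte remainder, so reporting the short read now depends on an `i != npixels` check after that loop, which lies below the hunk; confirm it exists, as it visibly does for the two RLE decoders. The `if( cc < 2 ) break;` guards are sound because the inner loop can only exit early with `i < npixels`, which the visible `if (i != npixels)` tail then turns into an error. Style: the six new checks repeat the literal `"Translation buffer too short"` and use `if(` where the file writes `if (`; a single `static const char` message (or a tiny static helper taking `tif`, `module`, `sp` and `npixels`) would keep the message and the check consistent. The decoder and encoder bodies all start or end outside the hunk.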
diff --git a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch 
b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
new file mode 100644
index 0000000..50657b6
--- /dev/null
+++ b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
@@ -0,0 +1,49 @@
+2015-12-27  Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
+       triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
+       (bugzilla #2508)
+
+diff -u -r1.16 -r1.18
+--- libtiff/libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000      1.16
++++ libtiff/libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000      1.18
+@@ -1,4 +1,4 @@
+-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
++/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -37,7 +37,7 @@
+       case 0: op[0]  = (unsigned char) ((v) << 6); break;     \
+       case 1: op[0] |= (v) << 4; break;       \
+       case 2: op[0] |= (v) << 2; break;       \
+-      case 3: *op++ |= (v);      break;       \
++      case 3: *op++ |= (v);      op_offset++; break;  \
+       }                                       \
+ }
+ 
+@@ -103,6 +103,7 @@
+               }
+               default: {
+                       uint32 npixels = 0, grey;
++                      tmsize_t op_offset = 0;
+                       uint32 imagewidth = tif->tif_dir.td_imagewidth;
+             if( isTiled(tif) )
+                 imagewidth = tif->tif_dir.td_tilewidth;
+@@ -122,10 +123,15 @@
+                                * bounds, potentially resulting in a security
+                                * issue.
+                                */
+-                              while (n-- > 0 && npixels < imagewidth)
++                              while (n-- > 0 && npixels < imagewidth && 
op_offset < scanline)
+                                       SETPIXEL(op, grey);
+                               if (npixels >= imagewidth)
+                                       break;
++                if (op_offset >= scanline ) {
++                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data 
for scanline %ld",
++                        (long) tif->tif_row);
++                    return (0);
++                }
+                               if (cc == 0)
+                                       goto bad;
+                               n = *bp++, cc--;


