
[alpine-aports] [PATCH v3.4] main/tiff: security fixes #6735

From: Sergei Lukin <sergej.lukin_at_gmail.com>
Date: Thu, 26 Jan 2017 09:33:14 +0000

CVE-2017-5225: Heap-buffer overflow in tools/tiffcp via crafted BitsPerSample value
---
 main/tiff/APKBUILD            | 17 +++++++----
 main/tiff/CVE-2017-5225.patch | 69 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+), 5 deletions(-)
 create mode 100644 main/tiff/CVE-2017-5225.patch
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 4d002ec..7975ecb 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
_at_@ -3,7 +3,7 @@
 # Maintainer: Michael Mason <ms13sp_at_gmail.com>
 pkgname=tiff
 pkgver=4.0.7
-pkgrel=0
+pkgrel=1
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
_at_@ -12,9 +12,13 @@ depends=
 depends_dev="zlib-dev libjpeg-turbo-dev"
 makedepends="libtool autoconf automake $depends_dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
-source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz"
+source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
+	CVE-2017-5225.patch
+	"
 
 # secfixes:
+#   4.0.7-r1:
+#     - CVE-2017-5225
 #   4.0.7-r0:
 #     - CVE-2016-9273
 #     - CVE-2016-9297
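Review bot: Nothing visible in this diff applies CVE-2017-5225.patch to the unpacked tree: the hunk only lists it in `source=` and records `4.0.7-r1` under `# secfixes:`. Whether it is applied depends on a `prepare()` step that lies outside the hunks shown. If that step does not loop over the `*.patch` entries in `$source`, the package would advertise CVE-2017-5225 as fixed while shipping the unpatched tools/tiffcp.c. It is worth confirming this in the full APKBUILD, or checking the build log for the patch being applied, before merging.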
_at_@ -77,6 +81,9 @@ tools() {
 	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
 
-md5sums="77ae928d2c6b7fb46a21c3a29325157b  tiff-4.0.7.tar.gz"
-sha256sums="9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019  tiff-4.0.7.tar.gz"
-sha512sums="941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc  tiff-4.0.7.tar.gz"
+md5sums="77ae928d2c6b7fb46a21c3a29325157b  tiff-4.0.7.tar.gz
+1758d0b97458604fb770b55afcce156c  CVE-2017-5225.patch"
+sha256sums="9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019  tiff-4.0.7.tar.gz
+a1bf4d4ce292a593d525fd3c6f68090c5f6242b493e9ba80bcad70e7c2a57e68  CVE-2017-5225.patch"
+sha512sums="941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc  tiff-4.0.7.tar.gz
+001a2df978f51025771c243edee2d033c91114bdd5318a05730b910add9c70f219a848faad899f27421ca18da6ce9972013aa3ecf689cf4ea37ac5409b4b6244  CVE-2017-5225.patch"
diff --git a/main/tiff/CVE-2017-5225.patch b/main/tiff/CVE-2017-5225.patch
new file mode 100644
index 0000000..d8d2cf1
--- /dev/null
+++ b/main/tiff/CVE-2017-5225.patch
_at_@ -0,0 +1,69 @@
+Original patch was downloaded from
+ https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
+ and adjusted to tiff-4.0.7
+
+commit 5c080298d59efa53264d7248bbe3a04660db6ef7
+Author: erouault <erouault>
+Date:   Wed Jan 11 19:25:44 2017 +0000
+
+    * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+    cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
+    Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+    http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index bdf754c3..8bbcd52f 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+_at_@ -591,7 +591,7 @@ static	copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+-	uint16 bitspersample, samplesperpixel = 1;
++	uint16 bitspersample = 1, samplesperpixel = 1;
+ 	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ 	copyFunc cf;
+ 	uint32 width, length;
+_at_@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
+ 	register uint32 n;
+ 	uint32 row;
+ 	tsample_t s;
++        uint16 bps = 0;
++
++        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps != 8 )
++        {
++            TIFFError(TIFFFileName(in),
++                      "Error, can only handle BitsPerSample=8 in %s",
++                      "cpContig2SeparateByRow");
++            return 0;
++        }
+ 
+ 	inbuf = _TIFFmalloc(scanlinesizein);
+ 	outbuf = _TIFFmalloc(scanlinesizeout);
+_at_@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
+ 	register uint32 n;
+ 	uint32 row;
+ 	tsample_t s;
++        uint16 bps = 0;
++
++        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++        if( bps != 8 )
++        {
++            TIFFError(TIFFFileName(in),
++                      "Error, can only handle BitsPerSample=8 in %s",
++                      "cpSeparate2ContigByRow");
++            return 0;
++        }
+ 
+ 	inbuf = _TIFFmalloc(scanlinesizein);
+ 	outbuf = _TIFFmalloc(scanlinesizeout);
+_at_@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
+ 	uint32 w, l, tw, tl;
+ 	int bychunk;
+ 
+-	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
++	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+ 	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+ 		fprintf(stderr,
+ 		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
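Review bot: The new BitsPerSample guards in cpContig2SeparateByRow and cpSeparate2ContigByRow discard the TIFFGetField() result with `(void)` and rely on `uint16 bps = 0` to fail closed when the tag is absent, but nothing in the code says so. A comment above each call, such as `/* bps stays 0 if the tag is missing, so the != 8 check still rejects the file */`, would stop a later cleanup from dropping the initialiser and reading an indeterminate value. The same applies to `bitspersample = 1` in tiffcp(), where a short note that the initialiser covers a missing tag would explain why it is there. Both guards sit before the `_TIFFmalloc` calls, so the early `return 0` has nothing to free. The bodies of all four functions continue outside the hunks shown.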
-- 
2.8.3
Received on Thu Jan 26 2017 - 09:33:14 GMT