From: Sergei Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergei Lukin Subject: [alpine-aports] [PATCH v3.3] main/tiff: security fixes #6736 Date: Thu, 26 Jan 2017 09:39:03 +0000 Message-Id: <1485423543-200-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.6.6 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2017-5225: Heap-buffer overflow in tools/tiffcp via crafted BitsPerSample value --- main/tiff/APKBUILD | 8 +++-- main/tiff/CVE-2017-5225.patch | 69 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 main/tiff/CVE-2017-5225.patch diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index 4d002ec..119f111 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Michael Mason pkgname=tiff pkgver=4.0.7 -pkgrel=0 +pkgrel=1 pkgdesc="Provides support for the Tag Image File Format or TIFF" url="http://www.libtiff.org/" arch="all" @@ -12,9 +12,13 @@ depends= depends_dev="zlib-dev libjpeg-turbo-dev" makedepends="libtool autoconf automake $depends_dev" subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" -source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz" +source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz + CVE-2017-5225.patch + " # secfixes: +# 4.0.7-r1: +# - CVE-2017-5225 # 4.0.7-r0: # - CVE-2016-9273 # - CVE-2016-9297 diff --git a/main/tiff/CVE-2017-5225.patch b/main/tiff/CVE-2017-5225.patch new file mode 100644 index 0000000..d8d2cf1 --- /dev/null +++ b/main/tiff/CVE-2017-5225.patch 
@@ -0,0 +1,69 @@ +Original patch was downloaded from + https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7 + and adjusted to tiff-4.0.7 + +commit 5c080298d59efa53264d7248bbe3a04660db6ef7 +Author: erouault +Date: Wed Jan 11 19:25:44 2017 +0000 + + * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and + cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and + http://bugzilla.maptools.org/show_bug.cgi?id=2657 + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index bdf754c3..8bbcd52f 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -591,7 +591,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16); + static int + tiffcp(TIFF* in, TIFF* out) + { +- uint16 bitspersample, samplesperpixel = 1; ++ uint16 bitspersample = 1, samplesperpixel = 1; + uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; + copyFunc cf; + uint32 width, length; +@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow) + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpContig2SeparateByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow) + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpSeparate2ContigByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel) + uint32 w, l, tw, tl; + int bychunk; + +- (void) 
TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); ++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); + if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { + fprintf(stderr, + "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", -- 2.6.6 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
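Review bot: In main/tiff/APKBUILD, the source= hunk adds CVE-2017-5225.patch but the patch carries no checksum entry for it. The diffstat's 6 insertions and 2 deletions are fully accounted for by the pkgrel, source and secfixes lines, so the checksum block is untouched. Regenerate the checksums with abuild checksum and include them in this patch so the new file is verified at build time, and confirm that the package's prepare step applies patches listed in source, since neither hunk shows it.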
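Review bot: In the cpContig2SeparateByRow and cpSeparate2ContigByRow hunks of the embedded CVE-2017-5225.patch, the new guard discards the return value of TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps) and relies on the bps = 0 initialiser to reject a file in which the tag is absent. That fails closed and sits before the _TIFFmalloc calls, so nothing needs freeing on the error path, but the reliance is implicit and differs from the pickCopyFunc hunk, which moves to TIFFGetFieldDefaulted. A short comment stating that a missing tag is rejected on purpose would keep a later cleanup from weakening the check, and printing the rejected bps value in the TIFFError message would make the failure easier to triage. The ten added lines are identical in both functions apart from the function name string, so a small shared helper would avoid the two copies drifting apart.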
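Review bot: The header of CVE-2017-5225.patch says the upstream commit was "adjusted to tiff-4.0.7" without saying what was adjusted, and the quoted commit message describes only the two ByRow checks, not the bitspersample = 1 initialiser in the tiffcp() hunk or the switch to TIFFGetFieldDefaulted in the pickCopyFunc hunk. State in the header which parts of upstream commit 5c080298d59efa53264d7248bbe3a04660db6ef7 were changed or left out, so the backport can be compared against upstream on the next version bump, and add a line on why bitspersample defaults to 1, since the hunk does not show the lookup that would otherwise leave it unset.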