CVE-2017-5225: Heap-buffer overflow in tools/tiffcp via crafted BitsPerSample value
---
main/tiff/APKBUILD | 4 ++-
main/tiff/CVE-2017-5225.patch | 69 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+), 1 deletion(-)
create mode 100644 main/tiff/CVE-2017-5225.patch
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 4d002ec..4e4e862 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=4.0.7
-pkgrel=0
+pkgrel=1
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
arch="all"
@@ -15,6 +15,8 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz"
# secfixes:
+# 4.0.7-r1:
+# - CVE-2017-5225
# 4.0.7-r0:
# - CVE-2016-9273
# - CVE-2016-9297
diff --git a/main/tiff/CVE-2017-5225.patch b/main/tiff/CVE-2017-5225.patch
new file mode 100644
index 0000000..d8d2cf1
--- /dev/null
+++ b/main/tiff/CVE-2017-5225.patch
@@ -0,0 +1,69 @@
+Original patch was downloaded from
+ https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
+ and adjusted to tiff-4.0.7
+
+commit 5c080298d59efa53264d7248bbe3a04660db6ef7
+Author: erouault <erouault>
+Date: Wed Jan 11 19:25:44 2017 +0000
+
+ * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+ cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+ http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index bdf754c3..8bbcd52f 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -591,7 +591,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+- uint16 bitspersample, samplesperpixel = 1;
++ uint16 bitspersample = 1, samplesperpixel = 1;
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ copyFunc cf;
+ uint32 width, length;
+@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpContig2SeparateByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpSeparate2ContigByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
+ uint32 w, l, tw, tl;
+ int bychunk;
+
+- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+ if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+ fprintf(stderr,
+ "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
--
2.8.3
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---