
[alpine-aports] [PATCH v3.4] main/tiff: security fixes #6735

Sergei Lukin
Message ID
<20170126093017.201-1-sergej.lukin@gmail.com>
Sender timestamp
1485423017
DKIM signature
missing
Patch: +72 -1
CVE-2017-5225: Heap-buffer overflow in tools/tiffcp via crafted BitsPerSample value
---
 main/tiff/APKBUILD            |  4 ++-
 main/tiff/CVE-2017-5225.patch | 69 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 main/tiff/CVE-2017-5225.patch

diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 4d002ec..4e4e862 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=4.0.7
pkgrel=0
pkgrel=1
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
arch="all"
@@ -15,6 +15,8 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz"

# secfixes:
#   4.0.7-r1:
#     - CVE-2017-5225
#   4.0.7-r0:
#     - CVE-2016-9273
#     - CVE-2016-9297
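Review bot: The new `CVE-2017-5225.patch` is never added to `source=`; the second hunk shows `source` closing on the tarball URL alone, and the diffstat leaves no room for a checksum change. As far as this section shows, the build would neither fetch nor apply the patch, while `# secfixes:` already records 4.0.7-r1 as fixing CVE-2017-5225. Unless the patch is wired in somewhere outside these hunks, list it, e.g. `source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz CVE-2017-5225.patch"`, and regenerate the checksums. Otherwise the release advertises a fix it does not ship.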
diff --git a/main/tiff/CVE-2017-5225.patch b/main/tiff/CVE-2017-5225.patch
new file mode 100644
index 0000000..d8d2cf1
--- /dev/null
+++ b/main/tiff/CVE-2017-5225.patch
@@ -0,0 +1,69 @@
Original patch was downloaded from
 https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
 and adjusted to tiff-4.0.7

commit 5c080298d59efa53264d7248bbe3a04660db6ef7
Author: erouault <erouault>
Date:   Wed Jan 11 19:25:44 2017 +0000

    * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
    cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
    Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
    http://bugzilla.maptools.org/show_bug.cgi?id=2657

diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index bdf754c3..8bbcd52f 100644
--- a/tools/tiffcp.c
@@ -591,7 +591,7 @@ static	copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
 static int
 tiffcp(TIFF* in, TIFF* out)
 {
-	uint16 bitspersample, samplesperpixel = 1;
+	uint16 bitspersample = 1, samplesperpixel = 1;
 	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
 	copyFunc cf;
 	uint32 width, length;
@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
 	register uint32 n;
 	uint32 row;
 	tsample_t s;
+        uint16 bps = 0;
+
+        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+        if( bps != 8 )
+        {
+            TIFFError(TIFFFileName(in),
+                      "Error, can only handle BitsPerSample=8 in %s",
+                      "cpContig2SeparateByRow");
+            return 0;
+        }
 
 	inbuf = _TIFFmalloc(scanlinesizein);
 	outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
 	register uint32 n;
 	uint32 row;
 	tsample_t s;
+        uint16 bps = 0;
+
+        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+        if( bps != 8 )
+        {
+            TIFFError(TIFFFileName(in),
+                      "Error, can only handle BitsPerSample=8 in %s",
+                      "cpSeparate2ContigByRow");
+            return 0;
+        }
 
 	inbuf = _TIFFmalloc(scanlinesizein);
 	outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
 	uint32 w, l, tw, tl;
 	int bychunk;
 
-	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
+	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
 	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
 		fprintf(stderr,
 		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
-- 
2.8.3
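Review bot: The two new guards in cpContig2SeparateByRow and cpSeparate2ContigByRow fail closed on a missing BitsPerSample tag only because `bps` starts at 0 while the result of `TIFFGetField` is discarded, and nothing in the code says so. A comment above each check would keep a later cleanup from dropping the `= 0` initialiser, for example `/* Row copy below handles 8-bit samples only; bps stays 0, and is rejected, when the tag is absent. */`. The copy loops are outside these hunks, so the 8-bit-only wording is taken from the commit message and should be checked against the function bodies. The added lines are also indented with spaces, while the surrounding tiffcp.c context uses tabs.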


