~alpine/aports

v3.5: main/tiff: security fixes #6734 v1 PROPOSED

Sergei Lukin: 1
 main/tiff: security fixes #6734

 2 files changed, 86 insertions(+), 8 deletions(-)
Export patchset (mbox)
How do I use this?

Copy & paste the following snippet into your terminal to import this patchset into git:

curl -s https://lists.alpinelinux.org/~alpine/aports/patches/1060/mbox | git am -3
Learn more about email & git

[alpine-aports] [PATCH v3.5] main/tiff: security fixes #6734 Export this patch

CVE-2017-5225: Heap-buffer overflow in tools/tiffcp via crafted BitsPerSample value
---
 main/tiff/APKBUILD            | 25 +++++++++++-----
 main/tiff/CVE-2017-5225.patch | 69 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+), 8 deletions(-)
 create mode 100644 main/tiff/CVE-2017-5225.patch

diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index b1889d1fa0..9ecb3090c5 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -1,8 +1,9 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=4.0.7
pkgrel=0
pkgrel=1
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
arch="all"
@@ -12,13 +13,18 @@ depends_dev="zlib-dev libjpeg-turbo-dev"
makedepends="libtool autoconf automake $depends_dev"
subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
source="http://download.osgeo.org/libtiff/tiff-${pkgver}.tar.gz
	CVE-2017-5225.patch
	"

_builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
#   4.0.7-r1:
#     - CVE-2017-5225

builddir="$srcdir"/$pkgname-$pkgver

prepare() {
	local _failed=
	cd "$_builddir"
	cd "$builddir"
	update_config_sub || return 1
	for i in $source; do
		case $i in
@@ -28,7 +34,7 @@ prepare() {
}

build() {
	cd "$_builddir"
	cd "$builddir"

	./configure \
		--build=$CBUILD \
@@ -43,7 +49,7 @@ build() {
}

package() {
	cd "$_builddir"
	cd "$builddir"
	make DESTDIR="$pkgdir" install
}

@@ -53,6 +59,9 @@ tools() {
	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}

md5sums="77ae928d2c6b7fb46a21c3a29325157b  tiff-4.0.7.tar.gz"
sha256sums="9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019  tiff-4.0.7.tar.gz"
sha512sums="941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc  tiff-4.0.7.tar.gz"
md5sums="77ae928d2c6b7fb46a21c3a29325157b  tiff-4.0.7.tar.gz
1758d0b97458604fb770b55afcce156c  CVE-2017-5225.patch"
sha256sums="9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019  tiff-4.0.7.tar.gz
a1bf4d4ce292a593d525fd3c6f68090c5f6242b493e9ba80bcad70e7c2a57e68  CVE-2017-5225.patch"
sha512sums="941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc  tiff-4.0.7.tar.gz
001a2df978f51025771c243edee2d033c91114bdd5318a05730b910add9c70f219a848faad899f27421ca18da6ce9972013aa3ecf689cf4ea37ac5409b4b6244  CVE-2017-5225.patch"
diff --git a/main/tiff/CVE-2017-5225.patch b/main/tiff/CVE-2017-5225.patch
new file mode 100644
index 0000000000..d8d2cf11e3
--- /dev/null
+++ b/main/tiff/CVE-2017-5225.patch
@@ -0,0 +1,69 @@
Original patch was downloaded from
 https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
 and adjusted to tiff-4.0.7

commit 5c080298d59efa53264d7248bbe3a04660db6ef7
Author: erouault <erouault>
Date:   Wed Jan 11 19:25:44 2017 +0000

    * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
    cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
    Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
    http://bugzilla.maptools.org/show_bug.cgi?id=2657

diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index bdf754c3..8bbcd52f 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -591,7 +591,7 @@ static	copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
 static int
 tiffcp(TIFF* in, TIFF* out)
 {
-	uint16 bitspersample, samplesperpixel = 1;
+	uint16 bitspersample = 1, samplesperpixel = 1;
 	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
 	copyFunc cf;
 	uint32 width, length;
@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
 	register uint32 n;
 	uint32 row;
 	tsample_t s;
+        uint16 bps = 0;
+
+        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+        if( bps != 8 )
+        {
+            TIFFError(TIFFFileName(in),
+                      "Error, can only handle BitsPerSample=8 in %s",
+                      "cpContig2SeparateByRow");
+            return 0;
+        }
 
 	inbuf = _TIFFmalloc(scanlinesizein);
 	outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
 	register uint32 n;
 	uint32 row;
 	tsample_t s;
+        uint16 bps = 0;
+
+        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+        if( bps != 8 )
+        {
+            TIFFError(TIFFFileName(in),
+                      "Error, can only handle BitsPerSample=8 in %s",
+                      "cpSeparate2ContigByRow");
+            return 0;
+        }
 
 	inbuf = _TIFFmalloc(scanlinesizein);
 	outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
 	uint32 w, l, tw, tl;
 	int bychunk;
 
-	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
+	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
 	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
 		fprintf(stderr,
 		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
-- 
2.11.0



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---