Sergey Lukin: 1 main/tiff: security fixes 4 files changed, 192 insertions(+), 9 deletions(-)
CVE-2015-8668, CVE-2016-3945, CVE-2016-3990 --- main/tiff/APKBUILD | 31 ++++++++++---- main/tiff/CVE-2015-8668.patch | 40 ++++++++++++++++++ main/tiff/CVE-2016-3945.patch | 95 +++++++++++++++++++++++++++++++++++++++++++ main/tiff/CVE-2016-3990.patch | 35 ++++++++++++++++ 4 files changed, 192 insertions(+), 9 deletions(-) create mode 100644 main/tiff/CVE-2015-8668.patch create mode 100644 main/tiff/CVE-2016-3945.patch create mode 100644 main/tiff/CVE-2016-3990.patch diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index bf84f4d..85256eb 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD @@ -1,8 +1,9 @@ # Contributor: Leonardo Arena <rnalrd@alpinelinux.org> # Maintainer: Michael Mason <ms13sp@gmail.com> +# Contributor: Sergey Lukin <sergej.lukin@gmail.com> pkgname=tiff pkgver=4.0.6 -pkgrel=3 +pkgrel=4 pkgdesc="Provides support for the Tag Image File Format or TIFF" url="http://www.libtiff.org/" arch="all" @@ -11,17 +12,20 @@ depends= depends_dev="zlib-dev libjpeg-turbo-dev" makedepends="libtool autoconf automake $depends_dev" subpackages="$pkgname-doc $pkgname-dev $pkgname-tools" -source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz +source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz CVE-2015-8665.patch + CVE-2015-8668.patch CVE-2015-8781-8782-8783.patch CVE-2015-8784.patch + CVE-2016-3945.patch + CVE-2016-3990.patch " -_builddir="$srcdir"/$pkgname-$pkgver +builddir="$srcdir"/$pkgname-$pkgver prepare() { local _failed= - cd "$_builddir" + cd "$builddir" update_config_sub || return 1 for i in $source; do case $i in @@ -31,7 +35,7 @@ prepare() { } build() { - cd "$_builddir" + cd "$builddir" ./configure \ --build=$CBUILD \ @@ -46,7 +50,7 @@ build() { } package() { - cd "$_builddir" + cd "$builddir" make DESTDIR="$pkgdir" install } 
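Review bot: The replacement tarball URL in `source=` is plain `http://`, so like the `ftp://` URL it replaces it gives no transport integrity, and the download is protected only by the checksum entries further down in this APKBUILD. Those entries for `tiff-4.0.6.tar.gz` are unchanged by this patch, which is what pins the new mirror to the same bytes. If the host serves the file over TLS, `source="https://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz` would be the safer spelling.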
@@ -58,13 +62,22 @@ tools() { md5sums="d1d2e940dea0b5ad435f21f03d96dd72 tiff-4.0.6.tar.gz 1ed2295ff179a6b64803d33f0f865740 CVE-2015-8665.patch +afb8f33be03452530ec08e17adfb2b4e CVE-2015-8668.patch 96d2a934914a548d244e0a055f370334 CVE-2015-8781-8782-8783.patch -8b3e84314fc2c0eeabd8d2c410f85727 CVE-2015-8784.patch" +8b3e84314fc2c0eeabd8d2c410f85727 CVE-2015-8784.patch +2d6bc5b89e7283b87c615a905d2e3336 CVE-2016-3945.patch +f1732576a00613b89d580b186d34b4b8 CVE-2016-3990.patch" sha256sums="4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c tiff-4.0.6.tar.gz 1e4158f2a85e4c597b2a6d290c54d4ee815c8930f80824363945506bda3fc798 CVE-2015-8665.patch +4a758a18324c0cf905230b84797760b9104e5fcce4667691ab330a77bd7fbef3 CVE-2015-8668.patch f7c953c51f4f14b8627aad9bfe5b183b5d56e62e96e24d80a233e0b849c0c743 CVE-2015-8781-8782-8783.patch -504332761f3e72d8424fd59d4e2c75dd280f61efbbd4e60f6bc0e1f91ed9e972 CVE-2015-8784.patch" +504332761f3e72d8424fd59d4e2c75dd280f61efbbd4e60f6bc0e1f91ed9e972 CVE-2015-8784.patch +654501fa6d69de7e79a1407baddd0bae35fb5deb2a32e919ca75b791ead4f568 CVE-2016-3945.patch +c9c98ae4b2ccef568bffb8fc538df2977a733900ead6587ca1e6b8395115bc44 CVE-2016-3990.patch" sha512sums="2c8dbaaaab9f82a7722bfe8cb6fcfcf67472beb692f1b7dafaf322759e7016dad1bc58457c0f03db50aa5bd088fef2b37358fcbc1524e20e9e14a9620373fdf8 tiff-4.0.6.tar.gz 4507d3852d57922574897d53f366d80d71d0d83850aa3c3993b956fabce26165f315838c17430d1abd41f160c40a4e3d8e6b31ff150e81059669ccfe29f90126 CVE-2015-8665.patch +0bb232dc6e49d768007217f16d89e030ffd431a543314159017a9a44d5fb301e3ada918b9bcc6571f642cc39945d4b16eb125e8e5b42bf3430ec1985a73bd9b3 CVE-2015-8668.patch 4ca7823f666df8f29eba0f62a14f71e440eef20fcc8d3a1a77cf65a07e1e737bdcfb49641ee5b62ce28877ef428106996254989d2100615dc7cf2be7aa903002 CVE-2015-8781-8782-8783.patch -46c917d435bca839bc2bcdb170e1a9724e07da9ba9cdf1230168f1cef7b1e62c4af19ebe4892d9d56f29fcf2820b8f55e81539eca70120893b2f0894efcc370f CVE-2015-8784.patch" 
+46c917d435bca839bc2bcdb170e1a9724e07da9ba9cdf1230168f1cef7b1e62c4af19ebe4892d9d56f29fcf2820b8f55e81539eca70120893b2f0894efcc370f CVE-2015-8784.patch
+3f2c74eebd0675000c881d33eaf85fb293729c2342a4994694a32f9b216205fa6c7698d13a8a3fe8dfdcbbfdb4bfb9932b169a0519811666d1fb651162711258 CVE-2016-3945.patch
+b1b9b80718be88d667376e70930fc6d4b15b9d093af98b1bb8da1398245bfb72fe1a756dd6ede3c0473d6a9ca664d59b06df008208c751aff440581fe4e9b80e CVE-2016-3990.patch"
diff --git a/main/tiff/CVE-2015-8668.patch b/main/tiff/CVE-2015-8668.patch
new file mode 100644
index 0000000..a70f824
--- /dev/null
+++ b/main/tiff/CVE-2015-8668.patch
@@ -0,0 +1,40 @@
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index 376f4e6..c747c13 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -614,18 +614,27 @@ main(int argc, char* argv[])
+ || info_hdr.iCompression == BMPC_RLE4 ) {
+ uint32 i, j, k, runlength;
+ uint32 compr_size, uncompr_size;
++ uint32 bits = 0;
+ unsigned char *comprbuf;
+ unsigned char *uncomprbuf;
+
+ compr_size = file_hdr.iSize - file_hdr.iOffBits;
+- uncompr_size = width * length;
+- /* Detect int overflow */
+- if( uncompr_size / width != length ) {
+- TIFFError(infilename,
+- "Invalid dimensions of BMP file" );
+- close(fd);
+- return -1;
+- }
++
++ bits = info_hdr.iBitCount;
++
++ if (bits > 8) // bit depth is > 8bit, adjust size
++ {
++ uncompr_size = width * length * (bits / 8);
++ /* Detect int overflow */
++ if (uncompr_size / width / (bits / 8) != length) {
++ TIFFError(infilename,
++ "Invalid dimensions of BMP file");
++ close(fd);
++ return -1;
++ }
++ }
++ else
++ uncompr_size = width * length;
+ if ( (compr_size == 0) ||
+ (compr_size > ((uint32) ~0) >> 1) ||
+ (uncompr_size == 0) ||
diff --git a/main/tiff/CVE-2016-3945.patch b/main/tiff/CVE-2016-3945.patch
new file mode 100644
index 0000000..75493bb
--- /dev/null
+++ b/main/tiff/CVE-2016-3945.patch
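Review bot: The `else` branch of the embedded bmp2tiff.c change computes `uncompr_size = width * length;` with no wrap check, although the removed lines tested exactly that product (`uncompr_size / width != length`); the overflow test now runs only when `bits > 8`. The enclosing condition is the RLE-compressed case, where depths of 8 or less look like the usual path, so the guard should cover both branches, for example by testing `width == 0 || length > ((uint32) ~0) / width` before either multiplication and returning the same "Invalid dimensions of BMP file" error. The division-based test also divides by `width`, and nothing visible in the hunk rules out a zero width. Unlike the other two patch files added in this commit, this one has no header naming its origin or upstream status, and a short `CVE:` plus source-URL preamble would make it auditable. The body of `main()` extends beyond the hunk.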
@@ -0,0 +1,95 @@
+From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 20:06:40 +0000
+Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
+ allocated buffer, when -b mode is enabled, that could result in out-of-bounds
+ write. Based initially on patch tiff-CVE-2016-3945.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
+ tests that rejected valid files.
+
+CVE: CVE-2016-3945
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
+
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index b7a81eb..16e3dc4 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ uint32 row, col;
+ uint32 *wrk_line;
+ int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ rastersize = tile_width * tile_height * sizeof (uint32);
++ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ * Allocate a scanline buffer for swapping during the vertical
+ * mirroring pass.
+ */
+- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
++ wrk_linesize = tile_width * sizeof (uint32);
++ if (tile_width != wrk_linesize / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ ok = 0;
+@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ uint32 row;
+ uint32 *wrk_line;
+ int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ rastersize = width * rowsperstrip * sizeof (uint32);
++ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ * Allocate a scanline buffer for swapping during the vertical
+ * mirroring pass.
+ */
+- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
++ wrk_linesize = width * sizeof (uint32);
++ if (width != wrk_linesize / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ ok = 0;
diff --git a/main/tiff/CVE-2016-3990.patch b/main/tiff/CVE-2016-3990.patch
new file mode 100644
index 0000000..f5bbff6
--- /dev/null
+++ b/main/tiff/CVE-2016-3990.patch
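Review bot: Both raster-size checks divide by a value read from the input file, `rastersize / tile_height` in cvt_by_tile and `rastersize / rowsperstrip` in cvt_by_strip, and the hunks show nothing that rejects zero before that point, so a zero tile height or rows-per-strip would likely turn the overflow guard into a division fault. Testing the divisor first keeps the check total: `if (tile_height == 0 || tile_width != (rastersize / tile_height) / sizeof (uint32))`, and the same with `rowsperstrip` in the strip variant. The new error paths call `exit(-1)` while the allocation failures directly after them `return (0)`; returning 0 would match the convention these functions already use. Both functions start and end outside the hunks shown.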
@@ -0,0 +1,35 @@
+From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 20:49:48 +0000
+Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
+ PixarLogEncode if more input samples are provided than expected by
+ PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
+ simpler check. (bugzilla #2544)
+
+invalid tests that rejected valid files. (bugzilla #2545)
+
+CVE: CVE-2016-3990
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1
+
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index e78f788..28329d1 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ }
+
+ llen = sp->stride * td->td_imagewidth;
++ /* Check against the number of elements (of size uint16) of sp->tbuf */
++ if( n > td->td_rowsperstrip * llen )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Too many input bytes provided");
++ return 0;
++ }
+
+ for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
+ switch (sp->user_datafmt) {
-- 2.8.3 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
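Review bot: The limit in the added check, `td->td_rowsperstrip * llen`, is itself a product of values derived from the image header, and it is evaluated in whatever type those operands have before being compared with `n`. The declarations of `n` and `llen` are outside the hunk; if `llen` is narrower than `tmsize_t`, the product may wrap and no longer reflect the real capacity of `sp->tbuf`, so widening before multiplying is the safer form: `if( n > (tmsize_t)td->td_rowsperstrip * (tmsize_t)llen )`. The same applies to `llen = sp->stride * td->td_imagewidth;` on the context line above. The patch description also carries a stray sentence ("invalid tests that rejected valid files. (bugzilla #2545)") that reads like a leftover from the CVE-2016-3945 message and could be dropped from the header.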