pool/tiff
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 650209 from graphics

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/650209
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=76
This commit is contained in:
Dominique Leuenberger 2018-11-26 09:13:11 +00:00 committed by Git OBS Bridge
commit 04c1ff8b84
16 changed files with 88 additions and 708 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
tiff-4.0.10.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4
size 2402867

128
tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
View File

@ -1,128 +0,0 @@
From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001
From: Nathan Baker <nathanb@lenovo-chrome.com>
Date: Tue, 6 Feb 2018 10:13:57 -0500
Subject: [PATCH] Fix for bug 2772
It is possible to craft a TIFF document where the IFD list is circular,
leading to an infinite loop while traversing the chain. The libtiff
directory reader has a failsafe that will break out of this loop after
reading 65535 directory entries, but it will continue processing,
consuming time and resources to process what is essentially a bogus TIFF
document.
This change fixes the above behavior by breaking out of processing when
a TIFF document has >= 65535 directories and terminating with an error.
---
contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
tools/tiff2pdf.c | 10 ++++++++++
tools/tiffcrop.c | 13 +++++++++++--
3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
index c61ffbb..03b3573 100644
--- a/contrib/addtiffo/tif_overview.c
+++ b/contrib/addtiffo/tif_overview.c
@@ -65,6 +65,8 @@
# define MAX(a,b) ((a>b) ? a : b)
#endif
+#define TIFF_DIR_MAX 65534
+
void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
int (*)(double,void*), void * );
@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
{
toff_t nBaseDirOffset;
toff_t nOffset;
+ tdir_t iNumDir;
(void) bUseSubIFDs;
@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
return 0;
TIFFWriteDirectory( hTIFF );
- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
+ iNumDir = TIFFNumberOfDirectories(hTIFF);
+ if( iNumDir > TIFF_DIR_MAX )
+ {
+ TIFFErrorExt( TIFFClientdata(hTIFF),
+ "TIFF_WriteOverview",
+ "File `%s' has too many directories.\n",
+ TIFFFileName(hTIFF) );
+ exit(-1);
+ }
+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
nOffset = TIFFCurrentDirOffset( hTIFF );
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 984ef65..832a247 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
#define PS_UNIT_SIZE 72.0F
+#define TIFF_DIR_MAX 65534
+
/* This type is of PDF color spaces. */
typedef enum {
T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
@@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
+ if(directorycount > TIFF_DIR_MAX) {
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "TIFF contains too many directories, %s",
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
if(t2p->tiff_pages==NULL){
TIFFError(
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 91a38f6..e466dae 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -215,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
#define DUMP_TEXT 1
#define DUMP_RAW 2
+#define TIFF_DIR_MAX 65534
+
/* Offsets into buffer for margins and fixed width and length segments */
struct offset {
uint32 tmargin;
@@ -2232,7 +2234,7 @@ main(int argc, char* argv[])
pageNum = -1;
else
total_images = 0;
- /* read multiple input files and write to output file(s) */
+ /* Read multiple input files and write to output file(s) */
while (optind < argc - 1)
{
in = TIFFOpen (argv[optind], "r");
@@ -2240,7 +2242,14 @@ main(int argc, char* argv[])
return (-3);
/* If only one input file is specified, we can use directory count */
- total_images = TIFFNumberOfDirectories(in);
+ total_images = TIFFNumberOfDirectories(in);
+ if (total_images > TIFF_DIR_MAX)
+ {
+ TIFFError (TIFFFileName(in), "File contains too many directories");
+ if (out != NULL)
+ (void) TIFFClose(out);
+ return (1);
+ }
if (image_count == 0)
{
dirnum = 0;
--
libgit2 0.26.0

3
tiff-4.0.9.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd
size 2305681

21
tiff-CVE-2017-11613,CVE-2018-16335,15209.patch
View File

@ -1,21 +0,0 @@
Index: tiff-4.0.9/libtiff/tif_dirread.c
===================================================================
--- tiff-4.0.9.orig/libtiff/tif_dirread.c 2018-06-04 16:49:48.940452546 +0200
+++ tiff-4.0.9/libtiff/tif_dirread.c 2018-06-04 16:50:18.572859131 +0200
@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
if( nstrips == 0 )
return;
+ /* If we are going to allocate a lot of memory, make sure that the */
+ /* file is as big as needed */
+ if( tif->tif_mode == O_RDONLY &&
+ nstrips > 1000000 &&
+ (offset >= TIFFGetFileSize(tif) ||
+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
+ {
+ return;
+ }
+
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

21
tiff-CVE-2017-18013.patch
View File

@ -1,21 +0,0 @@
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
(unsigned long) s,
- (unsigned __int64) td->td_stripoffset[s],
- (unsigned __int64) td->td_stripbytecount[s]);
+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
#else
fprintf(fd, " %3lu: [%8llu, %8llu]\n",
(unsigned long) s,
- (unsigned long long) td->td_stripoffset[s],
- (unsigned long long) td->td_stripbytecount[s]);
+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
#endif
}
}

209
tiff-CVE-2017-9935,CVE-2018-17795.patch
View File

@ -1,209 +0,0 @@
From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001
From: Brian May <brian@linuxpenguins.xyz>
Date: Thu, 7 Dec 2017 07:46:47 +1100
Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
This vulnerability - at least for the supplied test case - is because we
assume that a tiff will only have one transfer function that is the same
for all pages. This is not required by the TIFF standards.
We than read the transfer function for every page. Depending on the
transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
We allocate this memory after we read in the transfer function for the
page.
For the first exploit - POC1, this file has 3 pages. For the first page
we allocate 2 extra extra XREF entries. Then for the next page 2 more
entries. Then for the last page the transfer function changes and we
allocate 4 more entries.
When we read the file into memory, we assume we have 4 bytes extra for
each and every page (as per the last transfer function we read). Which
is not correct, we only have 2 bytes extra for the first 2 pages. As a
result, we end up writing past the end of the buffer.
There are also some related issues that this also fixes. For example,
TIFFGetField can return uninitalized pointer values, and the logic to
detect a N=3 vs N=1 transfer function seemed rather strange.
It is also strange that we declare the transfer functions to be of type
float, when the standard says they are unsigned 16 bit values. This is
fixed in another patch.
This patch will check to ensure that the N value for every transfer
function is the same for every page. If this changes, we abort with an
error. In theory, we should perhaps check that the transfer function
itself is identical for every page, however we don't do that due to the
confusion of the type of the data in the transfer function.
---
libtiff/tif_dir.c | 3 +++
tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++++++++++++++---------------------
2 files changed, 47 insertions(+), 21 deletions(-)
From d4f213636b6f950498a1386083199bd7f65676b9 Mon Sep 17 00:00:00 2001
From: Brian May <brian@linuxpenguins.xyz>
Date: Thu, 7 Dec 2017 07:49:20 +1100
Subject: [PATCH] tiff2pdf: Fix apparent incorrect type for transfer table
The standard says the transfer table contains unsigned 16 bit values,
I have no idea why we refer to them as floats.
---
tools/tiff2pdf.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 2ccaf44..cbf2b69 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if (td->td_samplesperpixel - td->td_extrasamples > 1) {
*va_arg(ap, uint16**) = td->td_transferfunction[1];
*va_arg(ap, uint16**) = td->td_transferfunction[2];
+ } else {
+ *va_arg(ap, uint16**) = NULL;
+ *va_arg(ap, uint16**) = NULL;
}
break;
case TIFFTAG_REFERENCEBLACKWHITE:
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index d1a9b09..c3ec074 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 pagen=0;
uint16 paged=0;
uint16 xuint16=0;
+ uint16 tiff_transferfunctioncount=0;
+ float* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
}
#endif
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
- &(t2p->tiff_transferfunction[0]),
- &(t2p->tiff_transferfunction[1]),
- &(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
- t2p->tiff_transferfunctioncount = 3;
- t2p->tiff_pages[i].page_extra += 4;
- t2p->pdf_xrefcount += 4;
- } else {
- t2p->tiff_transferfunctioncount = 1;
- t2p->tiff_pages[i].page_extra += 2;
- t2p->pdf_xrefcount += 2;
- }
- if(t2p->pdf_minorversion < 2)
- t2p->pdf_minorversion = 2;
+ &(tiff_transferfunction[0]),
+ &(tiff_transferfunction[1]),
+ &(tiff_transferfunction[2]))) {
+
+ if((tiff_transferfunction[1] != (float*) NULL) &&
+ (tiff_transferfunction[2] != (float*) NULL)
+ ) {
+ tiff_transferfunctioncount=3;
+ } else {
+ tiff_transferfunctioncount=1;
+ }
} else {
- t2p->tiff_transferfunctioncount=0;
+ tiff_transferfunctioncount=0;
}
+
+ if (i > 0){
+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Different transfer function on page %d",
+ i);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ }
+
+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
+ if(tiff_transferfunctioncount == 3){
+ t2p->tiff_pages[i].page_extra += 4;
+ t2p->pdf_xrefcount += 4;
+ if(t2p->pdf_minorversion < 2)
+ t2p->pdf_minorversion = 2;
+ } else if (tiff_transferfunctioncount == 1){
+ t2p->tiff_pages[i].page_extra += 2;
+ t2p->pdf_xrefcount += 2;
+ if(t2p->pdf_minorversion < 2)
+ t2p->pdf_minorversion = 2;
+ }
+
if( TIFFGetField(
input,
TIFFTAG_ICCPROFILE,
@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
+ (t2p->tiff_transferfunction[2] != (float*) NULL)
+ ) {
t2p->tiff_transferfunctioncount=3;
} else {
t2p->tiff_transferfunctioncount=1;
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index c3ec074..484776c 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -237,7 +237,7 @@ typedef struct {
float tiff_whitechromaticities[2];
float tiff_primarychromaticities[6];
float tiff_referenceblackwhite[2];
- float* tiff_transferfunction[3];
+ uint16* tiff_transferfunction[3];
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
1 : interpolate */
uint16 tiff_transferfunctioncount;
@@ -1048,7 +1048,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 paged=0;
uint16 xuint16=0;
uint16 tiff_transferfunctioncount=0;
- float* tiff_transferfunction[3];
+ uint16* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
@@ -1153,8 +1153,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
&(tiff_transferfunction[1]),
&(tiff_transferfunction[2]))) {
- if((tiff_transferfunction[1] != (float*) NULL) &&
- (tiff_transferfunction[2] != (float*) NULL)
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
+ (tiff_transferfunction[2] != (uint16*) NULL)
) {
tiff_transferfunctioncount=3;
} else {
@@ -1851,8 +1851,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL)
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
) {
t2p->tiff_transferfunctioncount=3;
} else {
--
libgit2 0.26.0

19
tiff-CVE-2018-10779.patch
View File

@ -1,19 +0,0 @@
diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
index 586f6fdff66a7a0c1864dbe1e2c5831602b055ce..a31ecd12c133ac18bed6bfbc97fcbad5e19a3257 100644
--- a/libtiff/tif_write.c
+++ b/libtiff/tif_write.c
@@ -538,9 +538,11 @@ TIFFSetupStrips(TIFF* tif)
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
td->td_stripsperimage /= td->td_samplesperpixel;
td->td_stripoffset = (uint64 *)
- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
+ "for \"StripOffsets\" array");
td->td_stripbytecount = (uint64 *)
- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
+ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
+ "for \"StripByteCounts\" array");
if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
return (0);
/*

19
tiff-CVE-2018-10963.patch
View File

@ -1,19 +0,0 @@
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 2430de6..c15a28d 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
}
break;
default:
- assert(0); /* we should never get here */
- break;
+ TIFFErrorExt(tif->tif_clientdata,module,
+ "Cannot write tag %d (%s)",
+ TIFFFieldTag(o),
+ o->field_name ? o->field_name : "unknown");
+ goto bad;
}
}
}

17
tiff-CVE-2018-12900.patch Normal file
View File

@ -0,0 +1,17 @@
Index: tiff-4.0.10/tools/tiffcp.c
===================================================================
--- tiff-4.0.10.orig/tools/tiffcp.c 2018-10-13 15:58:55.180101778 +0200
+++ tiff-4.0.10/tools/tiffcp.c 2018-11-12 17:00:52.706128841 +0100
@@ -1435,6 +1435,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
status = 0;
goto done;
}
+ if (0xFFFFFFFF / tilew < spp)
+ {
+ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps);
+ status = 0;
+ goto done;
+ }
bytes_per_sample = bps/8;
for (row = 0; row < imagelength; row += tl) {

27
tiff-CVE-2018-17100.patch
View File

@ -1,27 +0,0 @@
Index: tiff-4.0.9/tools/ppm2tiff.c
===================================================================
--- tiff-4.0.9.orig/tools/ppm2tiff.c 2018-10-17 12:25:05.271940872 +0200
+++ tiff-4.0.9/tools/ppm2tiff.c 2018-10-17 12:26:15.468262130 +0200
@@ -72,15 +72,16 @@ BadPPM(char* file)
exit(-2);
}
+
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
- tmsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-
- return bytes;
+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+ return 0;
+ return m1 * m2;
}
int

58
tiff-CVE-2018-17101.patch
View File

@ -1,58 +0,0 @@
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 01fcf941..01d8502e 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
{
struct cpTag *p;
for (p = tags; p < &tags[NTAGS]; p++)
- cpTag(in, out, p->tag, p->count, p->type);
+ {
+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX3 )
+ continue;
+ }
+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX4 )
+ continue;
+ }
+ cpTag(in, out, p->tag, p->count, p->type);
+ }
}
#undef NTAGS
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
index 05faba87..5bef3142 100644
--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
{
struct cpTag *p;
for (p = tags; p < &tags[NTAGS]; p++)
- cpTag(in, out, p->tag, p->count, p->type);
+ {
+ if( p->tag == TIFFTAG_GROUP3OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX3 )
+ continue;
+ }
+ if( p->tag == TIFFTAG_GROUP4OPTIONS )
+ {
+ uint16 compression;
+ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
+ compression != COMPRESSION_CCITTFAX4 )
+ continue;
+ }
+ cpTag(in, out, p->tag, p->count, p->type);
+ }
}
#undef NTAGS

14
tiff-CVE-2018-19210.patch Normal file
View File

@ -0,0 +1,14 @@
Index: tiff-4.0.10/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200
+++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100
@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
}
m=(1<<tif->tif_dir.td_bitspersample);
n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
+ tif->tif_dir.td_transferfunction[1] == NULL)
+ n = 1;
/*
* Check if the table can be written as a single column,
* or if it must be written as 3 columns. Note that we

108
tiff-CVE-2018-7456.patch
View File

@ -1,108 +0,0 @@
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 6baa7b3..af5b84a 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
static void ChopUpSingleUncompressedStrip(TIFF*);
static uint64 TIFFReadUInt64(const uint8 *value);
+static int _TIFFGetMaxColorChannels(uint16 photometric);
static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
}
/*
+ * Return the maximum number of color channels specified for a given photometric
+ * type. 0 is returned if photometric type isn't supported or no default value
+ * is defined by the specification.
+ */
+static int _TIFFGetMaxColorChannels( uint16 photometric )
+{
+ switch (photometric) {
+ case PHOTOMETRIC_PALETTE:
+ case PHOTOMETRIC_MINISWHITE:
+ case PHOTOMETRIC_MINISBLACK:
+ return 1;
+ case PHOTOMETRIC_YCBCR:
+ case PHOTOMETRIC_RGB:
+ case PHOTOMETRIC_CIELAB:
+ return 3;
+ case PHOTOMETRIC_SEPARATED:
+ case PHOTOMETRIC_MASK:
+ return 4;
+ case PHOTOMETRIC_LOGL:
+ case PHOTOMETRIC_LOGLUV:
+ case PHOTOMETRIC_CFA:
+ case PHOTOMETRIC_ITULAB:
+ case PHOTOMETRIC_ICCLAB:
+ default:
+ return 0;
+ }
+}
+
+/*
* Read the next TIFF directory from a file and convert it to the internal
* format. We read directories sequentially.
*/
@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
uint32 fii=FAILED_FII;
toff_t nextdiroff;
int bitspersample_read = FALSE;
+ int color_channels;
tif->tif_diroff=tif->tif_nextdiroff;
if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
}
}
}
+
+ /*
+ * Make sure all non-color channels are extrasamples.
+ * If it's not the case, define them as such.
+ */
+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
+ uint16 old_extrasamples;
+ uint16 *new_sampleinfo;
+
+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
+ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
+ "Defining non-color channels as ExtraSamples.");
+
+ old_extrasamples = tif->tif_dir.td_extrasamples;
+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
+
+ // sampleinfo should contain information relative to these new extra samples
+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
+ if (!new_sampleinfo) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
+ "temporary new sampleinfo array (%d 16 bit elements)",
+ tif->tif_dir.td_extrasamples);
+ goto bad;
+ }
+
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
+
/*
* Verify Palette image has a Colormap.
*/
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 8deceb2..1d86adb 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
uint16 i;
fprintf(fd, " %2ld: %5u",
l, td->td_transferfunction[0][l]);
- for (i = 1; i < td->td_samplesperpixel; i++)
+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
fprintf(fd, " %5u",
td->td_transferfunction[i][l]);
fputc('\n', fd);

38
tiff-CVE-2018-8905.patch
View File

@ -1,38 +0,0 @@
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index 4ccb443..94d85e3 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
char *tp;
unsigned char *bp;
int code, nbits;
+ int len;
long nextbits, nextdata, nbitsmask;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
} while (--occ);
break;
}
- assert(occ >= codep->length);
- op += codep->length;
- occ -= codep->length;
- tp = op;
+ len = codep->length;
+ tp = op + len;
do {
- *--tp = codep->value;
- } while( (codep = codep->next) != NULL );
+ int t;
+ --tp;
+ t = codep->value;
+ codep = codep->next;
+ *tp = (char)t;
+ } while (codep && tp > op);
+ assert(occ >= len);
+ op += len;
+ occ -= len;
} else {
*op++ = (char)code;
occ--;

37
tiff.changes
View File

@ -1,3 +1,40 @@
-------------------------------------------------------------------
Mon Nov 19 13:56:48 UTC 2018 - Petr Gajdos <pgajdos@suse.com>
- security update
* CVE-2018-19210 [bsc#1115717]
+ tiff-CVE-2018-19210.patch
-------------------------------------------------------------------
Tue Nov 13 10:20:45 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Support only SLE12+ and remove the no longer needed conditions
-------------------------------------------------------------------
Tue Nov 13 08:18:54 UTC 2018 - Petr Gajdos <pgajdos@suse.com>
- security update
* CVE-2018-12900 [bsc#1099257]
+ tiff-CVE-2018-12900.patch
-------------------------------------------------------------------
Mon Nov 12 11:37:11 UTC 2018 - Petr Gajdos <pgajdos@suse.com>
- upddated to 4.0.10:
* fixes several CVEs mentioned below plus CVE-2018-18557 and
CVE-2018-18661 and more
- removed patches
* tiff-CVE-2017-11613,CVE-2018-16335,15209.patch
* tiff-CVE-2017-18013.patch
* tiff-CVE-2017-9935,CVE-2018-17795.patch
* tiff-CVE-2018-10779.patch
* tiff-CVE-2018-10963.patch
* tiff-CVE-2018-17100.patch
* tiff-CVE-2018-17101.patch
* tiff-CVE-2018-7456.patch
* tiff-CVE-2018-8905.patch
* tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
-------------------------------------------------------------------
Fri Oct 19 07:02:18 UTC 2018 - Petr Gajdos <pgajdos@suse.com>

74
tiff.spec
View File

@ -16,54 +16,32 @@
#
%define asan_build 0
%define asan_build 0
%define debug_build 0
Name: tiff
Version: 4.0.9
Version: 4.0.10
Release: 0
Summary: Tools for Converting from and to the Tagged Image File Format
License: HPND
Group: Productivity/Graphics/Convertors
Url: http://www.simplesystems.org/libtiff/
URL: http://www.simplesystems.org/libtiff/
Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
Source2: README.SUSE
Source3: baselibs.conf
Patch0: tiff-4.0.3-seek.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2442
Patch1: tiff-4.0.3-compress-warning.patch
# Contained in upstream repo. See bsc#1046077 for commit IDs.
Patch2: tiff-CVE-2017-9935,CVE-2018-17795.patch
Patch3: tiff-4.0.9-bsc1081690-CVE-2018-5784.patch
Patch4: tiff-CVE-2018-10963.patch
Patch5: tiff-CVE-2017-18013.patch
Patch6: tiff-CVE-2018-7456.patch
Patch7: tiff-CVE-2017-11613,CVE-2018-16335,15209.patch
Patch8: tiff-CVE-2018-8905.patch
Patch9: tiff-CVE-2018-10779.patch
Patch10: tiff-CVE-2018-17100.patch
Patch11: tiff-CVE-2018-17101.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2798
# https://gitlab.com/libtiff/libtiff/merge_requests/44
Patch2: tiff-CVE-2018-12900.patch
Patch3: tiff-CVE-2018-19210.patch
BuildRequires: gcc-c++
BuildRequires: libjbig-devel
BuildRequires: libjpeg-devel
BuildRequires: libtool
BuildRequires: zlib-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version} > 1030
BuildRequires: lzma-devel
%endif
%if 0%{?suse_version} <= 1000
BuildRequires: pkgconfig
%endif
%if 0%{?suse_version} > 1000
BuildRequires: pkg-config
%endif
# bug437293
%ifarch ppc64
Obsoletes: tiff-64bit
%endif
%if 0%{?suse_version} > 1210
BuildRequires: libjbig-devel
%endif
BuildRequires: pkgconfig(zlib)
%description
This package contains the library and support programs for the TIFF
@ -73,11 +51,6 @@ image format.
Summary: The Tiff Library (with JPEG and compression support)
Group: System/Libraries
Provides: libtiff = %{version}
# bug437293
%ifarch ppc64
Obsoletes: libtiff-64bit
%endif
#
%description -n libtiff5
This package includes the tiff libraries. To link a program with
@ -90,11 +63,6 @@ Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: libstdc++-devel
Requires: libtiff5 = %{version}
# bug437293
%ifarch ppc64
Obsoletes: tiff-devel-64bit
%endif
#
%description -n libtiff-devel
This package contains the header files and static libraries for
@ -107,17 +75,12 @@ the libtiff library.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%build
CFLAGS="%{optflags} -fPIE"
%if %{debug_build}
CFLAGS="$CFLAGS -O0"
%endif
%configure --disable-static
%if %{asan_build}
find -name Makefile | xargs sed -i 's/\(^CFLAGS.*\)/\1 -fsanitize=address/'
@ -126,7 +89,7 @@ make %{?_smp_mflags} LDFLAGS="-pie"
%install
mkdir -p %{buildroot}/{%{_mandir}/{man1,man3},usr/{bin,lib,include}}
make DESTDIR=%{buildroot} install %{?_smp_mflags}
%make_install
for f in `find %{buildroot}/%{_mandir} -type f -print ` ; do
if [ `wc -l <$f` -eq 1 ] && grep -q "^\.so " $f ; then
linkto=`sed -e "s|^\.so ||" $f`
@ -155,23 +118,20 @@ for i in tools test; do
done
%post -n libtiff5 -p /sbin/ldconfig
%postun -n libtiff5 -p /sbin/ldconfig
%files
%defattr(-,root,root)
%{_bindir}/*
%doc html
%doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DATE
%doc README.md VERSION ChangeLog TODO RELEASE-DATE
%{_mandir}/man1/*
%files -n libtiff5
%defattr(-,root,root)
%doc README COPYRIGHT README.SUSE
%license COPYRIGHT
%doc README.md README.SUSE
%{_libdir}/*.so.*
%files -n libtiff-devel
%defattr(-,root,root)
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc