Accepting request 483282 from graphics

Misc security fixes OBS-URL: https://build.opensuse.org/request/show/483282 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=66
2017-04-06 08:59:47 +00:00 · 2017-04-06 08:59:47 +00:00 · 0b94c7ac8b
commit 0b94c7ac8b
parent 2b6b2af8d1 c29ea0dd7e
9 changed files with 304 additions and 0 deletions
--- a/tiff-CVE-2016-10266.patch
+++ b/tiff-CVE-2016-10266.patch
@ -0,0 +1,24 @@
+--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
+@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+ 	rowsperstrip=td->td_rowsperstrip;
+ 	if (rowsperstrip>td->td_imagelength)
+ 		rowsperstrip=td->td_imagelength;
+-	stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
+	stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
+ 	stripinplane=(strip%stripsperplane);
+ 	plane=(uint16)(strip/stripsperplane);
+ 	rows=td->td_imagelength-stripinplane*rowsperstrip;
+--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
+@@ -250,6 +250,10 @@ struct tiff {
+ #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+ 			   ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+ 			   0U)
+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
+#define TIFFhowmany_32_maxuint_compat(x, y) \
+			   (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
+ #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
+ #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
+ #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
--- a/tiff-CVE-2016-10267.patch
+++ b/tiff-CVE-2016-10267.patch
@ -0,0 +1,33 @@
+--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
+@@ -244,6 +244,7 @@ typedef enum {
+ 
+ typedef struct {
+ 	TIFF* tif;
+        int decoder_ok;
+ 	#ifndef LIBJPEG_ENCAP_EXTERNAL
+ 	JMP_BUF exit_jmpbuf;
+ 	#endif
+@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s)
+ 		}
+ 		sp->write_curstrile++;
+ 	}
+	sp->decoder_ok = 1;
+ 	return(1);
+ }
+ 
+@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif)
+ static int
+ OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
+ {
+        static const char module[]="OJPEGDecode";
+ 	OJPEGState* sp=(OJPEGState*)tif->tif_data;
+ 	(void)s;
+        if( !sp->decoder_ok )
+        {
+            TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
+            return 0;
+        }
+ 	if (sp->libjpeg_jpeg_query_style==0)
+ 	{
+ 		if (OJPEGDecodeRaw(tif,buf,cc)==0)
--- a/tiff-CVE-2016-10268.patch
+++ b/tiff-CVE-2016-10268.patch
@ -0,0 +1,11 @@
+--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
+@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips)
+ 		tstrip_t s, ns = TIFFNumberOfStrips(in);
+ 		uint32 row = 0;
+ 		_TIFFmemset(buf, 0, stripsize);
+-		for (s = 0; s < ns; s++) {
+		for (s = 0; s < ns && row < imagelength; s++) {
+ 			tsize_t cc = (row + rowsperstrip > imagelength) ?
+ 			    TIFFVStripSize(in, imagelength - row) : stripsize;
+ 			if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
--- a/tiff-CVE-2016-10269.patch
+++ b/tiff-CVE-2016-10269.patch
@ -0,0 +1,85 @@
+--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+ 
+ struct logLuvState {
+        int                     encoder_state;  /* 1 if encoder correctly initialized */
+ 	int                     user_datafmt;   /* user data format */
+ 	int                     encode_meth;    /* encoding method */
+ 	int                     pixel_size;     /* bytes per pixel */
+@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
+ 		    td->td_photometric, "must be either LogLUV or LogL");
+ 		break;
+ 	}
+	sp->encoder_state = 1;
+ 	return (1);
+ notsupported:
+ 	TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@ notsupported:
+ static void
+ LogLuvClose(TIFF* tif)
+ {
+        LogLuvState* sp = (LogLuvState*) tif->tif_data;
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 
+	assert(sp != 0);
+ 	/*
+ 	 * For consistency, we always want to write out the same
+ 	 * bitspersample and sampleformat for our TIFF file,
+ 	 * regardless of the data format being used by the application.
+ 	 * Since this routine is called after tags have been set but
+ 	 * before they have been recorded in the file, we reset them here.
+         * Note: this is really a nasty approach. See PixarLogClose
+ 	 */
+-	td->td_samplesperpixel =
+-	    (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+-	td->td_bitspersample = 16;
+-	td->td_sampleformat = SAMPLEFORMAT_INT;
+        if( sp->encoder_state )
+        {
+            /* See PixarLogClose. Might avoid issues with tags whose size depends
+             * on those below, but not completely sure this is enough. */
+            td->td_samplesperpixel =
+                (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+            td->td_bitspersample = 16;
+            td->td_sampleformat = SAMPLEFORMAT_INT;
+        }
+ }
+ 
+ static void
+--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
+@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
+ static void
+ PixarLogClose(TIFF* tif)
+ {
+        PixarLogState* sp = (PixarLogState*) tif->tif_data;
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 
+	assert(sp != 0);
+ 	/* In a really sneaky (and really incorrect, and untruthful, and
+ 	 * troublesome, and error-prone) maneuver that completely goes against
+ 	 * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
+ 	 * readers that don't know about PixarLog, or how to set
+ 	 * the PIXARLOGDATFMT pseudo-tag.
+ 	 */
+-	td->td_bitspersample = 8;
+-	td->td_sampleformat = SAMPLEFORMAT_UINT;
+
+        if (sp->state&PLSTATE_INIT) {
+            /* We test the state to avoid an issue such as in
+             * http://bugzilla.maptools.org/show_bug.cgi?id=2604
+             * What appends in that case is that the bitspersample is 1 and
+             * a TransferFunction is set. The size of the TransferFunction
+             * depends on 1<<bitspersample. So if we increase it, an access
+             * out of the buffer will happen at directory flushing.
+             * Another option would be to clear those targs. 
+             */
+            td->td_bitspersample = 8;
+            td->td_sampleformat = SAMPLEFORMAT_UINT;
+        }
+ }
+ 
+ static void
--- a/tiff-CVE-2016-10270.patch
+++ b/tiff-CVE-2016-10270.patch
@ -0,0 +1,77 @@
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ 	uint64 rowblockbytes;
+ 	uint64 stripbytes;
+ 	uint32 strip;
+-	uint64 nstrips64;
+-	uint32 nstrips32;
+	uint32 nstrips;
+ 	uint32 rowsperstrip;
+ 	uint64* newcounts;
+ 	uint64* newoffsets;
+@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ 	    return;
+ 
+ 	/*
+-	 * never increase the number of strips in an image
+	 * never increase the number of rows per strip
+ 	 */
+ 	if (rowsperstrip >= td->td_rowsperstrip)
+ 		return;
+-	nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+-	if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
+-	    return;
+-	nstrips32 = (uint32)nstrips64;
+        nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
+        if( nstrips == 0 )
+            return;
+ 
+-	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripByteCounts\" array");
+-	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripOffsets\" array");
+ 	if (newcounts == NULL || newoffsets == NULL) {
+ 		/*
+@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ 	 * Fill the strip information arrays with new bytecounts and offsets
+ 	 * that reflect the broken-up format.
+ 	 */
+-	for (strip = 0; strip < nstrips32; strip++) {
+	for (strip = 0; strip < nstrips; strip++) {
+ 		if (stripbytes > bytecount)
+ 			stripbytes = bytecount;
+ 		newcounts[strip] = stripbytes;
+-		newoffsets[strip] = offset;
+		newoffsets[strip] = stripbytes ? offset : 0;
+ 		offset += stripbytes;
+ 		bytecount -= stripbytes;
+ 	}
+ 	/*
+ 	 * Replace old single strip info with multi-strip info.
+ 	 */
+-	td->td_stripsperimage = td->td_nstrips = nstrips32;
+	td->td_stripsperimage = td->td_nstrips = nstrips;
+ 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+ 
+ 	_TIFFfree(td->td_stripbytecount);
+--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
+@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 	uint32 nstrips;
+ 
+-    /* If the value was already computed and store in td_nstrips, then return it,
+-       since ChopUpSingleUncompressedStrip might have altered and resized the
+-       since the td_stripbytecount and td_stripoffset arrays to the new value
+-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+-       tif_dirread.c ~line 3612.
+-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+-    if( td->td_nstrips )
+-        return td->td_nstrips;
+-
+ 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
--- a/tiff-CVE-2016-10271.patch
+++ b/tiff-CVE-2016-10271.patch
@ -0,0 +1,11 @@
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -3698,7 +3698,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
+                                   (unsigned long) strip, (unsigned long)rows);
+                         return 0;
+                 }
+-                bufp += bytes_read;
+                bufp += stripsize;
+         }
+ 
+         return 1;
--- a/tiff-CVE-2016-10272.patch
+++ b/tiff-CVE-2016-10272.patch
@ -0,0 +1,11 @@
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -2895,7 +2895,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
+ 				return(0);
+ 			}
+ 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+-				if (count >= 4) {
+				if (count > 4) {
+                     /* Ignore EOI marker of JpegTables */
+ 					_TIFFmemcpy(buffer, jpt, count - 2);
+ 					bufferoffset += count - 2;
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Wed Mar 29 07:55:02 UTC 2017 - fstrba@suse.com
+
+- Added patches:
+  * tiff-CVE-2016-10266.patch
+    + Upstream fix for CVE-2016-10266, LibTIFF 4.0.7 allows remote
+      attackers to cause a denial of service (divide-by-zero error
+      and application crash) via a crafted TIFF image (bsc#1031263)
+  * tiff-CVE-2016-10267.patch
+    + Upstream fix for CVE-2016-10267, LibTIFF 4.0.7 allows remote
+      attackers to cause a denial of service (divide-by-zero error
+      and application crash) via a crafted TIFF image (bsc#1031262)
+  * tiff-CVE-2016-10268.patch
+    + Upstream fix for CVE-2016-10268, LibTIFF 4.0.7 allows remote
+      attackers to cause a denial of service (divide-by-zero error
+      and application crash) via a crafted TIFF image (bsc#1031255)
+  * tiff-CVE-2016-10269.patch
+    + Upstream fix for CVE-2016-10269, LibTIFF 4.0.7 allows remote
+      attackers to cause a denial of service (heap-based buffer
+      over-read) or possibly have unspecified other impact via a
+      crafted TIFF image (bsc#1031254)
+  * tiff-CVE-2016-10270.patch
+    + Upstream fix for CVE-2016-10270, LibTIFF 4.0.7 allows remote
+      attackers to cause a denial of service (heap-based buffer
+      over-read) or possibly have unspecified other impact via a
+      crafted TIFF image (bsc#1031250)
+  * tiff-CVE-2016-10271.patch
+    + Upstream fix for CVE-2016-10271, LibTIFF 4.0.7 allows remote
+	  attackers to cause a denial of service (heap-based buffer
+	  over-read and buffer overflow) or possibly have unspecified
+	  other impact via a crafted TIFF image (bsc#1031249)
+  * tiff-CVE-2016-10272.patch
+    + Upstream fix for CVE-2016-10272, LibTIFF 4.0.7 allows remote
+	  attackers to cause a denial of service (heap-based buffer
+	  overflow) or possibly have unspecified other impact via a
+	  crafted TIFF image (bsc#1031247)
+
 -------------------------------------------------------------------
 Thu Feb  2 13:40:16 UTC 2017 - fstrba@suse.com

--- a/tiff.spec
+++ b/tiff.spec
@ -38,6 +38,14 @@ Patch4:         tiff-4.0.7-CVE-2017-5225.patch
 # bsc#1022103
 Patch5:         tiff-4.0.7-TIFFTAG_FAXRECVPARAMS.patch

+Patch6:         tiff-CVE-2016-10266.patch
+Patch7:         tiff-CVE-2016-10267.patch
+Patch8:         tiff-CVE-2016-10268.patch
+Patch9:         tiff-CVE-2016-10269.patch
+Patch10:        tiff-CVE-2016-10270.patch
+Patch11:        tiff-CVE-2016-10271.patch
+Patch12:        tiff-CVE-2016-10272.patch
+
 BuildRequires:  gcc-c++
 BuildRequires:  libjpeg-devel
 BuildRequires:  libtool
@ -103,6 +111,13 @@ the libtiff library.
 %patch3
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1

 %build
 CFLAGS="%{optflags} -fPIE"