From e68189b3a78fb9a25275d518d0353e275d0a90af0c3d10cf8170e352f8f3d9bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Mon, 4 Jun 2018 13:02:38 +0000 Subject: [PATCH 1/3] Accepting request 613978 from home:pgajdos - security update * CVE-2018-7456 [bsc#1082825] + tiff-CVE-2018-7456.patch OBS-URL: https://build.opensuse.org/request/show/613978 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=119 --- tiff-CVE-2018-7456.patch | 108 +++++++++++++++++++++++++++++++++++++++ tiff.changes | 7 +++ tiff.spec | 2 + 3 files changed, 117 insertions(+) create mode 100644 tiff-CVE-2018-7456.patch
diff --git a/tiff-CVE-2018-7456.patch b/tiff-CVE-2018-7456.patch
new file mode 100644
index 0000000..b369c7f
--- /dev/null
+++ b/tiff-CVE-2018-7456.patch
@@ -0,0 +1,108 @@
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 6baa7b3..af5b84a 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
++static int _TIFFGetMaxColorChannels(uint16 photometric);
+
+static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
+
+@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
+ }
+
+ /*
++ * Return the maximum number of color channels specified for a given photometric
++ * type. 0 is returned if photometric type isn't supported or no default value
++ * is defined by the specification.
++ */
++static int _TIFFGetMaxColorChannels( uint16 photometric )
++{
++ switch (photometric) {
++ case PHOTOMETRIC_PALETTE:
++ case PHOTOMETRIC_MINISWHITE:
++ case PHOTOMETRIC_MINISBLACK:
++ return 1;
++ case PHOTOMETRIC_YCBCR:
++ case PHOTOMETRIC_RGB:
++ case PHOTOMETRIC_CIELAB:
++ return 3;
++ case PHOTOMETRIC_SEPARATED:
++ case PHOTOMETRIC_MASK:
++ return 4;
++ case PHOTOMETRIC_LOGL:
++ case PHOTOMETRIC_LOGLUV:
++ case PHOTOMETRIC_CFA:
++ case PHOTOMETRIC_ITULAB:
++ case PHOTOMETRIC_ICCLAB:
++ default:
++ return 0;
++ }
++}
++
++/*
+ * Read the next TIFF directory from a file and convert it to the internal
+ * format. We read directories sequentially.
+ */
+@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
+ uint32 fii=FAILED_FII;
+ toff_t nextdiroff;
+ int bitspersample_read = FALSE;
++ int color_channels;
+
+ tif->tif_diroff=tif->tif_nextdiroff;
+ if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
+ }
+ }
+ }
++
++ /*
++ * Make sure all non-color channels are extrasamples.
++ * If it's not the case, define them as such.
++ */
++ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
++ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
++ uint16 old_extrasamples;
++ uint16 *new_sampleinfo;
++
++ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
++ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
++ "Defining non-color channels as ExtraSamples.");
++
++ old_extrasamples = tif->tif_dir.td_extrasamples;
++ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
++
++ // sampleinfo should contain information relative to these new extra samples
++ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
++ if (!new_sampleinfo) {
++ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
++ "temporary new sampleinfo array (%d 16 bit elements)",
++ tif->tif_dir.td_extrasamples);
++ goto bad;
++ }
++
++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
++ _TIFFfree(new_sampleinfo);
++ }
++
+ /*
+ * Verify Palette image has a Colormap.
+ */
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 8deceb2..1d86adb 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ uint16 i;
+ fprintf(fd, " %2ld: %5u",
+ l, td->td_transferfunction[0][l]);
+- for (i = 1; i < td->td_samplesperpixel; i++)
++ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
+ fprintf(fd, " %5u",
+ td->td_transferfunction[i][l]);
+ fputc('\n', fd);
+
diff --git a/tiff.changes b/tiff.changes
index 9446534..97d1a6e 100644
--- a/tiff.changes
+++ b/tiff.changes
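Review bot: In the block added to TIFFReadDirectory, `memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));` runs even when `old_extrasamples` is 0, and in that case `td_sampleinfo` is presumably still NULL because no ExtraSamples tag was read; a null source pointer passed to memcpy is undefined behaviour even with a zero length. Guarding the copy with `if (old_extrasamples > 0)` fixes this and leaves the rest of the block unchanged. The same block introduces a `//` comment where the surrounding code uses `/* */`, which a strict C89 build would reject. TIFFReadDirectory starts and ends outside the hunk, so the `bad:` cleanup path and the previous state of `td_sampleinfo` cannot be confirmed from here.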
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Jun 4 12:55:54 UTC 2018 - pgajdos@suse.com + +- security update + * CVE-2018-7456 [bsc#1082825] + + tiff-CVE-2018-7456.patch + ------------------------------------------------------------------- Fri May 18 09:18:26 UTC 2018 - pgajdos@suse.com
diff --git a/tiff.spec b/tiff.spec
index 8466565..5677b00 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -34,6 +34,7 @@ Patch2: tiff-4.0.9-bsc1046077-CVE-2017-9935.patch Patch3: tiff-4.0.9-bsc1081690-CVE-2018-5784.patch Patch4: tiff-CVE-2018-10963.patch Patch5: tiff-CVE-2017-18013.patch +Patch6: tiff-CVE-2018-7456.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel
@@ -101,6 +102,7 @@ the libtiff library. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build CFLAGS="%{optflags} -fPIE"
From 3dcdb2c325b75b4be1d738d0d4a73ac997a2e1d9011ad236fd6e68bb7a934bb2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Mon, 4 Jun 2018 15:31:10 +0000 Subject: [PATCH 2/3] Accepting request 614015 from home:pgajdos - security update * CVE-2017-11613 [bsc#1082332] + tiff-CVE-2017-11613.patch OBS-URL: https://build.opensuse.org/request/show/614015 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=120 --- tiff-CVE-2017-11613.patch | 21 +++++++++++++++++++++ tiff.changes | 7 +++++++ tiff.spec | 2 ++ 3 files changed, 30 insertions(+) create mode 100644 tiff-CVE-2017-11613.patch
diff --git a/tiff-CVE-2017-11613.patch b/tiff-CVE-2017-11613.patch
new file mode 100644
index 0000000..cde8d80
--- /dev/null
+++ b/tiff-CVE-2017-11613.patch
@@ -0,0 +1,21 @@
+Index: tiff-4.0.9/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.0.9.orig/libtiff/tif_dirread.c 2018-06-04 16:49:48.940452546 +0200
++++ tiff-4.0.9/libtiff/tif_dirread.c 2018-06-04 16:50:18.572859131 +0200
+@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ if( nstrips == 0 )
+ return;
+
++ /* If we are going to allocate a lot of memory, make sure that the */
++ /* file is as big as needed */
++ if( tif->tif_mode == O_RDONLY &&
++ nstrips > 1000000 &&
++ (offset >= TIFFGetFileSize(tif) ||
++ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
++ {
++ return;
++ }
++
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
diff --git a/tiff.changes b/tiff.changes
index 97d1a6e..82239e5 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Jun 4 15:12:15 UTC 2018 - pgajdos@suse.com + +- security update + * CVE-2017-11613 [bsc#1082332] + + tiff-CVE-2017-11613.patch + ------------------------------------------------------------------- Mon Jun 4 12:55:54 UTC 2018 - pgajdos@suse.com
diff --git a/tiff.spec b/tiff.spec
index 5677b00..7257d46 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -35,6 +35,7 @@ Patch3: tiff-4.0.9-bsc1081690-CVE-2018-5784.patch Patch4: tiff-CVE-2018-10963.patch Patch5: tiff-CVE-2017-18013.patch Patch6: tiff-CVE-2018-7456.patch +Patch7: tiff-CVE-2017-11613.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel
@@ -103,6 +104,7 @@ the libtiff library. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 %build CFLAGS="%{optflags} -fPIE"
From 338f91dbdcdeed138d51ee05bb6be2f745bf7b2b033195a6dd0f83fbf8778380 Mon Sep 17 00:00:00 2001
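Review bot: The guard added to ChopUpSingleUncompressedStrip applies only when `nstrips > 1000000`, and that literal is unexplained, so a reader cannot tell why strip counts at or below it may reach the two `_TIFFCheckMalloc` calls without being compared against the file size. A named constant, or a comment such as `/* below this count the two uint64 arrays stay small enough to allocate unchecked */`, would make the accepted bound auditable. The early `return` is also silent: the directory is left unchopped with no warning, so nothing records that the strip layout was rejected as inconsistent with the file size. `TIFFGetFileSize(tif)` is evaluated twice in the condition and could be read once into a local. The function body continues outside the hunk.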
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Tue, 5 Jun 2018 13:04:45 +0000 Subject: [PATCH 3/3] Accepting request 614252 from home:pgajdos - security update * CVE-2018-8905 [bsc#1086408] + tiff-CVE-2018-8905.patch OBS-URL: https://build.opensuse.org/request/show/614252 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=121 --- tiff-CVE-2018-8905.patch | 38 ++++++++++++++++++++++++++++++++++++++ tiff.changes | 7 +++++++ tiff.spec | 2 ++ 3 files changed, 47 insertions(+) create mode 100644 tiff-CVE-2018-8905.patch
diff --git a/tiff-CVE-2018-8905.patch b/tiff-CVE-2018-8905.patch
new file mode 100644
index 0000000..dc5f046
--- /dev/null
+++ b/tiff-CVE-2018-8905.patch
@@ -0,0 +1,38 @@
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index 4ccb443..94d85e3 100644
+--- a/libtiff/tif_lzw.c
++++ b/libtiff/tif_lzw.c
+@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ char *tp;
+ unsigned char *bp;
+ int code, nbits;
++ int len;
+ long nextbits, nextdata, nbitsmask;
+ code_t *codep, *free_entp, *maxcodep, *oldcodep;
+
+@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ } while (--occ);
+ break;
+ }
+- assert(occ >= codep->length);
+- op += codep->length;
+- occ -= codep->length;
+- tp = op;
++ len = codep->length;
++ tp = op + len;
+ do {
+- *--tp = codep->value;
+- } while( (codep = codep->next) != NULL );
++ int t;
++ --tp;
++ t = codep->value;
++ codep = codep->next;
++ *tp = (char)t;
++ } while (codep && tp > op);
++ assert(occ >= len);
++ op += len;
++ occ -= len;
+ } else {
+ *op++ = (char)code;
+ occ--;
+
diff --git a/tiff.changes b/tiff.changes
index 82239e5..5a4dd47 100644
--- a/tiff.changes
+++ b/tiff.changes
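Review bot: When the rewritten copy loop in LZWDecodeCompat stops because `tp > op` is false while `codep` is still non-NULL, the code chain is longer than its recorded `length`, yet decoding continues as if the table entry were valid. The opposite mismatch, a chain shorter than `len`, leaves the bytes between `op` and `tp` unwritten before `op += len` skips over them. Both cases indicate a corrupt code table and would be better reported through the function's existing error path than tolerated silently. Separately, `assert(occ >= len);` now sits after the writes it is meant to protect and disappears under NDEBUG; placing it directly before `tp = op + len;` at least checks the invariant before the buffer is touched. The branch that appears to handle `codep->length > occ` ends just above the hunk and is not visible here.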
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Jun 5 12:21:02 UTC 2018 - pgajdos@suse.com + +- security update + * CVE-2018-8905 [bsc#1086408] + + tiff-CVE-2018-8905.patch + ------------------------------------------------------------------- Mon Jun 4 15:12:15 UTC 2018 - pgajdos@suse.com
diff --git a/tiff.spec b/tiff.spec
index 7257d46..5818621 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -36,6 +36,7 @@ Patch4: tiff-CVE-2018-10963.patch Patch5: tiff-CVE-2017-18013.patch Patch6: tiff-CVE-2018-7456.patch Patch7: tiff-CVE-2017-11613.patch +Patch8: tiff-CVE-2018-8905.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel
@@ -105,6 +106,7 @@ the libtiff library. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %build CFLAGS="%{optflags} -fPIE"