Accepting request 674138 from graphics

- security update
  * CVE-2019-7663 [bsc#1125113]
    + tiff-CVE-2019-7663.patch

- security update
  * CVE-2019-6128 [bsc#1121626]
    + tiff-CVE-2019-6128.patch

- extend tiff-CVE-2018-19210.patch and rename it to
  tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11]
  * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]

- amend tiff-CVE-2018-12900.patch: fix wrong error message
  [bsc#1099257]

OBS-URL: https://build.opensuse.org/request/show/674138
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=77
Dominique Leuenberger 2019-02-13 09:18:13 +00:00 committed by Git OBS Bridge
commit 7a09266256
7 changed files with 192 additions and 18 deletions


@ -8,7 +8,7 @@ Index: tiff-4.0.10/tools/tiffcp.c
}
+ if (0xFFFFFFFF / tilew < spp)
+ {
+ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps);
+ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or SamplePerPixel (%u) is too large", tilew, spp);
+ status = 0;
+ goto done;
+ }


@ -0,0 +1,55 @@
Index: tiff-4.0.10/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200
+++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100
@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
}
m=(1<<tif->tif_dir.td_bitspersample);
n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
+ tif->tif_dir.td_transferfunction[1] == NULL)
+ n = 1;
/*
* Check if the table can be written as a single column,
* or if it must be written as 3 columns. Note that we
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 6f0b48798bdeee91729c10e1fbcf9786234be5f3..078fbcec20677f19f7f967a4834011fe60df1df3 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -285,6 +285,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
_TIFFfree(td->td_smaxsamplevalue);
td->td_smaxsamplevalue = NULL;
}
+ /* Test if 3 transfer functions instead of just one are now needed
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
+ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "SamplesPerPixel tag value is changing, "
+ "but TransferFunction was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+ _TIFFfree(td->td_transferfunction[0]);
+ td->td_transferfunction[0] = NULL;
+ }
}
td->td_samplesperpixel = (uint16) v;
break;
@@ -361,6 +373,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
break;
case TIFFTAG_EXTRASAMPLES:
+ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) &&
+ !(td->td_samplesperpixel - td->td_extrasamples > 1))
+ {
+ TIFFWarningExt(tif->tif_clientdata,module,
+ "ExtraSamples tag value is changing, "
+ "but TransferFunction was read with a different value. Cancelling it");
+ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+ _TIFFfree(td->td_transferfunction[0]);
+ td->td_transferfunction[0] = NULL;
+ }
if (!setExtraSamples(td, ap, &v))
goto badvalue;
break;
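Review bot: In the `TIFFTAG_EXTRASAMPLES` case the new condition tests `td->td_samplesperpixel - v > 1` before `setExtraSamples(td, ap, &v)` has run, and the `&v` argument suggests that call is what reads the new count into `v`. If so, the comparison uses whatever `v` held beforehand rather than the incoming ExtraSamples value, so the stale TransferFunction may be kept or dropped on the wrong input. The check should run once the new count is known and while the previous `td->td_extrasamples` is still available, for example inside `setExtraSamples` right after it reads the count. `_TIFFVSetField` starts and ends outside these hunks, so the declaration of `v` is not visible here.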


@ -1,14 +0,0 @@
Index: tiff-4.0.10/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200
+++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100
@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
}
m=(1<<tif->tif_dir.td_bitspersample);
n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
+ tif->tif_dir.td_transferfunction[1] == NULL)
+ n = 1;
/*
* Check if the table can be written as a single column,
* or if it must be written as 3 columns. Note that we

49
tiff-CVE-2019-6128.patch Normal file

@ -0,0 +1,49 @@
From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
From: Scott Gayou <github.scott@gmail.com>
Date: Wed, 23 Jan 2019 15:03:53 -0500
Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
pal2rgb failed to free memory on a few errors. This was reported
here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
---
tools/pal2rgb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 01d8502e..9492f1cf 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -118,12 +118,14 @@ main(int argc, char* argv[])
shortv != PHOTOMETRIC_PALETTE) {
fprintf(stderr, "%s: Expecting a palette image.\n",
argv[optind]);
+ (void) TIFFClose(in);
return (-1);
}
if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
fprintf(stderr,
"%s: No colormap (not a valid palette image).\n",
argv[optind]);
+ (void) TIFFClose(in);
return (-1);
}
bitspersample = 0;
@@ -131,11 +133,14 @@ main(int argc, char* argv[])
if (bitspersample != 8) {
fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
argv[optind]);
+ (void) TIFFClose(in);
return (-1);
}
out = TIFFOpen(argv[optind+1], "w");
- if (out == NULL)
+ if (out == NULL) {
+ (void) TIFFClose(in);
return (-2);
+ }
cpTags(in, out);
TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
--
2.18.1
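Review bot: The same `(void) TIFFClose(in);` is now repeated ahead of four separate `return` statements, which makes it easy for the next early exit added to `main` to miss the close again. A single exit path would be sturdier: set a status variable, `goto done;`, and have `done:` close `in` (and `out` once it is open) before returning. `main` continues past the end of the hunk, so whether later error paths release both handles cannot be checked from here.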

48
tiff-CVE-2019-7663.patch Normal file

@ -0,0 +1,48 @@
Index: tiff-4.0.10/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c
+++ tiff-4.0.10/libtiff/tif_dirwrite.c
@@ -1896,12 +1896,14 @@ TIFFWriteDirectoryTagTransferfunction(TI
n=3;
if (n==3)
{
- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
+ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
n=2;
}
if (n==2)
{
- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ if (tif->tif_dir.td_transferfunction[1] == NULL ||
+ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
n=1;
}
if (n==0)
Index: tiff-4.0.10/tools/tiffcp.c
===================================================================
--- tiff-4.0.10.orig/tools/tiffcp.c
+++ tiff-4.0.10/tools/tiffcp.c
@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
int status = 1;
uint32 imagew = TIFFRasterScanlineSize(in);
uint32 tilew = TIFFTileRowSize(in);
- int iskew = imagew - tilew*spp;
+ int iskew;
tsize_t tilesize = TIFFTileSize(in);
tdata_t tilebuf;
uint8* bufp = (uint8*) buf;
@@ -1416,6 +1416,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
uint32 row;
uint16 bps = 0, bytes_per_sample;
+ if (spp > (0x7fffffff / tilew))
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ return 0;
+ }
+ iskew = imagew - tilew*spp;
+
tilebuf = _TIFFmalloc(tilesize);
if (tilebuf == 0)
return 0;
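Review bot: The added guard `if (spp > (0x7fffffff / tilew))` divides by `tilew`, which is taken directly from `TIFFTileRowSize(in)` a few lines earlier with no zero test in the visible lines; libtiff returns 0 from that call on failure, so a malformed file could turn the overflow check itself into a division by zero. Reject that case first, e.g. `if (tilew == 0) return 0;` ahead of the check. The `0xFFFFFFFF / tilew < spp` test carried in tiff-CVE-2018-12900.patch has the same divisor and would need the same guard unless its function already checks it. `readSeparateTilesIntoBuf` starts and ends outside the hunk.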


@ -1,3 +1,30 @@
-------------------------------------------------------------------
Tue Feb 12 15:36:02 UTC 2019 - mvetter@suse.com
- security update
* CVE-2019-7663 [bsc#1125113]
+ tiff-CVE-2019-7663.patch
-------------------------------------------------------------------
Mon Feb 4 14:04:09 UTC 2019 - mvetter@suse.com
- security update
* CVE-2019-6128 [bsc#1121626]
+ tiff-CVE-2019-6128.patch
-------------------------------------------------------------------
Wed Jan 30 12:47:58 UTC 2019 - Petr Gajdos <pgajdos@suse.com>
- extend tiff-CVE-2018-19210.patch and rename it to
tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11]
* solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]
-------------------------------------------------------------------
Wed Jan 30 10:12:37 UTC 2019 - Petr Gajdos <pgajdos@suse.com>
- amend tiff-CVE-2018-12900.patch: fix wrong error message
[bsc#1099257]
-------------------------------------------------------------------
Mon Nov 19 13:56:48 UTC 2018 - Petr Gajdos <pgajdos@suse.com>


@ -1,7 +1,7 @@
#
# spec file for package tiff
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
@ -34,7 +34,14 @@ Patch1: tiff-4.0.3-compress-warning.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2798
# https://gitlab.com/libtiff/libtiff/merge_requests/44
Patch2: tiff-CVE-2018-12900.patch
Patch3: tiff-CVE-2018-19210.patch
Patch3: tiff-CVE-2018-17000,19210.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2836
# https://gitlab.com/libtiff/libtiff/merge_requests/50
Patch4: tiff-CVE-2019-6128.patch
# http://bugzilla.maptools.org/show_bug.cgi?id=2833
# https://gitlab.com/libtiff/libtiff/merge_requests/54
# https://gitlab.com/libtiff/libtiff/merge_requests/60
Patch5: tiff-CVE-2019-7663.patch
BuildRequires: gcc-c++
BuildRequires: libjbig-devel
BuildRequires: libjpeg-devel
@ -75,6 +82,8 @@ the libtiff library.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
CFLAGS="%{optflags} -fPIE"
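Review bot: The header comment appears to go from `https://bugs.opensuse.org/` to `http://bugs.opensuse.org/`; the `+`/`-` markers are lost on this page, so the direction is inferred from the old-then-new order of the copyright-year pair above it. If that reading is right, keep the `https://` form: `# Please submit bugfixes or comments via https://bugs.opensuse.org/`.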