From 252bc8dd8ea03a43c78304ea6b2ceabf5c1ab1ed2f62cbf59b0651de7716cf5e Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Wed, 30 Jan 2019 10:17:21 +0000
Subject: [PATCH 1/4] Accepting request 670090 from home:pgajdos - amend tiff-CVE-2018-12900.patch: fix wrong error message [bsc#1099257]
OBS-URL: https://build.opensuse.org/request/show/670090
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=134
---
 tiff-CVE-2018-12900.patch | 2 +-
 tiff.changes | 6 ++++++
 tiff.spec | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/tiff-CVE-2018-12900.patch b/tiff-CVE-2018-12900.patch
index 208b451..e62d8ab 100644
--- a/tiff-CVE-2018-12900.patch
+++ b/tiff-CVE-2018-12900.patch
@@ -8,7 +8,7 @@ Index: tiff-4.0.10/tools/tiffcp.c
 }
 + if (0xFFFFFFFF / tilew < spp)
 + {
-+ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps);
++ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or SamplePerPixel (%u) is too large", tilew, spp);
 + status = 0;
 + goto done;
 + }
diff --git a/tiff.changes b/tiff.changes
index b055ee1..9077ec1 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan 30 10:12:37 UTC 2019 - Petr Gajdos
+
+- amend tiff-CVE-2018-12900.patch: fix wrong error message
+ [bsc#1099257]
+
 -------------------------------------------------------------------
 Mon Nov 19 13:56:48 UTC 2018 - Petr Gajdos
diff --git a/tiff.spec b/tiff.spec
index 95aa1e4..fe925cf 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tiff
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
From 6232377d76af8ef6517419a1206a8a1f4e446eecb10f4d90b3d5c429ed6a4b19 Mon Sep 17 00:00:00 2001
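Review bot: The guard `0xFFFFFFFF / tilew < spp` in the tiffcp.c hunk of tiff-CVE-2018-12900.patch divides by `tilew` with no zero test in the visible lines, so a tile row size of 0 would trap on the division before the overflow check can reject anything. The same division appears in the `spp > (0x7fffffff / tilew)` guard added by tiff-CVE-2019-7663.patch, where `tilew` is taken directly from `TIFFTileRowSize(in)`. Writing the tests as `if (tilew != 0 && 0xFFFFFFFF / tilew < spp)` and `if (tilew != 0 && spp > (0x7fffffff / tilew))` keeps the overflow check and removes the trap; whether a zero row size is rejected earlier cannot be seen here, because the enclosing function starts and ends outside the hunk. The amended message also says `SamplePerPixel`, while the tag is spelled SamplesPerPixel elsewhere in this series.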
From: Michael Vetter
Date: Wed, 30 Jan 2019 13:03:18 +0000
Subject: [PATCH 2/4] Accepting request 670119 from home:pgajdos - extend tiff-CVE-2018-19210.patch and rename it to tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11] * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]
OBS-URL: https://build.opensuse.org/request/show/670119
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=135
---
 tiff-CVE-2018-17000,19210.patch | 55 +++++++++++++++++++++++++++++++++
 tiff-CVE-2018-19210.patch | 14 ---------
 tiff.changes | 7 +++++
 tiff.spec | 2 +-
 4 files changed, 63 insertions(+), 15 deletions(-)
 create mode 100644 tiff-CVE-2018-17000,19210.patch
 delete mode 100644 tiff-CVE-2018-19210.patch
diff --git a/tiff-CVE-2018-17000,19210.patch b/tiff-CVE-2018-17000,19210.patch
new file mode 100644
index 0000000..742d0d0
--- /dev/null
+++ b/tiff-CVE-2018-17000,19210.patch
@@ -0,0 +1,55 @@
+Index: tiff-4.0.10/libtiff/tif_dirwrite.c
+===================================================================
+--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200
++++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100
+@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
+ }
+ m=(1<tif_dir.td_bitspersample);
+ n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
++ if (tif->tif_dir.td_transferfunction[2] == NULL ||
++ tif->tif_dir.td_transferfunction[1] == NULL)
++ n = 1;
+ /*
+ * Check if the table can be written as a single column,
+ * or if it must be written as 3 columns. Note that we
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 6f0b48798bdeee91729c10e1fbcf9786234be5f3..078fbcec20677f19f7f967a4834011fe60df1df3 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -285,6 +285,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ _TIFFfree(td->td_smaxsamplevalue);
+ td->td_smaxsamplevalue = NULL;
+ }
++ /* Test if 3 transfer functions instead of just one are now needed
++ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
++ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
++ !(td->td_samplesperpixel - td->td_extrasamples > 1))
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "SamplesPerPixel tag value is changing, "
++ "but TransferFunction was read with a different value. 
Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++ _TIFFfree(td->td_transferfunction[0]);
++ td->td_transferfunction[0] = NULL;
++ }
+ }
+ td->td_samplesperpixel = (uint16) v;
+ break;
+@@ -361,6 +373,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ break;
+ case TIFFTAG_EXTRASAMPLES:
++ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) &&
++ !(td->td_samplesperpixel - td->td_extrasamples > 1))
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "ExtraSamples tag value is changing, "
++ "but TransferFunction was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++ _TIFFfree(td->td_transferfunction[0]);
++ td->td_transferfunction[0] = NULL;
++ }
+ if (!setExtraSamples(td, ap, &v))
+ goto badvalue;
+ break;
+
diff --git a/tiff-CVE-2018-19210.patch b/tiff-CVE-2018-19210.patch
deleted file mode 100644
index c9fde26..0000000
--- a/tiff-CVE-2018-19210.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Index: tiff-4.0.10/libtiff/tif_dirwrite.c
-===================================================================
---- tiff-4.0.10.orig/libtiff/tif_dirwrite.c 2018-06-24 22:26:30.335763566 +0200
-+++ tiff-4.0.10/libtiff/tif_dirwrite.c 2018-11-19 14:21:42.703256410 +0100
-@@ -1883,6 +1883,9 @@ TIFFWriteDirectoryTagTransferfunction(TI
- }
- m=(1<tif_dir.td_bitspersample);
- n=tif->tif_dir.td_samplesperpixel-tif->tif_dir.td_extrasamples;
-+ if (tif->tif_dir.td_transferfunction[2] == NULL ||
-+ tif->tif_dir.td_transferfunction[1] == NULL)
-+ n = 1;
- /*
- * Check if the table can be written as a single column,
- * or if it must be written as 3 columns. Note that we
diff --git a/tiff.changes b/tiff.changes
index 9077ec1..d2f2469 100644
--- a/tiff.changes
+++ b/tiff.changes
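Review bot: In the `case TIFFTAG_EXTRASAMPLES:` block added to `_TIFFVSetField`, the new condition reads `v` in `td->td_samplesperpixel - v > 1` before `setExtraSamples(td, ap, &v)` has run, and nothing visible in this case assigns `v` first. If `v` is only filled in by that call, as the `&v` argument suggests, the test compares against a stale or indeterminate value and the TransferFunction reset can fire or be skipped arbitrarily. The test needs the new ExtraSamples count and the old `td->td_extrasamples` at the same time, so it probably belongs at the point where the argument has been read but not yet stored, which from the call shape is inside `setExtraSamples`. `_TIFFVSetField` starts and ends outside the hunk, so the declaration and earlier assignments of `v` should be checked before relying on this.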
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Jan 30 12:47:58 UTC 2019 - Petr Gajdos
+
+- extend tiff-CVE-2018-19210.patch and rename it to
+ tiff-CVE-2018-17000,19210.patch [bsc#1108606c#11]
+ * solves CVE-2018-19210 [bsc#1115717] and CVE-2018-17000 [bsc#1108606]
+
 -------------------------------------------------------------------
 Wed Jan 30 10:12:37 UTC 2019 - Petr Gajdos
diff --git a/tiff.spec b/tiff.spec
index fe925cf..1e5b0fc 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -34,7 +34,7 @@ Patch1: tiff-4.0.3-compress-warning.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2798
 # https://gitlab.com/libtiff/libtiff/merge_requests/44
 Patch2: tiff-CVE-2018-12900.patch
-Patch3: tiff-CVE-2018-19210.patch
+Patch3: tiff-CVE-2018-17000,19210.patch
 BuildRequires: gcc-c++
 BuildRequires: libjbig-devel
 BuildRequires: libjpeg-devel
From 0164724f5518e8d31d5a36c40324ec87ef944e66e0aa7b7b56fd3f3d63c5e917 Mon Sep 17 00:00:00 2001
From: Michael Vetter
Date: Mon, 4 Feb 2019 14:42:48 +0000
Subject: [PATCH 3/4] - security update * CVE-2019-6128 [bsc#1121626] + tiff-CVE-2019-6128.patch
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=136
---
 tiff-CVE-2019-6128.patch | 49 ++++++++++++++++++++++++++++++++++++++++
 tiff.changes | 7 ++++++
 tiff.spec | 6 ++++-
 3 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 tiff-CVE-2019-6128.patch
diff --git a/tiff-CVE-2019-6128.patch b/tiff-CVE-2019-6128.patch
new file mode 100644
index 0000000..ad4ce32
--- /dev/null
+++ b/tiff-CVE-2019-6128.patch
@@ -0,0 +1,49 @@
+From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
+From: Scott Gayou
+Date: Wed, 23 Jan 2019 15:03:53 -0500
+Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
+
+pal2rgb failed to free memory on a few errors. This was reported
+here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
+---
+ tools/pal2rgb.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01d8502e..9492f1cf 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ shortv != PHOTOMETRIC_PALETTE) {
+ fprintf(stderr, "%s: Expecting a palette image.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ fprintf(stderr,
+ "%s: No colormap (not a valid palette image).\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ if (bitspersample != 8) {
+ fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ out = TIFFOpen(argv[optind+1], "w");
+- if (out == NULL)
++ if (out == NULL) {
++ (void) TIFFClose(in);
+ return (-2);
++ }
+ cpTags(in, out);
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
+--
+2.18.1
+
diff --git a/tiff.changes b/tiff.changes
index d2f2469..71d44c6 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Feb 4 14:04:09 UTC 2019 - mvetter@suse.com
+
+- security update
+ * CVE-2019-6128 [bsc#1121626]
+ + tiff-CVE-2019-6128.patch
+
 -------------------------------------------------------------------
 Wed Jan 30 12:47:58 UTC 2019 - Petr Gajdos
diff --git a/tiff.spec b/tiff.spec
index 1e5b0fc..480e61b 100644
--- a/tiff.spec
+++ b/tiff.spec
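Review bot: The four early exits in `main` now each carry their own `(void) TIFFClose(in);` before `return`, so the next error path added between the input open and the end of `main` can reintroduce the leak this patch fixes. A single cleanup label that closes `in` (and `out` once it is open) and returns a saved status would keep the release in one place. `main` continues past the hunk, so the exits after `cpTags(in, out)` are not visible here and are worth checking for the same leak.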
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
@@ -35,6 +35,9 @@ Patch1: tiff-4.0.3-compress-warning.patch
 # https://gitlab.com/libtiff/libtiff/merge_requests/44
 Patch2: tiff-CVE-2018-12900.patch
 Patch3: tiff-CVE-2018-17000,19210.patch
+# http://bugzilla.maptools.org/show_bug.cgi?id=2836
+# https://gitlab.com/libtiff/libtiff/merge_requests/50
+Patch4: tiff-CVE-2019-6128.patch
 BuildRequires: gcc-c++
 BuildRequires: libjbig-devel
 BuildRequires: libjpeg-devel
@@ -75,6 +78,7 @@ the libtiff library.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 %build
 CFLAGS="%{optflags} -fPIE"
From 219d98803df95d60c9b3d3c3cff977fa63b7b0c474ca7694c20a10e996afe821 Mon Sep 17 00:00:00 2001
From: Michael Vetter
Date: Tue, 12 Feb 2019 14:47:56 +0000
Subject: [PATCH 4/4] - security update * CVE-2019-7663 [bsc#1125113] + tiff-CVE-2019-7663.patch
OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=137
---
 tiff-CVE-2019-7663.patch | 48 ++++++++++++++++++++++++++++++++++++++++
 tiff.changes | 7 ++++++
 tiff.spec | 5 +++++
 3 files changed, 60 insertions(+)
 create mode 100644 tiff-CVE-2019-7663.patch
diff --git a/tiff-CVE-2019-7663.patch b/tiff-CVE-2019-7663.patch
new file mode 100644
index 0000000..5872c54
--- /dev/null
+++ b/tiff-CVE-2019-7663.patch
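Review bot: The first tiff.spec hunk changes the bug-report address in the header comment from `https://bugs.opensuse.org/` back to `http://bugs.opensuse.org/`, which is unrelated to adding Patch4 and looks like an unintended revert, possibly introduced by a formatting tool. Keeping the line as `# Please submit bugfixes or comments via https://bugs.opensuse.org/` avoids pointing reporters at the plaintext URL. The other two hunks in this file only register and apply Patch4.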
@@ -0,0 +1,48 @@
+Index: tiff-4.0.10/libtiff/tif_dirwrite.c
+===================================================================
+--- tiff-4.0.10.orig/libtiff/tif_dirwrite.c
++++ tiff-4.0.10/libtiff/tif_dirwrite.c
+@@ -1896,12 +1896,14 @@ TIFFWriteDirectoryTagTransferfunction(TI
+ n=3;
+ if (n==3)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[2] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ n=2;
+ }
+ if (n==2)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[1] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ n=1;
+ }
+ if (n==0)
+Index: tiff-4.0.10/tools/tiffcp.c
+===================================================================
+--- tiff-4.0.10.orig/tools/tiffcp.c
++++ tiff-4.0.10/tools/tiffcp.c
+@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
+ int status = 1;
+ uint32 imagew = TIFFRasterScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew*spp;
++ int iskew;
+ tsize_t tilesize = TIFFTileSize(in);
+ tdata_t tilebuf;
+ uint8* bufp = (uint8*) buf;
+@@ -1416,6 +1416,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
++ if (spp > (0x7fffffff / tilew))
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++ return 0;
++ }
++ iskew = imagew - tilew*spp;
++
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+ return 0;
diff --git a/tiff.changes b/tiff.changes
index 71d44c6..15097fc 100644
--- a/tiff.changes
+++ b/tiff.changes
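Review bot: The NULL tests added before the two `_TIFFmemcmp` calls in `TIFFWriteDirectoryTagTransferfunction` overlap with Patch3 (tiff-CVE-2018-17000,19210.patch), which already forces `n = 1` earlier in the same function when `td_transferfunction[1]` or `td_transferfunction[2]` is NULL. Unless code between the two hunks raises `n` again, the `n==3` and `n==2` branches are then never entered with a NULL table, so the new tests are harmless but dead while both patches are applied. A spec comment above Patch5 such as `# tif_dirwrite.c part overlaps Patch3; drop one when rebasing` would tell the next maintainer why both exist. Neither hunk tests `td_transferfunction[0]` itself, which is passed to `_TIFFmemcmp` in both branches; whether callers guarantee it is non-NULL is not visible here.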
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Feb 12 15:36:02 UTC 2019 - mvetter@suse.com
+
+- security update
+ * CVE-2019-7663 [bsc#1125113]
+ + tiff-CVE-2019-7663.patch
+
 -------------------------------------------------------------------
 Mon Feb 4 14:04:09 UTC 2019 - mvetter@suse.com
diff --git a/tiff.spec b/tiff.spec
index 480e61b..b2b5603 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -38,6 +38,10 @@ Patch3: tiff-CVE-2018-17000,19210.patch
 # http://bugzilla.maptools.org/show_bug.cgi?id=2836
 # https://gitlab.com/libtiff/libtiff/merge_requests/50
 Patch4: tiff-CVE-2019-6128.patch
+# http://bugzilla.maptools.org/show_bug.cgi?id=2833
+# https://gitlab.com/libtiff/libtiff/merge_requests/54
+# https://gitlab.com/libtiff/libtiff/merge_requests/60
+Patch5: tiff-CVE-2019-7663.patch
 BuildRequires: gcc-c++
 BuildRequires: libjbig-devel
 BuildRequires: libjpeg-devel
@@ -79,6 +83,7 @@ the libtiff library.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 %build
 CFLAGS="%{optflags} -fPIE"