From ee295f46b9845a8b8d29dc66742222a00df3e9a7566915872d7af7586cdbf7ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Wed, 17 Oct 2018 11:39:01 +0000 Subject: [PATCH 1/2] Accepting request 642627 from home:pgajdos - security update * CVE-2018-17100 [bsc#1108637] + tiff-CVE-2018-17100.patch * CVE-2018-17101 [bsc#1108627] + tiff-CVE-2018-17101.patch OBS-URL: https://build.opensuse.org/request/show/642627 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=125 --- tiff-CVE-2018-17100.patch | 27 ++++++++++++++++++ tiff-CVE-2018-17101.patch | 58 +++++++++++++++++++++++++++++++++++++++ tiff.changes | 9 ++++++ tiff.spec | 6 +++- 4 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 tiff-CVE-2018-17100.patch create mode 100644 tiff-CVE-2018-17101.patch diff --git a/tiff-CVE-2018-17100.patch b/tiff-CVE-2018-17100.patch new file mode 100644 index 0000000..cb0c8a4 --- /dev/null +++ b/tiff-CVE-2018-17100.patch @@ -0,0 +1,27 @@ +Index: tiff-4.0.9/tools/ppm2tiff.c +=================================================================== +--- tiff-4.0.9.orig/tools/ppm2tiff.c 2018-10-17 12:25:05.271940872 +0200 ++++ tiff-4.0.9/tools/ppm2tiff.c 2018-10-17 12:26:15.468262130 +0200 +@@ -72,15 +72,16 @@ BadPPM(char* file) + exit(-2); + } + ++ ++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) ++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) ++ + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- tmsize_t bytes = m1 * m2; +- +- if (m1 && bytes / m1 != m2) +- bytes = 0; +- +- return bytes; ++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) ++ return 0; ++ return m1 * m2; + } + + int diff --git a/tiff-CVE-2018-17101.patch b/tiff-CVE-2018-17101.patch new file mode 100644 index 0000000..fc00c0b --- /dev/null +++ b/tiff-CVE-2018-17101.patch 
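Review bot: The rewritten `multiply_ms` in tools/ppm2tiff.c only bounds-checks correctly for non-negative operands, although `tmsize_t` is a signed type in libtiff. With a negative `m1` the quotient `TIFF_TMSIZE_T_MAX / m1` is zero or negative, so a sufficiently negative `m2` passes the comparison and `m1 * m2` can still overflow. Whether any caller can pass a negative value is not visible in this hunk, so rejecting them here is the cheap defence: `if( m1 <= 0 || m2 <= 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) return 0;`. The macro should also carry outer parentheses, `#define TIFF_TMSIZE_T_MAX ((tmsize_t)(TIFF_SIZE_T_MAX >> 1))`, so it stays a single operand wherever it is expanded. A one-line comment above the function saying that a return of 0 signals overflow and must be checked by the caller would document the contract the fix depends on.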
@@ -0,0 +1,58 @@ +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 01fcf941..01d8502e 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out) + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; ++ } ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS + +diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c +index 05faba87..5bef3142 100644 +--- a/tools/tiff2bw.c ++++ b/tools/tiff2bw.c +@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out) + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; ++ } ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS + diff --git a/tiff.changes b/tiff.changes index 89909d1..ae31368 100644 --- a/tiff.changes +++ b/tiff.changes 
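Review bot: The new guard in `cpTags` (tools/pal2rgb.c) is written out twice with only the constant changed, and it repeats the `TIFFGetField(in, TIFFTAG_COMPRESSION, ...)` lookup inside the loop for each fax tag. Reading the compression once before the loop and testing it in two conditions expresses the same check with less to get wrong. There is also no comment saying why the Group 3 / Group 4 option tags are copied only when the input uses the matching CCITT fax compression, which is the entire point of the fix; a short comment naming CVE-2018-17101 belongs above the check. The identical hunk for tools/tiff2bw.c has the same shape and would take the same change. The sketch keeps the behaviour of the patched loop; `tags` and `NTAGS` are defined outside the hunk.

```c
	struct cpTag *p;
	uint16 compression = 0;
	/* The fax option tags are copied only when the input really uses the
	 * matching CCITT fax codec (CVE-2018-17101). Read the codec once. */
	int have_compression = TIFFGetField(in, TIFFTAG_COMPRESSION, &compression);

	for (p = tags; p < &tags[NTAGS]; p++)
	{
		if( p->tag == TIFFTAG_GROUP3OPTIONS &&
		    !(have_compression && compression == COMPRESSION_CCITTFAX3) )
			continue;
		if( p->tag == TIFFTAG_GROUP4OPTIONS &&
		    !(have_compression && compression == COMPRESSION_CCITTFAX4) )
			continue;
		cpTag(in, out, p->tag, p->count, p->type);
	}
```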
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Oct 17 11:29:07 UTC 2018 - Petr Gajdos + +- security update + * CVE-2018-17100 [bsc#1108637] + + tiff-CVE-2018-17100.patch + * CVE-2018-17101 [bsc#1108627] + + tiff-CVE-2018-17101.patch + ------------------------------------------------------------------- Fri Aug 24 11:43:53 UTC 2018 - pgajdos@suse.com diff --git a/tiff.spec b/tiff.spec index 0250b61..2e48802 100644 --- a/tiff.spec +++ b/tiff.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -38,6 +38,8 @@ Patch6: tiff-CVE-2018-7456.patch Patch7: tiff-CVE-2017-11613.patch Patch8: tiff-CVE-2018-8905.patch Patch9: tiff-CVE-2018-10779.patch +Patch10: tiff-CVE-2018-17100.patch +Patch11: tiff-CVE-2018-17101.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel @@ -109,6 +111,8 @@ the libtiff library. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 %build CFLAGS="%{optflags} -fPIE" From b67797b39c76f8ea29be0be2d7115338afde750b8481e72fa0a144cab1dab46f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Fri, 19 Oct 2018 08:39:38 +0000 Subject: [PATCH 2/2] Accepting request 643137 from home:pgajdos - security update * CVE-2018-17795 [bsc#1110358] % tiff-4.0.9-bsc1046077-CVE-2017-9935.patch renamed to tiff-CVE-2017-9935,CVE-2018-17795.patch * CVE-2018-16335 [bsc#1106853] % tiff-CVE-2017-11613.patch renamed to tiff-CVE-2017-11613,CVE-2018-16335,15209.patch - add a possibility to build with ASAN OBS-URL: https://build.opensuse.org/request/show/643137 OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=126 --- ...> tiff-CVE-2017-11613,CVE-2018-16335,15209.patch | 0 ...patch => tiff-CVE-2017-9935,CVE-2018-17795.patch | 0 tiff.changes | 12 ++++++++++++ tiff.spec | 13 +++++++++++-- 4 files changed, 23 insertions(+), 2 deletions(-) rename tiff-CVE-2017-11613.patch => tiff-CVE-2017-11613,CVE-2018-16335,15209.patch (100%) rename tiff-4.0.9-bsc1046077-CVE-2017-9935.patch => tiff-CVE-2017-9935,CVE-2018-17795.patch (100%) diff --git a/tiff-CVE-2017-11613.patch b/tiff-CVE-2017-11613,CVE-2018-16335,15209.patch similarity index 100% rename from tiff-CVE-2017-11613.patch rename to tiff-CVE-2017-11613,CVE-2018-16335,15209.patch diff --git a/tiff-4.0.9-bsc1046077-CVE-2017-9935.patch b/tiff-CVE-2017-9935,CVE-2018-17795.patch similarity index 100% rename from tiff-4.0.9-bsc1046077-CVE-2017-9935.patch rename to tiff-CVE-2017-9935,CVE-2018-17795.patch diff --git a/tiff.changes b/tiff.changes index ae31368..4fbb244 100644 --- a/tiff.changes +++ b/tiff.changes 
@@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Fri Oct 19 07:02:18 UTC 2018 - Petr Gajdos + +- security update + * CVE-2018-17795 [bsc#1110358] + % tiff-4.0.9-bsc1046077-CVE-2017-9935.patch renamed to + tiff-CVE-2017-9935,CVE-2018-17795.patch + * CVE-2018-16335 [bsc#1106853] + % tiff-CVE-2017-11613.patch renamed to + tiff-CVE-2017-11613,CVE-2018-16335,15209.patch +- add a possibility to build with ASAN + ------------------------------------------------------------------- Wed Oct 17 11:29:07 UTC 2018 - Petr Gajdos diff --git a/tiff.spec b/tiff.spec index 2e48802..af34684 100644 --- a/tiff.spec +++ b/tiff.spec @@ -16,6 +16,8 @@ # +%define asan_build 0 + Name: tiff Version: 4.0.9 Release: 0 @@ -30,12 +32,12 @@ Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch # Contained in upstream repo. See bsc#1046077 for commit IDs. -Patch2: tiff-4.0.9-bsc1046077-CVE-2017-9935.patch +Patch2: tiff-CVE-2017-9935,CVE-2018-17795.patch Patch3: tiff-4.0.9-bsc1081690-CVE-2018-5784.patch Patch4: tiff-CVE-2018-10963.patch Patch5: tiff-CVE-2017-18013.patch Patch6: tiff-CVE-2018-7456.patch -Patch7: tiff-CVE-2017-11613.patch +Patch7: tiff-CVE-2017-11613,CVE-2018-16335,15209.patch Patch8: tiff-CVE-2018-8905.patch Patch9: tiff-CVE-2018-10779.patch Patch10: tiff-CVE-2018-17100.patch @@ -117,6 +119,9 @@ the libtiff library. %build CFLAGS="%{optflags} -fPIE" %configure --disable-static +%if %{asan_build} +find -name Makefile | xargs sed -i 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' +%endif make %{?_smp_mflags} LDFLAGS="-pie" %install @@ -141,6 +146,10 @@ for tool in pal2rgb; do done %check +%if %{asan_build} +# ASAN needs /proc to be mounted +exit 0 +%endif for i in tools test; do (cd $i && make %{?_smp_mflags} check) done
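Review bot: The sed in the `%if %{asan_build}` block of `%build` only touches Makefile lines that begin with `CFLAGS`, so anything compiled through `CXXFLAGS` (the spec has `BuildRequires: gcc-c++`) would presumably stay uninstrumented, while any other variable whose name merely starts with `CFLAGS` gets the flag as well. Anchoring on the full variable name and covering both is tighter: `find . -name Makefile -exec sed -i 's/^\(CFLAGS\|CXXFLAGS\)\( *=.*\)/\1\2 -fsanitize=address/' {} +`. The switch itself, `%define asan_build 0` in the first hunk of this file, has no explanation; a comment such as `# debug only: set to 1 for an AddressSanitizer build, never for a published package` would make clear that the instrumented library is a test artefact and not a hardened build.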
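Review bot: With `asan_build` enabled, the added `exit 0` at the top of `%check` skips the whole `for i in tools test` loop, so the instrumented binaries are never executed during the build and the option cannot report anything by itself. The comment gives the reason (ASAN needs /proc), but the skip leaves no trace in the build log; printing it keeps the gap visible: `echo "ASAN build: test suite skipped (needs /proc)"; exit 0`. If the build environment can provide /proc, running these checks under ASAN is where the option would pay off, given that the patches carried by this spec are memory-safety fixes.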