From daa5f36cc1573d500d4626779e90144c04eeddcc56ddb3fc7337f74c522ac722 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Thu, 26 Feb 2015 14:02:29 +0000 Subject: [PATCH] - security update: CVE-2014-9655, CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2015-1547 bnc#914890, bnc#916925, bnc#916927 + erouault.2856.patch + erouault.2857.patch + erouault.2858.patch + erouault.2859.patch + erouault.2860.patch + erouault.2861.patch + erouault.2862.patch + erouault.2863.patch + erouault.2876.patch + bfriesen.2805.patch + tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch + tiff-handle-TIFFTAG_PREDICTOR.patch + tiff-dither-malloc-check.patch OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=65 --- bfriesen.2805.patch | 32 ++ erouault.2856.patch | 336 ++++++++++++++++++ erouault.2857.patch | 47 +++ erouault.2858.patch | 35 ++ erouault.2859.patch | 47 +++ erouault.2860.patch | 85 +++++ erouault.2861.patch | 33 ++ erouault.2862.patch | 44 +++ erouault.2863.patch | 31 ++ erouault.2876.patch | 90 +++++ tiff-dither-malloc-check.patch | 16 + ...andle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch | 12 + tiff-handle-TIFFTAG_PREDICTOR.patch | 12 + tiff.changes | 20 ++ tiff.spec | 29 +- 15 files changed, 868 insertions(+), 1 deletion(-) create mode 100644 bfriesen.2805.patch create mode 100644 erouault.2856.patch create mode 100644 erouault.2857.patch create mode 100644 erouault.2858.patch create mode 100644 erouault.2859.patch create mode 100644 erouault.2860.patch create mode 100644 erouault.2861.patch create mode 100644 erouault.2862.patch create mode 100644 erouault.2863.patch create mode 100644 erouault.2876.patch create mode 100644 tiff-dither-malloc-check.patch create mode 100644 tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch create mode 100644 tiff-handle-TIFFTAG_PREDICTOR.patch diff --git a/bfriesen.2805.patch b/bfriesen.2805.patch new file mode 100644 index 0000000..54f68c9 --- /dev/null +++ b/bfriesen.2805.patch @@ -0,0 +1,32 @@ +--------------------- +PatchSet 2805 +Date: 2012/11/18 19:51:52 +Author: bfriesen +Branch: HEAD +Tag: (none) +Log: +* libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not +require malloc() to return NULL pointer if requested allocation +size is zero. Assure that _TIFFmalloc does. + +Members: + ChangeLog:1.924->1.925 + libtiff/tif_unix.c:1.23->1.24 + libtiff/tif_vms.c:1.11->1.12 + libtiff/tif_win32.c:1.39->1.40 + +Index: libtiff/libtiff/tif_unix.c +diff -u libtiff/libtiff/tif_unix.c:1.23 libtiff/libtiff/tif_unix.c:1.24 +--- libtiff/libtiff/tif_unix.c:1.23 Fri Jun 1 16:40:59 2012 ++++ libtiff/libtiff/tif_unix.c Sun Nov 18 12:51:52 2012 +@@ -257,6 +257,9 @@ + void* + _TIFFmalloc(tmsize_t s) + { ++ if (s == 0) ++ return ((void *) NULL); ++ + return (malloc((size_t) s)); + } + + diff --git a/erouault.2856.patch b/erouault.2856.patch new file mode 100644 index 0000000..6f2ffd5 --- /dev/null +++ b/erouault.2856.patch @@ -0,0 +1,336 @@ +--------------------- +PatchSet 2856 +Date: 2014/12/21 17:15:31 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +Fix various crasher bugs on fuzzed images. +* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for +TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing +the directory +* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or +TransferFunction if BitsPerSample has not yet been read, otherwise reading +it later will cause user code to crash if BitsPerSample > 1 +* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with +SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8 +* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images +instead of imagewidth to avoid crash +* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions +* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by +libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB +* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight +* tools/tiffdump.c: fix crash due to overflow of entry count. + +Members: + ChangeLog:1.960->1.961 + libtiff/tif_dir.c:1.117->1.118 + libtiff/tif_dirread.c:1.180->1.181 + libtiff/tif_getimage.c:1.82->1.83 + libtiff/tif_next.c:1.13->1.14 + tools/bmp2tiff.c:1.23->1.24 + tools/tiff2pdf.c:1.77->1.78 + tools/tiffcrop.c:1.23->1.24 + tools/tiffdump.c:1.28->1.29 + +Index: libtiff/libtiff/tif_dir.c +diff -u libtiff/libtiff/tif_dir.c:1.117 libtiff/libtiff/tif_dir.c:1.118 +--- libtiff/libtiff/tif_dir.c:1.117 Thu Nov 20 11:47:21 2014 ++++ libtiff/libtiff/tif_dir.c Sun Dec 21 10:15:31 2014 +@@ -160,6 +160,7 @@ + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; ++ double dblval; + char* s; + const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); + uint32 standard_tag = tag; +@@ -284,10 +285,16 @@ + setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); + break; + case TIFFTAG_XRESOLUTION: +- td->td_xresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_xresolution = (float) dblval; + break; + case TIFFTAG_YRESOLUTION: +- td->td_yresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_yresolution = (float) dblval; + break; + case TIFFTAG_PLANARCONFIG: + v = (uint16) va_arg(ap, uint16_vap); +@@ -694,6 +701,16 @@ + va_end(ap); + } + return (0); ++badvaluedouble: ++ { ++ const TIFFField* fip=TIFFFieldWithTag(tif,tag); ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Bad value %f for \"%s\" tag", ++ tif->tif_name, dblval, ++ fip ? fip->field_name : "Unknown"); ++ va_end(ap); ++ } ++ return (0); + } + + /* +Index: libtiff/libtiff/tif_dirread.c +diff -u libtiff/libtiff/tif_dirread.c:1.180 libtiff/libtiff/tif_dirread.c:1.181 +--- libtiff/libtiff/tif_dirread.c:1.180 Thu Nov 20 11:47:21 2014 ++++ libtiff/libtiff/tif_dirread.c Sun Dec 21 10:15:31 2014 +@@ -3430,6 +3430,8 @@ + const TIFFField* fip; + uint32 fii=FAILED_FII; + toff_t nextdiroff; ++ int bitspersample_read = FALSE; ++ + tif->tif_diroff=tif->tif_nextdiroff; + if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) + return 0; /* last offset or bad offset (IFD looping) */ +@@ -3706,6 +3708,8 @@ + } + if (!TIFFSetField(tif,dp->tdir_tag,value)) + goto bad; ++ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE ) ++ bitspersample_read = TRUE; + } + break; + case TIFFTAG_SMINSAMPLEVALUE: +@@ -3763,6 +3767,19 @@ + uint32 countrequired; + uint32 incrementpersample; + uint16* value=NULL; ++ /* It would be dangerous to instanciate those tag values */ ++ /* since if td_bitspersample has not yet been read (due to */ ++ /* unordered tags), it could be read afterwards with a */ ++ /* values greater than the default one (1), which may cause */ ++ /* crashes in user code */ ++ if( !bitspersample_read ) ++ { ++ fip = TIFFFieldWithTag(tif,dp->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "Ignoring %s since BitsPerSample tag not found", ++ fip ? fip->field_name : "unknown tagname"); ++ continue; ++ } + countpersample=(1L<tif_dir.td_bitspersample); + if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample)) + { +Index: libtiff/libtiff/tif_getimage.c +diff -u libtiff/libtiff/tif_getimage.c:1.82 libtiff/libtiff/tif_getimage.c:1.83 +--- libtiff/libtiff/tif_getimage.c:1.82 Tue Jun 5 19:17:49 2012 ++++ libtiff/libtiff/tif_getimage.c Sun Dec 21 10:15:31 2014 +@@ -1,4 +1,4 @@ +-/* $Id: tif_getimage.c,v 1.82 2012-06-06 00:17:49 fwarmerdam Exp $ */ ++/* $Id: tif_getimage.c,v 1.83 2014-12-21 15:15:31 erouault Exp $ */ + + /* + * Copyright (c) 1991-1997 Sam Leffler +@@ -182,8 +182,23 @@ + "Planarconfiguration", td->td_planarconfig); + return (0); + } ++ if( td->td_samplesperpixel != 3 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d", ++ "Samples/pixel", td->td_samplesperpixel); ++ return 0; ++ } + break; + case PHOTOMETRIC_CIELAB: ++ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d and %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "Bits/sample", td->td_bitspersample); ++ return 0; ++ } + break; + default: + sprintf(emsg, "Sorry, can not handle image with %s=%d", +Index: libtiff/libtiff/tif_next.c +diff -u libtiff/libtiff/tif_next.c:1.13 libtiff/libtiff/tif_next.c:1.14 +--- libtiff/libtiff/tif_next.c:1.13 Wed Mar 10 13:56:48 2010 ++++ libtiff/libtiff/tif_next.c Sun Dec 21 10:15:32 2014 +@@ -102,6 +102,8 @@ + default: { + uint32 npixels = 0, grey; + uint32 imagewidth = tif->tif_dir.td_imagewidth; ++ if( isTiled(tif) ) ++ imagewidth = tif->tif_dir.td_tilewidth; + + /* + * The scanline is composed of a sequence of constant +Index: libtiff/tools/bmp2tiff.c +diff -u libtiff/tools/bmp2tiff.c:1.23 libtiff/tools/bmp2tiff.c:1.24 +--- libtiff/tools/bmp2tiff.c:1.23 Wed Mar 10 13:56:49 2010 ++++ libtiff/tools/bmp2tiff.c Sun Dec 21 10:15:32 2014 +@@ -403,6 +403,13 @@ + + width = info_hdr.iWidth; + length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; ++ if( width <= 0 || length <= 0 ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + + switch (info_hdr.iBitCount) + { +@@ -593,6 +600,14 @@ + + compr_size = file_hdr.iSize - file_hdr.iOffBits; + uncompr_size = width * length; ++ /* Detect int overflow */ ++ if( uncompr_size / width != length ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); + if (!comprbuf) { + TIFFError(infilename, +Index: libtiff/tools/tiff2pdf.c +diff -u libtiff/tools/tiff2pdf.c:1.77 libtiff/tools/tiff2pdf.c:1.78 +--- libtiff/tools/tiff2pdf.c:1.77 Tue Dec 9 21:53:30 2014 ++++ libtiff/tools/tiff2pdf.c Sun Dec 21 10:15:32 2014 +@@ -1167,6 +1167,15 @@ + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ + TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid tile count, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_tiles[i].tiles_tilecount/= xuint16; + } + if( t2p->tiff_tiles[i].tiles_tilecount > 0){ +@@ -1552,6 +1561,22 @@ + #endif + break; + case PHOTOMETRIC_CIELAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for CIELAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for CIELAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]= -127; + t2p->pdf_labrange[1]= 127; + t2p->pdf_labrange[2]= -127; +@@ -1567,6 +1592,22 @@ + t2p->pdf_colorspace=T2P_CS_LAB; + break; + case PHOTOMETRIC_ITULAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for ITULAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for ITULAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]=-85; + t2p->pdf_labrange[1]=85; + t2p->pdf_labrange[2]=-75; +Index: libtiff/tools/tiffcrop.c +diff -u libtiff/tools/tiffcrop.c:1.23 libtiff/tools/tiffcrop.c:1.24 +--- libtiff/tools/tiffcrop.c:1.23 Sun Dec 7 17:33:06 2014 ++++ libtiff/tools/tiffcrop.c Sun Dec 21 10:15:32 2014 +@@ -1205,9 +1205,10 @@ + tsize_t tilesize = TIFFTileSize(out); + unsigned char *tilebuf = NULL; + +- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); +- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); +- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || ++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || ++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) ++ return 1; + + tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) +Index: libtiff/tools/tiffdump.c +diff -u libtiff/tools/tiffdump.c:1.28 libtiff/tools/tiffdump.c:1.29 +--- libtiff/tools/tiffdump.c:1.28 Sat Dec 6 10:58:44 2014 ++++ libtiff/tools/tiffdump.c Sun Dec 21 10:15:32 2014 +@@ -374,6 +374,8 @@ + void* datamem; + uint64 dataoffset; + int datatruncated; ++ int datasizeoverflow; ++ + tag = *(uint16*)dp; + if (swabflag) + TIFFSwabShort(&tag); +@@ -412,13 +414,14 @@ + else + typewidth = datawidth[type]; + datasize = count*typewidth; ++ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count); + datafits = 1; + datamem = dp; + dataoffset = 0; + datatruncated = 0; + if (!bigtiff) + { +- if (datasize>4) ++ if (datasizeoverflow || datasize>4) + { + uint32 dataoffset32; + datafits = 0; +@@ -432,7 +435,7 @@ + } + else + { +- if (datasize>8) ++ if (datasizeoverflow || datasize>8) + { + datafits = 0; + datamem = NULL; +@@ -442,7 +445,7 @@ + } + dp += sizeof(uint64); + } +- if (datasize>0x10000) ++ if (datasizeoverflow || datasize>0x10000) + { + datatruncated = 1; + count = 0x10000/typewidth; diff --git a/erouault.2857.patch b/erouault.2857.patch new file mode 100644 index 0000000..c1e7a3c --- /dev/null +++ b/erouault.2857.patch @@ -0,0 +1,47 @@ +--------------------- +PatchSet 2857 +Date: 2014/12/21 18:28:37 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none. +Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480) +Description: fix for Debian bug #741451 +tiffcp crashes when converting JPEG-encoded TIFF to a different +encoding (like none or lzw). For example this will probably fail: +tiffcp -c none jpeg_encoded_file.tif output.tif +The reason is that when the input file contains JPEG data, +the tiffcp code forces conversion to RGB space. However, +the output normally inherits YCbCr subsampling parameters +from the input, which leads to a smaller working buffer +than necessary. The buffer is subsequently overrun inside +cpStripToTile() (called from writeBufferToContigTiles). +Note that the resulting TIFF file would be scrambled even +if tiffcp wouldn't crash, since the output file would contain +RGB data intepreted as subsampled YCbCr values. +This patch fixes the problem by forcing RGB space on the output +TIF if the input is JPEG-encoded and output is *not* JPEG-encoded. +Author: Tomasz Buchert + +Members: + ChangeLog:1.961->1.962 + tools/tiffcp.c:1.50->1.51 + +Index: libtiff/tools/tiffcp.c +diff -u libtiff/tools/tiffcp.c:1.50 libtiff/tools/tiffcp.c:1.51 +--- libtiff/tools/tiffcp.c:1.50 Tue Mar 5 22:35:09 2013 ++++ libtiff/tools/tiffcp.c Sun Dec 21 11:28:37 2014 +@@ -633,6 +633,12 @@ + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, + samplesperpixel == 1 ? + PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV); ++ else if (input_compression == COMPRESSION_JPEG && ++ samplesperpixel == 3 ) { ++ /* RGB conversion was forced above ++ hence the output will be of the same type */ ++ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB); ++ } + else + CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT); + if (fillorder != 0) diff --git a/erouault.2858.patch b/erouault.2858.patch new file mode 100644 index 0000000..2d4e076 --- /dev/null +++ b/erouault.2858.patch @@ -0,0 +1,35 @@ +--------------------- +PatchSet 2858 +Date: 2014/12/21 19:36:36 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* tools/tiff2pdf.c: check return code of TIFFGetField() when reading +TIFFTAG_SAMPLESPERPIXEL + +Members: + ChangeLog:1.962->1.963 + tools/tiff2pdf.c:1.78->1.79 + +Index: libtiff/tools/tiff2pdf.c +diff -u libtiff/tools/tiff2pdf.c:1.78 libtiff/tools/tiff2pdf.c:1.79 +--- libtiff/tools/tiff2pdf.c:1.78 Sun Dec 21 10:15:32 2014 ++++ libtiff/tools/tiff2pdf.c Sun Dec 21 12:36:36 2014 +@@ -1166,7 +1166,15 @@ + t2p->tiff_pages[i].page_tilecount; + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ +- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Missing SamplesPerPixel, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) + { + TIFFError( diff --git a/erouault.2859.patch b/erouault.2859.patch new file mode 100644 index 0000000..6744820 --- /dev/null +++ b/erouault.2859.patch @@ -0,0 +1,47 @@ +--------------------- +PatchSet 2859 +Date: 2014/12/21 20:07:48 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* libtiff/tif_next.c: check that BitsPerSample = 2. Fixes +http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129) + +Members: + ChangeLog:1.963->1.964 + libtiff/tif_next.c:1.14->1.15 + + +Index: libtiff/libtiff/tif_next.c +diff -u libtiff/libtiff/tif_next.c:1.14 libtiff/libtiff/tif_next.c:1.15 +--- libtiff/libtiff/tif_next.c:1.14 Sun Dec 21 10:15:32 2014 ++++ libtiff/libtiff/tif_next.c Sun Dec 21 13:07:48 2014 +@@ -141,10 +141,27 @@ + return (0); + } + ++static int ++NeXTPreDecode(TIFF* tif, uint16 s) ++{ ++ static const char module[] = "NeXTPreDecode"; ++ TIFFDirectory *td = &tif->tif_dir; ++ (void)s; ++ ++ if( td->td_bitspersample != 2 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d", ++ td->td_bitspersample); ++ return (0); ++ } ++ return (1); ++} ++ + int + TIFFInitNeXT(TIFF* tif, int scheme) + { + (void) scheme; ++ tif->tif_predecode = NeXTPreDecode; + tif->tif_decoderow = NeXTDecode; + tif->tif_decodestrip = NeXTDecode; + tif->tif_decodetile = NeXTDecode; diff --git a/erouault.2860.patch b/erouault.2860.patch new file mode 100644 index 0000000..c9a199f --- /dev/null +++ b/erouault.2860.patch @@ -0,0 +1,85 @@ +--------------------- +PatchSet 2860 +Date: 2014/12/21 20:52:42 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS +or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or +COMPRESSION_CCITTFAX4 +http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128) + +Members: + ChangeLog:1.964->1.965 + tools/thumbnail.c:1.17->1.18 + tools/tiffcmp.c:1.16->1.17 + + +Index: libtiff/tools/thumbnail.c +diff -u libtiff/tools/thumbnail.c:1.17 libtiff/tools/thumbnail.c:1.18 +--- libtiff/tools/thumbnail.c:1.17 Sun Dec 7 17:33:06 2014 ++++ libtiff/tools/thumbnail.c Sun Dec 21 13:52:42 2014 +@@ -274,7 +274,26 @@ + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */ ++ /* if we request a tag that is defined in a codec, but that codec */ ++ /* isn't used */ ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; ++ } ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS + +Index: libtiff/tools/tiffcmp.c +diff -u libtiff/tools/tiffcmp.c:1.16 libtiff/tools/tiffcmp.c:1.17 +--- libtiff/tools/tiffcmp.c:1.16 Wed Mar 10 13:56:50 2010 ++++ libtiff/tools/tiffcmp.c Sun Dec 21 13:52:42 2014 +@@ -260,6 +260,7 @@ + static int + cmptags(TIFF* tif1, TIFF* tif2) + { ++ uint16 compression1, compression2; + CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType"); + CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth"); + CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength"); +@@ -276,8 +277,20 @@ + CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat"); + CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution"); + CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution"); +- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); +- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); ++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && ++ compression1 == COMPRESSION_CCITTFAX3 && ++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && ++ compression2 == COMPRESSION_CCITTFAX3 ) ++ { ++ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); ++ } ++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && ++ compression1 == COMPRESSION_CCITTFAX4 && ++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && ++ compression2 == COMPRESSION_CCITTFAX4 ) ++ { ++ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); ++ } + CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit"); + CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration"); + CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip"); diff --git a/erouault.2861.patch b/erouault.2861.patch new file mode 100644 index 0000000..67284a7 --- /dev/null +++ b/erouault.2861.patch @@ -0,0 +1,33 @@ +--------------------- +PatchSet 2861 +Date: 2014/12/21 21:53:59 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* tools/thumbnail.c: fix out-of-buffer write +http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) + +Members: + ChangeLog:1.965->1.966 + tools/thumbnail.c:1.18->1.19 + +Index: libtiff/tools/thumbnail.c +diff -u libtiff/tools/thumbnail.c:1.18 libtiff/tools/thumbnail.c:1.19 +--- libtiff/tools/thumbnail.c:1.18 Sun Dec 21 13:52:42 2014 ++++ libtiff/tools/thumbnail.c Sun Dec 21 14:53:59 2014 +@@ -568,7 +568,13 @@ + err -= limit; + sy++; + if (err >= limit) +- rows[nrows++] = br + bpr*sy; ++ { ++ /* We should perhaps error loudly, but I can't make sense of that */ ++ /* code... */ ++ if( nrows == 256 ) ++ break; ++ rows[nrows++] = br + bpr*sy; ++ } + } + setrow(row, nrows, rows); + row += tnw; diff --git a/erouault.2862.patch b/erouault.2862.patch new file mode 100644 index 0000000..8516542 --- /dev/null +++ b/erouault.2862.patch @@ -0,0 +1,44 @@ +--------------------- +PatchSet 2862 +Date: 2014/12/21 22:04:31 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES +copying. The right fix would be to properly copy it, but not worth the burden +for those esoteric utilities. +http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) + +Members: + ChangeLog:1.966->1.967 + tools/pal2rgb.c:1.13->1.14 + tools/thumbnail.c:1.19->1.20 + + +Index: libtiff/tools/pal2rgb.c +diff -u libtiff/tools/pal2rgb.c:1.13 libtiff/tools/pal2rgb.c:1.14 +--- libtiff/tools/pal2rgb.c:1.13 Fri Jul 2 07:02:56 2010 ++++ libtiff/tools/pal2rgb.c Sun Dec 21 15:04:31 2014 +@@ -372,7 +372,7 @@ + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, +Index: libtiff/tools/thumbnail.c +diff -u libtiff/tools/thumbnail.c:1.19 libtiff/tools/thumbnail.c:1.20 +--- libtiff/tools/thumbnail.c:1.19 Sun Dec 21 14:53:59 2014 ++++ libtiff/tools/thumbnail.c Sun Dec 21 15:04:31 2014 +@@ -257,7 +257,7 @@ + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, diff --git a/erouault.2863.patch b/erouault.2863.patch new file mode 100644 index 0000000..42089b3 --- /dev/null +++ b/erouault.2863.patch @@ -0,0 +1,31 @@ +--------------------- +PatchSet 2863 +Date: 2014/12/21 22:58:29 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* tools/tiff2bw.c: when Photometric=RGB, the utility only works if +SamplesPerPixel = 3. Enforce that +http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127) + +Members: + ChangeLog:1.967->1.968 + tools/tiff2bw.c:1.16->1.17 + +Index: libtiff/tools/tiff2bw.c +diff -u libtiff/tools/tiff2bw.c:1.16 libtiff/tools/tiff2bw.c:1.17 +--- libtiff/tools/tiff2bw.c:1.16 Thu May 2 09:44:29 2013 ++++ libtiff/tools/tiff2bw.c Sun Dec 21 15:58:30 2014 +@@ -171,6 +171,11 @@ + argv[optind], samplesperpixel); + return (-1); + } ++ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { ++ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", ++ argv[optind], samplesperpixel); ++ return (-1); ++ } + TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); + if (bitspersample != 8) { + fprintf(stderr, diff --git a/erouault.2876.patch b/erouault.2876.patch new file mode 100644 index 0000000..5afaad3 --- /dev/null +++ b/erouault.2876.patch @@ -0,0 +1,90 @@ +--------------------- +PatchSet 2876 +Date: 2014/12/29 14:09:11 +Author: erouault +Branch: HEAD +Tag: (none) +Log: +* libtiff/tif_next.c: add new tests to check that we don't read outside of +the compressed input stream buffer. + +* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height + +Members: + ChangeLog:1.980->1.981 + libtiff/tif_getimage.c:1.85->1.86 + libtiff/tif_next.c:1.15->1.16 + +Index: libtiff/libtiff/tif_getimage.c +diff -u libtiff/libtiff/tif_getimage.c:1.85 libtiff/libtiff/tif_getimage.c:1.86 +--- libtiff/libtiff/tif_getimage.c:1.85 Thu Dec 25 13:29:11 2014 ++++ libtiff/libtiff/tif_getimage.c Mon Dec 29 07:09:11 2014 +@@ -1871,7 +1871,7 @@ + + (void) y; + fromskew = (fromskew * 10) / 4; +- if ((h & 3) == 0 && (w & 1) == 0) { ++ if ((w & 3) == 0 && (h & 1) == 0) { + for (; h >= 2; h -= 2) { + x = w>>2; + do { +@@ -1948,7 +1948,7 @@ + /* XXX adjust fromskew */ + do { + x = w>>2; +- do { ++ while(x>0) { + int32 Cb = pp[4]; + int32 Cr = pp[5]; + +@@ -1959,7 +1959,8 @@ + + cp += 4; + pp += 6; +- } while (--x); ++ x--; ++ } + + if( (w&3) != 0 ) + { +@@ -2050,7 +2051,7 @@ + fromskew = (fromskew * 4) / 2; + do { + x = w>>1; +- do { ++ while(x>0) { + int32 Cb = pp[2]; + int32 Cr = pp[3]; + +@@ -2059,7 +2060,8 @@ + + cp += 2; + pp += 4; +- } while (--x); ++ x --; ++ } + + if( (w&1) != 0 ) + { +Index: libtiff/libtiff/tif_next.c +diff -u libtiff/libtiff/tif_next.c:1.15 libtiff/libtiff/tif_next.c:1.16 +--- libtiff/libtiff/tif_next.c:1.15 Sun Dec 21 13:07:48 2014 ++++ libtiff/libtiff/tif_next.c Mon Dec 29 07:09:11 2014 +@@ -71,7 +71,7 @@ + TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read"); + return (0); + } +- for (row = buf; occ > 0; occ -= scanline, row += scanline) { ++ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) { + n = *bp++, cc--; + switch (n) { + case LITERALROW: +@@ -90,6 +90,8 @@ + * The scanline has a literal span that begins at some + * offset. + */ ++ if( cc < 4 ) ++ goto bad; + off = (bp[0] * 256) + bp[1]; + n = (bp[2] * 256) + bp[3]; + if (cc < 4+n || off+n > scanline) diff --git a/tiff-dither-malloc-check.patch b/tiff-dither-malloc-check.patch new file mode 100644 index 0000000..7e067ac --- /dev/null +++ b/tiff-dither-malloc-check.patch @@ -0,0 +1,16 @@ +Index: tools/tiffdither.c +=================================================================== +--- tools/tiffdither.c.orig 2015-02-18 13:06:47.972867055 +0100 ++++ tools/tiffdither.c 2015-02-18 13:12:03.759562692 +0100 +@@ -77,6 +77,11 @@ + outlinesize = TIFFScanlineSize(out); + outline = (unsigned char *) _TIFFmalloc(outlinesize); + ++ if (! (inputline && thisline && nextline && outline)) { ++ fprintf(stderr, "Out of memory.\n"); ++ return; ++ } ++ + /* + * Get first line + */ diff --git a/tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch b/tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch new file mode 100644 index 0000000..c463684 --- /dev/null +++ b/tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch @@ -0,0 +1,12 @@ +Index: libtiff/tif_dirinfo.c +=================================================================== +--- libtiff/tif_dirinfo.c.orig 2015-02-20 10:55:07.511497649 +0100 ++++ libtiff/tif_dirinfo.c 2015-02-20 18:25:36.187965859 +0100 +@@ -141,6 +141,7 @@ + { TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL }, + { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL }, + { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL }, ++ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, + /* begin DNG tags */ + { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL }, + { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL }, diff --git a/tiff-handle-TIFFTAG_PREDICTOR.patch b/tiff-handle-TIFFTAG_PREDICTOR.patch new file mode 100644 index 0000000..ad94c07 --- /dev/null +++ b/tiff-handle-TIFFTAG_PREDICTOR.patch @@ -0,0 +1,12 @@ +Index: libtiff/tif_dirinfo.c +=================================================================== +--- libtiff/tif_dirinfo.c.orig 2015-02-20 18:38:55.798039584 +0100 ++++ libtiff/tif_dirinfo.c 2015-02-20 18:58:50.474095885 +0100 +@@ -142,6 +142,7 @@ + { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL }, + { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, ++ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL }, + /* begin DNG tags */ + { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL }, + { TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL }, diff --git a/tiff.changes b/tiff.changes index 5dbc71c..145ee3b 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Thu Feb 26 13:58:54 UTC 2015 - pgajdos@suse.com + +- security update: CVE-2014-9655, CVE-2014-8127, CVE-2014-8128, + CVE-2014-8129, CVE-2014-8130, CVE-2015-1547 + bnc#914890, bnc#916925, bnc#916927 + + erouault.2856.patch + + erouault.2857.patch + + erouault.2858.patch + + erouault.2859.patch + + erouault.2860.patch + + erouault.2861.patch + + erouault.2862.patch + + erouault.2863.patch + + erouault.2876.patch + + bfriesen.2805.patch + + tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch + + tiff-handle-TIFFTAG_PREDICTOR.patch + + tiff-dither-malloc-check.patch + ------------------------------------------------------------------- Mon Dec 22 19:58:43 UTC 2014 - meissner@suse.com diff --git a/tiff.spec b/tiff.spec index ba46a96..934d930 100644 --- a/tiff.spec +++ b/tiff.spec @@ -1,7 +1,7 @@ # # spec file for package tiff # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -60,6 +60,20 @@ Patch8: tiff-4.0.3-CVE-2013-4232.patch Patch9: tiff-4.0.3-CVE-2013-4231.patch Patch10: tiff-4.0.3-CVE-2013-4244.patch Patch11: tiff-4.0.3-CVE-2013-4243.patch +Patch12: erouault.2856.patch +Patch13: erouault.2857.patch +Patch14: erouault.2858.patch +Patch15: erouault.2859.patch +Patch16: erouault.2860.patch +Patch17: erouault.2861.patch +Patch18: erouault.2862.patch +Patch19: erouault.2863.patch +Patch20: erouault.2876.patch +Patch21: bfriesen.2805.patch +Patch22: tiff-dither-malloc-check.patch +Patch23: tiff-handle-TIFFTAG_CONSECUTIVEBADFAXLINES.patch +Patch24: tiff-handle-TIFFTAG_PREDICTOR.patch + # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch @@ -115,6 +129,19 @@ the libtiff library. %patch9 %patch10 %patch11 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 +%patch23 +%patch24 %build CFLAGS="$RPM_OPT_FLAGS -fPIE"