From f02ef36534a88364266548d979b7e2fa19bfc98124d25c36ef5a9929ce27e5cd Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Fri, 16 Feb 2018 14:14:43 +0000 Subject: [PATCH] - bsc#1046077: Add tiff-4.0.9-bsc1046077-CVE-2017-9935.patch Fix Heap-based buffer overflow in t2p_write_pdf OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=111 --- tiff-4.0.9-bsc1046077-CVE-2017-9935.patch | 209 ++++++++++++++++++++++ tiff.changes | 6 + tiff.spec | 5 +- 3 files changed, 219 insertions(+), 1 deletion(-) create mode 100644 tiff-4.0.9-bsc1046077-CVE-2017-9935.patch diff --git a/tiff-4.0.9-bsc1046077-CVE-2017-9935.patch b/tiff-4.0.9-bsc1046077-CVE-2017-9935.patch new file mode 100644 index 0000000..fdea74b --- /dev/null +++ b/tiff-4.0.9-bsc1046077-CVE-2017-9935.patch @@ -0,0 +1,209 @@ +From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001 +From: Brian May +Date: Thu, 7 Dec 2017 07:46:47 +1100 +Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 + +Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +This vulnerability - at least for the supplied test case - is because we +assume that a tiff will only have one transfer function that is the same +for all pages. This is not required by the TIFF standards. + +We than read the transfer function for every page. Depending on the +transfer function, we allocate either 2 or 4 bytes to the XREF buffer. +We allocate this memory after we read in the transfer function for the +page. + +For the first exploit - POC1, this file has 3 pages. For the first page +we allocate 2 extra extra XREF entries. Then for the next page 2 more +entries. Then for the last page the transfer function changes and we +allocate 4 more entries. + +When we read the file into memory, we assume we have 4 bytes extra for +each and every page (as per the last transfer function we read). Which +is not correct, we only have 2 bytes extra for the first 2 pages. As a +result, we end up writing past the end of the buffer. + +There are also some related issues that this also fixes. For example, +TIFFGetField can return uninitalized pointer values, and the logic to +detect a N=3 vs N=1 transfer function seemed rather strange. + +It is also strange that we declare the transfer functions to be of type +float, when the standard says they are unsigned 16 bit values. This is +fixed in another patch. + +This patch will check to ensure that the N value for every transfer +function is the same for every page. If this changes, we abort with an +error. In theory, we should perhaps check that the transfer function +itself is identical for every page, however we don't do that due to the +confusion of the type of the data in the transfer function. +--- + libtiff/tif_dir.c | 3 +++ + tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++++++++++++++--------------------- + 2 files changed, 47 insertions(+), 21 deletions(-) + +From d4f213636b6f950498a1386083199bd7f65676b9 Mon Sep 17 00:00:00 2001 +From: Brian May +Date: Thu, 7 Dec 2017 07:49:20 +1100 +Subject: [PATCH] tiff2pdf: Fix apparent incorrect type for transfer table + +The standard says the transfer table contains unsigned 16 bit values, +I have no idea why we refer to them as floats. +--- + tools/tiff2pdf.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 2ccaf44..cbf2b69 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index d1a9b09..c3ec074 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ float* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); +@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (float*) NULL) && ++ (tiff_transferfunction[2] != (float*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { + if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ (t2p->tiff_transferfunction[2] != (float*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1; + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index c3ec074..484776c 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -237,7 +237,7 @@ typedef struct { + float tiff_whitechromaticities[2]; + float tiff_primarychromaticities[6]; + float tiff_referenceblackwhite[2]; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + int pdf_image_interpolate; /* 0 (default) : do not interpolate, + 1 : interpolate */ + uint16 tiff_transferfunctioncount; +@@ -1048,7 +1048,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 paged=0; + uint16 xuint16=0; + uint16 tiff_transferfunctioncount=0; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); +@@ -1153,8 +1153,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + &(tiff_transferfunction[1]), + &(tiff_transferfunction[2]))) { + +- if((tiff_transferfunction[1] != (float*) NULL) && +- (tiff_transferfunction[2] != (float*) NULL) ++ if((tiff_transferfunction[1] != (uint16*) NULL) && ++ (tiff_transferfunction[2] != (uint16*) NULL) + ) { + tiff_transferfunctioncount=3; + } else { +@@ -1851,8 +1851,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[0]), + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) ++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && ++ (t2p->tiff_transferfunction[2] != (uint16*) NULL) + ) { + t2p->tiff_transferfunctioncount=3; + } else { +-- +libgit2 0.26.0 + diff --git a/tiff.changes b/tiff.changes index 5d29275..1f61912 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Feb 16 14:05:39 UTC 2018 - mvetter@suse.com + +- bsc#1046077: Add tiff-4.0.9-bsc1046077-CVE-2017-9935.patch + Fix Heap-based buffer overflow in t2p_write_pdf + ------------------------------------------------------------------- Thu Dec 21 13:03:18 UTC 2017 - dimstar@opensuse.org diff --git a/tiff.spec b/tiff.spec index c28ce70..3c10660 100644 --- a/tiff.spec +++ b/tiff.spec @@ -1,7 +1,7 @@ # # spec file for package tiff # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,6 +29,8 @@ Source3: baselibs.conf Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch +# Contained in upstream repo. See bsc#1046077 for commit IDs. +Patch2: tiff-4.0.9-bsc1046077-CVE-2017-9935.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel @@ -92,6 +94,7 @@ the libtiff library. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build CFLAGS="%{optflags} -fPIE"