main/tiff: security fixes

(CVE-2018-10779, CVE-2018-17100, CVE-2018-17101) Fixes #9586
author: Leonardo Arena <rnalrd@alpinelinux.org> 2018-11-06 15:33:47 +0000
committer: Leonardo Arena <rnalrd@alpinelinux.org> 2018-11-06 15:41:51 +0000
commit: 86cc76c18b9cc2239444f1ad05dfc7feb943b569 (patch)
tree: 52c72f10f2ff7caf137f2bb7a36d1cdca8d2ef10
parent: e18d21d9de556e0b240ee9927d91fce46d8e31ba (diff)
3 files changed, 154 insertions, 2 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 0068211bbcb..ef0030e24bc 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Michael Mason <ms13sp@gmail.com>
 pkgname=tiff
 pkgver=4.0.9
-pkgrel=5
+pkgrel=6
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
@@ -20,10 +20,16 @@ source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
 	CVE-2018-5784.patch
 	CVE-2018-7456.patch
 	CVE-2018-8905.patch
+	CVE-2018-10779.patch
 	CVE-2018-10963.patch
+	CVE-2018-17100-1.patch
 	"
 
 # secfixes:
+#   4.0.9-r6:
+#     - CVE-2018-10779
+#     - CVE-2018-17100
+#     - CVE-2018-17101
 #   4.0.9-r5:
 #     - CVE-2017-9935
 #     - CVE-2017-11613
@@ -102,4 +108,6 @@ sha512sums="04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844b
 c9cb1f712241c5bbd01910d4f4becf50ba8498bb04393f45451af4ace948b6a41b3d887adc9fbce1a53edeb0aeba03868f4d31428f3c5813ed14bb4b6f4c0f96  CVE-2018-5784.patch
 8f3ad4065f6ef349c4bd0fe9161cbe19744fbbc89f17c52eb4e43548ca4816f09c7f7e270cb77ced820a95ca009b5f7ad65ee79e7b23ffe1d31c137e3b2bef47  CVE-2018-7456.patch
 ba283d0def89bf7caee753f39b5717780e9aec2ba32b8ce400b3d86b50eb1414a92bd56ebcf5e9550436a71aa18c55e31c6b5966f24dc5ec1863f28ca769d887  CVE-2018-8905.patch
-8dd973dc365599b9821393b96713e87d834a25ad96f4fc131616e11ded6ac9d119d66054c66bba8c3669d73b59b9e3569874b05334ae02a689ee57209b85e09e  CVE-2018-10963.patch"
+aceae14ec9c6dcbaeb51a3d5527d0da1b0c3f1ef1e87f301615be745f9535be23305e8409105740e615f09d80642d7f84897a89cb98327ad8313d11d877f7e35  CVE-2018-10779.patch
+8dd973dc365599b9821393b96713e87d834a25ad96f4fc131616e11ded6ac9d119d66054c66bba8c3669d73b59b9e3569874b05334ae02a689ee57209b85e09e  CVE-2018-10963.patch
+d19f584bc70bb8b0c1da910cb8642ff2e41741aaa85b23213c6cc27959d6133275b0124c6e779effeb447c559f3debfd04f377b69b8acb9fa5da8fe182c3f2aa  CVE-2018-17100-1.patch"
diff --git a/main/tiff/CVE-2018-10779.patch b/main/tiff/CVE-2018-10779.patch
new file mode 100644
index 00000000000..828d684708c
--- /dev/null
+++ b/main/tiff/CVE-2018-10779.patch
@@ -0,0 +1,32 @@
+From 981e43ecae83935625c86c9118c0778c942c7048 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 15 Aug 2018 16:34:40 +0200
+Subject: [PATCH] TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit
+ systems with large number of strips. Probably relates to
+ http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
+
+---
+ libtiff/tif_write.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
+index 586f6fdf..a31ecd12 100644
+--- a/libtiff/tif_write.c
++++ b/libtiff/tif_write.c
+@@ -538,9 +538,11 @@ TIFFSetupStrips(TIFF* tif)
+ 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+ 		td->td_stripsperimage /= td->td_samplesperpixel;
+ 	td->td_stripoffset = (uint64 *)
+-	    _TIFFmalloc(td->td_nstrips * sizeof (uint64));
++            _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
++                             "for \"StripOffsets\" array");
+ 	td->td_stripbytecount = (uint64 *)
+-	    _TIFFmalloc(td->td_nstrips * sizeof (uint64));
++            _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
++                             "for \"StripByteCounts\" array");
+ 	if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
+ 		return (0);
+ 	/*
+-- 
+2.18.1
+
diff --git a/main/tiff/CVE-2018-17100-1.patch b/main/tiff/CVE-2018-17100-1.patch
new file mode 100644
index 00000000000..f5a9e1a915d
--- /dev/null
+++ b/main/tiff/CVE-2018-17100-1.patch
@@ -0,0 +1,112 @@
+From f1b94e8a3ba49febdd3361c0214a1d1149251577 Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:36:12 +0800
+Subject: [PATCH 1/3] only read/write TIFFTAG_GROUP3OPTIONS or
+ TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
+ COMPRESSION_CCITTFAX4
+
+---
+ tools/pal2rgb.c | 18 +++++++++++++++++-
+ tools/tiff2bw.c | 18 +++++++++++++++++-
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01fcf941..01d8502e 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+     struct cpTag *p;
+     for (p = tags; p < &tags[NTAGS]; p++)
+-	cpTag(in, out, p->tag, p->count, p->type);
++    {
++        if( p->tag == TIFFTAG_GROUP3OPTIONS )
++        {
++            uint16 compression;
++            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                    compression != COMPRESSION_CCITTFAX3 )
++                continue;
++        }
++        if( p->tag == TIFFTAG_GROUP4OPTIONS )
++        {
++            uint16 compression;
++            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                    compression != COMPRESSION_CCITTFAX4 )
++                continue;
++        }
++        cpTag(in, out, p->tag, p->count, p->type);
++    }
+ }
+ #undef NTAGS
+ 
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index 05faba87..5bef3142 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+     struct cpTag *p;
+     for (p = tags; p < &tags[NTAGS]; p++)
+-	cpTag(in, out, p->tag, p->count, p->type);
++    {
++        if( p->tag == TIFFTAG_GROUP3OPTIONS )
++        {
++            uint16 compression;
++            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                    compression != COMPRESSION_CCITTFAX3 )
++                continue;
++        }
++        if( p->tag == TIFFTAG_GROUP4OPTIONS )
++        {
++            uint16 compression;
++            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++                    compression != COMPRESSION_CCITTFAX4 )
++                continue;
++        }
++        cpTag(in, out, p->tag, p->count, p->type);
++    }
+ }
+ #undef NTAGS
+ 
+-- 
+2.18.1
+
+
+From 6da1fb3f64d43be37e640efbec60400d1f1ac39e Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:46:27 +0800
+Subject: [PATCH 2/3] avoid potential int32 overflows in multiply_ms()
+
+---
+ tools/ppm2tiff.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
+index af6e4124..c2d59257 100644
+--- a/tools/ppm2tiff.c
++++ b/tools/ppm2tiff.c
+@@ -70,15 +70,16 @@ BadPPM(char* file)
+ 	exit(-2);
+ }
+ 
++
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+-	tmsize_t bytes = m1 * m2;
+-
+-	if (m1 && bytes / m1 != m2)
+-		bytes = 0;
+-
+-	return bytes;
++        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++            return 0;
++        return m1 * m2;
+ }
+ 
+ int
+-- 
+2.18.1
author	Leonardo Arena <rnalrd@alpinelinux.org>	2018-11-06 15:33:47 +0000
committer	Leonardo Arena <rnalrd@alpinelinux.org>	2018-11-06 15:41:51 +0000
commit	86cc76c18b9cc2239444f1ad05dfc7feb943b569 (patch)
tree	52c72f10f2ff7caf137f2bb7a36d1cdca8d2ef10
parent	e18d21d9de556e0b240ee9927d91fce46d8e31ba (diff)