author | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-11-06 15:33:47 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-11-06 15:41:51 +0000 |
commit | 86cc76c18b9cc2239444f1ad05dfc7feb943b569 (patch) | |
tree | 52c72f10f2ff7caf137f2bb7a36d1cdca8d2ef10 | |
parent | e18d21d9de556e0b240ee9927d91fce46d8e31ba (diff) |
main/tiff: security fixes
-rw-r--r-- | main/tiff/APKBUILD | 12 | ||||
-rw-r--r-- | main/tiff/CVE-2018-10779.patch | 32 | ||||
-rw-r--r-- | main/tiff/CVE-2018-17100-1.patch | 112 |
3 files changed, 154 insertions, 2 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index 0068211bbcb..ef0030e24bc 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Michael Mason <ms13sp@gmail.com> pkgname=tiff pkgver=4.0.9 -pkgrel=5 +pkgrel=6 pkgdesc="Provides support for the Tag Image File Format or TIFF" url="http://www.libtiff.org/" arch="all" @@ -20,10 +20,16 @@ source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz CVE-2018-5784.patch CVE-2018-7456.patch CVE-2018-8905.patch + CVE-2018-10779.patch CVE-2018-10963.patch + CVE-2018-17100-1.patch " # secfixes: +# 4.0.9-r6: +# - CVE-2018-10779 +# - CVE-2018-17100 +# - CVE-2018-17101 # 4.0.9-r5: # - CVE-2017-9935 # - CVE-2017-11613 @@ -102,4 +108,6 @@ sha512sums="04f3d5eefccf9c1a0393659fe27f3dddd31108c401ba0dc587bca152a1c1f6bc844b c9cb1f712241c5bbd01910d4f4becf50ba8498bb04393f45451af4ace948b6a41b3d887adc9fbce1a53edeb0aeba03868f4d31428f3c5813ed14bb4b6f4c0f96 CVE-2018-5784.patch 8f3ad4065f6ef349c4bd0fe9161cbe19744fbbc89f17c52eb4e43548ca4816f09c7f7e270cb77ced820a95ca009b5f7ad65ee79e7b23ffe1d31c137e3b2bef47 CVE-2018-7456.patch ba283d0def89bf7caee753f39b5717780e9aec2ba32b8ce400b3d86b50eb1414a92bd56ebcf5e9550436a71aa18c55e31c6b5966f24dc5ec1863f28ca769d887 CVE-2018-8905.patch -8dd973dc365599b9821393b96713e87d834a25ad96f4fc131616e11ded6ac9d119d66054c66bba8c3669d73b59b9e3569874b05334ae02a689ee57209b85e09e CVE-2018-10963.patch" +aceae14ec9c6dcbaeb51a3d5527d0da1b0c3f1ef1e87f301615be745f9535be23305e8409105740e615f09d80642d7f84897a89cb98327ad8313d11d877f7e35 CVE-2018-10779.patch +8dd973dc365599b9821393b96713e87d834a25ad96f4fc131616e11ded6ac9d119d66054c66bba8c3669d73b59b9e3569874b05334ae02a689ee57209b85e09e CVE-2018-10963.patch +d19f584bc70bb8b0c1da910cb8642ff2e41741aaa85b23213c6cc27959d6133275b0124c6e779effeb447c559f3debfd04f377b69b8acb9fa5da8fe182c3f2aa CVE-2018-17100-1.patch" diff --git a/main/tiff/CVE-2018-10779.patch b/main/tiff/CVE-2018-10779.patch new file mode 100644 index 00000000000..828d684708c 
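Review bot: The secfixes block now records CVE-2018-17100 and CVE-2018-17101 under 4.0.9-r6, but the only new source that could carry them is CVE-2018-17100-1.patch, whose mail headers read [PATCH 1/3] and [PATCH 2/3]; no third part is added to source= in this commit. secfixes comments are normally what downstream vulnerability tooling reads, so an entry that runs ahead of the applied patches would hide an open issue. After confirming which part addresses which CVE, I would record the mapping in a comment above the secfixes block, for example `# CVE-2018-17100-1.patch: upstream series parts 1/3 and 2/3; part 3/3 <included elsewhere / not applicable>`.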
--- /dev/null
+++ b/main/tiff/CVE-2018-10779.patch
@@ -0,0 +1,32 @@
+From 981e43ecae83935625c86c9118c0778c942c7048 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 15 Aug 2018 16:34:40 +0200
+Subject: [PATCH] TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit
+ systems with large number of strips. Probably relates to
+ http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
+
+---
+ libtiff/tif_write.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
+index 586f6fdf..a31ecd12 100644
+--- a/libtiff/tif_write.c
++++ b/libtiff/tif_write.c
+@@ -538,9 +538,11 @@ TIFFSetupStrips(TIFF* tif)
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+ td->td_stripsperimage /= td->td_samplesperpixel;
+ td->td_stripoffset = (uint64 *)
+- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
++ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
++ "for \"StripOffsets\" array");
+ td->td_stripbytecount = (uint64 *)
+- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
++ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
++ "for \"StripByteCounts\" array");
+ if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
+ return (0);
+ /*
+--
+2.18.1
+
diff --git a/main/tiff/CVE-2018-17100-1.patch b/main/tiff/CVE-2018-17100-1.patch
new file mode 100644
index 00000000000..f5a9e1a915d
--- /dev/null
+++ b/main/tiff/CVE-2018-17100-1.patch
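Review bot: The upstream subject line carried in this patch says the change "Probably relates to" bug 2788 / CVE-2018-10779, yet the file is named after the CVE and the APKBUILD secfixes block lists that CVE as fixed in 4.0.9-r6. Replacing `_TIFFmalloc(td->td_nstrips * sizeof (uint64))` with `_TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64), ...)` addresses the 32-bit multiplication overflow the subject describes, but nothing in the hunk establishes that this is the code path behind the CVE. I would add a line to the patch description such as `Note: upstream marks the link to CVE-2018-10779 as probable; verify against the bug 2788 test case before treating the CVE as closed.` TIFFSetupStrips() starts before and continues past the inner hunk, so the rest of the function was not reviewed here.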
@@ -0,0 +1,112 @@
+From f1b94e8a3ba49febdd3361c0214a1d1149251577 Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:36:12 +0800
+Subject: [PATCH 1/3] only read/write TIFFTAG_GROUP3OPTIONS or
+ TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
+ COMPRESSION_CCITTFAX4
+
+---
+ tools/pal2rgb.c | 18 +++++++++++++++++-
+ tools/tiff2bw.c | 18 +++++++++++++++++-
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01fcf941..01d8502e 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index 05faba87..5bef3142 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+--
+2.18.1
+
+
+From 6da1fb3f64d43be37e640efbec60400d1f1ac39e Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:46:27 +0800
+Subject: [PATCH 2/3] avoid potential int32 overflows in multiply_ms()
+
+---
+ tools/ppm2tiff.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
+index af6e4124..c2d59257 100644
+--- a/tools/ppm2tiff.c
++++ b/tools/ppm2tiff.c
+@@ -70,15 +70,16 @@ BadPPM(char* file)
+ exit(-2);
+ }
+
++
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- tmsize_t bytes = m1 * m2;
+-
+- if (m1 && bytes / m1 != m2)
+- bytes = 0;
+-
+- return bytes;
++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++ return 0;
++ return m1 * m2;
+ }
+
+ int
+--
+2.18.1 |
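Review bot: In the ppm2tiff.c part, the new multiply_ms() guard `if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )` bounds the product only from above, so a positive m1 with a sufficiently negative m2 still reaches `return m1 * m2;` and can overflow tmsize_t, which the `>> 1` in the macro suggests is signed. The callers are outside the hunk, so negative operands may be unreachable in practice, but the helper would be self-contained with `if( m1 <= 0 || m2 < 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) return 0;`. As a smaller point, `TIFF_TMSIZE_T_MAX` is defined without outer parentheses; `((tmsize_t)(TIFF_SIZE_T_MAX >> 1))` is the safer form if the macro is reused in other expressions.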