aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/tiff/APKBUILD6
-rw-r--r--main/tiff/CVE-2012-5581.patch245
2 files changed, 249 insertions, 2 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 9138618baa..c49ddd9138 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=3.9.7
-pkgrel=0
+pkgrel=1
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
arch="all"
@@ -14,6 +14,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz
CVE-2012-4447.patch
CVE-2012-4564.patch
+ CVE-2012-5581.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
@@ -52,4 +53,5 @@ tools() {
md5sums="626102f448ba441d42e3212538ad67d2 tiff-3.9.7.tar.gz
f85847db8d4cf8d9564f0f9af5bb060a CVE-2012-4447.patch
-e7b151b4a5acc8eb4b4428a98d6aa779 CVE-2012-4564.patch"
+e7b151b4a5acc8eb4b4428a98d6aa779 CVE-2012-4564.patch
+072dc152f5acc1ff1195fdf03e67ee52 CVE-2012-5581.patch"
diff --git a/main/tiff/CVE-2012-5581.patch b/main/tiff/CVE-2012-5581.patch
new file mode 100644
index 0000000000..a6bdca1370
--- /dev/null
+++ b/main/tiff/CVE-2012-5581.patch
@@ -0,0 +1,245 @@
+Fix unsafe handling of DotRange and related tags. Back-port of upstream
+patch for CVE-2012-5581. (Note: I have not pushed this into upstream CVS
+for the 3.9 branch, because I'm not entirely convinced that it won't create
+application compatibility issues --- tgl)
+
+
+diff -Naur tiff-3.9.7.orig/libtiff/tif_dir.c tiff-3.9.7/libtiff/tif_dir.c
+--- tiff-3.9.7.orig/libtiff/tif_dir.c 2012-09-22 10:48:09.000000000 -0400
++++ tiff-3.9.7/libtiff/tif_dir.c 2012-12-13 13:39:20.448864070 -0500
+@@ -494,32 +494,28 @@
+ goto end;
+ }
+
+- if ((fip->field_passcount
++ if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ uint16 v[2];
++ v[0] = (uint16)va_arg(ap, int);
++ v[1] = (uint16)va_arg(ap, int);
++ _TIFFmemcpy(tv->value, v, 4);
++ }
++ else if (fip->field_passcount
+ || fip->field_writecount == TIFF_VARIABLE
+ || fip->field_writecount == TIFF_VARIABLE2
+ || fip->field_writecount == TIFF_SPP
+- || tv->count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE
+- && fip->field_tag != TIFFTAG_WHITELEVEL) {
++ || tv->count > 1) {
+ _TIFFmemcpy(tv->value, va_arg(ap, void *),
+ tv->count * tv_size);
+ } else {
+- /*
+- * XXX: The following loop required to handle
+- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
+- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
+- * These tags are actually arrays and should be passed as
+- * array pointers to TIFFSetField() function, but actually
+- * passed as a list of separate values. This behaviour
+- * must be changed in the future!
+- */
+- int i;
+ char *val = (char *)tv->value;
+
+- for (i = 0; i < tv->count; i++, val += tv_size) {
++ assert( tv->count == 1 );
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+@@ -578,7 +574,6 @@
+ status = 0;
+ break;
+ }
+- }
+ }
+ }
+ }
+@@ -869,24 +864,27 @@
+ *va_arg(ap, uint16*) = (uint16)tv->count;
+ *va_arg(ap, void **) = tv->value;
+ ret_val = 1;
+- } else {
+- if ((fip->field_type == TIFF_ASCII
++ } else if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0];
++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1];
++ ret_val = 1;
++ } else {
++ if (fip->field_type == TIFF_ASCII
+ || fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2
+ || fip->field_readcount == TIFF_SPP
+- || tv->count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
++ || tv->count > 1) {
+ *va_arg(ap, void **) = tv->value;
+ ret_val = 1;
+ } else {
+- int j;
+ char *val = (char *)tv->value;
+
+- for (j = 0; j < tv->count;
+- j++, val += _TIFFDataSize(tv->info->field_type)) {
++ assert( tv->count == 1 );
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+@@ -936,7 +934,6 @@
+ ret_val = 0;
+ break;
+ }
+- }
+ }
+ }
+ break;
+diff -Naur tiff-3.9.7.orig/libtiff/tif_print.c tiff-3.9.7/libtiff/tif_print.c
+--- tiff-3.9.7.orig/libtiff/tif_print.c 2010-07-08 12:17:59.000000000 -0400
++++ tiff-3.9.7/libtiff/tif_print.c 2012-12-13 13:42:12.773478278 -0500
+@@ -112,16 +112,22 @@
+ }
+
+ static int
+-_TIFFPrettyPrintField(TIFF* tif, FILE* fd, ttag_t tag,
++_TIFFPrettyPrintField(TIFF* tif, const TIFFFieldInfo *fip, FILE* fd, ttag_t tag,
+ uint32 value_count, void *raw_data)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+
++ /* do not try to pretty print auto-defined fields */
++ if (strncmp(fip->field_name,"Tag ", 4) == 0) {
++ return 0;
++ }
++
+ switch (tag)
+ {
+ case TIFFTAG_INKSET:
+- fprintf(fd, " Ink Set: ");
+- switch (*((uint16*)raw_data)) {
++ if (value_count == 2 && fip->field_type == TIFF_SHORT) {
++ fprintf(fd, " Ink Set: ");
++ switch (*((uint16*)raw_data)) {
+ case INKSET_CMYK:
+ fprintf(fd, "CMYK\n");
+ break;
+@@ -130,11 +136,18 @@
+ *((uint16*)raw_data),
+ *((uint16*)raw_data));
+ break;
++ }
++ return 1;
+ }
+- return 1;
++ return 0;
++
+ case TIFFTAG_WHITEPOINT:
+- fprintf(fd, " White Point: %g-%g\n",
+- ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
++ if (value_count == 2 && fip->field_type == TIFF_RATIONAL) {
++ fprintf(fd, " White Point: %g-%g\n",
++ ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
++ }
++ return 0;
++
+ case TIFFTAG_REFERENCEBLACKWHITE:
+ {
+ uint16 i;
+@@ -174,10 +187,13 @@
+ (unsigned long) value_count);
+ return 1;
+ case TIFFTAG_STONITS:
+- fprintf(fd,
+- " Sample to Nits conversion factor: %.4e\n",
+- *((double*)raw_data));
+- return 1;
++ if (value_count == 1 && fip->field_type == TIFF_DOUBLE) {
++ fprintf(fd,
++ " Sample to Nits conversion factor: %.4e\n",
++ *((double*)raw_data));
++ return 1;
++ }
++ return 0;
+ }
+
+ return 0;
+@@ -524,44 +540,28 @@
+ value_count = td->td_samplesperpixel;
+ else
+ value_count = fip->field_readcount;
+- if ((fip->field_type == TIFF_ASCII
++ if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ static uint16 dotrange[2];
++ raw_data = dotrange;
++ TIFFGetField(tif, tag, dotrange+0, dotrange+1);
++ } else if (fip->field_type == TIFF_ASCII
+ || fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2
+ || fip->field_readcount == TIFF_SPP
+- || value_count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
++ || value_count > 1) {
+ if(TIFFGetField(tif, tag, &raw_data) != 1)
+ continue;
+- } else if (fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
+- raw_data = _TIFFmalloc(
+- _TIFFDataSize(fip->field_type)
+- * value_count);
+- mem_alloc = 1;
+- if(TIFFGetField(tif, tag, raw_data) != 1) {
+- _TIFFfree(raw_data);
+- continue;
+- }
+ } else {
+- /*
+- * XXX: Should be fixed and removed, see the
+- * notes related to TIFFTAG_PAGENUMBER,
+- * TIFFTAG_HALFTONEHINTS,
+- * TIFFTAG_YCBCRSUBSAMPLING and
+- * TIFFTAG_DOTRANGE tags in tif_dir.c. */
+- char *tmp;
+ raw_data = _TIFFmalloc(
+ _TIFFDataSize(fip->field_type)
+ * value_count);
+- tmp = raw_data;
+ mem_alloc = 1;
+- if(TIFFGetField(tif, tag, tmp,
+- tmp + _TIFFDataSize(fip->field_type)) != 1) {
++ if(TIFFGetField(tif, tag, raw_data) != 1) {
+ _TIFFfree(raw_data);
+ continue;
+ }
+@@ -574,7 +574,7 @@
+ * _TIFFPrettyPrintField() fall down and print it as any other
+ * tag.
+ */
+- if (_TIFFPrettyPrintField(tif, fd, tag, value_count, raw_data)) {
++ if (_TIFFPrettyPrintField(tif, fip, fd, tag, value_count, raw_data)) {
+ if(mem_alloc)
+ _TIFFfree(raw_data);
+ continue;