From 22c181a02a1580b255489dd0ca504413c2d09165 Mon Sep 17 00:00:00 2001 From: J0WI Date: Fri, 21 Oct 2022 19:21:30 +0200 Subject: main/tiff: add security patches --- main/tiff/APKBUILD | 17 +++- main/tiff/CVE-2022-2056-8.patch | 180 +++++++++++++++++++++++++++++++++++++++ main/tiff/CVE-2022-2519-21.patch | 132 ++++++++++++++++++++++++++++ main/tiff/CVE-2022-34526.patch | 28 ++++++ 4 files changed, 356 insertions(+), 1 deletion(-) create mode 100644 main/tiff/CVE-2022-2056-8.patch create mode 100644 main/tiff/CVE-2022-2519-21.patch create mode 100644 main/tiff/CVE-2022-34526.patch diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD index 717b4a2e458..5e4ba5d1323 100644 --- a/main/tiff/APKBUILD +++ b/main/tiff/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Michael Mason pkgname=tiff pkgver=4.4.0 -pkgrel=2 +pkgrel=3 pkgdesc="Provides support for the Tag Image File Format or TIFF" url="https://gitlab.com/libtiff/libtiff" arch="all" @@ -13,6 +13,9 @@ makedepends="libtool autoconf automake $depends_dev" checkdepends="diffutils" subpackages="$pkgname-doc $pkgname-dev $pkgname-tools libtiffxx:_libtiffxx" source="https://gitlab.com/libtiff/libtiff/-/archive/v$pkgver/libtiff-v$pkgver.tar.gz + CVE-2022-2056-8.patch + CVE-2022-2519-21.patch + CVE-2022-34526.patch CVE-2022-3970.patch CVE-2023-0795-9.patch CVE-2023-0800-4.patch @@ -20,6 +23,14 @@ source="https://gitlab.com/libtiff/libtiff/-/archive/v$pkgver/libtiff-v$pkgver.t builddir="$srcdir/libtiff-v$pkgver" # secfixes: +# 4.4.0-r3: +# - CVE-2022-2056 +# - CVE-2022-2057 +# - CVE-2022-2058 +# - CVE-2022-2519 +# - CVE-2022-2520 +# - CVE-2022-2521 +# - CVE-2022-34526 # 4.4.0-r2: # - CVE-2023-0795 # - CVE-2023-0796 @@ -47,6 +58,7 @@ builddir="$srcdir/libtiff-v$pkgver" # - CVE-2022-0909 # - CVE-2022-0924 # - CVE-2022-22844 +# - CVE-2022-34266 # 4.2.0-r0: # - CVE-2020-35521 # - CVE-2020-35522 @@ -136,6 +148,9 @@ tools() { sha512sums=" 93955a2b802cf243e41d49048499da73862b5d3ffc005e3eddf0bf948a8bd1537f7c9e7f112e72d082549b4c49e256b9da9a3b6d8039ad8fc5c09a941b7e75d7 libtiff-v4.4.0.tar.gz +5e36f443bbbfdd1270cb1f4d3ce4b0b415d658fe7e14764b315db73606ea28e854661cda74f1c5ccb00a2247431b966b9ac5271a1e3204837f79cb6fc50bf5bf CVE-2022-2056-8.patch +bceb639a8fc18d892b9aca0d34256b2269e0677c19f357636ecad354e5c75aba742f811b6ec014afdf9250dc6a2971bb6f1a1671db73385e0fc8ed310729a812 CVE-2022-2519-21.patch +083a49f005bdba484ec78d1d7d8fd5a2c355f88d3a4a0a02b5c0522dc81ed5116fbeb4d45db886006277745b77c337c1bdce0b655d6a81ae570f079a2dfea57c CVE-2022-34526.patch 59d7079109f9e60f25e08330a046334d4ad54328b214fb7c7054d438e01e7372786b2df4d656286ecd531abda7eee15cc46f169a83b2f83468cc5b47adc4d9af CVE-2022-3970.patch 1266bbaf4db924fef4aaecddb24ccb330058eb5a55091edf48750e3100c60758f706f7916f0be74c44b96794e44726280a11df0f66ca918f98699ac29a4fb23f CVE-2023-0795-9.patch 6ba09194d6d342c0a312f7d4b1a45fbc76bca6c8288fb39d88d5a22210612d74252c86205add6a9802baa5ea86e2672e1f173cfeda965b3c900b36e998392134 CVE-2023-0800-4.patch diff --git a/main/tiff/CVE-2022-2056-8.patch b/main/tiff/CVE-2022-2056-8.patch new file mode 100644 index 00000000000..f62a41ad747 --- /dev/null +++ b/main/tiff/CVE-2022-2056-8.patch @@ -0,0 +1,180 @@ +From dd1bcc7abb26094e93636e85520f0d8f81ab0fab Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Sat, 11 Jun 2022 09:31:43 +0000 +Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428) + +--- + libtiff/tif_aux.c | 9 +++++++ + libtiff/tiffiop.h | 1 + + tools/tiffcrop.c | 62 ++++++++++++++++++++++++++--------------------- + 3 files changed, 44 insertions(+), 28 deletions(-) + +diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c +index 140f26c7..5b88c8d0 100644 +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val ) + return (float)val; + } + ++uint32_t _TIFFClampDoubleToUInt32(double val) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 0xFFFFFFFFU || val != val ) ++ return 0xFFFFFFFFU; ++ return (uint32_t)val; ++} ++ + int _TIFFSeekOK(TIFF* tif, toff_t off) + { + /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index e3af461d..4e8bdac2 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t); + extern float _TIFFUInt64ToFloat(uint64_t); + + extern float _TIFFClampDoubleToFloat(double); ++extern uint32_t _TIFFClampDoubleToUInt32(double); + + extern tmsize_t + _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip, +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 1f827b2b..90286a5e 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER)) + { +- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres); +- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres); +- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres); +- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres); + } + else + { +- x1 = (uint32_t) (crop->corners[i].X1); +- x2 = (uint32_t) (crop->corners[i].X2); +- y1 = (uint32_t) (crop->corners[i].Y1); +- y2 = (uint32_t) (crop->corners[i].Y2); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } + /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 + * b) Corners are expected to be submitted as top-left to bottom-right. +@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { /* User has specified pixels as reference unit */ +- tmargin = (uint32_t)(crop->margins[0]); +- lmargin = (uint32_t)(crop->margins[1]); +- bmargin = (uint32_t)(crop->margins[2]); +- rmargin = (uint32_t)(crop->margins[3]); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]); + } + else + { /* inches or centimeters specified */ +- tmargin = (uint32_t)(crop->margins[0] * scale * yres); +- lmargin = (uint32_t)(crop->margins[1] * scale * xres); +- bmargin = (uint32_t)(crop->margins[2] * scale * yres); +- rmargin = (uint32_t)(crop->margins[3] * scale * xres); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres); + } + + if ((lmargin + rmargin) > image->width) +@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32_t)crop->width; ++ width = _TIFFClampDoubleToUInt32(crop->width); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32_t)crop->length; ++ length = _TIFFClampDoubleToUInt32(crop->length); + else + length = image->length - tmargin - bmargin; + } + else + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32_t)(crop->width * scale * image->xres); ++ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32_t)(crop->length * scale * image->yres); ++ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres); + else + length = image->length - tmargin - bmargin; + } +@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER) + { /* inches or centimeters specified */ +- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); +- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); + } + else + { /* Otherwise user has specified pixels as reference unit */ +- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8)); +- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8)); + } + + if ((hmargin * 2.0) > (pwidth * page->hres)) +@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->mode & PAGE_MODE_PAPERSIZE ) + { +- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2)); +- olength = (uint32_t)((plength * page->vres) - (vmargin * 2)); ++ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2)); ++ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2)); + } + else + { +- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres)); +- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres)); ++ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres)); ++ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres)); + } + } + +@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + if (olength > ilength) + olength = ilength; + ++ if (owidth == 0 || olength == 0) ++ { ++ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages"); ++ exit(EXIT_FAILURE); ++ } ++ + /* Compute the number of pages required for Portrait or Landscape */ + switch (page->orient) + { +-- +GitLab + diff --git a/main/tiff/CVE-2022-2519-21.patch b/main/tiff/CVE-2022-2519-21.patch new file mode 100644 index 00000000000..1664139d87d --- /dev/null +++ b/main/tiff/CVE-2022-2519-21.patch @@ -0,0 +1,132 @@ +From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Mon, 15 Aug 2022 22:11:03 +0200 +Subject: [PATCH 1/2] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://?= + =?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?= + =?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?= + =?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?= + =?UTF-8?q?=20-Z=20and=20-z.?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is now checked and ends tiffcrop if those arguments are not mutually exclusive. + +This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424 +--- + tools/tiffcrop.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 90286a5e..c3b758ec 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -108,12 +108,12 @@ + * lower level, scanline level routines. Debug reports a limited set + * of messages to monitor progress without enabling dump logs. + * +- * Note: The (-X|-Y), -Z and -z options are mutually exclusive. ++ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. + * In no case should the options be applied to a given selection successively. + */ + +-static char tiffcrop_version_id[] = "2.5"; +-static char tiffcrop_rev_date[] = "02-09-2022"; ++static char tiffcrop_version_id[] = "2.5.1"; ++static char tiffcrop_rev_date[] = "15-08-2022"; + + #include "tif_config.h" + #include "libport.h" +@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022"; + #define ROTATECW_270 32 + #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) + +-#define CROP_NONE 0 +-#define CROP_MARGINS 1 +-#define CROP_WIDTH 2 +-#define CROP_LENGTH 4 +-#define CROP_ZONES 8 +-#define CROP_REGIONS 16 ++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */ ++#define CROP_MARGINS 1 /* "-m" */ ++#define CROP_WIDTH 2 /* "-X" */ ++#define CROP_LENGTH 4 /* "-Y" */ ++#define CROP_ZONES 8 /* "-Z" */ ++#define CROP_REGIONS 16 /* "-z" */ + #define CROP_ROTATE 32 + #define CROP_MIRROR 64 + #define CROP_INVERT 128 +@@ -316,7 +316,7 @@ struct crop_mask { + #define PAGE_MODE_RESOLUTION 1 + #define PAGE_MODE_PAPERSIZE 2 + #define PAGE_MODE_MARGINS 4 +-#define PAGE_MODE_ROWSCOLS 8 ++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ + + #define INVERT_DATA_ONLY 10 + #define INVERT_DATA_AND_TAG 11 +@@ -781,7 +781,7 @@ static const char usage_info[] = + " The four debug/dump options are independent, though it makes little sense to\n" + " specify a dump file without specifying a detail level.\n" + "\n" +-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n" ++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" + " In no case should the options be applied to a given selection successively.\n" + "\n" + ; +@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + /*NOTREACHED*/ + } + } +- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/ +- char XY, Z, R; ++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ ++ char XY, Z, R, S; + XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); + Z = (crop_data->crop_mode & CROP_ZONES); + R = (crop_data->crop_mode & CROP_REGIONS); +- if ((XY && Z) || (XY && R) || (Z && R)) { +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit"); ++ S = (page->mode & PAGE_MODE_ROWSCOLS); ++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + exit(EXIT_FAILURE); + } + } /* end process_command_opts */ +-- +GitLab + + +From bad48e90b410df32172006c7876da449ba62cdba Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 20 Aug 2022 23:35:26 +0200 +Subject: [PATCH 2/2] tiffcrop -S option: Make decision simpler. + +--- + tools/tiffcrop.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index c3b758ec..8fd856dc 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + } + /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ + char XY, Z, R, S; +- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); +- Z = (crop_data->crop_mode & CROP_ZONES); +- R = (crop_data->crop_mode & CROP_REGIONS); +- S = (page->mode & PAGE_MODE_ROWSCOLS); +- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; ++ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; ++ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; ++ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; ++ if (XY + Z + R + S > 1) { + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + exit(EXIT_FAILURE); + } +-- +GitLab + diff --git a/main/tiff/CVE-2022-34526.patch b/main/tiff/CVE-2022-34526.patch new file mode 100644 index 00000000000..cb3a4d3c77e --- /dev/null +++ b/main/tiff/CVE-2022-34526.patch @@ -0,0 +1,28 @@ +From 275735d0354e39c0ac1dc3c0db2120d6f31d1990 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 27 Jun 2022 16:09:43 +0200 +Subject: [PATCH] _TIFFCheckFieldIsValidForCodec(): return FALSE when passed a + codec-specific tag and the codec is not configured (fixes #433) + +This avoids crashes when querying such tags +--- + libtiff/tif_dirinfo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index c30f569b..3371cb5c 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -1191,6 +1191,9 @@ _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) + default: + return 1; + } ++ if( !TIFFIsCODECConfigured(tif->tif_dir.td_compression) ) { ++ return 0; ++ } + /* Check if codec specific tags are allowed for the current + * compression scheme (codec) */ + switch (tif->tif_dir.td_compression) { +-- +GitLab + -- cgit v1.2.3