Hello,

I just finished preparing new versions of the tiff/tiff3 packages. One of the patches has not been officially acked by upstream yet (cf. http://bugzilla.maptools.org/show_bug.cgi?id=2580) and thus I would like some user testing before I release the DLA, to make sure that my changes do not have unexpected side effects.

Please get the updated packages here (for amd64):

dget https://people.debian.org/~hertzog/packages/tiff_4.0.2-6+deb7u7_amd64.changes
dget https://people.debian.org/~hertzog/packages/tiff3_3.9.6-11+deb7u2_amd64.changes

Note in particular that libtiff-tools_4.0.2-6+deb7u7_amd64.deb drops the following tools, which are no longer supported upstream (I have found no Debian packages relying on them, cf. #827484 too):

bmp2tiff gif2tiff ras2tiff sgi2tiff sgisv ycbcr rgb2ycbcr thumbnail

In wheezy, most tools still link against libtiff4 provided by tiff3, so testing of tiff3 is important too!

I also attach both debdiffs for review by other Debian developers. I intend to upload the packages early next week.

For tiff, my changes are in git too:
https://anonscm.debian.org/cgit/collab-maint/tiff.git/log/?id=refs/heads/master-wheezy

Thank you!

PS: I BCCed some LTS sponsors who have the libtiff-tools package installed.

-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
diff --git a/debian/changelog b/debian/changelog index 35e35a9..15cd76f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,25 @@ +tiff (4.0.2-6+deb7u7) UNRELEASED; urgency=high + + * Non-maintainer upload by the Debian Long Term Support Team. + * 0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch: + - CVE-2014-8128, CVE-2015-7554, CVE-2016-5318: memory corruption. + Closes: #842043 + * Drop libtiff tools that are no longer supported upstream: + bmp2tiff gif2tiff ras2tiff sgi2tiff sgisv ycbcr rgb2ycbcr thumbnail + Fixes CVE-2016-3619, CVE-2016-3620, CVE-2016-3621, CVE-2016-5319, + CVE-2015-8668, issues in bmp2tiff. + Fixes CVE-2016-3186, CVE-2016-5102, issue in gif2tiff. + Fixes CVE-2016-3631, CVE-2016-3632, CVE-2016-3633, CVE-2016-3634, + CVE-2016-8331, issues in thumbnail. + Fixes CVE-2016-3623, CVE-2016-3624, issues in rgb2ycbcr. + Closes: #842046 + * Apply upstream patch for CVE-2016-6223: information leak in + libtiff/tif_read.c. Closes: #842270 + * Backport upstream patch for CVE-2016-5652: heap based buffer overflow in + tiff2pdf. Closes: #842361 + + -- Raphaël Hertzog <hertzog@debian.org> Thu, 27 Oct 2016 15:52:53 +0200 + tiff (4.0.2-6+deb7u6) wheezy-security; urgency=medium * Non-maintainer upload by the Security Team. diff --git a/debian/gbp.conf b/debian/gbp.conf index 05f30f1..b8cf8a1 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,8 +1,8 @@ [DEFAULT] debian-branch = master-wheezy -debian-tag = debian-wheezy/%(version)s +debian-tag = debian/%(version)s upstream-branch = upstream-wheezy -upstream-tag = upstream-wheezy/%(version)s +upstream-tag = upstream/%(version)s pristine-tar = True [git-dch] diff --git a/debian/patches/0035-CVE-2015-8665_and_CVE-2015-8683.patch b/debian/patches/0035-CVE-2015-8665_and_CVE-2015-8683.patch index 9efd46c..425f7a1 100644 --- a/debian/patches/0035-CVE-2015-8665_and_CVE-2015-8683.patch +++ b/debian/patches/0035-CVE-2015-8665_and_CVE-2015-8683.patch 
@@ -1,11 +1,10 @@ -From f3f0cad770593eaef0766e5be896a6a034fc6313 Mon Sep 17 00:00:00 2001 From: erouault <erouault> Date: Sat, 26 Dec 2015 17:32:03 +0000 -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in - TIFFRGBAImage interface in case of unsupported values of - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by - limingxing and CVE-2015-8683 reported by zzf of Alibaba. +Subject: * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage + interface in case of unsupported values of SamplesPerPixel/ExtraSamples for + LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in + TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and + CVE-2015-8683 reported by zzf of Alibaba. --- ChangeLog | 8 ++++++++ @@ -13,7 +12,7 @@ Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in 2 files changed, 31 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog -index a7d283a..4beb30b 100644 +index 4eab3bb..90a4cd4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ @@ -28,11 +27,8 @@ index a7d283a..4beb30b 100644 2012-06-15 Frank Warmerdam <warmerdam@google.com> * libtiff 4.0.2 released. - 2012-09-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> - - * libtiff 4.0.3 released. diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index fd0a4f9..fae1e31 100644 +index 3436bf1..d03631a 100644 --- a/libtiff/tif_getimage.c +++ b/libtiff/tif_getimage.c @@ -1,4 +1,4 @@ @@ -119,7 +115,7 @@ index fd0a4f9..fae1e31 100644 { if (BuildMapBitdepth16To8(img)) img->put.contig = putRGBcontig16bittile; -@@ -2501,7 +2508,7 @@ PickContigCase(TIFFRGBAImage* img) +@@ -2501,7 +2510,7 @@ PickContigCase(TIFFRGBAImage* img) } break; case PHOTOMETRIC_SEPARATED: diff --git a/debian/patches/0036-CVE-2015-8781_CVE-2015-8782_CVE-2015-8783.patch b/debian/patches/0036-CVE-2015-8781_CVE-2015-8782_CVE-2015-8783.patch index 9ea1233..6d718b2 100644 
--- a/debian/patches/0036-CVE-2015-8781_CVE-2015-8782_CVE-2015-8783.patch +++ b/debian/patches/0036-CVE-2015-8781_CVE-2015-8782_CVE-2015-8783.patch @@ -1,10 +1,9 @@ -From 3899f0ab62dd307f63f87ec99aaf289e104f4070 Mon Sep 17 00:00:00 2001 From: erouault <erouault> Date: Sun, 27 Dec 2015 16:25:11 +0000 -Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in - decode functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). Fix potential out-of-bound reads in case of short - input data. +Subject: * libtiff/tif_luv.c: fix potential out-of-bound writes in decode + functions in non debug builds by replacing assert()s by regular if checks + (bugzilla #2522). Fix potential out-of-bound reads in case of short input + data. --- ChangeLog | 7 +++++++ @@ -12,7 +11,7 @@ Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in 2 files changed, 52 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog -index 4beb30b..b8aa23c 100644 +index 90a4cd4..edd1105 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ @@ -27,7 +26,7 @@ index 4beb30b..b8aa23c 100644 * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c -index 4e328ba..60a174d 100644 +index eba6c08..01873d6 100644 --- a/libtiff/tif_luv.c +++ b/libtiff/tif_luv.c @@ -1,4 +1,4 @@ diff --git a/debian/patches/0037-CVE-2015-8784.patch b/debian/patches/0037-CVE-2015-8784.patch index 6e02630..8edcabe 100644 --- a/debian/patches/0037-CVE-2015-8784.patch +++ b/debian/patches/0037-CVE-2015-8784.patch @@ -1,7 +1,6 @@ -From 237c9c18b0b3479950e54a755ae428bf0f55f754 Mon Sep 17 00:00:00 2001 From: erouault <erouault> Date: Sun, 27 Dec 2015 16:55:20 +0000 -Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in +Subject: * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif (bugzilla #2508) 
@@ -11,7 +10,7 @@ Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog -index b8aa23c..04926a3 100644 +index edd1105..1abf092 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ @@ -27,7 +26,7 @@ index b8aa23c..04926a3 100644 functions in non debug builds by replacing assert()s by regular if checks (bugzilla #2522). diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c -index 17e0311..1248caa 100644 +index 060aab3..1248caa 100644 --- a/libtiff/tif_next.c +++ b/libtiff/tif_next.c @@ -1,4 +1,4 @@ diff --git a/debian/patches/0038-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch b/debian/patches/0038-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch index a8ce3e5..14b1aea 100644 --- a/debian/patches/0038-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch +++ b/debian/patches/0038-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch @@ -1,18 +1,18 @@ -From 5248f8620acb2a42e63790e2c94222ee603939f8 Mon Sep 17 00:00:00 2001 From: erouault <erouault> Date: Tue, 28 Jun 2016 15:12:19 +0000 -Subject: [PATCH] * libtiff/tif_pixarlog.c: fix potential buffer write overrun - in PixarLogDecode() on corrupted/unexpected images (reported by Mathias +Subject: * libtiff/tif_pixarlog.c: fix potential buffer write overrun in + PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson) --- - ChangeLog | 5 +++++ - libtiff/tif_pixarlog.c | 10 +++++++++- - 2 files changed, 14 insertions(+), 1 deletion(-) + libtiff/tif_pixarlog.c | 8 ++++++++ + 1 file changed, 8 insertions(+) +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index 5e60ea6..a54ab3a 100644 --- a/libtiff/tif_pixarlog.c +++ b/libtiff/tif_pixarlog.c -@@ -457,6 +457,7 @@ +@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op, typedef struct { TIFFPredictorState predict; z_stream stream; 
@@ -20,7 +20,7 @@ Subject: [PATCH] * libtiff/tif_pixarlog.c: fix potential buffer write overrun uint16 *tbuf; uint16 stride; int state; -@@ -765,6 +766,12 @@ +@@ -765,6 +766,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); return (0); } @@ -33,7 +33,7 @@ Subject: [PATCH] * libtiff/tif_pixarlog.c: fix potential buffer write overrun do { int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); if (state == Z_STREAM_END) { -@@ -874,6 +881,7 @@ +@@ -874,6 +881,7 @@ PixarLogSetupEncode(TIFF* tif) sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); if (sp->tbuf == NULL) return (0); diff --git a/debian/patches/0039-tools-tiffcrop.c-Avoid-access-outside-of-stack-alloc.patch b/debian/patches/0039-tools-tiffcrop.c-Avoid-access-outside-of-stack-alloc.patch index 167e7ac..7908ce4 100644 --- a/debian/patches/0039-tools-tiffcrop.c-Avoid-access-outside-of-stack-alloc.patch +++ b/debian/patches/0039-tools-tiffcrop.c-Avoid-access-outside-of-stack-alloc.patch @@ -1,18 +1,16 @@ -From 06f04a30cf8e988939ae9b3b7f6ad03c5d3d6109 Mon Sep 17 00:00:00 2001 From: erouault <erouault> Date: Mon, 11 Jul 2016 21:26:03 +0000 -Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack - allocated array on a tiled separate TIFF with more than 8 samples per pixel. - Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 - (CVE-2016-5321, bugzilla #2558) +Subject: * tools/tiffcrop.c: Avoid access outside of stack allocated array on + a tiled separate TIFF with more than 8 samples per pixel. Reported by + Kaixiang Zhang of the Cloud Security Team, Qihoo 360 (CVE-2016-5321, + bugzilla #2558) --- - ChangeLog | 7 +++++++ - tools/tiffcrop.c | 4 ++-- - 2 files changed, 9 insertions(+), 2 deletions(-) + tools/tiffcrop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index b5a49cc..0bbaadd 100644 +index 0492333..e36030c 100644 
--- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf, @@ -24,6 +22,3 @@ index b5a49cc..0bbaadd 100644 { /* Read each plane of a tile set into srcbuffs[s] */ tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s); if (tbytes < 0 && !ignore) --- -2.8.1 - diff --git a/debian/patches/0040-CVE-2016-5321-CVE-2016-5323-bugzilla-2558-2559.patch b/debian/patches/0040-CVE-2016-5321-CVE-2016-5323-bugzilla-2558-2559.patch index ac9cae6..41156b0 100644 --- a/debian/patches/0040-CVE-2016-5321-CVE-2016-5323-bugzilla-2558-2559.patch +++ b/debian/patches/0040-CVE-2016-5321-CVE-2016-5323-bugzilla-2558-2559.patch @@ -1,18 +1,16 @@ -From 0a00def284c468230fb159a69ceb325e46df7e1d Mon Sep 17 00:00:00 2001 From: erouault <erouault> Date: Mon, 11 Jul 2016 21:38:31 +0000 -Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) +Subject: (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) --- - ChangeLog | 2 +- - tools/tiffcrop.c | 18 +++++++++--------- - 2 files changed, 10 insertions(+), 10 deletions(-) + tools/tiffcrop.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 0bbaadd..1b24271 100644 +index e36030c..cfc7d9d 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c -@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols, +@@ -3729,7 +3729,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols, matchbits = maskbits << (8 - src_bit - bps); /* load up next sample from each plane */ @@ -21,7 +19,7 @@ index 0bbaadd..1b24271 100644 { src = in[s] + src_offset + src_byte; buff1 = ((*src) & matchbits) << (src_bit); -@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols, +@@ -3828,7 +3828,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols, src_bit = bit_offset % 8; matchbits = maskbits << (16 - src_bit - bps); 
@@ -30,7 +28,7 @@ index 0bbaadd..1b24271 100644 { src = in[s] + src_offset + src_byte; if (little_endian) -@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols, +@@ -3938,7 +3938,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols, src_bit = bit_offset % 8; matchbits = maskbits << (32 - src_bit - bps); @@ -39,7 +37,7 @@ index 0bbaadd..1b24271 100644 { src = in[s] + src_offset + src_byte; if (little_endian) -@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols, +@@ -4064,7 +4064,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols, src_bit = bit_offset % 8; matchbits = maskbits << (64 - src_bit - bps); @@ -48,7 +46,7 @@ index 0bbaadd..1b24271 100644 { src = in[s] + src_offset + src_byte; if (little_endian) -@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols, +@@ -4254,7 +4254,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols, matchbits = maskbits << (8 - src_bit - bps); /* load up next sample from each plane */ @@ -57,7 +55,7 @@ index 0bbaadd..1b24271 100644 { src = in[s] + src_offset + src_byte; buff1 = ((*src) & matchbits) << (src_bit); -@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols, +@@ -4353,7 +4353,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols, src_bit = bit_offset % 8; matchbits = maskbits << (16 - src_bit - bps); @@ -66,7 +64,7 @@ index 0bbaadd..1b24271 100644 { src = in[s] + src_offset + src_byte; if (little_endian) -@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols, +@@ -4462,7 +4462,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols, src_bit = bit_offset % 8; matchbits = maskbits << (32 - src_bit - bps); 
@@ -75,7 +73,7 @@ index 0bbaadd..1b24271 100644 { src = in[s] + src_offset + src_byte; if (little_endian) -@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols, +@@ -4588,7 +4588,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols, src_bit = bit_offset % 8; matchbits = maskbits << (64 - src_bit - bps); @@ -84,6 +82,3 @@ index 0bbaadd..1b24271 100644 { src = in[s] + src_offset + src_byte; if (little_endian) --- -2.8.1 - diff --git a/debian/patches/0041-tools-tiffcrop.c-Fix-out-of-bounds-write-in-loadImag.patch b/debian/patches/0041-tools-tiffcrop.c-Fix-out-of-bounds-write-in-loadImag.patch index ddc93d5..fb0840b 100644 --- a/debian/patches/0041-tools-tiffcrop.c-Fix-out-of-bounds-write-in-loadImag.patch +++ b/debian/patches/0041-tools-tiffcrop.c-Fix-out-of-bounds-write-in-loadImag.patch @@ -1,17 +1,15 @@ -From a2104e65edfc9964dbcec7ecf730a850be77f102 Mon Sep 17 00:00:00 2001 From: erouault <erouault> Date: Mon, 15 Aug 2016 21:05:40 +0000 -Subject: [PATCH] * tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). - From patch libtiff-CVE-2016-3991.patch from libtiff-4.0.3-25.el7_2.src.rpm by +Subject: * tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). From + patch libtiff-CVE-2016-3991.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543) --- - ChangeLog | 6 ++++++ - tools/tiffcrop.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++---- - 2 files changed, 63 insertions(+), 4 deletions(-) + tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 56 insertions(+), 3 deletions(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 1b24271..9e833b7 100644 +index cfc7d9d..6244385 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf, 
@@ -65,7 +63,7 @@ index 1b24271..9e833b7 100644 } tilebuf = _TIFFmalloc(tile_buffsize); -@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c +@@ -5936,12 +5957,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); tile_rowsize = TIFFTileRowSize(in); @@ -94,7 +92,7 @@ index 1b24271..9e833b7 100644 #ifdef DEBUG2 TIFFError("loadImage", "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", -@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c +@@ -5960,8 +5996,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); stsize = TIFFStripSize(in); nstrips = TIFFNumberOfStrips(in); @@ -121,6 +119,3 @@ index 1b24271..9e833b7 100644 if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) { buffsize = ((length * width * spp * bps) + 7) / 8; --- -2.9.3 - diff --git a/debian/patches/0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch b/debian/patches/0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch new file mode 100644 index 0000000..a92cfec --- /dev/null +++ b/debian/patches/0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch 
@@ -0,0 +1,128 @@ +From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org> +Date: Thu, 27 Oct 2016 15:36:10 +0200 +Subject: Make more tag fields known to TIFFReadDirectoryFindFieldInfo + +This avoids problems when some tags are treated as anonymous fields +whose passcount field defaults to true when the associated code (in tiff +tools) really expects false. + +I believe this covers the following 3 CVE: +CVE-2014-8128: http://bugzilla.maptools.org/show_bug.cgi?id=2499 +CVE-2015-7554: http://bugzilla.maptools.org/show_bug.cgi?id=2564 +CVE-2016-5318: http://bugzilla.maptools.org/show_bug.cgi?id=2561 + +In the tiff tools, we still have TIFFGetField calls for +TIFFTAG_JPEGPOINTTRANSFORM and TIFFTAG_JPEGLOSSLESSPREDICTORS that are +not properly defined. I'm not sure whether it can have any security +impact. + +Bug-Debian: https://bugs.debian.org/842043 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2580 +--- + libtiff/tif_dirinfo.c | 35 ++++++++++++++++++++++++++++++++++- + 1 file changed, 34 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index cf1f496..cf1adc3 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -79,6 +79,8 @@ tiffFields[] = { + { TIFFTAG_FREEBYTECOUNTS, -1, -1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_IGNORE, 0, 0, "FreeByteCounts", NULL }, + { TIFFTAG_GRAYRESPONSEUNIT, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_IGNORE, 1, 0, "GrayResponseUnit", NULL }, + { TIFFTAG_GRAYRESPONSECURVE, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_IGNORE, 1, 0, "GrayResponseCurve", NULL }, ++ { TIFFTAG_GROUP3OPTIONS, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+7, 0, 0, "Group3Options", NULL }, ++ { TIFFTAG_GROUP4OPTIONS, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+7, 0, 0, "Group4Options", NULL }, + { TIFFTAG_RESOLUTIONUNIT, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, 
TIFF_SETGET_UNDEFINED, FIELD_RESOLUTIONUNIT, 1, 0, "ResolutionUnit", NULL }, + { TIFFTAG_PAGENUMBER, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_PAGENUMBER, 1, 0, "PageNumber", NULL }, + { TIFFTAG_COLORRESPONSEUNIT, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_IGNORE, 1, 0, "ColorResponseUnit", NULL }, +@@ -87,6 +89,7 @@ tiffFields[] = { + { TIFFTAG_DATETIME, 20, 20, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "DateTime", NULL }, + { TIFFTAG_ARTIST, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "Artist", NULL }, + { TIFFTAG_HOSTCOMPUTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "HostComputer", NULL }, ++ { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CODEC+0, FALSE, FALSE, "Predictor", NULL }, + { TIFFTAG_WHITEPOINT, 2, 2, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "WhitePoint", NULL }, + { TIFFTAG_PRIMARYCHROMATICITIES, 6, 6, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "PrimaryChromaticities", NULL }, + { TIFFTAG_COLORMAP, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_OTHER, TIFF_SETGET_UNDEFINED, FIELD_COLORMAP, 1, 0, "ColorMap", NULL }, +@@ -95,6 +98,9 @@ tiffFields[] = { + { TIFFTAG_TILELENGTH, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UNDEFINED, FIELD_TILEDIMENSIONS, 0, 0, "TileLength", NULL }, + { TIFFTAG_TILEOFFSETS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPOFFSETS, 0, 0, "TileOffsets", NULL }, + { TIFFTAG_TILEBYTECOUNTS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPBYTECOUNTS, 0, 0, "TileByteCounts", NULL }, ++ { TIFFTAG_BADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+0, TRUE, FALSE, "BadFaxLines", NULL }, ++ { TIFFTAG_CLEANFAXDATA, 1, 1, TIFF_SHORT, 0, 
TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CODEC+1, TRUE, FALSE, "CleanFaxData", NULL }, ++ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+2, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL }, + { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", &tiffFieldArray }, + { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, + { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, +@@ -109,11 +115,30 @@ tiffFields[] = { + { TIFFTAG_XCLIPPATHUNITS, 1, 1, TIFF_SLONG, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "XClipPathUnits", NULL }, + { TIFFTAG_XCLIPPATHUNITS, 1, 1, TIFF_SBYTE, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "XClipPathUnits", NULL }, + { TIFFTAG_YCLIPPATHUNITS, 1, 1, TIFF_SLONG, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "YClipPathUnits", NULL }, ++ { TIFFTAG_INDEXED, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "Indexed", NULL }, ++ { TIFFTAG_JPEGTABLES, -3, -3, TIFF_UNDEFINED, 0, TIFF_SETGET_C32_UINT8, TIFF_SETGET_C32_UINT8, FIELD_CODEC+0, 0, 1, "JPEGTables", NULL }, ++ /* MISSING: TIFFTAG_OPIPROXY */ ++ { TIFFTAG_JPEGPROC, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CODEC+5, 0, 0, "JpegProc", NULL }, ++ { TIFFTAG_JPEGIFOFFSET, 1, 1, TIFF_LONG8, 0, TIFF_SETGET_UINT64, TIFF_SETGET_UNDEFINED, FIELD_CODEC+0, 1, 0, "JpegInterchangeFormat", NULL }, ++ { TIFFTAG_JPEGIFBYTECOUNT, 1, 1, TIFF_LONG8, 0, TIFF_SETGET_UINT64, TIFF_SETGET_UNDEFINED, FIELD_CODEC+1, 1, 0, "JpegInterchangeFormatLength", NULL }, ++ { TIFFTAG_JPEGRESTARTINTERVAL, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED,FIELD_CODEC+6, 0, 0, "JpegRestartInterval", NULL }, ++ /* MISSING: 
TIFFTAG_JPEGLOSSLESSPREDICTORS */ ++ /* MISSING: TIFFTAG_JPEGPOINTTRANSFORM */ ++ { TIFFTAG_JPEGQTABLES, TIFF_VARIABLE2, TIFF_VARIABLE2, TIFF_LONG8, 0, TIFF_SETGET_C32_UINT64, TIFF_SETGET_UNDEFINED, FIELD_CODEC+2, 0, 1, "JpegQTables", NULL }, ++ { TIFFTAG_JPEGDCTABLES, TIFF_VARIABLE2, TIFF_VARIABLE2, TIFF_LONG8, 0, TIFF_SETGET_C32_UINT64, TIFF_SETGET_UNDEFINED, FIELD_CODEC+3, 0, 1, "JpegDcTables", NULL }, ++ { TIFFTAG_JPEGACTABLES, TIFF_VARIABLE2, TIFF_VARIABLE2, TIFF_LONG8, 0, TIFF_SETGET_C32_UINT64, TIFF_SETGET_UNDEFINED, FIELD_CODEC+4, 0, 1, "JpegAcTables", NULL }, + { TIFFTAG_YCBCRCOEFFICIENTS, 3, 3, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "YCbCrCoefficients", NULL }, + { TIFFTAG_YCBCRSUBSAMPLING, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_YCBCRSUBSAMPLING, 0, 0, "YCbCrSubsampling", NULL }, + { TIFFTAG_YCBCRPOSITIONING, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_YCBCRPOSITIONING, 0, 0, "YCbCrPositioning", NULL }, + { TIFFTAG_REFERENCEBLACKWHITE, 6, 6, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_REFBLACKWHITE, 1, 0, "ReferenceBlackWhite", NULL }, + { TIFFTAG_XMLPACKET, -3, -3, TIFF_BYTE, 0, TIFF_SETGET_C32_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "XMLPacket", NULL }, ++ /* MISSING: TIFFTAG_OPIIMAGEID */ ++ /* begin Island Graphics tags */ ++ /* MISSING: TIFFTAG_REFPTS */ ++ /* MISSING: TIFFTAG_REGIONTACKPOINT */ ++ /* MISSING: TIFFTAG_REGIONWARPCORNERS */ ++ /* MISSING: TIFFTAG_REGIONAFFINE */ ++ /* end Island Graphics tags */ + /* begin SGI tags */ + { TIFFTAG_MATTEING, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 0, "Matteing", NULL }, + { TIFFTAG_DATATYPE, -2, -1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_SAMPLEFORMAT, 0, 0, "DataType", NULL }, +@@ -128,18 +153,23 @@ tiffFields[] = { + { TIFFTAG_PIXAR_FOVCOT, 1, 1, TIFF_FLOAT, 0, TIFF_SETGET_FLOAT, 
TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "FieldOfViewCotangent", NULL }, + { TIFFTAG_PIXAR_MATRIX_WORLDTOSCREEN, 16, 16, TIFF_FLOAT, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "MatrixWorldToScreen", NULL }, + { TIFFTAG_PIXAR_MATRIX_WORLDTOCAMERA, 16, 16, TIFF_FLOAT, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "MatrixWorldToCamera", NULL }, +- { TIFFTAG_COPYRIGHT, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "Copyright", NULL }, + /* end Pixar tags */ ++ /* MISSING: TIFFTAG_WRITERSERIALNUMBER */ ++ { TIFFTAG_COPYRIGHT, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "Copyright", NULL }, + { TIFFTAG_RICHTIFFIPTC, -3, -3, TIFF_LONG, 0, TIFF_SETGET_C32_UINT32, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "RichTIFFIPTC", NULL }, ++ /* MISSING: TIFFTAG_IT8* */ ++ /* MISSING: TIFFTAG_FRAMECOUNT */ + { TIFFTAG_PHOTOSHOP, -3, -3, TIFF_BYTE, 0, TIFF_SETGET_C32_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "Photoshop", NULL }, + { TIFFTAG_EXIFIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_IFD8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "EXIFIFDOffset", &exifFieldArray }, + { TIFFTAG_ICCPROFILE, -3, -3, TIFF_UNDEFINED, 0, TIFF_SETGET_C32_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "ICC Profile", NULL }, ++ /* MISSING: TIFFTAG_JBIGOPTIONS */ + { TIFFTAG_GPSIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_IFD8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "GPSIFDOffset", NULL }, + { TIFFTAG_FAXRECVPARAMS, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "FaxRecvParams", NULL }, + { TIFFTAG_FAXSUBADDRESS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxSubAddress", NULL }, + { TIFFTAG_FAXRECVTIME, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "FaxRecvTime", NULL }, + { TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, 
FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL }, + { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL }, ++ /* MISSING: TIFFTAG_FEDEX_EDR */ + { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL }, + /* begin DNG tags */ + { TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL }, +@@ -181,6 +211,8 @@ tiffFields[] = { + { TIFFTAG_MAKERNOTESAFETY, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "MakerNoteSafety", NULL }, + { TIFFTAG_CALIBRATIONILLUMINANT1, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "CalibrationIlluminant1", NULL }, + { TIFFTAG_CALIBRATIONILLUMINANT2, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "CalibrationIlluminant2", NULL }, ++ /* XXX: TIFFTAG_BESTQUALITYSCALE (tag 50780) should be here but is higher up ++ * in the list. 
*/ + { TIFFTAG_RAWDATAUNIQUEID, 16, 16, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "RawDataUniqueID", NULL }, + { TIFFTAG_ORIGINALRAWFILENAME, -1, -1, TIFF_BYTE, 0, TIFF_SETGET_C16_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 1, "OriginalRawFileName", NULL }, + { TIFFTAG_ORIGINALRAWFILEDATA, -1, -1, TIFF_UNDEFINED, 0, TIFF_SETGET_C16_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "OriginalRawFileData", NULL }, +@@ -191,6 +223,7 @@ tiffFields[] = { + { TIFFTAG_CURRENTICCPROFILE, -1, -1, TIFF_UNDEFINED, 0, TIFF_SETGET_C16_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "CurrentICCProfile", NULL }, + { TIFFTAG_CURRENTPREPROFILEMATRIX, -1, -1, TIFF_SRATIONAL, 0, TIFF_SETGET_C16_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "CurrentPreProfileMatrix", NULL }, + /* end DNG tags */ ++ /* MISSING: TIFFTAG_DCSHUESHIFTVALUES */ + /* begin pseudo tags */ + { TIFFTAG_PERSAMPLE, 0, 0, TIFF_SHORT, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_PSEUDO, TRUE, FALSE, "PerSample", NULL}, + }; diff --git a/debian/patches/0043-CVE-2016-6223.patch b/debian/patches/0043-CVE-2016-6223.patch new file mode 100644 index 0000000..bf5ba8d --- /dev/null +++ b/debian/patches/0043-CVE-2016-6223.patch 
@@ -0,0 +1,46 @@ +From: erouault <erouault> +Date: Sun, 10 Jul 2016 18:00:20 +0000 +Subject: Fix CVE-2016-6223: information leak in libtiff/tif_read.c + +* libtiff/tif_read.c: Fix out-of-bounds read on memory-mapped files in +TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond +tmsize_t max value (reported by Mathias Svensson) + +Origin: upstream, https://github.com/vadz/libtiff/commit/0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842270 +--- + libtiff/tif_read.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c +index 913eac8..c1beb4e 100644 +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -31,6 +31,9 @@ + #include "tiffiop.h" + #include <stdio.h> + ++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) ++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) ++ + int TIFFFillStrip(TIFF* tif, uint32 strip); + int TIFFFillTile(TIFF* tif, uint32 tile); + static int TIFFStartStrip(TIFF* tif, uint32 strip); +@@ -401,7 +404,7 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size, + tmsize_t n; + ma=(tmsize_t)td->td_stripoffset[strip]; + mb=ma+size; +- if (((uint64)ma!=td->td_stripoffset[strip])||(ma>tif->tif_size)) ++ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) + n=0; + else if ((mb<ma)||(mb<size)||(mb>tif->tif_size)) + n=tif->tif_size-ma; +@@ -717,7 +720,7 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m + tmsize_t n; + ma=(tmsize_t)td->td_stripoffset[tile]; + mb=ma+size; +- if (((uint64)ma!=td->td_stripoffset[tile])||(ma>tif->tif_size)) ++ if ((td->td_stripoffset[tile] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) + n=0; + else if ((mb<ma)||(mb<size)||(mb>tif->tif_size)) + n=tif->tif_size-ma; 
diff --git a/debian/patches/0044-CVE-2016-5652.patch b/debian/patches/0044-CVE-2016-5652.patch new file mode 100644 index 0000000..bc03fdc --- /dev/null +++ b/debian/patches/0044-CVE-2016-5652.patch @@ -0,0 +1,52 @@ +From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org> +Date: Fri, 28 Oct 2016 14:20:32 +0200 +Subject: Fix CVE-2016-5652: write buffer overflow of 2 bytes on JPEG + compressed images + +Reported by Tyler Bohan of Cisco Talos as TALOS-CAN-0187 / +CVE-2016-5652. Also prevents writing 2 extra uninitialized bytes to the +file stream. + +http://www.talosintelligence.com/reports/TALOS-2016-0187/ + +Origin: backport, https://github.com/vadz/libtiff/commit/b5d6803f0898e931cf772d3d0755704ab8488e63 +--- + tools/tiff2pdf.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 52da6db..7ffb536 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -2852,21 +2852,24 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_ + return(0); + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { +- if (count > 0) { +- _TIFFmemcpy(buffer, jpt, count); ++ if (count > 4) { ++ /* Ignore EOI marker of JpegTables */ ++ _TIFFmemcpy(buffer, jpt, count - 2); + bufferoffset += count - 2; ++ /* Store last 2 bytes of the JpegTables */ + table_end[0] = buffer[bufferoffset-2]; + table_end[1] = buffer[bufferoffset-1]; +- } +- if (count > 0) { + xuint32 = bufferoffset; ++ bufferoffset -= 2; + bufferoffset += TIFFReadRawTile( + input, + tile, +- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), ++ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), + -1); +- buffer[xuint32-2]=table_end[0]; +- buffer[xuint32-1]=table_end[1]; ++ /* Overwrite SOI marker of image scan with previously */ ++ /* saved end of JpegTables */ ++ buffer[xuint32-2]=table_end[0]; ++ buffer[xuint32-1]=table_end[1]; + } else { + bufferoffset += TIFFReadRawTile( + input, 
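Review bot: changing the guard from `if (count > 0)` to `if (count > 4)` also changes behaviour for JPEGTables blobs of 1 to 4 bytes: they used to be copied into `buffer`, now they fall through to the `else` branch and are dropped. That is the right outcome (a table too short to hold both SOI and EOI markers cannot be used), but the patch description only talks about the 2-byte overflow, so one sentence recording the new lower bound would help anyone comparing this backport against upstream b5d6803. Also note that `TIFFReadRawTile(..., -1)` still writes the whole raw tile at `buffer[bufferoffset]` with no size bound at this call site; the hunk only fixes the 2-byte offset arithmetic, so the sizing of `buffer` done earlier in t2p_readwrite_pdf_image_tile(), which this diff does not show, is what the fix relies on and should be re-checked against the 4.0.2 code.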
diff --git a/debian/patches/series b/debian/patches/series index 74027c1..e3af08f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -39,3 +39,6 @@ 0039-tools-tiffcrop.c-Avoid-access-outside-of-stack-alloc.patch 0040-CVE-2016-5321-CVE-2016-5323-bugzilla-2558-2559.patch 0041-tools-tiffcrop.c-Fix-out-of-bounds-write-in-loadImag.patch +0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch +0043-CVE-2016-6223.patch +0044-CVE-2016-5652.patch diff --git a/debian/rules b/debian/rules index 40ea186..dd755f9 100755 --- a/debian/rules +++ b/debian/rules @@ -27,6 +27,11 @@ clean:: binary-post-install/libtiff-tools:: $(RM) debian/libtiff-tools/usr/bin/tiffgt $(RM) debian/libtiff-tools/usr/share/man/man1/tiffgt.1* + # Remove tools unsupported by upstream + for tool in bmp2tiff gif2tiff ras2tiff sgi2tiff sgisv ycbcr rgb2ycbcr thumbnail; do \ + $(RM) debian/libtiff-tools/usr/bin/$$tool; \ + $(RM) debian/libtiff-tools/usr/share/man/man1/$${tool}.*; \ + done # Empty dependency_libs from all .la files binary-post-install/libtiff5-dev::
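Review bot: the new loop in `binary-post-install/libtiff-tools::` deletes eight binaries and their manual pages, but the debdiff adds no debian/NEWS entry, so users of a stable release will only learn from the changelog that bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, ycbcr, rgb2ycbcr and thumbnail have disappeared. A short NEWS.Debian note naming the removed tools and the upstream reason would be appropriate for a DLA that drops functionality. Minor: the man page glob `$${tool}.*` is broader than the `tiffgt.1*` pattern two lines above; `$${tool}.1*` would match the existing style and cannot accidentally remove an unrelated page that shares the prefix.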
diff -Nru tiff3-3.9.6/debian/changelog tiff3-3.9.6/debian/changelog --- tiff3-3.9.6/debian/changelog 2016-09-04 23:10:55.000000000 +0200 +++ tiff3-3.9.6/debian/changelog 2016-10-28 15:01:09.000000000 +0200 @@ -1,3 +1,11 @@ +tiff3 (3.9.6-11+deb7u2) UNRELEASED; urgency=high + + * Non-maintainer upload by the LTS Team. + * Fix CVE-2016-5318 and CVE-2015-7554 by letting libtiff know about + all the "tags" currently in use. + + -- Raphaël Hertzog <hertzog@debian.org> Fri, 28 Oct 2016 14:42:06 +0200 + tiff3 (3.9.6-11+deb7u1) wheezy-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru tiff3-3.9.6/debian/patches/CVE-2016-5318_CVE-2015-7554.patch tiff3-3.9.6/debian/patches/CVE-2016-5318_CVE-2015-7554.patch --- tiff3-3.9.6/debian/patches/CVE-2016-5318_CVE-2015-7554.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff3-3.9.6/debian/patches/CVE-2016-5318_CVE-2015-7554.patch 2016-10-28 16:04:46.000000000 +0200 
@@ -0,0 +1,124 @@ +From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org> +Date: Thu, 27 Oct 2016 15:36:10 +0200 +Subject: Make more tag fields known to TIFFReadDirectoryFindFieldInfo + +This avoids problems when some tags are treated as anonymous fields +whose passcount field defaults to true when the associated code (in tiff +tools) really expects false. + +I believe this covers the following 3 CVE: +CVE-2014-8128: http://bugzilla.maptools.org/show_bug.cgi?id=2499 +CVE-2015-7554: http://bugzilla.maptools.org/show_bug.cgi?id=2564 +CVE-2016-5318: http://bugzilla.maptools.org/show_bug.cgi?id=2561 + +This backport does not add the data for some tags that are using a LONG8 +type which is not supported by version 3.x of libtiff. + +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2580 +--- + libtiff/tif_dirinfo.c | 35 ++++++++++++++++++++++++++++++++++- + 1 file changed, 34 insertions(+), 1 deletion(-) + +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -132,6 +132,10 @@ tiffFieldInfo[] = { + 1, 0, "GrayResponseUnit" }, + { TIFFTAG_GRAYRESPONSECURVE,-1,-1, TIFF_SHORT, FIELD_IGNORE, + 1, 0, "GrayResponseCurve" }, ++ { TIFFTAG_GROUP3OPTIONS, 1, 1, TIFF_LONG, FIELD_CODEC+7, ++ 0, 0, "Group3Options" }, ++ { TIFFTAG_GROUP4OPTIONS, 1, 1, TIFF_LONG, FIELD_CODEC+7, ++ 0, 0, "Group4Options" }, + { TIFFTAG_RESOLUTIONUNIT, 1, 1, TIFF_SHORT, FIELD_RESOLUTIONUNIT, + 1, 0, "ResolutionUnit" }, + { TIFFTAG_PAGENUMBER, 2, 2, TIFF_SHORT, FIELD_PAGENUMBER, +@@ -172,6 +176,10 @@ tiffFieldInfo[] = { + 0, 0, "TileByteCounts" }, + { TIFFTAG_TILEBYTECOUNTS, -1, 1, TIFF_SHORT, FIELD_STRIPBYTECOUNTS, + 0, 0, "TileByteCounts" }, ++ { TIFFTAG_BADFAXLINES, 1, 1, TIFF_LONG, FIELD_CODEC+0, ++ 1, 0, "BadFaxLines" }, ++ { TIFFTAG_CLEANFAXDATA, 1, 1, TIFF_SHORT, FIELD_CODEC+1, ++ 1, 0, "CleanFaxData" }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, FIELD_CODEC+2, + 1, 0, "ConsecutiveBadFaxLines" }, + { TIFFTAG_SUBIFD, -1,-1, TIFF_IFD, FIELD_SUBIFD, +@@ -215,6 +223,21 @@ 
tiffFieldInfo[] = { + 0, 0, "YClipPathUnits" }, + { TIFFTAG_YCLIPPATHUNITS, 1, 1, TIFF_SBYTE, FIELD_CUSTOM, + 0, 0, "YClipPathUnits" }, ++ { TIFFTAG_INDEXED, 1, 1, TIFF_SHORT, FIELD_CUSTOM, ++ 0, 0, "Indexed"}, ++ { TIFFTAG_JPEGTABLES, -3,-3, TIFF_UNDEFINED, FIELD_CODEC+0, ++ 0, 1, "JPEGTables" }, ++ /* MISSING: TIFFTAG_OPIPROXY */ ++ { TIFFTAG_JPEGPROC, 1, 1, TIFF_SHORT, FIELD_CODEC+5, ++ 0, 0, "JpegProc" }, ++ /* MISSING: TIFFTAG_JPEGIFOFFSET and TIFFTAG_JPEGIFBYTECOUNT, ++ * no TIFF_LONG8 supported in this version */ ++ { TIFFTAG_JPEGRESTARTINTERVAL,1,1, TIFF_SHORT, FIELD_CODEC+6, ++ 0, 0, "JpegRestartInterval" }, ++ /* MISSING: TIFFTAG_JPEGLOSSLESSPREDICTORS */ ++ /* MISSING: TIFFTAG_JPEGPOINTTRANSFORM */ ++ /* MISSING: TIFFTAG_JPEGQTABLES, TIFFTAG_JPEGDCTABLES, ++ * TIFFTAG_JPEGACTABLES, no TIFF_LONG8 supported in this version */ + { TIFFTAG_YCBCRCOEFFICIENTS, 3, 3, TIFF_RATIONAL, FIELD_CUSTOM, + 0, 0, "YCbCrCoefficients" }, + { TIFFTAG_YCBCRSUBSAMPLING, 2, 2, TIFF_SHORT, FIELD_YCBCRSUBSAMPLING, +@@ -228,6 +251,13 @@ tiffFieldInfo[] = { + 1, 0, "ReferenceBlackWhite" }, + { TIFFTAG_XMLPACKET, -3,-3, TIFF_BYTE, FIELD_CUSTOM, + 0, 1, "XMLPacket" }, ++ /* MISSING: TIFFTAG_OPIIMAGEID */ ++/* begin Island Graphics tags */ ++ /* MISSING: TIFFTAG_REFPTS */ ++ /* MISSING: TIFFTAG_REGIONTACKPOINT */ ++ /* MISSING: TIFFTAG_REGIONWARPCORNERS */ ++ /* MISSING: TIFFTAG_REGIONAFFINE */ ++/* end Island Graphics tags */ + /* begin SGI tags */ + { TIFFTAG_MATTEING, 1, 1, TIFF_SHORT, FIELD_EXTRASAMPLES, + 0, 0, "Matteing" }, +@@ -257,21 +287,34 @@ tiffFieldInfo[] = { + FIELD_CUSTOM, 1, 0, "MatrixWorldToScreen" }, + { TIFFTAG_PIXAR_MATRIX_WORLDTOCAMERA, 16,16, TIFF_FLOAT, + FIELD_CUSTOM, 1, 0, "MatrixWorldToCamera" }, ++ /* MISSING: TIFFTAG_WRITERSERIALNUMBER */ + { TIFFTAG_COPYRIGHT, -1, -1, TIFF_ASCII, FIELD_CUSTOM, + 1, 0, "Copyright" }, + /* end Pixar tags */ + { TIFFTAG_RICHTIFFIPTC, -3, -3, TIFF_LONG, FIELD_CUSTOM, + 0, 1, "RichTIFFIPTC" }, ++ /* MISSING: TIFFTAG_IT8* */ ++ 
/* MISSING: TIFFTAG_FRAMECOUNT */ + { TIFFTAG_PHOTOSHOP, -3, -3, TIFF_BYTE, FIELD_CUSTOM, + 0, 1, "Photoshop" }, + { TIFFTAG_EXIFIFD, 1, 1, TIFF_LONG, FIELD_CUSTOM, + 0, 0, "EXIFIFDOffset" }, + { TIFFTAG_ICCPROFILE, -3, -3, TIFF_UNDEFINED, FIELD_CUSTOM, + 0, 1, "ICC Profile" }, ++ /* MISSING: TIFFTAG_JBIGOPTIONS */ + { TIFFTAG_GPSIFD, 1, 1, TIFF_LONG, FIELD_CUSTOM, + 0, 0, "GPSIFDOffset" }, ++ { TIFFTAG_FAXRECVPARAMS, 1, 1, TIFF_LONG, FIELD_CUSTOM, ++ 1, 0, "FaxRecvParams" }, ++ { TIFFTAG_FAXSUBADDRESS, -1,-1, TIFF_ASCII, FIELD_CUSTOM, ++ 1, 0, "FaxSubAddress" }, ++ { TIFFTAG_FAXRECVTIME, 1, 1, TIFF_LONG, FIELD_CUSTOM, ++ 1, 0, "FaxRecvTime" }, ++ { TIFFTAG_FAXDCS, -1,-1, TIFF_ASCII, FIELD_CUSTOM, ++ 1, 0, "FaxDcs" }, + { TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, FIELD_CUSTOM, + 0, 0, "StoNits" }, ++ /* MISSING: TIFFTAG_FEDEX_EDR */ + { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_LONG, FIELD_CUSTOM, + 0, 0, "InteroperabilityIFDOffset" }, + /* begin DNG tags */ +@@ -394,6 +437,7 @@ tiffFieldInfo[] = { + { TIFFTAG_CURRENTPREPROFILEMATRIX, -1, -1, TIFF_SRATIONAL, FIELD_CUSTOM, + 0, 1, "CurrentPreProfileMatrix" }, + /* end DNG tags */ ++ /* MISSING: TIFFTAG_DCSHUESHIFTVALUES */ + }; + + static const TIFFFieldInfo diff -Nru tiff3-3.9.6/debian/patches/series tiff3-3.9.6/debian/patches/series --- tiff3-3.9.6/debian/patches/series 2016-09-04 23:10:55.000000000 +0200 +++ tiff3-3.9.6/debian/patches/series 2016-10-28 15:02:15.000000000 +0200 @@ -25,3 +25,4 @@ CVE-2016-3186.patch CVE-2013-1961.patch CVE-2010-2596.patch +CVE-2016-5318_CVE-2015-7554.patch
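Review bot: the tiff3 changelog entry credits the new patch with fixing CVE-2016-5318 and CVE-2015-7554 only, while the patch header it introduces says "I believe this covers the following 3 CVE" and names CVE-2014-8128 as well, and the tiff 4.0.2 changelog in the other debdiff lists all three. Either add CVE-2014-8128 to the tiff3 entry or say why it does not apply to 3.9.6, so the DLA text and the security tracker stay consistent. Smaller wording nit: "LTS Team" here versus "Debian Long Term Support Team" in the tiff changelog; pick one form.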
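Review bot: in the @@ -172 and @@ -215 hunks of tif_dirinfo.c, TIFFTAG_BADFAXLINES is registered on FIELD_CODEC+0 and TIFFTAG_JPEGTABLES is registered on FIELD_CODEC+0 as well (the other new rows use +1, +5, +6 and +7). FIELD_CODEC+N bits are codec-private and are normally contributed by the active codec's own field-info table (tif_fax3.c, tif_jpeg.c), so the base table now carries two different tags on the same fieldsset bit regardless of which compression is in use. Please confirm that TIFFReadDirectory cannot set the fax codec's bit when a non-fax file carries JPEGTables (or the reverse), and that these rows do not duplicate the entries the codecs merge at init time; if the intent is only to make the tags known to TIFFReadDirectoryFindFieldInfo so passcount is correct, FIELD_CUSTOM, as already used for the FaxRecvParams/FaxSubAddress/FaxRecvTime/FaxDcs rows later in this patch, may be the less surprising choice.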
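Review bot: style nits in the @@ -215 and @@ -228 hunks: `0, 0, "Indexed"},` drops the space before `}` that every neighbouring row has, `{ TIFFTAG_JPEGRESTARTINTERVAL,1,1, TIFF_SHORT,` drops the spaces after the commas, and the `/* begin Island Graphics tags */` / `/* end Island Graphics tags */` markers sit at column 0 while the `/* MISSING: ... */` comments around them are indented to the table rows. Aligning them with the existing rows keeps the table easy to diff against upstream's tif_dirinfo.c.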
Attachment:
signature.asc
Description: PGP signature