Re: CVE-2017-9935 / tiff
Brian May <bam@debian.org> writes:
> I note that the previous version of tiff3 is a security update for
> tiff2pdf.
I also note that there seem to be a number of reverse depends of tiff3
in wheezy.
Here is a version of tiff3 available for testing.
https://people.debian.org/~bam/debian/pool/main/t/tiff3/
Unfortunately I cannot readily test this, due to lack of tiff2pdf
client. This is basically the same patch as for other versions however,
and the patch to the library - the only part that actually gets used -
is rather simple.
Here is the diff:
diff -Nru tiff3-3.9.6/debian/changelog tiff3-3.9.6/debian/changelog
--- tiff3-3.9.6/debian/changelog 2017-09-10 08:51:09.000000000 +1000
+++ tiff3-3.9.6/debian/changelog 2017-12-12 07:54:40.000000000 +1100
@@ -1,3 +1,11 @@
+tiff3 (3.9.6-11+deb7u9) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2017-9935: tiff2pdf: fix buffer overrun if source pages have different
+ transferfunctions.
+
+ -- Brian May <bam@debian.org> Tue, 12 Dec 2017 07:54:40 +1100
+
tiff3 (3.9.6-11+deb7u8) wheezy-security; urgency=high
* Non-maintainer upload by the Debian LTS team.
diff -Nru tiff3-3.9.6/debian/patches/CVE-2017-9935.patch tiff3-3.9.6/debian/patches/CVE-2017-9935.patch
--- tiff3-3.9.6/debian/patches/CVE-2017-9935.patch 1970-01-01 10:00:00.000000000 +1000
+++ tiff3-3.9.6/debian/patches/CVE-2017-9935.patch 2017-12-12 07:54:09.000000000 +1100
@@ -0,0 +1,141 @@
+commit 3dd8f6a357981a4090f126ab9025056c938b6940
+Author: Brian May <brian@linuxpenguins.xyz>
+Date: Thu Dec 7 07:46:47 2017 +1100
+
+ tiff2pdf: Fix CVE-2017-9935
+
+ Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+ This vulnerability - at least for the supplied test case - is because we
+ assume that a tiff will only have one transfer function that is the same
+ for all pages. This is not required by the TIFF standards.
+
+ We than read the transfer function for every page. Depending on the
+ transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+ We allocate this memory after we read in the transfer function for the
+ page.
+
+ For the first exploit - POC1, this file has 3 pages. For the first page
+ we allocate 2 extra extra XREF entries. Then for the next page 2 more
+ entries. Then for the last page the transfer function changes and we
+ allocate 4 more entries.
+
+ When we read the file into memory, we assume we have 4 bytes extra for
+ each and every page (as per the last transfer function we read). Which
+ is not correct, we only have 2 bytes extra for the first 2 pages. As a
+ result, we end up writing past the end of the buffer.
+
+ There are also some related issues that this also fixes. For example,
+ TIFFGetField can return uninitalized pointer values, and the logic to
+ detect a N=3 vs N=1 transfer function seemed rather strange.
+
+ It is also strange that we declare the transfer functions to be of type
+ float, when the standard says they are unsigned 16 bit values. This is
+ fixed in another patch.
+
+ This patch will check to ensure that the N value for every transfer
+ function is the same for every page. If this changes, we abort with an
+ error. In theory, we should perhaps check that the transfer function
+ itself is identical for every page, however we don't do that due to the
+ confusion of the type of the data in the transfer function.
+
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -842,6 +842,9 @@
+ if (td->td_samplesperpixel - td->td_extrasamples > 1) {
+ *va_arg(ap, uint16**) = td->td_transferfunction[1];
+ *va_arg(ap, uint16**) = td->td_transferfunction[2];
++ } else {
++ *va_arg(ap, uint16**) = NULL;
++ *va_arg(ap, uint16**) = NULL;
+ }
+ break;
+ case TIFFTAG_REFERENCEBLACKWHITE:
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1002,6 +1002,8 @@
+ uint16 pagen=0;
+ uint16 paged=0;
+ uint16 xuint16=0;
++ uint16 tiff_transferfunctioncount=0;
++ float* tiff_transferfunction[3];
+
+ directorycount=TIFFNumberOfDirectories(input);
+ t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(directorycount * sizeof(T2P_PAGE));
+@@ -1102,24 +1104,48 @@
+ }
+ #endif
+ if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
+- &(t2p->tiff_transferfunction[0]),
+- &(t2p->tiff_transferfunction[1]),
+- &(t2p->tiff_transferfunction[2]))) {
+- if(t2p->tiff_transferfunction[1] !=
+- t2p->tiff_transferfunction[0]) {
+- t2p->tiff_transferfunctioncount = 3;
+- t2p->tiff_pages[i].page_extra += 4;
+- t2p->pdf_xrefcount += 4;
+- } else {
+- t2p->tiff_transferfunctioncount = 1;
+- t2p->tiff_pages[i].page_extra += 2;
+- t2p->pdf_xrefcount += 2;
+- }
+- if(t2p->pdf_minorversion < 2)
+- t2p->pdf_minorversion = 2;
++ &(tiff_transferfunction[0]),
++ &(tiff_transferfunction[1]),
++ &(tiff_transferfunction[2]))) {
++
++ if((tiff_transferfunction[1] != (float*) NULL) &&
++ (tiff_transferfunction[2] != (float*) NULL)
++ ) {
++ tiff_transferfunctioncount=3;
++ } else {
++ tiff_transferfunctioncount=1;
++ }
+ } else {
+- t2p->tiff_transferfunctioncount=0;
++ tiff_transferfunctioncount=0;
+ }
++
++ if (i > 0){
++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Different transfer function on page %d",
++ i);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ }
++
++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
++ if(tiff_transferfunctioncount == 3){
++ t2p->tiff_pages[i].page_extra += 4;
++ t2p->pdf_xrefcount += 4;
++ if(t2p->pdf_minorversion < 2)
++ t2p->pdf_minorversion = 2;
++ } else if (tiff_transferfunctioncount == 1){
++ t2p->tiff_pages[i].page_extra += 2;
++ t2p->pdf_xrefcount += 2;
++ if(t2p->pdf_minorversion < 2)
++ t2p->pdf_minorversion = 2;
++ }
++
+ if( TIFFGetField(
+ input,
+ TIFFTAG_ICCPROFILE,
+@@ -1755,8 +1781,9 @@
+ &(t2p->tiff_transferfunction[0]),
+ &(t2p->tiff_transferfunction[1]),
+ &(t2p->tiff_transferfunction[2]))) {
+- if(t2p->tiff_transferfunction[1] !=
+- t2p->tiff_transferfunction[0]) {
++ if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
++ (t2p->tiff_transferfunction[2] != (float*) NULL)
++ ) {
+ t2p->tiff_transferfunctioncount=3;
+ } else {
+ t2p->tiff_transferfunctioncount=1;
diff -Nru tiff3-3.9.6/debian/patches/series tiff3-3.9.6/debian/patches/series
--- tiff3-3.9.6/debian/patches/series 2017-09-10 09:06:50.000000000 +1000
+++ tiff3-3.9.6/debian/patches/series 2017-12-12 07:51:38.000000000 +1100
@@ -39,3 +39,5 @@
CVE-2017-9404.patch
CVE-2017-9936.patch
CVE-2017-11335.patch
+CVE-2017-9935.patch
+use_uint16_transferfunction.patch
diff -Nru tiff3-3.9.6/debian/patches/use_uint16_transferfunction.patch tiff3-3.9.6/debian/patches/use_uint16_transferfunction.patch
--- tiff3-3.9.6/debian/patches/use_uint16_transferfunction.patch 1970-01-01 10:00:00.000000000 +1000
+++ tiff3-3.9.6/debian/patches/use_uint16_transferfunction.patch 2017-12-12 07:54:27.000000000 +1100
@@ -0,0 +1,51 @@
+commit d4f213636b6f950498a1386083199bd7f65676b9
+Author: Brian May <brian@linuxpenguins.xyz>
+Date: Thu Dec 7 07:49:20 2017 +1100
+
+ tiff2pdf: Fix apparent incorrect type for transfer table
+
+ The standard says the transfer table contains unsigned 16 bit values,
+ I have no idea why we refer to them as floats.
+
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -232,7 +232,7 @@
+ float tiff_whitechromaticities[2];
+ float tiff_primarychromaticities[6];
+ float tiff_referenceblackwhite[2];
+- float* tiff_transferfunction[3];
++ uint16* tiff_transferfunction[3];
+ int pdf_image_interpolate; /* 0 (default) : do not interpolate,
+ 1 : interpolate */
+ uint16 tiff_transferfunctioncount;
+@@ -1003,7 +1003,7 @@
+ uint16 paged=0;
+ uint16 xuint16=0;
+ uint16 tiff_transferfunctioncount=0;
+- float* tiff_transferfunction[3];
++ uint16* tiff_transferfunction[3];
+
+ directorycount=TIFFNumberOfDirectories(input);
+ t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(directorycount * sizeof(T2P_PAGE));
+@@ -1108,8 +1108,8 @@
+ &(tiff_transferfunction[1]),
+ &(tiff_transferfunction[2]))) {
+
+- if((tiff_transferfunction[1] != (float*) NULL) &&
+- (tiff_transferfunction[2] != (float*) NULL)
++ if((tiff_transferfunction[1] != (uint16*) NULL) &&
++ (tiff_transferfunction[2] != (uint16*) NULL)
+ ) {
+ tiff_transferfunctioncount=3;
+ } else {
+@@ -1781,8 +1781,8 @@
+ &(t2p->tiff_transferfunction[0]),
+ &(t2p->tiff_transferfunction[1]),
+ &(t2p->tiff_transferfunction[2]))) {
+- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[2] != (float*) NULL)
++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
++ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
+ ) {
+ t2p->tiff_transferfunctioncount=3;
+ } else {
--
Brian May <bam@debian.org>
Reply to: