
tiff



Hello,

Attached is my proposed patch for tiff in Jessie.

Regards
-- 
Brian May <bam@debian.org>
diff -Nru tiff-4.0.3/debian/changelog tiff-4.0.3/debian/changelog
--- tiff-4.0.3/debian/changelog	2018-10-28 22:03:02.000000000 +1100
+++ tiff-4.0.3/debian/changelog	2019-02-08 14:52:01.000000000 +1100
@@ -1,3 +1,22 @@
+tiff (4.0.3-12.3+deb8u8) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2018-19210: NULL pointer dereference
+    There is a NULL pointer dereference in the TIFFWriteDirectorySec function
+    in tif_dirwrite.c that will lead to a denial of service attack, as
+    demonstrated by tiffset.
+  * Fix CVE-2018-17000: NULL pointer dereference
+    A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called
+    from TIFFWriteDirectoryTagTransferfunction) allows an attacker
+    to cause a denial-of-service through a crafted tiff file. This vulnerability
+    can be triggered by the executable tiffcp.
+  * CVE-2018-12900: Heap-based buffer overflow
+    In the cpSeparateBufToContigBuf function in tiffcp.c allows remote
+    attackers to cause a denial of service (crash) or possibly have
+    unspecified other impact via a crafted TIFF file.
+
+ -- Brian May <bam@debian.org>  Fri, 08 Feb 2019 14:52:01 +1100
+
 tiff (4.0.3-12.3+deb8u7) jessie-security; urgency=high
 
   * Non-maintainer upload by the LTS Team. 
diff -Nru tiff-4.0.3/debian/patches/CVE-2018-12900.patch tiff-4.0.3/debian/patches/CVE-2018-12900.patch
--- tiff-4.0.3/debian/patches/CVE-2018-12900.patch	1970-01-01 10:00:00.000000000 +1000
+++ tiff-4.0.3/debian/patches/CVE-2018-12900.patch	2019-02-08 14:52:01.000000000 +1100
@@ -0,0 +1,13 @@
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1394,6 +1394,10 @@
+ 	uint32 row;
+ 	uint16 bps, bytes_per_sample;
+ 
++        if (0xFFFFFFFF / tilew < spp) {
++            TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or SamplePerPixel (%u) is too large", tilew, spp);
++            return 0;
++        }
+ 	tilebuf = _TIFFmalloc(tilesize);
+ 	if (tilebuf == 0)
+ 		return 0;
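Review bot: The guard added at L50 divides by `tilew` before anything in the hunk establishes it is non-zero; `tilew` is assigned outside the hunk (the function starts above it), so if a TileWidth of 0 can reach this point the check itself traps on division by zero, and it should read `if (tilew == 0 || 0xFFFFFFFF / tilew < spp)`. The product guarded here is only `tilew * spp`; the `bytes_per_sample` declaration in the context suggests the buffer arithmetic below also scales by that factor, which this check does not cover — worth confirming against the rest of the function. The new lines are indented with spaces while the surrounding file uses tabs, which also applies to the additions in CVE-2018-19210-1.patch and CVE-2018-19210-2.patch. Unlike the other patch files in this upload, this one carries no header identifying its origin; an `Origin:`/`Bug:` line (DEP-3) pointing at the upstream fix would let later maintainers verify it.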
diff -Nru tiff-4.0.3/debian/patches/CVE-2018-17000.patch tiff-4.0.3/debian/patches/CVE-2018-17000.patch
--- tiff-4.0.3/debian/patches/CVE-2018-17000.patch	1970-01-01 10:00:00.000000000 +1000
+++ tiff-4.0.3/debian/patches/CVE-2018-17000.patch	2019-02-08 14:52:01.000000000 +1100
@@ -0,0 +1,32 @@
+From 802d3cbf3043be5dce5317e140ccb1c17a6a2d39 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 29 Jan 2019 11:21:47 +0100
+Subject: [PATCH] TIFFWriteDirectoryTagTransferfunction() : fix NULL
+ dereferencing
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2833
+
+we must check the pointer is not NULL before memcmp() the memory
+---
+ libtiff/tif_dirwrite.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@
+ 		n=3;
+ 	if (n==3)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[2] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ 			n=2;
+ 	}
+ 	if (n==2)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[1] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ 			n=1;
+ 	}
+ 	if (n==0)
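Review bot: The new NULL checks at L81 and L88 cover only the second operand of each `_TIFFmemcmp`; `td_transferfunction[0]` is still passed unchecked in both calls, and the hunk does not show where it is guaranteed non-NULL, so the enclosing function (which starts and ends outside the hunk) should be checked for an earlier guard on `[0]` before this is considered complete. The fix also gives a missing table a meaning — it is treated as identical to table `[0]` and therefore dropped from the count `n` — which is reasonable but not obvious from the code; a comment such as `/* a missing table is treated as a duplicate of [0] and is not written */` above the `if (n==3)` block would make the intent explicit.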
diff -Nru tiff-4.0.3/debian/patches/CVE-2018-19210-1.patch tiff-4.0.3/debian/patches/CVE-2018-19210-1.patch
--- tiff-4.0.3/debian/patches/CVE-2018-19210-1.patch	1970-01-01 10:00:00.000000000 +1000
+++ tiff-4.0.3/debian/patches/CVE-2018-19210-1.patch	2019-02-08 14:50:42.000000000 +1100
@@ -0,0 +1,67 @@
+From d0a842c5dbad2609aed43c701a12ed12461d3405 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Wed, 21 Nov 2018 18:50:34 +0100
+Subject: [PATCH] tif_dir: unset transferfunction field if necessary
+
+The number of entries in the transfer table is determined as following:
+
+(td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1
+
+This means that whenever td->td_samplesperpixel or td->td_extrasamples are
+modified we also need to make sure that the number of required entries in
+the transfer table didn't change.
+
+If it changed and the number of entries is higher than before we should
+invalidate the transfer table field and free previously allocated values.
+In the other case there's nothing to do, additional tf entries won't harm
+and properly written code will just ignore them since spp - es < 1.
+
+For instance this situation might happen when reading an OJPEG compressed
+image with missing SamplesPerPixel tag. In this case the SamplesPerPixel
+field might be updated after setting the transfer table.
+
+see http://bugzilla.maptools.org/show_bug.cgi?id=2500
+
+This commit addresses CVE-2018-19210.
+---
+ libtiff/tif_dir.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -284,6 +284,18 @@
+                 _TIFFfree(td->td_smaxsamplevalue);
+                 td->td_smaxsamplevalue = NULL;
+             }
++            /* Test if 3 transfer functions instead of just one are now needed
++               See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
++            if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
++                !(td->td_samplesperpixel - td->td_extrasamples > 1))
++            {
++                    TIFFWarningExt(tif->tif_clientdata,module,
++                        "SamplesPerPixel tag value is changing, "
++                        "but TransferFunction was read with a different value. Cancelling it");
++                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++                    _TIFFfree(td->td_transferfunction[0]);
++                    td->td_transferfunction[0] = NULL;
++            }
+         }
+ 		td->td_samplesperpixel = (uint16) v;
+ 		break;
+@@ -360,6 +372,16 @@
+ 		_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ 		break;
+ 	case TIFFTAG_EXTRASAMPLES:
++            if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) &&
++                 !(td->td_samplesperpixel - td->td_extrasamples > 1))
++            {
++                    TIFFWarningExt(tif->tif_clientdata,module,
++                        "ExtraSamples tag value is changing, "
++                        "but TransferFunction was read with a different value. Cancelling it");
++                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++                    _TIFFfree(td->td_transferfunction[0]);
++                    td->td_transferfunction[0] = NULL;
++            }
+ 		if (!setExtraSamples(td, ap, &v))
+ 			goto badvalue;
+ 		break;
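Review bot: The condition `(v - td->td_extrasamples > 1)` at L134 is evaluated in unsigned arithmetic, because `v` is a `uint32` (it is truncated with `(uint16) v` at L145 and passed as `uint32*` to setExtraSamples at L161), so a new SamplesPerPixel value smaller than the current `td_extrasamples` wraps the subtraction and the condition becomes true. The result is a warning and the release of the transfer table, which is the conservative direction, but that is not apparent from the code; a comment such as `/* unsigned compare: a new value below td_extrasamples also cancels the table, deliberately */` would record it. The check at L151 has the same shape, but the second patch in this series moves it into setExtraSamples after what appears to be a range check on `*v`, so only the SamplesPerPixel branch is affected here. The enclosing function of both hunks starts and ends outside the hunk.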
diff -Nru tiff-4.0.3/debian/patches/CVE-2018-19210-2.patch tiff-4.0.3/debian/patches/CVE-2018-19210-2.patch
--- tiff-4.0.3/debian/patches/CVE-2018-19210-2.patch	1970-01-01 10:00:00.000000000 +1000
+++ tiff-4.0.3/debian/patches/CVE-2018-19210-2.patch	2019-02-08 14:50:51.000000000 +1100
@@ -0,0 +1,68 @@
+From 38ede78b13810ff0fa8e61f86ef9aa0ab2964668 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 2 Feb 2019 15:30:14 +0100
+Subject: [PATCH] Fix warning (use of uninitialized value) added per
+ d0a842c5dbad2609aed43c701a12ed12461d3405 (fixes
+ https://gitlab.com/libtiff/libtiff/merge_requests/54#note_137742985)
+
+---
+ libtiff/tif_dir.c | 28 ++++++++++++++++------------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -88,13 +88,15 @@
+  * Install extra samples information.
+  */
+ static int
+-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
++setExtraSamples(TIFF* tif, va_list ap, uint32* v)
+ {
+ /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
+ #define EXTRASAMPLE_COREL_UNASSALPHA 999 
+ 
+ 	uint16* va;
+ 	uint32 i;
++        TIFFDirectory* td = &tif->tif_dir;
++        static const char module[] = "setExtraSamples";
+ 
+ 	*v = (uint16) va_arg(ap, uint16_vap);
+ 	if ((uint16) *v > td->td_samplesperpixel)
+@@ -116,6 +118,18 @@
+ 				return 0;
+ 		}
+ 	}
++
++        if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
++                !(td->td_samplesperpixel - td->td_extrasamples > 1))
++        {
++                TIFFWarningExt(tif->tif_clientdata,module,
++                    "ExtraSamples tag value is changing, "
++                    "but TransferFunction was read with a different value. Cancelling it");
++                TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++                _TIFFfree(td->td_transferfunction[0]);
++                td->td_transferfunction[0] = NULL;
++        }
++
+ 	td->td_extrasamples = (uint16) *v;
+ 	_TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
+ 	return 1;
+@@ -372,17 +386,7 @@
+ 		_TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ 		break;
+ 	case TIFFTAG_EXTRASAMPLES:
+-            if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - v > 1) &&
+-                 !(td->td_samplesperpixel - td->td_extrasamples > 1))
+-            {
+-                    TIFFWarningExt(tif->tif_clientdata,module,
+-                        "ExtraSamples tag value is changing, "
+-                        "but TransferFunction was read with a different value. Cancelling it");
+-                    TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
+-                    _TIFFfree(td->td_transferfunction[0]);
+-                    td->td_transferfunction[0] = NULL;
+-            }
+-		if (!setExtraSamples(td, ap, &v))
++		if (!setExtraSamples(tif, ap, &v))
+ 			goto badvalue;
+ 		break;
+ 	case TIFFTAG_MATTEING:
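Review bot: The relocated check at L203-L212 has no comment, unlike its SamplesPerPixel twin in the first patch of the series, and the reason `td->td_samplesperpixel - *v` is now safe to compute in unsigned arithmetic — `*v` has already been compared against `td_samplesperpixel` at L197, whose failure branch is cut off by the hunk boundary — is worth stating where the code is; `/* Test if 3 transfer functions instead of just one are now needed; *v has been validated against td_samplesperpixel above */` would do. Changing setExtraSamples to take `TIFF*` is consistent for the one caller updated at L232, but the function is `static` (L184) and any other call site in tif_dir.c lies outside the hunk, so the build should be checked for a stale `td`-based call. The body of setExtraSamples and the caller's switch both extend beyond the hunk.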
diff -Nru tiff-4.0.3/debian/patches/series tiff-4.0.3/debian/patches/series
--- tiff-4.0.3/debian/patches/series	2018-10-28 22:03:02.000000000 +1100
+++ tiff-4.0.3/debian/patches/series	2019-02-08 14:52:01.000000000 +1100
@@ -80,3 +80,7 @@
 
 CVE-2018-17100-17101.patch
 CVE-2018-18557.patch
+CVE-2018-19210-1.patch
+CVE-2018-19210-2.patch
+CVE-2018-17000.patch
+CVE-2018-12900.patch
