gnu: libtiff: Update to 4.0.6. Add fixes for CVE-2015-{8665,8683}.
* gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch, gnu/packages/patches/libtiff-oob-accesses-in-decode.patch, gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff): Update to 4.0.6. [source]: Add patches.master
parent
a2190cccc2
commit
86fa2ea92f
|
@ -547,6 +547,9 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/libmad-frame-length.patch \
|
||||
gnu/packages/patches/libmad-mips-newgcc.patch \
|
||||
gnu/packages/patches/libtheora-config-guess.patch \
|
||||
gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
|
||||
gnu/packages/patches/libtiff-oob-accesses-in-decode.patch \
|
||||
gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch \
|
||||
gnu/packages/patches/libtool-skip-tests2.patch \
|
||||
gnu/packages/patches/libsndfile-CVE-2014-9496.patch \
|
||||
gnu/packages/patches/libsndfile-CVE-2015-7805.patch \
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
|
||||
;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
|
||||
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
|
||||
;;; Copyright © 2014, 2015 Alex Kost <alezost@gmail.com>
|
||||
;;; Copyright © 2014 Ricardo Wurmus <rekado@elephly.net>
|
||||
;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
|
||||
|
@ -131,13 +131,17 @@ maximum quality factor.")
|
|||
(define-public libtiff
|
||||
(package
|
||||
(name "libtiff")
|
||||
(version "4.0.5")
|
||||
(version "4.0.6")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-"
|
||||
version ".tar.gz"))
|
||||
(sha256 (base32
|
||||
"171hgy4mylwmvdm7gp6ffjva81m4j56v3fbqsbfl7avzxn1slpp2"))))
|
||||
"136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd"))
|
||||
(patches (map search-patch
|
||||
'("libtiff-oob-accesses-in-decode.patch"
|
||||
"libtiff-oob-write-in-nextdecode.patch"
|
||||
"libtiff-CVE-2015-8665+CVE-2015-8683.patch")))))
|
||||
(build-system gnu-build-system)
|
||||
(outputs '("out"
|
||||
"doc")) ;1.3 MiB of HTML documentation
|
||||
|
|
|
@ -0,0 +1,107 @@
|
|||
2015-12-26 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
|
||||
interface in case of unsupported values of SamplesPerPixel/ExtraSamples
|
||||
for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
|
||||
TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
|
||||
CVE-2015-8683 reported by zzf of Alibaba.
|
||||
|
||||
diff -u -r1.93 -r1.94
|
||||
--- libtiff/libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93
|
||||
+++ libtiff/libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94
|
||||
@@ -182,20 +182,22 @@
|
||||
"Planarconfiguration", td->td_planarconfig);
|
||||
return (0);
|
||||
}
|
||||
- if( td->td_samplesperpixel != 3 )
|
||||
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
|
||||
{
|
||||
sprintf(emsg,
|
||||
- "Sorry, can not handle image with %s=%d",
|
||||
- "Samples/pixel", td->td_samplesperpixel);
|
||||
+ "Sorry, can not handle image with %s=%d, %s=%d",
|
||||
+ "Samples/pixel", td->td_samplesperpixel,
|
||||
+ "colorchannels", colorchannels);
|
||||
return 0;
|
||||
}
|
||||
break;
|
||||
case PHOTOMETRIC_CIELAB:
|
||||
- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
|
||||
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
|
||||
{
|
||||
sprintf(emsg,
|
||||
- "Sorry, can not handle image with %s=%d and %s=%d",
|
||||
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
|
||||
"Samples/pixel", td->td_samplesperpixel,
|
||||
+ "colorchannels", colorchannels,
|
||||
"Bits/sample", td->td_bitspersample);
|
||||
return 0;
|
||||
}
|
||||
@@ -255,6 +257,9 @@
|
||||
int colorchannels;
|
||||
uint16 *red_orig, *green_orig, *blue_orig;
|
||||
int n_color;
|
||||
+
|
||||
+ if( !TIFFRGBAImageOK(tif, emsg) )
|
||||
+ return 0;
|
||||
|
||||
/* Initialize to normal values */
|
||||
img->row_offset = 0;
|
||||
@@ -2509,29 +2514,33 @@
|
||||
case PHOTOMETRIC_RGB:
|
||||
switch (img->bitspersample) {
|
||||
case 8:
|
||||
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
|
||||
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
|
||||
+ img->samplesperpixel >= 4)
|
||||
img->put.contig = putRGBAAcontig8bittile;
|
||||
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
|
||||
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
|
||||
+ img->samplesperpixel >= 4)
|
||||
{
|
||||
if (BuildMapUaToAa(img))
|
||||
img->put.contig = putRGBUAcontig8bittile;
|
||||
}
|
||||
- else
|
||||
+ else if( img->samplesperpixel >= 3 )
|
||||
img->put.contig = putRGBcontig8bittile;
|
||||
break;
|
||||
case 16:
|
||||
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
|
||||
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
|
||||
+ img->samplesperpixel >=4 )
|
||||
{
|
||||
if (BuildMapBitdepth16To8(img))
|
||||
img->put.contig = putRGBAAcontig16bittile;
|
||||
}
|
||||
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
|
||||
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
|
||||
+ img->samplesperpixel >=4 )
|
||||
{
|
||||
if (BuildMapBitdepth16To8(img) &&
|
||||
BuildMapUaToAa(img))
|
||||
img->put.contig = putRGBUAcontig16bittile;
|
||||
}
|
||||
- else
|
||||
+ else if( img->samplesperpixel >=3 )
|
||||
{
|
||||
if (BuildMapBitdepth16To8(img))
|
||||
img->put.contig = putRGBcontig16bittile;
|
||||
@@ -2540,7 +2549,7 @@
|
||||
}
|
||||
break;
|
||||
case PHOTOMETRIC_SEPARATED:
|
||||
- if (buildMap(img)) {
|
||||
+ if (img->samplesperpixel >=4 && buildMap(img)) {
|
||||
if (img->bitspersample == 8) {
|
||||
if (!img->Map)
|
||||
img->put.contig = putRGBcontig8bitCMYKtile;
|
||||
@@ -2636,7 +2645,7 @@
|
||||
}
|
||||
break;
|
||||
case PHOTOMETRIC_CIELAB:
|
||||
- if (buildMap(img)) {
|
||||
+ if (img->samplesperpixel == 3 && buildMap(img)) {
|
||||
if (img->bitspersample == 8)
|
||||
img->put.contig = initCIELabConversion(img);
|
||||
break;
|
|
@ -0,0 +1,171 @@
|
|||
2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
|
||||
functions in non debug builds by replacing assert()s by regular if
|
||||
checks (bugzilla #2522).
|
||||
Fix potential out-of-bound reads in case of short input data.
|
||||
|
||||
diff -u -r1.40 -r1.41
|
||||
--- libtiff/libtiff/tif_luv.c 21 Jun 2015 01:09:09 -0000 1.40
|
||||
+++ libtiff/libtiff/tif_luv.c 27 Dec 2015 16:25:11 -0000 1.41
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
|
||||
+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1997 Greg Ward Larson
|
||||
@@ -202,7 +202,11 @@
|
||||
if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
|
||||
tp = (int16*) op;
|
||||
else {
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
tp = (int16*) sp->tbuf;
|
||||
}
|
||||
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
|
||||
@@ -211,9 +215,11 @@
|
||||
cc = tif->tif_rawcc;
|
||||
/* get each byte string */
|
||||
for (shft = 2*8; (shft -= 8) >= 0; ) {
|
||||
- for (i = 0; i < npixels && cc > 0; )
|
||||
+ for (i = 0; i < npixels && cc > 0; ) {
|
||||
if (*bp >= 128) { /* run */
|
||||
- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
|
||||
+ if( cc < 2 )
|
||||
+ break;
|
||||
+ rc = *bp++ + (2-128);
|
||||
b = (int16)(*bp++ << shft);
|
||||
cc -= 2;
|
||||
while (rc-- && i < npixels)
|
||||
@@ -223,6 +229,7 @@
|
||||
while (--cc && rc-- && i < npixels)
|
||||
tp[i++] |= (int16)*bp++ << shft;
|
||||
}
|
||||
+ }
|
||||
if (i != npixels) {
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
@@ -268,13 +275,17 @@
|
||||
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
|
||||
tp = (uint32 *)op;
|
||||
else {
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
tp = (uint32 *) sp->tbuf;
|
||||
}
|
||||
/* copy to array of uint32 */
|
||||
bp = (unsigned char*) tif->tif_rawcp;
|
||||
cc = tif->tif_rawcc;
|
||||
- for (i = 0; i < npixels && cc > 0; i++) {
|
||||
+ for (i = 0; i < npixels && cc >= 3; i++) {
|
||||
tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
|
||||
bp += 3;
|
||||
cc -= 3;
|
||||
@@ -325,7 +336,11 @@
|
||||
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
|
||||
tp = (uint32*) op;
|
||||
else {
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
tp = (uint32*) sp->tbuf;
|
||||
}
|
||||
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
|
||||
@@ -334,11 +349,13 @@
|
||||
cc = tif->tif_rawcc;
|
||||
/* get each byte string */
|
||||
for (shft = 4*8; (shft -= 8) >= 0; ) {
|
||||
- for (i = 0; i < npixels && cc > 0; )
|
||||
+ for (i = 0; i < npixels && cc > 0; ) {
|
||||
if (*bp >= 128) { /* run */
|
||||
+ if( cc < 2 )
|
||||
+ break;
|
||||
rc = *bp++ + (2-128);
|
||||
b = (uint32)*bp++ << shft;
|
||||
- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
|
||||
+ cc -= 2;
|
||||
while (rc-- && i < npixels)
|
||||
tp[i++] |= b;
|
||||
} else { /* non-run */
|
||||
@@ -346,6 +363,7 @@
|
||||
while (--cc && rc-- && i < npixels)
|
||||
tp[i++] |= (uint32)*bp++ << shft;
|
||||
}
|
||||
+ }
|
||||
if (i != npixels) {
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
@@ -413,6 +431,7 @@
|
||||
static int
|
||||
LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
{
|
||||
+ static const char module[] = "LogL16Encode";
|
||||
LogLuvState* sp = EncoderState(tif);
|
||||
int shft;
|
||||
tmsize_t i;
|
||||
@@ -433,7 +452,11 @@
|
||||
tp = (int16*) bp;
|
||||
else {
|
||||
tp = (int16*) sp->tbuf;
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
(*sp->tfunc)(sp, bp, npixels);
|
||||
}
|
||||
/* compress each byte string */
|
||||
@@ -506,6 +529,7 @@
|
||||
static int
|
||||
LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
{
|
||||
+ static const char module[] = "LogLuvEncode24";
|
||||
LogLuvState* sp = EncoderState(tif);
|
||||
tmsize_t i;
|
||||
tmsize_t npixels;
|
||||
@@ -521,7 +545,11 @@
|
||||
tp = (uint32*) bp;
|
||||
else {
|
||||
tp = (uint32*) sp->tbuf;
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
(*sp->tfunc)(sp, bp, npixels);
|
||||
}
|
||||
/* write out encoded pixels */
|
||||
@@ -553,6 +581,7 @@
|
||||
static int
|
||||
LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
{
|
||||
+ static const char module[] = "LogLuvEncode32";
|
||||
LogLuvState* sp = EncoderState(tif);
|
||||
int shft;
|
||||
tmsize_t i;
|
||||
@@ -574,7 +603,11 @@
|
||||
tp = (uint32*) bp;
|
||||
else {
|
||||
tp = (uint32*) sp->tbuf;
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
(*sp->tfunc)(sp, bp, npixels);
|
||||
}
|
||||
/* compress each byte string */
|
|
@ -0,0 +1,49 @@
|
|||
2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
|
||||
triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
|
||||
(bugzilla #2508)
|
||||
|
||||
diff -u -r1.16 -r1.18
|
||||
--- libtiff/libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16
|
||||
+++ libtiff/libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
|
||||
+/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988-1997 Sam Leffler
|
||||
@@ -37,7 +37,7 @@
|
||||
case 0: op[0] = (unsigned char) ((v) << 6); break; \
|
||||
case 1: op[0] |= (v) << 4; break; \
|
||||
case 2: op[0] |= (v) << 2; break; \
|
||||
- case 3: *op++ |= (v); break; \
|
||||
+ case 3: *op++ |= (v); op_offset++; break; \
|
||||
} \
|
||||
}
|
||||
|
||||
@@ -103,6 +103,7 @@
|
||||
}
|
||||
default: {
|
||||
uint32 npixels = 0, grey;
|
||||
+ tmsize_t op_offset = 0;
|
||||
uint32 imagewidth = tif->tif_dir.td_imagewidth;
|
||||
if( isTiled(tif) )
|
||||
imagewidth = tif->tif_dir.td_tilewidth;
|
||||
@@ -122,10 +123,15 @@
|
||||
* bounds, potentially resulting in a security
|
||||
* issue.
|
||||
*/
|
||||
- while (n-- > 0 && npixels < imagewidth)
|
||||
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
|
||||
SETPIXEL(op, grey);
|
||||
if (npixels >= imagewidth)
|
||||
break;
|
||||
+ if (op_offset >= scanline ) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
|
||||
+ (long) tif->tif_row);
|
||||
+ return (0);
|
||||
+ }
|
||||
if (cc == 0)
|
||||
goto bad;
|
||||
n = *bp++, cc--;
|
Reference in New Issue