diff options
author | spz <spz@pkgsrc.org> | 2018-10-26 07:02:55 +0000 |
---|---|---|
committer | spz <spz@pkgsrc.org> | 2018-10-26 07:02:55 +0000 |
commit | 63c49c7cab5fe2983886b33700b2b224409fd833 (patch) | |
tree | 775b13ff1a3f3e8396abe8e15a481b99367c6a02 | |
parent | 420bd9541c8bf3d46194f7429b06438bccfad609 (diff) | |
download | pkgsrc-63c49c7cab5fe2983886b33700b2b224409fd833.tar.gz |
Pullup ticket #5853 - requested by maya
graphics/tiff: security patch
Revisions pulled up:
- graphics/tiff/Makefile 1.142
- graphics/tiff/distinfo 1.91
- graphics/tiff/patches/patch-libtiff_tif__jbig.c 1.1
- graphics/tiff/patches/patch-libtiff_tif__read.c 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: maya
Date: Thu Oct 25 22:58:05 UTC 2018
Modified Files:
pkgsrc/graphics/tiff: Makefile distinfo
Added Files:
pkgsrc/graphics/tiff/patches: patch-libtiff_tif__jbig.c
patch-libtiff_tif__read.c
Log Message:
tiff: apply fix for CVE-2018-18557
>From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 14 Oct 2018 16:38:29 +0200
Subject: [PATCH 1/1] JBIG: fix potential out-of-bounds write in JBIGDecode()
JBIGDecode doesn't check if the user provided buffer is large enough
to store the JBIG decoded image, which can potentially cause out-of-bounds
write in the buffer.
This issue was reported and analyzed by Thomas Dullien.
Also fixes a (harmless) potential use of uninitialized memory when
tif->tif_rawsize > tif->tif_rawcc
And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
that whole strip data is provided to JBIGDecode()
The last part (CHUNKY_STRIP_READ_SUPPORT) was adapted by myself to fit
the libtiff release.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.141 -r1.142 pkgsrc/graphics/tiff/Makefile
cvs rdiff -u -r1.90 -r1.91 pkgsrc/graphics/tiff/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/graphics/tiff/patches/patch-libtiff_tif__jbig.c \
pkgsrc/graphics/tiff/patches/patch-libtiff_tif__read.c
-rw-r--r-- | graphics/tiff/Makefile | 4 | ||||
-rw-r--r-- | graphics/tiff/distinfo | 4 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-libtiff_tif__jbig.c | 77 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-libtiff_tif__read.c | 23 |
4 files changed, 105 insertions, 3 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile index cbc0f4798ee..733149d72ad 100644 --- a/graphics/tiff/Makefile +++ b/graphics/tiff/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.141 2018/06/21 23:11:04 tez Exp $ +# $NetBSD: Makefile,v 1.141.4.1 2018/10/26 07:02:55 spz Exp $ DISTNAME= tiff-4.0.9 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= graphics MASTER_SITES= ftp://download.osgeo.org/libtiff/ diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo index c563fb3afb5..6c009e815d2 100644 --- a/graphics/tiff/distinfo +++ b/graphics/tiff/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.90 2018/06/21 23:11:04 tez Exp $ +$NetBSD: distinfo,v 1.90.4.1 2018/10/26 07:02:55 spz Exp $ SHA1 (tiff-4.0.9.tar.gz) = 87d4543579176cc568668617c22baceccd568296 RMD160 (tiff-4.0.9.tar.gz) = ab5b3b7297e79344775b1e70c4d54c90c06836a3 @@ -7,4 +7,6 @@ Size (tiff-4.0.9.tar.gz) = 2305681 bytes SHA1 (patch-CVE-2017-9935) = d33f3311e5bb96bf415f894237ab4dfcfafd2610 SHA1 (patch-CVE-2018-8905) = 3a7081957ff2f4d6e777df5a9609ba89eecd8fbc SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6 +SHA1 (patch-libtiff_tif__jbig.c) = feb404c5c70c0f4f10fa53351fab4db163bbccf3 +SHA1 (patch-libtiff_tif__read.c) = a69f7a462e0dfe6b01240816ed546d7e381044e8 SHA1 (patch-tools_pal2rgb.c) = f91652e8013940c162add870ceb9845e2730bc2c diff --git a/graphics/tiff/patches/patch-libtiff_tif__jbig.c b/graphics/tiff/patches/patch-libtiff_tif__jbig.c new file mode 100644 index 00000000000..98256dc29a4 --- /dev/null +++ b/graphics/tiff/patches/patch-libtiff_tif__jbig.c @@ -0,0 +1,77 @@ +$NetBSD: patch-libtiff_tif__jbig.c,v 1.1.2.2 2018/10/26 07:02:56 spz Exp $ + +From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 (CVE-2018-18557) + +JBIGDecode doesn't check if the user provided buffer is large enough +to store the JBIG decoded image, which can potentially cause out-of-bounds +write in the buffer. +This issue was reported and analyzed by Thomas Dullien. + +Also fixes a (harmless) potential use of uninitialized memory when +tif->tif_rawsize > tif->tif_rawcc + +--- libtiff/tif_jbig.c.orig 2017-06-30 13:27:54.399206925 +0000 ++++ libtiff/tif_jbig.c +@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* + struct jbg_dec_state decoder; + int decodeStatus = 0; + unsigned char* pImage = NULL; +- (void) size, (void) s; ++ unsigned long decodedSize; ++ (void) s; + + if (isFillOrder(tif, tif->tif_dir.td_fillorder)) + { +- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize); ++ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc); + } + + jbg_dec_init(&decoder); + + #if defined(HAVE_JBG_NEWLEN) +- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize); ++ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc); + /* + * I do not check the return status of jbg_newlen because even if this + * function fails it does not necessarily mean that decoding the image +@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* + */ + #endif /* HAVE_JBG_NEWLEN */ + +- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata, +- (size_t)tif->tif_rawdatasize, NULL); ++ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp, ++ (size_t)tif->tif_rawcc, NULL); + if (JBG_EOK != decodeStatus) + { + /* +@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* + return 0; + } + ++ decodedSize = jbg_dec_getsize(&decoder); ++ if( (tmsize_t)decodedSize < size ) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "JBIG", ++ "Only decoded %lu bytes, whereas %lu requested", ++ decodedSize, (unsigned long)size); ++ } ++ else if( (tmsize_t)decodedSize > size ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, "JBIG", ++ "Decoded %lu bytes, whereas %lu were requested", ++ decodedSize, (unsigned long)size); ++ jbg_dec_free(&decoder); ++ return 0; ++ } + pImage = jbg_dec_getimage(&decoder, 0); +- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder)); ++ _TIFFmemcpy(buffer, pImage, decodedSize); + jbg_dec_free(&decoder); ++ ++ tif->tif_rawcp += tif->tif_rawcc; ++ tif->tif_rawcc = 0; ++ + return 1; + } + diff --git a/graphics/tiff/patches/patch-libtiff_tif__read.c b/graphics/tiff/patches/patch-libtiff_tif__read.c new file mode 100644 index 00000000000..529a4e3a5cb --- /dev/null +++ b/graphics/tiff/patches/patch-libtiff_tif__read.c @@ -0,0 +1,23 @@ +$NetBSD: patch-libtiff_tif__read.c,v 1.1.2.2 2018/10/26 07:02:56 spz Exp $ + +And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure +that whole strip data is provided to JBIGDecode() + +Part of commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66 which fixes +CVE-2018-18557 + +--- libtiff/tif_read.c.orig 2017-11-18 14:42:21.664534434 +0000 ++++ libtiff/tif_read.c +@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 s + return 0; + whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10 + || isMapped(tif); ++ if( td->td_compression == COMPRESSION_JBIG ) ++ { ++ /* Ideally plugins should have a way to declare they don't support ++ * chunk strip */ ++ whole_strip = 1; ++ } + #else + whole_strip = 1; + #endif |