diff options
author | nia <nia@pkgsrc.org> | 2022-03-25 09:32:49 +0000 |
---|---|---|
committer | nia <nia@pkgsrc.org> | 2022-03-25 09:32:49 +0000 |
commit | 6c06a79c7a5170b420337cf1a7df4b78e27d18f6 (patch) | |
tree | 9302643319b41c20fc0593a5e8a4ed09a9e05cf5 /graphics/tiff | |
parent | 169c7df06fd301131c91982764636d7937b91220 (diff) | |
download | pkgsrc-6c06a79c7a5170b420337cf1a7df4b78e27d18f6.tar.gz |
tiff: apply fixes for CVE-2022-0561 CVE-2022-0907 CVE-2022-0891
CVE-2022-0907 CVE-2022-0909
bump PKGREVISION again...
Diffstat (limited to 'graphics/tiff')
-rw-r--r-- | graphics/tiff/Makefile | 4 | ||||
-rw-r--r-- | graphics/tiff/distinfo | 7 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2022-0561 | 16 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2022-0907 | 281 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2022-0909 | 23 | ||||
-rw-r--r-- | graphics/tiff/patches/patch-CVE-2022-0924 | 44 |
6 files changed, 369 insertions, 6 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile index fd6a3f5372c..5c95f4df421 100644 --- a/graphics/tiff/Makefile +++ b/graphics/tiff/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.151 2022/03/25 08:36:37 nia Exp $ +# $NetBSD: Makefile,v 1.152 2022/03/25 09:32:49 nia Exp $ DISTNAME= tiff-4.3.0 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= graphics MASTER_SITES= https://download.osgeo.org/libtiff/ diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo index e6c112c2dec..5dc4398123a 100644 --- a/graphics/tiff/distinfo +++ b/graphics/tiff/distinfo @@ -1,8 +1,11 @@ -$NetBSD: distinfo,v 1.101 2022/03/25 08:36:37 nia Exp $ +$NetBSD: distinfo,v 1.102 2022/03/25 09:32:49 nia Exp $ BLAKE2s (tiff-4.3.0.tar.gz) = 28ba59df6d3d7a967dc168645bfc78f047ac8f7f548050abbbd0560f9dd21c75 SHA512 (tiff-4.3.0.tar.gz) = e04a4a6c542e58a174c1e9516af3908acf1d3d3e1096648c5514f4963f73e7af27387a76b0fbabe43cf867a18874088f963796a7cd6e45deb998692e3e235493 Size (tiff-4.3.0.tar.gz) = 2808254 bytes -SHA1 (patch-CVE-2022-0561) = ceb02d9fb6a897a50d65fd3f46ab527ea84562a4 +SHA1 (patch-CVE-2022-0561) = a40f12dc11d431d6373d7799d1d2664ea3eabee1 +SHA1 (patch-CVE-2022-0907) = 92a50bbba3cd0aa6b0bf3b85ce46d3948d4dd19d +SHA1 (patch-CVE-2022-0909) = 747db983e9dd0b79860eaaf975f698a129bf044d +SHA1 (patch-CVE-2022-0924) = 82ecc85556f01e6363694c86465bc20723ac3261 SHA1 (patch-CVE-2022-22844) = 268d67ea1a24c6078006c37bf5c56b00a6a0183f SHA1 (patch-Makefile.in) = de93f4a2cea4bffc117482fdc6875adfb9aa67e0 diff --git a/graphics/tiff/patches/patch-CVE-2022-0561 b/graphics/tiff/patches/patch-CVE-2022-0561 index 250818c866f..3699da0c787 100644 --- a/graphics/tiff/patches/patch-CVE-2022-0561 +++ b/graphics/tiff/patches/patch-CVE-2022-0561 @@ -1,4 +1,4 @@ -$NetBSD: patch-CVE-2022-0561,v 1.1 2022/03/25 08:36:37 nia Exp $ +$NetBSD: patch-CVE-2022-0561,v 1.2 2022/03/25 09:32:49 nia Exp $ https://gitlab.com/libtiff/libtiff/-/issues/362 @@ -16,7 +16,19 @@ This fixes CVE-2022-0561 and CVE-2022-0562. _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); _TIFFfree(new_sampleinfo); } -@@ -5765,8 +5766,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn +@@ -5079,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); ++ if (dp->tdir_count > 0 ) ++ { ++ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); ++ } + o[(uint32_t)dp->tdir_count]=0; + if (data!=0) + _TIFFfree(data); +@@ -5765,8 +5769,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn _TIFFfree(data); return(0); } diff --git a/graphics/tiff/patches/patch-CVE-2022-0907 b/graphics/tiff/patches/patch-CVE-2022-0907 new file mode 100644 index 00000000000..74320d41000 --- /dev/null +++ b/graphics/tiff/patches/patch-CVE-2022-0907 @@ -0,0 +1,281 @@ +$NetBSD: patch-CVE-2022-0907,v 1.1 2022/03/25 09:32:49 nia Exp $ + +[PATCH] add checks for return value of limitMalloc (CVE-2022-0907) +https://gitlab.com/libtiff/libtiff/-/merge_requests/314.patch + +[PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in + extractImageSection (CVE-2022-0891) +https://gitlab.com/libtiff/libtiff/-/commit/46dc8fcd4d38c3b6f35ab28e532aee80e6f609d6.patch + +--- tools/tiffcrop.c.orig 2021-03-07 18:09:46.000000000 +0000 ++++ tools/tiffcrop.c +@@ -105,8 +105,8 @@ + * of messages to monitor progress without enabling dump logs. + */ + +-static char tiffcrop_version_id[] = "2.4"; +-static char tiffcrop_rev_date[] = "12-13-2010"; ++static char tiffcrop_version_id[] = "2.4.1"; ++static char tiffcrop_rev_date[] = "03-03-2010"; + + #include "tif_config.h" + #include "libport.h" +@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *i + #ifdef DEVELMODE + uint32_t img_length; + #endif +- uint32_t j, shift1, shift2, trailing_bits; ++ uint32_t j, shift1, trailing_bits; + uint32_t row, first_row, last_row, first_col, last_col; + uint32_t src_offset, dst_offset, row_offset, col_offset; +- uint32_t offset1, offset2, full_bytes; ++ uint32_t offset1, full_bytes; + uint32_t sect_width; + #ifdef DEVELMODE + uint32_t sect_length; +@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *i + #ifdef DEVELMODE + int k; + unsigned char bitset; +- static char *bitarray = NULL; + #endif + + img_width = image->width; +@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *i + dst_offset = 0; + + #ifdef DEVELMODE +- if (bitarray == NULL) +- { +- if ((bitarray = (char *)malloc(img_width)) == NULL) +- { +- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); +- return (-1); +- } +- } ++ char bitarray[39]; + #endif + +- /* rows, columns, width, length are expressed in pixels */ ++ /* rows, columns, width, length are expressed in pixels ++ * first_row, last_row, .. are index into image array starting at 0 to width-1, ++ * last_col shall be also extracted. */ + first_row = section->y1; + last_row = section->y2; + first_col = section->x1; +@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *i + #ifdef DEVELMODE + sect_length = last_row - first_row + 1; + #endif +- img_rowsize = ((img_width * bps + 7) / 8) * spp; +- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ +- trailing_bits = (sect_width * bps) % 8; ++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved ++ * samples rather than separate planes so the same logic works to extract regions ++ * regardless of the way the data are organized in the input file. ++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 ++ */ ++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ ++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ ++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ + + #ifdef DEVELMODE + TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", +@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *i + + if ((bps % 8) == 0) + { +- col_offset = first_col * spp * bps / 8; ++ col_offset = (first_col * spp * bps) / 8; + for (row = first_row; row <= last_row; row++) + { +- /* row_offset = row * img_width * spp * bps / 8; */ + row_offset = row * img_rowsize; + src_offset = row_offset + col_offset; + +@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *i + } + else + { /* bps != 8 */ +- shift1 = spp * ((first_col * bps) % 8); +- shift2 = spp * ((last_col * bps) % 8); ++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ + for (row = first_row; row <= last_row; row++) + { + /* pull out the first byte */ + row_offset = row * img_rowsize; +- offset1 = row_offset + (first_col * bps / 8); +- offset2 = row_offset + (last_col * bps / 8); ++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ + + #ifdef DEVELMODE + for (j = 0, k = 7; j < 8; j++, k--) +@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *i + sprintf(&bitarray[9], " "); + for (j = 10, k = 7; j < 18; j++, k--) + { +- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; ++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; + sprintf(&bitarray[j], (bitset) ? "1" : "0"); + } + bitarray[18] = '\0'; +- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n", +- row, offset1, shift1, offset2, shift2); ++ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", ++ row, offset1, shift1, offset1+full_bytes, trailing_bits); + #endif + + bytebuff1 = bytebuff2 = 0; +@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *i + + if (trailing_bits != 0) + { +- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); ++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ ++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); + sect_buff[dst_offset] = bytebuff2; + #ifdef DEVELMODE + TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", +- offset2, dst_offset); ++ offset1 + full_bytes, dst_offset); + for (j = 30, k = 7; j < 38; j++, k--) + { + bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; +@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *i + #endif + for (j = 0; j <= full_bytes; j++) + { +- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); +- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); ++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ ++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ ++ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); ++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); + sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); + } + #ifdef DEVELMODE +@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *i + #endif + dst_offset += full_bytes; + ++ /* Copy the trailing_bits for the last byte in the destination buffer. ++ Could come from one ore two bytes of the source buffer. */ + if (trailing_bits != 0) + { + #ifdef DEVELMODE +- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset); +-#endif +- if (shift2 > shift1) +- { +- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); +- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); +- sect_buff[dst_offset] = bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 > Shift1\n"); ++ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); + #endif ++ /* More than necessary bits are already copied into last destination buffer, ++ * only masking of last byte in destination buffer is necessary.*/ ++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); + } +- else +- { +- if (shift2 < shift1) +- { +- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); +- sect_buff[dst_offset] &= bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 < Shift1\n"); +-#endif +- } +-#ifdef DEVELMODE +- else +- TIFFError ("", " Shift2 == Shift1\n"); +-#endif +- } +- } + #ifdef DEVELMODE + sprintf(&bitarray[28], " "); + sprintf(&bitarray[29], " "); +@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, + width = sections[i].x2 - sections[i].x1 + 1; + length = sections[i].y2 - sections[i].y1 + 1; + sectsize = (uint32_t) +- ceil((width * image->bps + 7) / (double)8) * image->spp * length; ++ ceil((width * image->bps * image->spp + 7) / (double)8) * length; + /* allocate a buffer if we don't have one already */ + if (createImageSection(sectsize, sect_buff_ptr)) + { +@@ -7377,7 +7357,11 @@ createImageSection(uint32_t sectsize, un + if (!sect_buff) + { + sect_buff = (unsigned char *)limitMalloc(sectsize); +- *sect_buff_ptr = sect_buff; ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + else +@@ -7393,15 +7377,15 @@ createImageSection(uint32_t sectsize, un + else + sect_buff = new_buff; + ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + } + +- if (!sect_buff) +- { +- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); +- return (-1); +- } + prev_sectsize = sectsize; + *sect_buff_ptr = sect_buff; + +@@ -7668,7 +7652,11 @@ createCroppedImage(struct image_data *im + if (!crop_buff) + { + crop_buff = (unsigned char *)limitMalloc(cropsize); +- *crop_buff_ptr = crop_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + prev_cropsize = cropsize; + } +@@ -7684,15 +7672,15 @@ createCroppedImage(struct image_data *im + } + else + crop_buff = new_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + } + } + +- if (!crop_buff) +- { +- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); +- return (-1); +- } + *crop_buff_ptr = crop_buff; + + if (crop->crop_mode & CROP_INVERT) +@@ -9251,3 +9239,4 @@ invertImage(uint16_t photometric, uint16 + * fill-column: 78 + * End: + */ ++ diff --git a/graphics/tiff/patches/patch-CVE-2022-0909 b/graphics/tiff/patches/patch-CVE-2022-0909 new file mode 100644 index 00000000000..f3ea46591d6 --- /dev/null +++ b/graphics/tiff/patches/patch-CVE-2022-0909 @@ -0,0 +1,23 @@ +$NetBSD: patch-CVE-2022-0909,v 1.1 2022/03/25 09:32:49 nia Exp $ + +[PATCH] fix FPE in tiffcrop +https://gitlab.com/libtiff/libtiff/-/merge_requests/310.patch + +--- libtiff/tif_dir.c.orig 2021-03-05 13:01:43.000000000 +0000 ++++ libtiff/tif_dir.c +@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, + break; + case TIFFTAG_XRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); + break; diff --git a/graphics/tiff/patches/patch-CVE-2022-0924 b/graphics/tiff/patches/patch-CVE-2022-0924 new file mode 100644 index 00000000000..1be217ae2bf --- /dev/null +++ b/graphics/tiff/patches/patch-CVE-2022-0924 @@ -0,0 +1,44 @@ +$NetBSD: patch-CVE-2022-0924,v 1.1 2022/03/25 09:32:49 nia Exp $ + +[PATCH] fix heap buffer overflow in tiffcp +https://gitlab.com/libtiff/libtiff/-/commit/408976c44ef0aad975e0d1b6c6dc80d60f9dc665.patch + +--- tools/tiffcp.c.orig 2021-04-08 21:48:47.000000000 +0000 ++++ tools/tiffcp.c +@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt + tdata_t obuf; + tstrip_t strip = 0; + tsample_t s; ++ uint16_t bps = 0, bytes_per_sample; + + obuf = limitMalloc(stripsize); + if (obuf == NULL) + return (0); + _TIFFmemset(obuf, 0, stripsize); + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); ++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ bytes_per_sample = bps/8; + for (s = 0; s < spp; s++) { + uint32_t row; + for (row = 0; row < imagelength; row += rowsperstrip) { +@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt + + cpContigBufToSeparateBuf( + obuf, (uint8_t*) buf + row * rowsize + s, +- nrows, imagewidth, 0, 0, spp, 1); ++ nrows, imagewidth, 0, 0, spp, bytes_per_sample); + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { + TIFFError(TIFFFileName(out), + "Error, can't write strip %"PRIu32, |