From ede60552f334120b66313522df1e39f50876002c Mon Sep 17 00:00:00 2001 From: bsiegert Date: Thu, 18 Jul 2019 13:32:31 +0000 Subject: Pullup ticket #6004 - requested by nia graphics/tiff: security fix Revisions pulled up: - graphics/tiff/Makefile 1.145 - graphics/tiff/distinfo 1.94 - graphics/tiff/patches/patch-CVE-2018-12900 1.1 - graphics/tiff/patches/patch-CVE-2018-17000 1.1 - graphics/tiff/patches/patch-CVE-2018-19210 1.1 - graphics/tiff/patches/patch-CVE-2019-6128 1.1 --- Module Name: pkgsrc Committed By: nia Date: Wed Jul 17 09:25:45 UTC 2019 Modified Files: pkgsrc/graphics/tiff: Makefile distinfo Added Files: pkgsrc/graphics/tiff/patches: patch-CVE-2018-12900 patch-CVE-2018-17000 patch-CVE-2018-19210 patch-CVE-2019-6128 Log Message: tiff: Apply patches from upstream's git for the following CVEs: CVE-2018-12900 - buffer-overflow CVE-2018-17000 - denial-of-service CVE-2018-19210 - null-pointer-dereference CVE-2019-6128 - memory-leak Bump PKGREVISION. --- graphics/tiff/Makefile | 3 +- graphics/tiff/distinfo | 6 ++- graphics/tiff/patches/patch-CVE-2018-12900 | 39 ++++++++++++++++ graphics/tiff/patches/patch-CVE-2018-17000 | 26 +++++++++++ graphics/tiff/patches/patch-CVE-2018-19210 | 74 ++++++++++++++++++++++++++++++ graphics/tiff/patches/patch-CVE-2019-6128 | 40 ++++++++++++++++ 6 files changed, 186 insertions(+), 2 deletions(-) create mode 100644 graphics/tiff/patches/patch-CVE-2018-12900 create mode 100644 graphics/tiff/patches/patch-CVE-2018-17000 create mode 100644 graphics/tiff/patches/patch-CVE-2018-19210 create mode 100644 graphics/tiff/patches/patch-CVE-2019-6128 (limited to 'graphics')
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index c739afff4a6..ff36946a3bb 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.144 2018/11/10 21:14:53 maya Exp $
+# $NetBSD: Makefile,v 1.144.6.1 2019/07/18 13:32:31 bsiegert Exp $
 DISTNAME= tiff-4.0.10
+PKGREVISION= 1
 CATEGORIES= graphics
 MASTER_SITES= https://download.osgeo.org/libtiff/
diff --git a/graphics/tiff/distinfo b/graphics/tiff/distinfo
index 5abafc2bffe..854b2d19f51 100644
--- a/graphics/tiff/distinfo
+++ b/graphics/tiff/distinfo
@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.93 2018/11/10 21:14:53 maya Exp $
+$NetBSD: distinfo,v 1.93.6.1 2019/07/18 13:32:31 bsiegert Exp $
 SHA1 (tiff-4.0.10.tar.gz) = c783b80f05cdacf282aa022dc5f5b0ede5e021ae
 RMD160 (tiff-4.0.10.tar.gz) = b25cc4002f2493e71763d0a465a50e9d6ee2aff0
 SHA512 (tiff-4.0.10.tar.gz) = d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8
 Size (tiff-4.0.10.tar.gz) = 2402867 bytes
+SHA1 (patch-CVE-2018-12900) = 31d6dcc66a293aa722d7d27b7edd48db50cf9482
+SHA1 (patch-CVE-2018-17000) = c7e4047c007a7519cfbd09125a0b3d5de48af069
+SHA1 (patch-CVE-2018-19210) = d915af6121a13aca5b30dd8506cdae49198e67b6
+SHA1 (patch-CVE-2019-6128) = cb18a950e95ceec348294178348847eeb7340bab
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
diff --git a/graphics/tiff/patches/patch-CVE-2018-12900 b/graphics/tiff/patches/patch-CVE-2018-12900
new file mode 100644
index 00000000000..5e80e395762
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2018-12900
@@ -0,0 +1,39 @@
+$NetBSD: patch-CVE-2018-12900,v 1.1.2.2 2019/07/18 13:32:31 bsiegert Exp $
+
+Fixes CVE-2018-12900
+
+Upstream commit:
+https://gitlab.com/libtiff/libtiff/commit/27124e9148b2056d0e0bf4033b4924d5d2a38d01.patch
+
+--- tools/tiffcp.c.orig 2018-10-13 13:58:55.000000000 +0000
++++ tools/tiffcp.c
+@@ -41,6 +41,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -1408,7 +1409,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
+ int status = 1;
+ uint32 imagew = TIFFRasterScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew*spp;
++ int iskew;
+ tsize_t tilesize = TIFFTileSize(in);
+ tdata_t tilebuf;
+ uint8* bufp = (uint8*) buf;
+@@ -1416,6 +1417,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuf
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
++ if (spp > (INT_MAX / tilew))
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++ return 0;
++ }
++ iskew = imagew - tilew*spp;
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+ return 0;
diff --git a/graphics/tiff/patches/patch-CVE-2018-17000 b/graphics/tiff/patches/patch-CVE-2018-17000
new file mode 100644
index 00000000000..d42aaa01f3e
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2018-17000
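Review bot: In tools/tiffcp.c the new guard `if (spp > (INT_MAX / tilew))` divides by `tilew` without first checking it for zero. `tilew` is assigned from `TIFFTileRowSize(in)` a few lines above, and if that call can return 0 for a malformed or failing input (its implementation is not part of this patch, so this needs confirming), the overflow check itself becomes a division by zero on an untrusted file. Testing `tilew` first keeps the check safe: `if (tilew && spp > (INT_MAX / tilew))`. The body of the read function continues outside the hunk, so the later uses of `iskew` are not visible here.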
@@ -0,0 +1,26 @@
+$NetBSD: patch-CVE-2018-17000,v 1.1.2.2 2019/07/18 13:32:31 bsiegert Exp $
+
+Fixes CVE-2018-17000
+
+Upstream commit:
+https://gitlab.com/libtiff/libtiff/commit/802d3cbf3043be5dce5317e140ccb1c17a6a2d39.patch
+
+--- libtiff/tif_dirwrite.c.orig 2018-06-24 20:26:30.000000000 +0000
++++ libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TI
+ n=3;
+ if (n==3)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[2] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ n=2;
+ }
+ if (n==2)
+ {
+- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++ if (tif->tif_dir.td_transferfunction[1] == NULL ||
++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ n=1;
+ }
+ if (n==0)
diff --git a/graphics/tiff/patches/patch-CVE-2018-19210 b/graphics/tiff/patches/patch-CVE-2018-19210
new file mode 100644
index 00000000000..c64811fcd55
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2018-19210
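Review bot: The two added `== NULL` tests in TIFFWriteDirectoryTagTransferfunction (libtiff/tif_dirwrite.c) fold a missing table into the "identical to table 0" case so that n drops to 2 and then 1, and nothing in the code says that this is deliberate. A short comment above the `if (n==3)` block would keep a later cleanup from removing them, for example `/* a NULL td_transferfunction[1] or [2] counts as equal to [0], so fewer columns are written instead of comparing against it */`. `td_transferfunction[0]` is still handed to `_TIFFmemcmp` unchecked; that is safe only if the caller guarantees it is set whenever this tag is written, and the caller, like the rest of this function, is outside the hunk.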
@@ -0,0 +1,74 @@
+$NetBSD: patch-CVE-2018-19210,v 1.1.2.2 2019/07/18 13:32:31 bsiegert Exp $
+
+Fixes CVE-2018-19210
+
+Upstream commits:
+https://gitlab.com/libtiff/libtiff/commit/1edeee44c8b9cb3f647ac175d434f5d9f2b03aeb.patch
+https://gitlab.com/libtiff/libtiff/commit/38ede78b13810ff0fa8e61f86ef9aa0ab2964668.patch
+
+--- libtiff/tif_dir.c.orig 2018-05-05 13:50:35.000000000 +0000
++++ libtiff/tif_dir.c
+@@ -88,13 +88,15 @@ setDoubleArrayOneValue(double** vpp, dou
+ * Install extra samples information.
+ */
+ static int
+-setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
++setExtraSamples(TIFF* tif, va_list ap, uint32* v)
+ {
+ /* XXX: Unassociated alpha data == 999 is a known Corel Draw bug, see below */
+ #define EXTRASAMPLE_COREL_UNASSALPHA 999
+
+ uint16* va;
+ uint32 i;
++ TIFFDirectory* td = &tif->tif_dir;
++ static const char module[] = "setExtraSamples";
+
+ *v = (uint16) va_arg(ap, uint16_vap);
+ if ((uint16) *v > td->td_samplesperpixel)
+@@ -116,6 +118,18 @@ setExtraSamples(TIFFDirectory* td, va_li
+ return 0;
+ }
+ }
++
++ if ( td->td_transferfunction[0] != NULL && (td->td_samplesperpixel - *v > 1) &&
++ !(td->td_samplesperpixel - td->td_extrasamples > 1))
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "ExtraSamples tag value is changing, "
++ "but TransferFunction was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++ _TIFFfree(td->td_transferfunction[0]);
++ td->td_transferfunction[0] = NULL;
++ }
++
+ td->td_extrasamples = (uint16) *v;
+ _TIFFsetShortArray(&td->td_sampleinfo, va, td->td_extrasamples);
+ return 1;
+@@ -285,6 +299,18 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+ _TIFFfree(td->td_smaxsamplevalue);
+ td->td_smaxsamplevalue = NULL;
+ }
++ /* Test if 3 transfer functions instead of just one are now needed
++ See http://bugzilla.maptools.org/show_bug.cgi?id=2820 */
++ if( td->td_transferfunction[0] != NULL && (v - td->td_extrasamples > 1) &&
++ !(td->td_samplesperpixel - td->td_extrasamples > 1))
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "SamplesPerPixel tag value is changing, "
++ "but TransferFunction was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_TRANSFERFUNCTION);
++ _TIFFfree(td->td_transferfunction[0]);
++ td->td_transferfunction[0] = NULL;
++ }
+ }
+ td->td_samplesperpixel = (uint16) v;
+ break;
+@@ -361,7 +387,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+ _TIFFsetShortArray(&td->td_colormap[2], va_arg(ap, uint16*), v32);
+ break;
+ case TIFFTAG_EXTRASAMPLES:
+- if (!setExtraSamples(td, ap, &v))
++ if (!setExtraSamples(tif, ap, &v))
+ goto badvalue;
+ break;
+ case TIFFTAG_MATTEING:
diff --git a/graphics/tiff/patches/patch-CVE-2019-6128 b/graphics/tiff/patches/patch-CVE-2019-6128
new file mode 100644
index 00000000000..e5f4b51e1f6
--- /dev/null
+++ b/graphics/tiff/patches/patch-CVE-2019-6128
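Review bot: In the SamplesPerPixel branch of _TIFFVSetField (libtiff/tif_dir.c), `(v - td->td_extrasamples > 1)` is an unsigned subtraction, since `v` is the `uint32` whose address is passed to setExtraSamples further down. A new SamplesPerPixel value smaller than the current ExtraSamples count wraps to a large number, so the test passes and the TransferFunction is cancelled with a warning even though three tables are not needed; this errs on the safe side but is not what the comment above it describes. Comparing without subtracting avoids the wrap: `if( td->td_transferfunction[0] != NULL && v > (uint32)td->td_extrasamples + 1 &&`. The same cancel sequence is repeated in setExtraSamples, where the earlier `(uint16) *v > td->td_samplesperpixel` test appears to rule the wrap out; both functions extend beyond the hunks shown.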
@@ -0,0 +1,40 @@
+$NetBSD: patch-CVE-2019-6128,v 1.1.2.2 2019/07/18 13:32:31 bsiegert Exp $
+
+Fix for a simple memory leak that was assigned CVE-2019-6128.
+
+Upstream commit:
+https://gitlab.com/libtiff/libtiff/commit/ae0bed1fe530a82faf2e9ea1775109dbf301a971.patch
+
+--- tools/pal2rgb.c.orig 2018-10-13 13:58:55.000000000 +0000
++++ tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ shortv != PHOTOMETRIC_PALETTE) {
+ fprintf(stderr, "%s: Expecting a palette image.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ fprintf(stderr,
+ "%s: No colormap (not a valid palette image).\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ if (bitspersample != 8) {
+ fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ argv[optind]);
++ (void) TIFFClose(in);
+ return (-1);
+ }
+ out = TIFFOpen(argv[optind+1], "w");
+- if (out == NULL)
++ if (out == NULL) {
++ (void) TIFFClose(in);
+ return (-2);
++ }
+ cpTags(in, out);
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
-- cgit v1.2.3
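Review bot: The four added `(void) TIFFClose(in);` calls in main (tools/pal2rgb.c) repeat the same cleanup before each early return, so the next error exit added to this function can miss it again. A shared error exit closes `in` in one place: keep the status in a local, jump to a label from each failing check, and close the handle there. main starts before and continues past the hunks shown, so exits after `cpTags(in, out)`, where `out` is open as well, are not visible here and should be checked for the same leak.

```c
	int rc = -1;	/* status returned by the shared error exit */
	/* … unchanged: option parsing, opening of in, palette test … */
		fprintf(stderr, "%s: Expecting a palette image.\n",
		    argv[optind]);
		goto bad;
	}
	/* … unchanged: colormap and 8-bit checks, each ending in goto bad … */
	out = TIFFOpen(argv[optind+1], "w");
	if (out == NULL) {
		rc = -2;
		goto bad;
	}
	/* … unchanged: cpTags, conversion and the normal return … */
bad:
	(void) TIFFClose(in);
	return (rc);
```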