Hello community, here is the log from the commit of package tiff.1668 for openSUSE:12.1:Update checked in at 2013-05-21 15:06:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update/tiff.1668 (Old) and /work/SRC/openSUSE:12.1:Update/.tiff.1668.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff.1668" Changes: -------- New Changes file: --- /dev/null 2013-05-15 01:32:43.420028506 +0200 +++ /work/SRC/openSUSE:12.1:Update/.tiff.1668.new/tiff.changes 2013-05-21 15:06:56.000000000 +0200 @@ -0,0 +1,451 @@ +------------------------------------------------------------------- +Thu May 2 12:10:39 UTC 2013 - [email protected] + +- security update + * CVE-2013-1961.patch [bnc#818117] + * CVE-2013-1960.patch [bnc#817573] + +------------------------------------------------------------------- +Mon Nov 12 14:39:37 UTC 2012 - [email protected] + +- new patches + * tiff-3.9.5-CVE-2012-4447.patch [bnc#781995] + * tiff-3.9.5-CVE-2012-4564.patch [bnc#787892] + * tiff-3.9.5-CVE-2012-5581.patch [bnc#791607] +- run tests + +------------------------------------------------------------------- +Thu Jul 12 13:56:26 UTC 2012 - [email protected] + +- fixed CVE-2012-3401 [bnc#770816] + +------------------------------------------------------------------- +Wed Jun 20 09:55:10 UTC 2012 - [email protected] + +- fixed + * CVE-2012-2113 [bnc#767852] + * CVE-2012-2088 [bnc#767854] + +------------------------------------------------------------------- +Mon Apr 2 12:08:30 UTC 2012 - [email protected] + +- fixed CVE-2012-1173 [bnc#753362] + +------------------------------------------------------------------- +Fri Aug 5 21:09:33 UTC 2011 - [email protected] + +- Do not use -fno-strict-aliasing, no longer needed + and will probably slow down the code. +- Fix self-obsoletion warning + +------------------------------------------------------------------- +Thu Apr 14 14:02:12 CEST 2011 - [email protected] + +- updated to 3.9.5: + * fixed integer overflow CVE-2010-4665 + * fixed buffer overflow in ojpeg decoder + * upstreamed: + - oob-read.patch + - CVE-2011-0192.patch + - getimage-64bit.patch + - CVE-2011-1167.patch + - scanlinesize.patch + +------------------------------------------------------------------- +Thu Mar 31 21:49:49 CEST 2011 - [email protected] + +- fixed regression caused by previous update [bnc#682871] + * modified CVE-2011-0192.patch +- fixed buffer overflow in thunder decoder [bnc#683337] + * added CVE-2011-1167.patch + +------------------------------------------------------------------- +Thu Feb 17 15:40:54 CET 2011 - [email protected] + +- fixed buffer overflow [bnc#672510] + * CVE-2011-0192.patch + +------------------------------------------------------------------- +Mon Sep 6 14:56:09 CEST 2010 - [email protected] + +- fixed "Possibly exploitable memory corruption issue in libtiff" + (see http://bugzilla.maptools.org/show_bug.cgi?id=2228) + [bnc#624215] + * scanlinesize.patch +- fixed crash while using libjpeg7 and higher + * dont-fancy-upsampling.patch + +------------------------------------------------------------------- +Mon Jul 12 16:36:48 CEST 2010 - [email protected] + +- updated to 3.9.4: fixes CVE-2010-2065 -- obsoletes + * integer-overflow.patch + * NULL-deref.patch +- fixes CVE-2010-2067 + +------------------------------------------------------------------- +Wed Jun 23 10:32:01 CEST 2010 - [email protected] + +- fixed CVE-2010-2065 + * integer-overflow.patch + * NULL-deref.patch +- fixed out of bounds read + * oob-read.patch +- fixed CVE-2010-2233 + * getimage-64bit.patch +- [bnc#612879] + +------------------------------------------------------------------- +Mon Apr 26 15:07:09 CEST 2010 - [email protected] + +- fixed tiff2pdf output [bnc#599475] + +------------------------------------------------------------------- +Fri Mar 26 08:49:41 UTC 2010 - [email protected] + +- fixed typo + +------------------------------------------------------------------- +Tue Mar 16 13:37:23 CET 2010 - [email protected] + +- updated to 3.9.2: fixed many CVE's and obsoletes almost all + our patches (see ChangeLog for details) + +------------------------------------------------------------------- +Tue Dec 15 19:38:18 CET 2009 - [email protected] + +- add baselibs.conf as a source +- enable parallel building + +------------------------------------------------------------------- +Thu Aug 6 14:02:07 CEST 2009 - [email protected] + +- fixed integer overflows [bnc#519796] + * CVE-2009-2347.patch + +------------------------------------------------------------------- +Thu Jul 2 16:33:02 CEST 2009 - [email protected] + +- fixed lzw overflow CVE-2009-2285 [bnc#518698] + +------------------------------------------------------------------- +Wed Feb 4 15:49:04 CET 2009 - [email protected] + +- fixed an endless loop on invalid images + (bnc#444079) CVE-2008-1586 + +------------------------------------------------------------------- +Tue Jan 13 16:19:37 CET 2009 - [email protected] + +- obsolete old libtiff-64bit on ppc64 (bnc#437293) + +------------------------------------------------------------------- +Wed Jan 7 12:34:56 CET 2009 - [email protected] + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Sun Sep 7 11:24:56 CEST 2008 - [email protected] + +- Fix conflicting options. + +------------------------------------------------------------------- +Tue Aug 19 17:45:10 CEST 2008 - [email protected] + +- fixed buffer overflows in LZW code (CVE-2008-2327) [bnc#414946] + +------------------------------------------------------------------- +Sun May 18 10:37:18 CEST 2008 - [email protected] + +- fix rename of xxbit packages + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - [email protected] + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Fri Jul 27 15:58:49 CEST 2007 - [email protected] + +- add provides and obsoletes for libtiff to libtiff3 package + +------------------------------------------------------------------- +Thu Jul 19 15:01:40 CEST 2007 - [email protected] + +- renamed libtiff to libtiff3 +- do not package static libraries +- added zlib-devel to BuildRequires + +------------------------------------------------------------------- +Mon Jun 12 13:40:43 CEST 2006 - [email protected] + +- fixed a typo in the previous change [#179051] + +------------------------------------------------------------------- +Fri Jun 2 17:17:55 CEST 2006 - [email protected] + +- fixed buffer overflow in tiffsplit (CVE-2006-2656) [#179051] +- fixed buffer overflow in tiff2pdf [#179587] + +------------------------------------------------------------------- +Wed Apr 12 11:01:27 CEST 2006 - [email protected] + +- updated to 3.8.2 [#165237] + * bugfix release + * fixed several segfaults caused by incorrect tiff data + ++++ 254 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update/.tiff.1668.new/tiff.changes New: ---- CVE-2012-1173.patch CVE-2012-2088.patch CVE-2012-2113.patch CVE-2012-3401.patch CVE-2012-4447.patch CVE-2012-4564.patch CVE-2012-5581.patch CVE-2013-1960.patch CVE-2013-1961.patch README.SUSE baselibs.conf tiff-3.9.5-dont-fancy-upsampling.patch tiff-3.9.5-seek.patch tiff-3.9.5-tiff2pdf-colors.patch tiff-3.9.5.tar.bz2 tiff.changes tiff.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ # # spec file for package tiff # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: tiff BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: zlib-devel # bug437293 %ifarch ppc64 Obsoletes: tiff-64bit %endif # Url: http://www.remotesensing.org/libtiff/ Version: 3.9.5 Release: 0 Summary: Tools for Converting from and to the Tiff Format License: PERMISSIVE-OSI-COMPLIANT and MIT Group: Productivity/Graphics/Convertors Source: tiff-%{version}.tar.bz2 Source2: README.SUSE Source3: baselibs.conf Patch2: tiff-%{version}-seek.patch Patch3: tiff-%{version}-tiff2pdf-colors.patch Patch9: tiff-%{version}-dont-fancy-upsampling.patch Patch10: CVE-2012-1173.patch Patch11: CVE-2012-2113.patch Patch12: CVE-2012-2088.patch Patch13: CVE-2012-3401.patch Patch14: CVE-2012-4447.patch Patch15: CVE-2012-4564.patch Patch16: CVE-2012-5581.patch Patch17: CVE-2013-1961.patch Patch18: CVE-2013-1960.patch # FYI: this issue is solved another way # http://bugzilla.maptools.org/show_bug.cgi?id=1985#c1 # Patch9: tiff-%{version}-lzw-CVE-2009-2285.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This package contains the library and support programs for the TIFF image format. Authors: -------- Sam Leffler <[email protected]> %package -n libtiff3 Summary: The Tiff Library (with JPEG and compression support) License: PERMISSIVE-OSI-COMPLIANT and MIT Group: System/Libraries Provides: libtiff = %{version} Obsoletes: libtiff < %{version} # bug437293 %ifarch ppc64 Obsoletes: libtiff-64bit %endif # %description -n libtiff3 This package includes the tiff libraries. To link a program with libtiff, you will have to add -ljpeg and -lz to include the necessary libjpeg and libz in the linking process. Authors: -------- Sam Leffler <[email protected]> %package -n libtiff-devel Summary: Development Tools for Programs which will use the libtiff Library License: PERMISSIVE-OSI-COMPLIANT Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libjpeg-devel Requires: libstdc++-devel Requires: libtiff3 = %{version} Requires: zlib-devel # bug437293 %ifarch ppc64 Obsoletes: tiff-devel-64bit %endif # %description -n libtiff-devel This package contains the header files and static libraries for developing programs which will manipulate TIFF format image files using the libtiff library. %prep %setup -q %patch2 %patch3 -p1 %patch9 -p1 %patch10 %patch11 %patch12 %patch13 %patch14 %patch15 %patch16 -p1 %patch17 %patch18 find -type d -name "CVS" | xargs rm -rfv find -type d | xargs chmod 755 %build rm m4/ltversion.m4 m4/ltsugar.m4 m4/ltoptions.m4 m4/libtool.m4 autoreconf --force --install -v %configure --disable-static --with-pic make %{?_smp_mflags} %install mkdir -p $RPM_BUILD_ROOT/{%{_mandir}/{man1,man3},usr/{bin,lib,include}} make install DESTDIR=$RPM_BUILD_ROOT for f in `find $RPM_BUILD_ROOT/%{_mandir} -type f -print ` ; do if [ `wc -l <$f` -eq 1 ] && grep -q "^\.so " $f ; then linkto=`sed -e "s|^\.so ||" $f` [ -f "`dirname $f`/$linkto" ] && ln -sf "$linkto" $f fi done cp %{S:2} . rm -rf $RPM_BUILD_ROOT/usr/share/doc/tiff* rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la find html -name "Makefile*" | xargs rm %post -n libtiff3 -p /sbin/ldconfig %postun -n libtiff3 -p /sbin/ldconfig %clean rm -rf $RPM_BUILD_ROOT %check cd test make check %files %defattr(-,root,root) /usr/bin/* %doc html %doc README COPYRIGHT VERSION ChangeLog TODO RELEASE-DATE %doc %{_mandir}/man1/* %files -n libtiff3 %defattr(-,root,root) %doc README COPYRIGHT README.SUSE %{_libdir}/*.so.* %files -n libtiff-devel %defattr(-,root,root) /usr/include/* %{_libdir}/*.so %doc %{_mandir}/man3/* %changelog ++++++ CVE-2012-1173.patch ++++++ Index: libtiff/tif_getimage.c =================================================================== --- libtiff/tif_getimage.c.orig +++ libtiff/tif_getimage.c @@ -673,18 +673,24 @@ gtTileSeparate(TIFFRGBAImage* img, uint3 unsigned char* p2; unsigned char* pa; tsize_t tilesize; + tsize_t bufsize; int32 fromskew, toskew; int alpha = img->alpha; uint32 nrow; int ret = 1, flip; tilesize = TIFFTileSize(tif); - buf = (unsigned char*) _TIFFmalloc((alpha?4:3)*tilesize); + bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,tilesize); + if (bufsize == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); + return (0); + } + buf = (unsigned char*) _TIFFmalloc(bufsize); if (buf == 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); return (0); } - _TIFFmemset(buf, 0, (alpha?4:3)*tilesize); + _TIFFmemset(buf, 0, bufsize); p0 = buf; p1 = p0 + tilesize; p2 = p1 + tilesize; @@ -880,17 +886,23 @@ gtStripSeparate(TIFFRGBAImage* img, uint uint32 rowsperstrip, offset_row; uint32 imagewidth = img->width; tsize_t stripsize; + tsize_t bufsize; int32 fromskew, toskew; int alpha = img->alpha; int ret = 1, flip; stripsize = TIFFStripSize(tif); - p0 = buf = (unsigned char *)_TIFFmalloc((alpha?4:3)*stripsize); + bufsize = TIFFSafeMultiply(tsize_t,alpha?4:3,stripsize); + if (bufsize == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); + return (0); + } + p0 = buf = (unsigned char *)_TIFFmalloc(bufsize); if (buf == 0) { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); return (0); } - _TIFFmemset(buf, 0, (alpha?4:3)*stripsize); + _TIFFmemset(buf, 0, bufsize); p1 = p0 + stripsize; p2 = p1 + stripsize; pa = (alpha?(p2+stripsize):NULL); Index: libtiff/tiffiop.h =================================================================== --- libtiff/tiffiop.h.orig +++ libtiff/tiffiop.h @@ -246,7 +246,7 @@ struct tiff { #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) /* Safe multiply which returns zero if there is an integer overflow */ -#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) +#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) #define TIFFmax(A,B) ((A)>(B)?(A):(B)) #define TIFFmin(A,B) ((A)<(B)?(A):(B)) ++++++ CVE-2012-2088.patch ++++++ Index: libtiff/tif_strip.c =================================================================== --- libtiff/tif_strip.c.orig +++ libtiff/tif_strip.c @@ -107,6 +107,7 @@ tsize_t TIFFVStripSize(TIFF* tif, uint32 nrows) { TIFFDirectory *td = &tif->tif_dir; + uint32 stripsize; if (nrows == (uint32) -1) nrows = td->td_imagelength; @@ -122,7 +123,7 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) * YCbCr data for the extended image. */ uint16 ycbcrsubsampling[2]; - tsize_t w, scanline, samplingarea; + uint32 w, scanline, samplingarea; TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ycbcrsubsampling + 0, @@ -141,13 +142,19 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); - return ((tsize_t) + stripsize = summarize(tif, scanline, multiply(tif, 2, scanline / samplingarea, - "TIFFVStripSize"), "TIFFVStripSize")); + "TIFFVStripSize"), "TIFFVStripSize"); } else - return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif), - "TIFFVStripSize")); + stripsize = multiply(tif, nrows, TIFFScanlineSize(tif), + "TIFFVStripSize"); + /* Because tsize_t is signed, we might have conversion overflow */ + if (((tsize_t) stripsize) < 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize"); + stripsize = 0; + } + return (tsize_t) stripsize; } Index: libtiff/tif_tile.c =================================================================== --- libtiff/tif_tile.c.orig +++ libtiff/tif_tile.c @@ -174,7 +174,7 @@ tsize_t TIFFTileRowSize(TIFF* tif) { TIFFDirectory *td = &tif->tif_dir; - tsize_t rowsize; + uint32 rowsize; if (td->td_tilelength == 0 || td->td_tilewidth == 0) return ((tsize_t) 0); @@ -193,7 +193,7 @@ tsize_t TIFFVTileSize(TIFF* tif, uint32 nrows) { TIFFDirectory *td = &tif->tif_dir; - tsize_t tilesize; + uint32 tilesize; if (td->td_tilelength == 0 || td->td_tilewidth == 0 || td->td_tiledepth == 0) @@ -209,12 +209,12 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) * horizontal/vertical subsampling area include * YCbCr data for the extended image. */ - tsize_t w = + uint32 w = TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); - tsize_t rowsize = + uint32 rowsize = TIFFhowmany8(multiply(tif, w, td->td_bitspersample, "TIFFVTileSize")); - tsize_t samplingarea = + uint32 samplingarea = td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; if (samplingarea == 0) { TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling"); @@ -230,8 +230,13 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) } else tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), "TIFFVTileSize"); - return ((tsize_t) - multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize")); + tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"); + /* Because tsize_t is signed, we might have conversion overflow */ + if (((tsize_t) tilesize) < 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize"); + tilesize = 0; + } + return (tsize_t) tilesize; } /* ++++++ CVE-2012-2113.patch ++++++ mv Index: tools/tiff2pdf.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v retrieving revision 1.37.2.19 Index: tools/tiff2pdf.c =================================================================== --- tools/tiff2pdf.c.orig +++ tools/tiff2pdf.c @@ -431,6 +431,34 @@ t2p_unmapproc(thandle_t handle, tdata_t (void) handle, (void) data, (void) offset; } +static uint64 +checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p) +{ + uint64 bytes = summand1 + summand2; + + if (bytes - summand1 != summand2) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + bytes = 0; + } + + return bytes; +} + +static uint64 +checkMultiply64(uint64 first, uint64 second, T2P* t2p) +{ + uint64 bytes = first * second; + + if (second && bytes / second != first) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + bytes = 0; + } + + return bytes; +} + /* This is the main function. @@ -1773,9 +1801,7 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* tstrip_t i=0; tstrip_t stripcount=0; #endif -#ifdef OJPEG_SUPPORT - tsize_t k = 0; -#endif + uint64 k = 0; if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ #ifdef CCITT_SUPPORT @@ -1803,19 +1829,25 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* } stripcount=TIFFNumberOfStrips(input); for(i=0;i<stripcount;i++){ - k += sbc[i]; + k = checkAdd64(k, sbc[i], t2p); } if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){ if(t2p->tiff_dataoffset != 0){ if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){ if(t2p->tiff_datasize < k) { - t2p->pdf_ojpegiflength=t2p->tiff_datasize; - t2p->tiff_datasize+=k; - t2p->tiff_datasize+=6; - t2p->tiff_datasize+=2*stripcount; TIFFWarning(TIFF2PDF_MODULE, "Input file %s has short JPEG interchange file byte count", TIFFFileName(input)); + t2p->pdf_ojpegiflength=t2p->tiff_datasize; + k = checkAdd64(k, t2p->tiff_datasize, t2p); + k = checkAdd64(k, 6, t2p); + k = checkAdd64(k, stripcount, t2p); + k = checkAdd64(k, stripcount, t2p); + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } return; } return; @@ -1828,9 +1860,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* } } } - t2p->tiff_datasize+=k; - t2p->tiff_datasize+=2*stripcount; - t2p->tiff_datasize+=2048; + k = checkAdd64(k, stripcount, t2p); + k = checkAdd64(k, stripcount, t2p); + k = checkAdd64(k, 2048, t2p); + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } return; } #endif @@ -1839,11 +1876,11 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){ if(count > 4){ - t2p->tiff_datasize += count; - t2p->tiff_datasize -= 2; /* don't use EOI of header */ + k += count; + k -= 2; /* don't use EOI of header */ } } else { - t2p->tiff_datasize = 2; /* SOI for first strip */ + k = 2; /* SOI for first strip */ } stripcount=TIFFNumberOfStrips(input); if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){ @@ -1854,18 +1891,33 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* return; } for(i=0;i<stripcount;i++){ - t2p->tiff_datasize += sbc[i]; - t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */ + k = checkAdd64(k, sbc[i], t2p); + k -=4; /* don't use SOI or EOI of strip */ + } + k = checkAdd64(k, 2, t2p); /* use EOI of last strip */ + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; } - t2p->tiff_datasize +=2; /* use EOI of last strip */ return; } #endif (void) 0; } - t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length; + k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ - t2p->tiff_datasize*= t2p->tiff_samplesperpixel; + k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); + } + if (k == 0) { + /* Assume we had overflow inside TIFFScanlineSize */ + t2p->t2p_error = T2P_ERR_ERROR; + } + + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; } return; @@ -1883,6 +1935,7 @@ void t2p_read_tiff_size_tile(T2P* t2p, T #ifdef JPEG_SUPPORT unsigned char* jpt; #endif + uint64 k; edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); @@ -1894,14 +1947,17 @@ void t2p_read_tiff_size_tile(T2P* t2p, T #endif ){ t2p->tiff_datasize=TIFFTileSize(input); + if (t2p->tiff_datasize == 0) { + /* Assume we had overflow inside TIFFTileSize */ + t2p->t2p_error = T2P_ERR_ERROR; + } return; } else { TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc); - t2p->tiff_datasize=tbc[tile]; + k=tbc[tile]; #ifdef OJPEG_SUPPORT if(t2p->tiff_compression==COMPRESSION_OJPEG){ - t2p->tiff_datasize+=2048; - return; + k = checkAdd64(k, 2048, t2p); } #endif #ifdef JPEG_SUPPORT @@ -1909,18 +1965,33 @@ void t2p_read_tiff_size_tile(T2P* t2p, T uint32 count = 0; if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){ if(count > 4){ - t2p->tiff_datasize += count; - t2p->tiff_datasize -= 2; /* don't use EOI of header or SOI of tile */ + k = checkAdd64(k, count, t2p); + k -= 2; /* don't use EOI of header or SOI of tile */ } } } #endif + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; + } return; } } - t2p->tiff_datasize=TIFFTileSize(input); + k = TIFFTileSize(input); if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ - t2p->tiff_datasize*= t2p->tiff_samplesperpixel; + k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); + } + if (k == 0) { + /* Assume we had overflow inside TIFFTileSize */ + t2p->t2p_error = T2P_ERR_ERROR; + } + + t2p->tiff_datasize = (tsize_t) k; + if ((uint64) t2p->tiff_datasize != k) { + TIFFError(TIFF2PDF_MODULE, "Integer overflow"); + t2p->t2p_error = T2P_ERR_ERROR; } return; @@ -2013,6 +2084,10 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p uint32 max_striplength=0; #endif + /* Fail if prior error (in particular, can't trust tiff_datasize) */ + if (t2p->t2p_error != T2P_ERR_OK) + return(0); + if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ #ifdef CCITT_SUPPORT if(t2p->pdf_compression == T2P_COMPRESS_G4){ @@ -2586,6 +2661,10 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P uint32 xuint32=0; #endif + /* Fail if prior error (in particular, can't trust tiff_datasize) */ + if (t2p->t2p_error != T2P_ERR_OK) + return(0); + edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); ++++++ CVE-2012-3401.patch ++++++ Index: tools/tiff2pdf.c =================================================================== --- tools/tiff2pdf.c.orig +++ tools/tiff2pdf.c @@ -1066,6 +1066,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* "Can't set directory %u of input file %s", i, TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; return; } if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){ ++++++ CVE-2012-4447.patch ++++++ Index: libtiff/tif_pixarlog.c =================================================================== --- libtiff/tif_pixarlog.c.orig +++ libtiff/tif_pixarlog.c @@ -93,6 +93,8 @@ #include <stdlib.h> #include <math.h> +#include <limits.h> + /* Tables for converting to/from 11 bit coded values */ #define TSIZE 2048 /* decode table size (11-bit tokens) */ @@ -664,7 +666,15 @@ PixarLogSetupDecode(TIFF* tif) td->td_rowsperstrip), sizeof(uint16)); if (tbuf_size == 0) return (0); - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + + int i_stride = sp->stride * sizeof(uint16); + if (tbuf_size > (INT_MAX - i_stride)) { + TIFFErrorExt(tif->tif_clientdata, module, "%s: overflow!", + tif->tif_name); + return (0); + } + + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size + i_stride); if (sp->tbuf == NULL) return (0); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) @@ -829,7 +839,15 @@ PixarLogSetupEncode(TIFF* tif) td->td_rowsperstrip), sizeof(uint16)); if (tbuf_size == 0) return (0); - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + + int i_stride = sp->stride * sizeof(uint16); + if (tbuf_size > (INT_MAX - i_stride)) { + TIFFErrorExt(tif->tif_clientdata, module, "%s: overflow!", + tif->tif_name); + return (0); + } + + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size + i_stride); if (sp->tbuf == NULL) return (0); if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) ++++++ CVE-2012-4564.patch ++++++ Index: tools/ppm2tiff.c =================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/tools/ppm2tiff.c,v --- tools/ppm2tiff.c 10 Apr 2010 19:22:34 -0000 1.16 +++ tools/ppm2tiff.c 31 Oct 2012 06:25:13 -0000 @@ -89,6 +89,7 @@ int c; extern int optind; extern char* optarg; + tsize_t scanline_size; if (argc < 2) { fprintf(stderr, "%s: Too few arguments\n", argv[0]); @@ -237,8 +238,16 @@ } if (TIFFScanlineSize(out) > linebytes) buf = (unsigned char *)_TIFFmalloc(linebytes); - else - buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + else { + scanline_size = TIFFScanlineSize(out); + if (scanline_size != 0) + buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + else { + fprintf(stderr, "%s: scanline size overflow\n",infile); + (void) TIFFClose(out); + exit(-2); + } + } if (resolution > 0) { TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); ++++++ CVE-2012-5581.patch ++++++ Index: tiff-3.9.5/libtiff/tif_dir.c =================================================================== --- tiff-3.9.5.orig/libtiff/tif_dir.c +++ tiff-3.9.5/libtiff/tif_dir.c @@ -493,32 +493,27 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va status = 0; goto end; } - - if ((fip->field_passcount + if (fip->field_tag == TIFFTAG_DOTRANGE + && strcmp(fip->field_name,"DotRange") == 0) { + /* TODO: This is an evil exception and should not have been + handled this way ... likely best if we move it into + the directory structure with an explicit field in + libtiff 4.1 and assign it a FIELD_ value */ + uint16 v[2]; + v[0] = (uint16)va_arg(ap, int); + v[1] = (uint16)va_arg(ap, int); + _TIFFmemcpy(tv->value, &v, 4); + } else if (fip->field_passcount || fip->field_writecount == TIFF_VARIABLE || fip->field_writecount == TIFF_VARIABLE2 || fip->field_writecount == TIFF_SPP - || tv->count > 1) - && fip->field_tag != TIFFTAG_PAGENUMBER - && fip->field_tag != TIFFTAG_HALFTONEHINTS - && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING - && fip->field_tag != TIFFTAG_DOTRANGE) { + || tv->count > 1) { _TIFFmemcpy(tv->value, va_arg(ap, void *), tv->count * tv_size); } else { - /* - * XXX: The following loop required to handle - * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS, - * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags. - * These tags are actually arrays and should be passed as - * array pointers to TIFFSetField() function, but actually - * passed as a list of separate values. This behaviour - * must be changed in the future! - */ - int i; + assert( tv->count == 1 ); char *val = (char *)tv->value; - for (i = 0; i < tv->count; i++, val += tv_size) { switch (fip->field_type) { case TIFF_BYTE: case TIFF_UNDEFINED: @@ -577,7 +572,6 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va status = 0; break; } - } } } } ++++++ CVE-2013-1960.patch ++++++ https://bugzilla.novell.com/show_bug.cgi?id=817573#c1 CVE-2013-1960 libtiff (tiff2pdf): Heap-based buffer overflow in t2_process_jpeg_strip() ======================================================================================= A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF image to a PDF document conversion tool, of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image format files, performed write of TIFF image content into particular PDF document file, in the tp_process_jpeg_strip() function. A remote attacker could provide a specially-crafted TIFF image format file, that when processed by tiff2pdf would lead to tiff2pdf executable crash or, potentially, arbitrary code execution with the privileges of the user running the tiff2pdf binary. Index: tools/tiff2pdf.c =================================================================== --- tools/tiff2pdf.c.orig +++ tools/tiff2pdf.c @@ -3341,33 +3341,56 @@ int t2p_process_jpeg_strip( uint32 height){ tsize_t i=0; - uint16 ri =0; - uint16 v_samp=1; - uint16 h_samp=1; - int j=0; - - i++; - - while(i<(*striplength)){ + + while (i < *striplength) { + tsize_t datalen; + uint16 ri; + uint16 v_samp; + uint16 h_samp; + int j; + int ncomp; + + /* marker header: one or more FFs */ + if (strip[i] != 0xff) + return(0); + i++; + while (i < *striplength && strip[i] == 0xff) + i++; + if (i >= *striplength) + return(0); + /* SOI is the only pre-SOS marker without a length word */ + if (strip[i] == 0xd8) + datalen = 0; + else { + if ((*striplength - i) <= 2) + return(0); + datalen = (strip[i+1] << 8) | strip[i+2]; + if (datalen < 2 || datalen >= (*striplength - i)) + return(0); + } switch( strip[i] ){ - case 0xd8: - /* SOI - start of image */ + case 0xd8: /* SOI - start of image */ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); *bufferoffset+=2; - i+=2; break; - case 0xc0: - case 0xc1: - case 0xc3: - case 0xc9: - case 0xca: + case 0xc0: /* SOF0 */ + case 0xc1: /* SOF1 */ + case 0xc3: /* SOF3 */ + case 0xc9: /* SOF9 */ + case 0xca: /* SOF10 */ if(no==0){ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - for(j=0;j<buffer[*bufferoffset+9];j++){ - if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) - h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); - if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) - v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + ncomp = buffer[*bufferoffset+9]; + if (ncomp < 1 || ncomp > 4) + return(0); + v_samp=1; + h_samp=1; + for(j=0;j<ncomp;j++){ + uint16 samp = buffer[*bufferoffset+11+(3*j)]; + if( (samp>>4) > h_samp) + h_samp = (samp>>4); + if( (samp & 0x0f) > v_samp) + v_samp = (samp & 0x0f); } v_samp*=8; h_samp*=8; @@ -3381,45 +3404,43 @@ int t2p_process_jpeg_strip( (unsigned char) ((height>>8) & 0xff); buffer[*bufferoffset+6]= (unsigned char) (height & 0xff); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; - + *bufferoffset+=datalen+2; + /* insert a DRI marker */ buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]=0xdd; buffer[(*bufferoffset)++]=0x00; buffer[(*bufferoffset)++]=0x04; buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; buffer[(*bufferoffset)++]= ri & 0xff; - } else { - i+=strip[i+2]+2; } break; - case 0xc4: - case 0xdb: - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; + case 0xc4: /* DHT */ + case 0xdb: /* DQT */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; break; - case 0xda: + case 0xda: /* SOS */ if(no==0){ - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); - *bufferoffset+=strip[i+2]+2; - i+=strip[i+2]+2; + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); + *bufferoffset+=datalen+2; } else { buffer[(*bufferoffset)++]=0xff; buffer[(*bufferoffset)++]= (unsigned char)(0xd0 | ((no-1)%8)); - i+=strip[i+2]+2; } - _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); - *bufferoffset+=(*striplength)-i-1; + i += datalen + 1; + /* copy remainder of strip */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); + *bufferoffset+= *striplength - i; return(1); default: - i+=strip[i+2]+2; + /* ignore any other marker */ + break; } + i += datalen + 1; } - + /* failed to find SOS marker */ return(0); } #endif ++++++ CVE-2013-1961.patch ++++++ ++++ 774 lines (skipped) ++++++ README.SUSE ++++++ The documentation for tiff programs and library is in package tiff in directory /usr/share/doc/packages/tiff.++++++ baselibs.conf ++++++ libtiff3 obsoletes "libtiff-<targettype> <= <version>" provides "libtiff-<targettype> = <version>" libtiff-devel requires -libtiff-<targettype> requires "libtiff3-<targettype> = <version>" ++++++ tiff-3.9.5-dont-fancy-upsampling.patch ++++++ Index: tiff-3.9.4/libtiff/tif_jpeg.c =================================================================== --- tiff-3.9.4.orig/libtiff/tif_jpeg.c +++ tiff-3.9.4/libtiff/tif_jpeg.c @@ -850,6 +850,7 @@ JPEGPreDecode(TIFF* tif, tsample_t s) if (downsampled_output) { /* Need to use raw-data interface to libjpeg */ sp->cinfo.d.raw_data_out = TRUE; + sp->cinfo.d.do_fancy_upsampling = FALSE; tif->tif_decoderow = JPEGDecodeRaw; tif->tif_decodestrip = JPEGDecodeRaw; tif->tif_decodetile = JPEGDecodeRaw; ++++++ tiff-3.9.5-seek.patch ++++++ Index: libtiff/tiffiop.h =================================================================== --- libtiff/tiffiop.h.orig +++ libtiff/tiffiop.h @@ -209,7 +209,7 @@ struct tiff { #define TIFFWriteFile(tif, buf, size) \ ((*(tif)->tif_writeproc)((tif)->tif_clientdata,buf,size)) #define TIFFSeekFile(tif, off, whence) \ - ((*(tif)->tif_seekproc)((tif)->tif_clientdata,(toff_t)(off),whence)) + ((tif)->tif_seekproc?((*(tif)->tif_seekproc)((tif)->tif_clientdata,(toff_t)(off),whence)):0) #define TIFFCloseFile(tif) \ ((*(tif)->tif_closeproc)((tif)->tif_clientdata)) #define TIFFGetFileSize(tif) \ ++++++ tiff-3.9.5-tiff2pdf-colors.patch ++++++ --- tiff-3.9.2_/tools/tiff2pdf.c 2009-01-01 01:10:43.000000000 +0100 +++ tiff-3.9.2/tools/tiff2pdf.c 2010-04-24 17:39:00.000000000 +0200 @@ -5072,7 +5072,7 @@ if(t2p->tiff_photometric != PHOTOMETRIC_YCBCR) { written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13); - written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 0 >>\n", 24); + written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 1 >>\n", 24); } break; #endif -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
