Hello community, here is the log from the commit of package tiff for openSUSE:Factory checked in at 2018-10-23 20:35:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tiff (Old) and /work/SRC/openSUSE:Factory/.tiff.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tiff" Tue Oct 23 20:35:56 2018 rev:75 rq:643138 version:4.0.9 Changes: -------- --- /work/SRC/openSUSE:Factory/tiff/tiff.changes 2018-09-11 17:10:52.348005826 +0200 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff.changes 2018-10-23 20:35:59.720859357 +0200 @@ -1,0 +2,21 @@ +Fri Oct 19 07:02:18 UTC 2018 - Petr Gajdos <[email protected]> + +- security update + * CVE-2018-17795 [bsc#1110358] + % tiff-4.0.9-bsc1046077-CVE-2017-9935.patch renamed to + tiff-CVE-2017-9935,CVE-2018-17795.patch + * CVE-2018-16335 [bsc#1106853] + % tiff-CVE-2017-11613.patch renamed to + tiff-CVE-2017-11613,CVE-2018-16335,15209.patch +- add a possibility to build with ASAN + +------------------------------------------------------------------- +Wed Oct 17 11:29:07 UTC 2018 - Petr Gajdos <[email protected]> + +- security update + * CVE-2018-17100 [bsc#1108637] + + tiff-CVE-2018-17100.patch + * CVE-2018-17101 [bsc#1108627] + + tiff-CVE-2018-17101.patch + +------------------------------------------------------------------- Old: ---- tiff-4.0.9-bsc1046077-CVE-2017-9935.patch tiff-CVE-2017-11613.patch New: ---- tiff-CVE-2017-11613,CVE-2018-16335,15209.patch tiff-CVE-2017-9935,CVE-2018-17795.patch tiff-CVE-2018-17100.patch tiff-CVE-2018-17101.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tiff.spec ++++++ --- /var/tmp/diff_new_pack.MjCrrw/_old 2018-10-23 20:36:00.908857937 +0200 +++ /var/tmp/diff_new_pack.MjCrrw/_new 2018-10-23 20:36:00.912857932 +0200 @@ -12,10 +12,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # +%define asan_build 0 + Name: tiff Version: 4.0.9 Release: 0 @@ -30,14 +32,16 @@ # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch # Contained in upstream repo. See bsc#1046077 for commit IDs. -Patch2: tiff-4.0.9-bsc1046077-CVE-2017-9935.patch +Patch2: tiff-CVE-2017-9935,CVE-2018-17795.patch Patch3: tiff-4.0.9-bsc1081690-CVE-2018-5784.patch Patch4: tiff-CVE-2018-10963.patch Patch5: tiff-CVE-2017-18013.patch Patch6: tiff-CVE-2018-7456.patch -Patch7: tiff-CVE-2017-11613.patch +Patch7: tiff-CVE-2017-11613,CVE-2018-16335,15209.patch Patch8: tiff-CVE-2018-8905.patch Patch9: tiff-CVE-2018-10779.patch +Patch10: tiff-CVE-2018-17100.patch +Patch11: tiff-CVE-2018-17101.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel @@ -109,10 +113,15 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 %build CFLAGS="%{optflags} -fPIE" %configure --disable-static +%if %{asan_build} +find -name Makefile | xargs sed -i 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' +%endif make %{?_smp_mflags} LDFLAGS="-pie" %install @@ -137,6 +146,10 @@ done %check +%if %{asan_build} +# ASAN needs /proc to be mounted +exit 0 +%endif for i in tools test; do (cd $i && make %{?_smp_mflags} check) done ++++++ tiff-CVE-2017-11613,CVE-2018-16335,15209.patch ++++++ Index: tiff-4.0.9/libtiff/tif_dirread.c =================================================================== --- tiff-4.0.9.orig/libtiff/tif_dirread.c 2018-06-04 16:49:48.940452546 +0200 +++ tiff-4.0.9/libtiff/tif_dirread.c 2018-06-04 16:50:18.572859131 +0200 @@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) if( nstrips == 0 ) return; + /* If we are going to allocate a lot of memory, make sure that the */ + /* file is as big as needed */ + if( tif->tif_mode == O_RDONLY && + nstrips > 1000000 && + (offset >= TIFFGetFileSize(tif) || + stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) + { + return; + } + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), "for chopped \"StripByteCounts\" array"); newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), ++++++ tiff-CVE-2017-9935,CVE-2018-17795.patch ++++++ >From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001 From: Brian May <[email protected]> Date: Thu, 7 Dec 2017 07:46:47 +1100 Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 This vulnerability - at least for the supplied test case - is because we assume that a tiff will only have one transfer function that is the same for all pages. This is not required by the TIFF standards. We than read the transfer function for every page. Depending on the transfer function, we allocate either 2 or 4 bytes to the XREF buffer. We allocate this memory after we read in the transfer function for the page. For the first exploit - POC1, this file has 3 pages. For the first page we allocate 2 extra extra XREF entries. Then for the next page 2 more entries. Then for the last page the transfer function changes and we allocate 4 more entries. When we read the file into memory, we assume we have 4 bytes extra for each and every page (as per the last transfer function we read). Which is not correct, we only have 2 bytes extra for the first 2 pages. As a result, we end up writing past the end of the buffer. There are also some related issues that this also fixes. For example, TIFFGetField can return uninitalized pointer values, and the logic to detect a N=3 vs N=1 transfer function seemed rather strange. It is also strange that we declare the transfer functions to be of type float, when the standard says they are unsigned 16 bit values. This is fixed in another patch. This patch will check to ensure that the N value for every transfer function is the same for every page. If this changes, we abort with an error. In theory, we should perhaps check that the transfer function itself is identical for every page, however we don't do that due to the confusion of the type of the data in the transfer function. --- libtiff/tif_dir.c | 3 +++ tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++++++++++++++--------------------- 2 files changed, 47 insertions(+), 21 deletions(-) >From d4f213636b6f950498a1386083199bd7f65676b9 Mon Sep 17 00:00:00 2001 From: Brian May <[email protected]> Date: Thu, 7 Dec 2017 07:49:20 +1100 Subject: [PATCH] tiff2pdf: Fix apparent incorrect type for transfer table The standard says the transfer table contains unsigned 16 bit values, I have no idea why we refer to them as floats. --- tools/tiff2pdf.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c index 2ccaf44..cbf2b69 100644 --- a/libtiff/tif_dir.c +++ b/libtiff/tif_dir.c @@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) if (td->td_samplesperpixel - td->td_extrasamples > 1) { *va_arg(ap, uint16**) = td->td_transferfunction[1]; *va_arg(ap, uint16**) = td->td_transferfunction[2]; + } else { + *va_arg(ap, uint16**) = NULL; + *va_arg(ap, uint16**) = NULL; } break; case TIFFTAG_REFERENCEBLACKWHITE: diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c index d1a9b09..c3ec074 100644 --- a/tools/tiff2pdf.c +++ b/tools/tiff2pdf.c @@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ uint16 pagen=0; uint16 paged=0; uint16 xuint16=0; + uint16 tiff_transferfunctioncount=0; + float* tiff_transferfunction[3]; directorycount=TIFFNumberOfDirectories(input); t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); @@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ } #endif if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, - &(t2p->tiff_transferfunction[0]), - &(t2p->tiff_transferfunction[1]), - &(t2p->tiff_transferfunction[2]))) { - if((t2p->tiff_transferfunction[1] != (float*) NULL) && - (t2p->tiff_transferfunction[2] != (float*) NULL) && - (t2p->tiff_transferfunction[1] != - t2p->tiff_transferfunction[0])) { - t2p->tiff_transferfunctioncount = 3; - t2p->tiff_pages[i].page_extra += 4; - t2p->pdf_xrefcount += 4; - } else { - t2p->tiff_transferfunctioncount = 1; - t2p->tiff_pages[i].page_extra += 2; - t2p->pdf_xrefcount += 2; - } - if(t2p->pdf_minorversion < 2) - t2p->pdf_minorversion = 2; + &(tiff_transferfunction[0]), + &(tiff_transferfunction[1]), + &(tiff_transferfunction[2]))) { + + if((tiff_transferfunction[1] != (float*) NULL) && + (tiff_transferfunction[2] != (float*) NULL) + ) { + tiff_transferfunctioncount=3; + } else { + tiff_transferfunctioncount=1; + } } else { - t2p->tiff_transferfunctioncount=0; + tiff_transferfunctioncount=0; } + + if (i > 0){ + if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ + TIFFError( + TIFF2PDF_MODULE, + "Different transfer function on page %d", + i); + t2p->t2p_error = T2P_ERR_ERROR; + return; + } + } + + t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; + t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; + t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; + t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; + if(tiff_transferfunctioncount == 3){ + t2p->tiff_pages[i].page_extra += 4; + t2p->pdf_xrefcount += 4; + if(t2p->pdf_minorversion < 2) + t2p->pdf_minorversion = 2; + } else if (tiff_transferfunctioncount == 1){ + t2p->tiff_pages[i].page_extra += 2; + t2p->pdf_xrefcount += 2; + if(t2p->pdf_minorversion < 2) + t2p->pdf_minorversion = 2; + } + if( TIFFGetField( input, TIFFTAG_ICCPROFILE, @@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ &(t2p->tiff_transferfunction[1]), &(t2p->tiff_transferfunction[2]))) { if((t2p->tiff_transferfunction[1] != (float*) NULL) && - (t2p->tiff_transferfunction[2] != (float*) NULL) && - (t2p->tiff_transferfunction[1] != - t2p->tiff_transferfunction[0])) { + (t2p->tiff_transferfunction[2] != (float*) NULL) + ) { t2p->tiff_transferfunctioncount=3; } else { t2p->tiff_transferfunctioncount=1; diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c index c3ec074..484776c 100644 --- a/tools/tiff2pdf.c +++ b/tools/tiff2pdf.c @@ -237,7 +237,7 @@ typedef struct { float tiff_whitechromaticities[2]; float tiff_primarychromaticities[6]; float tiff_referenceblackwhite[2]; - float* tiff_transferfunction[3]; + uint16* tiff_transferfunction[3]; int pdf_image_interpolate; /* 0 (default) : do not interpolate, 1 : interpolate */ uint16 tiff_transferfunctioncount; @@ -1048,7 +1048,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ uint16 paged=0; uint16 xuint16=0; uint16 tiff_transferfunctioncount=0; - float* tiff_transferfunction[3]; + uint16* tiff_transferfunction[3]; directorycount=TIFFNumberOfDirectories(input); t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); @@ -1153,8 +1153,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ &(tiff_transferfunction[1]), &(tiff_transferfunction[2]))) { - if((tiff_transferfunction[1] != (float*) NULL) && - (tiff_transferfunction[2] != (float*) NULL) + if((tiff_transferfunction[1] != (uint16*) NULL) && + (tiff_transferfunction[2] != (uint16*) NULL) ) { tiff_transferfunctioncount=3; } else { @@ -1851,8 +1851,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ &(t2p->tiff_transferfunction[0]), &(t2p->tiff_transferfunction[1]), &(t2p->tiff_transferfunction[2]))) { - if((t2p->tiff_transferfunction[1] != (float*) NULL) && - (t2p->tiff_transferfunction[2] != (float*) NULL) + if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && + (t2p->tiff_transferfunction[2] != (uint16*) NULL) ) { t2p->tiff_transferfunctioncount=3; } else { -- libgit2 0.26.0 ++++++ tiff-CVE-2017-11613.patch -> tiff-CVE-2018-17100.patch ++++++ --- /work/SRC/openSUSE:Factory/tiff/tiff-CVE-2017-11613.patch 2018-06-08 23:20:01.358187551 +0200 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff-CVE-2018-17100.patch 2018-10-23 20:35:58.876860365 +0200 @@ -1,21 +1,27 @@ -Index: tiff-4.0.9/libtiff/tif_dirread.c +Index: tiff-4.0.9/tools/ppm2tiff.c =================================================================== ---- tiff-4.0.9.orig/libtiff/tif_dirread.c 2018-06-04 16:49:48.940452546 +0200 -+++ tiff-4.0.9/libtiff/tif_dirread.c 2018-06-04 16:50:18.572859131 +0200 -@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) - if( nstrips == 0 ) - return; +--- tiff-4.0.9.orig/tools/ppm2tiff.c 2018-10-17 12:25:05.271940872 +0200 ++++ tiff-4.0.9/tools/ppm2tiff.c 2018-10-17 12:26:15.468262130 +0200 +@@ -72,15 +72,16 @@ BadPPM(char* file) + exit(-2); + } -+ /* If we are going to allocate a lot of memory, make sure that the */ -+ /* file is as big as needed */ -+ if( tif->tif_mode == O_RDONLY && -+ nstrips > 1000000 && -+ (offset >= TIFFGetFileSize(tif) || -+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) -+ { -+ return; -+ } + - newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), - "for chopped \"StripByteCounts\" array"); - newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), ++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) ++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) ++ + static tmsize_t + multiply_ms(tmsize_t m1, tmsize_t m2) + { +- tmsize_t bytes = m1 * m2; +- +- if (m1 && bytes / m1 != m2) +- bytes = 0; +- +- return bytes; ++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) ++ return 0; ++ return m1 * m2; + } + + int ++++++ tiff-CVE-2017-11613.patch -> tiff-CVE-2018-17101.patch ++++++ --- /work/SRC/openSUSE:Factory/tiff/tiff-CVE-2017-11613.patch 2018-06-08 23:20:01.358187551 +0200 +++ /work/SRC/openSUSE:Factory/.tiff.new/tiff-CVE-2018-17101.patch 2018-10-23 20:35:59.372859772 +0200 @@ -1,21 +1,58 @@ -Index: tiff-4.0.9/libtiff/tif_dirread.c -=================================================================== ---- tiff-4.0.9.orig/libtiff/tif_dirread.c 2018-06-04 16:49:48.940452546 +0200 -+++ tiff-4.0.9/libtiff/tif_dirread.c 2018-06-04 16:50:18.572859131 +0200 -@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) - if( nstrips == 0 ) - return; +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 01fcf941..01d8502e 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out) + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; ++ } ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS -+ /* If we are going to allocate a lot of memory, make sure that the */ -+ /* file is as big as needed */ -+ if( tif->tif_mode == O_RDONLY && -+ nstrips > 1000000 && -+ (offset >= TIFFGetFileSize(tif) || -+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) +diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c +index 05faba87..5bef3142 100644 +--- a/tools/tiff2bw.c ++++ b/tools/tiff2bw.c +@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out) + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) + { -+ return; ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; + } -+ - newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), - "for chopped \"StripByteCounts\" array"); - newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS +
