pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/graphics/tiff Security fixes for SA21304:
details: https://anonhg.NetBSD.org/pkgsrc/rev/394038913736
branches: trunk
changeset: 516998:394038913736
user: salo <salo%pkgsrc.org@localhost>
date: Wed Aug 02 15:42:25 2006 +0000
description:
Security fixes for SA21304:
"Some vulnerabilities have been reported in libTIFF, which can be
exploited by malicious people to cause a DoS (Denial of Service)
or potentially compromise a vulnerable system.
The vulnerabilities are caused due to various heap and integer
overflows when processing TIFF images and can be exploited via
a specially crafted TIFF image.
Successful exploitation allows crashing applications linked against
libTIFF and may also allow execution of arbitrary code."
http://secunia.com/advisories/21304/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465
Patches from Tavis Ormandy, Google Security Team via SUSE.
Bump PKGREVISION.
diffstat:
graphics/tiff/Makefile | 4 +-
graphics/tiff/distinfo | 10 +-
graphics/tiff/patches/patch-av | 96 ++++++++++++
graphics/tiff/patches/patch-aw | 26 +++
graphics/tiff/patches/patch-ax | 308 +++++++++++++++++++++++++++++++++++++++++
graphics/tiff/patches/patch-ay | 29 +++
graphics/tiff/patches/patch-az | 119 +++++++++++++++
graphics/tiff/patches/patch-ba | 24 +++
graphics/tiff/patches/patch-bb | 27 +++
graphics/tiff/patches/patch-bc | 37 ++++
10 files changed, 677 insertions(+), 3 deletions(-)
diffs (truncated from 732 to 300 lines):
diff -r c651f9777c7f -r 394038913736 graphics/tiff/Makefile
--- a/graphics/tiff/Makefile Wed Aug 02 15:31:02 2006 +0000
+++ b/graphics/tiff/Makefile Wed Aug 02 15:42:25 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.83 2006/06/17 20:25:23 reed Exp $
+# $NetBSD: Makefile,v 1.84 2006/08/02 15:42:25 salo Exp $
DISTNAME= tiff-3.8.2
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://libtiff.maptools.org/dl/
diff -r c651f9777c7f -r 394038913736 graphics/tiff/distinfo
--- a/graphics/tiff/distinfo Wed Aug 02 15:31:02 2006 +0000
+++ b/graphics/tiff/distinfo Wed Aug 02 15:42:25 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.38 2006/06/08 11:05:14 salo Exp $
+$NetBSD: distinfo,v 1.39 2006/08/02 15:42:25 salo Exp $
SHA1 (tiff-3.8.2.tar.gz) = 549e67b6a15b42bfcd72fe17cda7c9a198a393eb
RMD160 (tiff-3.8.2.tar.gz) = 1b4d825e3be08764e953fc58246d0c25ab4dd17d
@@ -7,3 +7,11 @@
SHA1 (patch-ab) = b517cb8bc2212d3e6c5a70db1bdf45b85b78fc72
SHA1 (patch-at) = 4006ed90f6ab88aff30e2537d613a1b44b5c7347
SHA1 (patch-au) = c53ed7521c3918081526ad63cd0c1c45c9a0b9ff
+SHA1 (patch-av) = e1b8cec32b9706af0074c2a54bdd1fd2ea2b8e36
+SHA1 (patch-aw) = 8df07a9bc23092cfde2b364a1965efcfdc848b1e
+SHA1 (patch-ax) = 1a111d7a80bf98a650d147c035cd719d34aafc8a
+SHA1 (patch-ay) = db50f1d97b5d3b94e4d470b49642fe105977e0b7
+SHA1 (patch-az) = ec57ebacc6052221ae63084d23c7c7b4aea029d8
+SHA1 (patch-ba) = d4bd9c67a9bf2be93286f8268ac520c4b88ba3ae
+SHA1 (patch-bb) = cbc7feda655a02809de55be6470cc25cda942a08
+SHA1 (patch-bc) = 9baa1c138cd3cb6366ae3e638518b94dfea172cc
diff -r c651f9777c7f -r 394038913736 graphics/tiff/patches/patch-av
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-av Wed Aug 02 15:42:25 2006 +0000
@@ -0,0 +1,96 @@
+$NetBSD: patch-av,v 1.5 2006/08/02 15:42:25 salo Exp $
+
+Security fix for SA21304.
+
+--- libtiff/tif_dir.c.orig 2006-03-21 17:42:50.000000000 +0100
++++ libtiff/tif_dir.c 2006-08-02 17:18:41.000000000 +0200
+@@ -122,6 +122,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
+ {
+ static const char module[] = "_TIFFVSetField";
+
++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
+ TIFFDirectory* td = &tif->tif_dir;
+ int status = 1;
+ uint32 v32, i, v;
+@@ -195,10 +196,12 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
+ break;
+ case TIFFTAG_ORIENTATION:
+ v = va_arg(ap, uint32);
++ const TIFFFieldInfo* fip;
+ if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
++ fip = _TIFFFieldWithTag(tif, tag);
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "Bad value %lu for \"%s\" tag ignored",
+- v, _TIFFFieldWithTag(tif, tag)->field_name);
++ v, fip ? fip->field_name : "Unknown");
+ } else
+ td->td_orientation = (uint16) v;
+ break;
+@@ -387,11 +390,15 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
+ * happens, for example, when tiffcp is used to convert between
+ * compression schemes and codec-specific tags are blindly copied.
+ */
++ /*
++ * better not dereference fip if it is NULL.
++ * -- taviso%google.com@localhost 15 Jun 2006
++ */
+ if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Invalid %stag \"%s\" (not supported by codec)",
+ tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+- _TIFFFieldWithTag(tif, tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ status = 0;
+ break;
+ }
+@@ -468,7 +475,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
+ if (fip->field_type == TIFF_ASCII)
+ _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
+ else {
+- tv->value = _TIFFmalloc(tv_size * tv->count);
++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
+ if (!tv->value) {
+ status = 0;
+ goto end;
+@@ -563,7 +570,7 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
+ }
+ }
+ if (status) {
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++ TIFFSetFieldBit(tif, fip->field_bit);
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ }
+
+@@ -572,12 +579,12 @@ end:
+ return (status);
+ badvalue:
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
+- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
++ tif->tif_name, v, fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ return (0);
+ badvalue32:
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
+- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
++ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ return (0);
+ }
+@@ -813,12 +820,16 @@ _TIFFVGetField(TIFF* tif, ttag_t tag, va
+ * If the client tries to get a tag that is not valid
+ * for the image's codec then we'll arrive here.
+ */
++ /*
++ * dont dereference fip if it's NULL.
++ * -- taviso%google.com@localhost 15 Jun 2006
++ */
+ if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
+ {
+ TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
+ "%s: Invalid %stag \"%s\" (not supported by codec)",
+ tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+- _TIFFFieldWithTag(tif, tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ ret_val = 0;
+ break;
+ }
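Review bot: In the `if (status)` block near the end of `_TIFFVSetField`, the new `TIFFSetFieldBit(tif, fip->field_bit);` dereferences `fip` with no NULL test, while every other use this patch touches is written `fip ? fip->field_name : "Unknown"`. `fip` is now taken from `_TIFFFindFieldInfo(tif, tag, TIFF_ANY)` at the top of the function, and the patch's own guards treat it as possibly NULL, so unless a caller outside these hunks rules that out the line should be guarded, e.g. `if (fip) TIFFSetFieldBit(tif, fip->field_bit);`. Separately, the ORIENTATION case adds a second `const TIFFFieldInfo* fip;` after a statement, which appears to shadow the function-level `fip` for the rest of the switch block and is uninitialised when a later case label is entered directly; assigning to the existing variable (`fip = _TIFFFieldWithTag(tif, tag);`) would avoid both the shadowing and the mid-block declaration. The function body is only partly visible in these hunks.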
diff -r c651f9777c7f -r 394038913736 graphics/tiff/patches/patch-aw
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-aw Wed Aug 02 15:42:25 2006 +0000
@@ -0,0 +1,26 @@
+$NetBSD: patch-aw,v 1.5 2006/08/02 15:42:25 salo Exp $
+
+Security fix for SA21304.
+
+--- libtiff/tif_dirinfo.c.orig 2006-02-07 14:51:03.000000000 +0100
++++ libtiff/tif_dirinfo.c 2006-08-02 17:18:41.000000000 +0200
+@@ -775,7 +775,8 @@ _TIFFFieldWithTag(TIFF* tif, ttag_t tag)
+ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
+ "Internal error, unknown tag 0x%x",
+ (unsigned int) tag);
+- assert(fip != NULL);
++ /* assert(fip != NULL); */
++
+ /*NOTREACHED*/
+ }
+ return (fip);
+@@ -789,7 +790,8 @@ _TIFFFieldWithName(TIFF* tif, const char
+ if (!fip) {
+ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
+ "Internal error, unknown tag %s", field_name);
+- assert(fip != NULL);
++ /* assert(fip != NULL); */
++
+ /*NOTREACHED*/
+ }
+ return (fip);
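Review bot: With `assert(fip != NULL)` commented out, the `if (!fip)` branch in both `_TIFFFieldWithTag` and `_TIFFFieldWithName` now falls through to `return (fip);` with a NULL pointer, yet the `/*NOTREACHED*/` marker is kept and states the opposite. I would drop the commented-out assert and the marker and document the new contract in their place, e.g. `/* unknown tag: error reported, NULL returned; callers must check */`. Any call site not touched by this commit that still writes `_TIFFFieldWithTag(...)->field_name` would now dereference NULL where a debug build previously aborted, so the remaining callers are worth auditing. Both function bodies begin outside the hunks.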
diff -r c651f9777c7f -r 394038913736 graphics/tiff/patches/patch-ax
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-ax Wed Aug 02 15:42:25 2006 +0000
@@ -0,0 +1,308 @@
+$NetBSD: patch-ax,v 1.5 2006/08/02 15:42:25 salo Exp $
+
+Security fix for SA21304.
+
+--- libtiff/tif_dirread.c.orig 2006-03-21 17:42:50.000000000 +0100
++++ libtiff/tif_dirread.c 2006-08-02 17:18:41.000000000 +0200
+@@ -81,6 +81,7 @@ TIFFReadDirectory(TIFF* tif)
+ uint16 dircount;
+ toff_t nextdiroff;
+ int diroutoforderwarning = 0;
++ int compressionknown = 0;
+ toff_t* new_dirlist;
+
+ tif->tif_diroff = tif->tif_nextdiroff;
+@@ -147,13 +148,20 @@ TIFFReadDirectory(TIFF* tif)
+ } else {
+ toff_t off = tif->tif_diroff;
+
+- if (off + sizeof (uint16) > tif->tif_size) {
++ /*
++ * Check for integer overflow when validating the dir_off, otherwise
++ * a very high offset may cause an OOB read and crash the client.
++ * -- taviso%google.com@localhost, 14 Jun 2006.
++ */
++ if (off + sizeof (uint16) > tif->tif_size ||
++ off + sizeof (uint16) < off) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Can not read TIFF directory count",
+ tif->tif_name);
+ return (0);
+ } else
+- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
++ _TIFFmemcpy(&dircount, tif->tif_base + off,
++ sizeof (uint16));
+ off += sizeof (uint16);
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabShort(&dircount);
+@@ -254,6 +262,7 @@ TIFFReadDirectory(TIFF* tif)
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
++
+ if (fix >= tif->tif_nfields ||
+ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+
+@@ -264,17 +273,23 @@ TIFFReadDirectory(TIFF* tif)
+ dp->tdir_tag,
+ dp->tdir_tag,
+ dp->tdir_type);
++ /*
++ * creating anonymous fields prior to knowing the compression
++ * algorithm (ie, when the field info has been merged) could cause
++ * crashes with pathological directories.
++ * -- taviso%google.com@localhost 15 Jun 2006
++ */
++ if (compressionknown)
++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
++ (TIFFDataType) dp->tdir_type), 1 );
++ else goto ignore;
+
+- TIFFMergeFieldInfo(tif,
+- _TIFFCreateAnonFieldInfo(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1 );
+ fix = 0;
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
+ }
++
+ /*
+ * Null out old tags that we ignore.
+ */
+@@ -326,6 +341,7 @@ TIFFReadDirectory(TIFF* tif)
+ dp->tdir_type, dp->tdir_offset);
+ if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
+ goto bad;
++ else compressionknown++;
+ break;
+ /* XXX: workaround for broken TIFFs */
+ } else if (dp->tdir_type == TIFF_LONG) {
+@@ -540,6 +556,7 @@ TIFFReadDirectory(TIFF* tif)
+ * Attempt to deal with a missing StripByteCounts tag.
+ */
+ if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * Some manufacturers violate the spec by not giving
+ * the size of the strips. In this case, assume there
+@@ -556,7 +573,7 @@ TIFFReadDirectory(TIFF* tif)
+ "%s: TIFF directory is missing required "
+ "\"%s\" field, calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ /*
+@@ -580,6 +597,7 @@ TIFFReadDirectory(TIFF* tif)
+ } else if (td->td_nstrips == 1
+ && td->td_stripoffset[0] != 0
+ && BYTECOUNTLOOKSBAD) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * XXX: Plexus (and others) sometimes give a value of zero for
+ * a tag when they don't know what the correct value is! Try
+@@ -589,13 +607,14 @@ TIFFReadDirectory(TIFF* tif)
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if(EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
+ && td->td_nstrips > 2
+ && td->td_compression == COMPRESSION_NONE
+ && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * XXX: Some vendors fill StripByteCount array with absolutely
+ * wrong values (it can be equal to StripOffset array, for
+@@ -604,7 +623,7 @@ TIFFReadDirectory(TIFF* tif)
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ }