pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/graphics/tiff tiff: apply fix for CVE-2018-18557
details: https://anonhg.NetBSD.org/pkgsrc/rev/70f522ccd525
branches: trunk
changeset: 324658:70f522ccd525
user: maya <maya%pkgsrc.org@localhost>
date: Thu Oct 25 22:58:05 2018 +0000
description:
tiff: apply fix for CVE-2018-18557
>From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault%spatialys.com@localhost>
Date: Sun, 14 Oct 2018 16:38:29 +0200
Subject: [PATCH 1/1] JBIG: fix potential out-of-bounds write in JBIGDecode()
JBIGDecode doesn't check if the user provided buffer is large enough
to store the JBIG decoded image, which can potentially cause out-of-bounds
write in the buffer.
This issue was reported and analyzed by Thomas Dullien.
Also fixes a (harmless) potential use of uninitialized memory when
tif->tif_rawsize > tif->tif_rawcc
And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
that whole strip data is provided to JBIGDecode()
The last part (CHUNKY_STRIP_READ_SUPPORT) was adapted by myself to fit
the libtiff release.
Bump PKGREVISION.
diffstat:
graphics/tiff/Makefile | 4 +-
graphics/tiff/distinfo | 4 +-
graphics/tiff/patches/patch-libtiff_tif__jbig.c | 77 +++++++++++++++++++++++++
graphics/tiff/patches/patch-libtiff_tif__read.c | 23 +++++++
4 files changed, 105 insertions(+), 3 deletions(-)
diffs (137 lines):
diff -r 38ab761ebf62 -r 70f522ccd525 graphics/tiff/Makefile
--- a/graphics/tiff/Makefile Thu Oct 25 22:41:24 2018 +0000
+++ b/graphics/tiff/Makefile Thu Oct 25 22:58:05 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.141 2018/06/21 23:11:04 tez Exp $
+# $NetBSD: Makefile,v 1.142 2018/10/25 22:58:05 maya Exp $
DISTNAME= tiff-4.0.9
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= graphics
MASTER_SITES= ftp://download.osgeo.org/libtiff/
diff -r 38ab761ebf62 -r 70f522ccd525 graphics/tiff/distinfo
--- a/graphics/tiff/distinfo Thu Oct 25 22:41:24 2018 +0000
+++ b/graphics/tiff/distinfo Thu Oct 25 22:58:05 2018 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.90 2018/06/21 23:11:04 tez Exp $
+$NetBSD: distinfo,v 1.91 2018/10/25 22:58:05 maya Exp $
SHA1 (tiff-4.0.9.tar.gz) = 87d4543579176cc568668617c22baceccd568296
RMD160 (tiff-4.0.9.tar.gz) = ab5b3b7297e79344775b1e70c4d54c90c06836a3
@@ -7,4 +7,6 @@
SHA1 (patch-CVE-2017-9935) = d33f3311e5bb96bf415f894237ab4dfcfafd2610
SHA1 (patch-CVE-2018-8905) = 3a7081957ff2f4d6e777df5a9609ba89eecd8fbc
SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
+SHA1 (patch-libtiff_tif__jbig.c) = feb404c5c70c0f4f10fa53351fab4db163bbccf3
+SHA1 (patch-libtiff_tif__read.c) = a69f7a462e0dfe6b01240816ed546d7e381044e8
SHA1 (patch-tools_pal2rgb.c) = f91652e8013940c162add870ceb9845e2730bc2c
diff -r 38ab761ebf62 -r 70f522ccd525 graphics/tiff/patches/patch-libtiff_tif__jbig.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif__jbig.c Thu Oct 25 22:58:05 2018 +0000
@@ -0,0 +1,77 @@
+$NetBSD: patch-libtiff_tif__jbig.c,v 1.1 2018/10/25 22:58:05 maya Exp $
+
+From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 (CVE-2018-18557)
+
+JBIGDecode doesn't check if the user provided buffer is large enough
+to store the JBIG decoded image, which can potentially cause out-of-bounds
+write in the buffer.
+This issue was reported and analyzed by Thomas Dullien.
+
+Also fixes a (harmless) potential use of uninitialized memory when
+tif->tif_rawsize > tif->tif_rawcc
+
+--- libtiff/tif_jbig.c.orig 2017-06-30 13:27:54.399206925 +0000
++++ libtiff/tif_jbig.c
+@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8*
+ struct jbg_dec_state decoder;
+ int decodeStatus = 0;
+ unsigned char* pImage = NULL;
+- (void) size, (void) s;
++ unsigned long decodedSize;
++ (void) s;
+
+ if (isFillOrder(tif, tif->tif_dir.td_fillorder))
+ {
+- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
++ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
+ }
+
+ jbg_dec_init(&decoder);
+
+ #if defined(HAVE_JBG_NEWLEN)
+- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
++ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
+ /*
+ * I do not check the return status of jbg_newlen because even if this
+ * function fails it does not necessarily mean that decoding the image
+@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8*
+ */
+ #endif /* HAVE_JBG_NEWLEN */
+
+- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
+- (size_t)tif->tif_rawdatasize, NULL);
++ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
++ (size_t)tif->tif_rawcc, NULL);
+ if (JBG_EOK != decodeStatus)
+ {
+ /*
+@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8*
+ return 0;
+ }
+
++ decodedSize = jbg_dec_getsize(&decoder);
++ if( (tmsize_t)decodedSize < size )
++ {
++ TIFFWarningExt(tif->tif_clientdata, "JBIG",
++ "Only decoded %lu bytes, whereas %lu requested",
++ decodedSize, (unsigned long)size);
++ }
++ else if( (tmsize_t)decodedSize > size )
++ {
++ TIFFErrorExt(tif->tif_clientdata, "JBIG",
++ "Decoded %lu bytes, whereas %lu were requested",
++ decodedSize, (unsigned long)size);
++ jbg_dec_free(&decoder);
++ return 0;
++ }
+ pImage = jbg_dec_getimage(&decoder, 0);
+- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
++ _TIFFmemcpy(buffer, pImage, decodedSize);
+ jbg_dec_free(&decoder);
++
++ tif->tif_rawcp += tif->tif_rawcc;
++ tif->tif_rawcc = 0;
++
+ return 1;
+ }
+
diff -r 38ab761ebf62 -r 70f522ccd525 graphics/tiff/patches/patch-libtiff_tif__read.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif__read.c Thu Oct 25 22:58:05 2018 +0000
@@ -0,0 +1,23 @@
+$NetBSD: patch-libtiff_tif__read.c,v 1.1 2018/10/25 22:58:05 maya Exp $
+
+And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
+that whole strip data is provided to JBIGDecode()
+
+Part of commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66 which fixes
+CVE-2018-18557
+
+--- libtiff/tif_read.c.orig 2017-11-18 14:42:21.664534434 +0000
++++ libtiff/tif_read.c
+@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 s
+ return 0;
+ whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
+ || isMapped(tif);
++ if( td->td_compression == COMPRESSION_JBIG )
++ {
++ /* Ideally plugins should have a way to declare they don't support
++ * chunk strip */
++ whole_strip = 1;
++ }
+ #else
+ whole_strip = 1;
+ #endif
Home |
Main Index |
Thread Index |
Old Index