Package: tiff Version: 4.0.3-12.3 Severity: normal Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu vivid ubuntu-patch
*** /tmp/tmpy2ySAQ/bug_body In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: Backport more security-relevant commits - debian/patches/CVE-2014-81xx-9.patch - debian/patches/CVE-2014-9655-1.patch - debian/patches/CVE-2014-9655-3.patch - debian/patches/read_overrun.patch - debian/patches/estimatestripbytecounts_return_code.patch - debian/patches/CVE-2014-8130.patch Thanks for considering the patch. -- System Information: Debian Release: jessie/sid APT prefers vivid-updates APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid'), (100, 'vivid-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.19.0-10-generic (SMP w/4 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru tiff-4.0.3/debian/changelog tiff-4.0.3/debian/changelog
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8130.patch tiff-4.0.3/debian/patches/CVE-2014-8130.patch
--- tiff-4.0.3/debian/patches/CVE-2014-8130.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.3/debian/patches/CVE-2014-8130.patch 2015-03-30 10:19:40.000000000 -0400
@@ -0,0 +1,42 @@
+From 3c5eb8b1be544e41d2c336191bc4936300ad7543 Mon Sep 17 00:00:00 2001
+From: bfriesen <bfriesen>
+Date: Sun, 18 Nov 2012 17:51:52 +0000
+Subject: [PATCH] * libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does
+ not require malloc() to return NULL pointer if requested allocation size is
+ zero. Assure that _TIFFmalloc does.
+
+---
+ ChangeLog | 6 ++++++
+ libtiff/tif_unix.c | 3 +++
+ libtiff/tif_vms.c | 3 +++
+ libtiff/tif_win32.c | 3 +++
+ 4 files changed, 15 insertions(+)
+
+Index: tiff-4.0.3/libtiff/tif_unix.c
+===================================================================
+--- tiff-4.0.3.orig/libtiff/tif_unix.c 2015-03-27 14:47:11.002353413 -0400
++++ tiff-4.0.3/libtiff/tif_unix.c 2015-03-27 14:47:10.998353377 -0400
+@@ -257,6 +257,9 @@
+ void*
+ _TIFFmalloc(tmsize_t s)
+ {
++ if (s == 0)
++ return ((void *) NULL);
++
+ return (malloc((size_t) s));
+ }
+
+Index: tiff-4.0.3/libtiff/tif_win32.c
+===================================================================
+--- tiff-4.0.3.orig/libtiff/tif_win32.c 2015-03-27 14:47:11.002353413 -0400
++++ tiff-4.0.3/libtiff/tif_win32.c 2015-03-27 14:47:10.998353377 -0400
+@@ -329,6 +329,9 @@
+ void*
+ _TIFFmalloc(tmsize_t s)
+ {
++ if (s == 0)
++ return ((void *) NULL);
++
+ return (malloc((size_t) s));
+ }
+
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-81xx-9.patch tiff-4.0.3/debian/patches/CVE-2014-81xx-9.patch
--- tiff-4.0.3/debian/patches/CVE-2014-81xx-9.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.3/debian/patches/CVE-2014-81xx-9.patch 2015-03-30 10:18:36.000000000 -0400
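Review bot: The added `if (s == 0)` guard in both `_TIFFmalloc` hunks (tif_unix.c and tif_win32.c) covers only a zero request; `tmsize_t` is a signed type in libtiff, so a negative `s` still reaches `malloc((size_t) s)` as a very large size and the outcome depends on the allocator refusing it. Writing the guard as `if (s <= 0)` would make the rejection explicit. The patch header still carries the upstream diffstat (ChangeLog, tif_vms.c) although this file changes only tif_unix.c and tif_win32.c; a `Backport of:` line, as CVE-2014-81xx-9.patch has, would make that visible to whoever audits the series next.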
@@ -0,0 +1,35 @@
+Backport of:
+
+From 77837423c3a125a3b39ddae246ff904f437cf845 Mon Sep 17 00:00:00 2001
+From: bfriesen <bfriesen>
+Date: Mon, 22 Dec 2014 02:52:38 +0000
+Subject: [PATCH] * tools/tiffdump.c: Guard against arithmetic overflow when
+ calculating allocation buffer sizes.
+
+---
+ ChangeLog | 5 +++++
+ tools/tiffdump.c | 21 ++++++++++++++++++---
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+Index: tiff-4.0.3/tools/tiffdump.c
+===================================================================
+--- tiff-4.0.3.orig/tools/tiffdump.c 2015-01-29 09:36:19.521556646 -0500
++++ tiff-4.0.3/tools/tiffdump.c 2015-01-29 09:36:19.521556646 -0500
+@@ -34,6 +34,8 @@
+ # include <unistd.h>
+ #endif
+
++#include "tiffiop.h"
++
+ #ifdef HAVE_FCNTL_H
+ # include <fcntl.h>
+ #endif
+@@ -303,7 +305,7 @@
+ dircount = (uint16)dircount64;
+ direntrysize = 20;
+ }
+- dirmem = _TIFFmalloc(dircount * direntrysize);
++ dirmem = _TIFFmalloc(TIFFSafeMultiply(tmsize_t,dircount,direntrysize));
+ if (dirmem == NULL) {
+ Fatal("No space for TIFF directory");
+ goto done;
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-9655-1.patch tiff-4.0.3/debian/patches/CVE-2014-9655-1.patch
--- tiff-4.0.3/debian/patches/CVE-2014-9655-1.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.3/debian/patches/CVE-2014-9655-1.patch 2015-03-30 10:18:59.000000000 -0400
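Review bot: The overflow guard on `dirmem` works only indirectly: as far as I know `TIFFSafeMultiply` in tiffiop.h evaluates to 0 when the product overflows, so the failure is caught by `dirmem == NULL` only if `_TIFFmalloc(0)` returns NULL, which is what CVE-2014-8130.patch in this same upload introduces. That dependency deserves a comment above the call, e.g. `/* TIFFSafeMultiply yields 0 on overflow; relies on _TIFFmalloc(0) returning NULL */`, so the two patches are not separated in a later backport. The upstream diffstat lists 21 changed lines in tools/tiffdump.c while this backport carries one changed line plus the include; if the other allocation sites were left out deliberately, the header should say why. The enclosing function starts and ends outside the hunk.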
@@ -0,0 +1,26 @@
+From 24a2eee78bb057acb2c3992acd002654c1747718 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 24 Dec 2014 16:57:18 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c: avoid divide by zero on invalid
+ YCbCr subsampling. http://bugzilla.maptools.org/show_bug.cgi?id=2235
+
+---
+ ChangeLog | 5 +++++
+ libtiff/tif_getimage.c | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 396ad08..417ac7b 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -875,6 +875,10 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+
+ TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
++ if( subsamplingver == 0 ) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling");
++ return (0);
++ }
+ scanline = TIFFScanlineSize(tif);
+ fromskew = (w < imagewidth ? imagewidth - w : 0);
+ for (row = 0; row < h; row += nrow)
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-9655-3.patch tiff-4.0.3/debian/patches/CVE-2014-9655-3.patch
--- tiff-4.0.3/debian/patches/CVE-2014-9655-3.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.3/debian/patches/CVE-2014-9655-3.patch 2015-03-30 10:19:12.000000000 -0400
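Review bot: The new `subsamplingver == 0` test in gtStripContig carries no comment saying why zero is fatal; per the commit subject the value is later used as a divisor, and it is read from the file's YCbCrSubsampling tag. Suggest `/* subsamplingver is a divisor further down; a malformed file can set it to 0 */` above the test. `subsamplinghor` is fetched by the same call and is not validated; whether it is ever used as a divisor is outside the hunk, so that is a question rather than a finding. CVE-2014-9655-3.patch moves this same block unchanged, so the comment belongs at the final position there.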
@@ -0,0 +1,42 @@
+From feed76c99f132f02a938de3b566442bff61388ef Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 29 Dec 2014 18:28:46 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c: move test on vertical value of
+ YCbCr subsampling. to avoid buffer leak (fix previous fix, found by Coverity
+ scan)
+
+---
+ ChangeLog | 5 +++--
+ libtiff/tif_getimage.c | 12 +++++++-----
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 3ad8ee7..1a53c8b 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -857,6 +857,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ int32 fromskew, toskew;
+ int ret = 1, flip;
+
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
++ if( subsamplingver == 0 ) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling");
++ return (0);
++ }
++
+ buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif));
+ if (buf == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
+@@ -874,11 +880,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+
+ TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+- TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
+- if( subsamplingver == 0 ) {
+- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling");
+- return (0);
+- }
++
+ scanline = TIFFScanlineSize(tif);
+ fromskew = (w < imagewidth ? imagewidth - w : 0);
+ for (row = 0; row < h; row += nrow)
diff -Nru tiff-4.0.3/debian/patches/estimatestripbytecounts_return_code.patch tiff-4.0.3/debian/patches/estimatestripbytecounts_return_code.patch
--- tiff-4.0.3/debian/patches/estimatestripbytecounts_return_code.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.3/debian/patches/estimatestripbytecounts_return_code.patch 2015-03-30 10:19:32.000000000 -0400
@@ -0,0 +1,26 @@
+From 8bf2ef81c053562177eba5b34006da3823a2e440 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Tue, 23 Dec 2014 11:06:54 +0000
+Subject: [PATCH] * libtiff/tif_dirread.c: In EstimateStripByteCounts(), check
+ return code of _TIFFFillStriles(). This solves crashing bug on corrupted
+ images generated by afl.
+
+---
+ ChangeLog | 6 ++++++
+ libtiff/tif_dirread.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index f66c9a7..0a9fa90 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4295,7 +4295,8 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount)
+ TIFFDirectory *td = &tif->tif_dir;
+ uint32 strip;
+
+- _TIFFFillStriles( tif );
++ if( !_TIFFFillStriles( tif ) )
++ return -1;
+
+ if (td->td_stripbytecount)
+ _TIFFfree(td->td_stripbytecount);
diff -Nru tiff-4.0.3/debian/patches/read_overrun.patch tiff-4.0.3/debian/patches/read_overrun.patch
--- tiff-4.0.3/debian/patches/read_overrun.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.3/debian/patches/read_overrun.patch 2015-03-30 10:19:26.000000000 -0400
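Review bot: The new `return -1` in EstimateStripByteCounts protects against corrupted files only if every caller tests the result, and the call sites are outside this hunk; each one should be confirmed to stop on a negative return before this is relied on. The early exit also has no comment; something like `/* stop before touching td_stripbytecount if _TIFFFillStriles() failed */` would record the intent. The function body continues past the end of the hunk.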
@@ -0,0 +1,68 @@
+From 5ef99cbffd5d5042fbd11f5e36d1b602e58c578d Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 7 Dec 2014 22:33:06 +0000
+Subject: [PATCH] tools/thumbnail.c, tools/tiffcrop.c: fix heap read over-run
+ found with Valgrind and Address Sanitizer on test suite
+
+---
+ ChangeLog | 5 +++++
+ tools/thumbnail.c | 7 ++++++-
+ tools/tiffcrop.c | 9 +++++++--
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+Index: tiff-4.0.3/tools/thumbnail.c
+===================================================================
+--- tiff-4.0.3.orig/tools/thumbnail.c 2015-03-27 13:02:15.686967377 -0400
++++ tiff-4.0.3/tools/thumbnail.c 2015-03-27 13:02:15.686967377 -0400
+@@ -610,12 +610,17 @@
+ rowsize = TIFFScanlineSize(in);
+ rastersize = sh * rowsize;
+ fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
+- raster = (unsigned char*)_TIFFmalloc(rastersize);
++ /* +3 : add a few guard bytes since setrow() can read a bit */
++ /* outside buffer */
++ raster = (unsigned char*)_TIFFmalloc(rastersize+3);
+ if (!raster) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate space for raster buffer.");
+ return 0;
+ }
++ raster[rastersize] = 0;
++ raster[rastersize+1] = 0;
++ raster[rastersize+2] = 0;
+ rp = raster;
+ for (s = 0; s < ns; s++) {
+ (void) TIFFReadEncodedStrip(in, s, rp, -1);
+Index: tiff-4.0.3/tools/tiffcrop.c
+===================================================================
+--- tiff-4.0.3.orig/tools/tiffcrop.c 2015-03-27 13:02:15.686967377 -0400
++++ tiff-4.0.3/tools/tiffcrop.c 2015-03-27 13:02:15.686967377 -0400
+@@ -5996,8 +5996,10 @@
+ }
+
+ read_buff = *read_ptr;
++ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
++ /* outside buffer */
+ if (!read_buff)
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize);
++ read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+ else
+ {
+ if (prev_readsize < buffsize)
+@@ -6006,12 +6008,15 @@
+ if (!new_buff)
+ {
+ free (read_buff);
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize);
++ read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+ }
+ else
+ read_buff = new_buff;
+ }
+ }
++ read_buff[buffsize] = 0;
++ read_buff[buffsize+1] = 0;
++ read_buff[buffsize+2] = 0;
+
+ if (!read_buff)
+ {
diff -Nru tiff-4.0.3/debian/patches/series tiff-4.0.3/debian/patches/series
--- tiff-4.0.3/debian/patches/series 2015-03-23 14:24:49.000000000 -0400
+++ tiff-4.0.3/debian/patches/series 2015-03-30 10:19:40.000000000 -0400
@@ -20,3 +20,9 @@
 CVE-2014-8128-4.patch
 CVE-2014-8128-5.patch
+CVE-2014-81xx-9.patch
+CVE-2014-9655-1.patch
+CVE-2014-9655-3.patch
+read_overrun.patch
+estimatestripbytecounts_return_code.patch
+CVE-2014-8130.patch
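Review bot: In the tiffcrop.c part the three guard-byte stores `read_buff[buffsize] = 0;`, `read_buff[buffsize+1] = 0;` and `read_buff[buffsize+2] = 0;` are placed before the `if (!read_buff)` check, so a failed allocation is dereferenced before it is detected; they should move below that block. The reallocation call sits between the two tiffcrop.c hunks and is not shown; judging by the diffstat (two replaced lines, both `_TIFFmalloc`) it was not changed, and if it still requests `buffsize` the stores write up to three bytes past a reallocated buffer, so it would need `buffsize+3` as well. The same question applies when an existing buffer is reused without reallocation, unless it is known to have been allocated with the padding. The enclosing function starts and ends outside the hunk.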