Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package tiff It fixes most of the open security vulnerabilities (some are still fixed upstream, but we should fix up what we have so far). unblock tiff/4.0.3-12.1 diff -Nru tiff-4.0.3/debian/changelog tiff-4.0.3/debian/changelog --- tiff-4.0.3/debian/changelog 2014-12-30 17:32:33.000000000 +0100 +++ tiff-4.0.3/debian/changelog 2015-02-21 13:07:45.000000000 +0100 @@ -1,3 +1,11 @@ +tiff (4.0.3-12.1) unstable; urgency=medium + + * NMU as discussed with Ondrej, the future adopter of tiff + * Fix multiple security issues, exact details will be recorded in the + Debian security tracker + + -- Moritz Muehlenhoff <j...@debian.org> Sat, 21 Feb 2015 13:06:08 +0100 + tiff (4.0.3-12) unstable; urgency=high * Fix integer overflow in bmp2tiff. CVE-2014-9330. (Closes: #773987) diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8127-1.patch tiff-4.0.3/debian/patches/CVE-2014-8127-1.patch --- tiff-4.0.3/debian/patches/CVE-2014-8127-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.0.3/debian/patches/CVE-2014-8127-1.patch 2015-02-21 13:05:27.000000000 +0100 
@@ -0,0 +1,28 @@ +From 0782c759084daaf9e4de7ee6be7543081823455e Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 20:58:29 +0000 +Subject: [PATCH] * tools/tiff2bw.c: when Photometric=RGB, the utility only + works if SamplesPerPixel = 3. Enforce that + http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127) + +--- + ChangeLog | 6 ++++++ + tools/tiff2bw.c | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c +index 22467cd..94b8e31 100644 +--- a/tools/tiff2bw.c ++++ b/tools/tiff2bw.c +@@ -171,6 +171,11 @@ main(int argc, char* argv[]) + argv[optind], samplesperpixel); + return (-1); + } ++ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { ++ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", ++ argv[optind], samplesperpixel); ++ return (-1); ++ } + TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); + if (bitspersample != 8) { + fprintf(stderr, diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8127-2.patch tiff-4.0.3/debian/patches/CVE-2014-8127-2.patch --- tiff-4.0.3/debian/patches/CVE-2014-8127-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.0.3/debian/patches/CVE-2014-8127-2.patch 2015-02-21 13:05:27.000000000 +0100 
@@ -0,0 +1,40 @@ +From 3996fa0f84f4a8b7e65fe4b8f0681711022034ea Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 20:04:31 +0000 +Subject: [PATCH] * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling + TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not + worth the burden for those esoteric utilities. + http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) + +--- + ChangeLog | 7 +++++++ + tools/pal2rgb.c | 2 +- + tools/thumbnail.c | 2 +- + 3 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index bfe7899..3fc3de3 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -372,7 +372,7 @@ static struct cpTag { + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index c50bbff..73f9c34 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -257,7 +257,7 @@ static struct cpTag { + { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, + { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, + { TIFFTAG_INKSET, 1, TIFF_SHORT }, +- { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, ++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */ + { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, + { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, + { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8127-3.patch tiff-4.0.3/debian/patches/CVE-2014-8127-3.patch --- tiff-4.0.3/debian/patches/CVE-2014-8127-3.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.0.3/debian/patches/CVE-2014-8127-3.patch 2015-02-21 13:05:27.000000000 +0100 
@@ -0,0 +1,43 @@ +From 1f7359b00663804d96c3a102bcb6ead9812c1509 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Tue, 23 Dec 2014 10:15:35 +0000 +Subject: [PATCH] * libtiff/tif_read.c: fix several invalid comparisons of a + uint64 value with <= 0 by casting it to int64 first. This solves crashing bug + on corrupted images generated by afl. + +--- + ChangeLog | 6 ++++++ + libtiff/tif_read.c | 6 +++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c +index 2ba822a..dfc5b07 100644 +--- a/libtiff/tif_read.c ++++ b/libtiff/tif_read.c +@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) + return ((tmsize_t)(-1)); + } + bytecount = td->td_stripbytecount[strip]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid strip byte count, strip %lu", +@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[strip]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "Invalid strip byte count %I64u, strip %lu", +@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) + if ((tif->tif_flags&TIFF_NOREADRAW)==0) + { + uint64 bytecount = td->td_stripbytecount[tile]; +- if (bytecount <= 0) { ++ if ((int64)bytecount <= 0) { + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + TIFFErrorExt(tif->tif_clientdata, module, + "%I64u: Invalid tile byte count, tile %lu", diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8127-4.patch tiff-4.0.3/debian/patches/CVE-2014-8127-4.patch --- tiff-4.0.3/debian/patches/CVE-2014-8127-4.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.0.3/debian/patches/CVE-2014-8127-4.patch 2015-02-21 
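Review bot: The `(int64)bytecount <= 0` test used in all three hunks (TIFFReadRawStrip, TIFFFillStrip, TIFFFillTile) relies on converting an out-of-range uint64 to int64, which C leaves implementation-defined rather than guaranteeing a negative result. The intent is clearer and portable written as `if (bytecount == 0 || bytecount > (uint64)INT64_MAX) {` (or libtiff's own equivalent of that bound), which rejects the same set of values on two's-complement targets. A byte count that is positive but larger than the remaining file is still accepted by this check; presumably the read that follows reports the short read, but that code is outside the hunk. All three enclosing functions begin and end outside the hunk.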
13:05:27.000000000 +0100 
@@ -0,0 +1,293 @@ +From 662f74445b2fea2eeb759c6524661118aef567ca Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 15:15:31 +0000 +Subject: [PATCH] Fix various crasher bugs on fuzzed images. * + libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for + TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing + the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read + ColorMap or TransferFunction if BitsPerSample has not yet been read, + otherwise reading it later will cause user code to crash if BitsPerSample > 1 + * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with + SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample + != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images + instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int + overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to + invalid tile count (should likely be checked by libtiff too). Detect invalid + settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB * + tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight * + tools/tiffdump.c: fix crash due to overflow of entry count. 
+ +--- + ChangeLog | 19 +++++++++++++++++++ + libtiff/tif_dir.c | 21 +++++++++++++++++++-- + libtiff/tif_dirread.c | 17 +++++++++++++++++ + libtiff/tif_getimage.c | 15 +++++++++++++++ + libtiff/tif_next.c | 2 ++ + tools/bmp2tiff.c | 15 +++++++++++++++ + tools/tiff2pdf.c | 41 +++++++++++++++++++++++++++++++++++++++++ + tools/tiffcrop.c | 7 ++++--- + tools/tiffdump.c | 9 ++++++--- + 9 files changed, 138 insertions(+), 8 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 98cf66d..ab43a28 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; ++ double dblval; + char* s; + const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY); + uint32 standard_tag = tag; +@@ -284,10 +285,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel); + break; + case TIFFTAG_XRESOLUTION: +- td->td_xresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_xresolution = (float) dblval; + break; + case TIFFTAG_YRESOLUTION: +- td->td_yresolution = (float) va_arg(ap, double); ++ dblval = va_arg(ap, double); ++ if( dblval < 0 ) ++ goto badvaluedouble; ++ td->td_yresolution = (float) dblval; + break; + case TIFFTAG_PLANARCONFIG: + v = (uint16) va_arg(ap, uint16_vap); +@@ -694,6 +701,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + va_end(ap); + } + return (0); ++badvaluedouble: ++ { ++ const TIFFField* fip=TIFFFieldWithTag(tif,tag); ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Bad value %f for \"%s\" tag", ++ tif->tif_name, dblval, ++ fip ? 
fip->field_name : "Unknown"); ++ va_end(ap); ++ } ++ return (0); + } + + /* +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 391c823..f66c9a7 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -3430,6 +3430,8 @@ TIFFReadDirectory(TIFF* tif) + const TIFFField* fip; + uint32 fii=FAILED_FII; + toff_t nextdiroff; ++ int bitspersample_read = FALSE; ++ + tif->tif_diroff=tif->tif_nextdiroff; + if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) + return 0; /* last offset or bad offset (IFD looping) */ +@@ -3706,6 +3708,8 @@ TIFFReadDirectory(TIFF* tif) + } + if (!TIFFSetField(tif,dp->tdir_tag,value)) + goto bad; ++ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE ) ++ bitspersample_read = TRUE; + } + break; + case TIFFTAG_SMINSAMPLEVALUE: +@@ -3763,6 +3767,19 @@ TIFFReadDirectory(TIFF* tif) + uint32 countrequired; + uint32 incrementpersample; + uint16* value=NULL; ++ /* It would be dangerous to instanciate those tag values */ ++ /* since if td_bitspersample has not yet been read (due to */ ++ /* unordered tags), it could be read afterwards with a */ ++ /* values greater than the default one (1), which may cause */ ++ /* crashes in user code */ ++ if( !bitspersample_read ) ++ { ++ fip = TIFFFieldWithTag(tif,dp->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "Ignoring %s since BitsPerSample tag not found", ++ fip ? 
fip->field_name : "unknown tagname"); ++ continue; ++ } + countpersample=(1L<<tif->tif_dir.td_bitspersample); + if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample)) + { +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 074d32a..396ad08 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -182,8 +182,23 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) + "Planarconfiguration", td->td_planarconfig); + return (0); + } ++ if( td->td_samplesperpixel != 3 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d", ++ "Samples/pixel", td->td_samplesperpixel); ++ return 0; ++ } + break; + case PHOTOMETRIC_CIELAB: ++ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d and %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "Bits/sample", td->td_bitspersample); ++ return 0; ++ } + break; + default: + sprintf(emsg, "Sorry, can not handle image with %s=%d", +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index 55e2537..a53c716 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + default: { + uint32 npixels = 0, grey; + uint32 imagewidth = tif->tif_dir.td_imagewidth; ++ if( isTiled(tif) ) ++ imagewidth = tif->tif_dir.td_tilewidth; + + /* + * The scanline is composed of a sequence of constant +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index dfda963..f202b41 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1167,6 +1167,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ + TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid tile count, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = 
T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_tiles[i].tiles_tilecount/= xuint16; + } + if( t2p->tiff_tiles[i].tiles_tilecount > 0){ +@@ -1552,6 +1561,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + #endif + break; + case PHOTOMETRIC_CIELAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for CIELAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for CIELAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]= -127; + t2p->pdf_labrange[1]= 127; + t2p->pdf_labrange[2]= -127; +@@ -1567,6 +1592,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + t2p->pdf_colorspace=T2P_CS_LAB; + break; + case PHOTOMETRIC_ITULAB: ++ if( t2p->tiff_samplesperpixel != 3){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Unsupported samplesperpixel = %d for ITULAB", ++ t2p->tiff_samplesperpixel); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ if( t2p->tiff_bitspersample != 8){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Invalid bitspersample = %d for ITULAB", ++ t2p->tiff_bitspersample); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->pdf_labrange[0]=-85; + t2p->pdf_labrange[1]=85; + t2p->pdf_labrange[2]=-75; +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index f5530bb..4088463 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, + tsize_t tilesize = TIFFTileSize(out); + unsigned char *tilebuf = NULL; + +- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); +- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); +- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || ++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || ++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) ++ return 1; + + 
tile_buffsize = tilesize; + if (tilesize < (tsize_t)(tl * tile_rowsize)) +diff --git a/tools/tiffdump.c b/tools/tiffdump.c +index cf5d62f..8247765 100644 +--- a/tools/tiffdump.c ++++ b/tools/tiffdump.c +@@ -374,6 +374,8 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + void* datamem; + uint64 dataoffset; + int datatruncated; ++ int datasizeoverflow; ++ + tag = *(uint16*)dp; + if (swabflag) + TIFFSwabShort(&tag); +@@ -412,13 +414,14 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + else + typewidth = datawidth[type]; + datasize = count*typewidth; ++ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count); + datafits = 1; + datamem = dp; + dataoffset = 0; + datatruncated = 0; + if (!bigtiff) + { +- if (datasize>4) ++ if (datasizeoverflow || datasize>4) + { + uint32 dataoffset32; + datafits = 0; +@@ -432,7 +435,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + } + else + { +- if (datasize>8) ++ if (datasizeoverflow || datasize>8) + { + datafits = 0; + datamem = NULL; +@@ -442,7 +445,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off) + } + dp += sizeof(uint64); + } +- if (datasize>0x10000) ++ if (datasizeoverflow || datasize>0x10000) + { + datatruncated = 1; + count = 0x10000/typewidth; diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8128-1.patch tiff-4.0.3/debian/patches/CVE-2014-8128-1.patch --- tiff-4.0.3/debian/patches/CVE-2014-8128-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.0.3/debian/patches/CVE-2014-8128-1.patch 2015-02-21 13:05:27.000000000 +0100 
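Review bot: The new `dblval < 0` guards for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION in _TIFFVSetField let a NaN through, because every ordered comparison with NaN is false, so a NaN resolution is still stored and can presumably reach the same directory-write asserts this change is meant to avoid. Writing each test as `if( !(dblval >= 0) )` rejects negative values and NaN alike and still lands on the new badvaluedouble path. The pattern is the same at both the XRESOLUTION and YRESOLUTION cases; _TIFFVSetField itself begins and ends outside the hunk.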
@@ -0,0 +1,30 @@ +From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 19:53:59 +0000 +Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write + http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) + +--- + ChangeLog | 5 +++++ + tools/thumbnail.c | 8 +++++++- + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index fab63f6..c50bbff 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -568,7 +568,13 @@ setImage1(const uint8* br, uint32 rw, uint32 rh) + err -= limit; + sy++; + if (err >= limit) +- rows[nrows++] = br + bpr*sy; ++ { ++ /* We should perhaps error loudly, but I can't make sense of that */ ++ /* code... */ ++ if( nrows == 256 ) ++ break; ++ rows[nrows++] = br + bpr*sy; ++ } + } + setrow(row, nrows, rows); + row += tnw; diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8128-2.patch tiff-4.0.3/debian/patches/CVE-2014-8128-2.patch --- tiff-4.0.3/debian/patches/CVE-2014-8128-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.0.3/debian/patches/CVE-2014-8128-2.patch 2015-02-21 13:05:27.000000000 +0100 
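Review bot: The new bound in setImage1 hard-codes `256` where it should be derived from the `rows` array it protects; if rows is a local fixed-size array (its declaration is outside the hunk), `if( nrows == sizeof rows / sizeof rows[0] )` keeps the limit and the buffer in step. The added comment admits that source rows are dropped silently once the limit is hit; a one-line comment such as `/* extra source rows past the buffer are skipped, not folded into this output row */` would at least tell a maintainer what the truncated thumbnail looks like. The rest of setImage1 is outside the hunk.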
@@ -0,0 +1,81 @@ +From 8b6e80fca434525497e5a31c3309a3bab5b3c1c8 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 18:52:42 +0000 +Subject: [PATCH] * tools/thumbnail.c, tools/tiffcmp.c: only read/write + TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is + COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 + http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128) + +--- + ChangeLog | 7 +++++++ + tools/thumbnail.c | 21 ++++++++++++++++++++- + tools/tiffcmp.c | 17 +++++++++++++++-- + 3 files changed, 42 insertions(+), 3 deletions(-) + +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index a98a881..fab63f6 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -274,7 +274,26 @@ cpTags(TIFF* in, TIFF* out) + { + struct cpTag *p; + for (p = tags; p < &tags[NTAGS]; p++) +- cpTag(in, out, p->tag, p->count, p->type); ++ { ++ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */ ++ /* if we request a tag that is defined in a codec, but that codec */ ++ /* isn't used */ ++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX3 ) ++ continue; ++ } ++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) ++ { ++ uint16 compression; ++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || ++ compression != COMPRESSION_CCITTFAX4 ) ++ continue; ++ } ++ cpTag(in, out, p->tag, p->count, p->type); ++ } + } + #undef NTAGS + +diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c +index 508a461..d6392af 100644 +--- a/tools/tiffcmp.c ++++ b/tools/tiffcmp.c +@@ -260,6 +260,7 @@ tiffcmp(TIFF* tif1, TIFF* tif2) + static int + cmptags(TIFF* tif1, TIFF* tif2) + { ++ uint16 compression1, compression2; + CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType"); + CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth"); + CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength"); +@@ -276,8 +277,20 @@ cmptags(TIFF* tif1, TIFF* tif2) + 
CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat"); + CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution"); + CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution"); +- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); +- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); ++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && ++ compression1 == COMPRESSION_CCITTFAX3 && ++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && ++ compression2 == COMPRESSION_CCITTFAX3 ) ++ { ++ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options"); ++ } ++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) && ++ compression1 == COMPRESSION_CCITTFAX4 && ++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) && ++ compression2 == COMPRESSION_CCITTFAX4 ) ++ { ++ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options"); ++ } + CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit"); + CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration"); + CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip"); diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8128-3.patch tiff-4.0.3/debian/patches/CVE-2014-8128-3.patch --- tiff-4.0.3/debian/patches/CVE-2014-8128-3.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.0.3/debian/patches/CVE-2014-8128-3.patch 2015-02-21 13:08:16.000000000 +0100 
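Review bot: cmptags reads TIFFTAG_COMPRESSION from both files twice, once per Group3/Group4 block, and the cpTags loop in thumbnail.c likewise re-reads it for every tag it visits; the compression of a directory does not change between those calls, so it can be fetched once. Hoisting the two TIFFGetField calls to the top of cmptags (shown below) keeps the same outcome: when either file lacks the tag, neither options field is compared. The rest of cmptags and the tags table in thumbnail.c are outside the hunk.
```c
static int
cmptags(TIFF* tif1, TIFF* tif2)
{
	uint16 compression1, compression2;
	int have_compression = TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
	    TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2);
	/* … unchanged: Cmp*Field calls from SubFileType through YResolution … */
	if( have_compression && compression1 == COMPRESSION_CCITTFAX3 &&
	    compression2 == COMPRESSION_CCITTFAX3 )
	{
		CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
	}
	if( have_compression && compression1 == COMPRESSION_CCITTFAX4 &&
	    compression2 == COMPRESSION_CCITTFAX4 )
	{
		CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
	}
	/* … unchanged: remaining Cmp*Field calls … */
```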
@@ -0,0 +1,32 @@ +From 266bc48054b018a2f1d74562aa48eb2f509436d5 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 17:36:36 +0000 +Subject: [PATCH] * tools/tiff2pdf.c: check return code of TIFFGetField() when + reading TIFFTAG_SAMPLESPERPIXEL + +--- + ChangeLog | 5 +++++ + tools/tiff2pdf.c | 10 +++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +Index: tiff-4.0.3/tools/tiff2pdf.c +=================================================================== +--- tiff-4.0.3.orig/tools/tiff2pdf.c ++++ tiff-4.0.3/tools/tiff2pdf.c +@@ -1164,7 +1164,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* + t2p->tiff_pages[i].page_tilecount; + if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0) + && (xuint16 == PLANARCONFIG_SEPARATE ) ){ +- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16); ++ if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) ) ++ { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Missing SamplesPerPixel, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 ) + { + TIFFError( diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8129.patch tiff-4.0.3/debian/patches/CVE-2014-8129.patch --- tiff-4.0.3/debian/patches/CVE-2014-8129.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.0.3/debian/patches/CVE-2014-8129.patch 2015-02-21 13:05:27.000000000 +0100 
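Review bot: The new return-code check in t2p_read_tiff_init still lets a SamplesPerPixel of 0 through to the `% xuint16` on the following context line, which would divide by zero; unless libtiff guarantees it never stores a zero SamplesPerPixel, the guard should read `if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) || xuint16 == 0 )` with the error text adjusted to match. That modulus is introduced by the CVE-2014-8127-4 patch in this same upload, so the two patches are coupled and the extra condition belongs wherever they are squashed. t2p_read_tiff_init begins and ends outside the hunk.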
@@ -0,0 +1,43 @@ +From cd82b5267ad4c10eb91e4ee8a716a81362cf851c Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Sun, 21 Dec 2014 18:07:48 +0000 +Subject: [PATCH] * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129) + +--- + ChangeLog | 5 +++++ + libtiff/tif_next.c | 17 +++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index a53c716..d834196 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -141,10 +141,27 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + return (0); + } + ++static int ++NeXTPreDecode(TIFF* tif, uint16 s) ++{ ++ static const char module[] = "NeXTPreDecode"; ++ TIFFDirectory *td = &tif->tif_dir; ++ (void)s; ++ ++ if( td->td_bitspersample != 2 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d", ++ td->td_bitspersample); ++ return (0); ++ } ++ return (1); ++} ++ + int + TIFFInitNeXT(TIFF* tif, int scheme) + { + (void) scheme; ++ tif->tif_predecode = NeXTPreDecode; + tif->tif_decoderow = NeXTDecode; + tif->tif_decodestrip = NeXTDecode; + tif->tif_decodetile = NeXTDecode; diff -Nru tiff-4.0.3/debian/patches/CVE-2014-9655.patch tiff-4.0.3/debian/patches/CVE-2014-9655.patch --- tiff-4.0.3/debian/patches/CVE-2014-9655.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.0.3/debian/patches/CVE-2014-9655.patch 2015-02-21 13:05:27.000000000 +0100 
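Review bot: NeXTPreDecode carries no comment saying why BitsPerSample must be exactly 2, so a reader has to already know the NeXT scheme before the check makes sense; a header comment such as `/* NeXTDecode only understands the 2-bit grey layout; any other depth would not match the decoder's pixel unpacking, so refuse it before the first strip is decoded. */` would tie the check to the decoder it guards. The wiring of tif_predecode in TIFFInitNeXT is otherwise straightforward; TIFFInitNeXT continues outside the hunk.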
@@ -0,0 +1,86 @@ +From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Mon, 29 Dec 2014 12:09:11 +0000 +Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't + read outside of the compressed input stream buffer. + +* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height +--- + ChangeLog | 9 +++++++++ + libtiff/tif_getimage.c | 12 +++++++----- + libtiff/tif_next.c | 4 +++- + 3 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index a4f46d9..3ad8ee7 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -1871,7 +1871,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile) + + (void) y; + fromskew = (fromskew * 10) / 4; +- if ((h & 3) == 0 && (w & 1) == 0) { ++ if ((w & 3) == 0 && (h & 1) == 0) { + for (; h >= 2; h -= 2) { + x = w>>2; + do { +@@ -1948,7 +1948,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + /* XXX adjust fromskew */ + do { + x = w>>2; +- do { ++ while(x>0) { + int32 Cb = pp[4]; + int32 Cr = pp[5]; + +@@ -1959,7 +1959,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + + cp += 4; + pp += 6; +- } while (--x); ++ x--; ++ } + + if( (w&3) != 0 ) + { +@@ -2050,7 +2051,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + fromskew = (fromskew * 4) / 2; + do { + x = w>>1; +- do { ++ while(x>0) { + int32 Cb = pp[2]; + int32 Cr = pp[3]; + +@@ -2059,7 +2060,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + + cp += 2; + pp += 4; +- } while (--x); ++ x --; ++ } + + if( (w&1) != 0 ) + { +diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c +index d834196..dd669cc 100644 +--- a/libtiff/tif_next.c ++++ b/libtiff/tif_next.c +@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read"); + return (0); + } +- for (row = buf; occ > 0; occ -= scanline, row += scanline) { ++ for (row = buf; cc > 0 && 
occ > 0; occ -= scanline, row += scanline) { + n = *bp++, cc--; + switch (n) { + case LITERALROW: +@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s) + * The scanline has a literal span that begins at some + * offset. + */ ++ if( cc < 4 ) ++ goto bad; + off = (bp[0] * 256) + bp[1]; + n = (bp[2] * 256) + bp[3]; + if (cc < 4+n || off+n > scanline) diff -Nru tiff-4.0.3/debian/patches/series tiff-4.0.3/debian/patches/series --- tiff-4.0.3/debian/patches/series 2014-12-30 17:32:33.000000000 +0100 +++ tiff-4.0.3/debian/patches/series 2015-02-21 13:11:07.000000000 +0100 @@ -8,3 +8,12 @@ CVE-2013-4243.patch jpeg-colorspace.patch CVE-2014-9330.patch +CVE-2014-8127-1.patch +CVE-2014-8127-2.patch +CVE-2014-8127-3.patch +CVE-2014-8127-4.patch +CVE-2014-8128-1.patch +CVE-2014-8128-2.patch +CVE-2014-8128-3.patch +CVE-2014-8129.patch +CVE-2014-9655.patch -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150221203758.3655.14942.reportbug@pisco.westfalen.local
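Review bot: The new `cc > 0` term in the NeXTDecode loop condition makes an exhausted input stream end the loop quietly, so a strip whose compressed data runs out early returns with `occ` still positive and the tail of the output buffer never written; the caller then sees success on a partially decoded strip. After the loop, which closes outside this hunk, a check such as `if (occ > 0) goto bad;` (or a TIFFErrorExt naming the remaining byte count) turns the truncation into the same decode failure the added `cc < 4` test produces. The YCbCr loop rewrites in tif_getimage.c look right: `while(x>0)` handles a width below the subsampling factor that `do ... while (--x)` would have underflowed past.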