ports/opt (2.7): [notify] libtiff: resolves CVE-2012-2088 and CVE-2012-2113
commit 20671c6b0ec6e3bbfe4970b9baf25a79fbc36b44 Author: Fredrik Rinnestam <fredrik@crux.nu> Date: Thu Jul 5 20:14:53 2012 +0200 [notify] libtiff: resolves CVE-2012-2088 and CVE-2012-2113
diff --git a/libtiff/.md5sum b/libtiff/.md5sum
index fef759e..93348c1 100644
--- a/libtiff/.md5sum
+++ b/libtiff/.md5sum
@@ -1 +1,3 @@
+f8f762ce62748d4d39d753823158342b CVE-2012-2088.patch
+45e96e9c6f56a16dd3f7d3b7cca61bc5 CVE-2012-2113.patch
 6920f3bf628d791d49f268b83612ed23 tiff-3.9.6.tar.gz
diff --git a/libtiff/CVE-2012-2088.patch b/libtiff/CVE-2012-2088.patch
new file mode 100644
index 0000000..2484b78
--- /dev/null
+++ b/libtiff/CVE-2012-2088.patch
@@ -0,0 +1,162 @@
+Index: libtiff/tif_strip.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
+retrieving revision 1.19.2.3
+diff -c -r1.19.2.3 tif_strip.c
+*** libtiff/tif_strip.c 15 Dec 2010 00:50:30 -0000 1.19.2.3
+--- libtiff/tif_strip.c 17 Apr 2012 18:14:22 -0000
+***************
+*** 107,112 ****
+--- 107,113 ----
+ TIFFVStripSize(TIFF* tif, uint32 nrows)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
++ uint32 stripsize;
+
+ if (nrows == (uint32) -1)
+ nrows = td->td_imagelength;
+***************
+*** 122,128 ****
+ * YCbCr data for the extended image.
+ */
+ uint16 ycbcrsubsampling[2];
+! tsize_t w, scanline, samplingarea;
+
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+--- 123,129 ----
+ * YCbCr data for the extended image.
+ */
+ uint16 ycbcrsubsampling[2];
+! uint32 w, scanline, samplingarea;
+
+ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ ycbcrsubsampling + 0,
+***************
+*** 141,153 ****
+ nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
+ /* NB: don't need TIFFhowmany here 'cuz everything is rounded */
+ scanline = multiply(tif, nrows, scanline, "TIFFVStripSize");
+! return ((tsize_t)
+ summarize(tif, scanline,
+ multiply(tif, 2, scanline / samplingarea,
+! "TIFFVStripSize"), "TIFFVStripSize"));
+ } else
+! return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif),
+! "TIFFVStripSize"));
+ }
+
+
+--- 142,160 ----
+ nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
+ /* NB: don't need TIFFhowmany here 'cuz everything is rounded */
+ scanline = multiply(tif, nrows, scanline, "TIFFVStripSize");
+! stripsize =
+ summarize(tif, scanline,
+ multiply(tif, 2, scanline / samplingarea,
+! "TIFFVStripSize"), "TIFFVStripSize");
+ } else
+! stripsize = multiply(tif, nrows, TIFFScanlineSize(tif),
+! "TIFFVStripSize");
+! /* Because tsize_t is signed, we might have conversion overflow */
+! if (((tsize_t) stripsize) < 0) {
+! TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize");
+! stripsize = 0;
+! }
+! return (tsize_t) stripsize;
+ }
+
+
+Index: libtiff/tif_tile.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_tile.c,v
+retrieving revision 1.12.2.1
+diff -c -r1.12.2.1 tif_tile.c
+*** libtiff/tif_tile.c 8 Jun 2010 18:50:43 -0000 1.12.2.1
+--- libtiff/tif_tile.c 17 Apr 2012 18:14:22 -0000
+***************
+*** 174,180 ****
+ TIFFTileRowSize(TIFF* tif)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+! tsize_t rowsize;
+
+ if (td->td_tilelength == 0 || td->td_tilewidth == 0)
+ return ((tsize_t) 0);
+--- 174,180 ----
+ TIFFTileRowSize(TIFF* tif)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+! uint32 rowsize;
+
+ if (td->td_tilelength == 0 || td->td_tilewidth == 0)
+ return ((tsize_t) 0);
+***************
+*** 193,199 ****
+ TIFFVTileSize(TIFF* tif, uint32 nrows)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+! tsize_t tilesize;
+
+ if (td->td_tilelength == 0 || td->td_tilewidth == 0 ||
+ td->td_tiledepth == 0)
+--- 193,199 ----
+ TIFFVTileSize(TIFF* tif, uint32 nrows)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+! uint32 tilesize;
+
+ if (td->td_tilelength == 0 || td->td_tilewidth == 0 ||
+ td->td_tiledepth == 0)
+***************
+*** 209,220 ****
+ * horizontal/vertical subsampling area include
+ * YCbCr data for the extended image.
+ */
+! tsize_t w =
+ TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]);
+! tsize_t rowsize =
+ TIFFhowmany8(multiply(tif, w, td->td_bitspersample,
+ "TIFFVTileSize"));
+! tsize_t samplingarea =
+ td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1];
+ if (samplingarea == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling");
+--- 209,220 ----
+ * horizontal/vertical subsampling area include
+ * YCbCr data for the extended image.
+ */
+! uint32 w =
+ TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]);
+! uint32 rowsize =
+ TIFFhowmany8(multiply(tif, w, td->td_bitspersample,
+ "TIFFVTileSize"));
+! uint32 samplingarea =
+ td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1];
+ if (samplingarea == 0) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling");
+***************
+*** 230,237 ****
+ } else
+ tilesize = multiply(tif, nrows, TIFFTileRowSize(tif),
+ "TIFFVTileSize");
+! return ((tsize_t)
+! multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"));
+ }
+
+ /*
+--- 230,242 ----
+ } else
+ tilesize = multiply(tif, nrows, TIFFTileRowSize(tif),
+ "TIFFVTileSize");
+! tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize");
+! /* Because tsize_t is signed, we might have conversion overflow */
+! if (((tsize_t) tilesize) < 0) {
+! TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize");
+! tilesize = 0;
+! }
+! return (tsize_t) tilesize;
+ }
+
+ /*
+
diff --git a/libtiff/CVE-2012-2113.patch b/libtiff/CVE-2012-2113.patch
new file mode 100644
index 0000000..c5063fd
--- /dev/null
+++ b/libtiff/CVE-2012-2113.patch
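Review bot: The overflow path in the patched `TIFFVStripSize` and `TIFFVTileSize` signals failure by returning 0, an in-band value, and nothing in this patch documents that callers must treat a zero size as an error. After the `TIFFErrorExt` call the function simply returns, so a caller that feeds the result straight into an allocation or read length would carry on with a zero-sized buffer; the call sites are outside these hunks and need checking against that. I would add a header comment on both functions such as `/* Returns 0 on integer overflow; callers must check before sizing a buffer. */`. `TIFFTileRowSize` also switches `rowsize` to `uint32`, but its return statement is not in the quoted context, so whether it gets the same signed-conversion check cannot be seen here.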
@@ -0,0 +1,340 @@
+mv Index: tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.37.2.19
+diff -c -r1.37.2.19 tiff2pdf.c
+*** tools/tiff2pdf.c 13 Dec 2010 05:41:11 -0000 1.37.2.19
+--- tools/tiff2pdf.c 17 Apr 2012 20:15:03 -0000
+***************
+*** 431,436 ****
+--- 431,464 ----
+ (void) handle, (void) data, (void) offset;
+ }
+
++ static uint64
++ checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p)
++ {
++ uint64 bytes = summand1 + summand2;
++
++ if (bytes - summand1 != summand2) {
++ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++ t2p->t2p_error = T2P_ERR_ERROR;
++ bytes = 0;
++ }
++
++ return bytes;
++ }
++
++ static uint64
++ checkMultiply64(uint64 first, uint64 second, T2P* t2p)
++ {
++ uint64 bytes = first * second;
++
++ if (second && bytes / second != first) {
++ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++ t2p->t2p_error = T2P_ERR_ERROR;
++ bytes = 0;
++ }
++
++ return bytes;
++ }
++
+ /*
+
+ This is the main function.
+***************
+*** 1773,1781 ****
+ tstrip_t i=0;
+ tstrip_t stripcount=0;
+ #endif
+! #ifdef OJPEG_SUPPORT
+! tsize_t k = 0;
+! #endif
+
+ if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
+ #ifdef CCITT_SUPPORT
+--- 1801,1807 ----
+ tstrip_t i=0;
+ tstrip_t stripcount=0;
+ #endif
+! uint64 k = 0;
+
+ if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
+ #ifdef CCITT_SUPPORT
+***************
+*** 1803,1821 ****
+ }
+ stripcount=TIFFNumberOfStrips(input);
+ for(i=0;i<stripcount;i++){
+! k += sbc[i];
+ }
+ if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){
+ if(t2p->tiff_dataoffset != 0){
+ if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){
+ if(t2p->tiff_datasize < k) {
+- t2p->pdf_ojpegiflength=t2p->tiff_datasize;
+- t2p->tiff_datasize+=k;
+- t2p->tiff_datasize+=6;
+- t2p->tiff_datasize+=2*stripcount;
+ TIFFWarning(TIFF2PDF_MODULE,
+ "Input file %s has short JPEG interchange file byte count",
+ TIFFFileName(input));
+ return;
+ }
+ return;
+--- 1829,1853 ----
+ }
+ stripcount=TIFFNumberOfStrips(input);
+ for(i=0;i<stripcount;i++){
+! k = checkAdd64(k, sbc[i], t2p);
+ }
+ if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){
+ if(t2p->tiff_dataoffset != 0){
+ if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){
+ if(t2p->tiff_datasize < k) {
+ TIFFWarning(TIFF2PDF_MODULE,
+ "Input file %s has short JPEG interchange file byte count",
+ TIFFFileName(input));
++ t2p->pdf_ojpegiflength=t2p->tiff_datasize;
++ k = checkAdd64(k, t2p->tiff_datasize, t2p);
++ k = checkAdd64(k, 6, t2p);
++ k = checkAdd64(k, stripcount, t2p);
++ k = checkAdd64(k, stripcount, t2p);
++ t2p->tiff_datasize = (tsize_t) k;
++ if ((uint64) t2p->tiff_datasize != k) {
++ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++ t2p->t2p_error = T2P_ERR_ERROR;
++ }
+ return;
+ }
+ return;
+***************
+*** 1828,1836 ****
+ }
+ }
+ }
+! t2p->tiff_datasize+=k;
+! t2p->tiff_datasize+=2*stripcount;
+! t2p->tiff_datasize+=2048;
+ return;
+ }
+ #endif
+--- 1860,1873 ----
+ }
+ }
+ }
+! k = checkAdd64(k, stripcount, t2p);
+! k = checkAdd64(k, stripcount, t2p);
+! k = checkAdd64(k, 2048, t2p);
+! t2p->tiff_datasize = (tsize_t) k;
+! if ((uint64) t2p->tiff_datasize != k) {
+! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+! t2p->t2p_error = T2P_ERR_ERROR;
+! }
+ return;
+ }
+ #endif
+***************
+*** 1839,1849 ****
+ uint32 count = 0;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){
+ if(count > 4){
+! t2p->tiff_datasize += count;
+! t2p->tiff_datasize -= 2; /* don't use EOI of header */
+ }
+ } else {
+! t2p->tiff_datasize = 2; /* SOI for first strip */
+ }
+ stripcount=TIFFNumberOfStrips(input);
+ if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){
+--- 1876,1886 ----
+ uint32 count = 0;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){
+ if(count > 4){
+! k += count;
+! k -= 2; /* don't use EOI of header */
+ }
+ } else {
+! k = 2; /* SOI for first strip */
+ }
+ stripcount=TIFFNumberOfStrips(input);
+ if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){
+***************
+*** 1854,1871 ****
+ return;
+ }
+ for(i=0;i<stripcount;i++){
+! t2p->tiff_datasize += sbc[i];
+! t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */
+ }
+- t2p->tiff_datasize +=2; /* use EOI of last strip */
+ return;
+ }
+ #endif
+ (void) 0;
+ }
+! t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length;
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+! t2p->tiff_datasize*= t2p->tiff_samplesperpixel;
+ }
+
+ return;
+--- 1891,1923 ----
+ return;
+ }
+ for(i=0;i<stripcount;i++){
+! k = checkAdd64(k, sbc[i], t2p);
+! k -=4; /* don't use SOI or EOI of strip */
+! }
+! k = checkAdd64(k, 2, t2p); /* use EOI of last strip */
+! t2p->tiff_datasize = (tsize_t) k;
+! if ((uint64) t2p->tiff_datasize != k) {
+! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+! t2p->t2p_error = T2P_ERR_ERROR;
+ }
+ return;
+ }
+ #endif
+ (void) 0;
+ }
+! k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+! k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+! }
+! if (k == 0) {
+! /* Assume we had overflow inside TIFFScanlineSize */
+! t2p->t2p_error = T2P_ERR_ERROR;
+! }
+!
+! t2p->tiff_datasize = (tsize_t) k;
+! if ((uint64) t2p->tiff_datasize != k) {
+! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+! t2p->t2p_error = T2P_ERR_ERROR;
+ }
+
+ return;
+***************
+*** 1883,1888 ****
+--- 1935,1941 ----
+ #ifdef JPEG_SUPPORT
+ unsigned char* jpt;
+ #endif
++ uint64 k;
+
+ edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+ edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+***************
+*** 1894,1907 ****
+ #endif
+ ){
+ t2p->tiff_datasize=TIFFTileSize(input);
+ return;
+ } else {
+ TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc);
+! t2p->tiff_datasize=tbc[tile];
+ #ifdef OJPEG_SUPPORT
+ if(t2p->tiff_compression==COMPRESSION_OJPEG){
+! t2p->tiff_datasize+=2048;
+! return;
+ }
+ #endif
+ #ifdef JPEG_SUPPORT
+--- 1947,1963 ----
+ #endif
+ ){
+ t2p->tiff_datasize=TIFFTileSize(input);
++ if (t2p->tiff_datasize == 0) {
++ /* Assume we had overflow inside TIFFTileSize */
++ t2p->t2p_error = T2P_ERR_ERROR;
++ }
+ return;
+ } else {
+ TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc);
+! k=tbc[tile];
+ #ifdef OJPEG_SUPPORT
+ if(t2p->tiff_compression==COMPRESSION_OJPEG){
+! k = checkAdd64(k, 2048, t2p);
+ }
+ #endif
+ #ifdef JPEG_SUPPORT
+***************
+*** 1909,1926 ****
+ uint32 count = 0;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){
+ if(count > 4){
+! t2p->tiff_datasize += count;
+! t2p->tiff_datasize -= 2; /* don't use EOI of header or SOI of tile */
+ }
+ }
+ }
+ #endif
+ return;
+ }
+ }
+! t2p->tiff_datasize=TIFFTileSize(input);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+! t2p->tiff_datasize*= t2p->tiff_samplesperpixel;
+ }
+
+ return;
+--- 1965,1997 ----
+ uint32 count = 0;
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){
+ if(count > 4){
+! k = checkAdd64(k, count, t2p);
+! k -= 2; /* don't use EOI of header or SOI of tile */
+ }
+ }
+ }
+ #endif
++ t2p->tiff_datasize = (tsize_t) k;
++ if ((uint64) t2p->tiff_datasize != k) {
++ TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++ t2p->t2p_error = T2P_ERR_ERROR;
++ }
+ return;
+ }
+ }
+! k = TIFFTileSize(input);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+! k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+! }
+! if (k == 0) {
+! /* Assume we had overflow inside TIFFTileSize */
+! t2p->t2p_error = T2P_ERR_ERROR;
+! }
+!
+! t2p->tiff_datasize = (tsize_t) k;
+! if ((uint64) t2p->tiff_datasize != k) {
+! TIFFError(TIFF2PDF_MODULE, "Integer overflow");
+! t2p->t2p_error = T2P_ERR_ERROR;
+ }
+
+ return;
+***************
+*** 2013,2018 ****
+--- 2084,2093 ----
+ uint32 max_striplength=0;
+ #endif
+
++ /* Fail if prior error (in particular, can't trust tiff_datasize) */
++ if (t2p->t2p_error != T2P_ERR_OK)
++ return(0);
++
+ if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
+ #ifdef CCITT_SUPPORT
+ if(t2p->pdf_compression == T2P_COMPRESS_G4){
+***************
+*** 2586,2591 ****
+--- 2661,2670 ----
+ uint32 xuint32=0;
+ #endif
+
++ /* Fail if prior error (in particular, can't trust tiff_datasize) */
++ if (t2p->t2p_error != T2P_ERR_OK)
++ return(0);
++
+ edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+ edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+
+
diff --git a/libtiff/Pkgfile b/libtiff/Pkgfile
index 2de0c74..9ee323c 100644
--- a/libtiff/Pkgfile
+++ b/libtiff/Pkgfile
@@ -5,11 +5,14 @@
 
 name=libtiff
 version=3.9.6
-release=1
-source=(http://download.osgeo.org/libtiff/tiff-$version.tar.gz)
+release=2
+source=(http://download.osgeo.org/libtiff/tiff-$version.tar.gz \
+ CVE-2012-2088.patch CVE-2012-2113.patch)
 
 build() {
 cd tiff-$version
+ patch -p0 -i $SRC/CVE-2012-2088.patch
+ patch -p0 -i $SRC/CVE-2012-2113.patch
 ./configure --prefix=/usr --mandir=/usr/man
 make
 make DESTDIR=$PKG install
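Review bot: The test in `checkAdd64`, `if (bytes - summand1 != summand2)`, can never be true, because unsigned arithmetic wraps modulo 2^64 and subtracting `summand1` from the wrapped sum always gives back `summand2`; the helper therefore never reports an overflow, and `if (bytes < summand1)` is the form that works. The unchecked `k -= 4` and `k -= 2` in the JPEG strip and tile paths can wrap `k` below zero when the running total is smaller than the amount subtracted, and, assuming `tsize_t` is a signed 32-bit type in this release, such a value passes the round-trip check because the cast sign-extends back to the same `k`. Changing each narrowing check to `if (t2p->tiff_datasize < 0 || (uint64) t2p->tiff_datasize != k)` would reject it. The functions that contain these statements start and end outside the quoted context.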
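Review bot: The rewritten `source=(http://download.osgeo.org/libtiff/tiff-$version.tar.gz \` line still fetches the tarball over plain HTTP, and the only integrity check visible on this page is the MD5 entry in `.md5sum`; MD5 is no longer collision-resistant, which is a thin basis for a security update. If the mirror serves it, switch the URL to `https://`, and record a stronger digest next to the MD5 where the ports tooling allows. Whether the tooling for this release supports that is not shown here.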