aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2016-01-21 00:28:03 -0500
committerMark H Weaver <mhw@netris.org>2016-01-21 00:30:15 -0500
commit86fa2ea92f431fe9d23d41aa22c198ec2ce9a5f1 (patch)
tree9d0ee514085917f8bad1ec34754197cde838295a
parenta2190cccc2f2b371cf4a4259519ee3466f2f63ac (diff)
downloadguix-86fa2ea92f431fe9d23d41aa22c198ec2ce9a5f1.tar
guix-86fa2ea92f431fe9d23d41aa22c198ec2ce9a5f1.tar.gz
gnu: libtiff: Update to 4.0.6. Add fixes for CVE-2015-{8665,8683}.
* gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch, gnu/packages/patches/libtiff-oob-accesses-in-decode.patch, gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff): Update to 4.0.6. [source]: Add patches.
-rw-r--r--gnu-system.am3
-rw-r--r--gnu/packages/image.scm10
-rw-r--r--gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch107
-rw-r--r--gnu/packages/patches/libtiff-oob-accesses-in-decode.patch171
-rw-r--r--gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch49
5 files changed, 337 insertions, 3 deletions
diff --git a/gnu-system.am b/gnu-system.am
index fe421a9569..d37775d235 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -547,6 +547,9 @@ dist_patch_DATA = \
gnu/packages/patches/libmad-frame-length.patch \
gnu/packages/patches/libmad-mips-newgcc.patch \
gnu/packages/patches/libtheora-config-guess.patch \
+ gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
+ gnu/packages/patches/libtiff-oob-accesses-in-decode.patch \
+ gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch \
gnu/packages/patches/libtool-skip-tests2.patch \
gnu/packages/patches/libsndfile-CVE-2014-9496.patch \
gnu/packages/patches/libsndfile-CVE-2015-7805.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index d3ed92fde8..bf120f0184 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014, 2015 Alex Kost <alezost@gmail.com>
;;; Copyright © 2014 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
@@ -131,13 +131,17 @@ maximum quality factor.")
(define-public libtiff
(package
(name "libtiff")
- (version "4.0.5")
+ (version "4.0.6")
(source (origin
(method url-fetch)
(uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-"
version ".tar.gz"))
(sha256 (base32
- "171hgy4mylwmvdm7gp6ffjva81m4j56v3fbqsbfl7avzxn1slpp2"))))
+ "136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd"))
+ (patches (map search-patch
+ '("libtiff-oob-accesses-in-decode.patch"
+ "libtiff-oob-write-in-nextdecode.patch"
+ "libtiff-CVE-2015-8665+CVE-2015-8683.patch")))))
(build-system gnu-build-system)
(outputs '("out"
"doc")) ;1.3 MiB of HTML documentation
diff --git a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
new file mode 100644
index 0000000000..811516dbe9
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
@@ -0,0 +1,107 @@
+2015-12-26 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+ CVE-2015-8683 reported by zzf of Alibaba.
+
+diff -u -r1.93 -r1.94
+--- libtiff/libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93
++++ libtiff/libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94
+@@ -182,20 +182,22 @@
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
+- if( td->td_samplesperpixel != 3 )
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+ {
+ sprintf(emsg,
+- "Sorry, can not handle image with %s=%d",
+- "Samples/pixel", td->td_samplesperpixel);
++ "Sorry, can not handle image with %s=%d, %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels);
+ return 0;
+ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+ {
+ sprintf(emsg,
+- "Sorry, can not handle image with %s=%d and %s=%d",
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels,
+ "Bits/sample", td->td_bitspersample);
+ return 0;
+ }
+@@ -255,6 +257,9 @@
+ int colorchannels;
+ uint16 *red_orig, *green_orig, *blue_orig;
+ int n_color;
++
++ if( !TIFFRGBAImageOK(tif, emsg) )
++ return 0;
+
+ /* Initialize to normal values */
+ img->row_offset = 0;
+@@ -2509,29 +2514,33 @@
+ case PHOTOMETRIC_RGB:
+ switch (img->bitspersample) {
+ case 8:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >= 4)
+ img->put.contig = putRGBAAcontig8bittile;
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >= 4)
+ {
+ if (BuildMapUaToAa(img))
+ img->put.contig = putRGBUAcontig8bittile;
+ }
+- else
++ else if( img->samplesperpixel >= 3 )
+ img->put.contig = putRGBcontig8bittile;
+ break;
+ case 16:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ if (BuildMapBitdepth16To8(img))
+ img->put.contig = putRGBAAcontig16bittile;
+ }
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ if (BuildMapBitdepth16To8(img) &&
+ BuildMapUaToAa(img))
+ img->put.contig = putRGBUAcontig16bittile;
+ }
+- else
++ else if( img->samplesperpixel >=3 )
+ {
+ if (BuildMapBitdepth16To8(img))
+ img->put.contig = putRGBcontig16bittile;
+@@ -2540,7 +2549,7 @@
+ }
+ break;
+ case PHOTOMETRIC_SEPARATED:
+- if (buildMap(img)) {
++ if (img->samplesperpixel >=4 && buildMap(img)) {
+ if (img->bitspersample == 8) {
+ if (!img->Map)
+ img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2636,7 +2645,7 @@
+ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if (buildMap(img)) {
++ if (img->samplesperpixel == 3 && buildMap(img)) {
+ if (img->bitspersample == 8)
+ img->put.contig = initCIELabConversion(img);
+ break;
diff --git a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch b/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
new file mode 100644
index 0000000000..3fea745056
--- /dev/null
+++ b/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
@@ -0,0 +1,171 @@
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+ functions in non debug builds by replacing assert()s by regular if
+ checks (bugzilla #2522).
+ Fix potential out-of-bound reads in case of short input data.
+
+diff -u -r1.40 -r1.41
+--- libtiff/libtiff/tif_luv.c 21 Jun 2015 01:09:09 -0000 1.40
++++ libtiff/libtiff/tif_luv.c 27 Dec 2015 16:25:11 -0000 1.41
+@@ -1,4 +1,4 @@
+-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
++/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1997 Greg Ward Larson
+@@ -202,7 +202,11 @@
+ if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+ tp = (int16*) op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (int16*) sp->tbuf;
+ }
+ _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@
+ cc = tif->tif_rawcc;
+ /* get each byte string */
+ for (shft = 2*8; (shft -= 8) >= 0; ) {
+- for (i = 0; i < npixels && cc > 0; )
++ for (i = 0; i < npixels && cc > 0; ) {
+ if (*bp >= 128) { /* run */
+- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++ if( cc < 2 )
++ break;
++ rc = *bp++ + (2-128);
+ b = (int16)(*bp++ << shft);
+ cc -= 2;
+ while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@
+ while (--cc && rc-- && i < npixels)
+ tp[i++] |= (int16)*bp++ << shft;
+ }
++ }
+ if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@
+ if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ tp = (uint32 *)op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (uint32 *) sp->tbuf;
+ }
+ /* copy to array of uint32 */
+ bp = (unsigned char*) tif->tif_rawcp;
+ cc = tif->tif_rawcc;
+- for (i = 0; i < npixels && cc > 0; i++) {
++ for (i = 0; i < npixels && cc >= 3; i++) {
+ tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+ bp += 3;
+ cc -= 3;
+@@ -325,7 +336,11 @@
+ if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ tp = (uint32*) op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (uint32*) sp->tbuf;
+ }
+ _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@
+ cc = tif->tif_rawcc;
+ /* get each byte string */
+ for (shft = 4*8; (shft -= 8) >= 0; ) {
+- for (i = 0; i < npixels && cc > 0; )
++ for (i = 0; i < npixels && cc > 0; ) {
+ if (*bp >= 128) { /* run */
++ if( cc < 2 )
++ break;
+ rc = *bp++ + (2-128);
+ b = (uint32)*bp++ << shft;
+- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++ cc -= 2;
+ while (rc-- && i < npixels)
+ tp[i++] |= b;
+ } else { /* non-run */
+@@ -346,6 +363,7 @@
+ while (--cc && rc-- && i < npixels)
+ tp[i++] |= (uint32)*bp++ << shft;
+ }
++ }
+ if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -413,6 +431,7 @@
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module[] = "LogL16Encode";
+ LogLuvState* sp = EncoderState(tif);
+ int shft;
+ tmsize_t i;
+@@ -433,7 +452,11 @@
+ tp = (int16*) bp;
+ else {
+ tp = (int16*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* compress each byte string */
+@@ -506,6 +529,7 @@
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module[] = "LogLuvEncode24";
+ LogLuvState* sp = EncoderState(tif);
+ tmsize_t i;
+ tmsize_t npixels;
+@@ -521,7 +545,11 @@
+ tp = (uint32*) bp;
+ else {
+ tp = (uint32*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* write out encoded pixels */
+@@ -553,6 +581,7 @@
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module[] = "LogLuvEncode32";
+ LogLuvState* sp = EncoderState(tif);
+ int shft;
+ tmsize_t i;
+@@ -574,7 +603,11 @@
+ tp = (uint32*) bp;
+ else {
+ tp = (uint32*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* compress each byte string */
diff --git a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
new file mode 100644
index 0000000000..50657b667c
--- /dev/null
+++ b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
@@ -0,0 +1,49 @@
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
+ (bugzilla #2508)
+
+diff -u -r1.16 -r1.18
+--- libtiff/libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16
++++ libtiff/libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18
+@@ -1,4 +1,4 @@
+-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
++/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -37,7 +37,7 @@
+ case 0: op[0] = (unsigned char) ((v) << 6); break; \
+ case 1: op[0] |= (v) << 4; break; \
+ case 2: op[0] |= (v) << 2; break; \
+- case 3: *op++ |= (v); break; \
++ case 3: *op++ |= (v); op_offset++; break; \
+ } \
+ }
+
+@@ -103,6 +103,7 @@
+ }
+ default: {
+ uint32 npixels = 0, grey;
++ tmsize_t op_offset = 0;
+ uint32 imagewidth = tif->tif_dir.td_imagewidth;
+ if( isTiled(tif) )
+ imagewidth = tif->tif_dir.td_tilewidth;
+@@ -122,10 +123,15 @@
+ * bounds, potentially resulting in a security
+ * issue.
+ */
+- while (n-- > 0 && npixels < imagewidth)
++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
+ SETPIXEL(op, grey);
+ if (npixels >= imagewidth)
+ break;
++ if (op_offset >= scanline ) {
++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
++ (long) tif->tif_row);
++ return (0);
++ }
+ if (cc == 0)
+ goto bad;
+ n = *bp++, cc--;