aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2016-10-29 19:23:05 -0400
committerLeo Famulari <leo@famulari.name>2016-10-30 19:07:49 -0400
commitb89cbf5832fd920ef85002041bc690204b0174a3 (patch)
treedce25b5e84a52dffe44793b748e7060da6989ba8
parenta7db8540a712b039aa518bfc4c58e7a6ce823858 (diff)
downloadpatches-b89cbf5832fd920ef85002041bc690204b0174a3.tar
patches-b89cbf5832fd920ef85002041bc690204b0174a3.tar.gz
gnu: libtiff: Fix CVE-2016-5652.
* gnu/packages/patches/libtiff-CVE-2016-5652.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/image.scm (libtiff-fixed)[source]: Use it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/image.scm3
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-5652.patch47
3 files changed, 50 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 8ee8b8c66c..24013a52be 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -657,6 +657,7 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-CVE-2016-5314.patch \
%D%/packages/patches/libtiff-CVE-2016-5321.patch \
%D%/packages/patches/libtiff-CVE-2016-5323.patch \
+ %D%/packages/patches/libtiff-CVE-2016-5652.patch \
%D%/packages/patches/libtiff-oob-accesses-in-decode.patch \
%D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 873a7f23c6..3a1209f4b1 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -234,7 +234,8 @@ collection of tools for doing simple manipulations of TIFF images.")
"libtiff-CVE-2016-3991.patch"
"libtiff-CVE-2016-5314.patch"
"libtiff-CVE-2016-5321.patch"
- "libtiff-CVE-2016-5323.patch"))))))
+ "libtiff-CVE-2016-5323.patch"
+ "libtiff-CVE-2016-5652.patch"))))))
(define-public libwmf
(package
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5652.patch b/gnu/packages/patches/libtiff-CVE-2016-5652.patch
new file mode 100644
index 0000000000..54b87d0185
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-5652.patch
@@ -0,0 +1,47 @@
+Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
+
+Patches exfiltrated from upstream CVS repo with:
+cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c
+
+Index: tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.92
+retrieving revision 1.94
+diff -u -r1.92 -r1.94
+--- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92
++++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94
+@@ -2887,21 +2887,24 @@
+ return(0);
+ }
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+- if (count > 0) {
+- _TIFFmemcpy(buffer, jpt, count);
++ if (count >= 4) {
++ /* Ignore EOI marker of JpegTables */
++ _TIFFmemcpy(buffer, jpt, count - 2);
+ bufferoffset += count - 2;
++ /* Store last 2 bytes of the JpegTables */
+ table_end[0] = buffer[bufferoffset-2];
+ table_end[1] = buffer[bufferoffset-1];
+- }
+- if (count > 0) {
+ xuint32 = bufferoffset;
++ bufferoffset -= 2;
+ bufferoffset += TIFFReadRawTile(
+ input,
+ tile,
+- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),
++ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
+ -1);
+- buffer[xuint32-2]=table_end[0];
+- buffer[xuint32-1]=table_end[1];
++ /* Overwrite SOI marker of image scan with previously */
++ /* saved end of JpegTables */
++ buffer[xuint32-2]=table_end[0];
++ buffer[xuint32-1]=table_end[1];
+ } else {
+ bufferoffset += TIFFReadRawTile(
+ input,