From 1408d12740a4cd2a6d71fe5f52386d9d77128645 Mon Sep 17 00:00:00 2001 From: Aaron Bauman Date: Sun, 4 Aug 2019 20:03:19 -0400 Subject: media-libs/tiff: revbump to address open security bugs * This commit addresses 3 outstanding security issues reported by the individuals listed below. * This commit involved cherry-picking the patches and adding a revbump as the original PR's renamed the original ebuild and kept stable keywords. Bug: https://bugs.gentoo.org/639700 Bug: https://bugs.gentoo.org/690732 Closes: https://github.com/gentoo/gentoo/pull/12543 Closes: https://github.com/gentoo/gentoo/pull/11743 Reported-by: Benjamin Gordon Reported-by: Allen Webb Signed-off-by: Aaron Bauman --- ...-2018-17000-tif_dirwrite-null-dereference.patch | 33 +++++++++ .../tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch | 48 ++++++++++++ ....0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch | 73 ++++++++++++++++++ media-libs/tiff/tiff-4.0.10-r1.ebuild | 86 ++++++++++++++++++++++ 4 files changed, 240 insertions(+) create mode 100644 media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch create mode 100644 media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch create mode 100644 media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch create mode 100644 media-libs/tiff/tiff-4.0.10-r1.ebuild (limited to 'media-libs/tiff') diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch new file mode 100644 index 000000000000..321c6a428afa --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch @@ -0,0 +1,33 @@ +https://crbug.com/901306 + +commit 802d3cbf3043be5dce5317e140ccb1c17a6a2d39 +Author: Thomas Bernard +Date: Tue Jan 29 11:21:47 2019 +0100 + + TIFFWriteDirectoryTagTransferfunction() : fix NULL dereferencing + + http://bugzilla.maptools.org/show_bug.cgi?id=2833 + + we must check the pointer is not NULL before memcmp() the memory + +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index c15a28dbd8fcb99b81fa5a1d44fcbcda881f42a7..ef30c869d30e210d90be16ce91f44087925fbad3 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir + n=3; + if (n==3) + { +- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16))) ++ if (tif->tif_dir.td_transferfunction[2] == NULL || ++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16))) + n=2; + } + if (n==2) + { +- if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16))) ++ if (tif->tif_dir.td_transferfunction[1] == NULL || ++ !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16))) + n=1; + } + if (n==0) diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch new file mode 100644 index 000000000000..38d020fec246 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch @@ -0,0 +1,48 @@ +https://crbug.com/923647 + +commit ae0bed1fe530a82faf2e9ea1775109dbf301a971 +Merge: 933784a1 0c74a9f4 +Author: Even Rouault +Date: Sat Feb 2 14:46:05 2019 +0000 + + Merge branch 'master' into 'master' + + Fix for simple memory leak that was assigned CVE-2019-6128. + + See merge request libtiff/libtiff!50 + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 01d8502ecf7a8a7f015e49ca9378a1a741cbc06b..9492f1cf1212177bf7e97d307757d0977c898e90 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -118,12 +118,14 @@ main(int argc, char* argv[]) + shortv != PHOTOMETRIC_PALETTE) { + fprintf(stderr, "%s: Expecting a palette image.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) { + fprintf(stderr, + "%s: No colormap (not a valid palette image).\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + bitspersample = 0; +@@ -131,11 +133,14 @@ main(int argc, char* argv[]) + if (bitspersample != 8) { + fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + out = TIFFOpen(argv[optind+1], "w"); +- if (out == NULL) ++ if (out == NULL) { ++ (void) TIFFClose(in); + return (-2); ++ } + cpTags(in, out); + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch new file mode 100644 index 000000000000..a68ba2f4bbd2 --- /dev/null +++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch @@ -0,0 +1,73 @@ +From 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 10:05:33 +0100 +Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow + +fixes bug 2833 +--- + tools/tiffcp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 2f406e2d7..f0ee2c029 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + int status = 1; + uint32 imagew = TIFFRasterScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew*spp; ++ int iskew; + tsize_t tilesize = TIFFTileSize(in); + tdata_t tilebuf; + uint8* bufp = (uint8*) buf; +@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + ++ if (spp > (0x7fffffff / tilew)) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); ++ return 0; ++ } ++ iskew = imagew - tilew*spp; + tilebuf = _TIFFmalloc(tilesize); + if (tilebuf == 0) + return 0; +-- +2.21.0 + + +From 7cc76e9bc40bc8eb329a718ab26ecef7dd1afd94 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 21:42:03 +0100 +Subject: [PATCH 2/2] tiffcp.c: use INT_MAX + +--- + tools/tiffcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index f0ee2c029..8c81aa4f2 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + + #include + +@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + +- if (spp > (0x7fffffff / tilew)) ++ if (spp > (INT_MAX / tilew)) + { + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + return 0; +-- +2.21.0 + diff --git a/media-libs/tiff/tiff-4.0.10-r1.ebuild b/media-libs/tiff/tiff-4.0.10-r1.ebuild new file mode 100644 index 000000000000..638c7c39917d --- /dev/null +++ b/media-libs/tiff/tiff-4.0.10-r1.ebuild @@ -0,0 +1,86 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit autotools libtool multilib-minimal + +DESCRIPTION="Tag Image File Format (TIFF) library" +HOMEPAGE="http://libtiff.maptools.org" +SRC_URI="https://download.osgeo.org/libtiff/${P}.tar.gz" + +LICENSE="libtiff" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="+cxx jbig jpeg lzma static-libs test webp zlib zstd" + +RDEPEND=" + jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] ) + jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1[${MULTILIB_USEDEP}] ) + webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] ) + zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] ) + zstd? ( >=app-arch/zstd-1.3.7-r1:=[${MULTILIB_USEDEP}] ) +" +DEPEND="${RDEPEND}" + +REQUIRED_USE="test? ( jpeg )" #483132 + +PATCHES=( + "${FILESDIR}"/${PN}-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch + "${FILESDIR}"/${PN}-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch + "${FILESDIR}"/${PN}-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch + "${FILESDIR}"/${PN}-4.0.10-CVE-2019-6128-pal2rgb-leak.patch + "${FILESDIR}"/${PN}-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch +) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/tiffconf.h +) + +src_prepare() { + default + + # tiffcp-thumbnail.sh fails as thumbnail binary doesn't get built anymore since tiff-4.0.7 + sed '/tiffcp-thumbnail\.sh/d' -i test/Makefile.am || die + + eautoreconf +} + +multilib_src_configure() { + local myeconfargs=( + --without-x + --with-docdir="${EPREFIX}"/usr/share/doc/${PF} + $(use_enable cxx) + $(use_enable jbig) + $(use_enable jpeg) + $(use_enable lzma) + $(use_enable static-libs static) + $(use_enable webp) + $(use_enable zlib) + $(use_enable zstd) + ) + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" + + # remove useless subdirs + if ! multilib_is_native_abi ; then + sed -i \ + -e 's/ tools//' \ + -e 's/ contrib//' \ + -e 's/ man//' \ + -e 's/ html//' \ + Makefile || die + fi +} + +multilib_src_test() { + if ! multilib_is_native_abi ; then + emake -C tools + fi + emake check +} + +multilib_src_install_all() { + find "${ED}" -name '*.la' -delete || die + rm "${ED}"/usr/share/doc/${PF}/{COPYRIGHT,README*,RELEASE-DATE,TODO,VERSION} || die +} -- cgit v1.2.3-65-gdbad