[notify] libtiff: patches for CVE-2013-1960, CVE-2013-4243

2013-10-24 14:31:38 +02:00 · 2013-10-24 14:31:38 +02:00 · 51fee6388c
commit 51fee6388c
parent edb44e9381
4 changed files with 189 additions and 2 deletions
--- a/libtiff/.md5sum
+++ b/libtiff/.md5sum
@ -1,4 +1,6 @@
 6c1189a715708edc8ba926977b33895f  gif2tiff-buffer-overflow.patch
 2c0dabc854c95e7453fc56d2fd50a503  lzw-oob-write.patch
+e9de577a81571ab8ffac84aac8c64381  tiff-4.0.3-CVE-2013-1960.patch
+682ee6498fe06ffe0b44370164acf0b4  tiff-4.0.3-CVE-2013-4243.patch
 051c1068e6a0627f461948c365290410  tiff-4.0.3.tar.gz
 35aee7eea6949c2d26ffa52872991115  tiff2pdf_use-after-free.patch
--- a/libtiff/Pkgfile
+++ b/libtiff/Pkgfile
@ -5,15 +5,18 @@

 name=libtiff
 version=4.0.3
-release=3
+release=4
 source=(http://download.osgeo.org/libtiff/tiff-$version.tar.gz \
-        gif2tiff-buffer-overflow.patch tiff2pdf_use-after-free.patch lzw-oob-write.patch)
+        gif2tiff-buffer-overflow.patch tiff2pdf_use-after-free.patch lzw-oob-write.patch \
+	tiff-4.0.3-CVE-2013-4243.patch tiff-4.0.3-CVE-2013-1960.patch )

 build() {
    cd tiff-$version
    patch -d tools -p0 -i $SRC/tiff2pdf_use-after-free.patch
    patch -d tools -p0 -i $SRC/gif2tiff-buffer-overflow.patch
    patch -d tools -p0 -i $SRC/lzw-oob-write.patch
+    patch -p0 -i $SRC/tiff-4.0.3-CVE-2013-4243.patch
+    patch -p1 -i $SRC/tiff-4.0.3-CVE-2013-1960.patch

    ./configure --prefix=/usr --mandir=/usr/man
    make
--- a/libtiff/tiff-4.0.3-CVE-2013-1960.patch
+++ b/libtiff/tiff-4.0.3-CVE-2013-1960.patch
@ -0,0 +1,145 @@
+diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c
+--- tiff-4.0.3.orig/tools/tiff2pdf.c	2012-07-25 22:56:43.000000000 -0400
+++ tiff-4.0.3/tools/tiff2pdf.c	2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+ 	uint32 height){
+ 
+ 	tsize_t i=0;
+-	uint16 ri =0;
+-	uint16 v_samp=1;
+-	uint16 h_samp=1;
+-	int j=0;
+-	
+-	i++;
+-	
+-	while(i<(*striplength)){
+
+	while (i < *striplength) {
+		tsize_t datalen;
+		uint16 ri;
+		uint16 v_samp;
+		uint16 h_samp;
+		int j;
+		int ncomp;
+
+		/* marker header: one or more FFs */
+		if (strip[i] != 0xff)
+			return(0);
+		i++;
+		while (i < *striplength && strip[i] == 0xff)
+			i++;
+		if (i >= *striplength)
+			return(0);
+		/* SOI is the only pre-SOS marker without a length word */
+		if (strip[i] == 0xd8)
+			datalen = 0;
+		else {
+			if ((*striplength - i) <= 2)
+				return(0);
+			datalen = (strip[i+1] << 8) | strip[i+2];
+			if (datalen < 2 || datalen >= (*striplength - i))
+				return(0);
+		}
+ 		switch( strip[i] ){
+-			case 0xd8:
+-				/* SOI - start of image */
+			case 0xd8:	/* SOI - start of image */
+ 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ 				*bufferoffset+=2;
+-				i+=2;
+ 				break;
+-			case 0xc0:
+-			case 0xc1:
+-			case 0xc3:
+-			case 0xc9:
+-			case 0xca:
+			case 0xc0:	/* SOF0 */
+			case 0xc1:	/* SOF1 */
+			case 0xc3:	/* SOF3 */
+			case 0xc9:	/* SOF9 */
+			case 0xca:	/* SOF10 */
+ 				if(no==0){
+-					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-					for(j=0;j<buffer[*bufferoffset+9];j++){
+-						if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) 
+-							h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+-						if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) 
+-							v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
+					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+					ncomp = buffer[*bufferoffset+9];
+					if (ncomp < 1 || ncomp > 4)
+						return(0);
+					v_samp=1;
+					h_samp=1;
+					for(j=0;j<ncomp;j++){
+						uint16 samp = buffer[*bufferoffset+11+(3*j)];
+						if( (samp>>4) > h_samp) 
+							h_samp = (samp>>4);
+						if( (samp & 0x0f) > v_samp) 
+							v_samp = (samp & 0x0f);
+ 					}
+ 					v_samp*=8;
+ 					h_samp*=8;
+@@ -3381,45 +3404,43 @@
+                                           (unsigned char) ((height>>8) & 0xff);
+ 					buffer[*bufferoffset+6]=
+                                             (unsigned char) (height & 0xff);
+-					*bufferoffset+=strip[i+2]+2;
+-					i+=strip[i+2]+2;
+-
+					*bufferoffset+=datalen+2;
+					/* insert a DRI marker */
+ 					buffer[(*bufferoffset)++]=0xff;
+ 					buffer[(*bufferoffset)++]=0xdd;
+ 					buffer[(*bufferoffset)++]=0x00;
+ 					buffer[(*bufferoffset)++]=0x04;
+ 					buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+ 					buffer[(*bufferoffset)++]= ri & 0xff;
+-				} else {
+-					i+=strip[i+2]+2;
+ 				}
+ 				break;
+-			case 0xc4:
+-			case 0xdb:
+-				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-				*bufferoffset+=strip[i+2]+2;
+-				i+=strip[i+2]+2;
+			case 0xc4: /* DHT */
+			case 0xdb: /* DQT */
+				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+				*bufferoffset+=datalen+2;
+ 				break;
+-			case 0xda:
+			case 0xda: /* SOS */
+ 				if(no==0){
+-					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+-					*bufferoffset+=strip[i+2]+2;
+-					i+=strip[i+2]+2;
+					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+					*bufferoffset+=datalen+2;
+ 				} else {
+ 					buffer[(*bufferoffset)++]=0xff;
+ 					buffer[(*bufferoffset)++]=
+                                             (unsigned char)(0xd0 | ((no-1)%8));
+-					i+=strip[i+2]+2;
+ 				}
+-				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+-				*bufferoffset+=(*striplength)-i-1;
+				i += datalen + 1;
+				/* copy remainder of strip */
+				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
+				*bufferoffset+= *striplength - i;
+ 				return(1);
+ 			default:
+-				i+=strip[i+2]+2;
+				/* ignore any other marker */
+				break;
+ 		}
+		i += datalen + 1;
+ 	}
+-	
+ 
+	/* failed to find SOS marker */
+ 	return(0);
+ }
+ #endif
--- a/libtiff/tiff-4.0.3-CVE-2013-4243.patch
+++ b/libtiff/tiff-4.0.3-CVE-2013-4243.patch
@ -0,0 +1,37 @@
+Index: tools/gif2tiff.c
+===================================================================
+--- tools/gif2tiff.c.orig
+++ tools/gif2tiff.c
+@@ -280,6 +280,10 @@ readgifimage(char* mode)
+         fprintf(stderr, "no colormap present for image\n");
+         return (0);
+     }
+    if (width == 0 || height == 0) {
+        fprintf(stderr, "Invalid value of width or height\n");
+        return(0);
+    }
+     if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+         fprintf(stderr, "not enough memory for image\n");
+         return (0);
+@@ -406,6 +410,10 @@ process(register int code, unsigned char
+             fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+             return 0;
+         }
+        if (*fill >= raster + width*height) {
+            fprintf(stderr, "raster full before eoi code\n");
+            return 0;
+        }
+ 	*(*fill)++ = suffix[code];
+ 	firstchar = oldcode = code;
+ 	return 1;
+@@ -436,6 +444,10 @@ process(register int code, unsigned char
+     }
+     oldcode = incode;
+     do {
+        if (*fill >= raster + width*height) {
+            fprintf(stderr, "raster full before eoi code\n");
+            return 0;
+        }
+ 	*(*fill)++ = *--stackp;
+     } while (stackp > stack);
+     return 1;