[libtiff] Add upstream patches for CVE-2012-4447, CVE-2012-4564

Tom Lane tgl at fedoraproject.org
Thu Dec 13 19:15:18 UTC 2012


commit 1d5ae67789ee9b9bb89db4862e18f164d8e08462
Author: Tom Lane <tgl at redhat.com>
Date:   Thu Dec 13 14:14:22 2012 -0500

    Add upstream patches for CVE-2012-4447, CVE-2012-4564

 libtiff-CVE-2012-4447.patch  |   40 +++++++++++++++++++
 libtiff-CVE-2012-4564.patch  |   86 ++++++++++++++++++++++++++++++++++++++++++
 libtiff-am-version.patch     |   31 +++++++++++++++
 libtiff-printdir-width.patch |   20 ++++++++++
 libtiff.spec                 |   17 ++++++++-
 5 files changed, 193 insertions(+), 1 deletions(-)
---
diff --git a/libtiff-CVE-2012-4447.patch b/libtiff-CVE-2012-4447.patch
new file mode 100644
index 0000000..ebf9a00
--- /dev/null
+++ b/libtiff-CVE-2012-4447.patch
@@ -0,0 +1,40 @@
+Upstream patch for CVE-2012-4447.
+
+
+diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c
+--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c	2012-07-04 15:26:31.000000000 -0400
++++ tiff-4.0.3/libtiff/tif_pixarlog.c	2012-12-12 16:43:18.931315699 -0500
+@@ -644,6 +644,20 @@
+ 	return bytes;
+ }
+ 
++static tmsize_t
++add_ms(tmsize_t m1, tmsize_t m2)
++{
++	tmsize_t bytes = m1 + m2;
++
++	/* if either input is zero, assume overflow already occurred */
++	if (m1 == 0 || m2 == 0)
++		bytes = 0;
++	else if (bytes <= m1 || bytes <= m2)
++		bytes = 0;
++
++	return bytes;
++}
++
+ static int
+ PixarLogFixupTags(TIFF* tif)
+ {
+@@ -671,9 +685,11 @@
+ 	    td->td_samplesperpixel : 1);
+ 	tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
+ 				      td->td_rowsperstrip), sizeof(uint16));
++	/* add one more stride in case input ends mid-stride */
++	tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ 	if (tbuf_size == 0)
+ 		return (0);   /* TODO: this is an error return without error report through TIFFErrorExt */
+-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
++	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ 	if (sp->tbuf == NULL)
+ 		return (0);
+ 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
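Review bot: The overflow test in the new `add_ms` (the `bytes <= m1 || bytes <= m2` branch) runs only after `m1 + m2` has already been evaluated in `tmsize_t`, which libtiff declares as a signed type, so the wrap it is meant to catch is signed-integer overflow — undefined behaviour that an optimizer is entitled to assume never happens and to delete the check for; the pre-existing `multiply_ms` has the same post-hoc pattern, but this hunk adds another instance of it. Bound the operands before adding instead: `if (m1 <= 0 || m2 <= 0 || m1 > TIFF_TMSIZE_T_MAX - m2) return 0; return m1 + m2;` (presumably tiffiop.h's `TIFF_TMSIZE_T_MAX` is available in this version — confirm, otherwise derive it from `TIFF_SIZE_T_MAX`). Note also that the new `add_ms(tbuf_size, sizeof(uint16) * sp->stride)` call yields 0 when `sp->stride` is 0, which then takes the silent `return (0)` that the existing TODO comment already flags, so emitting a `TIFFErrorExt` on that path would make both failures diagnosable instead of looking like an unexplained decode failure. The enclosing function starts before and ends after this hunk.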
diff --git a/libtiff-CVE-2012-4564.patch b/libtiff-CVE-2012-4564.patch
new file mode 100644
index 0000000..3d7946c
--- /dev/null
+++ b/libtiff-CVE-2012-4564.patch
@@ -0,0 +1,86 @@
+Upstream patch for CVE-2012-4564.
+
+
+diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c
+--- tiff-4.0.3.orig/tools/ppm2tiff.c	2010-04-10 15:22:34.000000000 -0400
++++ tiff-4.0.3/tools/ppm2tiff.c	2012-12-12 16:43:18.932315708 -0500
+@@ -72,6 +72,17 @@
+ 	exit(-2);
+ }
+ 
++static tmsize_t
++multiply_ms(tmsize_t m1, tmsize_t m2)
++{
++	tmsize_t bytes = m1 * m2;
++
++	if (m1 && bytes / m1 != m2)
++		bytes = 0;
++
++	return bytes;
++}
++
+ int
+ main(int argc, char* argv[])
+ {
+@@ -79,7 +90,7 @@
+ 	uint32 rowsperstrip = (uint32) -1;
+ 	double resolution = -1;
+ 	unsigned char *buf = NULL;
+-	tsize_t linebytes = 0;
++	tmsize_t linebytes = 0;
+ 	uint16 spp = 1;
+ 	uint16 bpp = 8;
+ 	TIFF *out;
+@@ -89,6 +100,7 @@
+ 	int c;
+ 	extern int optind;
+ 	extern char* optarg;
++	tmsize_t scanline_size;
+ 
+ 	if (argc < 2) {
+ 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -221,7 +233,8 @@
+ 	}
+ 	switch (bpp) {
+ 		case 1:
+-			linebytes = (spp * w + (8 - 1)) / 8;
++			/* if round-up overflows, result will be zero, OK */
++			linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+ 			if (rowsperstrip == (uint32) -1) {
+ 				TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
+ 			} else {
+@@ -230,15 +243,31 @@
+ 			}
+ 			break;
+ 		case 8:
+-			linebytes = spp * w;
++			linebytes = multiply_ms(spp, w);
+ 			TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ 			    TIFFDefaultStripSize(out, rowsperstrip));
+ 			break;
+ 	}
+-	if (TIFFScanlineSize(out) > linebytes)
++	if (linebytes == 0) {
++		fprintf(stderr, "%s: scanline size overflow\n", infile);
++		(void) TIFFClose(out);
++		exit(-2);					
++	}
++	scanline_size = TIFFScanlineSize(out);
++	if (scanline_size == 0) {
++		/* overflow - TIFFScanlineSize already printed a message */
++		(void) TIFFClose(out);
++		exit(-2);					
++	}
++	if (scanline_size < linebytes)
+ 		buf = (unsigned char *)_TIFFmalloc(linebytes);
+ 	else
+-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++		buf = (unsigned char *)_TIFFmalloc(scanline_size);
++	if (buf == NULL) {
++		fprintf(stderr, "%s: Not enough memory\n", infile);
++		(void) TIFFClose(out);
++		exit(-2);
++	}
+ 	if (resolution > 0) {
+ 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
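Review bot: The new `multiply_ms` in ppm2tiff.c computes `m1 * m2` in `tmsize_t`, a signed type, before checking `bytes / m1 != m2`, so the wrap it is meant to detect is signed overflow (undefined behaviour) and the compiler may legitimately drop the test; since this tool only sees tiffio.h, bound the operands first, e.g. `if (m1 <= 0 || m2 <= 0 || m1 > (tmsize_t)(((size_t)-1) >> 1) / m2) return 0; return m1 * m2;`. Separately, the `switch (bpp)` still has no `default`, so a `bpp` that is neither 1 nor 8 leaves `linebytes` at its initial 0 and now dies with the misleading "scanline size overflow" message; if `bpp` is constrained to those two values earlier in `main` (not visible here), a `default:` that says so would make that explicit. The two added `exit(-2);` lines also carry trailing tabs. `main` starts before and ends after this hunk.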
diff --git a/libtiff-am-version.patch b/libtiff-am-version.patch
new file mode 100644
index 0000000..c94c2e0
--- /dev/null
+++ b/libtiff-am-version.patch
@@ -0,0 +1,31 @@
+Back off the minimum required automake version to 1.11.  There isn't
+anything in libtiff currently that actually requires 1.12, and changing
+this allows the package to be built on pre-F18 machines for easier testing.
+
+This patch can go away once we no longer care about testing on pre-F18.
+
+
+diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
+--- tiff-4.0.3.orig/Makefile.am	2012-09-20 09:22:47.000000000 -0400
++++ tiff-4.0.3/Makefile.am	2012-10-30 11:33:30.312823564 -0400
+@@ -25,7 +25,7 @@
+ 
+ docdir = $(LIBTIFF_DOCDIR)
+ 
+-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
+ ACLOCAL_AMFLAGS = -I m4
+ 
+ docfiles = \
+diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
+--- tiff-4.0.3.orig/test/Makefile.am	2012-09-20 09:22:28.000000000 -0400
++++ tiff-4.0.3/test/Makefile.am	2012-10-30 11:33:17.109696812 -0400
+@@ -23,7 +23,7 @@
+ 
+ # Process this file with automake to produce Makefile.in.
+ 
+-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
+ 
+ LIBTIFF = $(top_builddir)/libtiff/libtiff.la
+ 
diff --git a/libtiff-printdir-width.patch b/libtiff-printdir-width.patch
new file mode 100644
index 0000000..f41f027
--- /dev/null
+++ b/libtiff-printdir-width.patch
@@ -0,0 +1,20 @@
+Back-patch upstream patch of 2012-12-12 ("Fix TIFF_VARIABLE/TIFF_VARIABLE2
+confusion in TIFFPrintDirectory").
+
+
+diff -Naur tiff-4.0.3.orig/libtiff/tif_print.c tiff-4.0.3/libtiff/tif_print.c
+--- tiff-4.0.3.orig/libtiff/tif_print.c	2012-08-19 12:56:35.000000000 -0400
++++ tiff-4.0.3/libtiff/tif_print.c	2012-12-12 16:53:05.355927641 -0500
+@@ -582,10 +582,10 @@
+ 				continue;
+ 
+ 			if(fip->field_passcount) {
+-				if (fip->field_readcount == TIFF_VARIABLE ) {
++				if (fip->field_readcount == TIFF_VARIABLE2 ) {
+ 					if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
+ 						continue;
+-				} else if (fip->field_readcount == TIFF_VARIABLE2 ) {
++				} else if (fip->field_readcount == TIFF_VARIABLE ) {
+ 					uint16 small_value_count;
+ 					if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1)
+ 						continue;
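Review bot: Nothing in the code records which count width belongs to which `TIFF_VARIABLE` constant, which is presumably how the two branches got swapped in the first place; a comment on the `if(fip->field_passcount)` line such as `/* TIFF_VARIABLE: count is passed as uint16; TIFF_VARIABLE2: count is passed as uint32 */` would pin the convention the fix relies on. As far as this hunk shows the swap is consistent — `TIFF_VARIABLE` now takes the `uint16 small_value_count` branch — but the declared type of `value_count` is outside the hunk, so that it is really a uint32 is an assumption to confirm. TIFFPrintDirectory starts before and ends after this hunk.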
diff --git a/libtiff.spec b/libtiff.spec
index 4e194fd..96355cc 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 License: libtiff
 Group: System Environment/Libraries
@@ -9,6 +9,11 @@ URL: http://www.remotesensing.org/libtiff/
 
 Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
 
+Patch0: libtiff-am-version.patch
+Patch1: libtiff-CVE-2012-4447.patch
+Patch2: libtiff-CVE-2012-4564.patch
+Patch3: libtiff-printdir-width.patch
+
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig
 
@@ -58,6 +63,11 @@ image files using the libtiff library.
 %prep
 %setup -q -n tiff-%{version}
 
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
 
@@ -160,6 +170,11 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Thu Dec 13 2012 Tom Lane <tgl at redhat.com> 4.0.3-2
+- Add upstream patches for CVE-2012-4447, CVE-2012-4564
+  (note: CVE-2012-5581 is already fixed in 4.0.3)
+Resolves: #880907
+
 * Thu Oct  4 2012 Tom Lane <tgl at redhat.com> 4.0.3-1
 - Update to libtiff 4.0.3
 

