[libtiff/f13/master] Fix CVE-2011-0192 and a gif2tiff bug
Tom Lane
tgl at fedoraproject.org
Wed Mar 2 22:27:27 UTC 2011
commit 857207a1b2f150d05a581728e55aede6a4572fb6
Author: Tom Lane <tgl at redhat.com>
Date: Wed Mar 2 17:26:14 2011 -0500
Fix CVE-2011-0192 and a gif2tiff bug
libtiff-CVE-2011-0192.patch | 23 +++++++++++++++++++++++
libtiff-gif2tiff-overrun.patch | 22 ++++++++++++++++++++++
libtiff.spec | 12 +++++++++++-
3 files changed, 56 insertions(+), 1 deletions(-)
---
diff --git a/libtiff-CVE-2011-0192.patch b/libtiff-CVE-2011-0192.patch
new file mode 100644
index 0000000..340a161
--- /dev/null
+++ b/libtiff-CVE-2011-0192.patch
@@ -0,0 +1,23 @@
+Protect against a fax VL(n) codeword commanding a move left. Without
+this, a malicious input file can generate an indefinitely large series
+of runs without a0 ever reaching the right margin, thus overrunning
+our buffer of run lengths. Per CVE-2011-0192. This is a modified
+version of a patch proposed by Drew Yao of Apple Product Security.
+It adds an unexpected() report, and disallows the equality case, since
+emitting a run without increasing a0 still allows buffer overrun.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_fax3.h tiff-3.9.4/libtiff/tif_fax3.h
+--- tiff-3.9.4.orig/libtiff/tif_fax3.h 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_fax3.h 2011-02-22 15:20:22.336377923 -0500
+@@ -478,6 +478,10 @@
+ break; \
+ case S_VL: \
+ CHECK_b1; \
++ if (b1 <= (int) (a0 + TabEnt->Param)) { \
++ unexpected("VL", a0); \
++ goto eol2d; \
++ } \
+ SETVALUE(b1 - a0 - TabEnt->Param); \
+ b1 -= *--pb; \
+ break; \
diff --git a/libtiff-gif2tiff-overrun.patch b/libtiff-gif2tiff-overrun.patch
new file mode 100644
index 0000000..eff7343
--- /dev/null
+++ b/libtiff-gif2tiff-overrun.patch
@@ -0,0 +1,22 @@
+gif2tiff buffer overrun. Filed upstream at
+http://bugzilla.maptools.org/show_bug.cgi?id=2270
+
+This appears not to be security critical: it's a read not a write
+overrun, so the worst possible consequence is SIGSEGV, and even that
+doesn't seem to happen on any popular architectures.
+
+
+diff -Naur tiff-3.9.4.orig/tools/gif2tiff.c tiff-3.9.4/tools/gif2tiff.c
+--- tiff-3.9.4.orig/tools/gif2tiff.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/gif2tiff.c 2010-11-02 22:32:10.018264489 -0400
+@@ -503,6 +503,10 @@
+ strip = 0;
+ stripsize = TIFFStripSize(tif);
+ for (row=0; row<height; row += rowsperstrip) {
++ if (rowsperstrip > height-row) {
++ rowsperstrip = height-row;
++ stripsize = TIFFVStripSize(tif, rowsperstrip);
++ }
+ if (TIFFWriteEncodedStrip(tif, strip, newras+row*width, stripsize) < 0)
+ break;
+ strip++;
diff --git a/libtiff.spec b/libtiff.spec
index 2b901aa..2b9378f 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 3.9.4
-Release: 1%{?dist}
+Release: 3%{?dist}
License: libtiff
Group: System Environment/Libraries
@@ -18,6 +18,8 @@ Patch7: libtiff-subsampling.patch
Patch8: libtiff-unknown-fix.patch
Patch9: libtiff-checkbytecount.patch
Patch10: libtiff-tiffdump.patch
+Patch11: libtiff-CVE-2011-0192.patch
+Patch12: libtiff-gif2tiff-overrun.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel libjpeg-devel
@@ -80,6 +82,8 @@ image files using the libtiff library.
%patch8 -p1
%patch9 -p1
%patch10 -p1
+%patch11 -p1
+%patch12 -p1
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@@ -191,6 +195,12 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/*
%changelog
+* Wed Mar 2 2011 Tom Lane <tgl at redhat.com> 3.9.4-3
+- Add patch for CVE-2011-0192
+Resolves: #681672
+- Fix non-security-critical potential SIGSEGV in gif2tiff
+Related: #648820
+
* Tue Jun 22 2010 Tom Lane <tgl at redhat.com> 3.9.4-1
- Update to libtiff 3.9.4, for numerous bug fixes including fixes for
CVE-2010-1411, CVE-2010-2065, CVE-2010-2067
More information about the scm-commits
mailing list