From: "Aaron Bauman" <bman@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/, media-libs/tiff/files/
Date: Mon,  5 Aug 2019 00:12:13 +0000 (UTC)	[thread overview]
Message-ID: <1564963920.1408d12740a4cd2a6d71fe5f52386d9d77128645.bman@gentoo> (raw)

commit:     1408d12740a4cd2a6d71fe5f52386d9d77128645
Author:     Aaron Bauman <bman <AT> gentoo <DOT> org>
AuthorDate: Mon Aug  5 00:03:19 2019 +0000
Commit:     Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Mon Aug  5 00:12:00 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1408d127

media-libs/tiff: revbump to address open security bugs

* This commit addresses 3 outstanding security issues reported by the
individuals listed below.

* This commit involved cherry-picking the patches and adding a revbump, as
the original PRs renamed the original ebuild and kept stable keywords.

Bug: https://bugs.gentoo.org/639700
Bug: https://bugs.gentoo.org/690732

Closes: https://github.com/gentoo/gentoo/pull/12543
Closes: https://github.com/gentoo/gentoo/pull/11743

Reported-by: Benjamin Gordon <bmgordon <AT> chromium.org>
Reported-by: Allen Webb <allenwebb <AT> google.com>
Signed-off-by: Aaron Bauman <bman <AT> gentoo.org>

 ...-2018-17000-tif_dirwrite-null-dereference.patch | 33 +++++++++
 .../tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch   | 48 ++++++++++++
 ....0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch | 73 ++++++++++++++++++
 media-libs/tiff/tiff-4.0.10-r1.ebuild              | 86 ++++++++++++++++++++++
 4 files changed, 240 insertions(+)

diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
new file mode 100644
index 00000000000..321c6a428af
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
@@ -0,0 +1,33 @@
+https://crbug.com/901306
+
+commit 802d3cbf3043be5dce5317e140ccb1c17a6a2d39
+Author: Thomas Bernard <miniupnp@free.fr>
+Date:   Tue Jan 29 11:21:47 2019 +0100
+
+    TIFFWriteDirectoryTagTransferfunction() : fix NULL dereferencing
+
+    http://bugzilla.maptools.org/show_bug.cgi?id=2833
+
+    we must check the pointer is not NULL before memcmp() the memory
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index c15a28dbd8fcb99b81fa5a1d44fcbcda881f42a7..ef30c869d30e210d90be16ce91f44087925fbad3 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
+ 		n=3;
+ 	if (n==3)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[2] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ 			n=2;
+ 	}
+ 	if (n==2)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[1] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ 			n=1;
+ 	}
+ 	if (n==0)
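Review bot: Both new guards test only the second operand of `_TIFFmemcmp`, so `tif->tif_dir.td_transferfunction[0]` is still passed unchecked in the `n==3` and `n==2` branches. Whether slot 0 can be NULL at this point depends on code outside the hunk, so it is worth confirming that it is always allocated when the tag is set. The intent of the `||` would also be clearer with a comment above each test, for example `/* a missing channel is treated like a duplicate of channel 0 */`. The body of TIFFWriteDirectoryTagTransferfunction starts and ends outside the hunk, including the computation of `m`.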

diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
new file mode 100644
index 00000000000..38d020fec24
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
@@ -0,0 +1,48 @@
+https://crbug.com/923647
+
+commit ae0bed1fe530a82faf2e9ea1775109dbf301a971
+Merge: 933784a1 0c74a9f4
+Author: Even Rouault <even.rouault@spatialys.com>
+Date:   Sat Feb 2 14:46:05 2019 +0000
+
+    Merge branch 'master' into 'master'
+
+    Fix for simple memory leak that was assigned CVE-2019-6128.
+
+    See merge request libtiff/libtiff!50
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01d8502ecf7a8a7f015e49ca9378a1a741cbc06b..9492f1cf1212177bf7e97d307757d0977c898e90 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ 	    shortv != PHOTOMETRIC_PALETTE) {
+ 		fprintf(stderr, "%s: Expecting a palette image.\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ 		fprintf(stderr,
+ 		    "%s: No colormap (not a valid palette image).\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ 	if (bitspersample != 8) {
+ 		fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	out = TIFFOpen(argv[optind+1], "w");
+-	if (out == NULL)
++	if (out == NULL) {
++		(void) TIFFClose(in);
+ 		return (-2);
++	}
+ 	cpTags(in, out);
+ 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
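Review bot: The four early returns in `main` each repeat `(void) TIFFClose(in);`, so the next error path added to this function can reintroduce the leak this patch fixes. Keeping the cleanup in one place avoids that: each branch sets a status and jumps, `rc = -1; goto done;`, and a single exit does `done: (void) TIFFClose(in); return (rc);`. The exits after `cpTags(in, out)` are outside the hunk and should be checked for the same handling of both `in` and `out`.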

diff --git a/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
new file mode 100644
index 00000000000..a68ba2f4bbd
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
@@ -0,0 +1,73 @@
+From 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 10:05:33 +0100
+Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
+
+fixes bug 2833
+---
+ tools/tiffcp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 2f406e2d7..f0ee2c029 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 	int status = 1;
+ 	uint32 imagew = TIFFRasterScanlineSize(in);
+ 	uint32 tilew = TIFFTileRowSize(in);
+-	int iskew  = imagew - tilew*spp;
++	int iskew;
+ 	tsize_t tilesize = TIFFTileSize(in);
+ 	tdata_t tilebuf;
+ 	uint8* bufp = (uint8*) buf;
+@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 	uint32 row;
+ 	uint16 bps = 0, bytes_per_sample;
+ 
++	if (spp > (0x7fffffff / tilew))
++	{
++		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++		return 0;
++	}
++	iskew = imagew - tilew*spp;
+ 	tilebuf = _TIFFmalloc(tilesize);
+ 	if (tilebuf == 0)
+ 		return 0;
+-- 
+2.21.0
+
+
+From 7cc76e9bc40bc8eb329a718ab26ecef7dd1afd94 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 21:42:03 +0100
+Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
+
+---
+ tools/tiffcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index f0ee2c029..8c81aa4f2 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -41,6 +41,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ #include <ctype.h>
+ 
+@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 	uint32 row;
+ 	uint16 bps = 0, bytes_per_sample;
+ 
+-	if (spp > (0x7fffffff / tilew))
++	if (spp > (INT_MAX / tilew))
+ 	{
+ 		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ 		return 0;
+-- 
+2.21.0
+
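Review bot: The overflow guard `if (spp > (INT_MAX / tilew))`, in both its [PATCH 1/2] form and its final [PATCH 2/2] form, divides by `tilew` before anything has checked it for zero. `tilew` is taken directly from `TIFFTileRowSize(in)` a few lines above, so if that call can return 0 for a malformed tile description (worth confirming against the library), the new check itself becomes a division by zero in `readSeparateTilesIntoBuffer`. Rejecting that case first closes it: `if (tilew == 0 || spp > (INT_MAX / tilew))`. The function body continues outside the hunk.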

diff --git a/media-libs/tiff/tiff-4.0.10-r1.ebuild b/media-libs/tiff/tiff-4.0.10-r1.ebuild
new file mode 100644
index 00000000000..638c7c39917
--- /dev/null
+++ b/media-libs/tiff/tiff-4.0.10-r1.ebuild
@@ -0,0 +1,86 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools libtool multilib-minimal
+
+DESCRIPTION="Tag Image File Format (TIFF) library"
+HOMEPAGE="http://libtiff.maptools.org"
+SRC_URI="https://download.osgeo.org/libtiff/${P}.tar.gz"
+
+LICENSE="libtiff"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+cxx jbig jpeg lzma static-libs test webp zlib zstd"
+
+RDEPEND="
+	jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] )
+	jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] )
+	lzma? ( >=app-arch/xz-utils-5.0.5-r1[${MULTILIB_USEDEP}] )
+	webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+	zstd? ( >=app-arch/zstd-1.3.7-r1:=[${MULTILIB_USEDEP}] )
+"
+DEPEND="${RDEPEND}"
+
+REQUIRED_USE="test? ( jpeg )" #483132
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-4.0.7-pdfium-0006-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
+	"${FILESDIR}"/${PN}-4.0.7-pdfium-0008-HeapBufferOverflow-ChopUpSingleUncompressedStrip.patch
+	"${FILESDIR}"/${PN}-4.0.10-CVE-2018-17000-tif_dirwrite-null-dereference.patch
+	"${FILESDIR}"/${PN}-4.0.10-CVE-2019-6128-pal2rgb-leak.patch
+	"${FILESDIR}"/${PN}-4.0.10-CVE-2019-7663-tiffcpIntegerOverflow.patch
+)
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/tiffconf.h
+)
+
+src_prepare() {
+	default
+
+	# tiffcp-thumbnail.sh fails as thumbnail binary doesn't get built anymore since tiff-4.0.7
+	sed '/tiffcp-thumbnail\.sh/d' -i test/Makefile.am || die
+
+	eautoreconf
+}
+
+multilib_src_configure() {
+	local myeconfargs=(
+		--without-x
+		--with-docdir="${EPREFIX}"/usr/share/doc/${PF}
+		$(use_enable cxx)
+		$(use_enable jbig)
+		$(use_enable jpeg)
+		$(use_enable lzma)
+		$(use_enable static-libs static)
+		$(use_enable webp)
+		$(use_enable zlib)
+		$(use_enable zstd)
+	)
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+
+	# remove useless subdirs
+	if ! multilib_is_native_abi ; then
+		sed -i \
+			-e 's/ tools//' \
+			-e 's/ contrib//' \
+			-e 's/ man//' \
+			-e 's/ html//' \
+			Makefile || die
+	fi
+}
+
+multilib_src_test() {
+	if ! multilib_is_native_abi ; then
+		emake -C tools
+	fi
+	emake check
+}
+
+multilib_src_install_all() {
+	find "${ED}" -name '*.la' -delete || die
+	rm "${ED}"/usr/share/doc/${PF}/{COPYRIGHT,README*,RELEASE-DATE,TODO,VERSION} || die
+}

