[pkgsrc/trunk]: pkgsrc/graphics/tiff tiff: apply fix for CVE-2018-18557

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/trunk]: pkgsrc/graphics/tiff tiff: apply fix for CVE-2018-18557
From: maya <maya%pkgsrc.org@localhost>
Date: Fri, 26 Oct 2018 00:26:24 +0000

details:   https://anonhg.NetBSD.org/pkgsrc/rev/6dbcc405d297
branches:  trunk
changeset: 314353:6dbcc405d297
user:      maya <maya%pkgsrc.org@localhost>
date:      Thu Oct 25 22:58:05 2018 +0000

description:
tiff: apply fix for CVE-2018-18557

>From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault%spatialys.com@localhost>
Date: Sun, 14 Oct 2018 16:38:29 +0200
Subject: [PATCH 1/1] JBIG: fix potential out-of-bounds write in JBIGDecode()

JBIGDecode doesn't check if the user provided buffer is large enough
to store the JBIG decoded image, which can potentially cause out-of-bounds
write in the buffer.
This issue was reported and analyzed by Thomas Dullien.

Also fixes a (harmless) potential use of uninitialized memory when
tif->tif_rawsize > tif->tif_rawcc

And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
that whole strip data is provided to JBIGDecode()

The last part (CHUNKY_STRIP_READ_SUPPORT) was adapted by myself to fit
the libtiff release.

Bump PKGREVISION.

diffstat:

 graphics/tiff/Makefile                          |   4 +-
 graphics/tiff/distinfo                          |   4 +-
 graphics/tiff/patches/patch-libtiff_tif__jbig.c |  77 +++++++++++++++++++++++++
 graphics/tiff/patches/patch-libtiff_tif__read.c |  23 +++++++
 4 files changed, 105 insertions(+), 3 deletions(-)

diffs (137 lines):

diff -r fb3b0bf21791 -r 6dbcc405d297 graphics/tiff/Makefile
--- a/graphics/tiff/Makefile    Thu Oct 25 22:41:24 2018 +0000
+++ b/graphics/tiff/Makefile    Thu Oct 25 22:58:05 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.141 2018/06/21 23:11:04 tez Exp $
+# $NetBSD: Makefile,v 1.142 2018/10/25 22:58:05 maya Exp $
 
 DISTNAME=      tiff-4.0.9
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    graphics
 MASTER_SITES=  ftp://download.osgeo.org/libtiff/
 
diff -r fb3b0bf21791 -r 6dbcc405d297 graphics/tiff/distinfo
--- a/graphics/tiff/distinfo    Thu Oct 25 22:41:24 2018 +0000
+++ b/graphics/tiff/distinfo    Thu Oct 25 22:58:05 2018 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.90 2018/06/21 23:11:04 tez Exp $
+$NetBSD: distinfo,v 1.91 2018/10/25 22:58:05 maya Exp $
 
 SHA1 (tiff-4.0.9.tar.gz) = 87d4543579176cc568668617c22baceccd568296
 RMD160 (tiff-4.0.9.tar.gz) = ab5b3b7297e79344775b1e70c4d54c90c06836a3
@@ -7,4 +7,6 @@
 SHA1 (patch-CVE-2017-9935) = d33f3311e5bb96bf415f894237ab4dfcfafd2610
 SHA1 (patch-CVE-2018-8905) = 3a7081957ff2f4d6e777df5a9609ba89eecd8fbc
 SHA1 (patch-configure) = a0032133f06b6ac92bbf52349fabe83f74ea14a6
+SHA1 (patch-libtiff_tif__jbig.c) = feb404c5c70c0f4f10fa53351fab4db163bbccf3
+SHA1 (patch-libtiff_tif__read.c) = a69f7a462e0dfe6b01240816ed546d7e381044e8
 SHA1 (patch-tools_pal2rgb.c) = f91652e8013940c162add870ceb9845e2730bc2c
diff -r fb3b0bf21791 -r 6dbcc405d297 graphics/tiff/patches/patch-libtiff_tif__jbig.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif__jbig.c   Thu Oct 25 22:58:05 2018 +0000
@@ -0,0 +1,77 @@
+$NetBSD: patch-libtiff_tif__jbig.c,v 1.1 2018/10/25 22:58:05 maya Exp $
+
+From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 (CVE-2018-18557)
+
+JBIGDecode doesn't check if the user provided buffer is large enough
+to store the JBIG decoded image, which can potentially cause out-of-bounds
+write in the buffer.
+This issue was reported and analyzed by Thomas Dullien.
+
+Also fixes a (harmless) potential use of uninitialized memory when
+tif->tif_rawsize > tif->tif_rawcc
+
+--- libtiff/tif_jbig.c.orig    2017-06-30 13:27:54.399206925 +0000
++++ libtiff/tif_jbig.c
+@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* 
+       struct jbg_dec_state decoder;
+       int decodeStatus = 0;
+       unsigned char* pImage = NULL;
+-      (void) size, (void) s;
++      unsigned long decodedSize;
++      (void) s;
+ 
+       if (isFillOrder(tif, tif->tif_dir.td_fillorder))
+       {
+-              TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
++              TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
+       }
+ 
+       jbg_dec_init(&decoder);
+ 
+ #if defined(HAVE_JBG_NEWLEN)
+-      jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
++      jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
+       /*
+        * I do not check the return status of jbg_newlen because even if this
+        * function fails it does not necessarily mean that decoding the image
+@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* 
+        */
+ #endif /* HAVE_JBG_NEWLEN */
+ 
+-      decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
+-                                (size_t)tif->tif_rawdatasize, NULL);
++      decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
++                                (size_t)tif->tif_rawcc, NULL);
+       if (JBG_EOK != decodeStatus)
+       {
+               /*
+@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* 
+               return 0;
+       }
+ 
++      decodedSize = jbg_dec_getsize(&decoder);
++      if( (tmsize_t)decodedSize < size )
++      {
++          TIFFWarningExt(tif->tif_clientdata, "JBIG",
++                         "Only decoded %lu bytes, whereas %lu requested",
++                         decodedSize, (unsigned long)size);
++      }
++      else if( (tmsize_t)decodedSize > size )
++      {
++          TIFFErrorExt(tif->tif_clientdata, "JBIG",
++                       "Decoded %lu bytes, whereas %lu were requested",
++                       decodedSize, (unsigned long)size);
++          jbg_dec_free(&decoder);
++          return 0;
++      }
+       pImage = jbg_dec_getimage(&decoder, 0);
+-      _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
++      _TIFFmemcpy(buffer, pImage, decodedSize);
+       jbg_dec_free(&decoder);
++
++        tif->tif_rawcp += tif->tif_rawcc;
++        tif->tif_rawcc = 0;
++
+       return 1;
+ }
+ 
diff -r fb3b0bf21791 -r 6dbcc405d297 graphics/tiff/patches/patch-libtiff_tif__read.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/tiff/patches/patch-libtiff_tif__read.c   Thu Oct 25 22:58:05 2018 +0000
@@ -0,0 +1,23 @@
+$NetBSD: patch-libtiff_tif__read.c,v 1.1 2018/10/25 22:58:05 maya Exp $
+
+And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
+that whole strip data is provided to JBIGDecode()
+
+Part of commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66 which fixes
+CVE-2018-18557
+
+--- libtiff/tif_read.c.orig    2017-11-18 14:42:21.664534434 +0000
++++ libtiff/tif_read.c
+@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 s
+             return 0;
+         whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
+                 || isMapped(tif);
++        if( td->td_compression == COMPRESSION_JBIG )
++        {
++            /* Ideally plugins should have a way to declare they don't support
++             * chunk strip */
++            whole_strip = 1;
++        }
+ #else
+         whole_strip = 1;
+ #endif

Prev by Date: [pkgsrc/trunk]: pkgsrc/doc doc: Updated graphics/tiff to 4.0.9nb3
Next by Date: [pkgsrc/trunk]: pkgsrc/doc doc: Updated lang/clang to 6.0.1nb1
Previous by Thread: [pkgsrc/trunk]: pkgsrc/doc doc: Updated graphics/tiff to 4.0.9nb3
Next by Thread: [pkgsrc/trunk]: pkgsrc/doc doc: Updated lang/clang to 6.0.1nb1
Indexes:

Home | Main Index | Thread Index | Old Index