main/tiff: security fixes

CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269 CVE-2016-10270
author: Daniel Sabogal <dsabogalcc@gmail.com> 2017-05-01 00:07:25 -0400
committer: Leonardo Arena <rnalrd@alpinelinux.org> 2017-05-03 10:02:58 +0000
commit: fa18ed2287bf127951d71bdf233db44b1e923739 (patch)
tree: b74dde74b2d7b2f8a20b693a8743e0e6abc19f0f /main
parent: 5b598aecd1e0174b9debbf49c0eea825b7a50c98 (diff)
download: aports-fa18ed2287bf127951d71bdf233db44b1e923739.tar.bz2
aports-fa18ed2287bf127951d71bdf233db44b1e923739.tar.xz
6 files changed, 364 insertions, 1 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index fb15b96291..6f83689b14 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Michael Mason <ms13sp@gmail.com>
 pkgname=tiff
 pkgver=4.0.7
-pkgrel=2
+pkgrel=3
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
@@ -13,6 +13,11 @@ depends_dev="zlib-dev libjpeg-turbo-dev"
 makedepends="libtool autoconf automake $depends_dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
 source="http://download.osgeo.org/libtiff/tiff-${pkgver}.tar.gz
+	CVE-2016-10266.patch
+	CVE-2016-10267.patch
+	CVE-2016-10268.patch
+	CVE-2016-10269.patch
+	CVE-2016-10270.patch
 	CVE-2017-5225.patch
 	CVE-2017-7592.patch
 	CVE-2017-7593.patch
@@ -27,6 +32,12 @@ source="http://download.osgeo.org/libtiff/tiff-${pkgver}.tar.gz
 	"
 
 # secfixes:
+#   4.0.7-r3
+#     - CVE-2016-10266
+#     - CVE-2016-10267
+#     - CVE-2016-10268
+#     - CVE-2016-10269
+#     - CVE-2016-10270
 #   4.0.7-r2:
 #     -	CVE-2017-7592
 #     -	CVE-2017-7593
@@ -79,6 +90,11 @@ tools() {
 }
 
 sha512sums="941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc  tiff-4.0.7.tar.gz
+5f7a86b6dc1c9bcf707a1fc9fc4b79cc0cfa457582d13f89cc5db1d59193db468ecc8fe976fe688ae7bb6cb451759420cd0a00d957b7c614dbe8fc762adc9734  CVE-2016-10266.patch
+fccbf981daedff8e4f3b610dc86823cdb0b2f1e08be345b775bd5c7ba89ef681b3cd4e04a97832753081e9df07db0a68a0a0a38cb4f538f260c475565c204f8b  CVE-2016-10267.patch
+57cd4f9aadaedac5f43d8085729ca5871a40c5bfc88fe01ec9db94162067fb9290ead0d5fba0fef1f6efc04fe2ec18a21703a314c0732be86ddfcca5275803c1  CVE-2016-10268.patch
+3a807132bf751b9e3c0e5a014b6cd9c9b98f79581b2d70167af3e29797a204fe2977349052042757f9bc634faa1afbec01462a947c739fb1ee9b7249341e4879  CVE-2016-10269.patch
+1db4890259028c1c29c15137e743e376e1044475b1a3bbdeb946a1b54708a85422217228aed5f5c8ddf2cf156ec75264b430d1d3aa3539b805809d69522f84b5  CVE-2016-10270.patch
 001a2df978f51025771c243edee2d033c91114bdd5318a05730b910add9c70f219a848faad899f27421ca18da6ce9972013aa3ecf689cf4ea37ac5409b4b6244  CVE-2017-5225.patch
 c2401f41ce4725b94159da25290270fe4029bacd934aec4d85b4468b4ee8b37fffd4f07eb12ed654863c3ad97474cd4c196db0a3a0ccf6497fc4d8e6d46a5961  CVE-2017-7592.patch
 487de0b6a4cf7f09bf23b8217ec8dbac3640f7e47cd86e885f331bc41e385146fd73c6e079768952adb6fa12148b9e52a177bf67affdfe8bdf3d8205302a3f0c  CVE-2017-7593.patch
diff --git a/main/tiff/CVE-2016-10266.patch b/main/tiff/CVE-2016-10266.patch
new file mode 100644
index 0000000000..554f5ea8c1
--- /dev/null
+++ b/main/tiff/CVE-2016-10266.patch
@@ -0,0 +1,43 @@
+From 438274f938e046d33cb0e1230b41da32ffe223e1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 2 Dec 2016 21:56:56 +0000
+Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow
+ in TIFFReadEncodedStrip() that caused an integer division by zero. Reported
+ by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+---
+ libtiff/tif_read.c | 2 +-
+ libtiff/tiffiop.h  | 4 ++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index c26c55f4..52bbf507 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+ 	rowsperstrip=td->td_rowsperstrip;
+ 	if (rowsperstrip>td->td_imagelength)
+ 		rowsperstrip=td->td_imagelength;
+-	stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
++	stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
+ 	stripinplane=(strip%stripsperplane);
+ 	plane=(uint16)(strip/stripsperplane);
+ 	rows=td->td_imagelength-stripinplane*rowsperstrip;
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index ffbb647b..cb59460a 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -250,6 +250,10 @@ struct tiff {
+ #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+ 			   ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+ 			   0U)
++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
++#define TIFFhowmany_32_maxuint_compat(x, y) \
++			   (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
+ #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
+ #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
+ #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
+-- 
+2.11.0
+
diff --git a/main/tiff/CVE-2016-10267.patch b/main/tiff/CVE-2016-10267.patch
new file mode 100644
index 0000000000..bb4fee6a80
--- /dev/null
+++ b/main/tiff/CVE-2016-10267.patch
@@ -0,0 +1,50 @@
+From 43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 11:15:18 +0000
+Subject: [PATCH] * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case
+ of failure in OJPEGPreDecode(). This will avoid a divide by zero, and
+ potential other issues. Reported by Agostino Sarubbo. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+---
+ libtiff/tif_ojpeg.c | 8 ++++++++
+ 1 files changed, 15 insertions(+)
+
+diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
+index 1ccc3f9b..f19e8fd0 100644
+--- a/libtiff/tif_ojpeg.c
++++ b/libtiff/tif_ojpeg.c
+@@ -244,6 +244,7 @@ typedef enum {
+ 
+ typedef struct {
+ 	TIFF* tif;
++        int decoder_ok;
+ 	#ifndef LIBJPEG_ENCAP_EXTERNAL
+ 	JMP_BUF exit_jmpbuf;
+ 	#endif
+@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s)
+ 		}
+ 		sp->write_curstrile++;
+ 	}
++	sp->decoder_ok = 1;
+ 	return(1);
+ }
+ 
+@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif)
+ static int
+ OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
+ {
++        static const char module[]="OJPEGDecode";
+ 	OJPEGState* sp=(OJPEGState*)tif->tif_data;
+ 	(void)s;
++        if( !sp->decoder_ok )
++        {
++            TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
++            return 0;
++        }
+ 	if (sp->libjpeg_jpeg_query_style==0)
+ 	{
+ 		if (OJPEGDecodeRaw(tif,buf,cc)==0)
+-- 
+2.11.0
+
diff --git a/main/tiff/CVE-2016-10268.patch b/main/tiff/CVE-2016-10268.patch
new file mode 100644
index 0000000000..ce5f9be7a2
--- /dev/null
+++ b/main/tiff/CVE-2016-10268.patch
@@ -0,0 +1,43 @@
+From 5397a417e61258c69209904e652a1f409ec3b9df Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 2 Dec 2016 22:13:32 +0000
+Subject: [PATCH] * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips
+ that can cause various issues, such as buffer overflows in the library.
+ Reported by Agostino Sarubbo. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+---
+ ChangeLog      | 7 +++++++
+ tools/tiffcp.c | 2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 668b66a..0f154d6 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,5 +1,12 @@
+ 2016-12-02 Even Rouault <even.rouault at spatialys.com>
+ 
++	* tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that 
++	can cause various issues, such as buffer overflows in the library.
++	Reported by Agostino Sarubbo.
++	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
++
++2016-12-02 Even Rouault <even.rouault at spatialys.com>
++
+ 	* libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
+ 	TIFFReadEncodedStrip() that caused an integer division by zero.
+ 	Reported by Agostino Sarubbo.
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index a99c906..f294ed1 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips)
+ 		tstrip_t s, ns = TIFFNumberOfStrips(in);
+ 		uint32 row = 0;
+ 		_TIFFmemset(buf, 0, stripsize);
+-		for (s = 0; s < ns; s++) {
++		for (s = 0; s < ns && row < imagelength; s++) {
+ 			tsize_t cc = (row + rowsperstrip > imagelength) ?
+ 			    TIFFVStripSize(in, imagelength - row) : stripsize;
+ 			if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
diff --git a/main/tiff/CVE-2016-10269.patch b/main/tiff/CVE-2016-10269.patch
new file mode 100644
index 0000000000..e672032360
--- /dev/null
+++ b/main/tiff/CVE-2016-10269.patch
@@ -0,0 +1,107 @@
+From 1044b43637fa7f70fb19b93593777b78bd20da86 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Fri, 2 Dec 2016 23:05:51 +0000
+Subject: [PATCH] * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based
+ buffer overflow on generation of PixarLog / LUV compressed files, with
+ ColorMap, TransferFunction attached and nasty plays with bitspersample. The
+ fix for LUV has not been tested, but suffers from the same kind of issue of
+ PixarLog. Reported by Agostino Sarubbo. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+---
+ libtiff/tif_luv.c      | 18 ++++++++++++++----
+ libtiff/tif_pixarlog.c | 17 +++++++++++++++--
+ 2 files changed, 39 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index f68a9b13..e6783db5 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+ 
+ struct logLuvState {
++        int                     encoder_state;  /* 1 if encoder correctly initialized */
+ 	int                     user_datafmt;   /* user data format */
+ 	int                     encode_meth;    /* encoding method */
+ 	int                     pixel_size;     /* bytes per pixel */
+@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
+ 		    td->td_photometric, "must be either LogLUV or LogL");
+ 		break;
+ 	}
++	sp->encoder_state = 1;
+ 	return (1);
+ notsupported:
+ 	TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@ notsupported:
+ static void
+ LogLuvClose(TIFF* tif)
+ {
++        LogLuvState* sp = (LogLuvState*) tif->tif_data;
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 
++	assert(sp != 0);
+ 	/*
+ 	 * For consistency, we always want to write out the same
+ 	 * bitspersample and sampleformat for our TIFF file,
+ 	 * regardless of the data format being used by the application.
+ 	 * Since this routine is called after tags have been set but
+ 	 * before they have been recorded in the file, we reset them here.
++         * Note: this is really a nasty approach. See PixarLogClose
+ 	 */
+-	td->td_samplesperpixel =
+-	    (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+-	td->td_bitspersample = 16;
+-	td->td_sampleformat = SAMPLEFORMAT_INT;
++        if( sp->encoder_state )
++        {
++            /* See PixarLogClose. Might avoid issues with tags whose size depends
++             * on those below, but not completely sure this is enough. */
++            td->td_samplesperpixel =
++                (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
++            td->td_bitspersample = 16;
++            td->td_sampleformat = SAMPLEFORMAT_INT;
++        }
+ }
+ 
+ static void
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index d1246c3d..aa99bc92 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
+ static void
+ PixarLogClose(TIFF* tif)
+ {
++        PixarLogState* sp = (PixarLogState*) tif->tif_data;
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 
++	assert(sp != 0);
+ 	/* In a really sneaky (and really incorrect, and untruthful, and
+ 	 * troublesome, and error-prone) maneuver that completely goes against
+ 	 * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
+ 	 * readers that don't know about PixarLog, or how to set
+ 	 * the PIXARLOGDATFMT pseudo-tag.
+ 	 */
+-	td->td_bitspersample = 8;
+-	td->td_sampleformat = SAMPLEFORMAT_UINT;
++
++        if (sp->state&PLSTATE_INIT) {
++            /* We test the state to avoid an issue such as in
++             * http://bugzilla.maptools.org/show_bug.cgi?id=2604
++             * What appends in that case is that the bitspersample is 1 and
++             * a TransferFunction is set. The size of the TransferFunction
++             * depends on 1<<bitspersample. So if we increase it, an access
++             * out of the buffer will happen at directory flushing.
++             * Another option would be to clear those targs. 
++             */
++            td->td_bitspersample = 8;
++            td->td_sampleformat = SAMPLEFORMAT_UINT;
++        }
+ }
+ 
+ static void
+-- 
+2.11.0
+
diff --git a/main/tiff/CVE-2016-10270.patch b/main/tiff/CVE-2016-10270.patch
new file mode 100644
index 0000000000..4c419decca
--- /dev/null
+++ b/main/tiff/CVE-2016-10270.patch
@@ -0,0 +1,104 @@
+From 9a72a69e035ee70ff5c41541c8c61cd97990d018 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 3 Dec 2016 11:02:15 +0000
+Subject: [PATCH] * libtiff/tif_dirread.c: modify
+ ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
+ TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
+ the total size of data. Which is faulty is the total size of data is not
+ sufficient to fill the whole image, and thus results in reading outside of
+ the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
+ by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
+the above change is a better fix that makes it unnecessary.
+
+---
+ libtiff/tif_dirread.c | 22 ++++++++++------------
+ libtiff/tif_strip.c   |  9 ---------
+ 2 files changed, 25 insertions(+), 21 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 3eec79c9..570d0c32 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ 	uint64 rowblockbytes;
+ 	uint64 stripbytes;
+ 	uint32 strip;
+-	uint64 nstrips64;
+-	uint32 nstrips32;
++	uint32 nstrips;
+ 	uint32 rowsperstrip;
+ 	uint64* newcounts;
+ 	uint64* newoffsets;
+@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ 	    return;
+ 
+ 	/*
+-	 * never increase the number of strips in an image
++	 * never increase the number of rows per strip
+ 	 */
+ 	if (rowsperstrip >= td->td_rowsperstrip)
+ 		return;
+-	nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+-	if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
+-	    return;
+-	nstrips32 = (uint32)nstrips64;
++        nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
++        if( nstrips == 0 )
++            return;
+ 
+-	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripByteCounts\" array");
+-	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripOffsets\" array");
+ 	if (newcounts == NULL || newoffsets == NULL) {
+ 		/*
+@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+ 	 * Fill the strip information arrays with new bytecounts and offsets
+ 	 * that reflect the broken-up format.
+ 	 */
+-	for (strip = 0; strip < nstrips32; strip++) {
++	for (strip = 0; strip < nstrips; strip++) {
+ 		if (stripbytes > bytecount)
+ 			stripbytes = bytecount;
+ 		newcounts[strip] = stripbytes;
+-		newoffsets[strip] = offset;
++		newoffsets[strip] = stripbytes ? offset : 0;
+ 		offset += stripbytes;
+ 		bytecount -= stripbytes;
+ 	}
+ 	/*
+ 	 * Replace old single strip info with multi-strip info.
+ 	 */
+-	td->td_stripsperimage = td->td_nstrips = nstrips32;
++	td->td_stripsperimage = td->td_nstrips = nstrips;
+ 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+ 
+ 	_TIFFfree(td->td_stripbytecount);
+diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
+index 4c46ecf5..1676e47d 100644
+--- a/libtiff/tif_strip.c
++++ b/libtiff/tif_strip.c
+@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 	uint32 nstrips;
+ 
+-    /* If the value was already computed and store in td_nstrips, then return it,
+-       since ChopUpSingleUncompressedStrip might have altered and resized the
+-       since the td_stripbytecount and td_stripoffset arrays to the new value
+-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+-       tif_dirread.c ~line 3612.
+-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+-    if( td->td_nstrips )
+-        return td->td_nstrips;
+-
+ 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+-- 
+2.11.0
+
author	Daniel Sabogal <dsabogalcc@gmail.com>	2017-05-01 00:07:25 -0400
committer	Leonardo Arena <rnalrd@alpinelinux.org>	2017-05-03 10:02:58 +0000
commit	fa18ed2287bf127951d71bdf233db44b1e923739 (patch)
tree	b74dde74b2d7b2f8a20b693a8743e0e6abc19f0f /main
parent	5b598aecd1e0174b9debbf49c0eea825b7a50c98 (diff)
download	aports-fa18ed2287bf127951d71bdf233db44b1e923739.tar.bz2 aports-fa18ed2287bf127951d71bdf233db44b1e923739.tar.xz