[PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.

Done. Submitted by Alex Vong.
Details
2 participants
  • Alex Vong
  • Leo Famulari
Owner: unassigned
Severity: important
Alex Vong wrote on 7 Jul 2017 00:31
(address . guix-patches@gnu.org)
87r2xti4dz.fsf@gmail.com
Severity: important
Tags: patch security
Hello,
This patch fixes the two latest CVEs of libtiff:
From 8dc3ff7b6b34b1d0ff7ab535883df20dbc5af2c8 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Fri, 7 Jul 2017 06:17:37 +0800
Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.

* gnu/packages/patches/libtiff-CVE-2017-9936.patch,
gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
* gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
* gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/local.mk                                      |  2 +
 gnu/packages/image.scm                            |  4 +-
 gnu/packages/patches/libtiff-CVE-2017-10688.patch | 80 +++++++++++++++++++++++
 gnu/packages/patches/libtiff-CVE-2017-9936.patch  | 39 +++++++++++
 4 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-10688.patch
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9936.patch
Toggle diff (161 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 8dbce7c05..4ae395ef8 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -766,6 +766,8 @@ dist_patch_DATA = \ %D%/packages/patches/libtiff-CVE-2016-10093.patch \ %D%/packages/patches/libtiff-CVE-2016-10094.patch \ %D%/packages/patches/libtiff-CVE-2017-5225.patch \+ %D%/packages/patches/libtiff-CVE-2017-9936.patch \+ %D%/packages/patches/libtiff-CVE-2017-10688.patch \ %D%/packages/patches/libtiff-assertion-failure.patch \ %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \ %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \diff --git a/gnu/packages/image.scm b/gnu/packages/image.scmindex 8a03cbc3c..4450980bf 100644--- a/gnu/packages/image.scm+++ b/gnu/packages/image.scm@@ -391,7 +391,9 @@ collection of tools for doing simple manipulations of TIFF images.") (method url-fetch) (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-" version ".tar.gz"))- (patches (search-patches "libtiff-tiffgetfield-bugs.patch"))+ (patches (search-patches "libtiff-tiffgetfield-bugs.patch"+ "libtiff-CVE-2017-9936.patch"+ "libtiff-CVE-2017-10688.patch")) (sha256 (base32 "0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))))diff --git a/gnu/packages/patches/libtiff-CVE-2017-10688.patch b/gnu/packages/patches/libtiff-CVE-2017-10688.patchnew file mode 100644index 000000000..3b5d27fd7--- /dev/null+++ b/gnu/packages/patches/libtiff-CVE-2017-10688.patch@@ -0,0 +1,80 @@+Fix CVE-2017-10688:++http://bugzilla.maptools.org/show_bug.cgi?id=2712+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688+https://security-tracker.debian.org/tracker/CVE-2017-10688++Patch lifted from upstream source repository (the changes to 'ChangeLog'+don't apply to the libtiff 4.0.8 release tarball):++https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1++From 6173a57d39e04d68b139f8c1aa499a24dbe74ba1 Mon Sep 17 00:00:00 2001+From: Even Rouault <even.rouault@spatialys.com>+Date: Fri, 30 Jun 2017 17:29:44 
+0000+Subject: [PATCH] * libtiff/tif_dirwrite.c: in+ TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8+ data type, replace assertion that the file is BigTIFF, by a non-fatal error.+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team+ OWL337++---+ ChangeLog | 8 +++++++++ libtiff/tif_dirwrite.c | 20 ++++++++++++++++----+ 2 files changed, 24 insertions(+), 4 deletions(-)++diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c+index 2967da58..8d6686ba 100644+--- a/libtiff/tif_dirwrite.c++++ b/libtiff/tif_dirwrite.c+@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui+ {+ uint64 m;+ assert(sizeof(uint64)==8);+- assert(tif->tif_flags&TIFF_BIGTIFF);++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");++ return(0);++ }+ m=value;+ if (tif->tif_flags&TIFF_SWAB)+ TIFFSwabLong8(&m);+@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di+ {+ assert(count<0x20000000);+ assert(sizeof(uint64)==8);+- assert(tif->tif_flags&TIFF_BIGTIFF);++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");++ return(0);++ }+ if (tif->tif_flags&TIFF_SWAB)+ TIFFSwabArrayOfLong8(value,count);+ return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));+@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u+ {+ int64 m;+ assert(sizeof(int64)==8);+- assert(tif->tif_flags&TIFF_BIGTIFF);++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");++ return(0);++ }+ m=value;+ if (tif->tif_flags&TIFF_SWAB)+ TIFFSwabLong8((uint64*)(&m));+@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, 
uint32* ndir, TIFFDirEntry* d+ {+ assert(count<0x20000000);+ assert(sizeof(int64)==8);+- assert(tif->tif_flags&TIFF_BIGTIFF);++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");++ return(0);++ }+ if (tif->tif_flags&TIFF_SWAB)+ TIFFSwabArrayOfLong8((uint64*)value,count);+ return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));+-- +2.13.2+diff --git a/gnu/packages/patches/libtiff-CVE-2017-9936.patch b/gnu/packages/patches/libtiff-CVE-2017-9936.patchnew file mode 100644index 000000000..a3d51e0ef--- /dev/null+++ b/gnu/packages/patches/libtiff-CVE-2017-9936.patch@@ -0,0 +1,39 @@+Fix CVE-2017-9936:++http://bugzilla.maptools.org/show_bug.cgi?id=2706+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9936+https://security-tracker.debian.org/tracker/CVE-2017-9936++Patch lifted from upstream source repository (the changes to 'ChangeLog'+don't apply to the libtiff 4.0.8 release tarball):++https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a++From fe8d7165956b88df4837034a9161dc5fd20cf67a Mon Sep 17 00:00:00 2001+From: Even Rouault <even.rouault@spatialys.com>+Date: Mon, 26 Jun 2017 15:19:59 +0000+Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of+ JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported+ by team OWL337++* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg+---+ ChangeLog | 8 +++++++-+ libtiff/tif_jbig.c | 1 ++ 2 files changed, 8 insertions(+), 1 deletion(-)++diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c+index 5f5f75e2..c75f31d9 100644+--- a/libtiff/tif_jbig.c++++ b/libtiff/tif_jbig.c+@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)+ jbg_strerror(decodeStatus)+ #endif+ );++ jbg_dec_free(&decoder);+ return 0;+ }+ +-- +2.13.2+-- 2.13.2
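Review bot: In gnu/packages/patches/libtiff-CVE-2017-10688.patch, the provenance header says the fix was "lifted from upstream source repository", but the URL it cites is https://github.com/vadz/libtiff, which is not libtiff's own repository; point the header at the upstream changeset (the bug report http://bugzilla.maptools.org/show_bug.cgi?id=2712 is already linked) so the origin of the code can be verified, and drop the "ChangeLog | 8 +++++++++" diffstat line since no ChangeLog hunk is carried. On the code itself, all four replacement blocks pass the same module name "TIFFWriteDirectoryTagCheckedLong8" to TIFFErrorExt, including the two in TIFFWriteDirectoryTagCheckedSlong8() and TIFFWriteDirectoryTagCheckedSlong8Array(), so an error from the SLONG8 paths is reported under the LONG8 writer's name; this is carried over verbatim from the upstream commit, but anyone grepping logs for the "SLONG8 not allowed for ClassicTIFF" message should expect the mismatched module string. The substance of the change is sound: writing a LONG8/SLONG8 tag into a ClassicTIFF file now returns 0 with a library error instead of tripping an assert(), so a caller handling attacker-influenced tag data gets a recoverable failure rather than an abort.

Review bot: In gnu/packages/patches/libtiff-CVE-2017-9936.patch, the embedded commit header carries a second, truncated item ("* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg") for which there is no hunk, since only libtiff/tif_jbig.c is patched; trim that line from the description, as was done for the ChangeLog changes, so the Guix patch describes only what it applies. The one-line fix is correct as far as the context shows: in the error path of JBIGDecode() the decoder state is now released with jbg_dec_free(&decoder) before return 0, so a strip that fails to decode no longer leaks the JBIG decoder on every failure.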
Cheers,
Alex
Leo Famulari wrote on 7 Jul 2017 01:40
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27603@debbugs.gnu.org)
20170706234038.GB1280@jasmine.lan
On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
> * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
> gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
> * gnu/local.mk (dist_patch_DATA): Add them.
> +Patch lifted from upstream source repository (the changes to 'ChangeLog'
> +don't apply to the libtiff 4.0.8 release tarball):
> +
> +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
This is actually not the upstream source repository. It's a 3rd party unofficial mirror.
To the chagrin of young packagers everywhere, libtiff is still using CVS. Unless somebody beats me to it, I'll extract the patches from their CVS repo later tonight.
Leo Famulari wrote on 7 Jul 2017 06:07
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27603-done@debbugs.gnu.org)
20170707040726.GA2920@jasmine.lan
On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:
> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
> > gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> >
> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
> > +don't apply to the libtiff 4.0.8 release tarball):
> > +
> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
>
> This is actually not the upstream source repository. It's a 3rd party
> unofficial mirror.
>
> To the chagrin of young packagers everywhere, libtiff is still using
> CVS. Unless somebody beats me to it, I'll extract the patches from their
> CVS repo later tonight.
I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818. Thanks for getting it started, Alex!

Closed
Alex Vong wrote on 7 Jul 2017 15:20
(name . Leo Famulari)(address . leo@famulari.name)(address . 27603-done@debbugs.gnu.org)
87tw2o1j08.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:
> On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:
>> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
>> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
>> > gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
>> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
>> > * gnu/local.mk (dist_patch_DATA): Add them.
>> >
>> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
>> > +don't apply to the libtiff 4.0.8 release tarball):
>> > +
>> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
>>
>> This is actually not the upstream source repository. It's a 3rd party
>> unofficial mirror.
>>
Ahhh, I blindly used the links from the Debian security tracker. Should have been more careful. I wonder why they use links from an unofficial mirror.
>> To the chagrin of young packagers everywhere, libtiff is still using
>> CVS. Unless somebody beats me to it, I'll extract the patches from their
>> CVS repo later tonight.
>
:)
> I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818. Thanks for
> getting it started Alex!
You're welcome!
Leo Famulari wrote on 7 Jul 2017 18:30
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27603-done@debbugs.gnu.org)
20170707163047.GA18417@jasmine.lan
On Fri, Jul 07, 2017 at 09:20:07PM +0800, Alex Vong wrote:
> Ahhh, I blindly used the links from the Debian security tracker. Should have
> been more careful. I wonder why they use links from an unofficial mirror.
I noticed they were doing that, and I don't understand why. It *is* convenient to have a relatively stable changeset ID in the form of Git commit hashes.
I asked about it on oss-security and the repo was confirmed to be unofficial:
http://seclists.org/oss-sec/2017/q1/15
It has been acknowledged by the libtiff maintainer:
http://maptools-org.996276.n3.nabble.com/git-version-control-td13746.html
This issue is archived.