Browse code
Fix CVE-2018-17100 CVE-2018-17101
Change-Id: I51538093f76d8ff7d2f3c1a3736e0aad30a641d5
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6265
Tested-by: michellew <michellew@vmware.com>
Reviewed-by: Sharath George
ashwin-h authored on 2018/12/03 04:41:48Showing 3 changed files
- SPECS/libtiff/libtiff-4.0.9-CVE-2018-17100.patch
- SPECS/libtiff/libtiff-4.0.9-CVE-2018-17101.patch
- SPECS/libtiff/libtiff.spec
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,33 @@ |
| 0 |
+commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e |
|
| 1 |
+Author: Young_X <YangX92@hotmail.com> |
|
| 2 |
+Date: Sat Sep 8 14:46:27 2018 +0800 |
|
| 3 |
+ |
|
| 4 |
+ avoid potential int32 overflows in multiply_ms() |
|
| 5 |
+ |
|
| 6 |
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c |
|
| 7 |
+index af6e412..c2d5925 100644 |
|
| 8 |
+--- a/tools/ppm2tiff.c |
|
| 9 |
+@@ -70,15 +70,16 @@ BadPPM(char* file) |
|
| 10 |
+ exit(-2); |
|
| 11 |
+ } |
|
| 12 |
+ |
|
| 13 |
++ |
|
| 14 |
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0)) |
|
| 15 |
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1) |
|
| 16 |
++ |
|
| 17 |
+ static tmsize_t |
|
| 18 |
+ multiply_ms(tmsize_t m1, tmsize_t m2) |
|
| 19 |
+ {
|
|
| 20 |
+- tmsize_t bytes = m1 * m2; |
|
| 21 |
+- |
|
| 22 |
+- if (m1 && bytes / m1 != m2) |
|
| 23 |
+- bytes = 0; |
|
| 24 |
+- |
|
| 25 |
+- return bytes; |
|
| 26 |
++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 ) |
|
| 27 |
++ return 0; |
|
| 28 |
++ return m1 * m2; |
|
| 29 |
+ } |
|
| 30 |
+ |
|
| 31 |
+ int |
| 0 | 32 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,64 @@ |
| 0 |
+commit f1b94e8a3ba49febdd3361c0214a1d1149251577 |
|
| 1 |
+Author: Young_X <YangX92@hotmail.com> |
|
| 2 |
+Date: Sat Sep 8 14:36:12 2018 +0800 |
|
| 3 |
+ |
|
| 4 |
+ only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 |
|
| 5 |
+ |
|
| 6 |
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c |
|
| 7 |
+index 01fcf94..01d8502 100644 |
|
| 8 |
+--- a/tools/pal2rgb.c |
|
| 9 |
+@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out) |
|
| 10 |
+ {
|
|
| 11 |
+ struct cpTag *p; |
|
| 12 |
+ for (p = tags; p < &tags[NTAGS]; p++) |
|
| 13 |
+- cpTag(in, out, p->tag, p->count, p->type); |
|
| 14 |
++ {
|
|
| 15 |
++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) |
|
| 16 |
++ {
|
|
| 17 |
++ uint16 compression; |
|
| 18 |
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || |
|
| 19 |
++ compression != COMPRESSION_CCITTFAX3 ) |
|
| 20 |
++ continue; |
|
| 21 |
++ } |
|
| 22 |
++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) |
|
| 23 |
++ {
|
|
| 24 |
++ uint16 compression; |
|
| 25 |
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || |
|
| 26 |
++ compression != COMPRESSION_CCITTFAX4 ) |
|
| 27 |
++ continue; |
|
| 28 |
++ } |
|
| 29 |
++ cpTag(in, out, p->tag, p->count, p->type); |
|
| 30 |
++ } |
|
| 31 |
+ } |
|
| 32 |
+ #undef NTAGS |
|
| 33 |
+ |
|
| 34 |
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c |
|
| 35 |
+index 05faba8..5bef314 100644 |
|
| 36 |
+--- a/tools/tiff2bw.c |
|
| 37 |
+@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out) |
|
| 38 |
+ {
|
|
| 39 |
+ struct cpTag *p; |
|
| 40 |
+ for (p = tags; p < &tags[NTAGS]; p++) |
|
| 41 |
+- cpTag(in, out, p->tag, p->count, p->type); |
|
| 42 |
++ {
|
|
| 43 |
++ if( p->tag == TIFFTAG_GROUP3OPTIONS ) |
|
| 44 |
++ {
|
|
| 45 |
++ uint16 compression; |
|
| 46 |
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || |
|
| 47 |
++ compression != COMPRESSION_CCITTFAX3 ) |
|
| 48 |
++ continue; |
|
| 49 |
++ } |
|
| 50 |
++ if( p->tag == TIFFTAG_GROUP4OPTIONS ) |
|
| 51 |
++ {
|
|
| 52 |
++ uint16 compression; |
|
| 53 |
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) || |
|
| 54 |
++ compression != COMPRESSION_CCITTFAX4 ) |
|
| 55 |
++ continue; |
|
| 56 |
++ } |
|
| 57 |
++ cpTag(in, out, p->tag, p->count, p->type); |
|
| 58 |
++ } |
|
| 59 |
+ } |
|
| 60 |
+ #undef NTAGS |
|
| 61 |
+ |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: TIFF libraries and associated utilities. |
| 2 | 2 |
Name: libtiff |
| 3 | 3 |
Version: 4.0.9 |
| 4 |
-Release: 4%{?dist}
|
|
| 4 |
+Release: 5%{?dist}
|
|
| 5 | 5 |
License: libtiff |
| 6 | 6 |
URL: http://www.simplesystems.org/libtiff/ |
| 7 | 7 |
Group: System Environment/Libraries |
| ... | ... |
@@ -17,6 +17,8 @@ Patch4: libtiff-4.0-9-CVE-2017-11613-1.patch |
| 17 | 17 |
Patch5: libtiff-4.0-9-CVE-2017-11613-2.patch |
| 18 | 18 |
Patch6: libtiff-4.0-9-CVE-2018-7456.patch |
| 19 | 19 |
Patch7: libtiff-4.0.9-CVE-2018-8905.patch |
| 20 |
+Patch8: libtiff-4.0.9-CVE-2018-17100.patch |
|
| 21 |
+Patch9: libtiff-4.0.9-CVE-2018-17101.patch |
|
| 20 | 22 |
BuildRequires: libjpeg-turbo-devel |
| 21 | 23 |
Requires: libjpeg-turbo |
| 22 | 24 |
%description |
| ... | ... |
@@ -39,6 +41,8 @@ It contains the libraries and header files to create applications |
| 39 | 39 |
%patch5 -p1 |
| 40 | 40 |
%patch6 -p1 |
| 41 | 41 |
%patch7 -p1 |
| 42 |
+%patch8 -p1 |
|
| 43 |
+%patch9 -p1 |
|
| 42 | 44 |
%build |
| 43 | 45 |
%configure \ |
| 44 | 46 |
--disable-static |
| ... | ... |
@@ -72,6 +76,8 @@ make %{?_smp_mflags} -k check
|
| 72 | 72 |
%{_datadir}/man/man3/*
|
| 73 | 73 |
|
| 74 | 74 |
%changelog |
| 75 |
+* Sun Dec 02 2018 Ashwin H <xiaolinl@vmware.com> 4.0.9-5 |
|
| 76 |
+- Fix CVE-2018-17100, CVE-2018-17101 |
|
| 75 | 77 |
* Mon May 14 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.9-4 |
| 76 | 78 |
- Fix CVE-2018-7456, CVE-2018-8905, CVE-2018-5784, CVE-2017-11613 |
| 77 | 79 |
* Wed Feb 14 2018 Dheeraj Shetty <dheerajs@vmware.com> 4.0.9-3 |