Change-Id: Ia0dc04339bb3c2c07c90eb5dceaf66bb1c0f2a43
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4501
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
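new file mode 100644
--- /dev/null
+++ b/libtiff-4.0.8-CVE-2017-9935.patch
@@ -0,0 +1,153 @@
+From faf20bd484aece918692831da5fad236b983fa08 Mon Sep 17 00:00:00 2001
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:46:47 +1100
+Subject: [PATCH] Fix CVE-2017-9935
+
+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+This vulnerability - at least for the supplied test case - is because we
+assume that a tiff will only have one transfer function that is the same
+for all pages. This is not required by the TIFF standards.
+
+We than read the transfer function for every page. Depending on the
+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+We allocate this memory after we read in the transfer function for the
+page.
+
+For the first exploit - POC1, this file has 3 pages. For the first page
+we allocate 2 extra extra XREF entries. Then for the next page 2 more
+entries. Then for the last page the transfer function changes and we
+allocate 4 more entries.
+
+When we read the file into memory, we assume we have 4 bytes extra for
+each and every page (as per the last transfer function we read). Which
+is not correct, we only have 2 bytes extra for the first 2 pages. As a
+result, we end up writing past the end of the buffer.
+
+There are also some related issues that this also fixes. For example,
+TIFFGetField can return uninitalized pointer values, and the logic to
+detect a N=3 vs N=1 transfer function seemed rather strange.
+
+It is also strange that we declare the transfer functions to be of type
+float, when the standard says they are unsigned 16 bit values. This is
+fixed in another patch.
+
+This patch will check to ensure that the N value for every transfer
+function is the same for every page. If this changes, we abort with an
+error. In theory, we should perhaps check that the transfer function
+itself is identical for every page, however we don't do that due to the
+confusion of the type of the data in the transfer function.
+---
+ libtiff/tif_dir.c | 3 +++
+ tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++++++++++++++---------------------
+ 2 files changed, 47 insertions(+), 21 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 2ccaf44..cbf2b69 100644
+--- a/libtiff/tif_dir.c
+@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ if (td->td_samplesperpixel - td->td_extrasamples > 1) {
+ *va_arg(ap, uint16**) = td->td_transferfunction[1];
+ *va_arg(ap, uint16**) = td->td_transferfunction[2];
++ } else {
++ *va_arg(ap, uint16**) = NULL;
++ *va_arg(ap, uint16**) = NULL;
+ }
+ break;
+ case TIFFTAG_REFERENCEBLACKWHITE:
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index d1a9b09..c3ec074 100644
+--- a/tools/tiff2pdf.c
+@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ uint16 pagen=0;
+ uint16 paged=0;
+ uint16 xuint16=0;
++ uint16 tiff_transferfunctioncount=0;
++ float* tiff_transferfunction[3];
+
+ directorycount=TIFFNumberOfDirectories(input);
+ t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ }
+ #endif
+ if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
+- &(t2p->tiff_transferfunction[0]),
+- &(t2p->tiff_transferfunction[1]),
+- &(t2p->tiff_transferfunction[2]))) {
+- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[1] !=
+- t2p->tiff_transferfunction[0])) {
+- t2p->tiff_transferfunctioncount = 3;
+- t2p->tiff_pages[i].page_extra += 4;
+- t2p->pdf_xrefcount += 4;
+- } else {
+- t2p->tiff_transferfunctioncount = 1;
+- t2p->tiff_pages[i].page_extra += 2;
+- t2p->pdf_xrefcount += 2;
+- }
+- if(t2p->pdf_minorversion < 2)
+- t2p->pdf_minorversion = 2;
++ &(tiff_transferfunction[0]),
++ &(tiff_transferfunction[1]),
++ &(tiff_transferfunction[2]))) {
++
++ if((tiff_transferfunction[1] != (float*) NULL) &&
++ (tiff_transferfunction[2] != (float*) NULL)
++ ) {
++ tiff_transferfunctioncount=3;
++ } else {
++ tiff_transferfunctioncount=1;
++ }
+ } else {
+- t2p->tiff_transferfunctioncount=0;
++ tiff_transferfunctioncount=0;
+ }
++
++ if (i > 0){
++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Different transfer function on page %d",
++ i);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ }
++
++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
++ if(tiff_transferfunctioncount == 3){
++ t2p->tiff_pages[i].page_extra += 4;
++ t2p->pdf_xrefcount += 4;
++ if(t2p->pdf_minorversion < 2)
++ t2p->pdf_minorversion = 2;
++ } else if (tiff_transferfunctioncount == 1){
++ t2p->tiff_pages[i].page_extra += 2;
++ t2p->pdf_xrefcount += 2;
++ if(t2p->pdf_minorversion < 2)
++ t2p->pdf_minorversion = 2;
++ }
++
+ if( TIFFGetField(
+ input,
+ TIFFTAG_ICCPROFILE,
+@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ &(t2p->tiff_transferfunction[1]),
+ &(t2p->tiff_transferfunction[2]))) {
+ if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[1] !=
+- t2p->tiff_transferfunction[0])) {
++ (t2p->tiff_transferfunction[2] != (float*) NULL)
++ ) {
+ t2p->tiff_transferfunctioncount=3;
+ } else {
+ t2p->tiff_transferfunctioncount=1;
+--
+libgit2 0.26.0
+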
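Review bot: In the embedded tiff2pdf.c hunk for t2p_read_tiff_init (new-file lines 65 and 117–120), `float* tiff_transferfunction[3];` is declared without an initializer, yet `t2p->tiff_transferfunction[0] = tiff_transferfunction[0];` (and [1], [2]) is executed unconditionally, so on a page where TIFFGetField() fails and the count is set to 0 the three indeterminate pointers are read and stored into `t2p`. That read is undefined behaviour by itself, and any later code that looks at `t2p->tiff_transferfunction[]` without first checking `tiff_transferfunctioncount` would dereference garbage; `float* tiff_transferfunction[3] = {NULL, NULL, NULL};` at the declaration closes it and mirrors what the tif_dir.c hunk now does for the unused out-pointers. Separately, the two embedded file headers show `--- a/libtiff/tif_dir.c` and `--- a/tools/tiff2pdf.c` with no `+++ b/` line following (new-file lines 46 and 59); this may be a rendering artefact, but the checked-in patch should be confirmed to carry them since `%patch8 -p1` applies it at build time. The enclosing t2p_read_tiff_init() starts and ends outside the hunk.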
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: TIFF libraries and associated utilities. |
2 | 2 |
Name: libtiff |
3 | 3 |
Version: 4.0.8 |
4 |
-Release: 6%{?dist} |
|
4 |
+Release: 7%{?dist} |
|
5 | 5 |
License: libtiff |
6 | 6 |
URL: http://www.simplesystems.org/libtiff/ |
7 | 7 |
Group: System Environment/Libraries |
@@ -18,6 +18,7 @@ Patch4: libtiff-4.0.8-CVE-2017-11335.patch |
18 | 18 |
Patch5: libtiff-4.0.8-CVE-2017-12944.patch |
19 | 19 |
Patch6: libtiff-4.0.8-CVE-2017-13726.patch |
20 | 20 |
Patch7: libtiff-4.0.8-CVE-2017-13727.patch |
21 |
+Patch8: libtiff-4.0.8-CVE-2017-9935.patch |
|
21 | 22 |
BuildRequires: libjpeg-turbo-devel |
22 | 23 |
Requires: libjpeg-turbo |
23 | 24 |
%description |
@@ -40,6 +41,7 @@ It contains the libraries and header files to create applications |
40 | 40 |
%patch5 -p1 |
41 | 41 |
%patch6 -p1 |
42 | 42 |
%patch7 -p1 |
43 |
+%patch8 -p1 |
|
43 | 44 |
%build |
44 | 45 |
%configure \ |
45 | 46 |
--disable-static |
@@ -73,6 +75,8 @@ make %{?_smp_mflags} -k check |
73 | 73 |
%{_datadir}/man/man3/* |
74 | 74 |
|
75 | 75 |
%changelog |
76 |
+* Mon Dec 11 2017 Xiaolin Li <xiaolinl@vmware.com> 4.0.8-7 |
|
77 |
+- Added patch for CVE-2017-9935 |
|
76 | 78 |
* Mon Nov 27 2017 Xiaolin Li <xiaolinl@vmware.com> 4.0.8-6 |
77 | 79 |
- Added patches for CVE-2017-13726, CVE-2017-13727 |
78 | 80 |
* Mon Nov 13 2017 Dheeraj Shetty <dheerajs@vmware.com> 4.0.8-5 |