
Fix CVE-2018-17100, CVE-2018-17101

Change-Id: I99afbafa036709ddb943db18992dd832f330c377
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6196
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George

ashwin-h authored on 2018/11/19 23:58:40
Showing 3 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,33 @@
0
+commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e
1
+Author: Young_X <YangX92@hotmail.com>
2
+Date:   Sat Sep 8 14:46:27 2018 +0800
3
+
4
+    avoid potential int32 overflows in multiply_ms()
5
+
6
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
7
+index af6e412..c2d5925 100644
8
+--- a/tools/ppm2tiff.c
9
+@@ -70,15 +70,16 @@ BadPPM(char* file)
10
+ 	exit(-2);
11
+ }
12
+ 
13
++
14
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
15
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
16
++
17
+ static tmsize_t
18
+ multiply_ms(tmsize_t m1, tmsize_t m2)
19
+ {
20
+-	tmsize_t bytes = m1 * m2;
21
+-
22
+-	if (m1 && bytes / m1 != m2)
23
+-		bytes = 0;
24
+-
25
+-	return bytes;
26
++        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
27
++            return 0;
28
++        return m1 * m2;
29
+ }
30
+ 
31
+ int
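Review bot: The new guard in multiply_ms() bounds m2 only from above, so negative operands are not rejected. tmsize_t is signed: with m1 > 0 and a negative m2 the test `m2 > TIFF_TMSIZE_T_MAX / m1` is false and `m1 * m2` is still evaluated, and two large negative operands can also overflow. The callers are not visible here, so whether a negative count can reach this function (for example from an unsigned width converted on a 32-bit build) needs confirming. Rejecting such values up front costs nothing: `if( m1 <= 0 || m2 <= 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )`. The macro would also be safer with outer parentheses, `#define TIFF_TMSIZE_T_MAX ((tmsize_t)(TIFF_SIZE_T_MAX >> 1))`.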
0 32
new file mode 100644
... ...
@@ -0,0 +1,64 @@
0
+commit f1b94e8a3ba49febdd3361c0214a1d1149251577
1
+Author: Young_X <YangX92@hotmail.com>
2
+Date:   Sat Sep 8 14:36:12 2018 +0800
3
+
4
+    only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4
5
+
6
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
7
+index 01fcf94..01d8502 100644
8
+--- a/tools/pal2rgb.c
9
+@@ -402,7 +402,23 @@ cpTags(TIFF* in, TIFF* out)
10
+ {
11
+     struct cpTag *p;
12
+     for (p = tags; p < &tags[NTAGS]; p++)
13
+-	cpTag(in, out, p->tag, p->count, p->type);
14
++    {
15
++        if( p->tag == TIFFTAG_GROUP3OPTIONS )
16
++        {
17
++            uint16 compression;
18
++            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
19
++                    compression != COMPRESSION_CCITTFAX3 )
20
++                continue;
21
++        }
22
++        if( p->tag == TIFFTAG_GROUP4OPTIONS )
23
++        {
24
++            uint16 compression;
25
++            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
26
++                    compression != COMPRESSION_CCITTFAX4 )
27
++                continue;
28
++        }
29
++        cpTag(in, out, p->tag, p->count, p->type);
30
++    }
31
+ }
32
+ #undef NTAGS
33
+ 
34
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
35
+index 05faba8..5bef314 100644
36
+--- a/tools/tiff2bw.c
37
+@@ -450,7 +450,23 @@ cpTags(TIFF* in, TIFF* out)
38
+ {
39
+     struct cpTag *p;
40
+     for (p = tags; p < &tags[NTAGS]; p++)
41
+-	cpTag(in, out, p->tag, p->count, p->type);
42
++    {
43
++        if( p->tag == TIFFTAG_GROUP3OPTIONS )
44
++        {
45
++            uint16 compression;
46
++            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
47
++                    compression != COMPRESSION_CCITTFAX3 )
48
++                continue;
49
++        }
50
++        if( p->tag == TIFFTAG_GROUP4OPTIONS )
51
++        {
52
++            uint16 compression;
53
++            if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
54
++                    compression != COMPRESSION_CCITTFAX4 )
55
++                continue;
56
++        }
57
++        cpTag(in, out, p->tag, p->count, p->type);
58
++    }
59
+ }
60
+ #undef NTAGS
61
+ 
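Review bot: The GROUP3OPTIONS and GROUP4OPTIONS guards in cpTags() are the same block written twice, copied again into tools/tiff2bw.c, and each re-reads TIFFTAG_COMPRESSION inside the loop. Reading it once before the loop, `uint16 compression = 0; int has_comp = TIFFGetField(in, TIFFTAG_COMPRESSION, &compression);`, reduces each guard to one line such as `if( p->tag == TIFFTAG_GROUP3OPTIONS && (!has_comp || compression != COMPRESSION_CCITTFAX3) ) continue;`. It also keeps the two tools from drifting apart. Nothing in the code says why these two tags are special, so I would add a comment above the guards, e.g. `/* Group3/Group4 options are codec-specific: copy them only when the input really is CCITT fax compressed */`. The tags table and NTAGS that cpTags() iterates over are defined outside the hunk.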
... ...
@@ -1,7 +1,7 @@
1 1
 Summary:        TIFF libraries and associated utilities.
2 2
 Name:           libtiff
3 3
 Version:        4.0.9
4
-Release:        6%{?dist}
4
+Release:        7%{?dist}
5 5
 License:        libtiff
6 6
 URL:            http://www.simplesystems.org/libtiff/
7 7
 Group:          System Environment/Libraries
... ...
@@ -19,6 +19,8 @@ Patch5:         libtiff-4.0-9-CVE-2017-11613-2.patch
19 19
 Patch6:         libtiff-4.0-9-CVE-2018-7456.patch
20 20
 Patch7:         libtiff-4.0.9-CVE-2018-8905.patch
21 21
 Patch8:         libtiff-4.0.9-CVE-2018-10963.patch
22
+Patch9:         libtiff-4.0.9-CVE-2018-17100.patch
23
+Patch10:        libtiff-4.0.9-CVE-2018-17101.patch
22 24
 
23 25
 BuildRequires:  libjpeg-turbo-devel
24 26
 Requires:       libjpeg-turbo
... ...
@@ -43,6 +45,9 @@ It contains the libraries and header files to create applications
43 43
 %patch6 -p1
44 44
 %patch7 -p1
45 45
 %patch8 -p1
46
+%patch9 -p1
47
+%patch10 -p1
48
+
46 49
 %build
47 50
 %configure \
48 51
     --disable-static
... ...
@@ -76,6 +81,8 @@ make %{?_smp_mflags} -k check
76 76
 %{_datadir}/man/man3/*
77 77
 
78 78
 %changelog
79
+*   Mon Nov 19 2018 Ashwin H <ankitja@vmware.com> 4.0.9-7
80
+-   Fix CVE-2018-17100, CVE-2018-17101
79 81
 *   Tue Jun 19 2018 Ankit Jain <ankitja@vmware.com> 4.0.9-6
80 82
 -   Fix CVE-2018-10963
81 83
 *   Mon May 14 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.9-5
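Review bot: The new %changelog entry pairs the name "Ashwin H" with `ankitja@vmware.com`, the address used by the Ankit Jain entry directly below it, which looks like a copy-paste from the previous record. The changelog is the audit trail for which CVE fixes went into which release, so the entry should carry the committer's own address. The Patch9/Patch10 declarations and the matching `%patch9 -p1` / `%patch10 -p1` lines are consistent with each other.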