GNU bug report logs

#27603 [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.


Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Alex Vong <alexvong1995@gmail.com>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.
Date: Fri, 07 Jul 2017 06:31:36 +0800
Message-ID: <87r2xti4dz.fsf@gmail.com>
[Message part 1 (text/plain, inline)]
Severity: important
Tags: patch security

Hello,

This patch fixes the two latest CVEs of libtiff:

[0001-gnu-libtiff-Fix-CVE-2017-9936-10688.patch (text/x-diff, inline)]
From 8dc3ff7b6b34b1d0ff7ab535883df20dbc5af2c8 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Fri, 7 Jul 2017 06:17:37 +0800
Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.

* gnu/packages/patches/libtiff-CVE-2017-9936.patch,
  gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
* gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
* gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/local.mk                                      |  2 +
 gnu/packages/image.scm                            |  4 +-
 gnu/packages/patches/libtiff-CVE-2017-10688.patch | 80 +++++++++++++++++++++++
 gnu/packages/patches/libtiff-CVE-2017-9936.patch  | 39 +++++++++++
 4 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-10688.patch
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9936.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 8dbce7c05..4ae395ef8 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -766,6 +766,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtiff-CVE-2016-10093.patch		\
   %D%/packages/patches/libtiff-CVE-2016-10094.patch		\
   %D%/packages/patches/libtiff-CVE-2017-5225.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-9936.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-10688.patch		\
   %D%/packages/patches/libtiff-assertion-failure.patch		\
   %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch	\
   %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch	\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 8a03cbc3c..4450980bf 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -391,7 +391,9 @@ collection of tools for doing simple manipulations of TIFF images.")
        (method url-fetch)
        (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
                            version ".tar.gz"))
-       (patches (search-patches "libtiff-tiffgetfield-bugs.patch"))
+       (patches (search-patches "libtiff-tiffgetfield-bugs.patch"
+                                "libtiff-CVE-2017-9936.patch"
+                                "libtiff-CVE-2017-10688.patch"))
        (sha256
         (base32
          "0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))))
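Review bot: The two entries added to the `search-patches` list are upstream development-tree commits applied to the 4.0.8 release tarball, and both patch headers already note that the ChangeLog part had to be dropped because it does not apply there, so please confirm with a build that the remaining hunks apply cleanly after "libtiff-tiffgetfield-bugs.patch". The unchanged sha256 is expected, since the patches are applied after the tarball is fetched. The commit message names libtiff-4.0.8 as the target; the hunk does not show how that variable relates to the default libtiff package, so it would help to say in the commit message how users of libtiff receive the fix.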
diff --git a/gnu/packages/patches/libtiff-CVE-2017-10688.patch b/gnu/packages/patches/libtiff-CVE-2017-10688.patch
new file mode 100644
index 000000000..3b5d27fd7
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-10688.patch
@@ -0,0 +1,80 @@
+Fix CVE-2017-10688:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2712
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688
+https://security-tracker.debian.org/tracker/CVE-2017-10688
+
+Patch lifted from upstream source repository (the changes to 'ChangeLog'
+don't apply to the libtiff 4.0.8 release tarball):
+
+https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
+
+From 6173a57d39e04d68b139f8c1aa499a24dbe74ba1 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Fri, 30 Jun 2017 17:29:44 +0000
+Subject: [PATCH] * libtiff/tif_dirwrite.c: in
+ TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
+ data type, replace assertion that the file is BigTIFF, by a non-fatal error.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
+ OWL337
+
+---
+ ChangeLog              |  8 ++++++++
+ libtiff/tif_dirwrite.c | 20 ++++++++++++++++----
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 2967da58..8d6686ba 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
+ {
+ 	uint64 m;
+ 	assert(sizeof(uint64)==8);
+-	assert(tif->tif_flags&TIFF_BIGTIFF);
++	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
++		return(0);
++	}
+ 	m=value;
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabLong8(&m);
+@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
+ {
+ 	assert(count<0x20000000);
+ 	assert(sizeof(uint64)==8);
+-	assert(tif->tif_flags&TIFF_BIGTIFF);
++	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
++		return(0);
++	}
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabArrayOfLong8(value,count);
+ 	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
+@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
+ {
+ 	int64 m;
+ 	assert(sizeof(int64)==8);
+-	assert(tif->tif_flags&TIFF_BIGTIFF);
++	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
++		return(0);
++	}
+ 	m=value;
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabLong8((uint64*)(&m));
+@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
+ {
+ 	assert(count<0x20000000);
+ 	assert(sizeof(int64)==8);
+-	assert(tif->tif_flags&TIFF_BIGTIFF);
++	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
++		return(0);
++	}
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabArrayOfLong8((uint64*)value,count);
+ 	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
+-- 
+2.13.2
+
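Review bot: In the Long8Array, Slong8 and Slong8Array variants the module string passed to TIFFErrorExt is still "TIFFWriteDirectoryTagCheckedLong8", so an error raised in any of the four functions is reported under the first function's name. Because this file is lifted from upstream commit 6173a57d39e04d68b139f8c1aa499a24dbe74ba1, keeping it identical to upstream is reasonable, but the mismatch is worth reporting upstream or mentioning in the header comment. The patch replaces only the `assert(tif->tif_flags&TIFF_BIGTIFF)` check; the two array variants keep `assert(count<0x20000000)`, so a fatal assertion remains on those paths and the header should not be read as removing every assertion from these writers.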
diff --git a/gnu/packages/patches/libtiff-CVE-2017-9936.patch b/gnu/packages/patches/libtiff-CVE-2017-9936.patch
new file mode 100644
index 000000000..a3d51e0ef
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-9936.patch
@@ -0,0 +1,39 @@
+Fix CVE-2017-9936:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2706
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9936
+https://security-tracker.debian.org/tracker/CVE-2017-9936
+
+Patch lifted from upstream source repository (the changes to 'ChangeLog'
+don't apply to the libtiff 4.0.8 release tarball):
+
+https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a
+
+From fe8d7165956b88df4837034a9161dc5fd20cf67a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 26 Jun 2017 15:19:59 +0000
+Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of
+ JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported
+ by team OWL337
+
+* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
+---
+ ChangeLog          | 8 +++++++-
+ libtiff/tif_jbig.c | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 5f5f75e2..c75f31d9 100644
+--- a/libtiff/tif_jbig.c
++++ b/libtiff/tif_jbig.c
+@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ 			     jbg_strerror(decodeStatus)
+ #endif
+ 			     );
++		jbg_dec_free(&decoder);
+ 		return 0;
+ 	}
+ 
+-- 
+2.13.2
+
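Review bot: The embedded upstream commit message carries a stray, truncated line, "* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg", while the diffstat and the only hunk touch libtiff/tif_jbig.c (plus the dropped ChangeLog). The line comes from upstream, but someone auditing this file may look for a tif_jpeg.c change that is not here. A sentence in the Guix header stating that the fix is the single `jbg_dec_free(&decoder);` call on the error path of JBIGDecode(), before `return 0;`, would make the scope of the patch clear.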
-- 
2.13.2

[Message part 3 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]
