path: root/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
authorMark H Weaver <mhw@netris.org>2016-01-21 00:28:03 -0500
committerMark H Weaver <mhw@netris.org>2016-01-21 00:30:15 -0500
commit86fa2ea92f431fe9d23d41aa22c198ec2ce9a5f1 (patch)
tree9d0ee514085917f8bad1ec34754197cde838295a /gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
parenta2190cccc2f2b371cf4a4259519ee3466f2f63ac (diff)
gnu: libtiff: Update to 4.0.6. Add fixes for CVE-2015-{8665,8683}.
* gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch,
  gnu/packages/patches/libtiff-oob-accesses-in-decode.patch,
  gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff): Update to 4.0.6.
  [source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch')
-rw-r--r--gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch107
1 files changed, 107 insertions, 0 deletions
diff --git a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
new file mode 100644
index 0000000000..811516dbe9
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
@@ -0,0 +1,107 @@
+2015-12-26  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+	interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+	for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+	TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+	CVE-2015-8683 reported by zzf of Alibaba.
+
+diff -u -r1.93 -r1.94
+--- libtiff/libtiff/tif_getimage.c	22 Nov 2015 15:31:03 -0000	1.93
++++ libtiff/libtiff/tif_getimage.c	26 Dec 2015 17:32:03 -0000	1.94
+@@ -182,20 +182,22 @@
+ 				    "Planarconfiguration", td->td_planarconfig);
+ 				return (0);
+ 			}
+-			if( td->td_samplesperpixel != 3 )
++			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d",
+-                        "Samples/pixel", td->td_samplesperpixel);
++                        "Sorry, can not handle image with %s=%d, %s=%d",
++                        "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels);
+                 return 0;
+             }
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
+-            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
++            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d and %s=%d",
++                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+                         "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels,
+                         "Bits/sample", td->td_bitspersample);
+                 return 0;
+             }
+@@ -255,6 +257,9 @@
+ 	int colorchannels;
+ 	uint16 *red_orig, *green_orig, *blue_orig;
+ 	int n_color;
++	
++	if( !TIFFRGBAImageOK(tif, emsg) )
++		return 0;
+ 
+ 	/* Initialize to normal values */
+ 	img->row_offset = 0;
+@@ -2509,29 +2514,33 @@
+ 		case PHOTOMETRIC_RGB:
+ 			switch (img->bitspersample) {
+ 				case 8:
+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++						img->samplesperpixel >= 4)
+ 						img->put.contig = putRGBAAcontig8bittile;
+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++							 img->samplesperpixel >= 4)
+ 					{
+ 						if (BuildMapUaToAa(img))
+ 							img->put.contig = putRGBUAcontig8bittile;
+ 					}
+-					else
++					else if( img->samplesperpixel >= 3 )
+ 						img->put.contig = putRGBcontig8bittile;
+ 					break;
+ 				case 16:
+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++						img->samplesperpixel >=4 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img))
+ 							img->put.contig = putRGBAAcontig16bittile;
+ 					}
+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++							 img->samplesperpixel >=4 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img) &&
+ 						    BuildMapUaToAa(img))
+ 							img->put.contig = putRGBUAcontig16bittile;
+ 					}
+-					else
++					else if( img->samplesperpixel >=3 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img))
+ 							img->put.contig = putRGBcontig16bittile;
+@@ -2540,7 +2549,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_SEPARATED:
+-			if (buildMap(img)) {
++			if (img->samplesperpixel >=4 && buildMap(img)) {
+ 				if (img->bitspersample == 8) {
+ 					if (!img->Map)
+ 						img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2636,7 +2645,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
+-			if (buildMap(img)) {
++			if (img->samplesperpixel == 3 && buildMap(img)) {
+ 				if (img->bitspersample == 8)
+ 					img->put.contig = initCIELabConversion(img);
+ 				break;
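Review bot: In the embedded `@@ -255,6 +257,9 @@` hunk, the new `if( !TIFFRGBAImageOK(tif, emsg) ) return 0;` exits TIFFRGBAImageBegin() before the `/* Initialize to normal values */` assignments, so a rejected file leaves `*img` exactly as the caller supplied it. That is safe only if no caller reads or releases `img` after a failed begin; the rest of the function and its callers lie outside this hunk, so this needs confirming rather than assuming. I would state the contract next to the check, e.g. `/* On failure img is left uninitialised: callers must not use or release it. */`, or move the check below the initialisation block. Since the file is an imported upstream fix, either change is probably best raised upstream and picked up when the patch is refreshed.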