[Security-team] [SA19838] LibTIFF Multiple Vulnerabilities
Michael Shigorin
mike на osdn.org.ua
Чт Май 4 12:03:05 MSD 2006
On Fri, Apr 28, 2006 at 09:33:54AM -0000, Secunia Security Advisories wrote:
> ORIGINAL ADVISORY:
> http://www.remotesensing.org/libtiff/v3.8.1.html
> http://bugzilla.remotesensing.org/show_bug.cgi?id=1102
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189933
Дим, я вчера немного попробовал собрать исправление, пока
споткнулся вот где:
/usr/bin/gcc -c -fPIC -pipe -Wall -O2 -march=i586 -mcpu=i686 -O -I. -I../libtiff -DJPEG_SUPPORT -DZIP_SUPPORT ../libtiff/tif_fax3.c
../libtiff/tif_fax3.c: In function `Fax3Cleanup':
../libtiff/tif_fax3.c:1081: error: structure has no member named `tif_tagmethods'
../libtiff/tif_fax3.c:1082: error: structure has no member named `tif_tagmethods'
../libtiff/tif_fax3.c:1088: error: structure has no member named `tif_tagmethods'
../libtiff/tif_fax3.c:1089: error: structure has no member named `tif_tagmethods'
make[1]: *** [tif_fax3.o] Error 1
make[1]: Leaving directory `/usr/src/RPM/BUILD/tiff-v3.5.7/libtiff'
make: *** [all] Error 2
make: Leaving directory `/usr/src/RPM/BUILD/tiff-v3.5.7'
error: Bad exit status from /usr/src/tmp/rpm-tmp.48042 (%build)
Это имя встречается только в добавляемом патче; боюсь, его там
сборкой перед вывешиванием не проверили (=> недочистили),
поскольку в tiff-v3.5.7.tar.bz2 и других патчах из предыдущего
апдейта libtiff-3.5.7-22.el3.src.rpm такого нет.
Патч из RH#189933 и spec diff прилагаю; подождать, пока кто
обтешет для 3.5.7? (mdk вроде выложили, но найти SRPMS для их
corporate/3.0 не удалось).
--
---- WBR, Michael Shigorin <mike на altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/
----------- следующая часть -----------
--- ../libtiff.spec 2005-05-11 14:55:59 +0300
+++ libtiff.spec 2006-05-04 00:06:45 +0300
@@ -4,7 +4,7 @@
Name: libtiff
Version: 3.5.7
-Release: alt6.%release_tag.3
+Release: alt6.%release_tag.4
Summary: A library of functions for manipulating TIFF format image files
License: BSD-like
@@ -30,6 +30,8 @@
Patch16: %name-v3.5.7-exit.patch
Patch17: tiff-v3.5.7-alt-fax2tiff.patch
+Patch18: libtiff-3.5.7-rh-CVE-2006-2024+.patch
+
# Automatically added by buildreq on Wed Oct 01 2003
BuildRequires: libjpeg-devel zlib-devel
@@ -77,6 +79,8 @@
%patch16 -p1
%patch17 -p1
+%patch18 -p1
+
find -type d -name CVS -print0 |
xargs -r0 rm -rf --
@@ -122,6 +126,11 @@
%doc html
%changelog
+* Thu May 04 2006 Michael Shigorin <mike на altlinux.org> 3.5.7-alt6.%release_tag.4
+- security fix for CVE-2006-2024, CVE-2006-2025, CVE-2006-2026
+ (some are DoS/remote code exec); patch for 3.5.7 from RH #189933
+- note that CVE-2006-2120 isn't applicable (3.6+)
+
* Wed May 11 2005 Dmitry V. Levin <ldv на altlinux.org> 3.5.7-alt6.%release_tag.3
- Fixed one more potential heap overflow bug.
----------- следующая часть -----------
--- tiff-v3.5.7/libtiff/tif_fax3.c.multiple 2006-04-26 08:53:03.000000000 -0400
+++ tiff-v3.5.7/libtiff/tif_fax3.c 2006-04-26 08:56:10.000000000 -0400
@@ -1075,13 +1075,18 @@
static void
Fax3Cleanup(TIFF* tif)
{
- if (tif->tif_data) {
if (Fax3State(tif)->rw_mode == O_RDONLY) {
Fax3DecodeState* sp = DecoderState(tif);
+ assert (sp != 0);
+ tif->tif_tagmethods.vgetfield = sp->b.vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->b.vsetparent;
if (sp->runs)
_TIFFfree(sp->runs);
} else {
Fax3EncodeState* sp = EncoderState(tif);
+ assert (sp != 0);
+ tif->tif_tagmethods.vgetfield = sp->b.vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->b.vsetparent;
if (sp->refline)
_TIFFfree(sp->refline);
}
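Review bot: `tif->tif_tagmethods` on the four added assignment lines is not a member of the 3.5.7 `struct tiff`, which is exactly what the build log earlier in the mail reports for tif_fax3.c:1081-1089, so this hunk cannot be applied to 3.5.7 as posted; the same member is used in the JPEGCleanup, ZIPCleanup, PixarLogCleanup and TIFFPredictorCleanup hunks below. If memory serves, the 3.5.x series keeps these hooks as direct members, so the backport would assign `tif->tif_vgetfield = sp->b.vgetparent;` and `tif->tif_vsetfield = sp->b.vsetparent;` in each branch — confirm the names against 3.5.7's tiffiop.h before rebuilding. Separately, the removed `if (tif->tif_data)` guard is replaced only by `assert (sp != 0)`, which compiles to nothing under NDEBUG, so a cleanup reached after a failed codec setup would dereference NULL in release builds; keep a real guard such as `if (!tif->tif_data) return;` ahead of the asserts, and the same applies to the other cleanup hunks named above. The intent of restoring the parent vget/vset hooks before `tif_data` is freed (presumably so a later tag access cannot call into freed state) is the right fix; it only needs the 3.5.7 spelling and a runtime guard.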
@@ -1089,7 +1094,6 @@
_TIFFfree(Fax3State(tif)->subaddress);
_TIFFfree(tif->tif_data);
tif->tif_data = NULL;
- }
}
#define FIELD_BADFAXLINES (FIELD_CODEC+0)
@@ -1137,6 +1141,8 @@
Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
{
Fax3BaseState* sp = Fax3State(tif);
+ assert (sp != 0);
+ assert (sp->vsetparent != 0);
switch (tag) {
case TIFFTAG_FAXMODE:
--- tiff-v3.5.7/libtiff/tif_dirread.c.multiple 2006-04-26 08:52:01.000000000 -0400
+++ tiff-v3.5.7/libtiff/tif_dirread.c 2006-04-26 08:52:24.000000000 -0400
@@ -683,13 +683,20 @@
int w = tiffDataWidth[dir->tdir_type];
tsize_t cc = dir->tdir_count * w;
+ /* Check for overflow. */
+ if (!dir->tdir_count || !w || cc / w != (tsize_t)dir->tdir_count)
+ goto bad;
+
if (!isMapped(tif)) {
if (!SeekOK(tif, dir->tdir_offset))
goto bad;
if (!ReadOK(tif, cp, cc))
goto bad;
} else {
- if (dir->tdir_offset + cc > tif->tif_size)
+ /* Check for overflow. */
+ if ((tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset
+ || (tsize_t)dir->tdir_offset + cc < cc
+ || (tsize_t)dir->tdir_offset + cc > (tsize_t)tif->tif_size)
goto bad;
_TIFFmemcpy(cp, tif->tif_base + dir->tdir_offset, cc);
}
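Review bot: The three-way bound added in the `else` branch detects wrap by letting `(tsize_t)dir->tdir_offset + cc` overflow a signed tsize_t, which is undefined behaviour in C, so an optimizing compiler is entitled to drop the first two comparisons and leave only the original unsafe check. Rewrite it without the overflowing add, e.g. `if (cc < 0 || (toff_t)cc > tif->tif_size || dir->tdir_offset > tif->tif_size - (toff_t)cc) goto bad;` (this assumes tif_size and tdir_offset are unsigned 32-bit in this series — verify against tiffiop.h and tiff.h). The product check above it also lets one case through: with a count of 0x80000000 and w == 1, `cc` lands in the negative half of tsize_t and `cc / w == (tsize_t)dir->tdir_count` still holds, so that test should additionally reject `cc <= 0`, and a one-line comment saying the multiply is done in uint32 and divided back to detect wrap would help the next reader. The new `!dir->tdir_count` clause turns a zero-count entry, which the old code accepted, into `goto bad` — presumably intended, but it is a behaviour change worth a note. The enclosing function begins before this hunk.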
--- tiff-v3.5.7/libtiff/tif_jpeg.c.multiple 2006-04-26 08:57:39.000000000 -0400
+++ tiff-v3.5.7/libtiff/tif_jpeg.c 2006-04-26 08:58:27.000000000 -0400
@@ -1276,14 +1276,18 @@
static void
JPEGCleanup(TIFF* tif)
{
- if (tif->tif_data) {
- JPEGState *sp = JState(tif);
- TIFFjpeg_destroy(sp); /* release libjpeg resources */
- if (sp->jpegtables) /* tag value */
- _TIFFfree(sp->jpegtables);
- _TIFFfree(tif->tif_data); /* release local state */
- tif->tif_data = NULL;
- }
+ JPEGState *sp = JState(tif);
+
+ assert (sp != 0);
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
+ if (sp->jpegtables) /* tag value */
+ _TIFFfree(sp->jpegtables);
+ _TIFFfree(tif->tif_data); /* release local state */
+ tif->tif_data = NULL;
}
static int
--- tiff-v3.5.7/libtiff/tif_predict.c.multiple 2006-04-26 09:14:24.000000000 -0400
+++ tiff-v3.5.7/libtiff/tif_predict.c 2006-04-26 09:16:40.000000000 -0400
@@ -388,6 +388,9 @@
{
TIFFPredictorState *sp = PredictorState(tif);
+ assert(sp != NULL);
+ assert(sp->vsetparent != NULL);
+
switch (tag) {
case TIFFTAG_PREDICTOR:
sp->predictor = (uint16) va_arg(ap, int);
@@ -405,6 +408,9 @@
{
TIFFPredictorState *sp = PredictorState(tif);
+ assert(sp != NULL);
+ assert(sp->vgetparent != NULL);
+
switch (tag) {
case TIFFTAG_PREDICTOR:
*va_arg(ap, uint16*) = sp->predictor;
@@ -437,6 +443,8 @@
TIFFPredictorInit(TIFF* tif)
{
TIFFPredictorState* sp = PredictorState(tif);
+
+ assert(sp != NULL);
/*
* Merge codec-specific tag information and
@@ -459,3 +467,19 @@
sp->pfunc = NULL; /* no predictor routine */
return (1);
}
+
+int
+TIFFPredictorCleanup(TIFF* tif)
+{
+ TIFFPredictorState* sp = PredictorState(tif);
+
+ assert(sp != 0);
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+ tif->tif_tagmethods.printdir = sp->printdir;
+ tif->tif_setupdecode = sp->setupdecode;
+ tif->tif_setupencode = sp->setupencode;
+
+ return 1;
+}
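Review bot: The new exported TIFFPredictorCleanup has no header comment although it is added to the public tif_predict.h in this patch; add above it `/* Undo TIFFPredictorInit: restore the vget/vset, printdir and setupdecode/setupencode hooks the predictor layer overrode, so the calling codec can then chain to its own parents. Reads the predictor state in tif_data, so call it before that is freed. */`. The assignments through `tif->tif_tagmethods` hit the same member the mail's build log shows does not exist in 3.5.7; the direct `tif_vgetfield`/`tif_vsetfield`/`tif_printdir` members are the 3.5.x equivalents, if memory serves — verify in tiffiop.h, and check that `printdir`, `setupdecode` and `setupencode` are fields of 3.5.7's TIFFPredictorState as well. The function always returns 1 and both callers discard the result with `(void)`, so either state in the comment that it cannot fail or drop the return value together with the header prototype. `assert(sp != 0)` is a no-op under NDEBUG; since ZIPCleanup and PixarLogCleanup call this unconditionally, a `if (!sp) return 1;` guard keeps release builds from dereferencing NULL.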
--- tiff-v3.5.7/libtiff/tif_zip.c.multiple 2006-04-26 09:17:26.000000000 -0400
+++ tiff-v3.5.7/libtiff/tif_zip.c 2006-04-26 09:18:10.000000000 -0400
@@ -249,17 +249,23 @@
ZIPCleanup(TIFF* tif)
{
ZIPState* sp = ZState(tif);
- if (sp) {
- if (sp->state&ZSTATE_INIT) {
- /* NB: avoid problems in the library */
- if (tif->tif_mode == O_RDONLY)
- inflateEnd(&sp->stream);
- else
- deflateEnd(&sp->stream);
- }
- _TIFFfree(sp);
- tif->tif_data = NULL;
- }
+
+ assert(sp != 0);
+
+ (void)TIFFPredictorCleanup(tif);
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
+ if (sp->state&ZSTATE_INIT) {
+ /* NB: avoid problems in the library */
+ if (tif->tif_mode == O_RDONLY)
+ inflateEnd(&sp->stream);
+ else
+ deflateEnd(&sp->stream);
+ }
+ _TIFFfree(sp);
+ tif->tif_data = NULL;
}
static int
--- tiff-v3.5.7/libtiff/tif_pixarlog.c.multiple 2006-04-26 09:10:17.000000000 -0400
+++ tiff-v3.5.7/libtiff/tif_pixarlog.c 2006-04-26 09:11:27.000000000 -0400
@@ -1163,24 +1163,29 @@
{
PixarLogState* sp = (PixarLogState*) tif->tif_data;
- if (sp) {
- if (sp->FromLT2) _TIFFfree(sp->FromLT2);
- if (sp->From14) _TIFFfree(sp->From14);
- if (sp->From8) _TIFFfree(sp->From8);
- if (sp->ToLinearF) _TIFFfree(sp->ToLinearF);
- if (sp->ToLinear16) _TIFFfree(sp->ToLinear16);
- if (sp->ToLinear8) _TIFFfree(sp->ToLinear8);
- if (sp->state&PLSTATE_INIT) {
- if (tif->tif_mode == O_RDONLY)
- inflateEnd(&sp->stream);
- else
- deflateEnd(&sp->stream);
- }
- if (sp->tbuf)
- _TIFFfree(sp->tbuf);
- _TIFFfree(sp);
- tif->tif_data = NULL;
+ assert(sp != 0);
+
+ (void)TIFFPredictorCleanup(tif);
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
+ if (sp->FromLT2) _TIFFfree(sp->FromLT2);
+ if (sp->From14) _TIFFfree(sp->From14);
+ if (sp->From8) _TIFFfree(sp->From8);
+ if (sp->ToLinearF) _TIFFfree(sp->ToLinearF);
+ if (sp->ToLinear16) _TIFFfree(sp->ToLinear16);
+ if (sp->ToLinear8) _TIFFfree(sp->ToLinear8);
+ if (sp->state&PLSTATE_INIT) {
+ if (tif->tif_mode == O_RDONLY)
+ inflateEnd(&sp->stream);
+ else
+ deflateEnd(&sp->stream);
}
+ if (sp->tbuf)
+ _TIFFfree(sp->tbuf);
+ _TIFFfree(sp);
+ tif->tif_data = NULL;
}
static int
--- tiff-v3.5.7/libtiff/tif_predict.h.multiple 2006-04-26 09:16:51.000000000 -0400
+++ tiff-v3.5.7/libtiff/tif_predict.h 2006-04-26 09:17:12.000000000 -0400
@@ -55,6 +55,7 @@
extern "C" {
#endif
extern int TIFFPredictorInit(TIFF*);
+extern int TIFFPredictorCleanup(TIFF*);
#if defined(__cplusplus)
}
#endif
----------- следующая часть -----------