Package: tiff / 4.0.8-2+deb9u4

Metadata

Package: tiff
Version: 4.0.8-2+deb9u4
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01 CVE-2015-7554.patch

tools/tiffsplit.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

---
02 CVE.patch

ChangeLog | 7 7 + 0 - 0 !
libtiff/tif_color.c | 6 3 + 3 - 0 !
2 files changed, 10 insertions(+), 3 deletions(-)

[PATCH] * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid int32 overflow in TIFFYCbCrtoRGB(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 Credit to OSS Fuzz


03 CVE.patch

ChangeLog | 8 8 + 0 - 0 !
libtiff/tif_getimage.c | 2 1 + 1 - 0 !
2 files changed, 9 insertions(+), 1 deletion(-)

[PATCH] * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation of refBlackWhite coefficient values, to avoid invalid float->int32 conversion (when refBlackWhite[0] == 2147483648.f). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 Credit to OSS Fuzz


04 CVE-2016-10095_CVE-2017-9147.patch

ChangeLog | 20 20 + 0 - 0 !
libtiff/tif_dir.h | 3 2 + 1 - 0 !
libtiff/tif_dirinfo.c | 105 104 + 1 - 0 !
libtiff/tif_dirread.c | 6 5 + 1 - 0 !
4 files changed, 131 insertions(+), 3 deletions(-)

---
05 CVE-2017-9936.patch

ChangeLog | 6 6 + 0 - 0 !
libtiff/tif_jbig.c | 1 1 + 0 - 0 !
2 files changed, 7 insertions(+)

[PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode(). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported by team OWL337

* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg

06 OOM_in_gtTileContig.patch

ChangeLog | 11 11 + 0 - 0 !
libtiff/tif_getimage.c | 59 35 + 24 - 0 !
libtiff/tif_read.c | 78 67 + 11 - 0 !
libtiff/tiffiop.h | 5 5 + 0 - 0 !
4 files changed, 118 insertions(+), 35 deletions(-)

[PATCH] * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer() function, variant of TIFFReadEncodedStrip() that allocates the decoded buffer only after a first successful TIFFFillStrip(). This avoids excessive memory allocation on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 . Credit to OSS Fuzz


07 CVE-2017-10688.patch

ChangeLog | 8 8 + 0 - 0 !
libtiff/tif_dirwrite.c | 20 16 + 4 - 0 !
2 files changed, 24 insertions(+), 4 deletions(-)

[PATCH] * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() functions associated with the LONG8/SLONG8 data type, replace the assertion that the file is BigTIFF by a non-fatal error. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team OWL337


08 CVE-2017-11335.patch

ChangeLog | 7 7 + 0 - 0 !
tools/tiff2pdf.c | 7 6 + 1 - 0 !
2 files changed, 13 insertions(+), 1 deletion(-)

[PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" mode on PlanarConfig=Contig input images. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337


09 CVE-2017-12944.patch

ChangeLog | 8 8 + 0 - 0 !
libtiff/tif_dirread.c | 88 83 + 5 - 0 !
2 files changed, 91 insertions(+), 5 deletions(-)

[PATCH] * libtiff/tif_read.c: add protection against excessive memory allocation attempts in TIFFReadDirEntryArray() on short files. Effective for the mmap'ed case, and for the non-mmap'ed case but restricted to 64bit builds. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675


10 CVE-2017-13726.patch

ChangeLog | 7 7 + 0 - 0 !
libtiff/tif_dirwrite.c | 7 6 + 1 - 0 !
2 files changed, 13 insertions(+), 1 deletion(-)

[PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not finding the SubIFD tag by a runtime check. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337


11 CVE-2017-13727.patch

ChangeLog | 10 9 + 1 - 0 !
libtiff/tif_dirwrite.c | 9 8 + 1 - 0 !
2 files changed, 17 insertions(+), 2 deletions(-)

[PATCH] * libtiff/tif_dirwrite.c: replace assertion that the tag value does not fit on uint32 when selecting the value of the SubIFD tag by a runtime check (in TIFFWriteDirectoryTagSubifd()). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337

SubIFD tag by runtime check (in TIFFWriteDirectorySec())

12 CVE-2017-18013.patch

libtiff/tif_print.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

[PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix NULL pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770


13 CVE-2017-9935.patch

libtiff/tif_dir.c | 3 3 + 0 - 0 !
tools/tiff2pdf.c | 69 46 + 23 - 0 !
2 files changed, 49 insertions(+), 23 deletions(-)

---
14 CVE-2017-11613_part1.patch

libtiff/tif_dirread.c | 11 11 + 0 - 0 !
1 file changed, 11 insertions(+)

[PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)

In ChopUpSingleUncompressedStrip(), if the computed number of strips is big
enough and we are in read only mode, validate that the file size is consistent
with that number of strips to avoid useless attempts at allocating a lot of
memory for the td_stripbytecount and td_stripoffset arrays.

Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724

15 CVE-2017-11613_part2.patch

libtiff/tif_dirread.c | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

[PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)

Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more
cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979.
Credit to OSS Fuzz

Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724

16 CVE-2018-7456.patch

libtiff/tif_dirread.c | 62 62 + 0 - 0 !
libtiff/tif_print.c | 2 1 + 1 - 0 !
2 files changed, 63 insertions(+), 1 deletion(-)

[PATCH] Fix NULL pointer dereference in TIFFPrintDirectory

The TIFFPrintDirectory function relies on the following assumptions,
supposed to be guaranteed by the specification:

(a) A Transfer Function field is only present if the TIFF file has
    photometric type < 3.

(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
    has count SamplesPerPixel - (Color Channels) and contains
    information about supplementary channels.

While respect of (a) and (b) is essential for the proper functioning of
TIFFPrintDirectory, no checks are performed either by the callee or
by TIFFPrintDirectory itself. Hence, the following scenarios might happen
and trigger the NULL pointer dereference:

(1) TIFF File of photometric type 4 or more has illegal Transfer
    Function field.

(2) TIFF File has photometric type 3 or less and defines a
    SamplesPerPixel field such that SamplesPerPixel > Color Channels
    without defining all extra samples in the ExtraSamples fields.

In this patch, we address both issues with respect to the following
principles:

(A) In the case of (1), the defined transfer table should be printed
    safely even if it isn't 'legal'. This allows us to avoid expensive
    checks in TIFFPrintDirectory. Also, it is quite possible that
    an alternative photometric type would be developed (not part of the
    standard) and would allow definition of Transfer Table. We want
    libtiff to be able to handle this scenario out of the box.

(B) In the case of (2), the transfer table should be printed at its
    right size, that is if TIFF file has photometric type Palette
    then the transfer table should have one row and not three, even
    if two extra samples are declared.

In order to fulfill (A) we simply add a new 'i < 3' end condition to
the broken TIFFPrintDirectory loop. This makes sure that in any case
where (b) would be respected but not (a), everything stays fine.

(B) is fulfilled by the loop condition
'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
long as (b) is respected.

Naturally, we also make sure (b) is respected. This is done in the
TIFFReadDirectory function by making sure any non-color channel is
counted in ExtraSamples.

This commit addresses CVE-2018-7456.

17 CVE-2017-17095.patch

tools/pal2rgb.c | 17 15 + 2 - 0 !
1 file changed, 15 insertions(+), 2 deletions(-)

[PATCH] Add workaround to pal2rgb buffer overflow.


18 CVE-2018-18557.patch

libtiff/tif_jbig.c | 32 26 + 6 - 0 !
libtiff/tif_read.c | 6 6 + 0 - 0 !
2 files changed, 32 insertions(+), 6 deletions(-)

[PATCH] JBIG: fix potential out-of-bounds write in JBIGDecode()

JBIGDecode doesn't check whether the user-provided buffer is large enough
to store the decoded JBIG image, which can potentially cause an out-of-bounds
write in the buffer.
This issue was reported and analyzed by Thomas Dullien.

Also fixes a (harmless) potential use of uninitialized memory when
tif->tif_rawsize > tif->tif_rawcc

And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
that whole strip data is provided to JBIGDecode()

19 CVE-2018-5784.patch

contrib/addtiffo/tif_overview.c | 14 13 + 1 - 0 !
tools/tiff2pdf.c | 10 10 + 0 - 0 !
tools/tiffcrop.c | 13 11 + 2 - 0 !
3 files changed, 34 insertions(+), 3 deletions(-)

[PATCH] Fix for bug 2772

It is possible to craft a TIFF document where the IFD list is circular,
leading to an infinite loop while traversing the chain. The libtiff
directory reader has a failsafe that will break out of this loop after
reading 65535 directory entries, but it will continue processing,
consuming time and resources to process what is essentially a bogus TIFF
document.

This change fixes the above behavior by breaking out of processing when
a TIFF document has >= 65535 directories and terminating with an error.


20 CVE-2018-8905.patch

libtiff/tif_lzw.c | 18 12 + 6 - 0 !
1 file changed, 12 insertions(+), 6 deletions(-)

[PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905

The fix consists in using code similar to LZWDecode() to validate that we
don't write outside of the output buffer.

21 CVE-2018-17101.patch

tools/pal2rgb.c | 18 17 + 1 - 0 !
tools/tiff2bw.c | 18 17 + 1 - 0 !
2 files changed, 34 insertions(+), 2 deletions(-)

[PATCH] Only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4


22 CVE-2018-10963.patch

libtiff/tif_dirwrite.c | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

[PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963