Brian May <b...@debian.org> writes: > I note that the previous version of tiff3 is a security update for > tiff2pdf.
I also note that there seem to be a number of reverse depends of tiff3 in wheezy. Here is a version of tiff3 available for testing. https://people.debian.org/~bam/debian/pool/main/t/tiff3/ Unfortunately I cannot readily test this, due to lack of tiff2pdf client. This is basically the same patch as for other versions however, and the patch to the library - the only part that actually gets used - is rather simple. Here is the diff: diff -Nru tiff3-3.9.6/debian/changelog tiff3-3.9.6/debian/changelog --- tiff3-3.9.6/debian/changelog 2017-09-10 08:51:09.000000000 +1000 +++ tiff3-3.9.6/debian/changelog 2017-12-12 07:54:40.000000000 +1100 @@ -1,3 +1,11 @@ +tiff3 (3.9.6-11+deb7u9) wheezy-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2017-9935: tiff2pdf: fix buffer overrun if source pages have different + transferfunctions. + + -- Brian May <b...@debian.org> Tue, 12 Dec 2017 07:54:40 +1100 + tiff3 (3.9.6-11+deb7u8) wheezy-security; urgency=high * Non-maintainer upload by the Debian LTS team. diff -Nru tiff3-3.9.6/debian/patches/CVE-2017-9935.patch tiff3-3.9.6/debian/patches/CVE-2017-9935.patch --- tiff3-3.9.6/debian/patches/CVE-2017-9935.patch 1970-01-01 10:00:00.000000000 +1000 +++ tiff3-3.9.6/debian/patches/CVE-2017-9935.patch 2017-12-12 07:54:09.000000000 +1100 @@ -0,0 +1,141 @@ +commit 3dd8f6a357981a4090f126ab9025056c938b6940 +Author: Brian May <br...@linuxpenguins.xyz> +Date: Thu Dec 7 07:46:47 2017 +1100 + + tiff2pdf: Fix CVE-2017-9935 + + Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + + This vulnerability - at least for the supplied test case - is because we + assume that a tiff will only have one transfer function that is the same + for all pages. This is not required by the TIFF standards. + + We than read the transfer function for every page. Depending on the + transfer function, we allocate either 2 or 4 bytes to the XREF buffer. + We allocate this memory after we read in the transfer function for the + page. + + For the first exploit - POC1, this file has 3 pages. For the first page + we allocate 2 extra extra XREF entries. Then for the next page 2 more + entries. Then for the last page the transfer function changes and we + allocate 4 more entries. + + When we read the file into memory, we assume we have 4 bytes extra for + each and every page (as per the last transfer function we read). Which + is not correct, we only have 2 bytes extra for the first 2 pages. As a + result, we end up writing past the end of the buffer. + + There are also some related issues that this also fixes. For example, + TIFFGetField can return uninitalized pointer values, and the logic to + detect a N=3 vs N=1 transfer function seemed rather strange. + + It is also strange that we declare the transfer functions to be of type + float, when the standard says they are unsigned 16 bit values. This is + fixed in another patch. + + This patch will check to ensure that the N value for every transfer + function is the same for every page. If this changes, we abort with an + error. In theory, we should perhaps check that the transfer function + itself is identical for every page, however we don't do that due to the + confusion of the type of the data in the transfer function. + +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -842,6 +842,9 @@ + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1002,6 +1002,8 @@ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ float* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(directorycount * sizeof(T2P_PAGE)); +@@ -1102,24 +1104,48 @@ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if(t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0]) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (float*) NULL) && ++ (tiff_transferfunction[2] != (float*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1755,8 +1781,9 @@ + &(t2p->tiff_transferfunction[0]), + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { +- if(t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0]) { ++ if((t2p->tiff_transferfunction[1] != (float*) NULL) && ++ (t2p->tiff_transferfunction[2] != (float*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1; diff -Nru tiff3-3.9.6/debian/patches/series tiff3-3.9.6/debian/patches/series --- tiff3-3.9.6/debian/patches/series 2017-09-10 09:06:50.000000000 +1000 +++ tiff3-3.9.6/debian/patches/series 2017-12-12 07:51:38.000000000 +1100 @@ -39,3 +39,5 @@ CVE-2017-9404.patch CVE-2017-9936.patch CVE-2017-11335.patch +CVE-2017-9935.patch +use_uint16_transferfunction.patch diff -Nru tiff3-3.9.6/debian/patches/use_uint16_transferfunction.patch tiff3-3.9.6/debian/patches/use_uint16_transferfunction.patch --- tiff3-3.9.6/debian/patches/use_uint16_transferfunction.patch 1970-01-01 10:00:00.000000000 +1000 +++ tiff3-3.9.6/debian/patches/use_uint16_transferfunction.patch 2017-12-12 07:54:27.000000000 +1100 @@ -0,0 +1,51 @@ +commit d4f213636b6f950498a1386083199bd7f65676b9 +Author: Brian May <br...@linuxpenguins.xyz> +Date: Thu Dec 7 07:49:20 2017 +1100 + + tiff2pdf: Fix apparent incorrect type for transfer table + + The standard says the transfer table contains unsigned 16 bit values, + I have no idea why we refer to them as floats. + +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -232,7 +232,7 @@ + float tiff_whitechromaticities[2]; + float tiff_primarychromaticities[6]; + float tiff_referenceblackwhite[2]; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + int pdf_image_interpolate; /* 0 (default) : do not interpolate, + 1 : interpolate */ + uint16 tiff_transferfunctioncount; +@@ -1003,7 +1003,7 @@ + uint16 paged=0; + uint16 xuint16=0; + uint16 tiff_transferfunctioncount=0; +- float* tiff_transferfunction[3]; ++ uint16* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(directorycount * sizeof(T2P_PAGE)); +@@ -1108,8 +1108,8 @@ + &(tiff_transferfunction[1]), + &(tiff_transferfunction[2]))) { + +- if((tiff_transferfunction[1] != (float*) NULL) && +- (tiff_transferfunction[2] != (float*) NULL) ++ if((tiff_transferfunction[1] != (uint16*) NULL) && ++ (tiff_transferfunction[2] != (uint16*) NULL) + ) { + tiff_transferfunctioncount=3; + } else { +@@ -1781,8 +1781,8 @@ + &(t2p->tiff_transferfunction[0]), + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) ++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) && ++ (t2p->tiff_transferfunction[2] != (uint16*) NULL) + ) { + t2p->tiff_transferfunctioncount=3; + } else { -- Brian May <b...@debian.org>
