~ruther/guix-local

b89cbf5832fd920ef85002041bc690204b0174a3 — Leo Famulari 9 years ago a7db854 
gnu: libtiff: Fix CVE-2016-5652.

* gnu/packages/patches/libtiff-CVE-2016-5652.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/image.scm (libtiff-fixed)[source]: Use it.
patch browse .tar.gz 
3 files changed, 50 insertions(+), 1 deletions(-)

M gnu/local.mk
M gnu/packages/image.scm
A gnu/packages/patches/libtiff-CVE-2016-5652.patch

M gnu/local.mk => gnu/local.mk +1 -0
@@ 657,6 657,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/libtiff-CVE-2016-5314.patch		\
  %D%/packages/patches/libtiff-CVE-2016-5321.patch		\
  %D%/packages/patches/libtiff-CVE-2016-5323.patch		\
  %D%/packages/patches/libtiff-CVE-2016-5652.patch		\
  %D%/packages/patches/libtiff-oob-accesses-in-decode.patch	\
  %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch	\
  %D%/packages/patches/libtool-skip-tests2.patch		\


M gnu/packages/image.scm => gnu/packages/image.scm +2 -1
@@ 234,7 234,8 @@ collection of tools for doing simple manipulations of TIFF images.")
                         "libtiff-CVE-2016-3991.patch"
                         "libtiff-CVE-2016-5314.patch"
                         "libtiff-CVE-2016-5321.patch"
                         "libtiff-CVE-2016-5323.patch"))))))
                         "libtiff-CVE-2016-5323.patch"
                         "libtiff-CVE-2016-5652.patch"))))))

(define-public libwmf
  (package


A gnu/packages/patches/libtiff-CVE-2016-5652.patch => gnu/packages/patches/libtiff-CVE-2016-5652.patch +47 -0
@@ 0,0 1,47 @@
Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652

Patches exfiltrated from upstream CVS repo with:
cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c

Index: tools/tiff2pdf.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
retrieving revision 1.92
retrieving revision 1.94
diff -u -r1.92 -r1.94
--- a/tools/tiff2pdf.c	23 Sep 2016 22:12:18 -0000	1.92
+++ b/tools/tiff2pdf.c	9 Oct 2016 11:03:36 -0000	1.94
@@ -2887,21 +2887,24 @@
 				return(0);
 			}
 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
-				if (count > 0) {
-					_TIFFmemcpy(buffer, jpt, count);
+				if (count >= 4) {
+                    /* Ignore EOI marker of JpegTables */
+					_TIFFmemcpy(buffer, jpt, count - 2);
 					bufferoffset += count - 2;
+                    /* Store last 2 bytes of the JpegTables */
 					table_end[0] = buffer[bufferoffset-2];
 					table_end[1] = buffer[bufferoffset-1];
-				}
-				if (count > 0) {
 					xuint32 = bufferoffset;
+                    bufferoffset -= 2;
 					bufferoffset += TIFFReadRawTile(
 						input, 
 						tile, 
-						(tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), 
+						(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), 
 						-1);
-						buffer[xuint32-2]=table_end[0];
-						buffer[xuint32-1]=table_end[1];
+                    /* Overwrite SOI marker of image scan with previously */
+                    /* saved end of JpegTables */
+					buffer[xuint32-2]=table_end[0];
+					buffer[xuint32-1]=table_end[1];
 				} else {
 					bufferoffset += TIFFReadRawTile(
 						input,