1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
|
Changes in TIFF v4.0.7
======================
.. table:: References
:widths: auto
====================== ==========================================
Current Version v4.0.7 (:tag:`Release-v4-0-7`)
Previous Version :doc:`v4.0.6 <v4.0.6>`
Master Download Site `<https://download.osgeo.org/libtiff/>`_
Master HTTP Site #1 `<http://www.simplesystems.org/libtiff/>`_
Master HTTP Site #2 `<http://libtiff.maptools.org/>`_
====================== ==========================================
This document describes the changes made to the software between the
*previous* and *current* versions (see above). If you don't
find something listed here, then it was not done in this timeframe, or
it was not considered important enough to be mentioned. The following
information is located here:
Major changes
-------------
* The libtiff tools :program:`bmp2tiff`, :program:`gif2tiff`, :program:`ras2tiff`, :program:`sgi2tiff`,
:program:`sgisv`, and :program:`ycbcr` are completely removed from the distribution.
these tools were written in the late 1980s and early 1990s for
test and demonstration purposes. In some cases the tools were
never updated to support updates to the file format, or the
file formats are now rarely used. In all cases these tools
increased the libtiff security and maintenance exposure beyond
the value offered by the tool.
Software configuration changes
------------------------------
* None
Library changes
---------------
* :file:`libtiff/tif_dirread.c`: in :c:func:`TIFFFetchNormalTag`, do not
dereference :c:macro:`NULL` pointer when values of tags with
:c:macro:`TIFF_SETGET_C16_ASCII` / :c:macro:`TIFF_SETGET_C32_ASCII` access are
0-byte arrays. Fixes
:bugzilla:`2593` (regression
introduced by previous fix done on 2016-11-11 for
:cve:`2016-9297`). Reported by Henri Salo. Assigned as
:cve:`2016-9448`
* :file:`libtiff/tif_aux.c`: fix crash in :c:func:`TIFFVGetFieldDefaulted` when
requesting Predictor tag and that the zip/lzw codec is not
configured. Fixes
:bugzilla:`2591`
* :file:`libtiff/tif_dirread.c`: in :c:func:`TIFFFetchNormalTag`, make sure
that values of tags with :c:macro:`TIFF_SETGET_C16_ASCII` /
:c:macro:`TIFF_SETGET_C32_ASCII` access are :c:macro:`NULL` terminated, to avoid
potential read outside buffer in :c:func:`_TIFFPrintField`. Fixes
:bugzilla:`2590`
* :file:`libtiff/tif_dirread.c`: reject images with OJPEG compression
that have no ``TileOffsets``/``StripOffsets`` tag, when OJPEG
compression is disabled. Prevent :c:macro:`NULL` pointer dereference in
:c:func:`TIFFReadRawStrip1` and other functions that expect
:c:member:`td_stripbytecount` to be non :c:macro:`NULL`. Fixes
:bugzilla:`2585`
* :file:`libtiff/tif_strip.c`: make :c:func:`TIFFNumberOfStrips` return the
``td->td_nstrips`` value when it is non-zero, instead of
recomputing it. This is needed in :c:macro:`TIFF_STRIPCHOP` mode where
:c:member:`td_nstrips` is modified. Fixes a read outsize of array in
:program:`tiffsplit` (or other utilities using :c:func:`TIFFNumberOfStrips`).
Fixes :bugzilla:`2587`
(:cve:`2016-9273`)
* :file:`libtiff/tif_predict.h`, :file:`libtiff/tif_predict.c`: Replace
assertions by runtime checks to avoid assertions in debug
mode, or buffer overflows in release mode. Can happen when
dealing with unusual tile size like YCbCr with
subsampling. Reported as MSVR 35105 by Axel Souchet & Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations
* :file:`libtiff/tif_dir.c`: discard values of ``SMinSampleValue`` and
``SMaxSampleValue`` when they have been read and the value of
``SamplesPerPixel`` is changed afterwards (like when reading a
OJPEG compressed image with a missing ``SamplesPerPixel`` tag, and
whose photometric is ``RGB`` or ``YCbCr``, forcing ``SamplesPerPixel``
being 3). Otherwise when rewriting the directory (for example
with tiffset, we will expect 3 values whereas the array had
been allocated with just one), thus causing a out of bound
read access. Fixes
:bugzilla:`2500`
(:cve:`2014-8127`, duplicate: :cve:`2016-3658`)
* :file:`libtiff/tif_dirwrite.c`: avoid :c:macro:`NULL` pointer dereference on
:c:member:`td_stripoffset` when writing directory, if :c:macro:`FIELD_STRIPOFFSETS`
was artificially set for a hack case in OJPEG case. Fixes
:bugzilla:`2500`
(:cve:`2014-8127`, duplicate: :cve:`2016-3658`)
* :file:`libtiff/tif_getimage.c` (:c:func:`TIFFRGBAImageOK`): Reject attempts to
read floating point images.
* :file:`libtiff/tif_predict.c` (:c:func:`PredictorSetup`): Enforce
bits-per-sample requirements of floating point predictor (3).
Fixes :cve:`2016-3622` "Divide By Zero in the :program:`tiff2rgba` tool."
* :file:`libtiff/tif_pixarlog.c`: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* :file:`libtiff/tif_write.c`: fix issue in error code path of
:c:func:`TIFFFlushData1` that didn't reset the :c:member:`tif_rawcc` and :c:member:`tif_rawcp`
members. I'm not completely sure if that could happen in
practice outside of the odd behaviour of :c:func:`t2p_seekproc` of
tiff2pdf). The report points that a better fix could be to
check the return value of :c:func:`TIFFFlushData1` in places where it
isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal
Chauhan & Suha Can from the MSRC Vulnerabilities & Mitigations
team.
* :file:`libtiff/tif_pixarlog.c`: Fix write buffer overflow in
:c:func:`PixarLogEncode` if more input samples are provided than
expected by :c:func:`PixarLogSetupEncode`. Idea based on
:file:`libtiff-CVE-2016-3990.patch` from
:file:`libtiff-4.0.3-25.el7_2.src.rpm` by Nikola Forro, but with
different and simpler check. (:bugzilla:`2544`)
* :file:`libtiff/tif_read.c`: Fix out-of-bounds read on memory-mapped
files in :c:func:`TIFFReadRawStrip1` and :c:func:`TIFFReadRawTile1` when
``stripoffset`` is beyond :c:type:`tmsize_t` max value (reported by Mathias
Svensson)
* :file:`libtiff/tif_read.c`: make :c:func:`TIFFReadEncodedStrip` and
:c:func:`TIFFReadEncodedTile` directly use user provided buffer when
no compression (and other conditions) to save a :c:func:`memcpy`
* :file:`libtiff/tif_write.c`: make :c:func:`TIFFWriteEncodedStrip` and
:c:func:`TIFFWriteEncodedTile` directly use user provided buffer when
no compression to save a :c:func:`memcpy`.
* :file:`libtiff/tif_luv.c`: validate that for :c:macro:`COMPRESSION_SGILOG` and
:c:macro:`PHOTOMETRIC_LOGL`, there is only one sample per pixel. Avoid
potential invalid memory write on corrupted/unexpected images
when using the :c:func:`TIFFRGBAImageBegin` interface (reported by
Clay Wood)
* :file:`libtiff/tif_pixarlog.c`: fix potential buffer write overrun in
:c:func:`PixarLogDecode` on corrupted/unexpected images (reported by
Mathias Svensson) (:cve:`2016-5875`)
* libtiff/libtiff.def: Added ``_TIFFMultiply32`` and
``_TIFFMultiply64`` to libtiff.def
* :file:`libtiff/tif_config.vc.h` (:c:macro:`HAVE_SNPRINTF`): Add a '1' to the
:c:macro:`HAVE_SNPRINTF` definition.
* :file:`libtiff/tif_config.vc.h` (:c:macro:`HAVE_SNPRINTF`): Applied patch by
Edward Lam to define :c:macro:`HAVE_SNPRINTF` for Visual Studio 2015.
* :file:`libtiff/tif_dirread.c`: when compiled with :c:macro:`DEFER_STRILE_LOAD`,
fix regression, introduced on 2014-12-23, when reading a
one-strip file without a ``StripByteCounts`` tag. GDAL #6490
* :file:`libtiff/*`: upstream typo fixes (mostly contributed by Kurt
Schwehr) coming from GDAL internal libtiff
* :file:`libtiff/tif_fax3.h`: make :c:member:`Param` member of :c:struct:`TIFFFaxTabEnt`
structure a :c:type:`uint16` to reduce size of the binary.
* :file:`libtiff/tif_read.c`, :file:`tif_dirread.c`: fix indentation issues
raised by GCC 6 ``-Wmisleading-indentation``
* :file:`libtiff/tif_pixarlog.c`: avoid zlib error messages to pass a
:c:macro:`NULL` string to ``%s`` formatter, which is undefined behaviour in
:c:func:`sprintf`.
* :file:`libtiff/tif_next.c`: fix potential out-of-bound write in :c:func:`NeXTDecode`
triggered by `<http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif>`_
(:bugzilla:`2508`)
* :file:`libtiff/tif_luv.c`: fix potential out-of-bound writes in
decode functions in non debug builds by replacing :c:func:`assert` by
regular ``if`` checks (:bugzilla:`2522`). Fix potential
out-of-bound reads in case of short input data.
* :file:`libtiff/tif_getimage.c`: fix out-of-bound reads in
:c:type:`TIFFRGBAImage` interface in case of unsupported values of
``SamplesPerPixel``/``ExtraSamples`` for LogLUV / CIELab. Add explicit
call to :c:func:`TIFFRGBAImageOK` in :c:func:`TIFFRGBAImageBegin`. Fix
:cve:`2015-8665` reported by limingxing and :cve:`2015-8683`
reported by zzf of Alibaba.
* :file:`libtiff/tif_dirread.c`: workaround false positive warning of
Clang Static Analyzer about :c:macro:`NULL` pointer dereference in
:c:func:`TIFFCheckDirOffset`.
* :file:`libtiff/tif_fax3.c`: remove dead assignment in
:c:func:`Fax3PutEOLgdal`. Found by Clang Static Analyzer
* :file:`libtiff/tif_dirwrite.c`: fix truncation to 32 bit of file
offsets in :c:func:`TIFFLinkDirectory` and :c:func:`TIFFWriteDirectorySec`
when aligning directory offsets on a even offset (affects
BigTIFF). This was a regression of the changeset of
2015-10-19.
* :file:`libtiff/tif_write.c`: :c:func:`TIFFWriteEncodedStrip` and
:c:func:`TIFFWriteEncodedTile` should return -1 in case of failure of
:c:func:`tif_encodestrip` as documented
* :file:`libtiff/tif_dumpmode.c`: :c:func:`DumpModeEncode` should return 0 in
case of failure so that the above mentioned functions detect
the error.
* :file:`libtiff/*.c`: fix MSVC warnings related to cast shortening and
assignment within conditional expression
* :file:`libtiff/*.c`: fix clang -Wshorten-64-to-32 warnings
* :file:`libtiff/tif_dirread.c`: prevent reading ColorMap or
TransferFunction if ``BitsPerPixel`` > 24, so as to avoid huge
memory allocation and file read attempts
* :file:`libtiff/tif_dirread.c`: remove duplicated assignment (reported
by Clang static analyzer)
* :file:`libtiff/tif_dir.c`, :file:`libtiff/tif_dirinfo.c`,
:file:`libtiff/tif_compress.c`, :file:`libtiff/tif_jpeg_12.c`: suppress
warnings about 'no previous declaration/prototype'
* :file:`libtiff/tiffiop.h`, :file:`libtiff/tif_dirwrite.c`: suffix constants
by U to fix 'warning: negative integer implicitly converted to
unsigned type' warning (part of ``-Wconversion``)
* :file:`libtiff/tif_dir.c`, :file:`libtiff/tif_dirread.c`,
:file:`libtiff/tif_getimage.c`, :file:`libtiff/tif_print.c`: fix ``-Wshadow``
warnings (only in :file:`libtiff/`)
Tools changes
-------------
* tools/Makefile.am: The libtiff tools :program:`bmp2tiff`, :program:`gif2tiff`,
:program:`ras2tiff`, :program:`sgi2tiff`, :program:`sgisv`, and :program:`ycbcr` are completely removed
from the distribution. The libtiff tools :program:`rgb2ycbcr` and
:program:`thumbnail` are only built in the build tree for testing. Old
files are put in new :file:`archive` subdirectory of the source
repository, but not in distribution archives. These changes
are made in order to lessen the maintenance burden.
* :file:`tools/tiff2pdf.c`: avoid undefined behaviour related to
overlapping of source and destination buffer in :c:func:`memcpy` call
in :c:func:`t2p_sample_rgbaa_to_rgb` Fixes
:bugzilla:`2577`
* :file:`tools/tiff2pdf.c`: fix potential integer overflows on 32 bit
builds in :c:func:`t2p_read_tiff_size` Fixes
:bugzilla:`2576`
* :file:`tools/fax2tiff.c`: fix segfault when specifying ``-r`` without
argument. Patch by Yuriy M. Kaminskiy. Fixes
:bugzilla:`2572`
* :file:`tools/tiffinfo.c`: fix out-of-bound read on some tiled images.
(:bugzilla:`2517`)
* :file:`tools/tiffcrop.c`: fix multiple uint32 overflows in
:c:func:`writeBufferToSeparateStrips`, :c:func:`writeBufferToContigTiles` and
:c:func:`writeBufferToSeparateTiles` that could cause heap buffer
overflows. Reported by Henri Salo from Nixu Corporation.
Fixes :bugzilla:`2592`
* :file:`tools/tiffcrop.c`: fix out-of-bound read of up to 3 bytes in
:c:func:`readContigTilesIntoBuffer`. Reported as MSVR 35092 by Axel
Souchet & Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* :file:`tools/tiff2pdf.c`: fix write buffer overflow of 2 bytes on
JPEG compressed images. Reported by Tyler Bohan of Cisco Talos
as TALOS-CAN-0187 / :cve:`2016-5652`. Also prevents writing 2
extra uninitialized bytes to the file stream.
* :file:`tools/tiffcp.c`: fix out-of-bounds write on tiled images with odd
tile width vs image width. Reported as MSVR 35103
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* :file:`tools/tiff2pdf.c`: fix read -largely- outsize of buffer in
:c:func:`t2p_readwrite_pdf_image_tile`, causing crash, when reading a
JPEG compressed image with :c:macro:`TIFFTAG_JPEGTABLES` length being
one. Reported as MSVR 35101 by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* :file:`tools/tiffcp.c`: fix read of undefined variable in case of
missing required tags. Found on test case of MSVR 35100.
* :file:`tools/tiffcrop.c`: fix read of undefined buffer in
:c:func:`readContigStripsIntoBuffer` due to uint16 overflow. Probably
not a security issue but I can be wrong. Reported as MSVR
35100 by Axel Souchet from the MSRC Vulnerabilities &
Mitigations team.
* :file:`tools/tiffcrop.c`: fix various out-of-bounds write
vulnerabilities in heap or stack allocated buffers. Reported
as MSVR 35093, MSVR 35096 and MSVR 35097. Discovered by Axel
Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* :file:`tools/tiff2pdf.c`: fix out-of-bounds write vulnerabilities in
heap allocate buffer in :c:func:`t2p_process_jpeg_strip`. Reported as
MSVR 35098. Discovered by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.
* :file:`tools/tiff2bw.c`: fix weight computation that could result of
color value overflow (no security implication). Fix :bugzilla:`2550`.
Patch by Frank Freudenberg.
* :file:`tools/rgb2ycbcr.c`: validate values of ``-v`` and ``-h`` parameters to
avoid potential divide by zero. Fixes :cve:`2016-3623` (:bugzilla:`2569`)
* :file:`tools/tiffcrop.c`: Fix out-of-bounds write in :c:func:`loadImage`.
From patch :file:`libtiff-CVE-2016-3991.patch` from
:file:`libtiff-4.0.3-25.el7_2.src.rpm` by Nikola Forro (:bugzilla:`2543`)
* :file:`tools/tiff2rgba.c`: Fix integer overflow in size of allocated
buffer, when ``-b`` mode is enabled, that could result in
out-of-bounds write. Based initially on patch
:file:`tiff-CVE-2016-3945.patch` from :file:`libtiff-4.0.3-25.el7_2.src.rpm`
by Nikola Forro, with correction for invalid tests that
rejected valid files. (:bugzilla:`2545`)
* :file:`tools/tiffcrop.c`: Avoid access outside of stack allocated
array on a tiled separate TIFF with more than 8 samples per
pixel. Reported by Kaixiang Zhang of the Cloud Security Team,
Qihoo 360 (:cve:`2016-5321` / :cve:`2016-5323` , :bugzilla:`2558` /
:bugzilla:`2559`)
* :file:`tools/tiffdump.c`: fix a few misaligned 64-bit reads warned by
``-fsanitize``
* :file:`tools/tiffdump.c` (:c:func:`ReadDirectory`): Remove :c:type:`uint32` cast to
:c:func:`_TIFFmalloc` argument which resulted in Coverity report.
Added more mutiplication overflow checks.
Contributed software changes
----------------------------
None
|