user/tiff: patch for CVE-2019-6128 and CVE-2019-7663

3 files changed, 95 insertions, 2 deletions

diff --git a/user/tiff/APKBUILD b/user/tiff/APKBUILD
index 7bb89ee3e..babef1cec 100644
--- a/user/tiff/APKBUILD
+++ b/user/tiff/APKBUILD
@@ -13,8 +13,13 @@ depends_dev="zlib-dev libjpeg-turbo-dev"
 makedepends="libtool autoconf automake $depends_dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
 source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
+	CVE-2019-6128.patch
+	CVE-2019-7663.patch
 	"
-# secfixes:
+# secfixes: libtiff
+#   4.0.10-r1:
+#     - CVE-2019-6128
+#     - CVE-2019-7663
 #   4.0.9-r1:
 #     - CVE-2017-18013
 #   4.0.9-r0:
@@ -64,4 +69,6 @@ tools() {
 	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
 
-sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8  tiff-4.0.10.tar.gz"
+sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8  tiff-4.0.10.tar.gz
+8dc336e6c863524e3622f61ec6583eebe13fde55649cd8c812e3f6752242a23ff72cfb680dfcbe47d1503a058f5f9001415ae112220729e4ab50fe81190e327e  CVE-2019-6128.patch
+6fb7e9aa0afbae96fd6e78c2401262e496f5d62980ea02712bc43f8749341d030df3625f10413f5ed3e130e88d609c2374ae69807a1f9e54ed91cbd8411aab62  CVE-2019-7663.patch"
diff --git a/user/tiff/CVE-2019-6128.patch b/user/tiff/CVE-2019-6128.patch
new file mode 100644
index 000000000..1b15b6f01
--- /dev/null
+++ b/user/tiff/CVE-2019-6128.patch
@@ -0,0 +1,49 @@
+From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Wed, 23 Jan 2019 15:03:53 -0500
+Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
+
+pal2rgb failed to free memory on a few errors. This was reported
+here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
+---
+ tools/pal2rgb.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 01d8502e..9492f1cf 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -118,12 +118,14 @@ main(int argc, char* argv[])
+ 	    shortv != PHOTOMETRIC_PALETTE) {
+ 		fprintf(stderr, "%s: Expecting a palette image.\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
+ 		fprintf(stderr,
+ 		    "%s: No colormap (not a valid palette image).\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	bitspersample = 0;
+@@ -131,11 +133,14 @@ main(int argc, char* argv[])
+ 	if (bitspersample != 8) {
+ 		fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
+ 		    argv[optind]);
++		(void) TIFFClose(in);
+ 		return (-1);
+ 	}
+ 	out = TIFFOpen(argv[optind+1], "w");
+-	if (out == NULL)
++	if (out == NULL) {
++		(void) TIFFClose(in);
+ 		return (-2);
++	}
+ 	cpTags(in, out);
+ 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
+ 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
+-- 
+2.21.0
+
diff --git a/user/tiff/CVE-2019-7663.patch b/user/tiff/CVE-2019-7663.patch
new file mode 100644
index 000000000..8049566c6
--- /dev/null
+++ b/user/tiff/CVE-2019-7663.patch
@@ -0,0 +1,37 @@
+From 802d3cbf3043be5dce5317e140ccb1c17a6a2d39 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 29 Jan 2019 11:21:47 +0100
+Subject: [PATCH] TIFFWriteDirectoryTagTransferfunction() : fix NULL
+ dereferencing
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2833
+
+we must check the pointer is not NULL before memcmp() the memory
+---
+ libtiff/tif_dirwrite.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index c15a28db..ef30c869 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -1893,12 +1893,14 @@ TIFFWriteDirectoryTagTransferfunction(TIFF* tif, uint32* ndir, TIFFDirEntry* dir
+ 		n=3;
+ 	if (n==3)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[2] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[2],m*sizeof(uint16)))
+ 			n=2;
+ 	}
+ 	if (n==2)
+ 	{
+-		if (!_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
++		if (tif->tif_dir.td_transferfunction[1] == NULL ||
++		    !_TIFFmemcmp(tif->tif_dir.td_transferfunction[0],tif->tif_dir.td_transferfunction[1],m*sizeof(uint16)))
+ 			n=1;
+ 	}
+ 	if (n==0)
+-- 
+2.21.0
+