diff options
author | akash hadke <akash.hadke@kpit.com> | 2021-05-24 13:06:57 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-06-03 16:30:55 +0100 |
commit | a59a11eb566abea85cb0527291b079de6f20bb59 (patch) | |
tree | 65d20e19284901af3b10bfea2888f99e54b7c7ca | |
parent | 0b6e24d0ddb407127f6310fac5380cf7d3343826 (diff) | |
download | poky-a59a11eb566abea85cb0527291b079de6f20bb59.tar.gz |
tiff: Add fix for CVE-2020-35521 and CVE-2020-35522
Added fix for CVE-2020-35521 and CVE-2020-35522
Link: https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch
Added below support patches for CVE-2020-35521 and CVE-2020-35522
1. 001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
Link: https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch
2. 002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
Link: https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch
(From OE-Core rev: 03a65159093e0b2df4bc867c873b5c43721b9a9c)
Signed-off-by: akash hadke <akash.hadke@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
4 files changed, 297 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..9b4724a325 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch | |||
@@ -0,0 +1,148 @@ | |||
1 | From 02875964eba5c4a2ea98c41562835428214adfe7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Bernard <miniupnp@free.fr> | ||
3 | Date: Sat, 7 Mar 2020 13:21:56 +0100 | ||
4 | Subject: [PATCH] tiff2rgba: output usage to stdout when using -h | ||
5 | |||
6 | also uses std C EXIT_FAILURE / EXIT_SUCCESS | ||
7 | see #17 | ||
8 | |||
9 | Signed-off-by: akash hadke <akash.hadke@kpit.com> | ||
10 | --- | ||
11 | tools/tiff2rgba.c | 39 ++++++++++++++++++++++++--------------- | ||
12 | 1 file changed, 24 insertions(+), 15 deletions(-) | ||
13 | --- | ||
14 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch] | ||
15 | --- | ||
16 | diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c | ||
17 | index 2eb6f6c4..ef643653 100644 | ||
18 | --- a/tools/tiff2rgba.c | ||
19 | +++ b/tools/tiff2rgba.c | ||
20 | @@ -39,6 +39,13 @@ | ||
21 | #include "tiffiop.h" | ||
22 | #include "tiffio.h" | ||
23 | |||
24 | +#ifndef EXIT_SUCCESS | ||
25 | +#define EXIT_SUCCESS 0 | ||
26 | +#endif | ||
27 | +#ifndef EXIT_FAILURE | ||
28 | +#define EXIT_FAILURE 1 | ||
29 | +#endif | ||
30 | + | ||
31 | #define streq(a,b) (strcmp(a,b) == 0) | ||
32 | #define CopyField(tag, v) \ | ||
33 | if (TIFFGetField(in, tag, &v)) TIFFSetField(out, tag, v) | ||
34 | @@ -68,7 +75,7 @@ main(int argc, char* argv[]) | ||
35 | extern char *optarg; | ||
36 | #endif | ||
37 | |||
38 | - while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1) | ||
39 | + while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1) | ||
40 | switch (c) { | ||
41 | case 'b': | ||
42 | process_by_block = 1; | ||
43 | @@ -86,7 +93,7 @@ main(int argc, char* argv[]) | ||
44 | else if (streq(optarg, "zip")) | ||
45 | compression = COMPRESSION_DEFLATE; | ||
46 | else | ||
47 | - usage(-1); | ||
48 | + usage(EXIT_FAILURE); | ||
49 | break; | ||
50 | |||
51 | case 'r': | ||
52 | @@ -105,17 +112,20 @@ main(int argc, char* argv[]) | ||
53 | bigtiff_output = 1; | ||
54 | break; | ||
55 | |||
56 | + case 'h': | ||
57 | + usage(EXIT_SUCCESS); | ||
58 | + /*NOTREACHED*/ | ||
59 | case '?': | ||
60 | - usage(0); | ||
61 | + usage(EXIT_FAILURE); | ||
62 | /*NOTREACHED*/ | ||
63 | } | ||
64 | |||
65 | if (argc - optind < 2) | ||
66 | - usage(-1); | ||
67 | + usage(EXIT_FAILURE); | ||
68 | |||
69 | out = TIFFOpen(argv[argc-1], bigtiff_output?"w8":"w"); | ||
70 | if (out == NULL) | ||
71 | - return (-2); | ||
72 | + return (EXIT_FAILURE); | ||
73 | |||
74 | for (; optind < argc-1; optind++) { | ||
75 | in = TIFFOpen(argv[optind], "r"); | ||
76 | @@ -132,7 +142,7 @@ main(int argc, char* argv[]) | ||
77 | } | ||
78 | } | ||
79 | (void) TIFFClose(out); | ||
80 | - return (0); | ||
81 | + return (EXIT_SUCCESS); | ||
82 | } | ||
83 | |||
84 | static int | ||
85 | @@ -166,7 +176,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) | ||
86 | if (tile_width != (rastersize / tile_height) / sizeof( uint32)) | ||
87 | { | ||
88 | TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); | ||
89 | - exit(-1); | ||
90 | + exit(EXIT_FAILURE); | ||
91 | } | ||
92 | raster = (uint32*)_TIFFmalloc(rastersize); | ||
93 | if (raster == 0) { | ||
94 | @@ -182,7 +192,7 @@ cvt_by_tile( TIFF *in, TIFF *out ) | ||
95 | if (tile_width != wrk_linesize / sizeof (uint32)) | ||
96 | { | ||
97 | TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); | ||
98 | - exit(-1); | ||
99 | + exit(EXIT_FAILURE); | ||
100 | } | ||
101 | wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); | ||
102 | if (!wrk_line) { | ||
103 | @@ -279,7 +289,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) | ||
104 | if (width != (rastersize / rowsperstrip) / sizeof( uint32)) | ||
105 | { | ||
106 | TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); | ||
107 | - exit(-1); | ||
108 | + exit(EXIT_FAILURE); | ||
109 | } | ||
110 | raster = (uint32*)_TIFFmalloc(rastersize); | ||
111 | if (raster == 0) { | ||
112 | @@ -295,7 +305,7 @@ cvt_by_strip( TIFF *in, TIFF *out ) | ||
113 | if (width != wrk_linesize / sizeof (uint32)) | ||
114 | { | ||
115 | TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); | ||
116 | - exit(-1); | ||
117 | + exit(EXIT_FAILURE); | ||
118 | } | ||
119 | wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); | ||
120 | if (!wrk_line) { | ||
121 | @@ -528,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out) | ||
122 | return( cvt_whole_image( in, out ) ); | ||
123 | } | ||
124 | |||
125 | -static char* stuff[] = { | ||
126 | +const static char* stuff[] = { | ||
127 | "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", | ||
128 | "where comp is one of the following compression algorithms:", | ||
129 | " jpeg\t\tJPEG encoding", | ||
130 | @@ -547,13 +557,12 @@ static char* stuff[] = { | ||
131 | static void | ||
132 | usage(int code) | ||
133 | { | ||
134 | - char buf[BUFSIZ]; | ||
135 | int i; | ||
136 | + FILE * out = (code == EXIT_SUCCESS) ? stdout : stderr; | ||
137 | |||
138 | - setbuf(stderr, buf); | ||
139 | - fprintf(stderr, "%s\n\n", TIFFGetVersion()); | ||
140 | + fprintf(out, "%s\n\n", TIFFGetVersion()); | ||
141 | for (i = 0; stuff[i] != NULL; i++) | ||
142 | - fprintf(stderr, "%s\n", stuff[i]); | ||
143 | + fprintf(out, "%s\n", stuff[i]); | ||
144 | exit(code); | ||
145 | } | ||
146 | |||
147 | -- | ||
148 | GitLab | ||
diff --git a/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..b6e1842a54 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch | |||
@@ -0,0 +1,27 @@ | |||
1 | From ca70b5e702b9f503333344b2d46691de9feae84e Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 3 Oct 2020 18:16:27 +0200 | ||
4 | Subject: [PATCH] tiff2rgba.c: fix -Wold-style-declaration warning | ||
5 | |||
6 | Signed-off-by: akash hadke <akash.hadke@kpit.com> | ||
7 | --- | ||
8 | tools/tiff2rgba.c | 2 +- | ||
9 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
10 | --- | ||
11 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch] | ||
12 | --- | ||
13 | diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c | ||
14 | index ef643653..fbc383aa 100644 | ||
15 | --- a/tools/tiff2rgba.c | ||
16 | +++ b/tools/tiff2rgba.c | ||
17 | @@ -538,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out) | ||
18 | return( cvt_whole_image( in, out ) ); | ||
19 | } | ||
20 | |||
21 | -const static char* stuff[] = { | ||
22 | +static const char* stuff[] = { | ||
23 | "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", | ||
24 | "where comp is one of the following compression algorithms:", | ||
25 | " jpeg\t\tJPEG encoding", | ||
26 | -- | ||
27 | GitLab | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch new file mode 100644 index 0000000000..129721ff3e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch | |||
@@ -0,0 +1,119 @@ | |||
1 | From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Bernard <miniupnp@free.fr> | ||
3 | Date: Sun, 15 Nov 2020 17:02:51 +0100 | ||
4 | Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba | ||
5 | |||
6 | fixes #207 | ||
7 | fixes #209 | ||
8 | |||
9 | Signed-off-by: akash hadke <akash.hadke@kpit.com> | ||
10 | --- | ||
11 | tools/tiff2rgba.c | 25 +++++++++++++++++++++++-- | ||
12 | 1 file changed, 23 insertions(+), 2 deletions(-) | ||
13 | --- | ||
14 | CVE: CVE-2020-35521 | ||
15 | CVE: CVE-2020-35522 | ||
16 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch] | ||
17 | --- | ||
18 | diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c | ||
19 | index fbc383aa..764395f6 100644 | ||
20 | --- a/tools/tiff2rgba.c | ||
21 | +++ b/tools/tiff2rgba.c | ||
22 | @@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1; | ||
23 | int process_by_block = 0; /* default is whole image at once */ | ||
24 | int no_alpha = 0; | ||
25 | int bigtiff_output = 0; | ||
26 | +#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024) | ||
27 | +/* malloc size limit (in bytes) | ||
28 | + * disabled when set to 0 */ | ||
29 | +static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC; | ||
30 | |||
31 | |||
32 | static int tiffcvt(TIFF* in, TIFF* out); | ||
33 | @@ -75,8 +79,11 @@ main(int argc, char* argv[]) | ||
34 | extern char *optarg; | ||
35 | #endif | ||
36 | |||
37 | - while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1) | ||
38 | + while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1) | ||
39 | switch (c) { | ||
40 | + case 'M': | ||
41 | + maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20; | ||
42 | + break; | ||
43 | case 'b': | ||
44 | process_by_block = 1; | ||
45 | break; | ||
46 | @@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out ) | ||
47 | (unsigned long)width, (unsigned long)height); | ||
48 | return 0; | ||
49 | } | ||
50 | + if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) { | ||
51 | + TIFFError(TIFFFileName(in), | ||
52 | + "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.", | ||
53 | + (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc); | ||
54 | + return 0; | ||
55 | + } | ||
56 | |||
57 | rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); | ||
58 | TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); | ||
59 | @@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out) | ||
60 | TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); | ||
61 | CopyField(TIFFTAG_DOCUMENTNAME, stringv); | ||
62 | |||
63 | + if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc) | ||
64 | + { | ||
65 | + TIFFError(TIFFFileName(in), | ||
66 | + "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")", | ||
67 | + (uint64)TIFFStripSize(in), (uint64)maxMalloc); | ||
68 | + return 0; | ||
69 | + } | ||
70 | if( process_by_block && TIFFIsTiled( in ) ) | ||
71 | return( cvt_by_tile( in, out ) ); | ||
72 | else if( process_by_block ) | ||
73 | @@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out) | ||
74 | } | ||
75 | |||
76 | static const char* stuff[] = { | ||
77 | - "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", | ||
78 | + "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output", | ||
79 | "where comp is one of the following compression algorithms:", | ||
80 | " jpeg\t\tJPEG encoding", | ||
81 | " zip\t\tZip/Deflate encoding", | ||
82 | @@ -551,6 +571,7 @@ static const char* stuff[] = { | ||
83 | " -b (progress by block rather than as a whole image)", | ||
84 | " -n don't emit alpha component.", | ||
85 | " -8 write BigTIFF file instead of ClassicTIFF", | ||
86 | + " -M set the memory allocation limit in MiB. 0 to disable limit", | ||
87 | NULL | ||
88 | }; | ||
89 | |||
90 | -- | ||
91 | GitLab | ||
92 | |||
93 | |||
94 | From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001 | ||
95 | From: Thomas Bernard <miniupnp@free.fr> | ||
96 | Date: Sun, 15 Nov 2020 17:08:42 +0100 | ||
97 | Subject: [PATCH 2/2] tiff2rgba.1: -M option | ||
98 | |||
99 | --- | ||
100 | man/tiff2rgba.1 | 4 ++++ | ||
101 | 1 file changed, 4 insertions(+) | ||
102 | |||
103 | diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1 | ||
104 | index d9c9baae..fe9ebb2c 100644 | ||
105 | --- a/man/tiff2rgba.1 | ||
106 | +++ b/man/tiff2rgba.1 | ||
107 | @@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file. | ||
108 | Currently this does not work if the | ||
109 | .B \-b | ||
110 | flag is also in effect. | ||
111 | +.TP | ||
112 | +.BI \-M " size" | ||
113 | +Set maximum memory allocation size (in MiB). The default is 256MiB. | ||
114 | +Set to 0 to disable the limit. | ||
115 | .SH "SEE ALSO" | ||
116 | .BR tiff2bw (1), | ||
117 | .BR TIFFReadRGBAImage (3t), | ||
118 | -- | ||
119 | GitLab | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index cfea18ed29..43f210111d 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | |||
@@ -12,6 +12,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
12 | file://CVE-2020-35523.patch \ | 12 | file://CVE-2020-35523.patch \ |
13 | file://CVE-2020-35524-1.patch \ | 13 | file://CVE-2020-35524-1.patch \ |
14 | file://CVE-2020-35524-2.patch \ | 14 | file://CVE-2020-35524-2.patch \ |
15 | file://001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \ | ||
16 | file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \ | ||
17 | file://CVE-2020-35521_and_CVE-2020-35522.patch \ | ||
15 | " | 18 | " |
16 | SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" | 19 | SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" |
17 | SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" | 20 | SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" |