summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYi Zhao <yi.zhao@windriver.com>2016-10-26 08:26:48 (GMT)
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 11:21:38 (GMT)
commitab1919a3be588013066edcb98e34fef85a6b864d (patch)
treeec2763d3127d87f029487dbc09d532e2bdaa77ba
parentc52d4669d132d444d2b30141a9a5d8baa44b429f (diff)
downloadpoky-ab1919a3be588013066edcb98e34fef85a6b864d.tar.gz
tiff: Security fix CVE-2016-3622
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622 http://www.openwall.com/lists/oss-security/2016/04/07/4 Patch from: https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286 (From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb) (From OE-Core rev: 928eadf8442cf87fb2d4159602bd732336d74bb7) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch129
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.6.bb1
2 files changed, 130 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
new file mode 100644
index 0000000..0c8b716
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
@@ -0,0 +1,129 @@
1From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
2From: bfriesen <bfriesen>
3Date: Sat, 24 Sep 2016 23:11:55 +0000
4Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
5 to read floating point images.
6
7* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
8requirements of floating point predictor (3). Fixes CVE-2016-3622
9"Divide By Zero in the tiff2rgba tool."
10
11CVE: CVE-2016-3622
12Upstream-Status: Backport
13https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
14
15Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
16---
17 ChangeLog | 11 ++++++++++-
18 libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
19 libtiff/tif_predict.c | 11 ++++++++++-
20 3 files changed, 40 insertions(+), 20 deletions(-)
21
22diff --git a/ChangeLog b/ChangeLog
23index 26d6f47..a628277 100644
24--- a/ChangeLog
25+++ b/ChangeLog
26@@ -1,3 +1,12 @@
27+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
28+
29+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
30+ read floating point images.
31+
32+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
33+ requirements of floating point predictor (3). Fixes CVE-2016-3622
34+ "Divide By Zero in the tiff2rgba tool."
35+
36 2016-08-15 Even Rouault <even.rouault at spatialys.com>
37
38 * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
39diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
40index 386cee0..3e689ee 100644
41--- a/libtiff/tif_getimage.c
42+++ b/libtiff/tif_getimage.c
43@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
44 td->td_bitspersample);
45 return (0);
46 }
47+ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
48+ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
49+ return (0);
50+ }
51 colorchannels = td->td_samplesperpixel - td->td_extrasamples;
52 if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
53 switch (colorchannels) {
54@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
55 "Planarconfiguration", td->td_planarconfig);
56 return (0);
57 }
58- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
59- {
60- sprintf(emsg,
61- "Sorry, can not handle image with %s=%d, %s=%d",
62- "Samples/pixel", td->td_samplesperpixel,
63- "colorchannels", colorchannels);
64- return 0;
65- }
66+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
67+ sprintf(emsg,
68+ "Sorry, can not handle image with %s=%d, %s=%d",
69+ "Samples/pixel", td->td_samplesperpixel,
70+ "colorchannels", colorchannels);
71+ return 0;
72+ }
73 break;
74 case PHOTOMETRIC_CIELAB:
75- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
76- {
77- sprintf(emsg,
78- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
79- "Samples/pixel", td->td_samplesperpixel,
80- "colorchannels", colorchannels,
81- "Bits/sample", td->td_bitspersample);
82- return 0;
83- }
84+ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
85+ sprintf(emsg,
86+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
87+ "Samples/pixel", td->td_samplesperpixel,
88+ "colorchannels", colorchannels,
89+ "Bits/sample", td->td_bitspersample);
90+ return 0;
91+ }
92 break;
93- default:
94+ default:
95 sprintf(emsg, "Sorry, can not handle image with %s=%d",
96 photoTag, photometric);
97 return (0);
98diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
99index 081eb11..555f2f9 100644
100--- a/libtiff/tif_predict.c
101+++ b/libtiff/tif_predict.c
102@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
103 td->td_sampleformat);
104 return 0;
105 }
106+ if (td->td_bitspersample != 16
107+ && td->td_bitspersample != 24
108+ && td->td_bitspersample != 32
109+ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
110+ TIFFErrorExt(tif->tif_clientdata, module,
111+ "Floating point \"Predictor\" not supported with %d-bit samples",
112+ td->td_bitspersample);
113+ return 0;
114+ }
115 break;
116 default:
117 TIFFErrorExt(tif->tif_clientdata, module,
118@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
119 }
120 /*
121 * Allocate buffer to keep the decoded bytes before
122- * rearranging in the ight order
123+ * rearranging in the right order
124 */
125 }
126
127--
1282.7.4
129
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 466dfbb..796d86e 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
14 file://CVE-2016-3990.patch \ 14 file://CVE-2016-3990.patch \
15 file://CVE-2016-3991.patch \ 15 file://CVE-2016-3991.patch \
16 file://CVE-2016-3623.patch \ 16 file://CVE-2016-3623.patch \
17 file://CVE-2016-3622.patch \
17 " 18 "
18 19
19SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" 20SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"