tiff: Security fix CVE-2016-5323

CVE-2016-5323 libtiff: a maliciously crafted TIFF file could cause the application to crash when using tiffcrop command External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5323 http://bugzilla.maptools.org/show_bug.cgi?id=2559 Patch from: https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31 (From OE-Core rev: 4ad1220e0a7f9ca9096860f4f9ae7017b36e29e4) (From OE-Core rev: e066ba81ac7aecd3d9dfa1cb5d89acb6dc073e8f) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2016-08-10 15:11:20 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-09-23 15:27:04 +0100
commit: b9e99832b93ba18e75444c4a610870191a41ec92 (patch)
tree: 2647b0859611b818266164ffdc0afc592b6c1e50
parent: 440e3cd2c268e106485b9b0c977400e3f7a49799 (diff)
download: poky-b9e99832b93ba18e75444c4a610870191a41ec92.tar.gz
2 files changed, 108 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
new file mode 100644
index 0000000000..41eab91ab4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
@@ -0,0 +1,107 @@
+From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 11 Jul 2016 21:38:31 +0000
+Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
+CVE: CVE-2016-5323
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ ChangeLog        |  2 +-
+ tools/tiffcrop.c | 16 ++++++++--------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 4e0302f..62dc1b5 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -3,7 +3,7 @@
+        * tools/tiffcrop.c: Avoid access outside of stack allocated array
+        on a tiled separate TIFF with more than 8 samples per pixel.
+        Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
+-       (CVE-2016-5321, bugzilla #2558)
+       (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
+ 
+ 2016-07-10 Even Rouault <even.rouault at spatialys.com>
+ 
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 6fc8fc1..27abc0b 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
+ 
+       matchbits = maskbits << (8 - src_bit - bps); 
+       /* load up next sample from each plane */
+-      for (s = 0; s < spp; s++)
+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+        src = in[s] + src_offset + src_byte;
+         buff1 = ((*src) & matchbits) << (src_bit);
+@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (16 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+        src = in[s] + src_offset + src_byte;
+         if (little_endian)
+@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (32 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+        src = in[s] + src_offset + src_byte;
+         if (little_endian)
+@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (64 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+        {
+        src = in[s] + src_offset + src_byte;
+        if (little_endian)
+@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
+ 
+       matchbits = maskbits << (8 - src_bit - bps); 
+       /* load up next sample from each plane */
+-      for (s = 0; s < spp; s++)
+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+        src = in[s] + src_offset + src_byte;
+         buff1 = ((*src) & matchbits) << (src_bit);
+@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (16 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+        src = in[s] + src_offset + src_byte;
+         if (little_endian)
+@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (32 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+        src = in[s] + src_offset + src_byte;
+         if (little_endian)
+@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (64 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+        {
+        src = in[s] + src_offset + src_byte;
+        if (little_endian)
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 63df126627..83d88df1c1 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2015-8784.patch \
           file://CVE-2016-3186.patch \
           file://CVE-2016-5321.patch \
+           file://CVE-2016-5323.patch \
          "
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
author	Yi Zhao <yi.zhao@windriver.com>	2016-08-10 15:11:20 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-09-23 15:27:04 +0100
commit	b9e99832b93ba18e75444c4a610870191a41ec92 (patch)
tree	2647b0859611b818266164ffdc0afc592b6c1e50
parent	440e3cd2c268e106485b9b0c977400e3f7a49799 (diff)
download	poky-b9e99832b93ba18e75444c4a610870191a41ec92.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch new file mode 100644 index 0000000000..41eab91ab4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
@@ -0,0 +1,107 @@
		1	From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Mon, 11 Jul 2016 21:38:31 +0000
		4	Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
		5
		6	CVE: CVE-2016-5323
		7	Upstream-Status: Backport
		8	https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31
		9
		10	Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
		11	---
		12	ChangeLog \| 2 +-
		13	tools/tiffcrop.c \| 16 ++++++++--------
		14	2 files changed, 9 insertions(+), 9 deletions(-)
		15
		16	diff --git a/ChangeLog b/ChangeLog
		17	index 4e0302f..62dc1b5 100644
		18	--- a/ChangeLog
		19	+++ b/ChangeLog
		20	@@ -3,7 +3,7 @@
		21	* tools/tiffcrop.c: Avoid access outside of stack allocated array
		22	on a tiled separate TIFF with more than 8 samples per pixel.
		23	Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
		24	- (CVE-2016-5321, bugzilla #2558)
		25	+ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
		26
		27	2016-07-10 Even Rouault <even.rouault at spatialys.com>
		28
		29	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		30	index 6fc8fc1..27abc0b 100644
		31	--- a/tools/tiffcrop.c
		32	+++ b/tools/tiffcrop.c
		33	@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 in[], uint8 out, uint32 cols,
		34
		35	matchbits = maskbits << (8 - src_bit - bps);
		36	/* load up next sample from each plane */
		37	- for (s = 0; s < spp; s++)
		38	+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
		39	{
		40	src = in[s] + src_offset + src_byte;
		41	buff1 = ((*src) & matchbits) << (src_bit);
		42	@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 in[], uint8 out, uint32 cols,
		43	src_bit = bit_offset % 8;
		44
		45	matchbits = maskbits << (16 - src_bit - bps);
		46	- for (s = 0; s < spp; s++)
		47	+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
		48	{
		49	src = in[s] + src_offset + src_byte;
		50	if (little_endian)
		51	@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 in[], uint8 out, uint32 cols,
		52	src_bit = bit_offset % 8;
		53
		54	matchbits = maskbits << (32 - src_bit - bps);
		55	- for (s = 0; s < spp; s++)
		56	+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
		57	{
		58	src = in[s] + src_offset + src_byte;
		59	if (little_endian)
		60	@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 in[], uint8 out, uint32 cols,
		61	src_bit = bit_offset % 8;
		62
		63	matchbits = maskbits << (64 - src_bit - bps);
		64	- for (s = 0; s < spp; s++)
		65	+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
		66	{
		67	src = in[s] + src_offset + src_byte;
		68	if (little_endian)
		69	@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 in[], uint8 out, uint32 cols,
		70
		71	matchbits = maskbits << (8 - src_bit - bps);
		72	/* load up next sample from each plane */
		73	- for (s = 0; s < spp; s++)
		74	+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
		75	{
		76	src = in[s] + src_offset + src_byte;
		77	buff1 = ((*src) & matchbits) << (src_bit);
		78	@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 in[], uint8 out, uint32 cols,
		79	src_bit = bit_offset % 8;
		80
		81	matchbits = maskbits << (16 - src_bit - bps);
		82	- for (s = 0; s < spp; s++)
		83	+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
		84	{
		85	src = in[s] + src_offset + src_byte;
		86	if (little_endian)
		87	@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 in[], uint8 out, uint32 cols,
		88	src_bit = bit_offset % 8;
		89
		90	matchbits = maskbits << (32 - src_bit - bps);
		91	- for (s = 0; s < spp; s++)
		92	+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
		93	{
		94	src = in[s] + src_offset + src_byte;
		95	if (little_endian)
		96	@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 in[], uint8 out, uint32 cols,
		97	src_bit = bit_offset % 8;
		98
		99	matchbits = maskbits << (64 - src_bit - bps);
		100	- for (s = 0; s < spp; s++)
		101	+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
		102	{
		103	src = in[s] + src_offset + src_byte;
		104	if (little_endian)
		105	--
		106	2.7.4
		107


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index 63df126627..83d88df1c1 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
10	file://CVE-2015-8784.patch \	10	file://CVE-2015-8784.patch \
11	file://CVE-2016-3186.patch \	11	file://CVE-2016-3186.patch \
12	file://CVE-2016-5321.patch \	12	file://CVE-2016-5321.patch \
		13	file://CVE-2016-5323.patch \
13	"	14	"
14		15
15	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"	16	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"