summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYi Zhao <yi.zhao@windriver.com>2016-10-26 08:26:47 (GMT)
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 11:21:38 (GMT)
commitc52d4669d132d444d2b30141a9a5d8baa44b429f (patch)
tree7a5d2d3a5f53ca30c2fb84a490051156d50e011f
parentb9624e772b25710253655eba111ff95115159158 (diff)
downloadpoky-c52d4669d132d444d2b30141a9a5d8baa44b429f.tar.gz
tiff: Security fix CVE-2016-3623
CVE-2016-3623 libtiff: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623 http://bugzilla.maptools.org/show_bug.cgi?id=2569 Patch from: https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b (From OE-Core rev: d66824eee47b7513b919ea04bdf41dc48a9d85e9) (From OE-Core rev: f0e77ffa6bbc3adc61a2abd5dbc9228e830c055d) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch52
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.6.bb1
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
new file mode 100644
index 0000000..f554ac5
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
@@ -0,0 +1,52 @@
1From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001
2From: erouault <erouault>
3Date: Mon, 15 Aug 2016 21:26:56 +0000
4Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters
5 to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
6
7CVE: CVE-2016-3623
8Upstream-Status: Backport
9https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
10
11Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
12---
13 ChangeLog | 5 +++++
14 tools/rgb2ycbcr.c | 4 ++++
15 2 files changed, 9 insertions(+)
16
17diff --git a/ChangeLog b/ChangeLog
18index 5d60608..3e6642a 100644
19--- a/ChangeLog
20+++ b/ChangeLog
21@@ -1,5 +1,10 @@
22 2016-08-15 Even Rouault <even.rouault at spatialys.com>
23
24+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
25+ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
26+
27+2016-08-15 Even Rouault <even.rouault at spatialys.com>
28+
29 * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
30 From patch libtiff-CVE-2016-3991.patch from
31 libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
32diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c
33index 3829d6b..51f4259 100644
34--- a/tools/rgb2ycbcr.c
35+++ b/tools/rgb2ycbcr.c
36@@ -95,9 +95,13 @@ main(int argc, char* argv[])
37 break;
38 case 'h':
39 horizSubSampling = atoi(optarg);
40+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
41+ usage(-1);
42 break;
43 case 'v':
44 vertSubSampling = atoi(optarg);
45+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
46+ usage(-1);
47 break;
48 case 'r':
49 rowsperstrip = atoi(optarg);
50--
512.7.4
52
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 713cf24..466dfbb 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
13 file://CVE-2016-3945.patch \ 13 file://CVE-2016-3945.patch \
14 file://CVE-2016-3990.patch \ 14 file://CVE-2016-3990.patch \
15 file://CVE-2016-3991.patch \ 15 file://CVE-2016-3991.patch \
16 file://CVE-2016-3623.patch \
16 " 17 "
17 18
18SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" 19SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"