authorZhixiong Chi <zhixiong.chi@windriver.com>2016-11-14 09:46:52 (GMT)
committerSona Sarmadi <sona.sarmadi@enea.com>2017-02-10 11:21:39 (GMT)
commitca6d95959976c2804d82641c5eb55cfc003f09bc (patch)
tree8ccea0bb8a3096b41118aa6711f8f975145c3f0e
parent88246c60937b662064cc10b3771faf6b73466a5b (diff)
downloadpoky-ca6d95959976c2804d82641c5eb55cfc003f09bc.tar.gz
tiff: Security fix CVE-2016-3658
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658 http://bugzilla.maptools.org/show_bug.cgi?id=2546 Patch from: https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d (From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a) (From OE-Core rev: cc266584158c8dfc8583d21534665b6152a4f7ee) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch111
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.6.bb1
2 files changed, 112 insertions, 0 deletions
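--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
@@ -0,0 +1,111 @@
+From: 45c68450bef8ad876f310b495165c513cad8b67d
+From: Even Rouault <even.rouault@spatialys.com>
+
+* libtiff/tif_dir.c: discard values of SMinSampleValue and
+SMaxSampleValue when they have been read and the value of
+SamplesPerPixel is changed afterwards (like when reading a
+OJPEG compressed image with a missing SamplesPerPixel tag,
+and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
+being 3). Otherwise when rewriting the directory (for example
+with tiffset, we will expect 3 values whereas the array had been
+allocated with just one), thus causing a out of bound read access.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+(CVE-2014-8127, duplicate: CVE-2016-3658)
+
+* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
+when writing directory, if FIELD_STRIPOFFSETS was artificially set
+for a hack case in OJPEG case.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+(CVE-2014-8127, duplicate: CVE-2016-3658)
+
+CVE: CVE-2016-3658
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
+
+Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com>
+
+Index: tiff-4.0.6/ChangeLog
+===================================================================
+--- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800
++++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800
+@@ -1,3 +1,22 @@
++2016-10-25 Even Rouault <even.rouault at spatialys.com>
++
++ * libtiff/tif_dir.c: discard values of SMinSampleValue and
++ SMaxSampleValue when they have been read and the value of
++ SamplesPerPixel is changed afterwards (like when reading a
++ OJPEG compressed image with a missing SamplesPerPixel tag,
++ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
++ being 3). Otherwise when rewriting the directory (for example
++ with tiffset, we will expect 3 values whereas the array had been
++ allocated with just one), thus causing a out of bound read access.
++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
++ (CVE-2014-8127, duplicate: CVE-2016-3658)
++
++ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
++ when writing directory, if FIELD_STRIPOFFSETS was artificially set
++ for a hack case in OJPEG case.
++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
++ (CVE-2014-8127, duplicate: CVE-2016-3658)
++
+ 2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
+Index: tiff-4.0.6/libtiff/tif_dir.c
+===================================================================
+--- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800
++++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800
+@@ -254,6 +254,28 @@
+ v = (uint16) va_arg(ap, uint16_vap);
+ if (v == 0)
+ goto badvalue;
++ if( v != td->td_samplesperpixel )
++ {
++ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
++ if( td->td_sminsamplevalue != NULL )
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "SamplesPerPixel tag value is changing, "
++ "but SMinSampleValue tag was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
++ _TIFFfree(td->td_sminsamplevalue);
++ td->td_sminsamplevalue = NULL;
++ }
++ if( td->td_smaxsamplevalue != NULL )
++ {
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "SamplesPerPixel tag value is changing, "
++ "but SMaxSampleValue tag was read with a different value. Cancelling it");
++ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
++ _TIFFfree(td->td_smaxsamplevalue);
++ td->td_smaxsamplevalue = NULL;
++ }
++ }
+ td->td_samplesperpixel = (uint16) v;
+ break;
+ case TIFFTAG_ROWSPERSTRIP:
+Index: tiff-4.0.6/libtiff/tif_dirwrite.c
+===================================================================
+--- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800
++++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800
+@@ -542,7 +542,19 @@
+ {
+ if (!isTiled(tif))
+ {
+- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
++ /* td_stripoffset might be NULL in an odd OJPEG case. See
++ * tif_dirread.c around line 3634.
++ * XXX: OJPEG hack.
++ * If a) compression is OJPEG, b) it's not a tiled TIFF,
++ * and c) the number of strips is 1,
++ * then we tolerate the absence of stripoffsets tag,
++ * because, presumably, all required data is in the
++ * JpegInterchangeFormat stream.
++ * We can get here when using tiffset on such a file.
++ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
++ */
++ if (tif->tif_dir.td_stripoffset != NULL &&
++ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+ goto bad;
+ }
+ else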
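Review bot: In the tif_dirwrite.c hunk of the added patch, the new guard `tif->tif_dir.td_stripoffset != NULL &&` skips the StripOffsets tag for any NULL array, while the comment above it limits the tolerated case to OJPEG, non-tiled, single-strip files; the condition checks none of those three, so any other state that reaches this point with a NULL array would have the tag dropped silently instead of failing. If the wider condition is intended, a line such as `/* NOTE: skipped for any NULL td_stripoffset, not only the OJPEG single-strip case */` would record that for the next person auditing the backport. The tiled branch that begins at the trailing `else`, and the rest of the enclosing function, lie outside the hunk, so whether other writes there pass a possibly-NULL array without an equivalent check cannot be confirmed from this page and is worth checking against the upstream file. Separately, the patch header carries only `CVE: CVE-2016-3658` although its own description also names CVE-2014-8127; if the backport is meant to cover both, listing both ids in that tag keeps CVE tracking for the recipe accurate.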
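--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
  file://CVE-2016-3991.patch \
  file://CVE-2016-3623.patch \
  file://CVE-2016-3622.patch \
+ file://CVE-2016-3658.patch \
  "
 
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"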