tiff: Security fix CVE-2016-3658

The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658 http://bugzilla.maptools.org/show_bug.cgi?id=2546 Patch from: https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d (From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a) (From OE-Core rev: cc266584158c8dfc8583d21534665b6152a4f7ee) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Zhixiong Chi <zhixiong.chi@windriver.com> 2016-11-14 17:46:52 +0800
committer: Sona Sarmadi <sona.sarmadi@enea.com> 2017-02-10 12:21:39 +0100
commit: ca6d95959976c2804d82641c5eb55cfc003f09bc (patch)
tree: 8ccea0bb8a3096b41118aa6711f8f975145c3f0e
parent: 88246c60937b662064cc10b3771faf6b73466a5b (diff)
download: poky-ca6d95959976c2804d82641c5eb55cfc003f09bc.tar.gz
2 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
new file mode 100644
index 0000000000..6cb12f2907
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
@@ -0,0 +1,111 @@
+From: 45c68450bef8ad876f310b495165c513cad8b67d
+From: Even Rouault <even.rouault@spatialys.com>
+* libtiff/tif_dir.c: discard values of SMinSampleValue and
+SMaxSampleValue when they have been read and the value of
+SamplesPerPixel is changed afterwards (like when reading a
+OJPEG compressed image with a missing SamplesPerPixel tag,
+and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
+being 3). Otherwise when rewriting the directory (for example
+with tiffset, we will expect 3 values whereas the array had been
+allocated with just one), thus causing a out of bound read access.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+(CVE-2014-8127, duplicate: CVE-2016-3658)
+* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
+when writing directory, if FIELD_STRIPOFFSETS was artificially set
+for a hack case in OJPEG case.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+(CVE-2014-8127, duplicate: CVE-2016-3658)
+CVE: CVE-2016-3658
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
+Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com>
+Index: tiff-4.0.6/ChangeLog
+===================================================================
+--- tiff-4.0.6.orig/ChangeLog   2016-11-14 10:52:10.008748230 +0800
+++ tiff-4.0.6/ChangeLog        2016-11-14 16:17:46.140884438 +0800
+@@ -1,3 +1,22 @@
+2016-10-25 Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_dir.c: discard values of SMinSampleValue and
+       SMaxSampleValue when they have been read and the value of
+       SamplesPerPixel is changed afterwards (like when reading a
+       OJPEG compressed image with a missing SamplesPerPixel tag,
+       and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
+       being 3). Otherwise when rewriting the directory (for example
+       with tiffset, we will expect 3 values whereas the array had been
+       allocated with just one), thus causing a out of bound read access.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+       (CVE-2014-8127, duplicate: CVE-2016-3658)
+
+       * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
+       when writing directory, if FIELD_STRIPOFFSETS was artificially set
+       for a hack case in OJPEG case.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+       (CVE-2014-8127, duplicate: CVE-2016-3658)
+
+ 2016-09-24  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+ 
+        * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
+Index: tiff-4.0.6/libtiff/tif_dir.c
+===================================================================
+--- tiff-4.0.6.orig/libtiff/tif_dir.c   2015-06-01 07:11:43.000000000 +0800
+++ tiff-4.0.6/libtiff/tif_dir.c        2016-11-14 16:20:17.800885495 +0800
+@@ -254,6 +254,28 @@
+                v = (uint16) va_arg(ap, uint16_vap);
+                if (v == 0)
+                        goto badvalue;
+               if( v != td->td_samplesperpixel )
+               {
+                   /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
+                   if( td->td_sminsamplevalue != NULL )
+                   {
+                       TIFFWarningExt(tif->tif_clientdata,module,
+                           "SamplesPerPixel tag value is changing, "
+                           "but SMinSampleValue tag was read with a different value. Cancelling it");
+                       TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
+                       _TIFFfree(td->td_sminsamplevalue);
+                       td->td_sminsamplevalue = NULL;
+                   }
+                   if( td->td_smaxsamplevalue != NULL )
+                   {
+                       TIFFWarningExt(tif->tif_clientdata,module,
+                           "SamplesPerPixel tag value is changing, "
+                           "but SMaxSampleValue tag was read with a different value. Cancelling it");
+                       TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
+                       _TIFFfree(td->td_smaxsamplevalue);
+                       td->td_smaxsamplevalue = NULL;
+                   }
+               }
+                td->td_samplesperpixel = (uint16) v;
+                break;
+        case TIFFTAG_ROWSPERSTRIP:
+Index: tiff-4.0.6/libtiff/tif_dirwrite.c
+===================================================================
+--- tiff-4.0.6.orig/libtiff/tif_dirwrite.c      2015-05-31 08:38:46.000000000 +0800
+++ tiff-4.0.6/libtiff/tif_dirwrite.c   2016-11-14 16:23:54.688887007 +0800
+@@ -542,7 +542,19 @@
+                        {
+                                if (!isTiled(tif))
+                                {
+-                                       if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+                                       /* td_stripoffset might be NULL in an odd OJPEG case. See
+                                        *  tif_dirread.c around line 3634.
+                                        * XXX: OJPEG hack.
+                                        * If a) compression is OJPEG, b) it's not a tiled TIFF,
+                                        * and c) the number of strips is 1,
+                                        * then we tolerate the absence of stripoffsets tag,
+                                        * because, presumably, all required data is in the
+                                        * JpegInterchangeFormat stream.
+                                        * We can get here when using tiffset on such a file.
+                                        * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
+                                       */
+                                       if (tif->tif_dir.td_stripoffset != NULL &&
+                                           !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+                                                goto bad;
+                                }
+                                else
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 796d86e8f8..edd560fa08 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2016-3991.patch \
           file://CVE-2016-3623.patch \
           file://CVE-2016-3622.patch \
+           file://CVE-2016-3658.patch \
          "
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
author	Zhixiong Chi <zhixiong.chi@windriver.com>	2016-11-14 17:46:52 +0800
committer	Sona Sarmadi <sona.sarmadi@enea.com>	2017-02-10 12:21:39 +0100
commit	ca6d95959976c2804d82641c5eb55cfc003f09bc (patch)
tree	8ccea0bb8a3096b41118aa6711f8f975145c3f0e
parent	88246c60937b662064cc10b3771faf6b73466a5b (diff)
download	poky-ca6d95959976c2804d82641c5eb55cfc003f09bc.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch new file mode 100644 index 0000000000..6cb12f2907 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
@@ -0,0 +1,111 @@
		1	From: 45c68450bef8ad876f310b495165c513cad8b67d
		2	From: Even Rouault <even.rouault@spatialys.com>
		3
		4	* libtiff/tif_dir.c: discard values of SMinSampleValue and
		5	SMaxSampleValue when they have been read and the value of
		6	SamplesPerPixel is changed afterwards (like when reading a
		7	OJPEG compressed image with a missing SamplesPerPixel tag,
		8	and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
		9	being 3). Otherwise when rewriting the directory (for example
		10	with tiffset, we will expect 3 values whereas the array had been
		11	allocated with just one), thus causing a out of bound read access.
		12	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
		13	(CVE-2014-8127, duplicate: CVE-2016-3658)
		14
		15	* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
		16	when writing directory, if FIELD_STRIPOFFSETS was artificially set
		17	for a hack case in OJPEG case.
		18	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
		19	(CVE-2014-8127, duplicate: CVE-2016-3658)
		20
		21	CVE: CVE-2016-3658
		22	Upstream-Status: Backport
		23	https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
		24
		25	Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com>
		26
		27	Index: tiff-4.0.6/ChangeLog
		28	===================================================================
		29	--- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800
		30	+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800
		31	@@ -1,3 +1,22 @@
		32	+2016-10-25 Even Rouault <even.rouault at spatialys.com>
		33	+
		34	+ * libtiff/tif_dir.c: discard values of SMinSampleValue and
		35	+ SMaxSampleValue when they have been read and the value of
		36	+ SamplesPerPixel is changed afterwards (like when reading a
		37	+ OJPEG compressed image with a missing SamplesPerPixel tag,
		38	+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
		39	+ being 3). Otherwise when rewriting the directory (for example
		40	+ with tiffset, we will expect 3 values whereas the array had been
		41	+ allocated with just one), thus causing a out of bound read access.
		42	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
		43	+ (CVE-2014-8127, duplicate: CVE-2016-3658)
		44	+
		45	+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
		46	+ when writing directory, if FIELD_STRIPOFFSETS was artificially set
		47	+ for a hack case in OJPEG case.
		48	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
		49	+ (CVE-2014-8127, duplicate: CVE-2016-3658)
		50	+
		51	2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
		52
		53	* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
		54	Index: tiff-4.0.6/libtiff/tif_dir.c
		55	===================================================================
		56	--- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800
		57	+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800
		58	@@ -254,6 +254,28 @@
		59	v = (uint16) va_arg(ap, uint16_vap);
		60	if (v == 0)
		61	goto badvalue;
		62	+ if( v != td->td_samplesperpixel )
		63	+ {
		64	+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
		65	+ if( td->td_sminsamplevalue != NULL )
		66	+ {
		67	+ TIFFWarningExt(tif->tif_clientdata,module,
		68	+ "SamplesPerPixel tag value is changing, "
		69	+ "but SMinSampleValue tag was read with a different value. Cancelling it");
		70	+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
		71	+ _TIFFfree(td->td_sminsamplevalue);
		72	+ td->td_sminsamplevalue = NULL;
		73	+ }
		74	+ if( td->td_smaxsamplevalue != NULL )
		75	+ {
		76	+ TIFFWarningExt(tif->tif_clientdata,module,
		77	+ "SamplesPerPixel tag value is changing, "
		78	+ "but SMaxSampleValue tag was read with a different value. Cancelling it");
		79	+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
		80	+ _TIFFfree(td->td_smaxsamplevalue);
		81	+ td->td_smaxsamplevalue = NULL;
		82	+ }
		83	+ }
		84	td->td_samplesperpixel = (uint16) v;
		85	break;
		86	case TIFFTAG_ROWSPERSTRIP:
		87	Index: tiff-4.0.6/libtiff/tif_dirwrite.c
		88	===================================================================
		89	--- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800
		90	+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800
		91	@@ -542,7 +542,19 @@
		92	{
		93	if (!isTiled(tif))
		94	{
		95	- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
		96	+ /* td_stripoffset might be NULL in an odd OJPEG case. See
		97	+ * tif_dirread.c around line 3634.
		98	+ * XXX: OJPEG hack.
		99	+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
		100	+ * and c) the number of strips is 1,
		101	+ * then we tolerate the absence of stripoffsets tag,
		102	+ * because, presumably, all required data is in the
		103	+ * JpegInterchangeFormat stream.
		104	+ * We can get here when using tiffset on such a file.
		105	+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
		106	+ */
		107	+ if (tif->tif_dir.td_stripoffset != NULL &&
		108	+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
		109	goto bad;
		110	}
		111	else


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index 796d86e8f8..edd560fa08 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
15	file://CVE-2016-3991.patch \	15	file://CVE-2016-3991.patch \
16	file://CVE-2016-3623.patch \	16	file://CVE-2016-3623.patch \
17	file://CVE-2016-3622.patch \	17	file://CVE-2016-3622.patch \
		18	file://CVE-2016-3658.patch \
18	"	19	"
19		20
20	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"	21	SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"