tiff: Security fixes

Fix CVE-2017-9147, CVE-2017-9936, CVE-2017-10668, CVE-2017-11335 References: https://nvd.nist.gov/vuln/detail/CVE-2017-9147 https://nvd.nist.gov/vuln/detail/CVE-2017-9936 https://nvd.nist.gov/vuln/detail/CVE-2017-10668 https://nvd.nist.gov/vuln/detail/CVE-2017-11335 Patches from: CVE-2017-9147: https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06 CVE-2017-9936: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a CVE-2017-10688: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 CVE-2017-11355: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 (From OE-Core rev: 5c89539edb17d01ffe82a1b2e7d092816003ecf3) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2017-08-22 08:58:35 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-08-23 08:47:03 +0100
commit: 1a73074d75b8aa12427a3c20f7f40223127e43dd (patch)
tree: 857d5b8689a77b41edc4c97ae1cb643ad91eb1ee
parent: 0e029f75c60d68c643024487f540cde6a0fc345f (diff)
download: poky-1a73074d75b8aa12427a3c20f7f40223127e43dd.tar.gz
5 files changed, 404 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
new file mode 100644
index 0000000000..b0db96949f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
@@ -0,0 +1,91 @@
+From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Fri, 30 Jun 2017 17:29:44 +0000
+Subject: [PATCH] * libtiff/tif_dirwrite.c: in
+ TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
+ data type, replace assertion that the file is BigTIFF, by a non-fatal error.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
+ OWL337
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1]
+CVE: CVE-2017-10688
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog              |  8 ++++++++
+ libtiff/tif_dirwrite.c | 20 ++++++++++++++++----
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 0240f0b..42eaeb7 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,11 @@
+2017-06-30  Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
+       functions associated with LONG8/SLONG8 data type, replace assertion that
+       the file is BigTIFF, by a non-fatal error.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
+       Reported by team OWL337
+
+ 2017-06-26  Even Rouault <even.rouault at spatialys.com>
+ 
+        * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 2967da5..8d6686b 100644
+--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
+@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
+ {
+        uint64 m;
+        assert(sizeof(uint64)==8);
+-       assert(tif->tif_flags&TIFF_BIGTIFF);
+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+               return(0);
+       }
+        m=value;
+        if (tif->tif_flags&TIFF_SWAB)
+                TIFFSwabLong8(&m);
+@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
+ {
+        assert(count<0x20000000);
+        assert(sizeof(uint64)==8);
+-       assert(tif->tif_flags&TIFF_BIGTIFF);
+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
+               return(0);
+       }
+        if (tif->tif_flags&TIFF_SWAB)
+                TIFFSwabArrayOfLong8(value,count);
+        return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
+@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
+ {
+        int64 m;
+        assert(sizeof(int64)==8);
+-       assert(tif->tif_flags&TIFF_BIGTIFF);
+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
+               return(0);
+       }
+        m=value;
+        if (tif->tif_flags&TIFF_SWAB)
+                TIFFSwabLong8((uint64*)(&m));
+@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
+ {
+        assert(count<0x20000000);
+        assert(sizeof(int64)==8);
+-       assert(tif->tif_flags&TIFF_BIGTIFF);
+       if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
+               TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
+               return(0);
+       }
+        if (tif->tif_flags&TIFF_SWAB)
+                TIFFSwabArrayOfLong8((uint64*)value,count);
+        return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
new file mode 100644
index 0000000000..d08e7612b7
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
@@ -0,0 +1,54 @@
+From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 15 Jul 2017 11:13:46 +0000
+Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
+ "Raw" mode on PlanarConfig=Contig input images. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556]
+CVE: CVE-2017-11355
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog        | 7 +++++++
+ tools/tiff2pdf.c | 7 ++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+diff --git a/ChangeLog b/ChangeLog
+index 42eaeb7..6980da8 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,10 @@
+2017-07-15  Even Rouault <even.rouault at spatialys.com>
+
+       * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
+       mode on PlanarConfig=Contig input images.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
+       Reported by team OWL337
+
+ 2017-06-30  Even Rouault <even.rouault at spatialys.com>
+ 
+        * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index db196e0..cd1e235 100644
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+            return;
+ 
+        t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
+-       if(t2p->pdf_nopassthrough==0){
+        /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
+        /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
+        /* do not take into account the number of samples, and thus */
+        /* that can cause heap buffer overflows such as in */
+        /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
+       if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
+ #ifdef CCITT_SUPPORT
+                if(t2p->tiff_compression==COMPRESSION_CCITTFAX4  
+                        ){
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
new file mode 100644
index 0000000000..3392285901
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
@@ -0,0 +1,206 @@
+From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Thu, 1 Jun 2017 12:44:04 +0000
+Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+to behave differently depending on whether the codec is enabled or not, and
+thus can avoid stack based buffer overflows in a number of TIFF utilities
+such as tiffsplit, tiffcmp, thumbnail, etc.
+Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+Fixes:
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+http://bugzilla.maptools.org/show_bug.cgi?id=2693
+http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+http://bugzilla.maptools.org/show_bug.cgi?id=2441
+http://bugzilla.maptools.org/show_bug.cgi?id=2433
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06]
+CVE: CVE-2017-9147
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog             |  20 ++++++++++
+ libtiff/tif_dir.h     |   1 +
+ libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ libtiff/tif_dirread.c |   4 ++
+ 4 files changed, 128 insertions(+)
+diff --git a/ChangeLog b/ChangeLog
+index ee8d9d0..5739292 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,23 @@
+2017-06-01  Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+       and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+       codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+       to behave differently depending on whether the codec is enabled or not, and
+       thus can avoid stack based buffer overflows in a number of TIFF utilities
+       such as tiffsplit, tiffcmp, thumbnail, etc.
+       Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+       (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+       Fixes:
+       http://bugzilla.maptools.org/show_bug.cgi?id=2580
+       http://bugzilla.maptools.org/show_bug.cgi?id=2693
+       http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+       http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+       http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+       http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+       http://bugzilla.maptools.org/show_bug.cgi?id=2441
+       http://bugzilla.maptools.org/show_bug.cgi?id=2433
+
+ 2017-05-21  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+ 
+        * configure.ac: libtiff 4.0.8 released.
+diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
+index e12b44b..5206be4 100644
+--- a/libtiff/tif_dir.h
+++ b/libtiff/tif_dir.h
+@@ -291,6 +291,7 @@ struct _TIFFField {
+ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern  TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+ 
+ #if defined(__cplusplus)
+ }
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index 0c8ef42..97c0df0 100644
+--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
+@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
+        return 0;
+ }
+ 
+int
+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+{
+       /* Filter out non-codec specific tags */
+       switch (tag) {
+           /* Shared tags */
+           case TIFFTAG_PREDICTOR:
+           /* JPEG tags */
+           case TIFFTAG_JPEGTABLES:
+           /* OJPEG tags */
+           case TIFFTAG_JPEGIFOFFSET:
+           case TIFFTAG_JPEGIFBYTECOUNT:
+           case TIFFTAG_JPEGQTABLES:
+           case TIFFTAG_JPEGDCTABLES:
+           case TIFFTAG_JPEGACTABLES:
+           case TIFFTAG_JPEGPROC:
+           case TIFFTAG_JPEGRESTARTINTERVAL:
+           /* CCITT* */
+           case TIFFTAG_BADFAXLINES:
+           case TIFFTAG_CLEANFAXDATA:
+           case TIFFTAG_CONSECUTIVEBADFAXLINES:
+           case TIFFTAG_GROUP3OPTIONS:
+           case TIFFTAG_GROUP4OPTIONS:
+               break;
+           default:
+               return 1;
+       }
+       /* Check if codec specific tags are allowed for the current
+        * compression scheme (codec) */
+       switch (tif->tif_dir.td_compression) {
+           case COMPRESSION_LZW:
+               if (tag == TIFFTAG_PREDICTOR)
+                   return 1;
+               break;
+           case COMPRESSION_PACKBITS:
+               /* No codec-specific tags */
+               break;
+           case COMPRESSION_THUNDERSCAN:
+               /* No codec-specific tags */
+               break;
+           case COMPRESSION_NEXT:
+               /* No codec-specific tags */
+               break;
+           case COMPRESSION_JPEG:
+               if (tag == TIFFTAG_JPEGTABLES)
+                   return 1;
+               break;
+           case COMPRESSION_OJPEG:
+               switch (tag) {
+                   case TIFFTAG_JPEGIFOFFSET:
+                   case TIFFTAG_JPEGIFBYTECOUNT:
+                   case TIFFTAG_JPEGQTABLES:
+                   case TIFFTAG_JPEGDCTABLES:
+                   case TIFFTAG_JPEGACTABLES:
+                   case TIFFTAG_JPEGPROC:
+                   case TIFFTAG_JPEGRESTARTINTERVAL:
+                       return 1;
+               }
+               break;
+           case COMPRESSION_CCITTRLE:
+           case COMPRESSION_CCITTRLEW:
+           case COMPRESSION_CCITTFAX3:
+           case COMPRESSION_CCITTFAX4:
+               switch (tag) {
+                   case TIFFTAG_BADFAXLINES:
+                   case TIFFTAG_CLEANFAXDATA:
+                   case TIFFTAG_CONSECUTIVEBADFAXLINES:
+                       return 1;
+                   case TIFFTAG_GROUP3OPTIONS:
+                       if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
+                           return 1;
+                       break;
+                   case TIFFTAG_GROUP4OPTIONS:
+                       if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
+                           return 1;
+                       break;
+               }
+               break;
+           case COMPRESSION_JBIG:
+               /* No codec-specific tags */
+               break;
+           case COMPRESSION_DEFLATE:
+           case COMPRESSION_ADOBE_DEFLATE:
+               if (tag == TIFFTAG_PREDICTOR)
+                   return 1;
+               break;
+          case COMPRESSION_PIXARLOG:
+               if (tag == TIFFTAG_PREDICTOR)
+                   return 1;
+               break;
+           case COMPRESSION_SGILOG:
+           case COMPRESSION_SGILOG24:
+               /* No codec-specific tags */
+               break;
+           case COMPRESSION_LZMA:
+               if (tag == TIFFTAG_PREDICTOR)
+                   return 1;
+               break;
+
+       }
+       return 0;
+}
+
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+ 
+ /*
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 1d4f0b9..f1dc3d7 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)
+                                                        goto bad;
+                                                dp->tdir_tag=IGNORE;
+                                                break;
+                                        default:
+                                            if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
+                                                dp->tdir_tag=IGNORE;
+                                            break;
+                                }
+                        }
+                }
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch
new file mode 100644
index 0000000000..fc99363284
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch
@@ -0,0 +1,49 @@
+From 62efea76592647426deec5592fd7274d5c950646 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 26 Jun 2017 15:19:59 +0000
+Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of
+ JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported
+ by team OWL337
+* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a]
+CVE: CVE-2017-9936
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog          | 6 ++++++
+ libtiff/tif_jbig.c | 1 +
+ 2 files changed, 7 insertions(+)
+diff --git a/ChangeLog b/ChangeLog
+index 5739292..0240f0b 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,9 @@
+2017-06-26  Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
+       Reported by team OWL337
+
+ 2017-06-01  Even Rouault <even.rouault at spatialys.com>
+ 
+        * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 5f5f75e..c75f31d 100644
+--- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c
+@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+                             jbg_strerror(decodeStatus)
+ #endif
+                             );
+               jbg_dec_free(&decoder);
+                return 0;
+        }
+ 
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
index 4a7aeccd23..c8ad5d5c06 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
@@ -6,6 +6,10 @@ CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://libtool2.patch \
+           file://CVE-2017-9147.patch \
+           file://CVE-2017-9936.patch \
+           file://CVE-2017-10688.patch \
+           file://CVE-2017-11335.patch \
          "
 SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b"
author	Yi Zhao <yi.zhao@windriver.com>	2017-08-22 08:58:35 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-08-23 08:47:03 +0100
commit	1a73074d75b8aa12427a3c20f7f40223127e43dd (patch)
tree	857d5b8689a77b41edc4c97ae1cb643ad91eb1ee
parent	0e029f75c60d68c643024487f540cde6a0fc345f (diff)
download	poky-1a73074d75b8aa12427a3c20f7f40223127e43dd.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch new file mode 100644 index 0000000000..b0db96949f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
@@ -0,0 +1,91 @@
		1	From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Fri, 30 Jun 2017 17:29:44 +0000
		4	Subject: [PATCH] * libtiff/tif_dirwrite.c: in
		5	TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
		6	data type, replace assertion that the file is BigTIFF, by a non-fatal error.
		7	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
		8	OWL337
		9
		10	Upstream-Status: Backport
		11	[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1]
		12
		13	CVE: CVE-2017-10688
		14
		15	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		16	---
		17	ChangeLog \| 8 ++++++++
		18	libtiff/tif_dirwrite.c \| 20 ++++++++++++++++----
		19	2 files changed, 24 insertions(+), 4 deletions(-)
		20
		21	diff --git a/ChangeLog b/ChangeLog
		22	index 0240f0b..42eaeb7 100644
		23	--- a/ChangeLog
		24	+++ b/ChangeLog
		25	@@ -1,3 +1,11 @@
		26	+2017-06-30 Even Rouault <even.rouault at spatialys.com>
		27	+
		28	+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
		29	+ functions associated with LONG8/SLONG8 data type, replace assertion that
		30	+ the file is BigTIFF, by a non-fatal error.
		31	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
		32	+ Reported by team OWL337
		33	+
		34	2017-06-26 Even Rouault <even.rouault at spatialys.com>
		35
		36	* libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
		37	diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
		38	index 2967da5..8d6686b 100644
		39	--- a/libtiff/tif_dirwrite.c
		40	+++ b/libtiff/tif_dirwrite.c
		41	@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
		42	{
		43	uint64 m;
		44	assert(sizeof(uint64)==8);
		45	- assert(tif->tif_flags&TIFF_BIGTIFF);
		46	+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
		47	+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
		48	+ return(0);
		49	+ }
		50	m=value;
		51	if (tif->tif_flags&TIFF_SWAB)
		52	TIFFSwabLong8(&m);
		53	@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
		54	{
		55	assert(count<0x20000000);
		56	assert(sizeof(uint64)==8);
		57	- assert(tif->tif_flags&TIFF_BIGTIFF);
		58	+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
		59	+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
		60	+ return(0);
		61	+ }
		62	if (tif->tif_flags&TIFF_SWAB)
		63	TIFFSwabArrayOfLong8(value,count);
		64	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
		65	@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
		66	{
		67	int64 m;
		68	assert(sizeof(int64)==8);
		69	- assert(tif->tif_flags&TIFF_BIGTIFF);
		70	+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
		71	+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
		72	+ return(0);
		73	+ }
		74	m=value;
		75	if (tif->tif_flags&TIFF_SWAB)
		76	TIFFSwabLong8((uint64*)(&m));
		77	@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
		78	{
		79	assert(count<0x20000000);
		80	assert(sizeof(int64)==8);
		81	- assert(tif->tif_flags&TIFF_BIGTIFF);
		82	+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
		83	+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
		84	+ return(0);
		85	+ }
		86	if (tif->tif_flags&TIFF_SWAB)
		87	TIFFSwabArrayOfLong8((uint64*)value,count);
		88	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
		89	--
		90	2.7.4
		91


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch new file mode 100644 index 0000000000..d08e7612b7 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
@@ -0,0 +1,54 @@
		1	From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Sat, 15 Jul 2017 11:13:46 +0000
		4	Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
		5	"Raw" mode on PlanarConfig=Contig input images. Fixes
		6	http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
		7
		8	Upstream-Status: Backport
		9	[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556]
		10
		11	CVE: CVE-2017-11355
		12
		13	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		14	---
		15	ChangeLog \| 7 +++++++
		16	tools/tiff2pdf.c \| 7 ++++++-
		17	2 files changed, 13 insertions(+), 1 deletion(-)
		18
		19	diff --git a/ChangeLog b/ChangeLog
		20	index 42eaeb7..6980da8 100644
		21	--- a/ChangeLog
		22	+++ b/ChangeLog
		23	@@ -1,3 +1,10 @@
		24	+2017-07-15 Even Rouault <even.rouault at spatialys.com>
		25	+
		26	+ * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
		27	+ mode on PlanarConfig=Contig input images.
		28	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
		29	+ Reported by team OWL337
		30	+
		31	2017-06-30 Even Rouault <even.rouault at spatialys.com>
		32
		33	* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
		34	diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
		35	index db196e0..cd1e235 100644
		36	--- a/tools/tiff2pdf.c
		37	+++ b/tools/tiff2pdf.c
		38	@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
		39	return;
		40
		41	t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
		42	- if(t2p->pdf_nopassthrough==0){
		43	+ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
		44	+ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
		45	+ /* do not take into account the number of samples, and thus */
		46	+ /* that can cause heap buffer overflows such as in */
		47	+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
		48	+ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
		49	#ifdef CCITT_SUPPORT
		50	if(t2p->tiff_compression==COMPRESSION_CCITTFAX4
		51	){
		52	--
		53	2.7.4
		54


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch new file mode 100644 index 0000000000..3392285901 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
@@ -0,0 +1,206 @@
		1	From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Thu, 1 Jun 2017 12:44:04 +0000
		4	Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
		5	and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
		6	codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
		7	to behave differently depending on whether the codec is enabled or not, and
		8	thus can avoid stack based buffer overflows in a number of TIFF utilities
		9	such as tiffsplit, tiffcmp, thumbnail, etc.
		10	Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
		11	(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
		12	Fixes:
		13	http://bugzilla.maptools.org/show_bug.cgi?id=2580
		14	http://bugzilla.maptools.org/show_bug.cgi?id=2693
		15	http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
		16	http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
		17	http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
		18	http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
		19	http://bugzilla.maptools.org/show_bug.cgi?id=2441
		20	http://bugzilla.maptools.org/show_bug.cgi?id=2433
		21
		22	Upstream-Status: Backport
		23	[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06]
		24
		25	CVE: CVE-2017-9147
		26
		27	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		28	---
		29	ChangeLog \| 20 ++++++++++
		30	libtiff/tif_dir.h \| 1 +
		31	libtiff/tif_dirinfo.c \| 103 ++++++++++++++++++++++++++++++++++++++++++++++++++
		32	libtiff/tif_dirread.c \| 4 ++
		33	4 files changed, 128 insertions(+)
		34
		35	diff --git a/ChangeLog b/ChangeLog
		36	index ee8d9d0..5739292 100644
		37	--- a/ChangeLog
		38	+++ b/ChangeLog
		39	@@ -1,3 +1,23 @@
		40	+2017-06-01 Even Rouault <even.rouault at spatialys.com>
		41	+
		42	+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
		43	+ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
		44	+ codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
		45	+ to behave differently depending on whether the codec is enabled or not, and
		46	+ thus can avoid stack based buffer overflows in a number of TIFF utilities
		47	+ such as tiffsplit, tiffcmp, thumbnail, etc.
		48	+ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
		49	+ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
		50	+ Fixes:
		51	+ http://bugzilla.maptools.org/show_bug.cgi?id=2580
		52	+ http://bugzilla.maptools.org/show_bug.cgi?id=2693
		53	+ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
		54	+ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
		55	+ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
		56	+ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
		57	+ http://bugzilla.maptools.org/show_bug.cgi?id=2441
		58	+ http://bugzilla.maptools.org/show_bug.cgi?id=2433
		59	+
		60	2017-05-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
		61
		62	* configure.ac: libtiff 4.0.8 released.
		63	diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
		64	index e12b44b..5206be4 100644
		65	--- a/libtiff/tif_dir.h
		66	+++ b/libtiff/tif_dir.h
		67	@@ -291,6 +291,7 @@ struct _TIFFField {
		68	extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
		69	extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
		70	extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
		71	+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
		72
		73	#if defined(__cplusplus)
		74	}
		75	diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
		76	index 0c8ef42..97c0df0 100644
		77	--- a/libtiff/tif_dirinfo.c
		78	+++ b/libtiff/tif_dirinfo.c
		79	@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
		80	return 0;
		81	}
		82
		83	+int
		84	+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
		85	+{
		86	+ /* Filter out non-codec specific tags */
		87	+ switch (tag) {
		88	+ /* Shared tags */
		89	+ case TIFFTAG_PREDICTOR:
		90	+ /* JPEG tags */
		91	+ case TIFFTAG_JPEGTABLES:
		92	+ /* OJPEG tags */
		93	+ case TIFFTAG_JPEGIFOFFSET:
		94	+ case TIFFTAG_JPEGIFBYTECOUNT:
		95	+ case TIFFTAG_JPEGQTABLES:
		96	+ case TIFFTAG_JPEGDCTABLES:
		97	+ case TIFFTAG_JPEGACTABLES:
		98	+ case TIFFTAG_JPEGPROC:
		99	+ case TIFFTAG_JPEGRESTARTINTERVAL:
		100	+ /* CCITT* */
		101	+ case TIFFTAG_BADFAXLINES:
		102	+ case TIFFTAG_CLEANFAXDATA:
		103	+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
		104	+ case TIFFTAG_GROUP3OPTIONS:
		105	+ case TIFFTAG_GROUP4OPTIONS:
		106	+ break;
		107	+ default:
		108	+ return 1;
		109	+ }
		110	+ /* Check if codec specific tags are allowed for the current
		111	+ * compression scheme (codec) */
		112	+ switch (tif->tif_dir.td_compression) {
		113	+ case COMPRESSION_LZW:
		114	+ if (tag == TIFFTAG_PREDICTOR)
		115	+ return 1;
		116	+ break;
		117	+ case COMPRESSION_PACKBITS:
		118	+ /* No codec-specific tags */
		119	+ break;
		120	+ case COMPRESSION_THUNDERSCAN:
		121	+ /* No codec-specific tags */
		122	+ break;
		123	+ case COMPRESSION_NEXT:
		124	+ /* No codec-specific tags */
		125	+ break;
		126	+ case COMPRESSION_JPEG:
		127	+ if (tag == TIFFTAG_JPEGTABLES)
		128	+ return 1;
		129	+ break;
		130	+ case COMPRESSION_OJPEG:
		131	+ switch (tag) {
		132	+ case TIFFTAG_JPEGIFOFFSET:
		133	+ case TIFFTAG_JPEGIFBYTECOUNT:
		134	+ case TIFFTAG_JPEGQTABLES:
		135	+ case TIFFTAG_JPEGDCTABLES:
		136	+ case TIFFTAG_JPEGACTABLES:
		137	+ case TIFFTAG_JPEGPROC:
		138	+ case TIFFTAG_JPEGRESTARTINTERVAL:
		139	+ return 1;
		140	+ }
		141	+ break;
		142	+ case COMPRESSION_CCITTRLE:
		143	+ case COMPRESSION_CCITTRLEW:
		144	+ case COMPRESSION_CCITTFAX3:
		145	+ case COMPRESSION_CCITTFAX4:
		146	+ switch (tag) {
		147	+ case TIFFTAG_BADFAXLINES:
		148	+ case TIFFTAG_CLEANFAXDATA:
		149	+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
		150	+ return 1;
		151	+ case TIFFTAG_GROUP3OPTIONS:
		152	+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
		153	+ return 1;
		154	+ break;
		155	+ case TIFFTAG_GROUP4OPTIONS:
		156	+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
		157	+ return 1;
		158	+ break;
		159	+ }
		160	+ break;
		161	+ case COMPRESSION_JBIG:
		162	+ /* No codec-specific tags */
		163	+ break;
		164	+ case COMPRESSION_DEFLATE:
		165	+ case COMPRESSION_ADOBE_DEFLATE:
		166	+ if (tag == TIFFTAG_PREDICTOR)
		167	+ return 1;
		168	+ break;
		169	+ case COMPRESSION_PIXARLOG:
		170	+ if (tag == TIFFTAG_PREDICTOR)
		171	+ return 1;
		172	+ break;
		173	+ case COMPRESSION_SGILOG:
		174	+ case COMPRESSION_SGILOG24:
		175	+ /* No codec-specific tags */
		176	+ break;
		177	+ case COMPRESSION_LZMA:
		178	+ if (tag == TIFFTAG_PREDICTOR)
		179	+ return 1;
		180	+ break;
		181	+
		182	+ }
		183	+ return 0;
		184	+}
		185	+
		186	/* vim: set ts=8 sts=8 sw=8 noet: */
		187
		188	/*
		189	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		190	index 1d4f0b9..f1dc3d7 100644
		191	--- a/libtiff/tif_dirread.c
		192	+++ b/libtiff/tif_dirread.c
		193	@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)
		194	goto bad;
		195	dp->tdir_tag=IGNORE;
		196	break;
		197	+ default:
		198	+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
		199	+ dp->tdir_tag=IGNORE;
		200	+ break;
		201	}
		202	}
		203	}
		204	--
		205	2.7.4
		206


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch new file mode 100644 index 0000000000..fc99363284 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch
@@ -0,0 +1,49 @@
		1	From 62efea76592647426deec5592fd7274d5c950646 Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Mon, 26 Jun 2017 15:19:59 +0000
		4	Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of
		5	JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported
		6	by team OWL337
		7
		8	* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
		9
		10	Upstream-Status: Backport
		11	[https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a]
		12
		13	CVE: CVE-2017-9936
		14
		15	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		16	---
		17	ChangeLog \| 6 ++++++
		18	libtiff/tif_jbig.c \| 1 +
		19	2 files changed, 7 insertions(+)
		20
		21	diff --git a/ChangeLog b/ChangeLog
		22	index 5739292..0240f0b 100644
		23	--- a/ChangeLog
		24	+++ b/ChangeLog
		25	@@ -1,3 +1,9 @@
		26	+2017-06-26 Even Rouault <even.rouault at spatialys.com>
		27	+
		28	+ * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
		29	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
		30	+ Reported by team OWL337
		31	+
		32	2017-06-01 Even Rouault <even.rouault at spatialys.com>
		33
		34	* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
		35	diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
		36	index 5f5f75e..c75f31d 100644
		37	--- a/libtiff/tif_jbig.c
		38	+++ b/libtiff/tif_jbig.c
		39	@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
		40	jbg_strerror(decodeStatus)
		41	#endif
		42	);
		43	+ jbg_dec_free(&decoder);
		44	return 0;
		45	}
		46
		47	--
		48	2.7.4
		49


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb index 4a7aeccd23..c8ad5d5c06 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
@@ -6,6 +6,10 @@ CVE_PRODUCT = "libtiff"
6		6
7	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	7	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
8	file://libtool2.patch \	8	file://libtool2.patch \
		9	file://CVE-2017-9147.patch \
		10	file://CVE-2017-9936.patch \
		11	file://CVE-2017-10688.patch \
		12	file://CVE-2017-11335.patch \
9	"	13	"
10		14
11	SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b"	15	SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b"