authorYi Zhao <yi.zhao@windriver.com>2017-08-22 08:58:35 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-08-23 08:47:03 +0100
commit1a73074d75b8aa12427a3c20f7f40223127e43dd (patch)
tree857d5b8689a77b41edc4c97ae1cb643ad91eb1ee /meta/recipes-multimedia/libtiff/files
parent0e029f75c60d68c643024487f540cde6a0fc345f (diff)
tiff: Security fixes
Fix CVE-2017-9147, CVE-2017-9936, CVE-2017-10668, CVE-2017-11335 References: https://nvd.nist.gov/vuln/detail/CVE-2017-9147 https://nvd.nist.gov/vuln/detail/CVE-2017-9936 https://nvd.nist.gov/vuln/detail/CVE-2017-10668 https://nvd.nist.gov/vuln/detail/CVE-2017-11335 Patches from: CVE-2017-9147: https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06 CVE-2017-9936: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a CVE-2017-10688: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 CVE-2017-11355: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 (From OE-Core rev: 5c89539edb17d01ffe82a1b2e7d092816003ecf3) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch91
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch54
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch206
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch49
4 files changed, 400 insertions, 0 deletions
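--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
@@ -0,0 +1,91 @@
+From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Fri, 30 Jun 2017 17:29:44 +0000
+Subject: [PATCH] * libtiff/tif_dirwrite.c: in
+ TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
+ data type, replace assertion that the file is BigTIFF, by a non-fatal error.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
+ OWL337
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1]
+
+CVE: CVE-2017-10688
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog | 8 ++++++++
+ libtiff/tif_dirwrite.c | 20 ++++++++++++++++----
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 0240f0b..42eaeb7 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,11 @@
++2017-06-30 Even Rouault <even.rouault at spatialys.com>
++
++ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
++ functions associated with LONG8/SLONG8 data type, replace assertion that
++ the file is BigTIFF, by a non-fatal error.
++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
++ Reported by team OWL337
++
+ 2017-06-26 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 2967da5..8d6686b 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
+ {
+ uint64 m;
+ assert(sizeof(uint64)==8);
+- assert(tif->tif_flags&TIFF_BIGTIFF);
++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
++ return(0);
++ }
+ m=value;
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabLong8(&m);
+@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
+ {
+ assert(count<0x20000000);
+ assert(sizeof(uint64)==8);
+- assert(tif->tif_flags&TIFF_BIGTIFF);
++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
++ return(0);
++ }
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabArrayOfLong8(value,count);
+ return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
+@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
+ {
+ int64 m;
+ assert(sizeof(int64)==8);
+- assert(tif->tif_flags&TIFF_BIGTIFF);
++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
++ return(0);
++ }
+ m=value;
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabLong8((uint64*)(&m));
+@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
+ {
+ assert(count<0x20000000);
+ assert(sizeof(int64)==8);
+- assert(tif->tif_flags&TIFF_BIGTIFF);
++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
++ return(0);
++ }
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabArrayOfLong8((uint64*)value,count);
+ return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
+--
+2.7.4
+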
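Review bot: The two array writers, TIFFWriteDirectoryTagCheckedLong8Array and TIFFWriteDirectoryTagCheckedSlong8Array, still bound `count*8` with `assert(count<0x20000000)`, the same assert-on-input pattern this patch removes for the BigTIFF flag. An assert aborts the process in a debug build and vanishes when NDEBUG is defined, so the bound is either a crash or no check at all; a runtime test written like the new guards, starting `if (count >= 0x20000000)` and returning 0 after TIFFErrorExt, would turn it into a non-fatal error. All four new guards also pass "TIFFWriteDirectoryTagCheckedLong8" as the module name, so failures in the Long8Array, Slong8 and Slong8Array paths are logged under the wrong function. Both points are in upstream's code and the function bodies start outside the hunks, so they are best raised upstream rather than changed in this backport.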
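--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
@@ -0,0 +1,54 @@
+From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 15 Jul 2017 11:13:46 +0000
+Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
+ "Raw" mode on PlanarConfig=Contig input images. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556]
+
+CVE: CVE-2017-11355
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog | 7 +++++++
+ tools/tiff2pdf.c | 7 ++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 42eaeb7..6980da8 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-07-15 Even Rouault <even.rouault at spatialys.com>
++
++ * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
++ mode on PlanarConfig=Contig input images.
++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
++ Reported by team OWL337
++
+ 2017-06-30 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index db196e0..cd1e235 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ return;
+
+ t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
+- if(t2p->pdf_nopassthrough==0){
++ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
++ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
++ /* do not take into account the number of samples, and thus */
++ /* that can cause heap buffer overflows such as in */
++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
++ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
+ #ifdef CCITT_SUPPORT
+ if(t2p->tiff_compression==COMPRESSION_CCITTFAX4
+ ){
+--
+2.7.4
+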
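Review bot: The tag in this patch header reads `CVE: CVE-2017-11355`, but the file is named CVE-2017-11335.patch and the commit description links the NVD entry for CVE-2017-11335, so the tag should be `CVE: CVE-2017-11335`. Tooling or audits that read the tag rather than the file name would record a fix for a different id, and the intended one may be reported as still open. The commit description repeats the transposed id in its "Patches from" list, and also writes CVE-2017-10668 where the patch file and its tag say CVE-2017-10688. On the code, the new condition in t2p_read_tiff_data only turns off raw passthrough for PLANARCONFIG_SEPARATE input; going by the added comment, t2p_read_tiff_size and t2p_read_tiff_size_tile still ignore the sample count, so any other path into them is worth checking.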
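--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
@@ -0,0 +1,206 @@
+From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Thu, 1 Jun 2017 12:44:04 +0000
+Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+to behave differently depending on whether the codec is enabled or not, and
+thus can avoid stack based buffer overflows in a number of TIFF utilities
+such as tiffsplit, tiffcmp, thumbnail, etc.
+Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+Fixes:
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+http://bugzilla.maptools.org/show_bug.cgi?id=2693
+http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+http://bugzilla.maptools.org/show_bug.cgi?id=2441
+http://bugzilla.maptools.org/show_bug.cgi?id=2433
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06]
+
+CVE: CVE-2017-9147
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog | 20 ++++++++++
+ libtiff/tif_dir.h | 1 +
+ libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ libtiff/tif_dirread.c | 4 ++
+ 4 files changed, 128 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index ee8d9d0..5739292 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,23 @@
++2017-06-01 Even Rouault <even.rouault at spatialys.com>
++
++ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
++ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
++ codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
++ to behave differently depending on whether the codec is enabled or not, and
++ thus can avoid stack based buffer overflows in a number of TIFF utilities
++ such as tiffsplit, tiffcmp, thumbnail, etc.
++ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
++ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
++ Fixes:
++ http://bugzilla.maptools.org/show_bug.cgi?id=2580
++ http://bugzilla.maptools.org/show_bug.cgi?id=2693
++ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
++ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
++ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
++ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
++ http://bugzilla.maptools.org/show_bug.cgi?id=2441
++ http://bugzilla.maptools.org/show_bug.cgi?id=2433
++
+ 2017-05-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * configure.ac: libtiff 4.0.8 released.
+diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
+index e12b44b..5206be4 100644
+--- a/libtiff/tif_dir.h
++++ b/libtiff/tif_dir.h
+@@ -291,6 +291,7 @@ struct _TIFFField {
+ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
++extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+
+ #if defined(__cplusplus)
+ }
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index 0c8ef42..97c0df0 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
+ return 0;
+ }
+
++int
++_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
++{
++ /* Filter out non-codec specific tags */
++ switch (tag) {
++ /* Shared tags */
++ case TIFFTAG_PREDICTOR:
++ /* JPEG tags */
++ case TIFFTAG_JPEGTABLES:
++ /* OJPEG tags */
++ case TIFFTAG_JPEGIFOFFSET:
++ case TIFFTAG_JPEGIFBYTECOUNT:
++ case TIFFTAG_JPEGQTABLES:
++ case TIFFTAG_JPEGDCTABLES:
++ case TIFFTAG_JPEGACTABLES:
++ case TIFFTAG_JPEGPROC:
++ case TIFFTAG_JPEGRESTARTINTERVAL:
++ /* CCITT* */
++ case TIFFTAG_BADFAXLINES:
++ case TIFFTAG_CLEANFAXDATA:
++ case TIFFTAG_CONSECUTIVEBADFAXLINES:
++ case TIFFTAG_GROUP3OPTIONS:
++ case TIFFTAG_GROUP4OPTIONS:
++ break;
++ default:
++ return 1;
++ }
++ /* Check if codec specific tags are allowed for the current
++ * compression scheme (codec) */
++ switch (tif->tif_dir.td_compression) {
++ case COMPRESSION_LZW:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_PACKBITS:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_THUNDERSCAN:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_NEXT:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_JPEG:
++ if (tag == TIFFTAG_JPEGTABLES)
++ return 1;
++ break;
++ case COMPRESSION_OJPEG:
++ switch (tag) {
++ case TIFFTAG_JPEGIFOFFSET:
++ case TIFFTAG_JPEGIFBYTECOUNT:
++ case TIFFTAG_JPEGQTABLES:
++ case TIFFTAG_JPEGDCTABLES:
++ case TIFFTAG_JPEGACTABLES:
++ case TIFFTAG_JPEGPROC:
++ case TIFFTAG_JPEGRESTARTINTERVAL:
++ return 1;
++ }
++ break;
++ case COMPRESSION_CCITTRLE:
++ case COMPRESSION_CCITTRLEW:
++ case COMPRESSION_CCITTFAX3:
++ case COMPRESSION_CCITTFAX4:
++ switch (tag) {
++ case TIFFTAG_BADFAXLINES:
++ case TIFFTAG_CLEANFAXDATA:
++ case TIFFTAG_CONSECUTIVEBADFAXLINES:
++ return 1;
++ case TIFFTAG_GROUP3OPTIONS:
++ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
++ return 1;
++ break;
++ case TIFFTAG_GROUP4OPTIONS:
++ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
++ return 1;
++ break;
++ }
++ break;
++ case COMPRESSION_JBIG:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_DEFLATE:
++ case COMPRESSION_ADOBE_DEFLATE:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_PIXARLOG:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_SGILOG:
++ case COMPRESSION_SGILOG24:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_LZMA:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++
++ }
++ return 0;
++}
++
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+
+ /*
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 1d4f0b9..f1dc3d7 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)
+ goto bad;
+ dp->tdir_tag=IGNORE;
+ break;
++ default:
++ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
++ dp->tdir_tag=IGNORE;
++ break;
+ }
+ }
+ }
+--
+2.7.4
+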
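Review bot: _TIFFCheckFieldIsValidForCodec keeps two hand-maintained lists of the same tags, and they fail in opposite directions: a tag missing from the first switch returns 1 and is accepted for every codec, while a tag or compression value missing from the second falls through to `return 0` and is ignored. Nothing in the function states this, and the comment `/* Filter out non-codec specific tags */` sits directly above the list of codec-specific ones. A header comment would keep a later codec tag from being added to only one list, for example `/* Returns 1 if tag may be kept for tif's compression scheme, 0 if it must be ignored. Every codec-specific tag must appear in BOTH switches. */`. The check reads tif->tif_dir.td_compression, so the call added in TIFFReadDirectory relies on the compression tag having been processed before that switch runs; that ordering is outside the hunk and worth confirming.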
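--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch
@@ -0,0 +1,49 @@
+From 62efea76592647426deec5592fd7274d5c950646 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 26 Jun 2017 15:19:59 +0000
+Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of
+ JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported
+ by team OWL337
+
+* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a]
+
+CVE: CVE-2017-9936
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog | 6 ++++++
+ libtiff/tif_jbig.c | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index 5739292..0240f0b 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,9 @@
++2017-06-26 Even Rouault <even.rouault at spatialys.com>
++
++ * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
++ Reported by team OWL337
++
+ 2017-06-01 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 5f5f75e..c75f31d 100644
+--- a/libtiff/tif_jbig.c
++++ b/libtiff/tif_jbig.c
+@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ jbg_strerror(decodeStatus)
+ #endif
+ );
++ jbg_dec_free(&decoder);
+ return 0;
+ }
+
+--
+2.7.4
+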
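Review bot: The patch header's second paragraph, `* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg`, stops mid-sentence and names a file that the diffstat below it does not list; only ChangeLog and libtiff/tif_jbig.c change. Either a tif_jpeg.c part of the upstream commit was left out of this backport or the line is a leftover from the upstream message. The header should say which, or drop the line, so a later audit does not assume a tif_jpeg.c fix is present. The added `jbg_dec_free(&decoder);` covers the one error return visible in the hunk; JBIGDecode continues outside it, so other early returns cannot be checked from here.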