tiff: Security fix CVE-2017-13726 and CVE-2017-13727

References: https://nvd.nist.gov/vuln/detail/CVE-2017-13726 https://nvd.nist.gov/vuln/detail/CVE-2017-13727 Patches from: CVE-2017-13726: https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e CVE-2017-13727: https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc (From OE-Core rev: 8dc9d74b7e6816f59eb61dcda6a93c0753a5e4ab) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2017-09-21 11:21:39 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-09-22 17:15:30 +0100
commit: 89c81eedcaf45eecad9e5b20214d89e15db310c7 (patch)
tree: 932a300156e1be7994c0b1aa6d05ed4c205287e9 /meta/recipes-multimedia/libtiff
parent: 141bfb844ed3d36a873a6514ba28964d42fec70c (diff)
download: poky-89c81eedcaf45eecad9e5b20214d89e15db310c7.tar.gz
3 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
new file mode 100644
index 0000000000..c60ffa698d
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
@@ -0,0 +1,54 @@
+From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 23 Aug 2017 13:21:41 +0000
+Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not
+ finding the SubIFD tag by runtime check. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e]
+CVE: CVE-2017-13726
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog              | 7 +++++++
+ libtiff/tif_dirwrite.c | 7 ++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+diff --git a/ChangeLog b/ChangeLog
+index 6980da8..3e299d9 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,10 @@
+2017-08-23  Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_dirwrite.c: replace assertion related to not finding the
+       SubIFD tag by runtime check.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
+       Reported by team OWL337
+
+ 2017-07-15  Even Rouault <even.rouault at spatialys.com>
+ 
+        * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 8d6686b..14090ae 100644
+--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
+@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+                        TIFFDirEntry* nb;
+                        for (na=0, nb=dir; ; na++, nb++)
+                        {
+-                               assert(na<ndir);
+                               if( na == ndir )
+                                {
+                                    TIFFErrorExt(tif->tif_clientdata,module,
+                                                 "Cannot find SubIFD tag");
+                                    goto bad;
+                                }
+                                if (nb->tdir_tag==TIFFTAG_SUBIFD)
+                                        break;
+                        }
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
new file mode 100644
index 0000000000..e228c2f17c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
@@ -0,0 +1,65 @@
+From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 23 Aug 2017 13:33:42 +0000
+Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
+ fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
+ TIFFWriteDirectoryTagSubifd()). Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
+SubIFD tag by runtime check (in TIFFWriteDirectorySec())
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
+CVE: CVE-2017-13727
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog              | 10 +++++++++-
+ libtiff/tif_dirwrite.c |  9 ++++++++-
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 3e299d9..8f5efe9 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,7 +1,15 @@
+ 2017-08-23  Even Rouault <even.rouault at spatialys.com>
+ 
+       * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
+       on uint32 when selecting the value of SubIFD tag by runtime check
+       (in TIFFWriteDirectoryTagSubifd()).
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
+       Reported by team OWL337
+
+2017-08-23  Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_dirwrite.c: replace assertion related to not finding the
+-       SubIFD tag by runtime check.
+       SubIFD tag by runtime check (in TIFFWriteDirectorySec())
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
+        Reported by team OWL337
+ 
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 14090ae..f0a4baa 100644
+--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
+@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
+                for (p=0; p < tif->tif_dir.td_nsubifd; p++)
+                {
+                         assert(pa != 0);
+-                       assert(*pa <= 0xFFFFFFFFUL);
+
+                        /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
+                        if( *pa > 0xFFFFFFFFUL)
+                        {
+                            TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
+                            _TIFFfree(o);
+                            return(0);
+                        }
+                        *pb++=(uint32)(*pa++);
+                }
+                n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
index c8ad5d5c06..cb91baa607 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
@@ -10,6 +10,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2017-9936.patch \
           file://CVE-2017-10688.patch \
           file://CVE-2017-11335.patch \
+           file://CVE-2017-13726.patch \
+           file://CVE-2017-13727.patch \
          "
 SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b"
author	Yi Zhao <yi.zhao@windriver.com>	2017-09-21 11:21:39 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-09-22 17:15:30 +0100
commit	89c81eedcaf45eecad9e5b20214d89e15db310c7 (patch)
tree	932a300156e1be7994c0b1aa6d05ed4c205287e9 /meta/recipes-multimedia/libtiff
parent	141bfb844ed3d36a873a6514ba28964d42fec70c (diff)
download	poky-89c81eedcaf45eecad9e5b20214d89e15db310c7.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch new file mode 100644 index 0000000000..c60ffa698d --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
@@ -0,0 +1,54 @@
		1	From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Wed, 23 Aug 2017 13:21:41 +0000
		4	Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not
		5	finding the SubIFD tag by runtime check. Fixes
		6	http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337
		7
		8	Upstream-Status: Backport
		9	[https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e]
		10
		11	CVE: CVE-2017-13726
		12
		13	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		14	---
		15	ChangeLog \| 7 +++++++
		16	libtiff/tif_dirwrite.c \| 7 ++++++-
		17	2 files changed, 13 insertions(+), 1 deletion(-)
		18
		19	diff --git a/ChangeLog b/ChangeLog
		20	index 6980da8..3e299d9 100644
		21	--- a/ChangeLog
		22	+++ b/ChangeLog
		23	@@ -1,3 +1,10 @@
		24	+2017-08-23 Even Rouault <even.rouault at spatialys.com>
		25	+
		26	+ * libtiff/tif_dirwrite.c: replace assertion related to not finding the
		27	+ SubIFD tag by runtime check.
		28	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
		29	+ Reported by team OWL337
		30	+
		31	2017-07-15 Even Rouault <even.rouault at spatialys.com>
		32
		33	* tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
		34	diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
		35	index 8d6686b..14090ae 100644
		36	--- a/libtiff/tif_dirwrite.c
		37	+++ b/libtiff/tif_dirwrite.c
		38	@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
		39	TIFFDirEntry* nb;
		40	for (na=0, nb=dir; ; na++, nb++)
		41	{
		42	- assert(na<ndir);
		43	+ if( na == ndir )
		44	+ {
		45	+ TIFFErrorExt(tif->tif_clientdata,module,
		46	+ "Cannot find SubIFD tag");
		47	+ goto bad;
		48	+ }
		49	if (nb->tdir_tag==TIFFTAG_SUBIFD)
		50	break;
		51	}
		52	--
		53	2.7.4
		54


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch new file mode 100644 index 0000000000..e228c2f17c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
@@ -0,0 +1,65 @@
		1	From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Wed, 23 Aug 2017 13:33:42 +0000
		4	Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
		5	fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
		6	TIFFWriteDirectoryTagSubifd()). Fixes
		7	http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
		8
		9	SubIFD tag by runtime check (in TIFFWriteDirectorySec())
		10
		11	Upstream-Status: Backport
		12	[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
		13
		14	CVE: CVE-2017-13727
		15
		16	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		17	---
		18	ChangeLog \| 10 +++++++++-
		19	libtiff/tif_dirwrite.c \| 9 ++++++++-
		20	2 files changed, 17 insertions(+), 2 deletions(-)
		21
		22	diff --git a/ChangeLog b/ChangeLog
		23	index 3e299d9..8f5efe9 100644
		24	--- a/ChangeLog
		25	+++ b/ChangeLog
		26	@@ -1,7 +1,15 @@
		27	2017-08-23 Even Rouault <even.rouault at spatialys.com>
		28
		29	+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
		30	+ on uint32 when selecting the value of SubIFD tag by runtime check
		31	+ (in TIFFWriteDirectoryTagSubifd()).
		32	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
		33	+ Reported by team OWL337
		34	+
		35	+2017-08-23 Even Rouault <even.rouault at spatialys.com>
		36	+
		37	* libtiff/tif_dirwrite.c: replace assertion related to not finding the
		38	- SubIFD tag by runtime check.
		39	+ SubIFD tag by runtime check (in TIFFWriteDirectorySec())
		40	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
		41	Reported by team OWL337
		42
		43	diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
		44	index 14090ae..f0a4baa 100644
		45	--- a/libtiff/tif_dirwrite.c
		46	+++ b/libtiff/tif_dirwrite.c
		47	@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
		48	for (p=0; p < tif->tif_dir.td_nsubifd; p++)
		49	{
		50	assert(pa != 0);
		51	- assert(*pa <= 0xFFFFFFFFUL);
		52	+
		53	+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
		54	+ if( *pa > 0xFFFFFFFFUL)
		55	+ {
		56	+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
		57	+ _TIFFfree(o);
		58	+ return(0);
		59	+ }
		60	pb++=(uint32)(pa++);
		61	}
		62	n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
		63	--
		64	2.7.4
		65


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb index c8ad5d5c06..cb91baa607 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
@@ -10,6 +10,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
10	file://CVE-2017-9936.patch \	10	file://CVE-2017-9936.patch \
11	file://CVE-2017-10688.patch \	11	file://CVE-2017-10688.patch \
12	file://CVE-2017-11335.patch \	12	file://CVE-2017-11335.patch \
		13	file://CVE-2017-13726.patch \
		14	file://CVE-2017-13727.patch \
13	"	15	"
14		16
15	SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b"	17	SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b"