libtiff: Security fix CVE-2015-8664 and 8683

CVE-2015-8665 CVE-2015-8683 (From OE-Core rev: 49008750ece710201701a6f413537c857190798a) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-04-26 13:19:44 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-05-14 09:40:16 +0100
commit: 2ef5feeb3d50203a5754308c2e1c16a9388802bf (patch)
tree: 70194332e4894620933e3ff2107ea4f77834f9e1 /meta/recipes-multimedia/libtiff
parent: a201edefaecaa87eaf7e5f265c2317f7d12202a9 (diff)
download: poky-2ef5feeb3d50203a5754308c2e1c16a9388802bf.tar.gz
2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
new file mode 100644
index 0000000000..9814d24137
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
@@ -0,0 +1,137 @@
+From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 26 Dec 2015 17:32:03 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
+ TIFFRGBAImage interface in case of unsupported values of
+ SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
+ TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
+ limingxing and CVE-2015-8683 reported by zzf of Alibaba.
+Upstream-Status: Backport
+CVE: CVE-2015-8665
+CVE: CVE-2015-8683
+https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog              |  8 ++++++++
+ libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
+ 2 files changed, 30 insertions(+), 13 deletions(-)
+Index: tiff-4.0.4/libtiff/tif_getimage.c
+===================================================================
+--- tiff-4.0.4.orig/libtiff/tif_getimage.c
+++ tiff-4.0.4/libtiff/tif_getimage.c
+@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
+                                    "Planarconfiguration", td->td_planarconfig);
+                                return (0);
+                        }
+-                       if( td->td_samplesperpixel != 3 )
+                       if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d",
+-                        "Samples/pixel", td->td_samplesperpixel);
+                        "Sorry, can not handle image with %s=%d, %s=%d",
+                        "Samples/pixel", td->td_samplesperpixel,
+                        "colorchannels", colorchannels);
+                 return 0;
+             }
+                        break;
+                case PHOTOMETRIC_CIELAB:
+-            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
+            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d and %s=%d",
+                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+                         "Samples/pixel", td->td_samplesperpixel,
+                        "colorchannels", colorchannels,
+                         "Bits/sample", td->td_bitspersample);
+                 return 0;
+             }
+@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
+        int colorchannels;
+        uint16 *red_orig, *green_orig, *blue_orig;
+        int n_color;
+       
+       if( !TIFFRGBAImageOK(tif, emsg) )
+               return 0;
+ 
+        /* Initialize to normal values */
+        img->row_offset = 0;
+@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
+                case PHOTOMETRIC_RGB:
+                        switch (img->bitspersample) {
+                                case 8:
+-                                       if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
+                                       if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
+                                               img->samplesperpixel >= 4)
+                                                img->put.contig = putRGBAAcontig8bittile;
+-                                       else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
+                                       else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
+                                                        img->samplesperpixel >= 4)
+                                        {
+                                                if (BuildMapUaToAa(img))
+                                                        img->put.contig = putRGBUAcontig8bittile;
+                                        }
+-                                       else
+                                       else if( img->samplesperpixel >= 3 )
+                                                img->put.contig = putRGBcontig8bittile;
+                                        break;
+                                case 16:
+-                                       if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
+                                       if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
+                                               img->samplesperpixel >=4 )
+                                        {
+                                                if (BuildMapBitdepth16To8(img))
+                                                        img->put.contig = putRGBAAcontig16bittile;
+                                        }
+-                                       else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
+                                       else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
+                                                        img->samplesperpixel >=4 )
+                                        {
+                                                if (BuildMapBitdepth16To8(img) &&
+                                                    BuildMapUaToAa(img))
+                                                        img->put.contig = putRGBUAcontig16bittile;
+                                        }
+-                                       else
+                                       else if( img->samplesperpixel >=3 )
+                                        {
+                                                if (BuildMapBitdepth16To8(img))
+                                                        img->put.contig = putRGBcontig16bittile;
+@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
+                        }
+                        break;
+                case PHOTOMETRIC_SEPARATED:
+-                       if (buildMap(img)) {
+                       if (img->samplesperpixel >=4 && buildMap(img)) {
+                                if (img->bitspersample == 8) {
+                                        if (!img->Map)
+                                                img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
+                        }
+                        break;
+                case PHOTOMETRIC_CIELAB:
+-                       if (buildMap(img)) {
+                       if (img->samplesperpixel == 3 && buildMap(img)) {
+                                if (img->bitspersample == 8)
+                                        img->put.contig = initCIELabConversion(img);
+                                break;
+Index: tiff-4.0.4/ChangeLog
+===================================================================
+--- tiff-4.0.4.orig/ChangeLog
+++ tiff-4.0.4/ChangeLog
+@@ -1,3 +1,11 @@
+2015-12-26  Even Rouault <even.rouault at spatialys.com>
+
+   * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+   interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+   for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+   TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+   CVE-2015-8683 reported by zzf of Alibaba.
+
+ 2015-12-27  Even Rouault <even.rouault at spatialys.com>
+ 
+    * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
index f1f5a7e8e0..69bcb2c930 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
@@ -7,6 +7,7 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
           file://libtool2.patch \
           file://CVE-2015-8781.patch \
           file://CVE-2015-8784.patch \
+           file://CVE-2015-8665_8683.patch \
          "
 SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900"
author	Armin Kuster <akuster@mvista.com>	2016-04-26 13:19:44 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-05-14 09:40:16 +0100
commit	2ef5feeb3d50203a5754308c2e1c16a9388802bf (patch)
tree	70194332e4894620933e3ff2107ea4f77834f9e1 /meta/recipes-multimedia/libtiff
parent	a201edefaecaa87eaf7e5f265c2317f7d12202a9 (diff)
download	poky-2ef5feeb3d50203a5754308c2e1c16a9388802bf.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch new file mode 100644 index 0000000000..9814d24137 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
@@ -0,0 +1,137 @@
		1	From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Sat, 26 Dec 2015 17:32:03 +0000
		4	Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
		5	TIFFRGBAImage interface in case of unsupported values of
		6	SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
		7	TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
		8	limingxing and CVE-2015-8683 reported by zzf of Alibaba.
		9
		10	Upstream-Status: Backport
		11	CVE: CVE-2015-8665
		12	CVE: CVE-2015-8683
		13	https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
		14
		15	Signed-off-by: Armin Kuster <akuster@mvista.com>
		16
		17	---
		18	ChangeLog \| 8 ++++++++
		19	libtiff/tif_getimage.c \| 35 ++++++++++++++++++++++-------------
		20	2 files changed, 30 insertions(+), 13 deletions(-)
		21
		22	Index: tiff-4.0.4/libtiff/tif_getimage.c
		23	===================================================================
		24	--- tiff-4.0.4.orig/libtiff/tif_getimage.c
		25	+++ tiff-4.0.4/libtiff/tif_getimage.c
		26	@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
		27	"Planarconfiguration", td->td_planarconfig);
		28	return (0);
		29	}
		30	- if( td->td_samplesperpixel != 3 )
		31	+ if( td->td_samplesperpixel != 3 \|\| colorchannels != 3 )
		32	{
		33	sprintf(emsg,
		34	- "Sorry, can not handle image with %s=%d",
		35	- "Samples/pixel", td->td_samplesperpixel);
		36	+ "Sorry, can not handle image with %s=%d, %s=%d",
		37	+ "Samples/pixel", td->td_samplesperpixel,
		38	+ "colorchannels", colorchannels);
		39	return 0;
		40	}
		41	break;
		42	case PHOTOMETRIC_CIELAB:
		43	- if( td->td_samplesperpixel != 3 \|\| td->td_bitspersample != 8 )
		44	+ if( td->td_samplesperpixel != 3 \|\| colorchannels != 3 \|\| td->td_bitspersample != 8 )
		45	{
		46	sprintf(emsg,
		47	- "Sorry, can not handle image with %s=%d and %s=%d",
		48	+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
		49	"Samples/pixel", td->td_samplesperpixel,
		50	+ "colorchannels", colorchannels,
		51	"Bits/sample", td->td_bitspersample);
		52	return 0;
		53	}
		54	@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
		55	int colorchannels;
		56	uint16 red_orig, green_orig, *blue_orig;
		57	int n_color;
		58	+
		59	+ if( !TIFFRGBAImageOK(tif, emsg) )
		60	+ return 0;
		61
		62	/* Initialize to normal values */
		63	img->row_offset = 0;
		64	@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
		65	case PHOTOMETRIC_RGB:
		66	switch (img->bitspersample) {
		67	case 8:
		68	- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
		69	+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
		70	+ img->samplesperpixel >= 4)
		71	img->put.contig = putRGBAAcontig8bittile;
		72	- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
		73	+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
		74	+ img->samplesperpixel >= 4)
		75	{
		76	if (BuildMapUaToAa(img))
		77	img->put.contig = putRGBUAcontig8bittile;
		78	}
		79	- else
		80	+ else if( img->samplesperpixel >= 3 )
		81	img->put.contig = putRGBcontig8bittile;
		82	break;
		83	case 16:
		84	- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
		85	+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
		86	+ img->samplesperpixel >=4 )
		87	{
		88	if (BuildMapBitdepth16To8(img))
		89	img->put.contig = putRGBAAcontig16bittile;
		90	}
		91	- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
		92	+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
		93	+ img->samplesperpixel >=4 )
		94	{
		95	if (BuildMapBitdepth16To8(img) &&
		96	BuildMapUaToAa(img))
		97	img->put.contig = putRGBUAcontig16bittile;
		98	}
		99	- else
		100	+ else if( img->samplesperpixel >=3 )
		101	{
		102	if (BuildMapBitdepth16To8(img))
		103	img->put.contig = putRGBcontig16bittile;
		104	@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
		105	}
		106	break;
		107	case PHOTOMETRIC_SEPARATED:
		108	- if (buildMap(img)) {
		109	+ if (img->samplesperpixel >=4 && buildMap(img)) {
		110	if (img->bitspersample == 8) {
		111	if (!img->Map)
		112	img->put.contig = putRGBcontig8bitCMYKtile;
		113	@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
		114	}
		115	break;
		116	case PHOTOMETRIC_CIELAB:
		117	- if (buildMap(img)) {
		118	+ if (img->samplesperpixel == 3 && buildMap(img)) {
		119	if (img->bitspersample == 8)
		120	img->put.contig = initCIELabConversion(img);
		121	break;
		122	Index: tiff-4.0.4/ChangeLog
		123	===================================================================
		124	--- tiff-4.0.4.orig/ChangeLog
		125	+++ tiff-4.0.4/ChangeLog
		126	@@ -1,3 +1,11 @@
		127	+2015-12-26 Even Rouault <even.rouault at spatialys.com>
		128	+
		129	+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
		130	+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
		131	+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
		132	+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
		133	+ CVE-2015-8683 reported by zzf of Alibaba.
		134	+
		135	2015-12-27 Even Rouault <even.rouault at spatialys.com>
		136
		137	* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb index f1f5a7e8e0..69bcb2c930 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.4.bb
@@ -7,6 +7,7 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
7	file://libtool2.patch \	7	file://libtool2.patch \
8	file://CVE-2015-8781.patch \	8	file://CVE-2015-8781.patch \
9	file://CVE-2015-8784.patch \	9	file://CVE-2015-8784.patch \
		10	file://CVE-2015-8665_8683.patch \
10	"	11	"
11		12
12	SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900"	13	SRC_URI[md5sum] = "9aee7107408a128c0c7b24286c0db900"