summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff
diff options
context:
space:
mode:
authorYi Zhao <yi.zhao@windriver.com>2017-09-21 11:21:39 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-09-22 17:15:30 +0100
commit89c81eedcaf45eecad9e5b20214d89e15db310c7 (patch)
tree932a300156e1be7994c0b1aa6d05ed4c205287e9 /meta/recipes-multimedia/libtiff
parent141bfb844ed3d36a873a6514ba28964d42fec70c (diff)
downloadpoky-89c81eedcaf45eecad9e5b20214d89e15db310c7.tar.gz
tiff: Security fix CVE-2017-13726 and CVE-2017-13727
References: https://nvd.nist.gov/vuln/detail/CVE-2017-13726 https://nvd.nist.gov/vuln/detail/CVE-2017-13727 Patches from: CVE-2017-13726: https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e CVE-2017-13727: https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc (From OE-Core rev: 8dc9d74b7e6816f59eb61dcda6a93c0753a5e4ab) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch54
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch65
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.8.bb2
3 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
new file mode 100644
index 0000000000..c60ffa698d
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
@@ -0,0 +1,54 @@
1From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Wed, 23 Aug 2017 13:21:41 +0000
4Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not
5 finding the SubIFD tag by runtime check. Fixes
6 http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337
7
8Upstream-Status: Backport
9[https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e]
10
11CVE: CVE-2017-13726
12
13Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
14---
15 ChangeLog | 7 +++++++
16 libtiff/tif_dirwrite.c | 7 ++++++-
17 2 files changed, 13 insertions(+), 1 deletion(-)
18
19diff --git a/ChangeLog b/ChangeLog
20index 6980da8..3e299d9 100644
21--- a/ChangeLog
22+++ b/ChangeLog
23@@ -1,3 +1,10 @@
24+2017-08-23 Even Rouault <even.rouault at spatialys.com>
25+
26+ * libtiff/tif_dirwrite.c: replace assertion related to not finding the
27+ SubIFD tag by runtime check.
28+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
29+ Reported by team OWL337
30+
31 2017-07-15 Even Rouault <even.rouault at spatialys.com>
32
33 * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
34diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
35index 8d6686b..14090ae 100644
36--- a/libtiff/tif_dirwrite.c
37+++ b/libtiff/tif_dirwrite.c
38@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
39 TIFFDirEntry* nb;
40 for (na=0, nb=dir; ; na++, nb++)
41 {
42- assert(na<ndir);
43+ if( na == ndir )
44+ {
45+ TIFFErrorExt(tif->tif_clientdata,module,
46+ "Cannot find SubIFD tag");
47+ goto bad;
48+ }
49 if (nb->tdir_tag==TIFFTAG_SUBIFD)
50 break;
51 }
52--
532.7.4
54
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
new file mode 100644
index 0000000000..e228c2f17c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
@@ -0,0 +1,65 @@
1From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Wed, 23 Aug 2017 13:33:42 +0000
4Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
5 fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
6 TIFFWriteDirectoryTagSubifd()). Fixes
7 http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
8
9SubIFD tag by runtime check (in TIFFWriteDirectorySec())
10
11Upstream-Status: Backport
12[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
13
14CVE: CVE-2017-13727
15
16Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
17---
18 ChangeLog | 10 +++++++++-
19 libtiff/tif_dirwrite.c | 9 ++++++++-
20 2 files changed, 17 insertions(+), 2 deletions(-)
21
22diff --git a/ChangeLog b/ChangeLog
23index 3e299d9..8f5efe9 100644
24--- a/ChangeLog
25+++ b/ChangeLog
26@@ -1,7 +1,15 @@
27 2017-08-23 Even Rouault <even.rouault at spatialys.com>
28
29+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
30+ on uint32 when selecting the value of SubIFD tag by runtime check
31+ (in TIFFWriteDirectoryTagSubifd()).
32+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
33+ Reported by team OWL337
34+
35+2017-08-23 Even Rouault <even.rouault at spatialys.com>
36+
37 * libtiff/tif_dirwrite.c: replace assertion related to not finding the
38- SubIFD tag by runtime check.
39+ SubIFD tag by runtime check (in TIFFWriteDirectorySec())
40 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
41 Reported by team OWL337
42
43diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
44index 14090ae..f0a4baa 100644
45--- a/libtiff/tif_dirwrite.c
46+++ b/libtiff/tif_dirwrite.c
47@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
48 for (p=0; p < tif->tif_dir.td_nsubifd; p++)
49 {
50 assert(pa != 0);
51- assert(*pa <= 0xFFFFFFFFUL);
52+
53+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
54+ if( *pa > 0xFFFFFFFFUL)
55+ {
56+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
57+ _TIFFfree(o);
58+ return(0);
59+ }
60 *pb++=(uint32)(*pa++);
61 }
62 n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
63--
642.7.4
65
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
index c8ad5d5c06..cb91baa607 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
@@ -10,6 +10,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
10 file://CVE-2017-9936.patch \ 10 file://CVE-2017-9936.patch \
11 file://CVE-2017-10688.patch \ 11 file://CVE-2017-10688.patch \
12 file://CVE-2017-11335.patch \ 12 file://CVE-2017-11335.patch \
13 file://CVE-2017-13726.patch \
14 file://CVE-2017-13727.patch \
13 " 15 "
14 16
15SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b" 17SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b"