diff options
author | Joe Slater <joe.slater@windriver.com> | 2018-07-18 11:24:59 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-07-26 13:16:40 +0100 |
commit | d85feee51c76ee7b530a26272ccdf68a8120cbb3 (patch) | |
tree | 7e6b62c54dcda89435da6adedbc317e3e0344b8f /meta/recipes-multimedia | |
parent | b55f69e9806ceec8072eb8f9e4932acce6ede538 (diff) | |
download | poky-d85feee51c76ee7b530a26272ccdf68a8120cbb3.tar.gz |
tiff: security fix CVE-2018-8905
Buffer overflow described at nvd.nits.gov/vuln/detail/CVE-2018-8905.
(From OE-Core rev: 3f6f2a0619b4e243e6a9e52cee2cdd625ebf6769)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch | 61 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.9.bb | 1 |
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch b/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch new file mode 100644 index 0000000000..962646dbe0 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 12 May 2018 15:32:31 +0200 | ||
4 | Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. | ||
5 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / | ||
6 | CVE-2018-8905 | ||
7 | |||
8 | The fix consists in using the similar code LZWDecode() to validate we | ||
9 | don't write outside of the output buffer. | ||
10 | |||
11 | --- | ||
12 | CVE: CVE-2018-8905 | ||
13 | |||
14 | Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/58a898...] | ||
15 | |||
16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
17 | |||
18 | --- | ||
19 | libtiff/tif_lzw.c | 18 ++++++++++++------ | ||
20 | 1 file changed, 12 insertions(+), 6 deletions(-) | ||
21 | |||
22 | diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c | ||
23 | index 4ccb443..94d85e3 100644 | ||
24 | --- a/libtiff/tif_lzw.c | ||
25 | +++ b/libtiff/tif_lzw.c | ||
26 | @@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) | ||
27 | char *tp; | ||
28 | unsigned char *bp; | ||
29 | int code, nbits; | ||
30 | + int len; | ||
31 | long nextbits, nextdata, nbitsmask; | ||
32 | code_t *codep, *free_entp, *maxcodep, *oldcodep; | ||
33 | |||
34 | @@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) | ||
35 | } while (--occ); | ||
36 | break; | ||
37 | } | ||
38 | - assert(occ >= codep->length); | ||
39 | - op += codep->length; | ||
40 | - occ -= codep->length; | ||
41 | - tp = op; | ||
42 | + len = codep->length; | ||
43 | + tp = op + len; | ||
44 | do { | ||
45 | - *--tp = codep->value; | ||
46 | - } while( (codep = codep->next) != NULL ); | ||
47 | + int t; | ||
48 | + --tp; | ||
49 | + t = codep->value; | ||
50 | + codep = codep->next; | ||
51 | + *tp = (char)t; | ||
52 | + } while (codep && tp > op); | ||
53 | + assert(occ >= len); | ||
54 | + op += len; | ||
55 | + occ -= len; | ||
56 | } else { | ||
57 | *op++ = (char)code; | ||
58 | occ--; | ||
59 | -- | ||
60 | 1.7.9.5 | ||
61 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb index e8e2a119f1..53b2b81ec2 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb | |||
@@ -10,6 +10,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
10 | file://CVE-2017-18013.patch \ | 10 | file://CVE-2017-18013.patch \ |
11 | file://CVE-2018-5784.patch \ | 11 | file://CVE-2018-5784.patch \ |
12 | file://CVE-2018-10963.patch \ | 12 | file://CVE-2018-10963.patch \ |
13 | file://CVE-2018-8905.patch \ | ||
13 | " | 14 | " |
14 | 15 | ||
15 | SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79" | 16 | SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79" |