diff options
author | Zhixiong Chi <zhixiong.chi@windriver.com> | 2016-11-14 17:46:52 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-23 11:10:12 +0000 |
commit | bfbed355df55ca55ea9cf952aad8afc088e7f094 (patch) | |
tree | b0efaf10647b0c6a1eb14557221eaf5301d716e1 /meta/recipes-multimedia | |
parent | 69a8784b7922f6d7bca3c462d61f8c8c289a0526 (diff) | |
download | poky-bfbed355df55ca55ea9cf952aad8afc088e7f094.tar.gz |
tiff: Security fix CVE-2016-3658
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool
allows remote attackers to cause a denial of service (out-of-bounds read) via vectors
involving the ma variable.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658
http://bugzilla.maptools.org/show_bug.cgi?id=2546
Patch from:
https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
(From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch | 111 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 |
2 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch new file mode 100644 index 0000000000..6cb12f2907 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch | |||
@@ -0,0 +1,111 @@ | |||
1 | From: 45c68450bef8ad876f310b495165c513cad8b67d | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | |||
4 | * libtiff/tif_dir.c: discard values of SMinSampleValue and | ||
5 | SMaxSampleValue when they have been read and the value of | ||
6 | SamplesPerPixel is changed afterwards (like when reading a | ||
7 | OJPEG compressed image with a missing SamplesPerPixel tag, | ||
8 | and whose photometric is RGB or YCbCr, forcing SamplesPerPixel | ||
9 | being 3). Otherwise when rewriting the directory (for example | ||
10 | with tiffset, we will expect 3 values whereas the array had been | ||
11 | allocated with just one), thus causing a out of bound read access. | ||
12 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 | ||
13 | (CVE-2014-8127, duplicate: CVE-2016-3658) | ||
14 | |||
15 | * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset | ||
16 | when writing directory, if FIELD_STRIPOFFSETS was artificially set | ||
17 | for a hack case in OJPEG case. | ||
18 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 | ||
19 | (CVE-2014-8127, duplicate: CVE-2016-3658) | ||
20 | |||
21 | CVE: CVE-2016-3658 | ||
22 | Upstream-Status: Backport | ||
23 | https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d | ||
24 | |||
25 | Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com> | ||
26 | |||
27 | Index: tiff-4.0.6/ChangeLog | ||
28 | =================================================================== | ||
29 | --- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800 | ||
30 | +++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800 | ||
31 | @@ -1,3 +1,22 @@ | ||
32 | +2016-10-25 Even Rouault <even.rouault at spatialys.com> | ||
33 | + | ||
34 | + * libtiff/tif_dir.c: discard values of SMinSampleValue and | ||
35 | + SMaxSampleValue when they have been read and the value of | ||
36 | + SamplesPerPixel is changed afterwards (like when reading a | ||
37 | + OJPEG compressed image with a missing SamplesPerPixel tag, | ||
38 | + and whose photometric is RGB or YCbCr, forcing SamplesPerPixel | ||
39 | + being 3). Otherwise when rewriting the directory (for example | ||
40 | + with tiffset, we will expect 3 values whereas the array had been | ||
41 | + allocated with just one), thus causing a out of bound read access. | ||
42 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 | ||
43 | + (CVE-2014-8127, duplicate: CVE-2016-3658) | ||
44 | + | ||
45 | + * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset | ||
46 | + when writing directory, if FIELD_STRIPOFFSETS was artificially set | ||
47 | + for a hack case in OJPEG case. | ||
48 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 | ||
49 | + (CVE-2014-8127, duplicate: CVE-2016-3658) | ||
50 | + | ||
51 | 2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | ||
52 | |||
53 | * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to | ||
54 | Index: tiff-4.0.6/libtiff/tif_dir.c | ||
55 | =================================================================== | ||
56 | --- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800 | ||
57 | +++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800 | ||
58 | @@ -254,6 +254,28 @@ | ||
59 | v = (uint16) va_arg(ap, uint16_vap); | ||
60 | if (v == 0) | ||
61 | goto badvalue; | ||
62 | + if( v != td->td_samplesperpixel ) | ||
63 | + { | ||
64 | + /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */ | ||
65 | + if( td->td_sminsamplevalue != NULL ) | ||
66 | + { | ||
67 | + TIFFWarningExt(tif->tif_clientdata,module, | ||
68 | + "SamplesPerPixel tag value is changing, " | ||
69 | + "but SMinSampleValue tag was read with a different value. Cancelling it"); | ||
70 | + TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE); | ||
71 | + _TIFFfree(td->td_sminsamplevalue); | ||
72 | + td->td_sminsamplevalue = NULL; | ||
73 | + } | ||
74 | + if( td->td_smaxsamplevalue != NULL ) | ||
75 | + { | ||
76 | + TIFFWarningExt(tif->tif_clientdata,module, | ||
77 | + "SamplesPerPixel tag value is changing, " | ||
78 | + "but SMaxSampleValue tag was read with a different value. Cancelling it"); | ||
79 | + TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE); | ||
80 | + _TIFFfree(td->td_smaxsamplevalue); | ||
81 | + td->td_smaxsamplevalue = NULL; | ||
82 | + } | ||
83 | + } | ||
84 | td->td_samplesperpixel = (uint16) v; | ||
85 | break; | ||
86 | case TIFFTAG_ROWSPERSTRIP: | ||
87 | Index: tiff-4.0.6/libtiff/tif_dirwrite.c | ||
88 | =================================================================== | ||
89 | --- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800 | ||
90 | +++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800 | ||
91 | @@ -542,7 +542,19 @@ | ||
92 | { | ||
93 | if (!isTiled(tif)) | ||
94 | { | ||
95 | - if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) | ||
96 | + /* td_stripoffset might be NULL in an odd OJPEG case. See | ||
97 | + * tif_dirread.c around line 3634. | ||
98 | + * XXX: OJPEG hack. | ||
99 | + * If a) compression is OJPEG, b) it's not a tiled TIFF, | ||
100 | + * and c) the number of strips is 1, | ||
101 | + * then we tolerate the absence of stripoffsets tag, | ||
102 | + * because, presumably, all required data is in the | ||
103 | + * JpegInterchangeFormat stream. | ||
104 | + * We can get here when using tiffset on such a file. | ||
105 | + * See http://bugzilla.maptools.org/show_bug.cgi?id=2500 | ||
106 | + */ | ||
107 | + if (tif->tif_dir.td_stripoffset != NULL && | ||
108 | + !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) | ||
109 | goto bad; | ||
110 | } | ||
111 | else | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index 796d86e8f8..edd560fa08 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | |||
@@ -15,6 +15,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
15 | file://CVE-2016-3991.patch \ | 15 | file://CVE-2016-3991.patch \ |
16 | file://CVE-2016-3623.patch \ | 16 | file://CVE-2016-3623.patch \ |
17 | file://CVE-2016-3622.patch \ | 17 | file://CVE-2016-3622.patch \ |
18 | file://CVE-2016-3658.patch \ | ||
18 | " | 19 | " |
19 | 20 | ||
20 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" | 21 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" |