authorHuang Qiyu <huangqy.fnst@cn.fujitsu.com>2018-01-18 10:29:37 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-01-19 12:37:14 +0000
commit975591a8d6cbea068d52417df0dfdd20aa586175 (patch)
treea356cfaae66b4eff6569d6054acd8604964c9011 /meta
parent6d22e5395408a98d1908a73297f0d07cde7591c7 (diff)
downloadpoky-975591a8d6cbea068d52417df0dfdd20aa586175.tar.gz
tiff: 4.0.8 -> 4.0.9
1.Upgrade tiff from 4.0.8 to 4.0.9. 2.Delete CVE-2017-10688.patch, CVE-2017-11335.patch, CVE-2017-13726.patch, CVE-2017-13727.patch, CVE-2017-9147.patch, CVE-2017-9936.patch, since they are integrated upstream. (From OE-Core rev: df894b523d74f8fd723d1c8fb03f55e46c6af0f5) Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch91
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch54
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch54
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch65
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch206
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch49
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.0.9.bb (renamed from meta/recipes-multimedia/libtiff/tiff_4.0.8.bb)10
7 files changed, 2 insertions, 527 deletions
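diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
deleted file mode 100644
index b0db96949f..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Fri, 30 Jun 2017 17:29:44 +0000
-Subject: [PATCH] * libtiff/tif_dirwrite.c: in
- TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8
- data type, replace assertion that the file is BigTIFF, by a non-fatal error.
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
- OWL337
-
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1]
-
-CVE: CVE-2017-10688
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ChangeLog | 8 ++++++++
- libtiff/tif_dirwrite.c | 20 ++++++++++++++++----
- 2 files changed, 24 insertions(+), 4 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 0240f0b..42eaeb7 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,11 @@
-+2017-06-30 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
-+ functions associated with LONG8/SLONG8 data type, replace assertion that
-+ the file is BigTIFF, by a non-fatal error.
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
-+ Reported by team OWL337
-+
- 2017-06-26 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index 2967da5..8d6686b 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui
- {
- uint64 m;
- assert(sizeof(uint64)==8);
-- assert(tif->tif_flags&TIFF_BIGTIFF);
-+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
-+ return(0);
-+ }
- m=value;
- if (tif->tif_flags&TIFF_SWAB)
- TIFFSwabLong8(&m);
-@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di
- {
- assert(count<0x20000000);
- assert(sizeof(uint64)==8);
-- assert(tif->tif_flags&TIFF_BIGTIFF);
-+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
-+ return(0);
-+ }
- if (tif->tif_flags&TIFF_SWAB)
- TIFFSwabArrayOfLong8(value,count);
- return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
-@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u
- {
- int64 m;
- assert(sizeof(int64)==8);
-- assert(tif->tif_flags&TIFF_BIGTIFF);
-+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
-+ return(0);
-+ }
- m=value;
- if (tif->tif_flags&TIFF_SWAB)
- TIFFSwabLong8((uint64*)(&m));
-@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
- {
- assert(count<0x20000000);
- assert(sizeof(int64)==8);
-- assert(tif->tif_flags&TIFF_BIGTIFF);
-+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
-+ return(0);
-+ }
- if (tif->tif_flags&TIFF_SWAB)
- TIFFSwabArrayOfLong8((uint64*)value,count);
- return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
---
-2.7.4
-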
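diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
deleted file mode 100644
index d08e7612b7..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 15 Jul 2017 11:13:46 +0000
-Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in
- "Raw" mode on PlanarConfig=Contig input images. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337
-
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556]
-
-CVE: CVE-2017-11355
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ChangeLog | 7 +++++++
- tools/tiff2pdf.c | 7 ++++++-
- 2 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 42eaeb7..6980da8 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,10 @@
-+2017-07-15 Even Rouault <even.rouault at spatialys.com>
-+
-+ * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
-+ mode on PlanarConfig=Contig input images.
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
-+ Reported by team OWL337
-+
- 2017-06-30 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index db196e0..cd1e235 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- return;
-
- t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;
-- if(t2p->pdf_nopassthrough==0){
-+ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */
-+ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */
-+ /* do not take into account the number of samples, and thus */
-+ /* that can cause heap buffer overflows such as in */
-+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */
-+ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){
- #ifdef CCITT_SUPPORT
- if(t2p->tiff_compression==COMPRESSION_CCITTFAX4
- ){
---
-2.7.4
-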
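diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
deleted file mode 100644
index c60ffa698d..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Wed, 23 Aug 2017 13:21:41 +0000
-Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not
- finding the SubIFD tag by runtime check. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337
-
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e]
-
-CVE: CVE-2017-13726
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ChangeLog | 7 +++++++
- libtiff/tif_dirwrite.c | 7 ++++++-
- 2 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 6980da8..3e299d9 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,10 @@
-+2017-08-23 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_dirwrite.c: replace assertion related to not finding the
-+ SubIFD tag by runtime check.
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
-+ Reported by team OWL337
-+
- 2017-07-15 Even Rouault <even.rouault at spatialys.com>
-
- * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index 8d6686b..14090ae 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
- TIFFDirEntry* nb;
- for (na=0, nb=dir; ; na++, nb++)
- {
-- assert(na<ndir);
-+ if( na == ndir )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata,module,
-+ "Cannot find SubIFD tag");
-+ goto bad;
-+ }
- if (nb->tdir_tag==TIFFTAG_SUBIFD)
- break;
- }
---
-2.7.4
-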
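diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
deleted file mode 100644
index e228c2f17c..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Wed, 23 Aug 2017 13:33:42 +0000
-Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
- fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
- TIFFWriteDirectoryTagSubifd()). Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
-
-SubIFD tag by runtime check (in TIFFWriteDirectorySec())
-
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
-
-CVE: CVE-2017-13727
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ChangeLog | 10 +++++++++-
- libtiff/tif_dirwrite.c | 9 ++++++++-
- 2 files changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 3e299d9..8f5efe9 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,7 +1,15 @@
- 2017-08-23 Even Rouault <even.rouault at spatialys.com>
-
-+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
-+ on uint32 when selecting the value of SubIFD tag by runtime check
-+ (in TIFFWriteDirectoryTagSubifd()).
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
-+ Reported by team OWL337
-+
-+2017-08-23 Even Rouault <even.rouault at spatialys.com>
-+
- * libtiff/tif_dirwrite.c: replace assertion related to not finding the
-- SubIFD tag by runtime check.
-+ SubIFD tag by runtime check (in TIFFWriteDirectorySec())
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
- Reported by team OWL337
-
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index 14090ae..f0a4baa 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
- for (p=0; p < tif->tif_dir.td_nsubifd; p++)
- {
- assert(pa != 0);
-- assert(*pa <= 0xFFFFFFFFUL);
-+
-+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
-+ if( *pa > 0xFFFFFFFFUL)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
-+ _TIFFfree(o);
-+ return(0);
-+ }
- *pb++=(uint32)(*pa++);
- }
- n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
---
-2.7.4
-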
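diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
deleted file mode 100644
index 3392285901..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Thu, 1 Jun 2017 12:44:04 +0000
-Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
-and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
-codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
-to behave differently depending on whether the codec is enabled or not, and
-thus can avoid stack based buffer overflows in a number of TIFF utilities
-such as tiffsplit, tiffcmp, thumbnail, etc.
-Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
-(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
-Fixes:
-http://bugzilla.maptools.org/show_bug.cgi?id=2580
-http://bugzilla.maptools.org/show_bug.cgi?id=2693
-http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
-http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
-http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
-http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
-http://bugzilla.maptools.org/show_bug.cgi?id=2441
-http://bugzilla.maptools.org/show_bug.cgi?id=2433
-
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06]
-
-CVE: CVE-2017-9147
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ChangeLog | 20 ++++++++++
- libtiff/tif_dir.h | 1 +
- libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++
- libtiff/tif_dirread.c | 4 ++
- 4 files changed, 128 insertions(+)
-
-diff --git a/ChangeLog b/ChangeLog
-index ee8d9d0..5739292 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,23 @@
-+2017-06-01 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
-+ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
-+ codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
-+ to behave differently depending on whether the codec is enabled or not, and
-+ thus can avoid stack based buffer overflows in a number of TIFF utilities
-+ such as tiffsplit, tiffcmp, thumbnail, etc.
-+ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
-+ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
-+ Fixes:
-+ http://bugzilla.maptools.org/show_bug.cgi?id=2580
-+ http://bugzilla.maptools.org/show_bug.cgi?id=2693
-+ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
-+ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
-+ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
-+ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
-+ http://bugzilla.maptools.org/show_bug.cgi?id=2441
-+ http://bugzilla.maptools.org/show_bug.cgi?id=2433
-+
- 2017-05-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
-
- * configure.ac: libtiff 4.0.8 released.
-diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
-index e12b44b..5206be4 100644
---- a/libtiff/tif_dir.h
-+++ b/libtiff/tif_dir.h
-@@ -291,6 +291,7 @@ struct _TIFFField {
- extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
- extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
- extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
-+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
-
- #if defined(__cplusplus)
- }
-diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
-index 0c8ef42..97c0df0 100644
---- a/libtiff/tif_dirinfo.c
-+++ b/libtiff/tif_dirinfo.c
-@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
- return 0;
- }
-
-+int
-+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
-+{
-+ /* Filter out non-codec specific tags */
-+ switch (tag) {
-+ /* Shared tags */
-+ case TIFFTAG_PREDICTOR:
-+ /* JPEG tags */
-+ case TIFFTAG_JPEGTABLES:
-+ /* OJPEG tags */
-+ case TIFFTAG_JPEGIFOFFSET:
-+ case TIFFTAG_JPEGIFBYTECOUNT:
-+ case TIFFTAG_JPEGQTABLES:
-+ case TIFFTAG_JPEGDCTABLES:
-+ case TIFFTAG_JPEGACTABLES:
-+ case TIFFTAG_JPEGPROC:
-+ case TIFFTAG_JPEGRESTARTINTERVAL:
-+ /* CCITT* */
-+ case TIFFTAG_BADFAXLINES:
-+ case TIFFTAG_CLEANFAXDATA:
-+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
-+ case TIFFTAG_GROUP3OPTIONS:
-+ case TIFFTAG_GROUP4OPTIONS:
-+ break;
-+ default:
-+ return 1;
-+ }
-+ /* Check if codec specific tags are allowed for the current
-+ * compression scheme (codec) */
-+ switch (tif->tif_dir.td_compression) {
-+ case COMPRESSION_LZW:
-+ if (tag == TIFFTAG_PREDICTOR)
-+ return 1;
-+ break;
-+ case COMPRESSION_PACKBITS:
-+ /* No codec-specific tags */
-+ break;
-+ case COMPRESSION_THUNDERSCAN:
-+ /* No codec-specific tags */
-+ break;
-+ case COMPRESSION_NEXT:
-+ /* No codec-specific tags */
-+ break;
-+ case COMPRESSION_JPEG:
-+ if (tag == TIFFTAG_JPEGTABLES)
-+ return 1;
-+ break;
-+ case COMPRESSION_OJPEG:
-+ switch (tag) {
-+ case TIFFTAG_JPEGIFOFFSET:
-+ case TIFFTAG_JPEGIFBYTECOUNT:
-+ case TIFFTAG_JPEGQTABLES:
-+ case TIFFTAG_JPEGDCTABLES:
-+ case TIFFTAG_JPEGACTABLES:
-+ case TIFFTAG_JPEGPROC:
-+ case TIFFTAG_JPEGRESTARTINTERVAL:
-+ return 1;
-+ }
-+ break;
-+ case COMPRESSION_CCITTRLE:
-+ case COMPRESSION_CCITTRLEW:
-+ case COMPRESSION_CCITTFAX3:
-+ case COMPRESSION_CCITTFAX4:
-+ switch (tag) {
-+ case TIFFTAG_BADFAXLINES:
-+ case TIFFTAG_CLEANFAXDATA:
-+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
-+ return 1;
-+ case TIFFTAG_GROUP3OPTIONS:
-+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
-+ return 1;
-+ break;
-+ case TIFFTAG_GROUP4OPTIONS:
-+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
-+ return 1;
-+ break;
-+ }
-+ break;
-+ case COMPRESSION_JBIG:
-+ /* No codec-specific tags */
-+ break;
-+ case COMPRESSION_DEFLATE:
-+ case COMPRESSION_ADOBE_DEFLATE:
-+ if (tag == TIFFTAG_PREDICTOR)
-+ return 1;
-+ break;
-+ case COMPRESSION_PIXARLOG:
-+ if (tag == TIFFTAG_PREDICTOR)
-+ return 1;
-+ break;
-+ case COMPRESSION_SGILOG:
-+ case COMPRESSION_SGILOG24:
-+ /* No codec-specific tags */
-+ break;
-+ case COMPRESSION_LZMA:
-+ if (tag == TIFFTAG_PREDICTOR)
-+ return 1;
-+ break;
-+
-+ }
-+ return 0;
-+}
-+
- /* vim: set ts=8 sts=8 sw=8 noet: */
-
- /*
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 1d4f0b9..f1dc3d7 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)
- goto bad;
- dp->tdir_tag=IGNORE;
- break;
-+ default:
-+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
-+ dp->tdir_tag=IGNORE;
-+ break;
- }
- }
- }
---
-2.7.4
-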
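diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch
deleted file mode 100644
index fc99363284..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 62efea76592647426deec5592fd7274d5c950646 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 26 Jun 2017 15:19:59 +0000
-Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of
- JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported
- by team OWL337
-
-* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
-
-Upstream-Status: Backport
-[https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a]
-
-CVE: CVE-2017-9936
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ChangeLog | 6 ++++++
- libtiff/tif_jbig.c | 1 +
- 2 files changed, 7 insertions(+)
-
-diff --git a/ChangeLog b/ChangeLog
-index 5739292..0240f0b 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,9 @@
-+2017-06-26 Even Rouault <even.rouault at spatialys.com>
-+
-+ * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
-+ Reported by team OWL337
-+
- 2017-06-01 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
-diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
-index 5f5f75e..c75f31d 100644
---- a/libtiff/tif_jbig.c
-+++ b/libtiff/tif_jbig.c
-@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
- jbg_strerror(decodeStatus)
- #endif
- );
-+ jbg_dec_free(&decoder);
- return 0;
- }
-
---
-2.7.4
-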
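diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
index cb91baa607..57bf7408d0 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
@@ -6,16 +6,10 @@ CVE_PRODUCT = "libtiff"
 
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
  file://libtool2.patch \
- file://CVE-2017-9147.patch \
- file://CVE-2017-9936.patch \
- file://CVE-2017-10688.patch \
- file://CVE-2017-11335.patch \
- file://CVE-2017-13726.patch \
- file://CVE-2017-13727.patch \
  "
 
-SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b"
-SRC_URI[sha256sum] = "59d7a5a8ccd92059913f246877db95a2918e6c04fb9d43fd74e5c3390dac2910"
+SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"
+SRC_URI[sha256sum] = "6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd"
 
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"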