diff options
author | Yi Zhao <yi.zhao@windriver.com> | 2016-10-26 16:26:48 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-11-06 23:35:33 +0000 |
commit | 3a6612a81197d2e1ebefcfd5cd9576d91d2ea08b (patch) | |
tree | 39c4db8da6b496349bc12e9aa694820b1660fe2b /meta | |
parent | 28c8e12e300a37e186ed65cd27048dd9ecc706f5 (diff) | |
download | poky-3a6612a81197d2e1ebefcfd5cd9576d91d2ea08b.tar.gz |
tiff: Security fix CVE-2016-3622
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the
tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (divide-by-zero error) via a crafted TIFF
image.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622
http://www.openwall.com/lists/oss-security/2016/04/07/4
Patch from:
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
(From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch | 129 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 |
2 files changed, 130 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch new file mode 100644 index 0000000000..0c8b7164e5 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch | |||
@@ -0,0 +1,129 @@ | |||
1 | From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001 | ||
2 | From: bfriesen <bfriesen> | ||
3 | Date: Sat, 24 Sep 2016 23:11:55 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts | ||
5 | to read floating point images. | ||
6 | |||
7 | * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample | ||
8 | requirements of floating point predictor (3). Fixes CVE-2016-3622 | ||
9 | "Divide By Zero in the tiff2rgba tool." | ||
10 | |||
11 | CVE: CVE-2016-3622 | ||
12 | Upstream-Status: Backport | ||
13 | https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286 | ||
14 | |||
15 | Signed-off-by: Yi Zhao <yi.zhao@windirver.com> | ||
16 | --- | ||
17 | ChangeLog | 11 ++++++++++- | ||
18 | libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------ | ||
19 | libtiff/tif_predict.c | 11 ++++++++++- | ||
20 | 3 files changed, 40 insertions(+), 20 deletions(-) | ||
21 | |||
22 | diff --git a/ChangeLog b/ChangeLog | ||
23 | index 26d6f47..a628277 100644 | ||
24 | --- a/ChangeLog | ||
25 | +++ b/ChangeLog | ||
26 | @@ -1,3 +1,12 @@ | ||
27 | +2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | ||
28 | + | ||
29 | + * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to | ||
30 | + read floating point images. | ||
31 | + | ||
32 | + * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample | ||
33 | + requirements of floating point predictor (3). Fixes CVE-2016-3622 | ||
34 | + "Divide By Zero in the tiff2rgba tool." | ||
35 | + | ||
36 | 2016-08-15 Even Rouault <even.rouault at spatialys.com> | ||
37 | |||
38 | * tools/rgb2ycbcr.c: validate values of -v and -h parameters to | ||
39 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
40 | index 386cee0..3e689ee 100644 | ||
41 | --- a/libtiff/tif_getimage.c | ||
42 | +++ b/libtiff/tif_getimage.c | ||
43 | @@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) | ||
44 | td->td_bitspersample); | ||
45 | return (0); | ||
46 | } | ||
47 | + if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) { | ||
48 | + sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples"); | ||
49 | + return (0); | ||
50 | + } | ||
51 | colorchannels = td->td_samplesperpixel - td->td_extrasamples; | ||
52 | if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) { | ||
53 | switch (colorchannels) { | ||
54 | @@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024]) | ||
55 | "Planarconfiguration", td->td_planarconfig); | ||
56 | return (0); | ||
57 | } | ||
58 | - if( td->td_samplesperpixel != 3 || colorchannels != 3 ) | ||
59 | - { | ||
60 | - sprintf(emsg, | ||
61 | - "Sorry, can not handle image with %s=%d, %s=%d", | ||
62 | - "Samples/pixel", td->td_samplesperpixel, | ||
63 | - "colorchannels", colorchannels); | ||
64 | - return 0; | ||
65 | - } | ||
66 | + if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) { | ||
67 | + sprintf(emsg, | ||
68 | + "Sorry, can not handle image with %s=%d, %s=%d", | ||
69 | + "Samples/pixel", td->td_samplesperpixel, | ||
70 | + "colorchannels", colorchannels); | ||
71 | + return 0; | ||
72 | + } | ||
73 | break; | ||
74 | case PHOTOMETRIC_CIELAB: | ||
75 | - if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) | ||
76 | - { | ||
77 | - sprintf(emsg, | ||
78 | - "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", | ||
79 | - "Samples/pixel", td->td_samplesperpixel, | ||
80 | - "colorchannels", colorchannels, | ||
81 | - "Bits/sample", td->td_bitspersample); | ||
82 | - return 0; | ||
83 | - } | ||
84 | + if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) { | ||
85 | + sprintf(emsg, | ||
86 | + "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", | ||
87 | + "Samples/pixel", td->td_samplesperpixel, | ||
88 | + "colorchannels", colorchannels, | ||
89 | + "Bits/sample", td->td_bitspersample); | ||
90 | + return 0; | ||
91 | + } | ||
92 | break; | ||
93 | - default: | ||
94 | + default: | ||
95 | sprintf(emsg, "Sorry, can not handle image with %s=%d", | ||
96 | photoTag, photometric); | ||
97 | return (0); | ||
98 | diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c | ||
99 | index 081eb11..555f2f9 100644 | ||
100 | --- a/libtiff/tif_predict.c | ||
101 | +++ b/libtiff/tif_predict.c | ||
102 | @@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif) | ||
103 | td->td_sampleformat); | ||
104 | return 0; | ||
105 | } | ||
106 | + if (td->td_bitspersample != 16 | ||
107 | + && td->td_bitspersample != 24 | ||
108 | + && td->td_bitspersample != 32 | ||
109 | + && td->td_bitspersample != 64) { /* Should 64 be allowed? */ | ||
110 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
111 | + "Floating point \"Predictor\" not supported with %d-bit samples", | ||
112 | + td->td_bitspersample); | ||
113 | + return 0; | ||
114 | + } | ||
115 | break; | ||
116 | default: | ||
117 | TIFFErrorExt(tif->tif_clientdata, module, | ||
118 | @@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif) | ||
119 | } | ||
120 | /* | ||
121 | * Allocate buffer to keep the decoded bytes before | ||
122 | - * rearranging in the ight order | ||
123 | + * rearranging in the right order | ||
124 | */ | ||
125 | } | ||
126 | |||
127 | -- | ||
128 | 2.7.4 | ||
129 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index 466dfbb50d..796d86e8f8 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | |||
@@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
14 | file://CVE-2016-3990.patch \ | 14 | file://CVE-2016-3990.patch \ |
15 | file://CVE-2016-3991.patch \ | 15 | file://CVE-2016-3991.patch \ |
16 | file://CVE-2016-3623.patch \ | 16 | file://CVE-2016-3623.patch \ |
17 | file://CVE-2016-3622.patch \ | ||
17 | " | 18 | " |
18 | 19 | ||
19 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" | 20 | SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" |