tiff: Security fix for CVE-2017-7594

(From OE-Core rev: ac828e5620430cff207ac5dc14dc5e2dbf99f9de) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Rajkumar Veer <rveer@mvista.com> 2017-11-03 22:25:08 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-05 22:39:49 +0000
commit: 2e37f285521d69cf351481498518f9c5e721493d (patch)
tree: b773a1699dbf400572da8bbced62c383845d7ebc /meta
parent: 9f2bab84935fdd0785ab9e59e908a9694b2e61af (diff)
download: poky-2e37f285521d69cf351481498518f9c5e721493d.tar.gz
3 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p1.patch
new file mode 100644
index 0000000000..5c7e4603cc
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p1.patch
@@ -0,0 +1,43 @@
+rom 8283e4d1b7e53340684d12932880cbcbaf23a8c1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Thu, 12 Jan 2017 17:43:25 +0000
+* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
+  when read fails.
+  Patch by Nicolas Pena.
+  Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+Upstream-Status: Backport
+CVE: CVE-2017-7594 #patch1
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog   2017-04-24 16:13:15.000000000 +0530
+++ tiff-4.0.7/ChangeLog        2017-04-24 16:50:26.465897646 +0530
+@@ -1,3 +1,10 @@
+2017-01-12 Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
+       when read fails.
+       Patch by Nicolás Peña.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+
+ 2017-01-11 Even Rouault <even.rouault at spatialys.com>
+ 
+        * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
+Index: tiff-4.0.7/libtiff/tif_ojpeg.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_ojpeg.c 2017-04-24 16:02:29.817973051 +0530
+++ tiff-4.0.7/libtiff/tif_ojpeg.c      2017-04-24 16:52:27.349894477 +0530
+@@ -1918,7 +1918,10 @@
+                                rb[sizeof(uint32)+5+n]=o[n];
+                        p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+                        if (p!=q)
+                        {
+                                _TIFFfree(rb);
+                                return(0);
+                        }
+                        sp->actable[m]=rb;
+                        sp->sos_tda[m]=(sp->sos_tda[m]|m);
+                }
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p2.patch
new file mode 100644
index 0000000000..82a19c6810
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p2.patch
@@ -0,0 +1,50 @@
+From 2ea32f7372b65c24b2816f11c04bf59b5090d05b Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Thu, 12 Jan 2017 19:23:20 +0000
+Subject: [PATCH 2/2] * libtiff/tif_ojpeg.c: fix leak in
+ OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable and
+ OJPEGReadHeaderInfoSecTablesAcTable
+Upstream-status: Backport
+CVE: CVE-2017-7594 #patch2
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog   2017-04-24 16:50:26.465897646 +0530
+++ tiff-4.0.7/ChangeLog        2017-04-24 16:56:20.685888360 +0530
+@@ -1,6 +1,7 @@
+ 2017-01-12 Even Rouault <even.rouault at spatialys.com>
+ 
+-       * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
+       * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
+       OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
+        when read fails.
+        Patch by Nicolás Peña.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
+Index: tiff-4.0.7/libtiff/tif_ojpeg.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_ojpeg.c 2017-04-24 16:52:27.349894477 +0530
+++ tiff-4.0.7/libtiff/tif_ojpeg.c      2017-04-24 16:59:20.001883660 +0530
+@@ -1790,7 +1790,10 @@
+                        TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); 
+                        p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
+                        if (p!=64)
+                        {
+                                _TIFFfree(ob);
+                                return(0);
+                        }
+                        sp->qtable[m]=ob;
+                        sp->sof_tq[m]=m;
+                }
+@@ -1854,7 +1857,10 @@
+                                rb[sizeof(uint32)+5+n]=o[n];
+                        p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+                        if (p!=q)
+                        {
+                                _TIFFfree(rb);
+                                return(0);
+                        }
+                        sp->dctable[m]=rb;
+                        sp->sos_tda[m]=(m<<4);
+                }
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 303eff088b..12ab9360a7 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -19,6 +19,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2016-10269.patch \
           file://CVE-2016-10270.patch \
           file://CVE-2017-7592.patch \
+           file://CVE-2017-7594-p1.patch \
+           file://CVE-2017-7594-p2.patch \
        "
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
author	Rajkumar Veer <rveer@mvista.com>	2017-11-03 22:25:08 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-05 22:39:49 +0000
commit	2e37f285521d69cf351481498518f9c5e721493d (patch)
tree	b773a1699dbf400572da8bbced62c383845d7ebc /meta
parent	9f2bab84935fdd0785ab9e59e908a9694b2e61af (diff)
download	poky-2e37f285521d69cf351481498518f9c5e721493d.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p1.patch new file mode 100644 index 0000000000..5c7e4603cc --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p1.patch
@@ -0,0 +1,43 @@
		1	rom 8283e4d1b7e53340684d12932880cbcbaf23a8c1 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Thu, 12 Jan 2017 17:43:25 +0000
		4
		5	* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
		6	when read fails.
		7	Patch by Nicolas Pena.
		8	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
		9
		10	Upstream-Status: Backport
		11
		12	CVE: CVE-2017-7594 #patch1
		13	Signed-off-by: Rajkumar Veer <rveer@mvista.com>
		14	Index: tiff-4.0.7/ChangeLog
		15	===================================================================
		16	--- tiff-4.0.7.orig/ChangeLog 2017-04-24 16:13:15.000000000 +0530
		17	+++ tiff-4.0.7/ChangeLog 2017-04-24 16:50:26.465897646 +0530
		18	@@ -1,3 +1,10 @@
		19	+2017-01-12 Even Rouault <even.rouault at spatialys.com>
		20	+
		21	+ * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
		22	+ when read fails.
		23	+ Patch by Nicolás Peña.
		24	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
		25	+
		26	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		27
		28	* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
		29	Index: tiff-4.0.7/libtiff/tif_ojpeg.c
		30	===================================================================
		31	--- tiff-4.0.7.orig/libtiff/tif_ojpeg.c 2017-04-24 16:02:29.817973051 +0530
		32	+++ tiff-4.0.7/libtiff/tif_ojpeg.c 2017-04-24 16:52:27.349894477 +0530
		33	@@ -1918,7 +1918,10 @@
		34	rb[sizeof(uint32)+5+n]=o[n];
		35	p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
		36	if (p!=q)
		37	+ {
		38	+ _TIFFfree(rb);
		39	return(0);
		40	+ }
		41	sp->actable[m]=rb;
		42	sp->sos_tda[m]=(sp->sos_tda[m]\|m);
		43	}


diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p2.patch new file mode 100644 index 0000000000..82a19c6810 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p2.patch
@@ -0,0 +1,50 @@
		1	From 2ea32f7372b65c24b2816f11c04bf59b5090d05b Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Thu, 12 Jan 2017 19:23:20 +0000
		4	Subject: [PATCH 2/2] * libtiff/tif_ojpeg.c: fix leak in
		5	OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable and
		6	OJPEGReadHeaderInfoSecTablesAcTable
		7
		8	Upstream-status: Backport
		9
		10	CVE: CVE-2017-7594 #patch2
		11	Signed-off-by: Rajkumar Veer <rveer@mvista.com>
		12	Index: tiff-4.0.7/ChangeLog
		13	===================================================================
		14	--- tiff-4.0.7.orig/ChangeLog 2017-04-24 16:50:26.465897646 +0530
		15	+++ tiff-4.0.7/ChangeLog 2017-04-24 16:56:20.685888360 +0530
		16	@@ -1,6 +1,7 @@
		17	2017-01-12 Even Rouault <even.rouault at spatialys.com>
		18
		19	- * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
		20	+ * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
		21	+ OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
		22	when read fails.
		23	Patch by Nicolás Peña.
		24	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
		25	Index: tiff-4.0.7/libtiff/tif_ojpeg.c
		26	===================================================================
		27	--- tiff-4.0.7.orig/libtiff/tif_ojpeg.c 2017-04-24 16:52:27.349894477 +0530
		28	+++ tiff-4.0.7/libtiff/tif_ojpeg.c 2017-04-24 16:59:20.001883660 +0530
		29	@@ -1790,7 +1790,10 @@
		30	TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);
		31	p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
		32	if (p!=64)
		33	+ {
		34	+ _TIFFfree(ob);
		35	return(0);
		36	+ }
		37	sp->qtable[m]=ob;
		38	sp->sof_tq[m]=m;
		39	}
		40	@@ -1854,7 +1857,10 @@
		41	rb[sizeof(uint32)+5+n]=o[n];
		42	p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
		43	if (p!=q)
		44	+ {
		45	+ _TIFFfree(rb);
		46	return(0);
		47	+ }
		48	sp->dctable[m]=rb;
		49	sp->sos_tda[m]=(m<<4);
		50	}


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 303eff088b..12ab9360a7 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -19,6 +19,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
19	file://CVE-2016-10269.patch \	19	file://CVE-2016-10269.patch \
20	file://CVE-2016-10270.patch \	20	file://CVE-2016-10270.patch \
21	file://CVE-2017-7592.patch \	21	file://CVE-2017-7592.patch \
		22	file://CVE-2017-7594-p1.patch \
		23	file://CVE-2017-7594-p2.patch \
22	"	24	"
23		25
24	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"	26	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"