diff options
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch | 91 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch | 54 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch | 54 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch | 65 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch | 206 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch | 49 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.9.bb (renamed from meta/recipes-multimedia/libtiff/tiff_4.0.8.bb) | 10 |
7 files changed, 2 insertions, 527 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch deleted file mode 100644 index b0db96949f..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch +++ /dev/null | |||
@@ -1,91 +0,0 @@ | |||
1 | From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Fri, 30 Jun 2017 17:29:44 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_dirwrite.c: in | ||
5 | TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8 | ||
6 | data type, replace assertion that the file is BigTIFF, by a non-fatal error. | ||
7 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team | ||
8 | OWL337 | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | [https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1] | ||
12 | |||
13 | CVE: CVE-2017-10688 | ||
14 | |||
15 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
16 | --- | ||
17 | ChangeLog | 8 ++++++++ | ||
18 | libtiff/tif_dirwrite.c | 20 ++++++++++++++++---- | ||
19 | 2 files changed, 24 insertions(+), 4 deletions(-) | ||
20 | |||
21 | diff --git a/ChangeLog b/ChangeLog | ||
22 | index 0240f0b..42eaeb7 100644 | ||
23 | --- a/ChangeLog | ||
24 | +++ b/ChangeLog | ||
25 | @@ -1,3 +1,11 @@ | ||
26 | +2017-06-30 Even Rouault <even.rouault at spatialys.com> | ||
27 | + | ||
28 | + * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() | ||
29 | + functions associated with LONG8/SLONG8 data type, replace assertion that | ||
30 | + the file is BigTIFF, by a non-fatal error. | ||
31 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 | ||
32 | + Reported by team OWL337 | ||
33 | + | ||
34 | 2017-06-26 Even Rouault <even.rouault at spatialys.com> | ||
35 | |||
36 | * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() | ||
37 | diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c | ||
38 | index 2967da5..8d6686b 100644 | ||
39 | --- a/libtiff/tif_dirwrite.c | ||
40 | +++ b/libtiff/tif_dirwrite.c | ||
41 | @@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui | ||
42 | { | ||
43 | uint64 m; | ||
44 | assert(sizeof(uint64)==8); | ||
45 | - assert(tif->tif_flags&TIFF_BIGTIFF); | ||
46 | + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { | ||
47 | + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); | ||
48 | + return(0); | ||
49 | + } | ||
50 | m=value; | ||
51 | if (tif->tif_flags&TIFF_SWAB) | ||
52 | TIFFSwabLong8(&m); | ||
53 | @@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di | ||
54 | { | ||
55 | assert(count<0x20000000); | ||
56 | assert(sizeof(uint64)==8); | ||
57 | - assert(tif->tif_flags&TIFF_BIGTIFF); | ||
58 | + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { | ||
59 | + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); | ||
60 | + return(0); | ||
61 | + } | ||
62 | if (tif->tif_flags&TIFF_SWAB) | ||
63 | TIFFSwabArrayOfLong8(value,count); | ||
64 | return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); | ||
65 | @@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u | ||
66 | { | ||
67 | int64 m; | ||
68 | assert(sizeof(int64)==8); | ||
69 | - assert(tif->tif_flags&TIFF_BIGTIFF); | ||
70 | + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { | ||
71 | + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); | ||
72 | + return(0); | ||
73 | + } | ||
74 | m=value; | ||
75 | if (tif->tif_flags&TIFF_SWAB) | ||
76 | TIFFSwabLong8((uint64*)(&m)); | ||
77 | @@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d | ||
78 | { | ||
79 | assert(count<0x20000000); | ||
80 | assert(sizeof(int64)==8); | ||
81 | - assert(tif->tif_flags&TIFF_BIGTIFF); | ||
82 | + if( !(tif->tif_flags&TIFF_BIGTIFF) ) { | ||
83 | + TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); | ||
84 | + return(0); | ||
85 | + } | ||
86 | if (tif->tif_flags&TIFF_SWAB) | ||
87 | TIFFSwabArrayOfLong8((uint64*)value,count); | ||
88 | return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); | ||
89 | -- | ||
90 | 2.7.4 | ||
91 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch deleted file mode 100644 index d08e7612b7..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch +++ /dev/null | |||
@@ -1,54 +0,0 @@ | |||
1 | From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 15 Jul 2017 11:13:46 +0000 | ||
4 | Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in | ||
5 | "Raw" mode on PlanarConfig=Contig input images. Fixes | ||
6 | http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | [https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556] | ||
10 | |||
11 | CVE: CVE-2017-11355 | ||
12 | |||
13 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
14 | --- | ||
15 | ChangeLog | 7 +++++++ | ||
16 | tools/tiff2pdf.c | 7 ++++++- | ||
17 | 2 files changed, 13 insertions(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/ChangeLog b/ChangeLog | ||
20 | index 42eaeb7..6980da8 100644 | ||
21 | --- a/ChangeLog | ||
22 | +++ b/ChangeLog | ||
23 | @@ -1,3 +1,10 @@ | ||
24 | +2017-07-15 Even Rouault <even.rouault at spatialys.com> | ||
25 | + | ||
26 | + * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" | ||
27 | + mode on PlanarConfig=Contig input images. | ||
28 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 | ||
29 | + Reported by team OWL337 | ||
30 | + | ||
31 | 2017-06-30 Even Rouault <even.rouault at spatialys.com> | ||
32 | |||
33 | * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() | ||
34 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c | ||
35 | index db196e0..cd1e235 100644 | ||
36 | --- a/tools/tiff2pdf.c | ||
37 | +++ b/tools/tiff2pdf.c | ||
38 | @@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ | ||
39 | return; | ||
40 | |||
41 | t2p->pdf_transcode = T2P_TRANSCODE_ENCODE; | ||
42 | - if(t2p->pdf_nopassthrough==0){ | ||
43 | + /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */ | ||
44 | + /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */ | ||
45 | + /* do not take into account the number of samples, and thus */ | ||
46 | + /* that can cause heap buffer overflows such as in */ | ||
47 | + /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */ | ||
48 | + if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){ | ||
49 | #ifdef CCITT_SUPPORT | ||
50 | if(t2p->tiff_compression==COMPRESSION_CCITTFAX4 | ||
51 | ){ | ||
52 | -- | ||
53 | 2.7.4 | ||
54 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch deleted file mode 100644 index c60ffa698d..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch +++ /dev/null | |||
@@ -1,54 +0,0 @@ | |||
1 | From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Wed, 23 Aug 2017 13:21:41 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not | ||
5 | finding the SubIFD tag by runtime check. Fixes | ||
6 | http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | [https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e] | ||
10 | |||
11 | CVE: CVE-2017-13726 | ||
12 | |||
13 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
14 | --- | ||
15 | ChangeLog | 7 +++++++ | ||
16 | libtiff/tif_dirwrite.c | 7 ++++++- | ||
17 | 2 files changed, 13 insertions(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/ChangeLog b/ChangeLog | ||
20 | index 6980da8..3e299d9 100644 | ||
21 | --- a/ChangeLog | ||
22 | +++ b/ChangeLog | ||
23 | @@ -1,3 +1,10 @@ | ||
24 | +2017-08-23 Even Rouault <even.rouault at spatialys.com> | ||
25 | + | ||
26 | + * libtiff/tif_dirwrite.c: replace assertion related to not finding the | ||
27 | + SubIFD tag by runtime check. | ||
28 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 | ||
29 | + Reported by team OWL337 | ||
30 | + | ||
31 | 2017-07-15 Even Rouault <even.rouault at spatialys.com> | ||
32 | |||
33 | * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" | ||
34 | diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c | ||
35 | index 8d6686b..14090ae 100644 | ||
36 | --- a/libtiff/tif_dirwrite.c | ||
37 | +++ b/libtiff/tif_dirwrite.c | ||
38 | @@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) | ||
39 | TIFFDirEntry* nb; | ||
40 | for (na=0, nb=dir; ; na++, nb++) | ||
41 | { | ||
42 | - assert(na<ndir); | ||
43 | + if( na == ndir ) | ||
44 | + { | ||
45 | + TIFFErrorExt(tif->tif_clientdata,module, | ||
46 | + "Cannot find SubIFD tag"); | ||
47 | + goto bad; | ||
48 | + } | ||
49 | if (nb->tdir_tag==TIFFTAG_SUBIFD) | ||
50 | break; | ||
51 | } | ||
52 | -- | ||
53 | 2.7.4 | ||
54 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch deleted file mode 100644 index e228c2f17c..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch +++ /dev/null | |||
@@ -1,65 +0,0 @@ | |||
1 | From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Wed, 23 Aug 2017 13:33:42 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not | ||
5 | fitting on uint32 when selecting the value of SubIFD tag by runtime check (in | ||
6 | TIFFWriteDirectoryTagSubifd()). Fixes | ||
7 | http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337 | ||
8 | |||
9 | SubIFD tag by runtime check (in TIFFWriteDirectorySec()) | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | [https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc] | ||
13 | |||
14 | CVE: CVE-2017-13727 | ||
15 | |||
16 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
17 | --- | ||
18 | ChangeLog | 10 +++++++++- | ||
19 | libtiff/tif_dirwrite.c | 9 ++++++++- | ||
20 | 2 files changed, 17 insertions(+), 2 deletions(-) | ||
21 | |||
22 | diff --git a/ChangeLog b/ChangeLog | ||
23 | index 3e299d9..8f5efe9 100644 | ||
24 | --- a/ChangeLog | ||
25 | +++ b/ChangeLog | ||
26 | @@ -1,7 +1,15 @@ | ||
27 | 2017-08-23 Even Rouault <even.rouault at spatialys.com> | ||
28 | |||
29 | + * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting | ||
30 | + on uint32 when selecting the value of SubIFD tag by runtime check | ||
31 | + (in TIFFWriteDirectoryTagSubifd()). | ||
32 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 | ||
33 | + Reported by team OWL337 | ||
34 | + | ||
35 | +2017-08-23 Even Rouault <even.rouault at spatialys.com> | ||
36 | + | ||
37 | * libtiff/tif_dirwrite.c: replace assertion related to not finding the | ||
38 | - SubIFD tag by runtime check. | ||
39 | + SubIFD tag by runtime check (in TIFFWriteDirectorySec()) | ||
40 | Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 | ||
41 | Reported by team OWL337 | ||
42 | |||
43 | diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c | ||
44 | index 14090ae..f0a4baa 100644 | ||
45 | --- a/libtiff/tif_dirwrite.c | ||
46 | +++ b/libtiff/tif_dirwrite.c | ||
47 | @@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir) | ||
48 | for (p=0; p < tif->tif_dir.td_nsubifd; p++) | ||
49 | { | ||
50 | assert(pa != 0); | ||
51 | - assert(*pa <= 0xFFFFFFFFUL); | ||
52 | + | ||
53 | + /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */ | ||
54 | + if( *pa > 0xFFFFFFFFUL) | ||
55 | + { | ||
56 | + TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); | ||
57 | + _TIFFfree(o); | ||
58 | + return(0); | ||
59 | + } | ||
60 | *pb++=(uint32)(*pa++); | ||
61 | } | ||
62 | n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o); | ||
63 | -- | ||
64 | 2.7.4 | ||
65 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch deleted file mode 100644 index 3392285901..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch +++ /dev/null | |||
@@ -1,206 +0,0 @@ | |||
1 | From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001 | ||
2 | From: erouault <erouault> | ||
3 | Date: Thu, 1 Jun 2017 12:44:04 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), | ||
5 | and use it in TIFFReadDirectory() so as to ignore fields whose tag is a | ||
6 | codec-specified tag but this codec is not enabled. This avoids TIFFGetField() | ||
7 | to behave differently depending on whether the codec is enabled or not, and | ||
8 | thus can avoid stack based buffer overflows in a number of TIFF utilities | ||
9 | such as tiffsplit, tiffcmp, thumbnail, etc. | ||
10 | Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch | ||
11 | (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. | ||
12 | Fixes: | ||
13 | http://bugzilla.maptools.org/show_bug.cgi?id=2580 | ||
14 | http://bugzilla.maptools.org/show_bug.cgi?id=2693 | ||
15 | http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) | ||
16 | http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) | ||
17 | http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) | ||
18 | http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) | ||
19 | http://bugzilla.maptools.org/show_bug.cgi?id=2441 | ||
20 | http://bugzilla.maptools.org/show_bug.cgi?id=2433 | ||
21 | |||
22 | Upstream-Status: Backport | ||
23 | [https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06] | ||
24 | |||
25 | CVE: CVE-2017-9147 | ||
26 | |||
27 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
28 | --- | ||
29 | ChangeLog | 20 ++++++++++ | ||
30 | libtiff/tif_dir.h | 1 + | ||
31 | libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
32 | libtiff/tif_dirread.c | 4 ++ | ||
33 | 4 files changed, 128 insertions(+) | ||
34 | |||
35 | diff --git a/ChangeLog b/ChangeLog | ||
36 | index ee8d9d0..5739292 100644 | ||
37 | --- a/ChangeLog | ||
38 | +++ b/ChangeLog | ||
39 | @@ -1,3 +1,23 @@ | ||
40 | +2017-06-01 Even Rouault <even.rouault at spatialys.com> | ||
41 | + | ||
42 | + * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), | ||
43 | + and use it in TIFFReadDirectory() so as to ignore fields whose tag is a | ||
44 | + codec-specified tag but this codec is not enabled. This avoids TIFFGetField() | ||
45 | + to behave differently depending on whether the codec is enabled or not, and | ||
46 | + thus can avoid stack based buffer overflows in a number of TIFF utilities | ||
47 | + such as tiffsplit, tiffcmp, thumbnail, etc. | ||
48 | + Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch | ||
49 | + (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. | ||
50 | + Fixes: | ||
51 | + http://bugzilla.maptools.org/show_bug.cgi?id=2580 | ||
52 | + http://bugzilla.maptools.org/show_bug.cgi?id=2693 | ||
53 | + http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) | ||
54 | + http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) | ||
55 | + http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) | ||
56 | + http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) | ||
57 | + http://bugzilla.maptools.org/show_bug.cgi?id=2441 | ||
58 | + http://bugzilla.maptools.org/show_bug.cgi?id=2433 | ||
59 | + | ||
60 | 2017-05-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> | ||
61 | |||
62 | * configure.ac: libtiff 4.0.8 released. | ||
63 | diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h | ||
64 | index e12b44b..5206be4 100644 | ||
65 | --- a/libtiff/tif_dir.h | ||
66 | +++ b/libtiff/tif_dir.h | ||
67 | @@ -291,6 +291,7 @@ struct _TIFFField { | ||
68 | extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32); | ||
69 | extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType); | ||
70 | extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType); | ||
71 | +extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); | ||
72 | |||
73 | #if defined(__cplusplus) | ||
74 | } | ||
75 | diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c | ||
76 | index 0c8ef42..97c0df0 100644 | ||
77 | --- a/libtiff/tif_dirinfo.c | ||
78 | +++ b/libtiff/tif_dirinfo.c | ||
79 | @@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n) | ||
80 | return 0; | ||
81 | } | ||
82 | |||
83 | +int | ||
84 | +_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) | ||
85 | +{ | ||
86 | + /* Filter out non-codec specific tags */ | ||
87 | + switch (tag) { | ||
88 | + /* Shared tags */ | ||
89 | + case TIFFTAG_PREDICTOR: | ||
90 | + /* JPEG tags */ | ||
91 | + case TIFFTAG_JPEGTABLES: | ||
92 | + /* OJPEG tags */ | ||
93 | + case TIFFTAG_JPEGIFOFFSET: | ||
94 | + case TIFFTAG_JPEGIFBYTECOUNT: | ||
95 | + case TIFFTAG_JPEGQTABLES: | ||
96 | + case TIFFTAG_JPEGDCTABLES: | ||
97 | + case TIFFTAG_JPEGACTABLES: | ||
98 | + case TIFFTAG_JPEGPROC: | ||
99 | + case TIFFTAG_JPEGRESTARTINTERVAL: | ||
100 | + /* CCITT* */ | ||
101 | + case TIFFTAG_BADFAXLINES: | ||
102 | + case TIFFTAG_CLEANFAXDATA: | ||
103 | + case TIFFTAG_CONSECUTIVEBADFAXLINES: | ||
104 | + case TIFFTAG_GROUP3OPTIONS: | ||
105 | + case TIFFTAG_GROUP4OPTIONS: | ||
106 | + break; | ||
107 | + default: | ||
108 | + return 1; | ||
109 | + } | ||
110 | + /* Check if codec specific tags are allowed for the current | ||
111 | + * compression scheme (codec) */ | ||
112 | + switch (tif->tif_dir.td_compression) { | ||
113 | + case COMPRESSION_LZW: | ||
114 | + if (tag == TIFFTAG_PREDICTOR) | ||
115 | + return 1; | ||
116 | + break; | ||
117 | + case COMPRESSION_PACKBITS: | ||
118 | + /* No codec-specific tags */ | ||
119 | + break; | ||
120 | + case COMPRESSION_THUNDERSCAN: | ||
121 | + /* No codec-specific tags */ | ||
122 | + break; | ||
123 | + case COMPRESSION_NEXT: | ||
124 | + /* No codec-specific tags */ | ||
125 | + break; | ||
126 | + case COMPRESSION_JPEG: | ||
127 | + if (tag == TIFFTAG_JPEGTABLES) | ||
128 | + return 1; | ||
129 | + break; | ||
130 | + case COMPRESSION_OJPEG: | ||
131 | + switch (tag) { | ||
132 | + case TIFFTAG_JPEGIFOFFSET: | ||
133 | + case TIFFTAG_JPEGIFBYTECOUNT: | ||
134 | + case TIFFTAG_JPEGQTABLES: | ||
135 | + case TIFFTAG_JPEGDCTABLES: | ||
136 | + case TIFFTAG_JPEGACTABLES: | ||
137 | + case TIFFTAG_JPEGPROC: | ||
138 | + case TIFFTAG_JPEGRESTARTINTERVAL: | ||
139 | + return 1; | ||
140 | + } | ||
141 | + break; | ||
142 | + case COMPRESSION_CCITTRLE: | ||
143 | + case COMPRESSION_CCITTRLEW: | ||
144 | + case COMPRESSION_CCITTFAX3: | ||
145 | + case COMPRESSION_CCITTFAX4: | ||
146 | + switch (tag) { | ||
147 | + case TIFFTAG_BADFAXLINES: | ||
148 | + case TIFFTAG_CLEANFAXDATA: | ||
149 | + case TIFFTAG_CONSECUTIVEBADFAXLINES: | ||
150 | + return 1; | ||
151 | + case TIFFTAG_GROUP3OPTIONS: | ||
152 | + if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) | ||
153 | + return 1; | ||
154 | + break; | ||
155 | + case TIFFTAG_GROUP4OPTIONS: | ||
156 | + if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4) | ||
157 | + return 1; | ||
158 | + break; | ||
159 | + } | ||
160 | + break; | ||
161 | + case COMPRESSION_JBIG: | ||
162 | + /* No codec-specific tags */ | ||
163 | + break; | ||
164 | + case COMPRESSION_DEFLATE: | ||
165 | + case COMPRESSION_ADOBE_DEFLATE: | ||
166 | + if (tag == TIFFTAG_PREDICTOR) | ||
167 | + return 1; | ||
168 | + break; | ||
169 | + case COMPRESSION_PIXARLOG: | ||
170 | + if (tag == TIFFTAG_PREDICTOR) | ||
171 | + return 1; | ||
172 | + break; | ||
173 | + case COMPRESSION_SGILOG: | ||
174 | + case COMPRESSION_SGILOG24: | ||
175 | + /* No codec-specific tags */ | ||
176 | + break; | ||
177 | + case COMPRESSION_LZMA: | ||
178 | + if (tag == TIFFTAG_PREDICTOR) | ||
179 | + return 1; | ||
180 | + break; | ||
181 | + | ||
182 | + } | ||
183 | + return 0; | ||
184 | +} | ||
185 | + | ||
186 | /* vim: set ts=8 sts=8 sw=8 noet: */ | ||
187 | |||
188 | /* | ||
189 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
190 | index 1d4f0b9..f1dc3d7 100644 | ||
191 | --- a/libtiff/tif_dirread.c | ||
192 | +++ b/libtiff/tif_dirread.c | ||
193 | @@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif) | ||
194 | goto bad; | ||
195 | dp->tdir_tag=IGNORE; | ||
196 | break; | ||
197 | + default: | ||
198 | + if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) | ||
199 | + dp->tdir_tag=IGNORE; | ||
200 | + break; | ||
201 | } | ||
202 | } | ||
203 | } | ||
204 | -- | ||
205 | 2.7.4 | ||
206 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch deleted file mode 100644 index fc99363284..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch +++ /dev/null | |||
@@ -1,49 +0,0 @@ | |||
1 | From 62efea76592647426deec5592fd7274d5c950646 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Mon, 26 Jun 2017 15:19:59 +0000 | ||
4 | Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of | ||
5 | JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported | ||
6 | by team OWL337 | ||
7 | |||
8 | * libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | [https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a] | ||
12 | |||
13 | CVE: CVE-2017-9936 | ||
14 | |||
15 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
16 | --- | ||
17 | ChangeLog | 6 ++++++ | ||
18 | libtiff/tif_jbig.c | 1 + | ||
19 | 2 files changed, 7 insertions(+) | ||
20 | |||
21 | diff --git a/ChangeLog b/ChangeLog | ||
22 | index 5739292..0240f0b 100644 | ||
23 | --- a/ChangeLog | ||
24 | +++ b/ChangeLog | ||
25 | @@ -1,3 +1,9 @@ | ||
26 | +2017-06-26 Even Rouault <even.rouault at spatialys.com> | ||
27 | + | ||
28 | + * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() | ||
29 | + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 | ||
30 | + Reported by team OWL337 | ||
31 | + | ||
32 | 2017-06-01 Even Rouault <even.rouault at spatialys.com> | ||
33 | |||
34 | * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), | ||
35 | diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c | ||
36 | index 5f5f75e..c75f31d 100644 | ||
37 | --- a/libtiff/tif_jbig.c | ||
38 | +++ b/libtiff/tif_jbig.c | ||
39 | @@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) | ||
40 | jbg_strerror(decodeStatus) | ||
41 | #endif | ||
42 | ); | ||
43 | + jbg_dec_free(&decoder); | ||
44 | return 0; | ||
45 | } | ||
46 | |||
47 | -- | ||
48 | 2.7.4 | ||
49 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb index cb91baa607..57bf7408d0 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb | |||
@@ -6,16 +6,10 @@ CVE_PRODUCT = "libtiff" | |||
6 | 6 | ||
7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | 7 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ |
8 | file://libtool2.patch \ | 8 | file://libtool2.patch \ |
9 | file://CVE-2017-9147.patch \ | ||
10 | file://CVE-2017-9936.patch \ | ||
11 | file://CVE-2017-10688.patch \ | ||
12 | file://CVE-2017-11335.patch \ | ||
13 | file://CVE-2017-13726.patch \ | ||
14 | file://CVE-2017-13727.patch \ | ||
15 | " | 9 | " |
16 | 10 | ||
17 | SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b" | 11 | SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79" |
18 | SRC_URI[sha256sum] = "59d7a5a8ccd92059913f246877db95a2918e6c04fb9d43fd74e5c3390dac2910" | 12 | SRC_URI[sha256sum] = "6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd" |
19 | 13 | ||
20 | # exclude betas | 14 | # exclude betas |
21 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" | 15 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" |