1 files changed, 206 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
new file mode 100644
index 0000000000..3392285901
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
@@ -0,0 +1,206 @@
+From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Thu, 1 Jun 2017 12:44:04 +0000
+Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+to behave differently depending on whether the codec is enabled or not, and
+thus can avoid stack based buffer overflows in a number of TIFF utilities
+such as tiffsplit, tiffcmp, thumbnail, etc.
+Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+Fixes:
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+http://bugzilla.maptools.org/show_bug.cgi?id=2693
+http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+http://bugzilla.maptools.org/show_bug.cgi?id=2441
+http://bugzilla.maptools.org/show_bug.cgi?id=2433
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06]
+CVE: CVE-2017-9147
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog             |  20 ++++++++++
+ libtiff/tif_dir.h     |   1 +
+ libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ libtiff/tif_dirread.c |   4 ++
+ 4 files changed, 128 insertions(+)
+diff --git a/ChangeLog b/ChangeLog
+index ee8d9d0..5739292 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,23 @@
+2017-06-01  Even Rouault <even.rouault at spatialys.com>
+
+       * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+       and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+       codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+       to behave differently depending on whether the codec is enabled or not, and
+       thus can avoid stack based buffer overflows in a number of TIFF utilities
+       such as tiffsplit, tiffcmp, thumbnail, etc.
+       Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+       (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+       Fixes:
+       http://bugzilla.maptools.org/show_bug.cgi?id=2580
+       http://bugzilla.maptools.org/show_bug.cgi?id=2693
+       http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+       http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+       http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+       http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+       http://bugzilla.maptools.org/show_bug.cgi?id=2441
+       http://bugzilla.maptools.org/show_bug.cgi?id=2433
+
+ 2017-05-21  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+ 
+        * configure.ac: libtiff 4.0.8 released.
+diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
+index e12b44b..5206be4 100644
+--- a/libtiff/tif_dir.h
+++ b/libtiff/tif_dir.h
+@@ -291,6 +291,7 @@ struct _TIFFField {
+ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern  TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+ 
+ #if defined(__cplusplus)
+ }
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index 0c8ef42..97c0df0 100644
+--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
+@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
+        return 0;
+ }
+ 
+int
+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+{
+       /* Filter out non-codec specific tags */
+       switch (tag) {
+           /* Shared tags */
+           case TIFFTAG_PREDICTOR:
+           /* JPEG tags */
+           case TIFFTAG_JPEGTABLES:
+           /* OJPEG tags */
+           case TIFFTAG_JPEGIFOFFSET:
+           case TIFFTAG_JPEGIFBYTECOUNT:
+           case TIFFTAG_JPEGQTABLES:
+           case TIFFTAG_JPEGDCTABLES:
+           case TIFFTAG_JPEGACTABLES:
+           case TIFFTAG_JPEGPROC:
+           case TIFFTAG_JPEGRESTARTINTERVAL:
+           /* CCITT* */
+           case TIFFTAG_BADFAXLINES:
+           case TIFFTAG_CLEANFAXDATA:
+           case TIFFTAG_CONSECUTIVEBADFAXLINES:
+           case TIFFTAG_GROUP3OPTIONS:
+           case TIFFTAG_GROUP4OPTIONS:
+               break;
+           default:
+               return 1;
+       }
+       /* Check if codec specific tags are allowed for the current
+        * compression scheme (codec) */
+       switch (tif->tif_dir.td_compression) {
+           case COMPRESSION_LZW:
+               if (tag == TIFFTAG_PREDICTOR)
+                   return 1;
+               break;
+           case COMPRESSION_PACKBITS:
+               /* No codec-specific tags */
+               break;
+           case COMPRESSION_THUNDERSCAN:
+               /* No codec-specific tags */
+               break;
+           case COMPRESSION_NEXT:
+               /* No codec-specific tags */
+               break;
+           case COMPRESSION_JPEG:
+               if (tag == TIFFTAG_JPEGTABLES)
+                   return 1;
+               break;
+           case COMPRESSION_OJPEG:
+               switch (tag) {
+                   case TIFFTAG_JPEGIFOFFSET:
+                   case TIFFTAG_JPEGIFBYTECOUNT:
+                   case TIFFTAG_JPEGQTABLES:
+                   case TIFFTAG_JPEGDCTABLES:
+                   case TIFFTAG_JPEGACTABLES:
+                   case TIFFTAG_JPEGPROC:
+                   case TIFFTAG_JPEGRESTARTINTERVAL:
+                       return 1;
+               }
+               break;
+           case COMPRESSION_CCITTRLE:
+           case COMPRESSION_CCITTRLEW:
+           case COMPRESSION_CCITTFAX3:
+           case COMPRESSION_CCITTFAX4:
+               switch (tag) {
+                   case TIFFTAG_BADFAXLINES:
+                   case TIFFTAG_CLEANFAXDATA:
+                   case TIFFTAG_CONSECUTIVEBADFAXLINES:
+                       return 1;
+                   case TIFFTAG_GROUP3OPTIONS:
+                       if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
+                           return 1;
+                       break;
+                   case TIFFTAG_GROUP4OPTIONS:
+                       if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
+                           return 1;
+                       break;
+               }
+               break;
+           case COMPRESSION_JBIG:
+               /* No codec-specific tags */
+               break;
+           case COMPRESSION_DEFLATE:
+           case COMPRESSION_ADOBE_DEFLATE:
+               if (tag == TIFFTAG_PREDICTOR)
+                   return 1;
+               break;
+          case COMPRESSION_PIXARLOG:
+               if (tag == TIFFTAG_PREDICTOR)
+                   return 1;
+               break;
+           case COMPRESSION_SGILOG:
+           case COMPRESSION_SGILOG24:
+               /* No codec-specific tags */
+               break;
+           case COMPRESSION_LZMA:
+               if (tag == TIFFTAG_PREDICTOR)
+                   return 1;
+               break;
+
+       }
+       return 0;
+}
+
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+ 
+ /*
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 1d4f0b9..f1dc3d7 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)
+                                                        goto bad;
+                                                dp->tdir_tag=IGNORE;
+                                                break;
+                                        default:
+                                            if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
+                                                dp->tdir_tag=IGNORE;
+                                            break;
+                                }
+                        }
+                }
+-- 
+2.7.4

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch new file mode 100644 index 0000000000..3392285901 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
@@ -0,0 +1,206 @@
	1	From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001
	2	From: erouault <erouault>
	3	Date: Thu, 1 Jun 2017 12:44:04 +0000
	4	Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
	5	and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
	6	codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
	7	to behave differently depending on whether the codec is enabled or not, and
	8	thus can avoid stack based buffer overflows in a number of TIFF utilities
	9	such as tiffsplit, tiffcmp, thumbnail, etc.
	10	Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
	11	(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
	12	Fixes:
	13	http://bugzilla.maptools.org/show_bug.cgi?id=2580
	14	http://bugzilla.maptools.org/show_bug.cgi?id=2693
	15	http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
	16	http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
	17	http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
	18	http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
	19	http://bugzilla.maptools.org/show_bug.cgi?id=2441
	20	http://bugzilla.maptools.org/show_bug.cgi?id=2433
	21
	22	Upstream-Status: Backport
	23	[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06]
	24
	25	CVE: CVE-2017-9147
	26
	27	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	28	---
	29	ChangeLog \| 20 ++++++++++
	30	libtiff/tif_dir.h \| 1 +
	31	libtiff/tif_dirinfo.c \| 103 ++++++++++++++++++++++++++++++++++++++++++++++++++
	32	libtiff/tif_dirread.c \| 4 ++
	33	4 files changed, 128 insertions(+)
	34
	35	diff --git a/ChangeLog b/ChangeLog
	36	index ee8d9d0..5739292 100644
	37	--- a/ChangeLog
	38	+++ b/ChangeLog
	39	@@ -1,3 +1,23 @@
	40	+2017-06-01 Even Rouault <even.rouault at spatialys.com>
	41	+
	42	+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
	43	+ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
	44	+ codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
	45	+ to behave differently depending on whether the codec is enabled or not, and
	46	+ thus can avoid stack based buffer overflows in a number of TIFF utilities
	47	+ such as tiffsplit, tiffcmp, thumbnail, etc.
	48	+ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
	49	+ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
	50	+ Fixes:
	51	+ http://bugzilla.maptools.org/show_bug.cgi?id=2580
	52	+ http://bugzilla.maptools.org/show_bug.cgi?id=2693
	53	+ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
	54	+ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
	55	+ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
	56	+ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
	57	+ http://bugzilla.maptools.org/show_bug.cgi?id=2441
	58	+ http://bugzilla.maptools.org/show_bug.cgi?id=2433
	59	+
	60	2017-05-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
	61
	62	* configure.ac: libtiff 4.0.8 released.
	63	diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
	64	index e12b44b..5206be4 100644
	65	--- a/libtiff/tif_dir.h
	66	+++ b/libtiff/tif_dir.h
	67	@@ -291,6 +291,7 @@ struct _TIFFField {
	68	extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
	69	extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
	70	extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
	71	+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
	72
	73	#if defined(__cplusplus)
	74	}
	75	diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
	76	index 0c8ef42..97c0df0 100644
	77	--- a/libtiff/tif_dirinfo.c
	78	+++ b/libtiff/tif_dirinfo.c
	79	@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
	80	return 0;
	81	}
	82
	83	+int
	84	+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
	85	+{
	86	+ /* Filter out non-codec specific tags */
	87	+ switch (tag) {
	88	+ /* Shared tags */
	89	+ case TIFFTAG_PREDICTOR:
	90	+ /* JPEG tags */
	91	+ case TIFFTAG_JPEGTABLES:
	92	+ /* OJPEG tags */
	93	+ case TIFFTAG_JPEGIFOFFSET:
	94	+ case TIFFTAG_JPEGIFBYTECOUNT:
	95	+ case TIFFTAG_JPEGQTABLES:
	96	+ case TIFFTAG_JPEGDCTABLES:
	97	+ case TIFFTAG_JPEGACTABLES:
	98	+ case TIFFTAG_JPEGPROC:
	99	+ case TIFFTAG_JPEGRESTARTINTERVAL:
	100	+ /* CCITT* */
	101	+ case TIFFTAG_BADFAXLINES:
	102	+ case TIFFTAG_CLEANFAXDATA:
	103	+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
	104	+ case TIFFTAG_GROUP3OPTIONS:
	105	+ case TIFFTAG_GROUP4OPTIONS:
	106	+ break;
	107	+ default:
	108	+ return 1;
	109	+ }
	110	+ /* Check if codec specific tags are allowed for the current
	111	+ * compression scheme (codec) */
	112	+ switch (tif->tif_dir.td_compression) {
	113	+ case COMPRESSION_LZW:
	114	+ if (tag == TIFFTAG_PREDICTOR)
	115	+ return 1;
	116	+ break;
	117	+ case COMPRESSION_PACKBITS:
	118	+ /* No codec-specific tags */
	119	+ break;
	120	+ case COMPRESSION_THUNDERSCAN:
	121	+ /* No codec-specific tags */
	122	+ break;
	123	+ case COMPRESSION_NEXT:
	124	+ /* No codec-specific tags */
	125	+ break;
	126	+ case COMPRESSION_JPEG:
	127	+ if (tag == TIFFTAG_JPEGTABLES)
	128	+ return 1;
	129	+ break;
	130	+ case COMPRESSION_OJPEG:
	131	+ switch (tag) {
	132	+ case TIFFTAG_JPEGIFOFFSET:
	133	+ case TIFFTAG_JPEGIFBYTECOUNT:
	134	+ case TIFFTAG_JPEGQTABLES:
	135	+ case TIFFTAG_JPEGDCTABLES:
	136	+ case TIFFTAG_JPEGACTABLES:
	137	+ case TIFFTAG_JPEGPROC:
	138	+ case TIFFTAG_JPEGRESTARTINTERVAL:
	139	+ return 1;
	140	+ }
	141	+ break;
	142	+ case COMPRESSION_CCITTRLE:
	143	+ case COMPRESSION_CCITTRLEW:
	144	+ case COMPRESSION_CCITTFAX3:
	145	+ case COMPRESSION_CCITTFAX4:
	146	+ switch (tag) {
	147	+ case TIFFTAG_BADFAXLINES:
	148	+ case TIFFTAG_CLEANFAXDATA:
	149	+ case TIFFTAG_CONSECUTIVEBADFAXLINES:
	150	+ return 1;
	151	+ case TIFFTAG_GROUP3OPTIONS:
	152	+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
	153	+ return 1;
	154	+ break;
	155	+ case TIFFTAG_GROUP4OPTIONS:
	156	+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
	157	+ return 1;
	158	+ break;
	159	+ }
	160	+ break;
	161	+ case COMPRESSION_JBIG:
	162	+ /* No codec-specific tags */
	163	+ break;
	164	+ case COMPRESSION_DEFLATE:
	165	+ case COMPRESSION_ADOBE_DEFLATE:
	166	+ if (tag == TIFFTAG_PREDICTOR)
	167	+ return 1;
	168	+ break;
	169	+ case COMPRESSION_PIXARLOG:
	170	+ if (tag == TIFFTAG_PREDICTOR)
	171	+ return 1;
	172	+ break;
	173	+ case COMPRESSION_SGILOG:
	174	+ case COMPRESSION_SGILOG24:
	175	+ /* No codec-specific tags */
	176	+ break;
	177	+ case COMPRESSION_LZMA:
	178	+ if (tag == TIFFTAG_PREDICTOR)
	179	+ return 1;
	180	+ break;
	181	+
	182	+ }
	183	+ return 0;
	184	+}
	185	+
	186	/* vim: set ts=8 sts=8 sw=8 noet: */
	187
	188	/*
	189	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
	190	index 1d4f0b9..f1dc3d7 100644
	191	--- a/libtiff/tif_dirread.c
	192	+++ b/libtiff/tif_dirread.c
	193	@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)
	194	goto bad;
	195	dp->tdir_tag=IGNORE;
	196	break;
	197	+ default:
	198	+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
	199	+ dp->tdir_tag=IGNORE;
	200	+ break;
	201	}
	202	}
	203	}
	204	--
	205	2.7.4
	206