From f8db77f490f1c75770621c497549a00c5b8183cd Mon Sep 17 00:00:00 2001 From: Rajkumar Veer Date: Fri, 3 Nov 2017 22:25:08 -0700 Subject: tiff: Security fix for CVE-2017-7594 (From OE-Core rev: 7bdb52d06a46ad659fc85db1992f9c6ab2fcf065) Signed-off-by: Rajkumar Veer Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- .../libtiff/files/CVE-2017-7594-p1.patch | 43 +++++++++++++++++++ .../libtiff/files/CVE-2017-7594-p2.patch | 50 ++++++++++++++++++++++ 2 files changed, 93 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p1.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p2.patch (limited to 'meta/recipes-multimedia/libtiff/files') diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p1.patch new file mode 100644 index 0000000000..5c7e4603cc --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p1.patch @@ -0,0 +1,43 @@ +rom 8283e4d1b7e53340684d12932880cbcbaf23a8c1 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Thu, 12 Jan 2017 17:43:25 +0000 + +* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable + when read fails. + Patch by Nicolas Pena. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 + +Upstream-Status: Backport + +CVE: CVE-2017-7594 #patch1 +Signed-off-by: Rajkumar Veer +Index: tiff-4.0.7/ChangeLog +=================================================================== +--- tiff-4.0.7.orig/ChangeLog 2017-04-24 16:13:15.000000000 +0530 ++++ tiff-4.0.7/ChangeLog 2017-04-24 16:50:26.465897646 +0530 +@@ -1,3 +1,10 @@ ++2017-01-12 Even Rouault ++ ++ * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable ++ when read fails. ++ Patch by Nicolás Peña. ++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 ++ + 2017-01-11 Even Rouault + + * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to +Index: tiff-4.0.7/libtiff/tif_ojpeg.c +=================================================================== +--- tiff-4.0.7.orig/libtiff/tif_ojpeg.c 2017-04-24 16:02:29.817973051 +0530 ++++ tiff-4.0.7/libtiff/tif_ojpeg.c 2017-04-24 16:52:27.349894477 +0530 +@@ -1918,7 +1918,10 @@ + rb[sizeof(uint32)+5+n]=o[n]; + p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); + if (p!=q) ++ { ++ _TIFFfree(rb); + return(0); ++ } + sp->actable[m]=rb; + sp->sos_tda[m]=(sp->sos_tda[m]|m); + } diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p2.patch new file mode 100644 index 0000000000..82a19c6810 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7594-p2.patch @@ -0,0 +1,50 @@ +From 2ea32f7372b65c24b2816f11c04bf59b5090d05b Mon Sep 17 00:00:00 2001 +From: erouault +Date: Thu, 12 Jan 2017 19:23:20 +0000 +Subject: [PATCH 2/2] * libtiff/tif_ojpeg.c: fix leak in + OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable and + OJPEGReadHeaderInfoSecTablesAcTable + +Upstream-status: Backport + +CVE: CVE-2017-7594 #patch2 +Signed-off-by: Rajkumar Veer +Index: tiff-4.0.7/ChangeLog +=================================================================== +--- tiff-4.0.7.orig/ChangeLog 2017-04-24 16:50:26.465897646 +0530 ++++ tiff-4.0.7/ChangeLog 2017-04-24 16:56:20.685888360 +0530 +@@ -1,6 +1,7 @@ + 2017-01-12 Even Rouault + +- * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable ++ * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable, ++ OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable + when read fails. + Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 +Index: tiff-4.0.7/libtiff/tif_ojpeg.c +=================================================================== +--- tiff-4.0.7.orig/libtiff/tif_ojpeg.c 2017-04-24 16:52:27.349894477 +0530 ++++ tiff-4.0.7/libtiff/tif_ojpeg.c 2017-04-24 16:59:20.001883660 +0530 +@@ -1790,7 +1790,10 @@ + TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); + p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64); + if (p!=64) ++ { ++ _TIFFfree(ob); + return(0); ++ } + sp->qtable[m]=ob; + sp->sof_tq[m]=m; + } +@@ -1854,7 +1857,10 @@ + rb[sizeof(uint32)+5+n]=o[n]; + p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); + if (p!=q) ++ { ++ _TIFFfree(rb); + return(0); ++ } + sp->dctable[m]=rb; + sp->sos_tda[m]=(m<<4); + } -- cgit v1.2.3-54-g00ecf