tiff: Security fix for CVE-2017-7593

(From OE-Core rev: b6ec8ab42befaa07c859a5c5cc14611b821a1304) Signed-off-by: Rajkumar Veer <rveer@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Rajkumar Veer <rveer@mvista.com> 2017-11-03 22:35:09 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-05 22:39:49 +0000
commit: a2ad903fa96790a7a529b4bee7c1bb3da0234cdc (patch)
tree: c3cfea1a4686f9832ac35581e3b1143a72d2b603 /meta/recipes-multimedia/libtiff
parent: 2aed68963f5c73985d02f3d378a7614169e09602 (diff)
download: poky-a2ad903fa96790a7a529b4bee7c1bb3da0234cdc.tar.gz
2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
new file mode 100644
index 0000000000..380dfcbbba
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
@@ -0,0 +1,98 @@
+From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Wed, 11 Jan 2017 19:02:49 +0000
+Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
+ _TIFFcalloc()
+* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+initialize tif_rawdata.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+Upstream-Status: Backport
+CVE: CVE-2017-7593
+Signed-off-by: Rajkumar Veer <rveer@mvista.com>
+Index: tiff-4.0.7/ChangeLog
+===================================================================
+--- tiff-4.0.7.orig/ChangeLog   2017-04-25 19:03:20.584155452 +0530
+++ tiff-4.0.7/ChangeLog        2017-04-26 12:09:41.986866896 +0530
+@@ -44,6 +44,14 @@
+ 
+ 2017-01-11 Even Rouault <even.rouault at spatialys.com>
+ 
+       * libtiff/tiffiop.h, tif_unix.c, tif_win32.c : add _TIFFcalloc()
+
+       * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
+       initialize tif_rawdata.
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
+        avoid UndefinedBehaviorSanitizer warning.
+        Patch by Nicolas Pena.
+Index: tiff-4.0.7/libtiff/tif_read.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_read.c  2017-04-25 19:03:20.584155452 +0530
+++ tiff-4.0.7/libtiff/tif_read.c       2017-04-26 12:11:42.814863729 +0530
+@@ -986,7 +986,9 @@
+                                 "Invalid buffer size");
+                    return (0);
+                }
+-               tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
+                /* Initialize to zero to avoid uninitialized buffers in case of */
+                /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
+                tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+                tif->tif_flags |= TIFF_MYBUFFER;
+        }
+        if (tif->tif_rawdata == NULL) {
+Index: tiff-4.0.7/libtiff/tif_unix.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_unix.c  2015-08-29 03:46:22.707817041 +0530
+++ tiff-4.0.7/libtiff/tif_unix.c       2017-04-26 12:13:07.442861510 +0530
+@@ -316,6 +316,14 @@
+        return (malloc((size_t) s));
+ }
+ 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+    if( nmemb == 0 || siz == 0 )
+        return ((void *) NULL);
+
+    return calloc((size_t) nmemb, (size_t)siz);
+}
+
+ void
+ _TIFFfree(void* p)
+ {
+Index: tiff-4.0.7/libtiff/tif_win32.c
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tif_win32.c 2015-08-29 03:46:22.730570169 +0530
+++ tiff-4.0.7/libtiff/tif_win32.c      2017-04-26 12:14:12.918859794 +0530
+@@ -360,6 +360,14 @@
+        return (malloc((size_t) s));
+ }
+ 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+    if( nmemb == 0 || siz == 0 )
+        return ((void *) NULL);
+
+    return calloc((size_t) nmemb, (size_t)siz);
+}
+
+ void
+ _TIFFfree(void* p)
+ {
+Index: tiff-4.0.7/libtiff/tiffio.h
+===================================================================
+--- tiff-4.0.7.orig/libtiff/tiffio.h    2016-01-24 21:09:51.894442042 +0530
+++ tiff-4.0.7/libtiff/tiffio.h 2017-04-26 12:15:55.034857117 +0530
+@@ -293,6 +293,7 @@
+  */
+ 
+ extern void* _TIFFmalloc(tmsize_t s);
+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 126cad13fd..866e8526ec 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2017-7598.patch \
           file://CVE-2017-7601.patch \
           file://CVE-2017-7602.patch \
+           file://CVE-2017-7593.patch \
        "
 SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
author	Rajkumar Veer <rveer@mvista.com>	2017-11-03 22:35:09 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-05 22:39:49 +0000
commit	a2ad903fa96790a7a529b4bee7c1bb3da0234cdc (patch)
tree	c3cfea1a4686f9832ac35581e3b1143a72d2b603 /meta/recipes-multimedia/libtiff
parent	2aed68963f5c73985d02f3d378a7614169e09602 (diff)
download	poky-a2ad903fa96790a7a529b4bee7c1bb3da0234cdc.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch new file mode 100644 index 0000000000..380dfcbbba --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-7593.patch
@@ -0,0 +1,98 @@
		1	From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
		2	From: erouault <erouault>
		3	Date: Wed, 11 Jan 2017 19:02:49 +0000
		4	Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
		5	_TIFFcalloc()
		6
		7	* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
		8	initialize tif_rawdata.
		9	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
		10
		11	Upstream-Status: Backport
		12
		13	CVE: CVE-2017-7593
		14	Signed-off-by: Rajkumar Veer <rveer@mvista.com>
		15	Index: tiff-4.0.7/ChangeLog
		16	===================================================================
		17	--- tiff-4.0.7.orig/ChangeLog 2017-04-25 19:03:20.584155452 +0530
		18	+++ tiff-4.0.7/ChangeLog 2017-04-26 12:09:41.986866896 +0530
		19	@@ -44,6 +44,14 @@
		20
		21	2017-01-11 Even Rouault <even.rouault at spatialys.com>
		22
		23	+ * libtiff/tiffiop.h, tif_unix.c, tif_win32.c : add _TIFFcalloc()
		24	+
		25	+ * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
		26	+ initialize tif_rawdata.
		27	+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
		28	+
		29	+2017-01-11 Even Rouault <even.rouault at spatialys.com>
		30	+
		31	* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
		32	avoid UndefinedBehaviorSanitizer warning.
		33	Patch by Nicolas Pena.
		34	Index: tiff-4.0.7/libtiff/tif_read.c
		35	===================================================================
		36	--- tiff-4.0.7.orig/libtiff/tif_read.c 2017-04-25 19:03:20.584155452 +0530
		37	+++ tiff-4.0.7/libtiff/tif_read.c 2017-04-26 12:11:42.814863729 +0530
		38	@@ -986,7 +986,9 @@
		39	"Invalid buffer size");
		40	return (0);
		41	}
		42	- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
		43	+ /* Initialize to zero to avoid uninitialized buffers in case of */
		44	+ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
		45	+ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
		46	tif->tif_flags \|= TIFF_MYBUFFER;
		47	}
		48	if (tif->tif_rawdata == NULL) {
		49	Index: tiff-4.0.7/libtiff/tif_unix.c
		50	===================================================================
		51	--- tiff-4.0.7.orig/libtiff/tif_unix.c 2015-08-29 03:46:22.707817041 +0530
		52	+++ tiff-4.0.7/libtiff/tif_unix.c 2017-04-26 12:13:07.442861510 +0530
		53	@@ -316,6 +316,14 @@
		54	return (malloc((size_t) s));
		55	}
		56
		57	+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
		58	+{
		59	+ if( nmemb == 0 \|\| siz == 0 )
		60	+ return ((void *) NULL);
		61	+
		62	+ return calloc((size_t) nmemb, (size_t)siz);
		63	+}
		64	+
		65	void
		66	_TIFFfree(void* p)
		67	{
		68	Index: tiff-4.0.7/libtiff/tif_win32.c
		69	===================================================================
		70	--- tiff-4.0.7.orig/libtiff/tif_win32.c 2015-08-29 03:46:22.730570169 +0530
		71	+++ tiff-4.0.7/libtiff/tif_win32.c 2017-04-26 12:14:12.918859794 +0530
		72	@@ -360,6 +360,14 @@
		73	return (malloc((size_t) s));
		74	}
		75
		76	+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
		77	+{
		78	+ if( nmemb == 0 \|\| siz == 0 )
		79	+ return ((void *) NULL);
		80	+
		81	+ return calloc((size_t) nmemb, (size_t)siz);
		82	+}
		83	+
		84	void
		85	_TIFFfree(void* p)
		86	{
		87	Index: tiff-4.0.7/libtiff/tiffio.h
		88	===================================================================
		89	--- tiff-4.0.7.orig/libtiff/tiffio.h 2016-01-24 21:09:51.894442042 +0530
		90	+++ tiff-4.0.7/libtiff/tiffio.h 2017-04-26 12:15:55.034857117 +0530
		91	@@ -293,6 +293,7 @@
		92	*/
		93
		94	extern void* _TIFFmalloc(tmsize_t s);
		95	+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
		96	extern void* _TIFFrealloc(void* p, tmsize_t s);
		97	extern void _TIFFmemset(void* p, int v, tmsize_t c);
		98	extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 126cad13fd..866e8526ec 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
26	file://CVE-2017-7598.patch \	26	file://CVE-2017-7598.patch \
27	file://CVE-2017-7601.patch \	27	file://CVE-2017-7601.patch \
28	file://CVE-2017-7602.patch \	28	file://CVE-2017-7602.patch \
		29	file://CVE-2017-7593.patch \
29	"	30	"
30		31
31	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"	32	SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"