openembedded-core.git/meta/recipes-multimedia/libtiff/files, branch master-next2 Mirror of openembedded-core libtiff: Security Advisory - libtiff - CVE-2017-5225 2017-01-31T14:40:17+00:00 Li Zhou li.zhou@windriver.com 2017-01-25T09:28:22+00:00 434990304bdfb70441b399ff8998dbe3fe1b1e1f Libtiff is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. Porting patch from <https://github.com/vadz/libtiff/commit/ 5c080298d59efa53264d7248bbe3a04660db6ef7> to solve CVE-2017-5225. Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Libtiff is vulnerable to a heap buffer overflow in the tools/tiffcp
resulting in DoS or code execution via a crafted BitsPerSample value.

Porting patch from <https://github.com/vadz/libtiff/commit/
5c080298d59efa53264d7248bbe3a04660db6ef7> to solve CVE-2017-5225.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
libtiff: Update to 4.0.7 2016-12-13T22:47:33+00:00 Armin Kuster akuster808@gmail.com 2016-12-10T17:38:43+00:00 9945cbccc4c737c84ad441773061acbf90c7baed Major changes: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos. CVEs fixed: CVE-2016-9297 CVE-2016-9448 CVE-2016-9273 CVE-2014-8127 CVE-2016-3658 CVE-2016-5875 CVE-2016-5652 CVE-2016-3632 plus more that are not identified in the changelog. removed patches integrated into update. more info: http://libtiff.maptools.org/v4.0.7.html Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Major changes:
The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos.

CVEs fixed:
CVE-2016-9297
CVE-2016-9448
CVE-2016-9273
CVE-2014-8127
CVE-2016-3658
CVE-2016-5875
CVE-2016-5652
CVE-2016-3632

plus more that are not identified in the changelog.

removed patches integrated into update.
more info: http://libtiff.maptools.org/v4.0.7.html

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
tiff: Fix several CVE issues 2016-12-08T10:26:11+00:00 Mingli Yu Mingli.Yu@windriver.com 2016-12-07T08:01:13+00:00 f75ecefee21ef89b147fff9afae01a6f09c93198 Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537 External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9533 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9534 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9536 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9537 Patch from: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-c8b4b355f9b5c06d585b23138e1c185f Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and
CVE-2016-9537

External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9533
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9534
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9536
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9537

Patch from:
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-c8b4b355f9b5c06d585b23138e1c185f

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
tiff: Security fix CVE-2016-9538 2016-12-08T10:26:11+00:00 Mingli Yu Mingli.Yu@windriver.com 2016-12-07T08:01:12+00:00 9af5d5ea882c853e4cb15006f990d3814eeea9ae * tools/tiffcrop.c: fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16 overflow. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9538 Patch from: https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow.

External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9538

Patch from:
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
tiff: Security fix CVE-2016-9535 2016-12-08T10:26:11+00:00 Mingli Yu Mingli.Yu@windriver.com 2016-12-07T08:01:11+00:00 61d3feb9cad9f61f6551b43f4f19bfa33cadd275 * libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535 Patch from: https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
* libtiff/tif_predict.h, libtiff/tif_predict.c:
Replace assertions by runtime checks to avoid assertions in debug mode,
or buffer overflows in release mode. Can happen when dealing with
unusual tile size like YCbCr with subsampling.

External References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535

Patch from:
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
tiff: Security fix CVE-2016-9539 2016-11-30T15:47:15+00:00 Zhixiong Chi zhixiong.chi@windriver.com 2016-11-28T09:52:13+00:00 58bf0a237ca28459eb8c3afa030c0054f5bc1f16 tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9539 Patch from: https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53 Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in
readContigTilesIntoBuffer(). Reported as MSVR 35092.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9539

Patch from:
https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
tiff: Security fix CVE-2016-9540 2016-11-30T15:47:15+00:00 Zhixiong Chi zhixiong.chi@windriver.com 2016-11-28T08:12:04+00:00 cc97dc66006c7892473e3b4790d05e12445bb927 tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow." External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9540 Patch from: https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled
images with odd tile width versus image width. Reported as MSVR 35103,
aka "cpStripToTile heap-buffer-overflow."

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9540

Patch from:
https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
tiff: Security fix CVE-2016-3632 2016-11-23T11:02:32+00:00 Yi Zhao yi.zhao@windriver.com 2016-11-17T08:08:10+00:00 9206c86239717718be840a32724fd1c190929370 CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3632 http://bugzilla.maptools.org/show_bug.cgi?id=2549 https://bugzilla.redhat.com/show_bug.cgi?id=1325095 The patch is from RHEL7. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of
service (out-of-bounds write) or execute arbitrary code via a crafted
TIFF image.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3632
http://bugzilla.maptools.org/show_bug.cgi?id=2549
https://bugzilla.redhat.com/show_bug.cgi?id=1325095

The patch is from RHEL7.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
tiff: Security fix CVE-2016-3658 2016-11-23T11:02:26+00:00 Zhixiong Chi zhixiong.chi@windriver.com 2016-11-14T09:46:52+00:00 c060e91d2838f976774d074ef07c9e7cf709f70a The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658 http://bugzilla.maptools.org/show_bug.cgi?id=2546 Patch from: https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool
allows remote attackers to cause a denial of service (out-of-bounds read) via vectors
involving the ma variable.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658
http://bugzilla.maptools.org/show_bug.cgi?id=2546

Patch from:
https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
tiff: Security fix CVE-2016-3622 2016-11-06T23:35:16+00:00 Yi Zhao yi.zhao@windriver.com 2016-10-26T08:26:48+00:00 0af0466f0381a72b560f4f2852e1d19be7b6a7fb CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622 http://www.openwall.com/lists/oss-security/2016/04/07/4 Patch from: https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the
tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (divide-by-zero error) via a crafted TIFF
image.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622
http://www.openwall.com/lists/oss-security/2016/04/07/4

Patch from:
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>