diff options
author | Zhixiong Chi <zhixiong.chi@windriver.com> | 2016-11-14 17:46:52 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-01-11 11:46:40 +0000 |
commit | cc266584158c8dfc8583d21534665b6152a4f7ee (patch) | |
tree | a217e9793563e9bd929effbe36adf1f86057baf0 | |
parent | aece2afafbd304adee30978537b9404a9344dd4e (diff) | |
download | openembedded-core-cc266584158c8dfc8583d21534665b6152a4f7ee.tar.gz openembedded-core-cc266584158c8dfc8583d21534665b6152a4f7ee.tar.bz2 openembedded-core-cc266584158c8dfc8583d21534665b6152a4f7ee.zip |
tiff: Security fix CVE-2016-3658
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool
allows remote attackers to cause a denial of service (out-of-bounds read) via vectors
involving the ma variable.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658
http://bugzilla.maptools.org/show_bug.cgi?id=2546
Patch from:
https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
(From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch | 111 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 |
2 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch new file mode 100644 index 0000000000..6cb12f2907 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch @@ -0,0 +1,111 @@ +From: 45c68450bef8ad876f310b495165c513cad8b67d +From: Even Rouault <even.rouault@spatialys.com> + +* libtiff/tif_dir.c: discard values of SMinSampleValue and +SMaxSampleValue when they have been read and the value of +SamplesPerPixel is changed afterwards (like when reading a +OJPEG compressed image with a missing SamplesPerPixel tag, +and whose photometric is RGB or YCbCr, forcing SamplesPerPixel +being 3). Otherwise when rewriting the directory (for example +with tiffset, we will expect 3 values whereas the array had been +allocated with just one), thus causing a out of bound read access. +Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 +(CVE-2014-8127, duplicate: CVE-2016-3658) + +* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset +when writing directory, if FIELD_STRIPOFFSETS was artificially set +for a hack case in OJPEG case. +Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 +(CVE-2014-8127, duplicate: CVE-2016-3658) + +CVE: CVE-2016-3658 +Upstream-Status: Backport +https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d + +Signed-off-by: Zhixiong.Chi <zhixiong.chi@windriver.com> + +Index: tiff-4.0.6/ChangeLog +=================================================================== +--- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800 ++++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800 +@@ -1,3 +1,22 @@ ++2016-10-25 Even Rouault <even.rouault at spatialys.com> ++ ++ * libtiff/tif_dir.c: discard values of SMinSampleValue and ++ SMaxSampleValue when they have been read and the value of ++ SamplesPerPixel is changed afterwards (like when reading a ++ OJPEG compressed image with a missing SamplesPerPixel tag, ++ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel ++ being 3). Otherwise when rewriting the directory (for example ++ with tiffset, we will expect 3 values whereas the array had been ++ allocated with just one), thus causing a out of bound read access. ++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 ++ (CVE-2014-8127, duplicate: CVE-2016-3658) ++ ++ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset ++ when writing directory, if FIELD_STRIPOFFSETS was artificially set ++ for a hack case in OJPEG case. ++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 ++ (CVE-2014-8127, duplicate: CVE-2016-3658) ++ + 2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> + + * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to +Index: tiff-4.0.6/libtiff/tif_dir.c +=================================================================== +--- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800 ++++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800 +@@ -254,6 +254,28 @@ + v = (uint16) va_arg(ap, uint16_vap); + if (v == 0) + goto badvalue; ++ if( v != td->td_samplesperpixel ) ++ { ++ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */ ++ if( td->td_sminsamplevalue != NULL ) ++ { ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "SamplesPerPixel tag value is changing, " ++ "but SMinSampleValue tag was read with a different value. Cancelling it"); ++ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE); ++ _TIFFfree(td->td_sminsamplevalue); ++ td->td_sminsamplevalue = NULL; ++ } ++ if( td->td_smaxsamplevalue != NULL ) ++ { ++ TIFFWarningExt(tif->tif_clientdata,module, ++ "SamplesPerPixel tag value is changing, " ++ "but SMaxSampleValue tag was read with a different value. Cancelling it"); ++ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE); ++ _TIFFfree(td->td_smaxsamplevalue); ++ td->td_smaxsamplevalue = NULL; ++ } ++ } + td->td_samplesperpixel = (uint16) v; + break; + case TIFFTAG_ROWSPERSTRIP: +Index: tiff-4.0.6/libtiff/tif_dirwrite.c +=================================================================== +--- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800 ++++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800 +@@ -542,7 +542,19 @@ + { + if (!isTiled(tif)) + { +- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) ++ /* td_stripoffset might be NULL in an odd OJPEG case. See ++ * tif_dirread.c around line 3634. ++ * XXX: OJPEG hack. ++ * If a) compression is OJPEG, b) it's not a tiled TIFF, ++ * and c) the number of strips is 1, ++ * then we tolerate the absence of stripoffsets tag, ++ * because, presumably, all required data is in the ++ * JpegInterchangeFormat stream. ++ * We can get here when using tiffset on such a file. ++ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500 ++ */ ++ if (tif->tif_dir.td_stripoffset != NULL && ++ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) + goto bad; + } + else diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index 796d86e8f8..edd560fa08 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb @@ -15,6 +15,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2016-3991.patch \ file://CVE-2016-3623.patch \ file://CVE-2016-3622.patch \ + file://CVE-2016-3658.patch \ " SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" |