diff options
author | Armin Kuster <akuster808@gmail.com> | 2016-12-10 09:38:43 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-01-11 11:46:52 +0000 |
commit | 009b330591b27bd14d4c8ceb767c78fd7eb924fd (patch) | |
tree | 6398be266c7c5fad81a81c691141db811aa9c305 /meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch | |
parent | a4888a63620fa05e1399355d9e20c2da586efb4c (diff) | |
download | openembedded-core-009b330591b27bd14d4c8ceb767c78fd7eb924fd.tar.gz openembedded-core-009b330591b27bd14d4c8ceb767c78fd7eb924fd.tar.bz2 openembedded-core-009b330591b27bd14d4c8ceb767c78fd7eb924fd.zip |
libtiff: Update to 4.0.7
Major changes:
The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos.
CVEs fixed:
CVE-2016-9297
CVE-2016-9448
CVE-2016-9273
CVE-2014-8127
CVE-2016-3658
CVE-2016-5875
CVE-2016-5652
CVE-2016-3632
plus more that are not identified in the changelog.
removed patches integrated into update.
more info: http://libtiff.maptools.org/v4.0.7.html
(From OE-Core rev: 9945cbccc4c737c84ad441773061acbf90c7baed)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch | 66 |
1 files changed, 0 insertions, 66 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch deleted file mode 100644 index 7bf52ee5dc..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 15 Aug 2016 20:49:48 +0000 -Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in - PixarLogEncode if more input samples are provided than expected by - PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and - simpler check. (bugzilla #2544) - -invalid tests that rejected valid files. (bugzilla #2545) - -CVE: CVE-2016-3990 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 - -Signed-off-by: Yi Zhao <yi.zhao@windirver.com> ---- - ChangeLog | 10 +++++++++- - libtiff/tif_pixarlog.c | 7 +++++++ - 2 files changed, 16 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index 9c0ab29..db4ea18 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,10 +1,18 @@ - 2016-08-15 Even Rouault <even.rouault at spatialys.com> - -+ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode -+ if more input samples are provided than expected by PixarLogSetupEncode. -+ Idea based on libtiff-CVE-2016-3990.patch from -+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and -+ simpler check. (bugzilla #2544) -+ -+2016-08-15 Even Rouault <even.rouault at spatialys.com> -+ - * tools/tiff2rgba.c: Fix integer overflow in size of allocated - buffer, when -b mode is enabled, that could result in out-of-bounds - write. Based initially on patch tiff-CVE-2016-3945.patch from - libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for -- invalid tests that rejected valid files. -+ invalid tests that rejected valid files. (bugzilla #2545) - - 2016-07-11 Even Rouault <even.rouault at spatialys.com> - -diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c -index e78f788..28329d1 100644 ---- a/libtiff/tif_pixarlog.c -+++ b/libtiff/tif_pixarlog.c -@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - } - - llen = sp->stride * td->td_imagewidth; -+ /* Check against the number of elements (of size uint16) of sp->tbuf */ -+ if( n > td->td_rowsperstrip * llen ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Too many input bytes provided"); -+ return 0; -+ } - - for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { - switch (sp->user_datafmt) { --- -2.7.4 - |