tiff: Security fix CVE-2016-3622

CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622 http://www.openwall.com/lists/oss-security/2016/04/07/4 Patch from: https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286 (From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Yi Zhao <yi.zhao@windriver.com> 2016-10-26 16:26:48 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-11-16 10:33:34 +0000
commit: 928eadf8442cf87fb2d4159602bd732336d74bb7 (patch)
tree: 96b9e22fcad8baee962a30ccf1aa7fcf838e9885 /meta/recipes-multimedia
parent: f0e77ffa6bbc3adc61a2abd5dbc9228e830c055d (diff)
download: openembedded-core-928eadf8442cf87fb2d4159602bd732336d74bb7.tar.gz
openembedded-core-928eadf8442cf87fb2d4159602bd732336d74bb7.tar.bz2
openembedded-core-928eadf8442cf87fb2d4159602bd732336d74bb7.zip
2 files changed, 130 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
new file mode 100644
index 0000000000..0c8b7164e5
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
@@ -0,0 +1,129 @@
+From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
+From: bfriesen <bfriesen>
+Date: Sat, 24 Sep 2016 23:11:55 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
+ to read floating point images.
+
+* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+requirements of floating point predictor (3).  Fixes CVE-2016-3622
+"Divide By Zero in the tiff2rgba tool."
+
+CVE: CVE-2016-3622
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
+
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ ChangeLog              | 11 ++++++++++-
+ libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
+ libtiff/tif_predict.c  | 11 ++++++++++-
+ 3 files changed, 40 insertions(+), 20 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 26d6f47..a628277 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++2016-09-24  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
++
++	* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
++	read floating point images.
++
++	* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
++	requirements of floating point predictor (3).  Fixes CVE-2016-3622
++	"Divide By Zero in the tiff2rgba tool."
++
+ 2016-08-15 Even Rouault <even.rouault at spatialys.com>
+ 
+ 	* tools/rgb2ycbcr.c: validate values of -v and -h parameters to
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 386cee0..3e689ee 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ 			    td->td_bitspersample);
+ 			return (0);
+ 	}
++        if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
++                sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
++                return (0);
++        }
+ 	colorchannels = td->td_samplesperpixel - td->td_extrasamples;
+ 	if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
+ 		switch (colorchannels) {
+@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ 				    "Planarconfiguration", td->td_planarconfig);
+ 				return (0);
+ 			}
+-			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+-            {
+-                sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d, %s=%d",
+-                        "Samples/pixel", td->td_samplesperpixel,
+-                        "colorchannels", colorchannels);
+-                return 0;
+-            }
++			if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
++                                sprintf(emsg,
++                                        "Sorry, can not handle image with %s=%d, %s=%d",
++                                        "Samples/pixel", td->td_samplesperpixel,
++                                        "colorchannels", colorchannels);
++                                return 0;
++                        }
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
+-            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+-            {
+-                sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+-                        "Samples/pixel", td->td_samplesperpixel,
+-                        "colorchannels", colorchannels,
+-                        "Bits/sample", td->td_bitspersample);
+-                return 0;
+-            }
++                        if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
++                                sprintf(emsg,
++                                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
++                                        "Samples/pixel", td->td_samplesperpixel,
++                                        "colorchannels", colorchannels,
++                                        "Bits/sample", td->td_bitspersample);
++                                return 0;
++                        }
+ 			break;
+-		default:
++                default:
+ 			sprintf(emsg, "Sorry, can not handle image with %s=%d",
+ 			    photoTag, photometric);
+ 			return (0);
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index 081eb11..555f2f9 100644
+--- a/libtiff/tif_predict.c
++++ b/libtiff/tif_predict.c
+@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
+ 				    td->td_sampleformat);
+ 				return 0;
+ 			}
++                        if (td->td_bitspersample != 16
++                            && td->td_bitspersample != 24
++                            && td->td_bitspersample != 32
++                            && td->td_bitspersample != 64) { /* Should 64 be allowed? */
++                                TIFFErrorExt(tif->tif_clientdata, module,
++                                             "Floating point \"Predictor\" not supported with %d-bit samples",
++                                             td->td_bitspersample);
++				return 0;
++                            }
+ 			break;
+ 		default:
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
+ 		}
+ 		/*
+ 		 * Allocate buffer to keep the decoded bytes before
+-		 * rearranging in the ight order
++		 * rearranging in the right order
+ 		 */
+ 	}
+ 
+-- 
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 466dfbb50d..796d86e8f8 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2016-3990.patch \
            file://CVE-2016-3991.patch \
            file://CVE-2016-3623.patch \
+           file://CVE-2016-3622.patch \
           "
 
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
author	Yi Zhao <yi.zhao@windriver.com>	2016-10-26 16:26:48 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-11-16 10:33:34 +0000
commit	928eadf8442cf87fb2d4159602bd732336d74bb7 (patch)
tree	96b9e22fcad8baee962a30ccf1aa7fcf838e9885 /meta/recipes-multimedia
parent	f0e77ffa6bbc3adc61a2abd5dbc9228e830c055d (diff)
download	openembedded-core-928eadf8442cf87fb2d4159602bd732336d74bb7.tar.gz openembedded-core-928eadf8442cf87fb2d4159602bd732336d74bb7.tar.bz2 openembedded-core-928eadf8442cf87fb2d4159602bd732336d74bb7.zip