From 0af0466f0381a72b560f4f2852e1d19be7b6a7fb Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Wed, 26 Oct 2016 16:26:48 +0800
Subject: tiff: Security fix CVE-2016-3622
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622 http://www.openwall.com/lists/oss-security/2016/04/07/4 Patch from: https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
Signed-off-by: Yi Zhao
Signed-off-by: Ross Burton
---
 .../libtiff/files/CVE-2016-3622.patch | 129 +++++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 +
 2 files changed, 130 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
new file mode 100644
index 0000000000..0c8b7164e5
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
@@ -0,0 +1,129 @@
+From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
+From: bfriesen
+Date: Sat, 24 Sep 2016 23:11:55 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
+ to read floating point images.
+
+* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+requirements of floating point predictor (3). Fixes CVE-2016-3622
+"Divide By Zero in the tiff2rgba tool."
+
+CVE: CVE-2016-3622
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
+
+Signed-off-by: Yi Zhao
+---
+ ChangeLog | 11 ++++++++++-
+ libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
+ libtiff/tif_predict.c | 11 ++++++++++-
+ 3 files changed, 40 insertions(+), 20 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 26d6f47..a628277 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++2016-09-24 Bob Friesenhahn
++
++ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
++ read floating point images.
++
++ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
++ requirements of floating point predictor (3). Fixes CVE-2016-3622
++ "Divide By Zero in the tiff2rgba tool."
++
+ 2016-08-15 Even Rouault
+
+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 386cee0..3e689ee 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ td->td_bitspersample);
+ return (0);
+ }
++ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
++ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
++ return (0);
++ }
+ colorchannels = td->td_samplesperpixel - td->td_extrasamples;
+ if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
+ switch (colorchannels) {
+@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
+- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+- {
+- sprintf(emsg,
+- "Sorry, can not handle image with %s=%d, %s=%d",
+- "Samples/pixel", td->td_samplesperpixel,
+- "colorchannels", colorchannels);
+- return 0;
+- }
++ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels);
++ return 0;
++ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+- {
+- sprintf(emsg,
+- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+- "Samples/pixel", td->td_samplesperpixel,
+- "colorchannels", colorchannels,
+- "Bits/sample", td->td_bitspersample);
+- return 0;
+- }
++ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels,
++ "Bits/sample", td->td_bitspersample);
++ return 0;
++ }
+ break;
+- default:
++ default:
+ sprintf(emsg, "Sorry, can not handle image with 
%s=%d",
+ photoTag, photometric);
+ return (0);
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index 081eb11..555f2f9 100644
+--- a/libtiff/tif_predict.c
++++ b/libtiff/tif_predict.c
+@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
+ td->td_sampleformat);
+ return 0;
+ }
++ if (td->td_bitspersample != 16
++ && td->td_bitspersample != 24
++ && td->td_bitspersample != 32
++ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Floating point \"Predictor\" not supported with %d-bit samples",
++ td->td_bitspersample);
++ return 0;
++ }
+ break;
+ default:
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
+ }
+ /*
+ * Allocate buffer to keep the decoded bytes before
+- * rearranging in the ight order
++ * rearranging in the right order
+ */
+ }
+
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 466dfbb50d..796d86e8f8 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
 file://CVE-2016-3990.patch \
 file://CVE-2016-3991.patch \
 file://CVE-2016-3623.patch \
+ file://CVE-2016-3622.patch \
 "
 
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
--
cgit 1.2.3-korg
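Review bot: The bits-per-sample guard added to PredictorSetup in the tif_predict.c section ships with an unresolved question, `/* Should 64 be allowed? */`, and nothing beside it says why these four widths are the accepted set. The commit message ties the CVE to a divide-by-zero in fpAcc, so the property being enforced is presumably that bits-per-sample divided by 8 is a non-zero whole number of bytes; fpAcc is not part of this patch, so that should be confirmed against it. I would replace the question with a comment that states the invariant, for example `/* floating-point predictor works on whole-byte samples; other widths are rejected here so the decode path never sees a zero byte count */`, and settle whether 64 stays in the list. PredictorSetup starts and ends outside the visible lines.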
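Review bot: The new `file://CVE-2016-3622.patch` entry is order-sensitive, and the recipe does not record that. The ChangeLog section inside the added patch uses a `2016-08-15 Even Rouault` entry about `tools/rgb2ycbcr.c` as context, and that entry is presumably introduced by one of the earlier CVE patches in this list rather than by the tiff-${PV} tarball. If an earlier patch is later dropped or reordered, this security fix would stop applying cleanly or apply only with fuzz. Dropping the ChangeLog section from the backported patch would let it apply independently of the other entries, since the two libtiff/*.c sections carry the actual fix.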