summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
diff options
context:
space:
mode:
authorYi Zhao <yi.zhao@windriver.com>2017-08-22 08:58:35 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-08-23 08:44:41 +0100
commit5c89539edb17d01ffe82a1b2e7d092816003ecf3 (patch)
tree5e459df5c228ea38985c14cb81d2f94008c86d6b /meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
parent0724896f7a2092abf2f3bafa9fac96c5210d39a5 (diff)
downloadopenembedded-core-5c89539edb17d01ffe82a1b2e7d092816003ecf3.tar.gz
openembedded-core-5c89539edb17d01ffe82a1b2e7d092816003ecf3.tar.bz2
openembedded-core-5c89539edb17d01ffe82a1b2e7d092816003ecf3.zip
tiff: Security fixes
Fix CVE-2017-9147, CVE-2017-9936, CVE-2017-10668, CVE-2017-11335 References: https://nvd.nist.gov/vuln/detail/CVE-2017-9147 https://nvd.nist.gov/vuln/detail/CVE-2017-9936 https://nvd.nist.gov/vuln/detail/CVE-2017-10668 https://nvd.nist.gov/vuln/detail/CVE-2017-11335 Patches from: CVE-2017-9147: https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06 CVE-2017-9936: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a CVE-2017-10688: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 CVE-2017-11355: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch')
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch206
1 files changed, 206 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
new file mode 100644
index 0000000000..3392285901
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
@@ -0,0 +1,206 @@
+From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Thu, 1 Jun 2017 12:44:04 +0000
+Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+to behave differently depending on whether the codec is enabled or not, and
+thus can avoid stack based buffer overflows in a number of TIFF utilities
+such as tiffsplit, tiffcmp, thumbnail, etc.
+Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+Fixes:
+http://bugzilla.maptools.org/show_bug.cgi?id=2580
+http://bugzilla.maptools.org/show_bug.cgi?id=2693
+http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+http://bugzilla.maptools.org/show_bug.cgi?id=2441
+http://bugzilla.maptools.org/show_bug.cgi?id=2433
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06]
+
+CVE: CVE-2017-9147
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog | 20 ++++++++++
+ libtiff/tif_dir.h | 1 +
+ libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ libtiff/tif_dirread.c | 4 ++
+ 4 files changed, 128 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index ee8d9d0..5739292 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,23 @@
++2017-06-01 Even Rouault <even.rouault at spatialys.com>
++
++ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
++ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
++ codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
++ to behave differently depending on whether the codec is enabled or not, and
++ thus can avoid stack based buffer overflows in a number of TIFF utilities
++ such as tiffsplit, tiffcmp, thumbnail, etc.
++ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
++ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
++ Fixes:
++ http://bugzilla.maptools.org/show_bug.cgi?id=2580
++ http://bugzilla.maptools.org/show_bug.cgi?id=2693
++ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
++ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
++ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
++ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
++ http://bugzilla.maptools.org/show_bug.cgi?id=2441
++ http://bugzilla.maptools.org/show_bug.cgi?id=2433
++
+ 2017-05-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * configure.ac: libtiff 4.0.8 released.
+diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
+index e12b44b..5206be4 100644
+--- a/libtiff/tif_dir.h
++++ b/libtiff/tif_dir.h
+@@ -291,6 +291,7 @@ struct _TIFFField {
+ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
++extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+
+ #if defined(__cplusplus)
+ }
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index 0c8ef42..97c0df0 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n)
+ return 0;
+ }
+
++int
++_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
++{
++ /* Filter out non-codec specific tags */
++ switch (tag) {
++ /* Shared tags */
++ case TIFFTAG_PREDICTOR:
++ /* JPEG tags */
++ case TIFFTAG_JPEGTABLES:
++ /* OJPEG tags */
++ case TIFFTAG_JPEGIFOFFSET:
++ case TIFFTAG_JPEGIFBYTECOUNT:
++ case TIFFTAG_JPEGQTABLES:
++ case TIFFTAG_JPEGDCTABLES:
++ case TIFFTAG_JPEGACTABLES:
++ case TIFFTAG_JPEGPROC:
++ case TIFFTAG_JPEGRESTARTINTERVAL:
++ /* CCITT* */
++ case TIFFTAG_BADFAXLINES:
++ case TIFFTAG_CLEANFAXDATA:
++ case TIFFTAG_CONSECUTIVEBADFAXLINES:
++ case TIFFTAG_GROUP3OPTIONS:
++ case TIFFTAG_GROUP4OPTIONS:
++ break;
++ default:
++ return 1;
++ }
++ /* Check if codec specific tags are allowed for the current
++ * compression scheme (codec) */
++ switch (tif->tif_dir.td_compression) {
++ case COMPRESSION_LZW:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_PACKBITS:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_THUNDERSCAN:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_NEXT:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_JPEG:
++ if (tag == TIFFTAG_JPEGTABLES)
++ return 1;
++ break;
++ case COMPRESSION_OJPEG:
++ switch (tag) {
++ case TIFFTAG_JPEGIFOFFSET:
++ case TIFFTAG_JPEGIFBYTECOUNT:
++ case TIFFTAG_JPEGQTABLES:
++ case TIFFTAG_JPEGDCTABLES:
++ case TIFFTAG_JPEGACTABLES:
++ case TIFFTAG_JPEGPROC:
++ case TIFFTAG_JPEGRESTARTINTERVAL:
++ return 1;
++ }
++ break;
++ case COMPRESSION_CCITTRLE:
++ case COMPRESSION_CCITTRLEW:
++ case COMPRESSION_CCITTFAX3:
++ case COMPRESSION_CCITTFAX4:
++ switch (tag) {
++ case TIFFTAG_BADFAXLINES:
++ case TIFFTAG_CLEANFAXDATA:
++ case TIFFTAG_CONSECUTIVEBADFAXLINES:
++ return 1;
++ case TIFFTAG_GROUP3OPTIONS:
++ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
++ return 1;
++ break;
++ case TIFFTAG_GROUP4OPTIONS:
++ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
++ return 1;
++ break;
++ }
++ break;
++ case COMPRESSION_JBIG:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_DEFLATE:
++ case COMPRESSION_ADOBE_DEFLATE:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_PIXARLOG:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++ case COMPRESSION_SGILOG:
++ case COMPRESSION_SGILOG24:
++ /* No codec-specific tags */
++ break;
++ case COMPRESSION_LZMA:
++ if (tag == TIFFTAG_PREDICTOR)
++ return 1;
++ break;
++
++ }
++ return 0;
++}
++
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+
+ /*
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 1d4f0b9..f1dc3d7 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif)
+ goto bad;
+ dp->tdir_tag=IGNORE;
+ break;
++ default:
++ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
++ dp->tdir_tag=IGNORE;
++ break;
+ }
+ }
+ }
+--
+2.7.4
+