From df894b523d74f8fd723d1c8fb03f55e46c6af0f5 Mon Sep 17 00:00:00 2001 From: Huang Qiyu Date: Thu, 18 Jan 2018 10:29:37 +0800 Subject: tiff: 4.0.8 -> 4.0.9 1.Upgrade tiff from 4.0.8 to 4.0.9. 2.Delete CVE-2017-10688.patch, CVE-2017-11335.patch, CVE-2017-13726.patch, CVE-2017-13727.patch, CVE-2017-9147.patch, CVE-2017-9936.patch, since it is integrated upstream. Signed-off-by: Huang Qiyu Signed-off-by: Ross Burton --- .../libtiff/files/CVE-2017-10688.patch | 91 --------- .../libtiff/files/CVE-2017-11335.patch | 54 ------ .../libtiff/files/CVE-2017-13726.patch | 54 ------ .../libtiff/files/CVE-2017-13727.patch | 65 ------- .../libtiff/files/CVE-2017-9147.patch | 206 --------------------- .../libtiff/files/CVE-2017-9936.patch | 49 ----- meta/recipes-multimedia/libtiff/tiff_4.0.8.bb | 54 ------ meta/recipes-multimedia/libtiff/tiff_4.0.9.bb | 48 +++++ 8 files changed, 48 insertions(+), 573 deletions(-) delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch delete mode 100644 meta/recipes-multimedia/libtiff/tiff_4.0.8.bb create mode 100644 meta/recipes-multimedia/libtiff/tiff_4.0.9.bb diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch deleted file mode 100644 index b0db96949f..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Fri, 30 Jun 2017 17:29:44 +0000 -Subject: [PATCH] * libtiff/tif_dirwrite.c: in - TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8 - data type, replace assertion that the file is BigTIFF, by a non-fatal error. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team - OWL337 - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1] - -CVE: CVE-2017-10688 - -Signed-off-by: Yi Zhao ---- - ChangeLog | 8 ++++++++ - libtiff/tif_dirwrite.c | 20 ++++++++++++++++---- - 2 files changed, 24 insertions(+), 4 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 0240f0b..42eaeb7 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,11 @@ -+2017-06-30 Even Rouault -+ -+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() -+ functions associated with LONG8/SLONG8 data type, replace assertion that -+ the file is BigTIFF, by a non-fatal error. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 -+ Reported by team OWL337 -+ - 2017-06-26 Even Rouault - - * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index 2967da5..8d6686b 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui - { - uint64 m; - assert(sizeof(uint64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - m=value; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabLong8(&m); -@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di - { - assert(count<0x20000000); - assert(sizeof(uint64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong8(value,count); - return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); -@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u - { - int64 m; - assert(sizeof(int64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - m=value; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabLong8((uint64*)(&m)); -@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d - { - assert(count<0x20000000); - assert(sizeof(int64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong8((uint64*)value,count); - return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch deleted file mode 100644 index d08e7612b7..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch +++ /dev/null @@ -1,54 +0,0 @@ -From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 15 Jul 2017 11:13:46 +0000 -Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in - "Raw" mode on PlanarConfig=Contig input images. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337 - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556] - -CVE: CVE-2017-11355 - -Signed-off-by: Yi Zhao ---- - ChangeLog | 7 +++++++ - tools/tiff2pdf.c | 7 ++++++- - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index 42eaeb7..6980da8 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,10 @@ -+2017-07-15 Even Rouault -+ -+ * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" -+ mode on PlanarConfig=Contig input images. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 -+ Reported by team OWL337 -+ - 2017-06-30 Even Rouault - - * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index db196e0..cd1e235 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - return; - - t2p->pdf_transcode = T2P_TRANSCODE_ENCODE; -- if(t2p->pdf_nopassthrough==0){ -+ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */ -+ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */ -+ /* do not take into account the number of samples, and thus */ -+ /* that can cause heap buffer overflows such as in */ -+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */ -+ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){ - #ifdef CCITT_SUPPORT - if(t2p->tiff_compression==COMPRESSION_CCITTFAX4 - ){ --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch deleted file mode 100644 index c60ffa698d..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Wed, 23 Aug 2017 13:21:41 +0000 -Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not - finding the SubIFD tag by runtime check. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337 - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e] - -CVE: CVE-2017-13726 - -Signed-off-by: Yi Zhao ---- - ChangeLog | 7 +++++++ - libtiff/tif_dirwrite.c | 7 ++++++- - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index 6980da8..3e299d9 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,10 @@ -+2017-08-23 Even Rouault -+ -+ * libtiff/tif_dirwrite.c: replace assertion related to not finding the -+ SubIFD tag by runtime check. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 -+ Reported by team OWL337 -+ - 2017-07-15 Even Rouault - - * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index 8d6686b..14090ae 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) - TIFFDirEntry* nb; - for (na=0, nb=dir; ; na++, nb++) - { -- assert(natif_clientdata,module, -+ "Cannot find SubIFD tag"); -+ goto bad; -+ } - if (nb->tdir_tag==TIFFTAG_SUBIFD) - break; - } --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch deleted file mode 100644 index e228c2f17c..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch +++ /dev/null @@ -1,65 +0,0 @@ -From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Wed, 23 Aug 2017 13:33:42 +0000 -Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not - fitting on uint32 when selecting the value of SubIFD tag by runtime check (in - TIFFWriteDirectoryTagSubifd()). Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337 - -SubIFD tag by runtime check (in TIFFWriteDirectorySec()) - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc] - -CVE: CVE-2017-13727 - -Signed-off-by: Yi Zhao ---- - ChangeLog | 10 +++++++++- - libtiff/tif_dirwrite.c | 9 ++++++++- - 2 files changed, 17 insertions(+), 2 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 3e299d9..8f5efe9 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,7 +1,15 @@ - 2017-08-23 Even Rouault - -+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting -+ on uint32 when selecting the value of SubIFD tag by runtime check -+ (in TIFFWriteDirectoryTagSubifd()). -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 -+ Reported by team OWL337 -+ -+2017-08-23 Even Rouault -+ - * libtiff/tif_dirwrite.c: replace assertion related to not finding the -- SubIFD tag by runtime check. -+ SubIFD tag by runtime check (in TIFFWriteDirectorySec()) - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 - Reported by team OWL337 - -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index 14090ae..f0a4baa 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir) - for (p=0; p < tif->tif_dir.td_nsubifd; p++) - { - assert(pa != 0); -- assert(*pa <= 0xFFFFFFFFUL); -+ -+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */ -+ if( *pa > 0xFFFFFFFFUL) -+ { -+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); -+ _TIFFfree(o); -+ return(0); -+ } - *pb++=(uint32)(*pa++); - } - n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o); --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch deleted file mode 100644 index 3392285901..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch +++ /dev/null @@ -1,206 +0,0 @@ -From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001 -From: erouault -Date: Thu, 1 Jun 2017 12:44:04 +0000 -Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), -and use it in TIFFReadDirectory() so as to ignore fields whose tag is a -codec-specified tag but this codec is not enabled. This avoids TIFFGetField() -to behave differently depending on whether the codec is enabled or not, and -thus can avoid stack based buffer overflows in a number of TIFF utilities -such as tiffsplit, tiffcmp, thumbnail, etc. -Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch -(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. -Fixes: -http://bugzilla.maptools.org/show_bug.cgi?id=2580 -http://bugzilla.maptools.org/show_bug.cgi?id=2693 -http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) -http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) -http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) -http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) -http://bugzilla.maptools.org/show_bug.cgi?id=2441 -http://bugzilla.maptools.org/show_bug.cgi?id=2433 - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06] - -CVE: CVE-2017-9147 - -Signed-off-by: Yi Zhao ---- - ChangeLog | 20 ++++++++++ - libtiff/tif_dir.h | 1 + - libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++ - libtiff/tif_dirread.c | 4 ++ - 4 files changed, 128 insertions(+) - -diff --git a/ChangeLog b/ChangeLog -index ee8d9d0..5739292 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,23 @@ -+2017-06-01 Even Rouault -+ -+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), -+ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a -+ codec-specified tag but this codec is not enabled. This avoids TIFFGetField() -+ to behave differently depending on whether the codec is enabled or not, and -+ thus can avoid stack based buffer overflows in a number of TIFF utilities -+ such as tiffsplit, tiffcmp, thumbnail, etc. -+ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch -+ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. -+ Fixes: -+ http://bugzilla.maptools.org/show_bug.cgi?id=2580 -+ http://bugzilla.maptools.org/show_bug.cgi?id=2693 -+ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2441 -+ http://bugzilla.maptools.org/show_bug.cgi?id=2433 -+ - 2017-05-21 Bob Friesenhahn - - * configure.ac: libtiff 4.0.8 released. -diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h -index e12b44b..5206be4 100644 ---- a/libtiff/tif_dir.h -+++ b/libtiff/tif_dir.h -@@ -291,6 +291,7 @@ struct _TIFFField { - extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32); - extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType); - extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType); -+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); - - #if defined(__cplusplus) - } -diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c -index 0c8ef42..97c0df0 100644 ---- a/libtiff/tif_dirinfo.c -+++ b/libtiff/tif_dirinfo.c -@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n) - return 0; - } - -+int -+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) -+{ -+ /* Filter out non-codec specific tags */ -+ switch (tag) { -+ /* Shared tags */ -+ case TIFFTAG_PREDICTOR: -+ /* JPEG tags */ -+ case TIFFTAG_JPEGTABLES: -+ /* OJPEG tags */ -+ case TIFFTAG_JPEGIFOFFSET: -+ case TIFFTAG_JPEGIFBYTECOUNT: -+ case TIFFTAG_JPEGQTABLES: -+ case TIFFTAG_JPEGDCTABLES: -+ case TIFFTAG_JPEGACTABLES: -+ case TIFFTAG_JPEGPROC: -+ case TIFFTAG_JPEGRESTARTINTERVAL: -+ /* CCITT* */ -+ case TIFFTAG_BADFAXLINES: -+ case TIFFTAG_CLEANFAXDATA: -+ case TIFFTAG_CONSECUTIVEBADFAXLINES: -+ case TIFFTAG_GROUP3OPTIONS: -+ case TIFFTAG_GROUP4OPTIONS: -+ break; -+ default: -+ return 1; -+ } -+ /* Check if codec specific tags are allowed for the current -+ * compression scheme (codec) */ -+ switch (tif->tif_dir.td_compression) { -+ case COMPRESSION_LZW: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_PACKBITS: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_THUNDERSCAN: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_NEXT: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_JPEG: -+ if (tag == TIFFTAG_JPEGTABLES) -+ return 1; -+ break; -+ case COMPRESSION_OJPEG: -+ switch (tag) { -+ case TIFFTAG_JPEGIFOFFSET: -+ case TIFFTAG_JPEGIFBYTECOUNT: -+ case TIFFTAG_JPEGQTABLES: -+ case TIFFTAG_JPEGDCTABLES: -+ case TIFFTAG_JPEGACTABLES: -+ case TIFFTAG_JPEGPROC: -+ case TIFFTAG_JPEGRESTARTINTERVAL: -+ return 1; -+ } -+ break; -+ case COMPRESSION_CCITTRLE: -+ case COMPRESSION_CCITTRLEW: -+ case COMPRESSION_CCITTFAX3: -+ case COMPRESSION_CCITTFAX4: -+ switch (tag) { -+ case TIFFTAG_BADFAXLINES: -+ case TIFFTAG_CLEANFAXDATA: -+ case TIFFTAG_CONSECUTIVEBADFAXLINES: -+ return 1; -+ case TIFFTAG_GROUP3OPTIONS: -+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) -+ return 1; -+ break; -+ case TIFFTAG_GROUP4OPTIONS: -+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4) -+ return 1; -+ break; -+ } -+ break; -+ case COMPRESSION_JBIG: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_DEFLATE: -+ case COMPRESSION_ADOBE_DEFLATE: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_PIXARLOG: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_SGILOG: -+ case COMPRESSION_SGILOG24: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_LZMA: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ -+ } -+ return 0; -+} -+ - /* vim: set ts=8 sts=8 sw=8 noet: */ - - /* -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 1d4f0b9..f1dc3d7 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif) - goto bad; - dp->tdir_tag=IGNORE; - break; -+ default: -+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) -+ dp->tdir_tag=IGNORE; -+ break; - } - } - } --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch deleted file mode 100644 index fc99363284..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 62efea76592647426deec5592fd7274d5c950646 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Mon, 26 Jun 2017 15:19:59 +0000 -Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of - JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported - by team OWL337 - -* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a] - -CVE: CVE-2017-9936 - -Signed-off-by: Yi Zhao ---- - ChangeLog | 6 ++++++ - libtiff/tif_jbig.c | 1 + - 2 files changed, 7 insertions(+) - -diff --git a/ChangeLog b/ChangeLog -index 5739292..0240f0b 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,9 @@ -+2017-06-26 Even Rouault -+ -+ * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 -+ Reported by team OWL337 -+ - 2017-06-01 Even Rouault - - * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 5f5f75e..c75f31d 100644 ---- a/libtiff/tif_jbig.c -+++ b/libtiff/tif_jbig.c -@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) - jbg_strerror(decodeStatus) - #endif - ); -+ jbg_dec_free(&decoder); - return 0; - } - --- -2.7.4 - diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb deleted file mode 100644 index cb91baa607..0000000000 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb +++ /dev/null @@ -1,54 +0,0 @@ -SUMMARY = "Provides support for the Tag Image File Format (TIFF)" -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" - -CVE_PRODUCT = "libtiff" - -SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ - file://libtool2.patch \ - file://CVE-2017-9147.patch \ - file://CVE-2017-9936.patch \ - file://CVE-2017-10688.patch \ - file://CVE-2017-11335.patch \ - file://CVE-2017-13726.patch \ - file://CVE-2017-13727.patch \ - " - -SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b" -SRC_URI[sha256sum] = "59d7a5a8ccd92059913f246877db95a2918e6c04fb9d43fd74e5c3390dac2910" - -# exclude betas -UPSTREAM_CHECK_REGEX = "tiff-(?P\d+(\.\d+)+).tar" - -inherit autotools - -CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no" - -PACKAGECONFIG ?= "cxx jpeg zlib lzma \ - strip-chopping extrasample-as-alpha check-ycbcr-subsampling" - -PACKAGECONFIG[cxx] = "--enable-cxx,--disable-cxx,," -PACKAGECONFIG[jpeg] = "--enable-jpeg,--disable-jpeg,jpeg," -PACKAGECONFIG[zlib] = "--enable-zlib,--disable-zlib,zlib," -PACKAGECONFIG[lzma] = "--enable-lzma,--disable-lzma,xz," - -# Convert single-strip uncompressed images to multiple strips of specified -# size (default: 8192) to reduce memory usage -PACKAGECONFIG[strip-chopping] = "--enable-strip-chopping,--disable-strip-chopping,," - -# Treat a fourth sample with no EXTRASAMPLE_ value as being ASSOCALPHA -PACKAGECONFIG[extrasample-as-alpha] = "--enable-extrasample-as-alpha,--disable-extrasample-as-alpha,," - -# Control picking up YCbCr subsample info. Disable to support files lacking -# the tag -PACKAGECONFIG[check-ycbcr-subsampling] = "--enable-check-ycbcr-subsampling,--disable-check-ycbcr-subsampling,," - -# Support a mechanism allowing reading large strips (usually one strip files) -# in chunks when using TIFFReadScanline. Experimental 4.0+ feature -PACKAGECONFIG[chunky-strip-read] = "--enable-chunky-strip-read,--disable-chunky-strip-read,," - -PACKAGES =+ "tiffxx tiff-utils" -FILES_tiffxx = "${libdir}/libtiffxx.so.*" -FILES_tiff-utils = "${bindir}/*" - -BBCLASSEXTEND = "native" diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb new file mode 100644 index 0000000000..57bf7408d0 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb @@ -0,0 +1,48 @@ +SUMMARY = "Provides support for the Tag Image File Format (TIFF)" +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" + +CVE_PRODUCT = "libtiff" + +SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ + file://libtool2.patch \ + " + +SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79" +SRC_URI[sha256sum] = "6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd" + +# exclude betas +UPSTREAM_CHECK_REGEX = "tiff-(?P\d+(\.\d+)+).tar" + +inherit autotools + +CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no" + +PACKAGECONFIG ?= "cxx jpeg zlib lzma \ + strip-chopping extrasample-as-alpha check-ycbcr-subsampling" + +PACKAGECONFIG[cxx] = "--enable-cxx,--disable-cxx,," +PACKAGECONFIG[jpeg] = "--enable-jpeg,--disable-jpeg,jpeg," +PACKAGECONFIG[zlib] = "--enable-zlib,--disable-zlib,zlib," +PACKAGECONFIG[lzma] = "--enable-lzma,--disable-lzma,xz," + +# Convert single-strip uncompressed images to multiple strips of specified +# size (default: 8192) to reduce memory usage +PACKAGECONFIG[strip-chopping] = "--enable-strip-chopping,--disable-strip-chopping,," + +# Treat a fourth sample with no EXTRASAMPLE_ value as being ASSOCALPHA +PACKAGECONFIG[extrasample-as-alpha] = "--enable-extrasample-as-alpha,--disable-extrasample-as-alpha,," + +# Control picking up YCbCr subsample info. Disable to support files lacking +# the tag +PACKAGECONFIG[check-ycbcr-subsampling] = "--enable-check-ycbcr-subsampling,--disable-check-ycbcr-subsampling,," + +# Support a mechanism allowing reading large strips (usually one strip files) +# in chunks when using TIFFReadScanline. Experimental 4.0+ feature +PACKAGECONFIG[chunky-strip-read] = "--enable-chunky-strip-read,--disable-chunky-strip-read,," + +PACKAGES =+ "tiffxx tiff-utils" +FILES_tiffxx = "${libdir}/libtiffxx.so.*" +FILES_tiff-utils = "${bindir}/*" + +BBCLASSEXTEND = "native" -- cgit 1.2.3-korg