From 5c89539edb17d01ffe82a1b2e7d092816003ecf3 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Tue, 22 Aug 2017 08:58:35 +0800 Subject: tiff: Security fixes Fix CVE-2017-9147, CVE-2017-9936, CVE-2017-10668, CVE-2017-11335 References: https://nvd.nist.gov/vuln/detail/CVE-2017-9147 https://nvd.nist.gov/vuln/detail/CVE-2017-9936 https://nvd.nist.gov/vuln/detail/CVE-2017-10668 https://nvd.nist.gov/vuln/detail/CVE-2017-11335 Patches from: CVE-2017-9147: https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06 CVE-2017-9936: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a CVE-2017-10688: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 CVE-2017-11355: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 Signed-off-by: Yi Zhao Signed-off-by: Richard Purdie --- .../libtiff/files/CVE-2017-9147.patch | 206 +++++++++++++++++++++ 1 file changed, 206 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch') diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch new file mode 100644 index 0000000000..3392285901 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch @@ -0,0 +1,206 @@ +From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Thu, 1 Jun 2017 12:44:04 +0000 +Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), +and use it in TIFFReadDirectory() so as to ignore fields whose tag is a +codec-specified tag but this codec is not enabled. This avoids TIFFGetField() +to behave differently depending on whether the codec is enabled or not, and +thus can avoid stack based buffer overflows in a number of TIFF utilities +such as tiffsplit, tiffcmp, thumbnail, etc. +Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch +(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. +Fixes: +http://bugzilla.maptools.org/show_bug.cgi?id=2580 +http://bugzilla.maptools.org/show_bug.cgi?id=2693 +http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) +http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) +http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) +http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) +http://bugzilla.maptools.org/show_bug.cgi?id=2441 +http://bugzilla.maptools.org/show_bug.cgi?id=2433 + +Upstream-Status: Backport +[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06] + +CVE: CVE-2017-9147 + +Signed-off-by: Yi Zhao +--- + ChangeLog | 20 ++++++++++ + libtiff/tif_dir.h | 1 + + libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++ + libtiff/tif_dirread.c | 4 ++ + 4 files changed, 128 insertions(+) + +diff --git a/ChangeLog b/ChangeLog +index ee8d9d0..5739292 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,23 @@ ++2017-06-01 Even Rouault ++ ++ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), ++ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a ++ codec-specified tag but this codec is not enabled. This avoids TIFFGetField() ++ to behave differently depending on whether the codec is enabled or not, and ++ thus can avoid stack based buffer overflows in a number of TIFF utilities ++ such as tiffsplit, tiffcmp, thumbnail, etc. ++ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch ++ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. ++ Fixes: ++ http://bugzilla.maptools.org/show_bug.cgi?id=2580 ++ http://bugzilla.maptools.org/show_bug.cgi?id=2693 ++ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) ++ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) ++ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) ++ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) ++ http://bugzilla.maptools.org/show_bug.cgi?id=2441 ++ http://bugzilla.maptools.org/show_bug.cgi?id=2433 ++ + 2017-05-21 Bob Friesenhahn + + * configure.ac: libtiff 4.0.8 released. +diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h +index e12b44b..5206be4 100644 +--- a/libtiff/tif_dir.h ++++ b/libtiff/tif_dir.h +@@ -291,6 +291,7 @@ struct _TIFFField { + extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32); + extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType); + extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType); ++extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); + + #if defined(__cplusplus) + } +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index 0c8ef42..97c0df0 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n) + return 0; + } + ++int ++_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) ++{ ++ /* Filter out non-codec specific tags */ ++ switch (tag) { ++ /* Shared tags */ ++ case TIFFTAG_PREDICTOR: ++ /* JPEG tags */ ++ case TIFFTAG_JPEGTABLES: ++ /* OJPEG tags */ ++ case TIFFTAG_JPEGIFOFFSET: ++ case TIFFTAG_JPEGIFBYTECOUNT: ++ case TIFFTAG_JPEGQTABLES: ++ case TIFFTAG_JPEGDCTABLES: ++ case TIFFTAG_JPEGACTABLES: ++ case TIFFTAG_JPEGPROC: ++ case TIFFTAG_JPEGRESTARTINTERVAL: ++ /* CCITT* */ ++ case TIFFTAG_BADFAXLINES: ++ case TIFFTAG_CLEANFAXDATA: ++ case TIFFTAG_CONSECUTIVEBADFAXLINES: ++ case TIFFTAG_GROUP3OPTIONS: ++ case TIFFTAG_GROUP4OPTIONS: ++ break; ++ default: ++ return 1; ++ } ++ /* Check if codec specific tags are allowed for the current ++ * compression scheme (codec) */ ++ switch (tif->tif_dir.td_compression) { ++ case COMPRESSION_LZW: ++ if (tag == TIFFTAG_PREDICTOR) ++ return 1; ++ break; ++ case COMPRESSION_PACKBITS: ++ /* No codec-specific tags */ ++ break; ++ case COMPRESSION_THUNDERSCAN: ++ /* No codec-specific tags */ ++ break; ++ case COMPRESSION_NEXT: ++ /* No codec-specific tags */ ++ break; ++ case COMPRESSION_JPEG: ++ if (tag == TIFFTAG_JPEGTABLES) ++ return 1; ++ break; ++ case COMPRESSION_OJPEG: ++ switch (tag) { ++ case TIFFTAG_JPEGIFOFFSET: ++ case TIFFTAG_JPEGIFBYTECOUNT: ++ case TIFFTAG_JPEGQTABLES: ++ case TIFFTAG_JPEGDCTABLES: ++ case TIFFTAG_JPEGACTABLES: ++ case TIFFTAG_JPEGPROC: ++ case TIFFTAG_JPEGRESTARTINTERVAL: ++ return 1; ++ } ++ break; ++ case COMPRESSION_CCITTRLE: ++ case COMPRESSION_CCITTRLEW: ++ case COMPRESSION_CCITTFAX3: ++ case COMPRESSION_CCITTFAX4: ++ switch (tag) { ++ case TIFFTAG_BADFAXLINES: ++ case TIFFTAG_CLEANFAXDATA: ++ case TIFFTAG_CONSECUTIVEBADFAXLINES: ++ return 1; ++ case TIFFTAG_GROUP3OPTIONS: ++ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) ++ return 1; ++ break; ++ case TIFFTAG_GROUP4OPTIONS: ++ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4) ++ return 1; ++ break; ++ } ++ break; ++ case COMPRESSION_JBIG: ++ /* No codec-specific tags */ ++ break; ++ case COMPRESSION_DEFLATE: ++ case COMPRESSION_ADOBE_DEFLATE: ++ if (tag == TIFFTAG_PREDICTOR) ++ return 1; ++ break; ++ case COMPRESSION_PIXARLOG: ++ if (tag == TIFFTAG_PREDICTOR) ++ return 1; ++ break; ++ case COMPRESSION_SGILOG: ++ case COMPRESSION_SGILOG24: ++ /* No codec-specific tags */ ++ break; ++ case COMPRESSION_LZMA: ++ if (tag == TIFFTAG_PREDICTOR) ++ return 1; ++ break; ++ ++ } ++ return 0; ++} ++ + /* vim: set ts=8 sts=8 sw=8 noet: */ + + /* +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 1d4f0b9..f1dc3d7 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif) + goto bad; + dp->tdir_tag=IGNORE; + break; ++ default: ++ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) ++ dp->tdir_tag=IGNORE; ++ break; + } + } + } +-- +2.7.4 + -- cgit 1.2.3-korg