summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorakash hadke <akash.hadke@kpit.com>2021-05-24 13:06:57 +0530
committerSteve Sakoman <steve@sakoman.com>2021-05-24 07:07:39 -1000
commit03a65159093e0b2df4bc867c873b5c43721b9a9c (patch)
treed151066b0d525d39322461413d5771993c450239
parent68ee8fd1ec0f09c6477578de40e1adfc7ba35027 (diff)
downloadopenembedded-core-contrib-03a65159093e0b2df4bc867c873b5c43721b9a9c.tar.gz
tiff: Add fix for CVE-2020-35521 and CVE-2020-35522
Added fix for CVE-2020-35521 and CVE-2020-35522 Link: https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch Added below support patches for CVE-2020-35521 and CVE-2020-35522 1. 001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch Link: https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch 2. 002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch Link: https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch Signed-off-by: akash hadke <akash.hadke@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch148
-rw-r--r--meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch27
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch119
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.1.0.bb3
4 files changed, 297 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..9b4724a325
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,148 @@
+From 02875964eba5c4a2ea98c41562835428214adfe7 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sat, 7 Mar 2020 13:21:56 +0100
+Subject: [PATCH] tiff2rgba: output usage to stdout when using -h
+
+also uses std C EXIT_FAILURE / EXIT_SUCCESS
+see #17
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 39 ++++++++++++++++++++++++---------------
+ 1 file changed, 24 insertions(+), 15 deletions(-)
+---
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 2eb6f6c4..ef643653 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -39,6 +39,13 @@
+ #include "tiffiop.h"
+ #include "tiffio.h"
+
++#ifndef EXIT_SUCCESS
++#define EXIT_SUCCESS 0
++#endif
++#ifndef EXIT_FAILURE
++#define EXIT_FAILURE 1
++#endif
++
+ #define streq(a,b) (strcmp(a,b) == 0)
+ #define CopyField(tag, v) \
+ if (TIFFGetField(in, tag, &v)) TIFFSetField(out, tag, v)
+@@ -68,7 +75,7 @@ main(int argc, char* argv[])
+ extern char *optarg;
+ #endif
+
+- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
+ switch (c) {
+ case 'b':
+ process_by_block = 1;
+@@ -86,7 +93,7 @@ main(int argc, char* argv[])
+ else if (streq(optarg, "zip"))
+ compression = COMPRESSION_DEFLATE;
+ else
+- usage(-1);
++ usage(EXIT_FAILURE);
+ break;
+
+ case 'r':
+@@ -105,17 +112,20 @@ main(int argc, char* argv[])
+ bigtiff_output = 1;
+ break;
+
++ case 'h':
++ usage(EXIT_SUCCESS);
++ /*NOTREACHED*/
+ case '?':
+- usage(0);
++ usage(EXIT_FAILURE);
+ /*NOTREACHED*/
+ }
+
+ if (argc - optind < 2)
+- usage(-1);
++ usage(EXIT_FAILURE);
+
+ out = TIFFOpen(argv[argc-1], bigtiff_output?"w8":"w");
+ if (out == NULL)
+- return (-2);
++ return (EXIT_FAILURE);
+
+ for (; optind < argc-1; optind++) {
+ in = TIFFOpen(argv[optind], "r");
+@@ -132,7 +142,7 @@ main(int argc, char* argv[])
+ }
+ }
+ (void) TIFFClose(out);
+- return (0);
++ return (EXIT_SUCCESS);
+ }
+
+ static int
+@@ -166,7 +176,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+@@ -182,7 +192,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ if (tile_width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+@@ -279,7 +289,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+@@ -295,7 +305,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ if (width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+@@ -528,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ return( cvt_whole_image( in, out ) );
+ }
+
+-static char* stuff[] = {
++const static char* stuff[] = {
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+@@ -547,13 +557,12 @@ static char* stuff[] = {
+ static void
+ usage(int code)
+ {
+- char buf[BUFSIZ];
+ int i;
++ FILE * out = (code == EXIT_SUCCESS) ? stdout : stderr;
+
+- setbuf(stderr, buf);
+- fprintf(stderr, "%s\n\n", TIFFGetVersion());
++ fprintf(out, "%s\n\n", TIFFGetVersion());
+ for (i = 0; stuff[i] != NULL; i++)
+- fprintf(stderr, "%s\n", stuff[i]);
++ fprintf(out, "%s\n", stuff[i]);
+ exit(code);
+ }
+
+--
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..b6e1842a54
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,27 @@
+From ca70b5e702b9f503333344b2d46691de9feae84e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 3 Oct 2020 18:16:27 +0200
+Subject: [PATCH] tiff2rgba.c: fix -Wold-style-declaration warning
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+---
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index ef643653..fbc383aa 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -538,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ return( cvt_whole_image( in, out ) );
+ }
+
+-const static char* stuff[] = {
++static const char* stuff[] = {
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+--
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..129721ff3e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,119 @@
+From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
+
+fixes #207
+fixes #209
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+---
+CVE: CVE-2020-35521
+CVE: CVE-2020-35522
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index fbc383aa..764395f6 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
++/* malloc size limit (in bytes)
++ * disabled when set to 0 */
++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+
+
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -75,8 +79,11 @@ main(int argc, char* argv[])
+ extern char *optarg;
+ #endif
+
+- while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1)
+ switch (c) {
++ case 'M':
++ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
++ break;
+ case 'b':
+ process_by_block = 1;
+ break;
+@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
++ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
++ TIFFError(TIFFFileName(in),
++ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
++ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
++ return 0;
++ }
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+@@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out)
+ TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+ CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+
++ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
++ {
++ TIFFError(TIFFFileName(in),
++ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
++ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
++ return 0;
++ }
+ if( process_by_block && TIFFIsTiled( in ) )
+ return( cvt_by_tile( in, out ) );
+ else if( process_by_block )
+@@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+
+ static const char* stuff[] = {
+- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
++ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+ " zip\t\tZip/Deflate encoding",
+@@ -551,6 +571,7 @@ static const char* stuff[] = {
+ " -b (progress by block rather than as a whole image)",
+ " -n don't emit alpha component.",
+ " -8 write BigTIFF file instead of ClassicTIFF",
++ " -M set the memory allocation limit in MiB. 0 to disable limit",
+ NULL
+ };
+
+--
+GitLab
+
+
+From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:08:42 +0100
+Subject: [PATCH 2/2] tiff2rgba.1: -M option
+
+---
+ man/tiff2rgba.1 | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
+index d9c9baae..fe9ebb2c 100644
+--- a/man/tiff2rgba.1
++++ b/man/tiff2rgba.1
+@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
+ Currently this does not work if the
+ .B \-b
+ flag is also in effect.
++.TP
++.BI \-M " size"
++Set maximum memory allocation size (in MiB). The default is 256MiB.
++Set to 0 to disable the limit.
+ .SH "SEE ALSO"
+ .BR tiff2bw (1),
+ .BR TIFFReadRGBAImage (3t),
+--
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index cfea18ed29..43f210111d 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -12,6 +12,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2020-35523.patch \
file://CVE-2020-35524-1.patch \
file://CVE-2020-35524-2.patch \
+ file://001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
+ file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
+ file://CVE-2020-35521_and_CVE-2020-35522.patch \
"
SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"