diff options
| author | Peter Korsgaard <peter@korsgaard.com> | 2017-04-26 23:58:14 +0200 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2017-04-27 14:12:24 +0200 |
| commit | 030fe340af365b834c15142f862e0de6d5f95737 (patch) | |
| tree | ff02d78f9fb7a70be7d91d94087b5038c2172979 /package/tiff/0010-libtiff-tif_jpeg.c-avoid-integer-division-by-zero-in.patch | |
| parent | 0135204868e4888cf162755a90087b10b40093ed (diff) | |
| download | buildroot-030fe340af365b834c15142f862e0de6d5f95737.tar.gz buildroot-030fe340af365b834c15142f862e0de6d5f95737.zip | |
tiff: add upstream security fixes
Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing
the following security issues:
CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted TIFF
image, related to libtiff/tif_read.c:351:22.
CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted TIFF
image, related to libtiff/tif_ojpeg.c:816:8.
CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (heap-based buffer over-read) or possibly have unspecified other
impact via a crafted TIFF image, related to "READ of size 512" and
libtiff/tif_unix.c:340:2.
CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (heap-based buffer over-read) or possibly have unspecified other
impact via a crafted TIFF image, related to "READ of size 8" and
libtiff/tif_read.c:523:22.
CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer
overflow in the tools/tiffcp resulting in DoS or code execution via a
crafted BitsPerSample value.
CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7
has a left-shift undefined behavior issue, which might allow remote
attackers to cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted image.
CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata
is properly initialized, which might allow remote attackers to obtain
sensitive information from process memory via a crafted image.
CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in
tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (memory leak) via a crafted image.
CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7
allows remote attackers to cause a denial of service (divide-by-zero error
and application crash) via a crafted image.
CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers
to cause a denial of service (divide-by-zero error and application crash)
via a crafted image.
CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit
type long" undefined behavior issue, which might allow remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact via a crafted image.
CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might
allow remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted image.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/tiff/0010-libtiff-tif_jpeg.c-avoid-integer-division-by-zero-in.patch')
| -rw-r--r-- | package/tiff/0010-libtiff-tif_jpeg.c-avoid-integer-division-by-zero-in.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/package/tiff/0010-libtiff-tif_jpeg.c-avoid-integer-division-by-zero-in.patch b/package/tiff/0010-libtiff-tif_jpeg.c-avoid-integer-division-by-zero-in.patch new file mode 100644 index 0000000000..862aae2a5a --- /dev/null +++ b/package/tiff/0010-libtiff-tif_jpeg.c-avoid-integer-division-by-zero-in.patch @@ -0,0 +1,35 @@ +From 47f2fb61a3a64667bce1a8398a8fcb1b348ff122 Mon Sep 17 00:00:00 2001 +From: erouault <erouault> +Date: Wed, 11 Jan 2017 12:15:01 +0000 +Subject: [PATCH] * libtiff/tif_jpeg.c: avoid integer division by zero in + JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2653 + +Fixes CVE-2017-7595 + +Signed-off-by: Peter Korsgaard <peter@korsgaard.com> +--- + libtiff/tif_jpeg.c | 7 +++++++ + 1 file changed, 13 insertions(+) + +diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c +index 38595f98..6c17c388 100644 +--- a/libtiff/tif_jpeg.c ++++ b/libtiff/tif_jpeg.c +@@ -1626,6 +1626,13 @@ JPEGSetupEncode(TIFF* tif) + case PHOTOMETRIC_YCBCR: + sp->h_sampling = td->td_ycbcrsubsampling[0]; + sp->v_sampling = td->td_ycbcrsubsampling[1]; ++ if( sp->h_sampling == 0 || sp->v_sampling == 0 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Invalig horizontal/vertical sampling value"); ++ return (0); ++ } ++ + /* + * A ReferenceBlackWhite field *must* be present since the + * default value is inappropriate for YCbCr. Fill in the +-- +2.11.0 + |
