Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-multimedia/libtiff')
11 files changed, 346 insertions, 531 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
deleted file mode 100644
index b0db96949..000000000
--- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001 -From: Even Rouault <even.rouault@spatialys.com> -Date: Fri, 30 Jun 2017 17:29:44 +0000 -Subject: [PATCH] * libtiff/tif_dirwrite.c: in - TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8 - data type, replace assertion that the file is BigTIFF, by a non-fatal error. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team - OWL337 - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1] - -CVE: CVE-2017-10688 - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - ChangeLog | 8 ++++++++ - libtiff/tif_dirwrite.c | 20 ++++++++++++++++---- - 2 files changed, 24 insertions(+), 4 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 0240f0b..42eaeb7 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,11 @@ -+2017-06-30 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() -+ functions associated with LONG8/SLONG8 data type, replace assertion that -+ the file is BigTIFF, by a non-fatal error. 
-+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 -+ Reported by team OWL337 -+ - 2017-06-26 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index 2967da5..8d6686b 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui - { - uint64 m; - assert(sizeof(uint64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - m=value; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabLong8(&m); -@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di - { - assert(count<0x20000000); - assert(sizeof(uint64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong8(value,count); - return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); -@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u - { - int64 m; - assert(sizeof(int64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - m=value; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabLong8((uint64*)(&m)); -@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d - { - assert(count<0x20000000); - assert(sizeof(int64)==8); -- assert(tif->tif_flags&TIFF_BIGTIFF); -+ if( 
!(tif->tif_flags&TIFF_BIGTIFF) ) { -+ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); -+ return(0); -+ } - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong8((uint64*)value,count); - return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); --- -2.7.4 - diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch deleted file mode 100644 index d08e7612b..000000000 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From e8b15ccf8c9c593000f8202cf34cc6c4b936d01e Mon Sep 17 00:00:00 2001 -From: Even Rouault <even.rouault@spatialys.com> -Date: Sat, 15 Jul 2017 11:13:46 +0000 -Subject: [PATCH] * tools/tiff2pdf.c: prevent heap buffer overflow write in - "Raw" mode on PlanarConfig=Contig input images. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337 - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556] - -CVE: CVE-2017-11355 - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - ChangeLog | 7 +++++++ - tools/tiff2pdf.c | 7 ++++++- - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index 42eaeb7..6980da8 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,10 @@ -+2017-07-15 Even Rouault <even.rouault at spatialys.com> -+ -+ * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" -+ mode on PlanarConfig=Contig input images. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 -+ Reported by team OWL337 -+ - 2017-06-30 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() -diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c -index db196e0..cd1e235 100644 ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ - return; - - t2p->pdf_transcode = T2P_TRANSCODE_ENCODE; -- if(t2p->pdf_nopassthrough==0){ -+ /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */ -+ /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */ -+ /* do not take into account the number of samples, and thus */ -+ /* that can cause heap buffer overflows such as in */ -+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */ -+ if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){ - #ifdef CCITT_SUPPORT - if(t2p->tiff_compression==COMPRESSION_CCITTFAX4 - ){ --- -2.7.4 - 
diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
deleted file mode 100644
index c60ffa698..000000000
--- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
+++ /dev/null
@@ -1,54 +0,0 @@ -From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001 -From: Even Rouault <even.rouault@spatialys.com> -Date: Wed, 23 Aug 2017 13:21:41 +0000 -Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not - finding the SubIFD tag by runtime check. Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337 - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e] - -CVE: CVE-2017-13726 - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - ChangeLog | 7 +++++++ - libtiff/tif_dirwrite.c | 7 ++++++- - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index 6980da8..3e299d9 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,10 @@ -+2017-08-23 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_dirwrite.c: replace assertion related to not finding the -+ SubIFD tag by runtime check. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 -+ Reported by team OWL337 -+ - 2017-07-15 Even Rouault <even.rouault at spatialys.com> - - * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index 8d6686b..14090ae 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) - TIFFDirEntry* nb; - for (na=0, nb=dir; ; na++, nb++) - { -- assert(na<ndir); -+ if( na == ndir ) -+ { -+ TIFFErrorExt(tif->tif_clientdata,module, -+ "Cannot find SubIFD tag"); -+ goto bad; -+ } - if (nb->tdir_tag==TIFFTAG_SUBIFD) - break; - } --- -2.7.4 - diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch deleted file mode 100644 index e228c2f17..000000000 
--- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001 -From: Even Rouault <even.rouault@spatialys.com> -Date: Wed, 23 Aug 2017 13:33:42 +0000 -Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not - fitting on uint32 when selecting the value of SubIFD tag by runtime check (in - TIFFWriteDirectoryTagSubifd()). Fixes - http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337 - -SubIFD tag by runtime check (in TIFFWriteDirectorySec()) - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc] - -CVE: CVE-2017-13727 - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - ChangeLog | 10 +++++++++- - libtiff/tif_dirwrite.c | 9 ++++++++- - 2 files changed, 17 insertions(+), 2 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 3e299d9..8f5efe9 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,7 +1,15 @@ - 2017-08-23 Even Rouault <even.rouault at spatialys.com> - -+ * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting -+ on uint32 when selecting the value of SubIFD tag by runtime check -+ (in TIFFWriteDirectoryTagSubifd()). -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 -+ Reported by team OWL337 -+ -+2017-08-23 Even Rouault <even.rouault at spatialys.com> -+ - * libtiff/tif_dirwrite.c: replace assertion related to not finding the -- SubIFD tag by runtime check. 
-+ SubIFD tag by runtime check (in TIFFWriteDirectorySec()) - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 - Reported by team OWL337 - -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index 14090ae..f0a4baa 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir) - for (p=0; p < tif->tif_dir.td_nsubifd; p++) - { - assert(pa != 0); -- assert(*pa <= 0xFFFFFFFFUL); -+ -+ /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */ -+ if( *pa > 0xFFFFFFFFUL) -+ { -+ TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag"); -+ _TIFFfree(o); -+ return(0); -+ } - *pb++=(uint32)(*pa++); - } - n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o); --- -2.7.4 - diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch new file mode 100644 index 000000000..878e0de95 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch 
@@ -0,0 +1,42 @@ +From 293c8b0298e91d20ba51291e2351ab7d110671d0 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer + dereference on corrupted file. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01] + +CVE: CVE-2017-18013 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + libtiff/tif_print.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 24d4b98..f494cfb 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, " %3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch deleted file mode 100644 index 339228590..000000000 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch +++ /dev/null 
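Review bot: The NULL guards added to both `fprintf` calls in TIFFPrintDirectory() print a missing strip array as `[0, 0]`, which someone reading the dump cannot tell apart from a strip whose offset and byte count really are zero. Nothing in the code records why the guard is there. A comment above the calls would cover it, for example `/* td_stripoffset / td_stripbytecount can be NULL on a corrupted file; print 0 instead of dereferencing */`. The rest of the function, including whatever iterates over `s`, lies outside the hunk.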
@@ -1,206 +0,0 @@ -From 0acf01fea714af573b814e10cf105c3359a236c3 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Thu, 1 Jun 2017 12:44:04 +0000 -Subject: [PATCH] * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), -and use it in TIFFReadDirectory() so as to ignore fields whose tag is a -codec-specified tag but this codec is not enabled. This avoids TIFFGetField() -to behave differently depending on whether the codec is enabled or not, and -thus can avoid stack based buffer overflows in a number of TIFF utilities -such as tiffsplit, tiffcmp, thumbnail, etc. -Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch -(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. -Fixes: -http://bugzilla.maptools.org/show_bug.cgi?id=2580 -http://bugzilla.maptools.org/show_bug.cgi?id=2693 -http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) -http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) -http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) -http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) -http://bugzilla.maptools.org/show_bug.cgi?id=2441 -http://bugzilla.maptools.org/show_bug.cgi?id=2433 - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06] - -CVE: CVE-2017-9147 - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - ChangeLog | 20 ++++++++++ - libtiff/tif_dir.h | 1 + - libtiff/tif_dirinfo.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++ - libtiff/tif_dirread.c | 4 ++ - 4 files changed, 128 insertions(+) - -diff --git a/ChangeLog b/ChangeLog -index ee8d9d0..5739292 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,23 @@ -+2017-06-01 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), -+ and use it in TIFFReadDirectory() so as to ignore fields whose tag is a -+ codec-specified tag but this codec is not 
enabled. This avoids TIFFGetField() -+ to behave differently depending on whether the codec is enabled or not, and -+ thus can avoid stack based buffer overflows in a number of TIFF utilities -+ such as tiffsplit, tiffcmp, thumbnail, etc. -+ Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch -+ (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. -+ Fixes: -+ http://bugzilla.maptools.org/show_bug.cgi?id=2580 -+ http://bugzilla.maptools.org/show_bug.cgi?id=2693 -+ http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) -+ http://bugzilla.maptools.org/show_bug.cgi?id=2441 -+ http://bugzilla.maptools.org/show_bug.cgi?id=2433 -+ - 2017-05-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> - - * configure.ac: libtiff 4.0.8 released. -diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h -index e12b44b..5206be4 100644 ---- a/libtiff/tif_dir.h -+++ b/libtiff/tif_dir.h -@@ -291,6 +291,7 @@ struct _TIFFField { - extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32); - extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType); - extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType); -+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); - - #if defined(__cplusplus) - } -diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c -index 0c8ef42..97c0df0 100644 ---- a/libtiff/tif_dirinfo.c -+++ b/libtiff/tif_dirinfo.c -@@ -956,6 +956,109 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], uint32 n) - return 0; - } - -+int -+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag) -+{ -+ /* Filter out non-codec specific tags */ -+ switch (tag) { -+ /* Shared tags */ -+ case TIFFTAG_PREDICTOR: -+ /* JPEG tags */ -+ case TIFFTAG_JPEGTABLES: -+ /* OJPEG tags */ -+ case 
TIFFTAG_JPEGIFOFFSET: -+ case TIFFTAG_JPEGIFBYTECOUNT: -+ case TIFFTAG_JPEGQTABLES: -+ case TIFFTAG_JPEGDCTABLES: -+ case TIFFTAG_JPEGACTABLES: -+ case TIFFTAG_JPEGPROC: -+ case TIFFTAG_JPEGRESTARTINTERVAL: -+ /* CCITT* */ -+ case TIFFTAG_BADFAXLINES: -+ case TIFFTAG_CLEANFAXDATA: -+ case TIFFTAG_CONSECUTIVEBADFAXLINES: -+ case TIFFTAG_GROUP3OPTIONS: -+ case TIFFTAG_GROUP4OPTIONS: -+ break; -+ default: -+ return 1; -+ } -+ /* Check if codec specific tags are allowed for the current -+ * compression scheme (codec) */ -+ switch (tif->tif_dir.td_compression) { -+ case COMPRESSION_LZW: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_PACKBITS: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_THUNDERSCAN: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_NEXT: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_JPEG: -+ if (tag == TIFFTAG_JPEGTABLES) -+ return 1; -+ break; -+ case COMPRESSION_OJPEG: -+ switch (tag) { -+ case TIFFTAG_JPEGIFOFFSET: -+ case TIFFTAG_JPEGIFBYTECOUNT: -+ case TIFFTAG_JPEGQTABLES: -+ case TIFFTAG_JPEGDCTABLES: -+ case TIFFTAG_JPEGACTABLES: -+ case TIFFTAG_JPEGPROC: -+ case TIFFTAG_JPEGRESTARTINTERVAL: -+ return 1; -+ } -+ break; -+ case COMPRESSION_CCITTRLE: -+ case COMPRESSION_CCITTRLEW: -+ case COMPRESSION_CCITTFAX3: -+ case COMPRESSION_CCITTFAX4: -+ switch (tag) { -+ case TIFFTAG_BADFAXLINES: -+ case TIFFTAG_CLEANFAXDATA: -+ case TIFFTAG_CONSECUTIVEBADFAXLINES: -+ return 1; -+ case TIFFTAG_GROUP3OPTIONS: -+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3) -+ return 1; -+ break; -+ case TIFFTAG_GROUP4OPTIONS: -+ if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4) -+ return 1; -+ break; -+ } -+ break; -+ case COMPRESSION_JBIG: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_DEFLATE: -+ case COMPRESSION_ADOBE_DEFLATE: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ case COMPRESSION_PIXARLOG: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ 
break; -+ case COMPRESSION_SGILOG: -+ case COMPRESSION_SGILOG24: -+ /* No codec-specific tags */ -+ break; -+ case COMPRESSION_LZMA: -+ if (tag == TIFFTAG_PREDICTOR) -+ return 1; -+ break; -+ -+ } -+ return 0; -+} -+ - /* vim: set ts=8 sts=8 sw=8 noet: */ - - /* -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 1d4f0b9..f1dc3d7 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -3580,6 +3580,10 @@ TIFFReadDirectory(TIFF* tif) - goto bad; - dp->tdir_tag=IGNORE; - break; -+ default: -+ if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) ) -+ dp->tdir_tag=IGNORE; -+ break; - } - } - } --- -2.7.4 - diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch new file mode 100644 index 000000000..60684dd2a --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch 
@@ -0,0 +1,160 @@ +From abb0055d21c52a9925314d5b0628fb2b6307619c Mon Sep 17 00:00:00 2001 +From: Brian May <brian@linuxpenguins.xyz> +Date: Thu, 7 Dec 2017 07:46:47 +1100 +Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 + +Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +This vulnerability - at least for the supplied test case - is because we +assume that a tiff will only have one transfer function that is the same +for all pages. This is not required by the TIFF standards. + +We than read the transfer function for every page. Depending on the +transfer function, we allocate either 2 or 4 bytes to the XREF buffer. +We allocate this memory after we read in the transfer function for the +page. + +For the first exploit - POC1, this file has 3 pages. For the first page +we allocate 2 extra extra XREF entries. Then for the next page 2 more +entries. Then for the last page the transfer function changes and we +allocate 4 more entries. + +When we read the file into memory, we assume we have 4 bytes extra for +each and every page (as per the last transfer function we read). Which +is not correct, we only have 2 bytes extra for the first 2 pages. As a +result, we end up writing past the end of the buffer. + +There are also some related issues that this also fixes. For example, +TIFFGetField can return uninitalized pointer values, and the logic to +detect a N=3 vs N=1 transfer function seemed rather strange. + +It is also strange that we declare the transfer functions to be of type +float, when the standard says they are unsigned 16 bit values. This is +fixed in another patch. + +This patch will check to ensure that the N value for every transfer +function is the same for every page. If this changes, we abort with an +error. In theory, we should perhaps check that the transfer function +itself is identical for every page, however we don't do that due to the +confusion of the type of the data in the transfer function. 
+ +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940] + +CVE: CVE-2017-9935 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + libtiff/tif_dir.c | 3 +++ + tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------ + 2 files changed, 47 insertions(+), 21 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index f00f808..c36a5f3 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 454befb..0b5973e 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ float* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); +@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- 
t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (float*) NULL) && ++ (tiff_transferfunction[2] != (float*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { + if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ (t2p->tiff_transferfunction[2] != (float*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1; +-- +2.7.4 + 
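Review bot: The new local `float* tiff_transferfunction[3];` in t2p_read_tiff_init() is never initialised, yet its three elements are copied into `t2p->tiff_transferfunction[0..2]` unconditionally after the `if (i > 0)` check. That includes the path where `TIFFGetField()` returned 0 and wrote nothing to the array. Declaring it as `float* tiff_transferfunction[3] = { NULL, NULL, NULL };` keeps indeterminate pointers out of the T2P state. Separately, the per-page check compares only the transfer-function count, as the patch description itself says, so pages with the same count but different tables are still accepted; a comment at the check should state that limitation. Both t2p_read_tiff_init() and t2p_read_tiff_data() continue outside the hunks shown.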
diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch deleted file mode 100644 index fc9936328..000000000 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 62efea76592647426deec5592fd7274d5c950646 Mon Sep 17 00:00:00 2001 -From: Even Rouault <even.rouault@spatialys.com> -Date: Mon, 26 Jun 2017 15:19:59 +0000 -Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path of - JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported - by team OWL337 - -* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg - -Upstream-Status: Backport -[https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a] - -CVE: CVE-2017-9936 - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - ChangeLog | 6 ++++++ - libtiff/tif_jbig.c | 1 + - 2 files changed, 7 insertions(+) - -diff --git a/ChangeLog b/ChangeLog -index 5739292..0240f0b 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,9 @@ -+2017-06-26 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 -+ Reported by team OWL337 -+ - 2017-06-01 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 5f5f75e..c75f31d 100644 ---- a/libtiff/tif_jbig.c -+++ b/libtiff/tif_jbig.c -@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s) - jbg_strerror(decodeStatus) - #endif - ); -+ jbg_dec_free(&decoder); - return 0; - } - --- -2.7.4 - 
diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch
new file mode 100644
index 000000000..406001d57
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch
@@ -0,0 +1,135 @@ +From 6cdea15213be6b67d9f8380c7bb40e325d3adace Mon Sep 17 00:00:00 2001 +From: Nathan Baker <nathanb@lenovo-chrome.com> +Date: Tue, 6 Feb 2018 10:13:57 -0500 +Subject: [PATCH] Fix for bug 2772 + +It is possible to craft a TIFF document where the IFD list is circular, +leading to an infinite loop while traversing the chain. The libtiff +directory reader has a failsafe that will break out of this loop after +reading 65535 directory entries, but it will continue processing, +consuming time and resources to process what is essentially a bogus TIFF +document. + +This change fixes the above behavior by breaking out of processing when +a TIFF document has >= 65535 directories and terminating with an error. + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef] + +CVE: CVE-2018-5784 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + contrib/addtiffo/tif_overview.c | 14 +++++++++++++- + tools/tiff2pdf.c | 10 ++++++++++ + tools/tiffcrop.c | 13 +++++++++++-- + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c +index c61ffbb..03b3573 100644 +--- a/contrib/addtiffo/tif_overview.c ++++ b/contrib/addtiffo/tif_overview.c +@@ -65,6 +65,8 @@ + # define MAX(a,b) ((a>b) ? 
a : b) + #endif + ++#define TIFF_DIR_MAX 65534 ++ + void TIFFBuildOverviews( TIFF *, int, int *, int, const char *, + int (*)(double,void*), void * ); + +@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, + { + toff_t nBaseDirOffset; + toff_t nOffset; ++ tdir_t iNumDir; + + (void) bUseSubIFDs; + +@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize, + return 0; + + TIFFWriteDirectory( hTIFF ); +- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) ); ++ iNumDir = TIFFNumberOfDirectories(hTIFF); ++ if( iNumDir > TIFF_DIR_MAX ) ++ { ++ TIFFErrorExt( TIFFClientdata(hTIFF), ++ "TIFF_WriteOverview", ++ "File `%s' has too many directories.\n", ++ TIFFFileName(hTIFF) ); ++ exit(-1); ++ } ++ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) ); + + nOffset = TIFFCurrentDirOffset( hTIFF ); + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 0b5973e..ef5d6a0 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*); + + #define PS_UNIT_SIZE 72.0F + ++#define TIFF_DIR_MAX 65534 ++ + /* This type is of PDF color spaces. 
*/ + typedef enum { + T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */ +@@ -1051,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + float* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); ++ if(directorycount > TIFF_DIR_MAX) { ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "TIFF contains too many directories, %s", ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); + if(t2p->tiff_pages==NULL){ + TIFFError( +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index c69177e..c60cb38 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); + #define DUMP_TEXT 1 + #define DUMP_RAW 2 + ++#define TIFF_DIR_MAX 65534 ++ + /* Offsets into buffer for margins and fixed width and length segments */ + struct offset { + uint32 tmargin; +@@ -2233,7 +2235,7 @@ main(int argc, char* argv[]) + pageNum = -1; + else + total_images = 0; +- /* read multiple input files and write to output file(s) */ ++ /* Read multiple input files and write to output file(s) */ + while (optind < argc - 1) + { + in = TIFFOpen (argv[optind], "r"); +@@ -2241,7 +2243,14 @@ main(int argc, char* argv[]) + return (-3); + + /* If only one input file is specified, we can use directory count */ +- total_images = TIFFNumberOfDirectories(in); ++ total_images = TIFFNumberOfDirectories(in); ++ if (total_images > TIFF_DIR_MAX) ++ { ++ TIFFError (TIFFFileName(in), "File contains too many directories"); ++ if (out != NULL) ++ (void) TIFFClose(out); ++ return (1); ++ } + if (image_count == 0) + { + dirnum = 0; +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/libtool2.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/libtool2.patch index 457202eae..a84c68896 100644 
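Review bot: The directory-count limit is enforced only at three call sites (contrib/addtiffo/tif_overview.c, tools/tiff2pdf.c, tools/tiffcrop.c), each with its own copy of `#define TIFF_DIR_MAX 65534`. Any other caller of `TIFFNumberOfDirectories()` on an untrusted file therefore still goes on processing the circular IFD chain described in the patch header. A comment beside each define, such as `/* one below the library's 65535-directory failsafe; keep in sync across tools */`, would stop the copies drifting apart. In the tiffcrop.c hunk the new error path closes `out` but returns without closing `in`, which was opened a few lines above; adding `(void) TIFFClose(in);` before `return (1);` would match the cleanup done for `out`. main() and TIFF_WriteOverview() both extend beyond the hunks.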
--- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/libtool2.patch +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/libtool2.patch @@ -4,13 +4,13 @@ Upstream-Status: Inappropriate [configuration] configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: tiff-3.9.5/configure.ac +Index: tiff-4.0.9/configure.ac =================================================================== ---- tiff-3.9.5.orig/configure.ac -+++ tiff-3.9.5/configure.ac +--- tiff-4.0.9.orig/configure.ac ++++ tiff-4.0.9/configure.ac @@ -27,7 +27,7 @@ dnl Process this file with autoconf to p AC_PREREQ(2.64) - AC_INIT([LibTIFF Software],[3.9.5],[tiff@lists.maptools.org],[tiff]) + AC_INIT([LibTIFF Software],[4.0.9],[tiff@lists.maptools.org],[tiff]) AC_CONFIG_AUX_DIR(config) -AC_CONFIG_MACRO_DIR(m4) +dnl AC_CONFIG_MACRO_DIR(m4) diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb index ebee6f808..8c3bba5c6 100644 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb @@ -6,16 +6,13 @@ CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://libtool2.patch \ - file://CVE-2017-9147.patch \ - file://CVE-2017-9936.patch \ - file://CVE-2017-10688.patch \ - file://CVE-2017-11335.patch \ - file://CVE-2017-13726.patch \ - file://CVE-2017-13727.patch \ + file://CVE-2017-9935.patch \ + file://CVE-2017-18013.patch \ + file://CVE-2018-5784.patch \ " -SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b" -SRC_URI[sha256sum] = "59d7a5a8ccd92059913f246877db95a2918e6c04fb9d43fd74e5c3390dac2910" +SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79" +SRC_URI[sha256sum] = "6e7bdeec2c310734e734d19aae3a71ebe37a4d842e0e23dbb1b8921c0026cfcd" # exclude betas UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" |