From 9945cbccc4c737c84ad441773061acbf90c7baed Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Sat, 10 Dec 2016 09:38:43 -0800 Subject: libtiff: Update to 4.0.7 Major changes: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos. CVEs fixed: CVE-2016-9297 CVE-2016-9448 CVE-2016-9273 CVE-2014-8127 CVE-2016-3658 CVE-2016-5875 CVE-2016-5652 CVE-2016-3632 plus more that are not identified in the changelog. removed patches integrated into update. more info: http://libtiff.maptools.org/v4.0.7.html Signed-off-by: Armin Kuster Signed-off-by: Ross Burton --- .../libtiff/files/CVE-2016-3658.patch | 111 --------------------- 1 file changed, 111 deletions(-) delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch') diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch deleted file mode 100644 index 6cb12f2907..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch +++ /dev/null @@ -1,111 +0,0 @@ -From: 45c68450bef8ad876f310b495165c513cad8b67d -From: Even Rouault - -* libtiff/tif_dir.c: discard values of SMinSampleValue and -SMaxSampleValue when they have been read and the value of -SamplesPerPixel is changed afterwards (like when reading a -OJPEG compressed image with a missing SamplesPerPixel tag, -and whose photometric is RGB or YCbCr, forcing SamplesPerPixel -being 3). Otherwise when rewriting the directory (for example -with tiffset, we will expect 3 values whereas the array had been -allocated with just one), thus causing a out of bound read access. -Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -(CVE-2014-8127, duplicate: CVE-2016-3658) - -* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset -when writing directory, if FIELD_STRIPOFFSETS was artificially set -for a hack case in OJPEG case. -Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -(CVE-2014-8127, duplicate: CVE-2016-3658) - -CVE: CVE-2016-3658 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d - -Signed-off-by: Zhixiong.Chi - -Index: tiff-4.0.6/ChangeLog -=================================================================== ---- tiff-4.0.6.orig/ChangeLog 2016-11-14 10:52:10.008748230 +0800 -+++ tiff-4.0.6/ChangeLog 2016-11-14 16:17:46.140884438 +0800 -@@ -1,3 +1,22 @@ -+2016-10-25 Even Rouault -+ -+ * libtiff/tif_dir.c: discard values of SMinSampleValue and -+ SMaxSampleValue when they have been read and the value of -+ SamplesPerPixel is changed afterwards (like when reading a -+ OJPEG compressed image with a missing SamplesPerPixel tag, -+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel -+ being 3). Otherwise when rewriting the directory (for example -+ with tiffset, we will expect 3 values whereas the array had been -+ allocated with just one), thus causing a out of bound read access. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -+ (CVE-2014-8127, duplicate: CVE-2016-3658) -+ -+ * libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset -+ when writing directory, if FIELD_STRIPOFFSETS was artificially set -+ for a hack case in OJPEG case. -+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500 -+ (CVE-2014-8127, duplicate: CVE-2016-3658) -+ - 2016-09-24 Bob Friesenhahn - - * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to -Index: tiff-4.0.6/libtiff/tif_dir.c -=================================================================== ---- tiff-4.0.6.orig/libtiff/tif_dir.c 2015-06-01 07:11:43.000000000 +0800 -+++ tiff-4.0.6/libtiff/tif_dir.c 2016-11-14 16:20:17.800885495 +0800 -@@ -254,6 +254,28 @@ - v = (uint16) va_arg(ap, uint16_vap); - if (v == 0) - goto badvalue; -+ if( v != td->td_samplesperpixel ) -+ { -+ /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */ -+ if( td->td_sminsamplevalue != NULL ) -+ { -+ TIFFWarningExt(tif->tif_clientdata,module, -+ "SamplesPerPixel tag value is changing, " -+ "but SMinSampleValue tag was read with a different value. Cancelling it"); -+ TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE); -+ _TIFFfree(td->td_sminsamplevalue); -+ td->td_sminsamplevalue = NULL; -+ } -+ if( td->td_smaxsamplevalue != NULL ) -+ { -+ TIFFWarningExt(tif->tif_clientdata,module, -+ "SamplesPerPixel tag value is changing, " -+ "but SMaxSampleValue tag was read with a different value. Cancelling it"); -+ TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE); -+ _TIFFfree(td->td_smaxsamplevalue); -+ td->td_smaxsamplevalue = NULL; -+ } -+ } - td->td_samplesperpixel = (uint16) v; - break; - case TIFFTAG_ROWSPERSTRIP: -Index: tiff-4.0.6/libtiff/tif_dirwrite.c -=================================================================== ---- tiff-4.0.6.orig/libtiff/tif_dirwrite.c 2015-05-31 08:38:46.000000000 +0800 -+++ tiff-4.0.6/libtiff/tif_dirwrite.c 2016-11-14 16:23:54.688887007 +0800 -@@ -542,7 +542,19 @@ - { - if (!isTiled(tif)) - { -- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) -+ /* td_stripoffset might be NULL in an odd OJPEG case. See -+ * tif_dirread.c around line 3634. -+ * XXX: OJPEG hack. -+ * If a) compression is OJPEG, b) it's not a tiled TIFF, -+ * and c) the number of strips is 1, -+ * then we tolerate the absence of stripoffsets tag, -+ * because, presumably, all required data is in the -+ * JpegInterchangeFormat stream. -+ * We can get here when using tiffset on such a file. -+ * See http://bugzilla.maptools.org/show_bug.cgi?id=2500 -+ */ -+ if (tif->tif_dir.td_stripoffset != NULL && -+ !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) - goto bad; - } - else -- cgit 1.2.3-korg