From 3f75a6478b6b6a62ddd9e086770efc84f8666928 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Mon, 25 Apr 2016 17:29:41 -0700 Subject: tiff: Security fixes CVE-2015-8665 and CVE-2015-8683 same fix for both CVE's tiff <= 4.0.6 (From OE-Core rev: b7a38a45bf404b8f9b419bf7c054102d68cf2673) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- .../libtiff/files/CVE-2015-8665_8683.patch | 137 +++++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 + 2 files changed, 138 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch (limited to 'meta/recipes-multimedia') diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch new file mode 100644 index 0000000000..39c5059c75 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch @@ -0,0 +1,137 @@ +From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sat, 26 Dec 2015 17:32:03 +0000 +Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in + TIFFRGBAImage interface in case of unsupported values of + SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to + TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by + limingxing and CVE-2015-8683 reported by zzf of Alibaba. + +Upstream-Status: Backport +CVE: CVE-2015-8665 +CVE: CVE-2015-8683 +https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 + +Signed-off-by: Armin Kuster + +--- + ChangeLog | 8 ++++++++ + libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- + 2 files changed, 30 insertions(+), 13 deletions(-) + +Index: tiff-4.0.6/libtiff/tif_getimage.c +=================================================================== +--- tiff-4.0.6.orig/libtiff/tif_getimage.c ++++ tiff-4.0.6/libtiff/tif_getimage.c +@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 + "Planarconfiguration", td->td_planarconfig); + return (0); + } +- if( td->td_samplesperpixel != 3 ) ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) + { + sprintf(emsg, +- "Sorry, can not handle image with %s=%d", +- "Samples/pixel", td->td_samplesperpixel); ++ "Sorry, can not handle image with %s=%d, %s=%d", ++ "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels); + return 0; + } + break; + case PHOTOMETRIC_CIELAB: +- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) + { + sprintf(emsg, +- "Sorry, can not handle image with %s=%d and %s=%d", ++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", + "Samples/pixel", td->td_samplesperpixel, ++ "colorchannels", colorchannels, + "Bits/sample", td->td_bitspersample); + return 0; + } +@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T + int colorchannels; + uint16 *red_orig, *green_orig, *blue_orig; + int n_color; ++ ++ if( !TIFFRGBAImageOK(tif, emsg) ) ++ return 0; + + /* Initialize to normal values */ + img->row_offset = 0; +@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) + case PHOTOMETRIC_RGB: + switch (img->bitspersample) { + case 8: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >= 4) + img->put.contig = putRGBAAcontig8bittile; +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >= 4) + { + if (BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig8bittile; + } +- else ++ else if( img->samplesperpixel >= 3 ) + img->put.contig = putRGBcontig8bittile; + break; + case 16: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBAAcontig16bittile; + } +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >=4 ) + { + if (BuildMapBitdepth16To8(img) && + BuildMapUaToAa(img)) + img->put.contig = putRGBUAcontig16bittile; + } +- else ++ else if( img->samplesperpixel >=3 ) + { + if (BuildMapBitdepth16To8(img)) + img->put.contig = putRGBcontig16bittile; +@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) + } + break; + case PHOTOMETRIC_SEPARATED: +- if (buildMap(img)) { ++ if (img->samplesperpixel >=4 && buildMap(img)) { + if (img->bitspersample == 8) { + if (!img->Map) + img->put.contig = putRGBcontig8bitCMYKtile; +@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) + } + break; + case PHOTOMETRIC_CIELAB: +- if (buildMap(img)) { ++ if (img->samplesperpixel == 3 && buildMap(img)) { + if (img->bitspersample == 8) + img->put.contig = initCIELabConversion(img); + break; +Index: tiff-4.0.6/ChangeLog +=================================================================== +--- tiff-4.0.6.orig/ChangeLog ++++ tiff-4.0.6/ChangeLog +@@ -1,3 +1,11 @@ ++2015-12-26 Even Rouault ++ ++ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage ++ interface in case of unsupported values of SamplesPerPixel/ExtraSamples ++ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in ++ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and ++ CVE-2015-8683 reported by zzf of Alibaba. ++ + 2015-09-12 Bob Friesenhahn + + * libtiff 4.0.6 released. diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb index e2e24e0fb2..810a5e4c7d 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb @@ -5,6 +5,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/" SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ file://libtool2.patch \ + file://CVE-2015-8665_8683.patch \ " SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" -- cgit 1.2.3-korg