[OE-core] [dora][PATCH 1/2] libtiff: fix CVE-2013-1960
Saul Wold
sgw at linux.intel.com
Thu Dec 5 21:48:50 UTC 2013
On 12/05/2013 12:51 PM, Mark Hatle wrote:
> On 11/22/13, 12:43 PM, Saul Wold wrote:
>> On 11/20/2013 11:05 PM, Mark Hatle wrote:
>>> From: Ming Liu <ming.liu at windriver.com>
>>>
>>> Heap-based buffer overflow in the tp_process_jpeg_strip function in
>>> tiff2pdf
>>> in libtiff 4.0.3 and earlier allows remote attackers to cause a
>>> denial of
>>> service (crash) and possibly execute arbitrary code via a crafted
>>> TIFF image
>>> file.
>>>
>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
>>>
>>> Signed-off-by: Ming Liu <ming.liu at windriver.com>
>>> Signed-off-by: Jeff Polk <jeff.polk at windriver.com>
>>> ---
>>> .../libtiff/files/libtiff-CVE-2013-1960.patch | 151
>>> +++++++++++++++++++++
>>> meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 +-
>>> 2 files changed, 153 insertions(+), 1 deletion(-)
>>> create mode 100644
>>> meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>>>
>>
>> For some reason this patch is not applying cleanly.
>
> It applies to dora. I just retried it using the latest version. (Note,
> it does NOT apply to master.)
>
> I don't know if it's needed for master.
>
Yes, it would be needed for master since master is still using 4.0.3,
and then backported to dora.
Sau!
> --Mark
>
>> Sau!
>>
>>> diff --git
>>> a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>>> b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>>> new file mode 100644
>>> index 0000000..e4348f1
>>> --- /dev/null
>>> +++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>>> @@ -0,0 +1,151 @@
>>> +This patch comes from:
>>> http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch
>>>
>>> +
>>> +Upstream-Status: Pending
>>> +
>>> +Signed-off-by: Ming Liu <ming.liu at windriver.com>
>>> +
>>> +diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c
>>> +--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
>>> ++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
>>> +@@ -3341,33 +3341,56 @@
>>> + uint32 height){
>>> +
>>> + tsize_t i=0;
>>> +- uint16 ri =0;
>>> +- uint16 v_samp=1;
>>> +- uint16 h_samp=1;
>>> +- int j=0;
>>> +-
>>> +- i++;
>>> +-
>>> +- while(i<(*striplength)){
>>> ++
>>> ++ while (i < *striplength) {
>>> ++ tsize_t datalen;
>>> ++ uint16 ri;
>>> ++ uint16 v_samp;
>>> ++ uint16 h_samp;
>>> ++ int j;
>>> ++ int ncomp;
>>> ++
>>> ++ /* marker header: one or more FFs */
>>> ++ if (strip[i] != 0xff)
>>> ++ return(0);
>>> ++ i++;
>>> ++ while (i < *striplength && strip[i] == 0xff)
>>> ++ i++;
>>> ++ if (i >= *striplength)
>>> ++ return(0);
>>> ++ /* SOI is the only pre-SOS marker without a length word */
>>> ++ if (strip[i] == 0xd8)
>>> ++ datalen = 0;
>>> ++ else {
>>> ++ if ((*striplength - i) <= 2)
>>> ++ return(0);
>>> ++ datalen = (strip[i+1] << 8) | strip[i+2];
>>> ++ if (datalen < 2 || datalen >= (*striplength - i))
>>> ++ return(0);
>>> ++ }
>>> + switch( strip[i] ){
>>> +- case 0xd8:
>>> +- /* SOI - start of image */
>>> ++ case 0xd8: /* SOI - start of image */
>>> + _TIFFmemcpy(&(buffer[*bufferoffset]),
>>> &(strip[i-1]), 2);
>>> + *bufferoffset+=2;
>>> +- i+=2;
>>> + break;
>>> +- case 0xc0:
>>> +- case 0xc1:
>>> +- case 0xc3:
>>> +- case 0xc9:
>>> +- case 0xca:
>>> ++ case 0xc0: /* SOF0 */
>>> ++ case 0xc1: /* SOF1 */
>>> ++ case 0xc3: /* SOF3 */
>>> ++ case 0xc9: /* SOF9 */
>>> ++ case 0xca: /* SOF10 */
>>> + if(no==0){
>>> +- _TIFFmemcpy(&(buffer[*bufferoffset]),
>>> &(strip[i-1]), strip[i+2]+2);
>>> +- for(j=0;j<buffer[*bufferoffset+9];j++){
>>> +- if( (buffer[*bufferoffset+11+(2*j)]>>4) >
>>> h_samp)
>>> +- h_samp =
>>> (buffer[*bufferoffset+11+(2*j)]>>4);
>>> +- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f)
>>> > v_samp)
>>> +- v_samp =
>>> (buffer[*bufferoffset+11+(2*j)] & 0x0f);
>>> ++ _TIFFmemcpy(&(buffer[*bufferoffset]),
>>> &(strip[i-1]), datalen+2);
>>> ++ ncomp = buffer[*bufferoffset+9];
>>> ++ if (ncomp < 1 || ncomp > 4)
>>> ++ return(0);
>>> ++ v_samp=1;
>>> ++ h_samp=1;
>>> ++ for(j=0;j<ncomp;j++){
>>> ++ uint16 samp = buffer[*bufferoffset+11+(3*j)];
>>> ++ if( (samp>>4) > h_samp)
>>> ++ h_samp = (samp>>4);
>>> ++ if( (samp & 0x0f) > v_samp)
>>> ++ v_samp = (samp & 0x0f);
>>> + }
>>> + v_samp*=8;
>>> + h_samp*=8;
>>> +@@ -3381,45 +3404,43 @@
>>> + (unsigned char)
>>> ((height>>8) & 0xff);
>>> + buffer[*bufferoffset+6]=
>>> + (unsigned char) (height
>>> & 0xff);
>>> +- *bufferoffset+=strip[i+2]+2;
>>> +- i+=strip[i+2]+2;
>>> +-
>>> ++ *bufferoffset+=datalen+2;
>>> ++ /* insert a DRI marker */
>>> + buffer[(*bufferoffset)++]=0xff;
>>> + buffer[(*bufferoffset)++]=0xdd;
>>> + buffer[(*bufferoffset)++]=0x00;
>>> + buffer[(*bufferoffset)++]=0x04;
>>> + buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
>>> + buffer[(*bufferoffset)++]= ri & 0xff;
>>> +- } else {
>>> +- i+=strip[i+2]+2;
>>> + }
>>> + break;
>>> +- case 0xc4:
>>> +- case 0xdb:
>>> +- _TIFFmemcpy(&(buffer[*bufferoffset]),
>>> &(strip[i-1]), strip[i+2]+2);
>>> +- *bufferoffset+=strip[i+2]+2;
>>> +- i+=strip[i+2]+2;
>>> ++ case 0xc4: /* DHT */
>>> ++ case 0xdb: /* DQT */
>>> ++ _TIFFmemcpy(&(buffer[*bufferoffset]),
>>> &(strip[i-1]), datalen+2);
>>> ++ *bufferoffset+=datalen+2;
>>> + break;
>>> +- case 0xda:
>>> ++ case 0xda: /* SOS */
>>> + if(no==0){
>>> +- _TIFFmemcpy(&(buffer[*bufferoffset]),
>>> &(strip[i-1]), strip[i+2]+2);
>>> +- *bufferoffset+=strip[i+2]+2;
>>> +- i+=strip[i+2]+2;
>>> ++ _TIFFmemcpy(&(buffer[*bufferoffset]),
>>> &(strip[i-1]), datalen+2);
>>> ++ *bufferoffset+=datalen+2;
>>> + } else {
>>> + buffer[(*bufferoffset)++]=0xff;
>>> + buffer[(*bufferoffset)++]=
>>> + (unsigned char)(0xd0 |
>>> ((no-1)%8));
>>> +- i+=strip[i+2]+2;
>>> + }
>>> +- _TIFFmemcpy(&(buffer[*bufferoffset]),
>>> &(strip[i-1]), (*striplength)-i-1);
>>> +- *bufferoffset+=(*striplength)-i-1;
>>> ++ i += datalen + 1;
>>> ++ /* copy remainder of strip */
>>> ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]),
>>> *striplength - i);
>>> ++ *bufferoffset+= *striplength - i;
>>> + return(1);
>>> + default:
>>> +- i+=strip[i+2]+2;
>>> ++ /* ignore any other marker */
>>> ++ break;
>>> + }
>>> ++ i += datalen + 1;
>>> + }
>>> +-
>>> +
>>> ++ /* failed to find SOS marker */
>>> + return(0);
>>> + }
>>> + #endif
>>> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
>>> b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
>>> index 256e75e..8e450df 100644
>>> --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
>>> +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
>>> @@ -6,7 +6,8 @@ DEPENDS = "zlib jpeg xz"
>>> PR = "r0"
>>>
>>> SRC_URI =
>>> "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
>>> - file://libtool2.patch"
>>> + file://libtool2.patch \
>>> + file://libtiff-CVE-2013-1960.patch"
>>>
>>> SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
>>> SRC_URI[sha256sum] =
>>> "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
>>>
>>
>
>
>
More information about the Openembedded-core
mailing list