[OE-core] [master][kergoth][PATCH] tiff: Security fixes CVE-2015-8665 and CVE-2015-8683
Armin Kuster
akuster808 at gmail.com
Tue Apr 26 00:29:41 UTC 2016
From: Armin Kuster <akuster at mvista.com>
same fix for both CVE's
tiff <= 4.0.6
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
.../libtiff/files/CVE-2015-8665_8683.patch | 137 +++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 +
2 files changed, 138 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
new file mode 100644
index 0000000..39c5059
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
@@ -0,0 +1,137 @@
+From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 26 Dec 2015 17:32:03 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
+ TIFFRGBAImage interface in case of unsupported values of
+ SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
+ TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
+ limingxing and CVE-2015-8683 reported by zzf of Alibaba.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8665
+CVE: CVE-2015-8683
+https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ ChangeLog | 8 ++++++++
+ libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
+ 2 files changed, 30 insertions(+), 13 deletions(-)
+
+Index: tiff-4.0.6/libtiff/tif_getimage.c
+===================================================================
+--- tiff-4.0.6.orig/libtiff/tif_getimage.c
++++ tiff-4.0.6/libtiff/tif_getimage.c
+@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
+- if( td->td_samplesperpixel != 3 )
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+ {
+ sprintf(emsg,
+- "Sorry, can not handle image with %s=%d",
+- "Samples/pixel", td->td_samplesperpixel);
++ "Sorry, can not handle image with %s=%d, %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels);
+ return 0;
+ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+ {
+ sprintf(emsg,
+- "Sorry, can not handle image with %s=%d and %s=%d",
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels,
+ "Bits/sample", td->td_bitspersample);
+ return 0;
+ }
+@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
+ int colorchannels;
+ uint16 *red_orig, *green_orig, *blue_orig;
+ int n_color;
++
++ if( !TIFFRGBAImageOK(tif, emsg) )
++ return 0;
+
+ /* Initialize to normal values */
+ img->row_offset = 0;
+@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
+ case PHOTOMETRIC_RGB:
+ switch (img->bitspersample) {
+ case 8:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >= 4)
+ img->put.contig = putRGBAAcontig8bittile;
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >= 4)
+ {
+ if (BuildMapUaToAa(img))
+ img->put.contig = putRGBUAcontig8bittile;
+ }
+- else
++ else if( img->samplesperpixel >= 3 )
+ img->put.contig = putRGBcontig8bittile;
+ break;
+ case 16:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ if (BuildMapBitdepth16To8(img))
+ img->put.contig = putRGBAAcontig16bittile;
+ }
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ if (BuildMapBitdepth16To8(img) &&
+ BuildMapUaToAa(img))
+ img->put.contig = putRGBUAcontig16bittile;
+ }
+- else
++ else if( img->samplesperpixel >=3 )
+ {
+ if (BuildMapBitdepth16To8(img))
+ img->put.contig = putRGBcontig16bittile;
+@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
+ }
+ break;
+ case PHOTOMETRIC_SEPARATED:
+- if (buildMap(img)) {
++ if (img->samplesperpixel >=4 && buildMap(img)) {
+ if (img->bitspersample == 8) {
+ if (!img->Map)
+ img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
+ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if (buildMap(img)) {
++ if (img->samplesperpixel == 3 && buildMap(img)) {
+ if (img->bitspersample == 8)
+ img->put.contig = initCIELabConversion(img);
+ break;
+Index: tiff-4.0.6/ChangeLog
+===================================================================
+--- tiff-4.0.6.orig/ChangeLog
++++ tiff-4.0.6/ChangeLog
+@@ -1,3 +1,11 @@
++2015-12-26 Even Rouault <even.rouault at spatialys.com>
++
++ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
++ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
++ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
++ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
++ CVE-2015-8683 reported by zzf of Alibaba.
++
+ 2015-09-12 Bob Friesenhahn <bfriesen at simple.dallas.tx.us>
+
+ * libtiff 4.0.6 released.
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index e2e24e0..810a5e4 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -5,6 +5,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"
SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
+ file://CVE-2015-8665_8683.patch \
"
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
--
2.3.5
More information about the Openembedded-core
mailing list