[OE-core] [master][kergoth][PATCH] tiff: Security fixes CVE-2015-8665 and CVE-2015-8683
Denys Dmytriyenko
denis at denix.org
Tue Apr 26 00:59:24 UTC 2016
It was meant to happen eventually - someone had to confuse krogoth for kergoth
sooner or later... :)
On Mon, Apr 25, 2016 at 05:29:41PM -0700, Armin Kuster wrote:
> From: Armin Kuster <akuster at mvista.com>
>
> same fix for both CVEs
>
> tiff <= 4.0.6
>
> Signed-off-by: Armin Kuster <akuster at mvista.com>
> ---
> .../libtiff/files/CVE-2015-8665_8683.patch | 137 +++++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 +
> 2 files changed, 138 insertions(+)
> create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
>
> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
> new file mode 100644
> index 0000000..39c5059
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
> @@ -0,0 +1,137 @@
> +From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
> +From: erouault <erouault>
> +Date: Sat, 26 Dec 2015 17:32:03 +0000
> +Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
> + TIFFRGBAImage interface in case of unsupported values of
> + SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
> + TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
> + limingxing and CVE-2015-8683 reported by zzf of Alibaba.
> +
> +Upstream-Status: Backport
> +CVE: CVE-2015-8665
> +CVE: CVE-2015-8683
> +https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
> +
> +Signed-off-by: Armin Kuster <akuster at mvista.com>
> +
> +---
> + ChangeLog | 8 ++++++++
> + libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
> + 2 files changed, 30 insertions(+), 13 deletions(-)
> +
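Review bot: The upstream commit URL in the embedded patch header sits on its own line below the CVE tags, so the Upstream-Status line reads only "Backport" with no source attached to it. Putting the reference on that line, e.g. Upstream-Status: Backport [https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55], keeps the status and its origin together for anyone scanning the patch headers.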
> +Index: tiff-4.0.6/libtiff/tif_getimage.c
> +===================================================================
> +--- tiff-4.0.6.orig/libtiff/tif_getimage.c
> ++++ tiff-4.0.6/libtiff/tif_getimage.c
> +@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
> + "Planarconfiguration", td->td_planarconfig);
> + return (0);
> + }
> +- if( td->td_samplesperpixel != 3 )
> ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
> + {
> + sprintf(emsg,
> +- "Sorry, can not handle image with %s=%d",
> +- "Samples/pixel", td->td_samplesperpixel);
> ++ "Sorry, can not handle image with %s=%d, %s=%d",
> ++ "Samples/pixel", td->td_samplesperpixel,
> ++ "colorchannels", colorchannels);
> + return 0;
> + }
> + break;
> + case PHOTOMETRIC_CIELAB:
> +- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
> ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
> + {
> + sprintf(emsg,
> +- "Sorry, can not handle image with %s=%d and %s=%d",
> ++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
> + "Samples/pixel", td->td_samplesperpixel,
> ++ "colorchannels", colorchannels,
> + "Bits/sample", td->td_bitspersample);
> + return 0;
> + }
> +@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
> + int colorchannels;
> + uint16 *red_orig, *green_orig, *blue_orig;
> + int n_color;
> ++
> ++ if( !TIFFRGBAImageOK(tif, emsg) )
> ++ return 0;
> +
> + /* Initialize to normal values */
> + img->row_offset = 0;
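Review bot: The new TIFFRGBAImageOK() check in TIFFRGBAImageBegin() returns 0 above the "Initialize to normal values" block, so on this failure path none of the img fields have been set. Please confirm that no caller invokes TIFFRGBAImageEnd() or otherwise reads img after a failed Begin; if one does, placing the check after the initialization would be the safer order.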
> +@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
> + case PHOTOMETRIC_RGB:
> + switch (img->bitspersample) {
> + case 8:
> +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
> ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
> ++ img->samplesperpixel >= 4)
> + img->put.contig = putRGBAAcontig8bittile;
> +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
> ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
> ++ img->samplesperpixel >= 4)
> + {
> + if (BuildMapUaToAa(img))
> + img->put.contig = putRGBUAcontig8bittile;
> + }
> +- else
> ++ else if( img->samplesperpixel >= 3 )
> + img->put.contig = putRGBcontig8bittile;
> + break;
> + case 16:
> +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
> ++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
> ++ img->samplesperpixel >=4 )
> + {
> + if (BuildMapBitdepth16To8(img))
> + img->put.contig = putRGBAAcontig16bittile;
> + }
> +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
> ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
> ++ img->samplesperpixel >=4 )
> + {
> + if (BuildMapBitdepth16To8(img) &&
> + BuildMapUaToAa(img))
> + img->put.contig = putRGBUAcontig16bittile;
> + }
> +- else
> ++ else if( img->samplesperpixel >=3 )
> + {
> + if (BuildMapBitdepth16To8(img))
> + img->put.contig = putRGBcontig16bittile;
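Review bot: With the final else in both the 8-bit and 16-bit RGB cases now conditional on samplesperpixel >= 3, an image with fewer samples leaves this switch without any assignment to img->put.contig. The hunk does not show how PickContigCase() reports that outcome, so please confirm that put.contig is cleared on entry and that the caller treats an unset routine as a failure rather than calling through it.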
> +@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
> + }
> + break;
> + case PHOTOMETRIC_SEPARATED:
> +- if (buildMap(img)) {
> ++ if (img->samplesperpixel >=4 && buildMap(img)) {
> + if (img->bitspersample == 8) {
> + if (!img->Map)
> + img->put.contig = putRGBcontig8bitCMYKtile;
> +@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
> + }
> + break;
> + case PHOTOMETRIC_CIELAB:
> +- if (buildMap(img)) {
> ++ if (img->samplesperpixel == 3 && buildMap(img)) {
> + if (img->bitspersample == 8)
> + img->put.contig = initCIELabConversion(img);
> + break;
> +Index: tiff-4.0.6/ChangeLog
> +===================================================================
> +--- tiff-4.0.6.orig/ChangeLog
> ++++ tiff-4.0.6/ChangeLog
> +@@ -1,3 +1,11 @@
> ++2015-12-26 Even Rouault <even.rouault at spatialys.com>
> ++
> ++ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
> ++ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
> ++ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
> ++ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
> ++ CVE-2015-8683 reported by zzf of Alibaba.
> ++
> + 2015-09-12 Bob Friesenhahn <bfriesen at simple.dallas.tx.us>
> +
> + * libtiff 4.0.6 released.
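Review bot: The ChangeLog hunk at the end of the embedded patch changes no code and is anchored to the first three lines of ChangeLog, so it will conflict with any other backport that also prepends an entry there. Consider dropping it from CVE-2015-8665_8683.patch and keeping only the tif_getimage.c changes; the same description is already carried in the patch header.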
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
> index e2e24e0..810a5e4 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
> @@ -5,6 +5,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/"
>
> SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
> file://libtool2.patch \
> + file://CVE-2015-8665_8683.patch \
> "
>
> SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
> --
> 2.3.5
>