[OE-core] [PATCH 1/2] tiff: Security fix CVE-2016-3658

Yi Zhao yi.zhao at windriver.com
Thu Nov 17 08:08:09 UTC 2016 

CVE-2016-3658 libtiff: The TIFFWriteDirectoryTagLongLong8Array function
in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier
allows remote attackers to cause a denial of service (out-of-bounds
read) via vectors involving the ma variable.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658
http://www.openwall.com/lists/oss-security/2016/04/08/12
http://bugzilla.maptools.org/show_bug.cgi?id=2546

Patch from:
https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d

This git repository is a mirror of libtiff cvs repository at cvs.maptools.org
created and updated using "git cvsimport".

Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
---
 .../libtiff/files/CVE-2016-3658.patch              | 120 +++++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.6.bb      |   1 +
 2 files changed, 121 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
new file mode 100644
index 0000000..950c634
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
@@ -0,0 +1,120 @@
+From 45c68450bef8ad876f310b495165c513cad8b67d Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Tue, 25 Oct 2016 21:35:15 +0000
+Subject: [PATCH] * libtiff/tif_dir.c: discard values of SMinSampleValue and
+ SMaxSampleValue when they have been read and the value of SamplesPerPixel is
+ changed afterwards (like when reading a OJPEG compressed image with a missing
+ SamplesPerPixel tag, and whose photometric is RGB or YCbCr, forcing
+ SamplesPerPixel being 3). Otherwise when rewriting the directory (for example
+ with tiffset, we will expect 3 values whereas the array had been allocated
+ with just one), thus causing a out of bound read access. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2500 (CVE-2014-8127, duplicate:
+ CVE-2016-3658)
+
+* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
+when writing directory, if FIELD_STRIPOFFSETS was artificially set
+for a hack case	in OJPEG case.
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+(CVE-2014-8127, duplicate: CVE-2016-3658)
+
+CVE: CVE-2016-3658
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
+
+Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
+---
+ ChangeLog              | 19 +++++++++++++++++++
+ libtiff/tif_dir.c      | 22 ++++++++++++++++++++++
+ libtiff/tif_dirwrite.c | 16 ++++++++++++++--
+ 3 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 375fe02..8027964 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,22 @@
++2016-10-25 Even Rouault <even.rouault at spatialys.com>
++
++	* libtiff/tif_dir.c: discard values of SMinSampleValue and
++	SMaxSampleValue when they have been read and the value of
++	SamplesPerPixel is changed afterwards (like when reading a
++	OJPEG compressed image with a missing SamplesPerPixel tag,
++	and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
++	being 3). Otherwise when rewriting the directory (for example
++	with tiffset, we will expect 3 values whereas the array had been
++	allocated with just one), thus causing a out of bound read access.
++	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
++	(CVE-2014-8127, duplicate: CVE-2016-3658)
++	
++	* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
++	when writing directory, if FIELD_STRIPOFFSETS was artificially set
++	for a hack case	in OJPEG case.
++	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
++	(CVE-2014-8127, duplicate: CVE-2016-3658)
++
+ 2016-09-24  Bob Friesenhahn  <bfriesen at simple.dallas.tx.us>
+ 
+ 	* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 8073480..160c5d4 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -256,6 +256,28 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ 		v = (uint16) va_arg(ap, uint16_vap);
+ 		if (v == 0)
+ 			goto badvalue;
++        if( v != td->td_samplesperpixel )
++        {
++            /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
++            if( td->td_sminsamplevalue != NULL )
++            {
++                TIFFWarningExt(tif->tif_clientdata,module,
++                    "SamplesPerPixel tag value is changing, "
++                    "but SMinSampleValue tag was read with a different value. Cancelling it");
++                TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
++                _TIFFfree(td->td_sminsamplevalue);
++                td->td_sminsamplevalue = NULL;
++            }
++            if( td->td_smaxsamplevalue != NULL )
++            {
++                TIFFWarningExt(tif->tif_clientdata,module,
++                    "SamplesPerPixel tag value is changing, "
++                    "but SMaxSampleValue tag was read with a different value. Cancelling it");
++                TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
++                _TIFFfree(td->td_smaxsamplevalue);
++                td->td_smaxsamplevalue = NULL;
++            }
++        }
+ 		td->td_samplesperpixel = (uint16) v;
+ 		break;
+ 	case TIFFTAG_ROWSPERSTRIP:
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 7e71818..8a3341e 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -542,8 +542,20 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ 			{
+ 				if (!isTiled(tif))
+ 				{
+-					if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+-						goto bad;
++                    /* td_stripoffset might be NULL in an odd OJPEG case. See
++                     *  tif_dirread.c around line 3634.
++                     * XXX: OJPEG hack.
++                     * If a) compression is OJPEG, b) it's not a tiled TIFF,
++                     * and c) the number of strips is 1,
++                     * then we tolerate the absence of stripoffsets tag,
++                     * because, presumably, all required data is in the
++                     * JpegInterchangeFormat stream.
++                     * We can get here when using tiffset on such a file.
++                     * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
++                    */
++                    if (tif->tif_dir.td_stripoffset != NULL &&
++                        !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
++                        goto bad;
+ 				}
+ 				else
+ 				{
+-- 
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 796d86e..edd560f 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2016-3991.patch \
            file://CVE-2016-3623.patch \
            file://CVE-2016-3622.patch \
+           file://CVE-2016-3658.patch \
           "
 
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
-- 
2.7.4

More information about the Openembedded-core mailing list