[OE-core] [PATCH 1/5] tiff: Security fix CVE-2016-3945

Yi Zhao yi.zhao at windriver.com
Thu Oct 27 09:41:02 UTC 2016


Hi Jussi,


On 2016-10-26 17:09, Jussi Kukkonen wrote:
> On 26 October 2016 at 11:26, Yi Zhao <yi.zhao at windriver.com> wrote:
>
>     CVE-2016-3945 libtiff: Multiple integer overflows in the (1)
>     cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in
>     LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote
>     attackers to cause a denial of service (crash) or execute
>     arbitrary code
>     via a crafted TIFF image, which triggers an out-of-bounds write.
>
>     External References:
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3945
>     http://bugzilla.maptools.org/show_bug.cgi?id=2545
>
>     Patch from:
>     https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
>
>     Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
>     ---
>      .../libtiff/files/CVE-2016-3945.patch              | 118 +++++++++++++++++++++
>      meta/recipes-multimedia/libtiff/tiff_4.0.6.bb      |   1 +
>      2 files changed, 119 insertions(+)
>      create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
>
>     diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
>     new file mode 100644
>     index 0000000..4d965be
>     --- /dev/null
>     +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
>     @@ -0,0 +1,118 @@
>     +From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00
>     2001
>     +From: erouault <erouault>
>     +Date: Mon, 15 Aug 2016 20:06:40 +0000
>     +Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
>     + allocated buffer, when -b mode is enabled, that could result in
>     out-of-bounds
>     + write. Based initially on patch tiff-CVE-2016-3945.patch from
>     + libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction
>     for invalid
>     + tests that rejected valid files.
>     +
>     +CVE: CVE-2016-3945
>     +Upstream-Status: Backport
>     +https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
>     <https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6>
>
>
> It would be appropriate to point out that this is not the real 
> upstream, just a nameless github user who maintains a git mirror of 
> the libtiff repository. It's probably a reasonable choice -- the 
> current libtiff situation with no real homepage, no real tarball 
> hosting and a half-hidden cvs server for source control is pretty sad 
> -- but should still be openly mentioned.

Thank you for your suggestion.  This github is a mirror for the libtiff cvs 
repository in cvs.maptools.org. If the cvs repository is official, taking 
the patches from it is better.

Yi

>
> Jussi
>
>     +
>     +Signed-off-by: Yi Zhao <yi.zhao at windirver.com
>     <mailto:yi.zhao at windirver.com>>
>     +---
>     + ChangeLog         |  8 ++++++++
>     + tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
>     + 2 files changed, 38 insertions(+), 4 deletions(-)
>     +
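
Review bot: the Signed-off-by trailer inside the embedded patch header, `+Signed-off-by: Yi Zhao <yi.zhao at windirver.com>`, misspells the domain as `windirver.com`, while the commit's own Signed-off-by above reads `windriver.com`. Fix the address in files/CVE-2016-3945.patch so the two trailers match before this is merged.
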
>     +diff --git a/ChangeLog b/ChangeLog
>     +index 62dc1b5..9c0ab29 100644
>     +--- a/ChangeLog
>     ++++ b/ChangeLog
>     +@@ -1,3 +1,11 @@
>     ++2016-08-15 Even Rouault <even.rouault at spatialys.com
>     <http://spatialys.com>>
>     ++
>     ++      * tools/tiff2rgba.c: Fix integer overflow in size of allocated
>     ++      buffer, when -b mode is enabled, that could result in
>     out-of-bounds
>     ++      write. Based initially on patch tiff-CVE-2016-3945.patch from
>     ++      libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with
>     correction for
>     ++      invalid tests that rejected valid files.
>     ++
>     + 2016-07-11 Even Rouault <even.rouault at spatialys.com
>     <http://spatialys.com>>
>     +
>     +       * tools/tiffcrop.c: Avoid access outside of stack
>     allocated array
>     +diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
>     +index b7a81eb..16e3dc4 100644
>     +--- a/tools/tiff2rgba.c
>     ++++ b/tools/tiff2rgba.c
>     +@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
>     +     uint32  row, col;
>     +     uint32  *wrk_line;
>     +     int           ok = 1;
>     ++    uint32  rastersize, wrk_linesize;
>     +
>     +     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
>     +     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
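
Review bot: `rastersize` and `wrk_linesize` are declared `uint32` rather than a size type, and the checks in the following hunks rely on exactly that truncation; the side effect is that a tile raster of 4 GiB or more is refused even on a 64-bit host where the product would fit in size_t. That is acceptable for a command-line tool and matches upstream, but a one-line comment on the declaration would keep a later cleanup from "fixing" the type to size_t and silently disabling the check.
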
>     +@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
>     +     /*
>     +      * Allocate tile buffer
>     +      */
>     +-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height *
>     sizeof (uint32));
>     ++    rastersize = tile_width * tile_height * sizeof (uint32);
>     ++    if (tile_width != (rastersize / tile_height) / sizeof( uint32))
>     ++    {
>     ++      TIFFError(TIFFFileName(in), "Integer overflow when
>     calculating raster buffer");
>     ++      exit(-1);
>     ++    }
>     ++    raster = (uint32*)_TIFFmalloc(rastersize);
>     +     if (raster == 0) {
>     +         TIFFError(TIFFFileName(in), "No space for raster buffer");
>     +         return (0);
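
Review bot: the new overflow branch calls `exit(-1)` (exit status 255), while the allocation-failure branch immediately below returns 0 so the caller can close the output file and report; `return (0)` would be consistent with the function's existing error handling. Keeping `exit(-1)` is defensible for a backport that tracks upstream, but it deserves a mention in the commit message. Also confirm that `tile_height` cannot be 0 when this runs, since the check divides by it: `if (tile_width != (rastersize / tile_height) / sizeof( uint32))`.
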
>     +@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
>     +      * Allocate a scanline buffer for swapping during the vertical
>     +      * mirroring pass.
>     +      */
>     +-    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
>     ++    wrk_linesize = tile_width * sizeof (uint32);
>     ++    if (tile_width != wrk_linesize / sizeof (uint32))
>     ++    {
>     ++        TIFFError(TIFFFileName(in), "Integer overflow when
>     calculating wrk_line buffer");
>     ++      exit(-1);
>     ++    }
>     ++    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
>     +     if (!wrk_line) {
>     +         TIFFError(TIFFFileName(in), "No space for raster
>     scanline buffer");
>     +         ok = 0;
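
Review bot: this check is redundant given the raster check in the previous hunk: once `tile_width * tile_height * sizeof (uint32)` is known to fit in a uint32 (with tile_height at least 1, or the earlier division would already have faulted), `tile_width * sizeof (uint32)` cannot overflow. Harmless, and upstream has it, so keep it; note only the inconsistent indentation in the added lines (`TIFFError` at eight spaces, `exit(-1)` at six) if the patch is ever refreshed.
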
>     +@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
>     +     uint32  row;
>     +     uint32  *wrk_line;
>     +     int           ok = 1;
>     ++    uint32  rastersize, wrk_linesize;
>     +
>     +     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
>     +     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
>     +@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
>     +     /*
>     +      * Allocate strip buffer
>     +      */
>     +-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof
>     (uint32));
>     ++    rastersize = width * rowsperstrip * sizeof (uint32);
>     ++    if (width != (rastersize / rowsperstrip) / sizeof( uint32))
>     ++    {
>     ++      TIFFError(TIFFFileName(in), "Integer overflow when
>     calculating raster buffer");
>     ++      exit(-1);
>     ++    }
>     ++    raster = (uint32*)_TIFFmalloc(rastersize);
>     +     if (raster == 0) {
>     +         TIFFError(TIFFFileName(in), "No space for raster buffer");
>     +         return (0);
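
Review bot: this check divides by `rowsperstrip`; please confirm the value is guaranteed non-zero at this point (whether it comes from the file's ROWSPERSTRIP tag or from elsewhere in the tool), otherwise the overflow guard itself becomes a divide-by-zero crash on a crafted file. The same `exit(-1)` versus `return (0)` inconsistency noted for cvt_by_tile applies here.
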
>     +@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
>     +      * Allocate a scanline buffer for swapping during the vertical
>     +      * mirroring pass.
>     +      */
>     +-    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
>     ++    wrk_linesize = width * sizeof (uint32);
>     ++    if (width != wrk_linesize / sizeof (uint32))
>     ++    {
>     ++        TIFFError(TIFFFileName(in), "Integer overflow when
>     calculating wrk_line buffer");
>     ++      exit(-1);
>     ++    }
>     ++    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
>     +     if (!wrk_line) {
>     +         TIFFError(TIFFFileName(in), "No space for raster
>     scanline buffer");
>     +         ok = 0;
>     +--
>     +2.7.4
>     +
>     diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
>     index 8147bc4..b978528 100644
>     --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
>     +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
>     @@ -10,6 +10,7 @@ SRC_URI =
>     "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz
>     <http://download.osgeo.org/libtiff/tiff-$%7BPV%7D.tar.gz> \
>                 file://CVE-2016-3186.patch \
>                 file://CVE-2016-5321.patch \
>                 file://CVE-2016-5323.patch \
>     +           file://CVE-2016-3945.patch \
>                "
>
>      SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
>     --
>     2.7.4
>
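As an added example (not code from the libtiff patch or from this thread), the size check the patch introduces, modelled stand-alone in C so the wrap it detects can be exercised on constructed dimensions. The names `checked_raster_size` and `fits_in_uint32` are mine; `fits_in_uint32` is an alternative pre-multiplication form that is not in the patch.

```c
/* Added example, not from the libtiff patch or the OE-core mail. It models
 * the check the CVE-2016-3945 fix adds to tiff2rgba.c: the product
 * width * rows * sizeof(uint32) is stored in a uint32, so 2^32 bytes or
 * more wrap before _TIFFmalloc() sees them; dividing back out detects it. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t uint32;   /* libtiff's name for the type */
/* Same shape as the patched cvt_by_tile()/cvt_by_strip() check. Returns 1
 * and stores the byte count in *out when it fits in a uint32, 0 when it
 * wrapped (the tool calls exit(-1) there). rows is tile_height or
 * rowsperstrip; the patch divides by it, so zero is refused here too. */
static int checked_raster_size(uint32 width, uint32 rows, uint32 *out)
{
    uint32 rastersize;
    if (rows == 0)
        return 0;
    /* Low 32 bits of the product either way (uint32 or size_t math). */
    rastersize = (uint32)(width * rows * sizeof(uint32));
    /* If it wrapped, rastersize < the true size, so the quotient < width. */
    if (width != (rastersize / rows) / sizeof(uint32))
        return 0;
    *out = rastersize;
    return 1;
}

/* The usual alternative: bound the operands first so the product is never
 * formed unless it fits. Accepts exactly the same (width, rows) pairs. */
static int fits_in_uint32(uint32 width, uint32 rows)
{
    return rows != 0 && width <= UINT32_MAX / rows / (uint32)sizeof(uint32);
}

int main(void)
{
    static const uint32 dims[][2] = {   /* constructed, not from a real TIFF */
        { 1024, 768 },       /* ordinary image: 3145728 bytes */
        { 65536, 65536 },    /* 2^32 pixels: wraps to 0, rejected */
        { 0x40000000u, 1 },  /* 2^30 * 4 == 2^32: wraps to 0, rejected */
        { 0x3FFFFFFFu, 1 },  /* 0xFFFFFFFC bytes: just fits */
    };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32 n = 0;
        int ok = checked_raster_size(dims[i][0], dims[i][1], &n);
        printf("%u x %u rows: %s (%u bytes)\n", dims[i][0], dims[i][1],
               ok ? "ok" : "overflow, rejected", n);
    }
    return 0;
}
```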
