* [PATCH 0/5] tiff: fix CVEs
@ 2016-10-26 8:26 Yi Zhao
2016-10-26 8:26 ` [PATCH 1/5] tiff: Security fix CVE-2016-3945 Yi Zhao
From: Yi Zhao @ 2016-10-26 8:26 UTC (permalink / raw)
To: openembedded-core
The following changes since commit 30d1af89ce2a2fb30f32a898ec12c9a51db57013:
image_types: Use softer setting of WKS_FILE (2016-10-25 17:58:59 +0100)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib yzhao/tiff-cves
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=yzhao/tiff-cves
Yi Zhao (5):
tiff: Security fix CVE-2016-3945
tiff: Security fix CVE-2016-3990
tiff: Security fix CVE-2016-3991
tiff: Security fix CVE-2016-3623
tiff: Security fix CVE-2016-3622
.../libtiff/files/CVE-2016-3622.patch | 129 ++++++++++++++++++
.../libtiff/files/CVE-2016-3623.patch | 52 ++++++++
.../libtiff/files/CVE-2016-3945.patch | 118 +++++++++++++++++
.../libtiff/files/CVE-2016-3990.patch | 66 +++++++++
.../libtiff/files/CVE-2016-3991.patch | 147 +++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 5 +
6 files changed, 517 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
--
2.7.4
* [PATCH 1/5] tiff: Security fix CVE-2016-3945
2016-10-26 8:26 [PATCH 0/5] tiff: fix CVEs Yi Zhao
@ 2016-10-26 8:26 ` Yi Zhao
2016-10-26 9:09 ` Jussi Kukkonen
2016-10-26 8:26 ` [PATCH 2/5] tiff: Security fix CVE-2016-3990 Yi Zhao
From: Yi Zhao @ 2016-10-26 8:26 UTC (permalink / raw)
To: openembedded-core
CVE-2016-3945 libtiff: Multiple integer overflows in the (1)
cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in
LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote
attackers to cause a denial of service (crash) or execute arbitrary code
via a crafted TIFF image, which triggers an out-of-bounds write.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3945
http://bugzilla.maptools.org/show_bug.cgi?id=2545
Patch from:
https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
.../libtiff/files/CVE-2016-3945.patch | 118 +++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 +
2 files changed, 119 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
new file mode 100644
index 0000000..4d965be
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
@@ -0,0 +1,118 @@
+From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 20:06:40 +0000
+Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
+ allocated buffer, when -b mode is enabled, that could result in out-of-bounds
+ write. Based initially on patch tiff-CVE-2016-3945.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
+ tests that rejected valid files.
+
+CVE: CVE-2016-3945
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
+
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ ChangeLog | 8 ++++++++
+ tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
+ 2 files changed, 38 insertions(+), 4 deletions(-)
+
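Review bot: the Signed-off-by inside the patch file reads `yi.zhao@windirver.com`, while the commit message's Signed-off-by and the From line use `windriver.com`; the same typo is present in all five patch files of this series, so fix it before this goes in. Separately, the oe-core patch guidelines put the reference on the tag line itself, `Upstream-Status: Backport [<url>]`; here the commit URL sits on the following line, which reads as free text rather than as part of the tag.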
+diff --git a/ChangeLog b/ChangeLog
+index 62dc1b5..9c0ab29 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,11 @@
++2016-08-15 Even Rouault <even.rouault at spatialys.com>
++
++ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
++ buffer, when -b mode is enabled, that could result in out-of-bounds
++ write. Based initially on patch tiff-CVE-2016-3945.patch from
++ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
++ invalid tests that rejected valid files.
++
+ 2016-07-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: Avoid access outside of stack allocated array
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index b7a81eb..16e3dc4 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ uint32 row, col;
+ uint32 *wrk_line;
+ int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
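Review bot: `rastersize` and `wrk_linesize` are declared `uint32` although `_TIFFmalloc` takes a `tmsize_t`. Note that `tile_width * tile_height` is a uint32 times uint32 product and wraps before `sizeof` widens anything, so widening these two variables on its own would not remove the overflow; if the intent is to let 64-bit builds allocate a large tile instead of rejecting the file, the first factor has to be cast as well, `(tmsize_t)tile_width * tile_height * sizeof (uint32)`, and the check adjusted to match. Otherwise add a comment that the narrow type is deliberate and that the division test below is what catches the wrap.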
+@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ rastersize = tile_width * tile_height * sizeof (uint32);
++ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
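Review bot: the new test divides by `tile_height` without anything in this hunk establishing that it is non-zero; safety rests on the directory reader having refused a zero tile size earlier (as far as I can tell it does, but a comment or an explicit `tile_height == 0` guard would make the dependence visible). The check itself is exact: truncation modulo 2^32 can only shrink the stored value, so `(rastersize / tile_height) / sizeof (uint32)` equals `tile_width` if and only if nothing wrapped. Separately, `exit(-1)` here sits two lines above a `return (0)` for the malloc-failure case; the function reports its other failures to the caller, so prefer `return (0)` after the TIFFError.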
+@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ * Allocate a scanline buffer for swapping during the vertical
+ * mirroring pass.
+ */
+- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
++ wrk_linesize = tile_width * sizeof (uint32);
++ if (tile_width != wrk_linesize / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ ok = 0;
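Review bot: this failure path calls `exit(-1)` after `raster` has already been allocated a few lines up, whereas the malloc-failure branch immediately below sets `ok = 0` and falls through to the function's cleanup. Routing the overflow case through the same `ok = 0` path keeps the error handling uniform and lets the caller close its files; exiting mid-conversion also leaves a truncated output file behind.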
+@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ uint32 row;
+ uint32 *wrk_line;
+ int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ rastersize = width * rowsperstrip * sizeof (uint32);
++ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
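Review bot: `rowsperstrip` is used unclamped in `width * rowsperstrip`. Valid files commonly store the whole image as one strip with RowsPerStrip = 0xFFFFFFFF; for any width above 1 that product wraps, and this check will now exit with "Integer overflow", i.e. the fix rejects a legitimate input unless `rowsperstrip` was already clamped to `height` before this hunk (not visible here). Clamping first, `if (rowsperstrip > height) rowsperstrip = height;`, removes that false positive and makes the computed size honest. As in cvt_by_tile, the division also assumes `rowsperstrip != 0`.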
+@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ * Allocate a scanline buffer for swapping during the vertical
+ * mirroring pass.
+ */
+- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
++ wrk_linesize = width * sizeof (uint32);
++ if (width != wrk_linesize / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ ok = 0;
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 8147bc4..b978528 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2016-3186.patch \
file://CVE-2016-5321.patch \
file://CVE-2016-5323.patch \
+ file://CVE-2016-3945.patch \
"
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
--
2.7.4
* [PATCH 2/5] tiff: Security fix CVE-2016-3990
2016-10-26 8:26 [PATCH 0/5] tiff: fix CVEs Yi Zhao
2016-10-26 8:26 ` [PATCH 1/5] tiff: Security fix CVE-2016-3945 Yi Zhao
@ 2016-10-26 8:26 ` Yi Zhao
2016-10-26 8:26 ` [PATCH 3/5] tiff: Security fix CVE-2016-3991 Yi Zhao
From: Yi Zhao @ 2016-10-26 8:26 UTC (permalink / raw)
To: openembedded-core
CVE-2016-3990 libtiff: Heap-based buffer overflow in the
horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and
earlier allows remote attackers to cause a denial of service (crash) or
execute arbitrary code via a crafted TIFF image to tiffcp.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3990
http://bugzilla.maptools.org/show_bug.cgi?id=2544
Patch from:
https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
.../libtiff/files/CVE-2016-3990.patch | 66 ++++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 +
2 files changed, 67 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
new file mode 100644
index 0000000..7bf52ee
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
@@ -0,0 +1,66 @@
+From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 20:49:48 +0000
+Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
+ PixarLogEncode if more input samples are provided than expected by
+ PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
+ simpler check. (bugzilla #2544)
+
+invalid tests that rejected valid files. (bugzilla #2545)
+
+CVE: CVE-2016-3990
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1
+
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ ChangeLog | 10 +++++++++-
+ libtiff/tif_pixarlog.c | 7 +++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
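Review bot: the commit message carries a stray line, `invalid tests that rejected valid files. (bugzilla #2545)`, which is the tail of the previous commit's (7c39352, CVE-2016-3945) description and cites the wrong bug number for this fix (the subject says #2544). It looks like a copy-and-paste slip when the upstream message was brought over; drop it so the backport's description matches the change it contains.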
+diff --git a/ChangeLog b/ChangeLog
+index 9c0ab29..db4ea18 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,10 +1,18 @@
+ 2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
++ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
++ if more input samples are provided than expected by PixarLogSetupEncode.
++ Idea based on libtiff-CVE-2016-3990.patch from
++ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
++ simpler check. (bugzilla #2544)
++
++2016-08-15 Even Rouault <even.rouault at spatialys.com>
++
+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
+ buffer, when -b mode is enabled, that could result in out-of-bounds
+ write. Based initially on patch tiff-CVE-2016-3945.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
+- invalid tests that rejected valid files.
++ invalid tests that rejected valid files. (bugzilla #2545)
+
+ 2016-07-11 Even Rouault <even.rouault at spatialys.com>
+
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index e78f788..28329d1 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ }
+
+ llen = sp->stride * td->td_imagewidth;
++ /* Check against the number of elements (of size uint16) of sp->tbuf */
++ if( n > td->td_rowsperstrip * llen )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Too many input bytes provided");
++ return 0;
++ }
+
+ for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
+ switch (sp->user_datafmt) {
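Review bot: the bound `td->td_rowsperstrip * llen` re-derives the capacity of `sp->tbuf` instead of using the size recorded when the buffer was allocated; the two only agree for as long as PixarLogSetupEncode keeps sizing `tbuf` from exactly these fields. If `llen` is an `int` (its declaration is outside this hunk), the product is also evaluated in 32-bit arithmetic and can itself wrap for large images, which would let the comparison against the `tmsize_t` `n` pass when it should fail. Storing the element count in the codec state at allocation time and comparing `n` against that is both simpler and immune to the arithmetic.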
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index b978528..dfb2996 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2016-5321.patch \
file://CVE-2016-5323.patch \
file://CVE-2016-3945.patch \
+ file://CVE-2016-3990.patch \
"
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
--
2.7.4
* [PATCH 3/5] tiff: Security fix CVE-2016-3991
2016-10-26 8:26 [PATCH 0/5] tiff: fix CVEs Yi Zhao
2016-10-26 8:26 ` [PATCH 1/5] tiff: Security fix CVE-2016-3945 Yi Zhao
2016-10-26 8:26 ` [PATCH 2/5] tiff: Security fix CVE-2016-3990 Yi Zhao
@ 2016-10-26 8:26 ` Yi Zhao
2016-10-26 8:26 ` [PATCH 4/5] tiff: Security fix CVE-2016-3623 Yi Zhao
2016-10-26 8:26 ` [PATCH 5/5] tiff: Security fix CVE-2016-3622 Yi Zhao
From: Yi Zhao @ 2016-10-26 8:26 UTC (permalink / raw)
To: openembedded-core
CVE-2016-3991 libtiff: Heap-based buffer overflow in the loadImage
function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote
attackers to cause a denial of service (out-of-bounds write) or execute
arbitrary code via a crafted TIFF image with zero tiles.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3991
http://bugzilla.maptools.org/show_bug.cgi?id=2543
Patch from:
https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
.../libtiff/files/CVE-2016-3991.patch | 147 +++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 +
2 files changed, 148 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
new file mode 100644
index 0000000..27dfd37
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
@@ -0,0 +1,147 @@
+From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 21:05:40 +0000
+Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in
+ loadImage(). From patch libtiff-CVE-2016-3991.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
+
+CVE: CVE-2016-3991
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba
+
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ ChangeLog | 6 ++++++
+ tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 62 insertions(+), 3 deletions(-)
+
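Review bot: the Subject keeps upstream's `[PATCH 2/2]` numbering, which is meaningless inside a single oe-core patch file and will mislead anyone grepping the series; strip it to `[PATCH]` as the other four patch files do.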
+diff --git a/ChangeLog b/ChangeLog
+index db4ea18..5d60608 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,5 +1,11 @@
+ 2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
++ * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
++ From patch libtiff-CVE-2016-3991.patch from
++ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
++
++2016-08-15 Even Rouault <even.rouault at spatialys.com>
++
+ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
+ if more input samples are provided than expected by PixarLogSetupEncode.
+ Idea based on libtiff-CVE-2016-3990.patch from
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 27abc0b..ddba7b9 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+ }
+
+ tile_buffsize = tilesize;
++ if (tilesize == 0 || tile_rowsize == 0)
++ {
++ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
++ exit(-1);
++ }
+
+ if (tilesize < (tsize_t)(tl * tile_rowsize))
+ {
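Review bot: readContigTilesIntoBuffer is a `static int` helper (see the hunk header), so `exit(-1)` here terminates the tool from inside a utility that otherwise reports failure through its return value; return 0 after the TIFFError so the caller can close its files and say which input failed. The zero test is correctly placed ahead of the division in the next block, but it reads better before `tile_buffsize = tilesize;` than after it.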
+@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+ tilesize, tl * tile_rowsize);
+ #endif
+ tile_buffsize = tl * tile_rowsize;
+- }
++ if (tl != (tile_buffsize / tile_rowsize))
++ {
++ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
++ exit(-1);
++ }
++ }
+
+ tilebuf = _TIFFmalloc(tile_buffsize);
+ if (tilebuf == 0)
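Review bot: the overflow guard sits inside the `if (tilesize < (tsize_t)(tl * tile_rowsize))` branch, but that condition has already evaluated the unchecked product. If `tl * tile_rowsize` wraps to a value below `tilesize`, the branch is not taken, the guard never runs and `tile_buffsize` keeps `tilesize`, so the overflow goes undetected. Compute the product once, check it, then compare, e.g. `tmp = tl * tile_rowsize; if (tl != tmp / tile_rowsize) { TIFFError(...); return 0; }` followed by `if (tilesize < (tsize_t)tmp) tile_buffsize = tmp;`.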
+@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
+ return 1;
+
++ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
++ {
++ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
++ exit(-1);
++ }
++
+ tile_buffsize = tilesize;
+ if (tilesize < (tsize_t)(tl * tile_rowsize))
+ {
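Review bot: this function reports failure with `return 1` three lines above (the `TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps)` case), so `exit(-1)` here contradicts its own contract and abandons the partly written output file without letting the caller close it; use `return 1` after the TIFFError. Checking `tl` and `tw` here is good, and the loadImage hunk later in this patch would benefit from the same `tl == 0` test.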
+@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ tilesize, tl * tile_rowsize);
+ #endif
+ tile_buffsize = tl * tile_rowsize;
++ if (tl != tile_buffsize / tile_rowsize)
++ {
++ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
+ }
+
+ tilebuf = _TIFFmalloc(tile_buffsize);
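Review bot: same ordering problem as in readContigTilesIntoBuffer: `tl * tile_rowsize` is compared against `tilesize` before it is checked, so a product that wraps to a small value skips both the enlargement and the guard. Hoist the checked multiplication above the `if`.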
+@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
+
+ tile_rowsize = TIFFTileRowSize(in);
++ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
++ {
++ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
++ exit(-1);
++ }
+ buffsize = tlsize * ntiles;
++ if (tlsize != (buffsize / ntiles))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
+
+-
+ if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
+ {
+ buffsize = ntiles * tl * tile_rowsize;
++ if (ntiles != (buffsize / tl / tile_rowsize))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
++
+ #ifdef DEBUG2
+ TIFFError("loadImage",
+ "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
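Review bot: `ntiles * tl * tile_rowsize` in the `if` is evaluated before the overflow guard that sits inside the branch, and `ntiles * tl` is a uint32 times uint32 product that wraps on its own before `tile_rowsize` widens it; a wrapped value below `buffsize` skips both the enlargement and the check. Also, the division `buffsize / tl / tile_rowsize` is only safe because a zero `tl` makes the product 0 and the condition false; adding `tl == 0` to the zero test just above (as writeBufferToContigTiles does) would make that explicit instead of accidental.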
+@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+ stsize = TIFFStripSize(in);
+ nstrips = TIFFNumberOfStrips(in);
++ if (nstrips == 0 || stsize == 0)
++ {
++ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
++ exit(-1);
++ }
++
+ buffsize = stsize * nstrips;
+-
++ if (stsize != (buffsize / nstrips))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
++ uint32 buffsize_check;
++ buffsize_check = ((length * width * spp * bps) + 7);
++ if (length != ((buffsize_check - 7) / width / spp / bps))
++ {
++ TIFFError("loadImage", "Integer overflow detected.");
++ exit(-1);
++ }
+ if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
+ {
+ buffsize = ((length * width * spp * bps) + 7) / 8;
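Review bot: three things in this hunk. The error text says "number of stipes or stripe size"; it should read "strips or strip size". `uint32 buffsize_check;` is declared after statements in the middle of the block, which older compilers and `-Wdeclaration-after-statement` flag; move it up with the other locals. And the new `length != ((buffsize_check - 7) / width / spp / bps)` test divides by `width`, `spp` and `bps` with no zero check, unlike the strip values a few lines earlier; if the directory reader lets a zero through for any of them, an overflow check turns into a divide-by-zero crash. The test itself is exact for the same reason as the others: truncation modulo 2^32 only shrinks the value, so the recomputed `length` matches only when nothing wrapped.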
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index dfb2996..713cf24 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2016-5323.patch \
file://CVE-2016-3945.patch \
file://CVE-2016-3990.patch \
+ file://CVE-2016-3991.patch \
"
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
--
2.7.4
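The overflow checks in PATCH 1/5 (tiff2rgba, CVE-2016-3945) and PATCH 3/5 (tiffcrop, CVE-2016-3991) rest on the same arithmetic: a uint32 product that wraps, and a division that recomputes one factor to detect the wrap. The C program below is an added example, not code from libtiff, from upstream's commits or from this series; it reduces that arithmetic to stand-alone helpers and feeds them constructed tag values so three behaviours can be compared: the unpatched size, the patched division check (including its false positive on a valid single-strip file whose RowsPerStrip is 0xFFFFFFFF, and the branch-order gap in the tiffcrop loadImage hunk), and a checked-multiply version that tests before it multiplies. Every function name and sample value is an assumption of the example.

```c
/*
 * Added example, not libtiff or oe-core code: the allocation arithmetic
 * behind CVE-2016-3945 (tiff2rgba cvt_by_strip) and CVE-2016-3991
 * (tiffcrop loadImage), reduced to stand-alone helpers.  Function names
 * and the tag values fed to them are constructed; "uint32" mirrors
 * libtiff's typedef.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t uint32;

/* 4.0.6 shape: width * rowsperstrip is uint32 * uint32 and wraps before
 * sizeof() widens anything; the caller still fills that many pixels. */
static uint32 strip_bytes_unpatched(uint32 width, uint32 rowsperstrip)
{
    return (uint32)(width * rowsperstrip * sizeof(uint32));
}

/* Shape of the 7c39352 fix: recompute by division.  Reduction modulo 2^32
 * can only shrink the stored value, so (size / rows) / 4 == width holds
 * exactly when nothing wrapped.  The patch leaves rowsperstrip != 0 to the
 * directory reader; here the guard is explicit.  0 means "reject". */
static uint32 strip_bytes_divcheck(uint32 width, uint32 rowsperstrip)
{
    uint32 rastersize = (uint32)(width * rowsperstrip * sizeof(uint32));
    if (rowsperstrip == 0 || width != (rastersize / rowsperstrip) / sizeof(uint32))
        return 0;
    return rastersize;
}

/* General form: test before multiplying, in a width no intermediate can
 * exceed.  A real caller still compares the result with the allocator's
 * limit (SIZE_MAX, or libtiff's tmsize_t range) before calling it. */
static bool mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Strip sizing that first clamps the common "whole image in one strip"
 * encoding (RowsPerStrip = 0xFFFFFFFF) to the rows the image has, so a
 * valid file is not refused, then multiplies under a check.  0 = reject. */
static uint64_t strip_bytes_hardened(uint32 width, uint32 height, uint32 rowsperstrip)
{
    uint64_t px, bytes;
    uint32 rows = rowsperstrip > height ? height : rowsperstrip;
    if (width == 0 || rows == 0 || !mul_u64_checked(width, rows, &px) ||
        !mul_u64_checked(px, sizeof(uint32), &bytes))
        return 0;
    return bytes;
}

/* Control flow of the e596d4e loadImage hunk, kept in uint32 so a 64-bit
 * host behaves like a 32-bit build: the guard sits inside the branch, but
 * the branch condition has already used the unchecked product.  Returns
 * the buffer size the code would continue with, 0 if a guard fired. */
static uint32 tile_buffsize_branch_order(uint32 ntiles, uint32 tl,
                                         uint32 tile_rowsize, uint32 tlsize)
{
    uint32 buffsize;
    if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
        return 0;
    buffsize = tlsize * ntiles;
    if (tlsize != buffsize / ntiles)
        return 0;
    if (buffsize < ntiles * tl * tile_rowsize) {   /* product may have wrapped */
        buffsize = ntiles * tl * tile_rowsize;
        if (ntiles != buffsize / tl / tile_rowsize) /* skipped if wrap went small */
            return 0;
    }
    return buffsize;
}

/* Same decision with every product checked before it is compared.  0 = reject. */
static uint64_t tile_buffsize_checked(uint32 ntiles, uint32 tl,
                                      uint64_t tile_rowsize, uint64_t tlsize)
{
    uint64_t by_tiles, by_rows;
    if (ntiles == 0 || tl == 0 || tile_rowsize == 0 || tlsize == 0 ||
        !mul_u64_checked(tlsize, ntiles, &by_tiles) ||
        !mul_u64_checked((uint64_t)ntiles * tl, tile_rowsize, &by_rows))
        return 0;                      /* 32x32-bit product cannot overflow u64 */
    return by_tiles < by_rows ? by_rows : by_tiles;
}

int main(void)
{
    printf("unpatched 2^30x1: %u  divcheck single-strip 640: %u  hardened: %llu\n",
           strip_bytes_unpatched(0x40000000u, 1), strip_bytes_divcheck(640, 0xFFFFFFFFu),
           (unsigned long long)strip_bytes_hardened(640, 480, 0xFFFFFFFFu));
    printf("tiles: branch order %u vs checked %llu\n",
           tile_buffsize_branch_order(0x10000u, 0x10000u, 1, 8),
           (unsigned long long)tile_buffsize_checked(0x10000u, 0x10000u, 1, 8));
    return 0;
}
```

Saved as, say, sizes.c it builds with `cc -Wall -o sizes sizes.c`. The two lines worth staring at are `tile_buffsize_branch_order`, which returns 524288 for a 65536 x 65536-tile layout because `ntiles * tl` wrapped to 0 inside the `if` and the guard was never reached, and `strip_bytes_hardened`, which clamps RowsPerStrip to the image height before multiplying, which is why the single-strip file that `strip_bytes_divcheck` refuses comes back as 1228800 bytes.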
* [PATCH 4/5] tiff: Security fix CVE-2016-3623
2016-10-26 8:26 [PATCH 0/5] tiff: fix CVEs Yi Zhao
2016-10-26 8:26 ` [PATCH 3/5] tiff: Security fix CVE-2016-3991 Yi Zhao
@ 2016-10-26 8:26 ` Yi Zhao
2016-10-26 8:26 ` [PATCH 5/5] tiff: Security fix CVE-2016-3622 Yi Zhao
From: Yi Zhao @ 2016-10-26 8:26 UTC (permalink / raw)
To: openembedded-core
CVE-2016-3623 libtiff: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier
allows remote attackers to cause a denial of service (divide-by-zero) by
setting the (1) v or (2) h parameter to 0.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623
http://bugzilla.maptools.org/show_bug.cgi?id=2569
Patch from:
https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
.../libtiff/files/CVE-2016-3623.patch | 52 ++++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 +
2 files changed, 53 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
new file mode 100644
index 0000000..f554ac5
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
@@ -0,0 +1,52 @@
+From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 15 Aug 2016 21:26:56 +0000
+Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters
+ to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
+
+CVE: CVE-2016-3623
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
+
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ ChangeLog | 5 +++++
+ tools/rgb2ycbcr.c | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index 5d60608..3e6642a 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,5 +1,10 @@
+ 2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
++ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
++ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
++
++2016-08-15 Even Rouault <even.rouault at spatialys.com>
++
+ * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
+ From patch libtiff-CVE-2016-3991.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
+diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c
+index 3829d6b..51f4259 100644
+--- a/tools/rgb2ycbcr.c
++++ b/tools/rgb2ycbcr.c
+@@ -95,9 +95,13 @@ main(int argc, char* argv[])
+ break;
+ case 'h':
+ horizSubSampling = atoi(optarg);
++ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
++ usage(-1);
+ break;
+ case 'v':
+ vertSubSampling = atoi(optarg);
++ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
++ usage(-1);
+ break;
+ case 'r':
+ rowsperstrip = atoi(optarg);
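Review bot: restricting `-h`/`-v` to {1, 2, 4} fixes the divide-by-zero and also covers `atoi` returning 0 on non-numeric input. The identical `rowsperstrip = atoi(optarg)` for `-r` two lines below still accepts any value, including 0 and negatives, and is the same class of bug; it is cheap to validate in the same patch, or at least to note as a follow-up.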
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 713cf24..466dfbb 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2016-3945.patch \
file://CVE-2016-3990.patch \
file://CVE-2016-3991.patch \
+ file://CVE-2016-3623.patch \
"
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
--
2.7.4
* [PATCH 5/5] tiff: Security fix CVE-2016-3622
2016-10-26 8:26 [PATCH 0/5] tiff: fix CVEs Yi Zhao
2016-10-26 8:26 ` [PATCH 4/5] tiff: Security fix CVE-2016-3623 Yi Zhao
@ 2016-10-26 8:26 ` Yi Zhao
From: Yi Zhao @ 2016-10-26 8:26 UTC (permalink / raw)
To: openembedded-core
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the
tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (divide-by-zero error) via a crafted TIFF
image.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622
http://www.openwall.com/lists/oss-security/2016/04/07/4
Patch from:
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
.../libtiff/files/CVE-2016-3622.patch | 129 +++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 +
2 files changed, 130 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
new file mode 100644
index 0000000..0c8b716
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
@@ -0,0 +1,129 @@
+From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
+From: bfriesen <bfriesen>
+Date: Sat, 24 Sep 2016 23:11:55 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
+ to read floating point images.
+
+* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+requirements of floating point predictor (3). Fixes CVE-2016-3622
+"Divide By Zero in the tiff2rgba tool."
+
+CVE: CVE-2016-3622
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
+
+Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
+---
+ ChangeLog | 11 ++++++++++-
+ libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
+ libtiff/tif_predict.c | 11 ++++++++++-
+ 3 files changed, 40 insertions(+), 20 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 26d6f47..a628277 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
++
++ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
++ read floating point images.
++
++ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
++ requirements of floating point predictor (3). Fixes CVE-2016-3622
++ "Divide By Zero in the tiff2rgba tool."
++
+ 2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 386cee0..3e689ee 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ td->td_bitspersample);
+ return (0);
+ }
++ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
++ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
++ return (0);
++ }
+ colorchannels = td->td_samplesperpixel - td->td_extrasamples;
+ if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
+ switch (colorchannels) {
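Review bot: this is broader than the CVE: every image with SampleFormat = IEEEFP is now refused by TIFFRGBAImageOK, including 16-bit float files that pass the bits-per-sample test immediately above and were previously accepted by this function. That is a visible behaviour change for every TIFFReadRGBAImage user, not only tiff2rgba, and deserves a sentence in the commit message and the ChangeLog entry. The `sprintf` into `emsg` with a constant string is safe and matches the surrounding code.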
+@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
+- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+- {
+- sprintf(emsg,
+- "Sorry, can not handle image with %s=%d, %s=%d",
+- "Samples/pixel", td->td_samplesperpixel,
+- "colorchannels", colorchannels);
+- return 0;
+- }
++ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels);
++ return 0;
++ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+- {
+- sprintf(emsg,
+- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+- "Samples/pixel", td->td_samplesperpixel,
+- "colorchannels", colorchannels,
+- "Bits/sample", td->td_bitspersample);
+- return 0;
+- }
++ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels,
++ "Bits/sample", td->td_bitspersample);
++ return 0;
++ }
+ break;
+- default:
++ default:
+ sprintf(emsg, "Sorry, can not handle image with %s=%d",
+ photoTag, photometric);
+ return (0);
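Review bot: this hunk only re-indents the RGB and CIELAB branches and the `default:` label; there is no logic change. Whitespace churn inside a CVE backport makes the security-relevant change harder to audit and the patch harder to rebase onto 4.0.6; drop these lines from the backport and keep only the IEEEFP check.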
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index 081eb11..555f2f9 100644
+--- a/libtiff/tif_predict.c
++++ b/libtiff/tif_predict.c
+@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
+ td->td_sampleformat);
+ return 0;
+ }
++ if (td->td_bitspersample != 16
++ && td->td_bitspersample != 24
++ && td->td_bitspersample != 32
++ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Floating point \"Predictor\" not supported with %d-bit samples",
++ td->td_bitspersample);
++ return 0;
++ }
+ break;
+ default:
+ TIFFErrorExt(tif->tif_clientdata, module,
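Review bot: the inline `/* Should 64 be allowed? */` leaves the accepted sample widths undecided inside a security fix; either settle it (64-bit doubles are a legal TIFF sample size and, as I read the spec, the floating-point predictor is defined byte-wise, so there is no obvious reason to exclude them) or move the question to the commit message. Otherwise PredictorSetup is the right place for the whitelist: going by the CVE text, it is an unsupported sample width reaching fpAcc that produced the divide-by-zero, and rejecting it here stops any codec from getting there.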
+@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
+ }
+ /*
+ * Allocate buffer to keep the decoded bytes before
+- * rearranging in the ight order
++ * rearranging in the right order
+ */
+ }
+
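Review bot: the comment typo fix ("ight" to "right") is unrelated to CVE-2016-3622 and, like the whitespace hunk in tif_getimage.c, only adds churn to the backport; harmless, but it belongs in a separate cleanup commit.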
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 466dfbb..796d86e 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2016-3990.patch \
file://CVE-2016-3991.patch \
file://CVE-2016-3623.patch \
+ file://CVE-2016-3622.patch \
"
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
--
2.7.4
* Re: [PATCH 1/5] tiff: Security fix CVE-2016-3945
2016-10-26 8:26 ` [PATCH 1/5] tiff: Security fix CVE-2016-3945 Yi Zhao
@ 2016-10-26 9:09 ` Jussi Kukkonen
2016-10-27 9:41 ` Yi Zhao
From: Jussi Kukkonen @ 2016-10-26 9:09 UTC (permalink / raw)
To: Yi Zhao; +Cc: Patches and discussions about the oe-core layer
On 26 October 2016 at 11:26, Yi Zhao <yi.zhao@windriver.com> wrote:
> CVE-2016-3945 libtiff: Multiple integer overflows in the (1)
> cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in
> LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote
> attackers to cause a denial of service (crash) or execute arbitrary code
> via a crafted TIFF image, which triggers an out-of-bounds write.
>
> External References:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3945
> http://bugzilla.maptools.org/show_bug.cgi?id=2545
>
> Patch from:
> https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
>
> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ---
> .../libtiff/files/CVE-2016-3945.patch | 118 +++++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 +
> 2 files changed, 119 insertions(+)
> create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
>
> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
> b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
> new file mode 100644
> index 0000000..4d965be
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
> @@ -0,0 +1,118 @@
> +From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
> +From: erouault <erouault>
> +Date: Mon, 15 Aug 2016 20:06:40 +0000
> +Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
> + allocated buffer, when -b mode is enabled, that could result in
> out-of-bounds
> + write. Based initially on patch tiff-CVE-2016-3945.patch from
> + libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
> invalid
> + tests that rejected valid files.
> +
> +CVE: CVE-2016-3945
> +Upstream-Status: Backport
> +https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
>
It would be appropriate to point out that this is not the real upstream,
just a nameless github user who maintains a git mirror of the libtiff
repository. It's probably a reasonable choice -- the current libtiff
situation with no real homepage, no real tarball hosting and a half-hidden
cvs server for source control is pretty sad -- but should still be openly
mentioned.
Jussi
> +
> +Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
> +---
> + ChangeLog | 8 ++++++++
> + tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
> + 2 files changed, 38 insertions(+), 4 deletions(-)
> +
> +diff --git a/ChangeLog b/ChangeLog
> +index 62dc1b5..9c0ab29 100644
> +--- a/ChangeLog
> ++++ b/ChangeLog
> +@@ -1,3 +1,11 @@
> ++2016-08-15 Even Rouault <even.rouault at spatialys.com>
> ++
> ++ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
> ++ buffer, when -b mode is enabled, that could result in out-of-bounds
> ++ write. Based initially on patch tiff-CVE-2016-3945.patch from
> ++ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
> ++ invalid tests that rejected valid files.
> ++
> + 2016-07-11 Even Rouault <even.rouault at spatialys.com>
> +
> + * tools/tiffcrop.c: Avoid access outside of stack allocated array
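Review bot: The ChangeLog hunk's only context is the 2016-07-11 tiffcrop.c entry, which is not in the ChangeLog shipped with the tiff 4.0.6 tarball; it will apply only if one of the earlier CVE patches in SRC_URI already added that entry. Check the do_patch log for fuzz or offset warnings on ChangeLog, and if the hunk does not apply cleanly drop it from the backport, since it carries no code and the CVE/Upstream-Status header already records the provenance.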
> +diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
> +index b7a81eb..16e3dc4 100644
> +--- a/tools/tiff2rgba.c
> ++++ b/tools/tiff2rgba.c
> +@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
> + uint32 row, col;
> + uint32 *wrk_line;
> + int ok = 1;
> ++ uint32 rastersize, wrk_linesize;
> +
> + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
> + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
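Review bot: `rastersize` and `wrk_linesize` are declared uint32, but the values assigned to them later are computed as size_t (the `* sizeof (uint32)` factor promotes the product) and are passed to _TIFFmalloc, which takes tmsize_t. The divide-back checks that follow only work because the size_t product is narrowed to uint32 on assignment and the division then fails to reproduce tile_width. Declaring both as tmsize_t and checking the factors against the maximum before multiplying (a range check on tile_width and tile_height rather than a divide-back, which this patch does not do) would avoid relying on that narrowing and would keep working if the field types ever widen.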
> +@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
> + /*
> + * Allocate tile buffer
> + */
> +- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof
> (uint32));
> ++ rastersize = tile_width * tile_height * sizeof (uint32);
> ++ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
> ++ {
> ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating
> raster buffer");
> ++ exit(-1);
> ++ }
> ++ raster = (uint32*)_TIFFmalloc(rastersize);
> + if (raster == 0) {
> + TIFFError(TIFFFileName(in), "No space for raster buffer");
> + return (0);
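Review bot: The new check divides by tile_height, so a zero TIFFTAG_TILELENGTH would trade the overflow for a division by zero unless libtiff is guaranteed to reject zero tile dimensions before cvt_by_tile is reached; if that guarantee does not hold for 4.0.6, guard `tile_height == 0` before the division. Separately, the overflow branch calls `exit(-1)` (exit status 255) while the allocation failure two lines below does `TIFFError(...); return (0);`; returning 0 here would be consistent with the existing error path and lets the caller report the failure the same way.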
> +@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
> + * Allocate a scanline buffer for swapping during the vertical
> + * mirroring pass.
> + */
> +- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
> ++ wrk_linesize = tile_width * sizeof (uint32);
> ++ if (tile_width != wrk_linesize / sizeof (uint32))
> ++ {
> ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating
> wrk_line buffer");
> ++ exit(-1);
> ++ }
> ++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
> + if (!wrk_line) {
> + TIFFError(TIFFFileName(in), "No space for raster scanline
> buffer");
> + ok = 0;
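Review bot: The wrk_line overflow branch exits the process, but the adjacent `if (!wrk_line)` path sets `ok = 0` so that cvt_by_tile falls through to free `raster` and return; `exit(-1)` skips that cleanup and leaves the partially written output TIFF unflushed. Setting `ok = 0` and falling through, as the allocation-failure branch does, keeps the error handling in this function uniform. The same applies to the cvt_by_strip hunks further down, which duplicate these two checks verbatim.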
> +@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
> + uint32 row;
> + uint32 *wrk_line;
> + int ok = 1;
> ++ uint32 rastersize, wrk_linesize;
> +
> + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
> + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
> +@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
> + /*
> + * Allocate strip buffer
> + */
> +- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof
> (uint32));
> ++ rastersize = width * rowsperstrip * sizeof (uint32);
> ++ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
> ++ {
> ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating
> raster buffer");
> ++ exit(-1);
> ++ }
> ++ raster = (uint32*)_TIFFmalloc(rastersize);
> + if (raster == 0) {
> + TIFFError(TIFFFileName(in), "No space for raster buffer");
> + return (0);
> +@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
> + * Allocate a scanline buffer for swapping during the vertical
> + * mirroring pass.
> + */
> +- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
> ++ wrk_linesize = width * sizeof (uint32);
> ++ if (width != wrk_linesize / sizeof (uint32))
> ++ {
> ++ TIFFError(TIFFFileName(in), "Integer overflow when calculating
> wrk_line buffer");
> ++ exit(-1);
> ++ }
> ++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
> + if (!wrk_line) {
> + TIFFError(TIFFFileName(in), "No space for raster scanline
> buffer");
> + ok = 0;
> +--
> +2.7.4
> +
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
> b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
> index 8147bc4..b978528 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
> @@ -10,6 +10,7 @@ SRC_URI = "http://download.osgeo.org/
> libtiff/tiff-${PV}.tar.gz \
> file://CVE-2016-3186.patch \
> file://CVE-2016-5321.patch \
> file://CVE-2016-5323.patch \
> + file://CVE-2016-3945.patch \
> "
>
> SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
> --
> 2.7.4
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
* Re: [PATCH 1/5] tiff: Security fix CVE-2016-3945
2016-10-26 9:09 ` Jussi Kukkonen
@ 2016-10-27 9:41 ` Yi Zhao
0 siblings, 0 replies; 8+ messages in thread
From: Yi Zhao @ 2016-10-27 9:41 UTC (permalink / raw)
To: Jussi Kukkonen; +Cc: Patches and discussions about the oe-core layer
Hi Jussi,
On 26 October 2016 at 17:09, Jussi Kukkonen wrote:
> On 26 October 2016 at 11:26, Yi Zhao <yi.zhao@windriver.com
> <mailto:yi.zhao@windriver.com>> wrote:
>
> CVE-2016-3945 libtiff: Multiple integer overflows in the (1)
> cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in
> LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote
> attackers to cause a denial of service (crash) or execute
> arbitrary code
> via a crafted TIFF image, which triggers an out-of-bounds write.
>
> External References:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3945
> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3945>
> http://bugzilla.maptools.org/show_bug.cgi?id=2545
> <http://bugzilla.maptools.org/show_bug.cgi?id=2545>
>
> Patch from:
> https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
> <https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6>
>
> Signed-off-by: Yi Zhao <yi.zhao@windriver.com
> <mailto:yi.zhao@windriver.com>>
> ---
> .../libtiff/files/CVE-2016-3945.patch | 118
> +++++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
> <http://tiff_4.0.6.bb> | 1 +
> 2 files changed, 119 insertions(+)
> create mode 100644
> meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
>
> diff --git
> a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
> b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
> new file mode 100644
> index 0000000..4d965be
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
> @@ -0,0 +1,118 @@
> +From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00
> 2001
> +From: erouault <erouault>
> +Date: Mon, 15 Aug 2016 20:06:40 +0000
> +Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
> + allocated buffer, when -b mode is enabled, that could result in
> out-of-bounds
> + write. Based initially on patch tiff-CVE-2016-3945.patch from
> + libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction
> for invalid
> + tests that rejected valid files.
> +
> +CVE: CVE-2016-3945
> +Upstream-Status: Backport
> +https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
> <https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6>
>
>
> It would be appropriate to point out that this is not the real
> upstream, just a nameless github user who maintains a git mirror of
> the libtiff repository. It's probably a reasonable choice -- the
> current libtiff situation with no real homepage, no real tarball
> hosting and a half-hidden cvs server for source control is pretty sad
> -- but should still be openly mentioned.
Thank you for your suggestion. This GitHub repository is a mirror of the libtiff CVS
repository at cvs.maptools.org. If the CVS repository is official, it is
better to take the patches from it.
Yi
>
> Jussi
>