* [dora][PATCH 0/2] Two CVE patches
From: Mark Hatle @ 2013-11-21 7:05 UTC
To: openembedded-core

Ming Liu (2):
  libtiff: fix CVE-2013-1960
  gst-ffmpeg: fix CVE-2013-3674

 .../gst-ffmpeg-CVE-2013-3674.patch            |  26 ++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb           |   3 +-
 .../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.3.bb |   3 +-
 4 files changed, 181 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-3674.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch

-- 
1.8.1.2.545.g2f19ada
* [dora][PATCH 1/2] libtiff: fix CVE-2013-1960
From: Mark Hatle @ 2013-11-21 7:05 UTC
To: openembedded-core

From: Ming Liu <ming.liu@windriver.com>

Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted TIFF image
file.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960

Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
---
 .../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.3.bb |   3 +-
 2 files changed, 153 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch

diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
new file mode 100644
index 0000000..e4348f1
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
@@ -0,0 +1,151 @@ +This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch + +Upstream-Status: Pending + +Signed-off-by: Ming Liu <ming.liu@windriver.com> + +diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c +--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 ++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400 +@@ -3341,33 +3341,56 @@ + uint32 height){ + + tsize_t i=0; +- uint16 ri =0; +- uint16 v_samp=1; +- uint16 h_samp=1; +- int j=0; +- +- i++; +- +- while(i<(*striplength)){ ++ ++ while (i < *striplength) { ++ tsize_t datalen; ++ uint16 ri; ++ uint16 v_samp; ++ uint16 h_samp; ++ int j; ++ int ncomp; ++ ++ /* marker header: one or more FFs */ ++ if (strip[i] != 0xff) ++ return(0); ++ i++; ++ while (i < *striplength && strip[i] == 0xff) ++ i++; ++ if (i >= *striplength) ++ return(0); ++ /* SOI is the only pre-SOS marker without a length word */ ++ if (strip[i] == 0xd8) ++ datalen = 0; ++ else { ++ if ((*striplength - i) <= 2) ++ return(0); ++ datalen = (strip[i+1] << 8) | strip[i+2]; ++ if (datalen < 2 || datalen >= (*striplength - i)) ++ return(0); ++ } + switch( strip[i] ){ +- case 0xd8: +- /* SOI - start of image */ ++ case 0xd8: /* SOI - start of image */ + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); + *bufferoffset+=2; +- i+=2; + break; +- case 0xc0: +- case 0xc1: +- case 0xc3: +- case 0xc9: +- case 0xca: ++ case 0xc0: /* SOF0 */ ++ case 0xc1: /* SOF1 */ ++ case 0xc3: /* SOF3 */ ++ case 0xc9: /* SOF9 */ ++ case 0xca: /* SOF10 */ + if(no==0){ +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- for(j=0;j<buffer[*bufferoffset+9];j++){ +- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) +- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); +- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) +- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ ncomp = buffer[*bufferoffset+9]; ++ if (ncomp < 1 || 
ncomp > 4) ++ return(0); ++ v_samp=1; ++ h_samp=1; ++ for(j=0;j<ncomp;j++){ ++ uint16 samp = buffer[*bufferoffset+11+(3*j)]; ++ if( (samp>>4) > h_samp) ++ h_samp = (samp>>4); ++ if( (samp & 0x0f) > v_samp) ++ v_samp = (samp & 0x0f); + } + v_samp*=8; + h_samp*=8; +@@ -3381,45 +3404,43 @@ + (unsigned char) ((height>>8) & 0xff); + buffer[*bufferoffset+6]= + (unsigned char) (height & 0xff); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; +- ++ *bufferoffset+=datalen+2; ++ /* insert a DRI marker */ + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]=0xdd; + buffer[(*bufferoffset)++]=0x00; + buffer[(*bufferoffset)++]=0x04; + buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; + buffer[(*bufferoffset)++]= ri & 0xff; +- } else { +- i+=strip[i+2]+2; + } + break; +- case 0xc4: +- case 0xdb: +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; ++ case 0xc4: /* DHT */ ++ case 0xdb: /* DQT */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ *bufferoffset+=datalen+2; + break; +- case 0xda: ++ case 0xda: /* SOS */ + if(no==0){ +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); +- *bufferoffset+=strip[i+2]+2; +- i+=strip[i+2]+2; ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); ++ *bufferoffset+=datalen+2; + } else { + buffer[(*bufferoffset)++]=0xff; + buffer[(*bufferoffset)++]= + (unsigned char)(0xd0 | ((no-1)%8)); +- i+=strip[i+2]+2; + } +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); +- *bufferoffset+=(*striplength)-i-1; ++ i += datalen + 1; ++ /* copy remainder of strip */ ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); ++ *bufferoffset+= *striplength - i; + return(1); + default: +- i+=strip[i+2]+2; ++ /* ignore any other marker */ ++ break; + } ++ i += datalen + 1; + } +- + ++ /* failed to find SOS marker */ + return(0); + } + #endif 
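Review bot: in the tiff2pdf.c @@ -3341 hunk, `ri` is moved into the loop as `uint16 ri;` with no initializer, while the removed `uint16 ri =0;` was its only assignment; the SOF case still emits `(ri >> 8) & 0xff` and `ri & 0xff` into the inserted DRI marker, so the restart interval now comes from an indeterminate stack value. Keep `uint16 ri = 0;` (or move the DRI emission to where ri is actually known). Second, the only length floor before the SOF case is the generic `datalen < 2`, yet that case then reads `buffer[*bufferoffset+9]` for ncomp and `buffer[*bufferoffset+11+(3*j)]` for the sampling factors, and patches height at offsets +5/+6; for a short SOF segment those offsets lie beyond the `datalen+2` bytes just copied, so the SOF case should reject `datalen < 8 + 3*ncomp` (a SOF length word is 8 plus 3 bytes per component) before trusting them. Third, every read from `strip` is now bounded, but nothing in the hunk bounds the writes through `*bufferoffset`, and the SOF case adds six DRI bytes beyond what was read; the patch header should state what capacity the caller guarantees for `buffer`. Minor: the header says `Upstream-Status: Pending` for a patch taken from the Fedora package; if it has been sent to libtiff it should be `Submitted` with a link, otherwise a pointer to the upstream bug would help track it.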
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb index 256e75e..8e450df 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb @@ -6,7 +6,8 @@ DEPENDS = "zlib jpeg xz" PR = "r0" SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ - file://libtool2.patch" + file://libtool2.patch \ + file://libtiff-CVE-2013-1960.patch" SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 6+ messages in thread
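Review bot: the tiff_4.0.3.bb hunk adds `file://libtiff-CVE-2013-1960.patch` to SRC_URI but leaves `PR = "r0"` as is, whereas 2/2 in this same series bumps gst-ffmpeg's PR from r7 to r8 for the same kind of change; pick one convention for the series (bump both, or rely on the PR service for both) so the two recipes are rebuilt and versioned the same way.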
* Re: [dora][PATCH 1/2] libtiff: fix CVE-2013-1960
From: Saul Wold @ 2013-11-22 18:43 UTC
To: Mark Hatle, openembedded-core

On 11/20/2013 11:05 PM, Mark Hatle wrote:
> From: Ming Liu <ming.liu@windriver.com>
>
> Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
> in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
> service (crash) and possibly execute arbitrary code via a crafted TIFF image
> file.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
>
> Signed-off-by: Ming Liu <ming.liu@windriver.com>
> Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
> ---
>  .../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
>  meta/recipes-multimedia/libtiff/tiff_4.0.3.bb |   3 +-
>  2 files changed, 153 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>

For some reason this patch is not applying cleanly.

Sau!

> diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
> new file mode 100644
> index 0000000..e4348f1
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
> @@ -0,0 +1,151 @@ > +This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch > + > +Upstream-Status: Pending > + > +Signed-off-by: Ming Liu <ming.liu@windriver.com> > + > +diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c > +--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 > ++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400 > +@@ -3341,33 +3341,56 @@ > + uint32 height){ > + > + tsize_t i=0; > +- uint16 ri =0; > +- uint16 v_samp=1; > +- uint16 h_samp=1; > +- int j=0; > +- > +- i++; > +- > +- while(i<(*striplength)){ > ++ > ++ while (i < *striplength) { > ++ tsize_t datalen; > ++ uint16 ri; > ++ uint16 v_samp; > ++ uint16 h_samp; > ++ int j; > ++ int ncomp; > ++ > ++ /* marker header: one or more FFs */ > ++ if (strip[i] != 0xff) > ++ return(0); > ++ i++; > ++ while (i < *striplength && strip[i] == 0xff) > ++ i++; > ++ if (i >= *striplength) > ++ return(0); > ++ /* SOI is the only pre-SOS marker without a length word */ > ++ if (strip[i] == 0xd8) > ++ datalen = 0; > ++ else { > ++ if ((*striplength - i) <= 2) > ++ return(0); > ++ datalen = (strip[i+1] << 8) | strip[i+2]; > ++ if (datalen < 2 || datalen >= (*striplength - i)) > ++ return(0); > ++ } > + switch( strip[i] ){ > +- case 0xd8: > +- /* SOI - start of image */ > ++ case 0xd8: /* SOI - start of image */ > + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); > + *bufferoffset+=2; > +- i+=2; > + break; > +- case 0xc0: > +- case 0xc1: > +- case 0xc3: > +- case 0xc9: > +- case 0xca: > ++ case 0xc0: /* SOF0 */ > ++ case 0xc1: /* SOF1 */ > ++ case 0xc3: /* SOF3 */ > ++ case 0xc9: /* SOF9 */ > ++ case 0xca: /* SOF10 */ > + if(no==0){ > +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); > +- for(j=0;j<buffer[*bufferoffset+9];j++){ > +- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) > +- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); > +- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) > +- v_samp = 
(buffer[*bufferoffset+11+(2*j)] & 0x0f); > ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); > ++ ncomp = buffer[*bufferoffset+9]; > ++ if (ncomp < 1 || ncomp > 4) > ++ return(0); > ++ v_samp=1; > ++ h_samp=1; > ++ for(j=0;j<ncomp;j++){ > ++ uint16 samp = buffer[*bufferoffset+11+(3*j)]; > ++ if( (samp>>4) > h_samp) > ++ h_samp = (samp>>4); > ++ if( (samp & 0x0f) > v_samp) > ++ v_samp = (samp & 0x0f); > + } > + v_samp*=8; > + h_samp*=8; > +@@ -3381,45 +3404,43 @@ > + (unsigned char) ((height>>8) & 0xff); > + buffer[*bufferoffset+6]= > + (unsigned char) (height & 0xff); > +- *bufferoffset+=strip[i+2]+2; > +- i+=strip[i+2]+2; > +- > ++ *bufferoffset+=datalen+2; > ++ /* insert a DRI marker */ > + buffer[(*bufferoffset)++]=0xff; > + buffer[(*bufferoffset)++]=0xdd; > + buffer[(*bufferoffset)++]=0x00; > + buffer[(*bufferoffset)++]=0x04; > + buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; > + buffer[(*bufferoffset)++]= ri & 0xff; > +- } else { > +- i+=strip[i+2]+2; > + } > + break; > +- case 0xc4: > +- case 0xdb: > +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); > +- *bufferoffset+=strip[i+2]+2; > +- i+=strip[i+2]+2; > ++ case 0xc4: /* DHT */ > ++ case 0xdb: /* DQT */ > ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); > ++ *bufferoffset+=datalen+2; > + break; > +- case 0xda: > ++ case 0xda: /* SOS */ > + if(no==0){ > +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); > +- *bufferoffset+=strip[i+2]+2; > +- i+=strip[i+2]+2; > ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); > ++ *bufferoffset+=datalen+2; > + } else { > + buffer[(*bufferoffset)++]=0xff; > + buffer[(*bufferoffset)++]= > + (unsigned char)(0xd0 | ((no-1)%8)); > +- i+=strip[i+2]+2; > + } > +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); > +- *bufferoffset+=(*striplength)-i-1; > ++ i += datalen + 1; > ++ /* copy remainder of strip */ > ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), 
*striplength - i); > ++ *bufferoffset+= *striplength - i; > + return(1); > + default: > +- i+=strip[i+2]+2; > ++ /* ignore any other marker */ > ++ break; > + } > ++ i += datalen + 1; > + } > +- > + > ++ /* failed to find SOS marker */ > + return(0); > + } > + #endif > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb > index 256e75e..8e450df 100644 > --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb > +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb > @@ -6,7 +6,8 @@ DEPENDS = "zlib jpeg xz" > PR = "r0" > > SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ > - file://libtool2.patch" > + file://libtool2.patch \ > + file://libtiff-CVE-2013-1960.patch" > > SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" > SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dora][PATCH 1/2] libtiff: fix CVE-2013-1960
From: Mark Hatle @ 2013-12-05 20:51 UTC
To: Saul Wold, openembedded-core

On 11/22/13, 12:43 PM, Saul Wold wrote:
> On 11/20/2013 11:05 PM, Mark Hatle wrote:
>> From: Ming Liu <ming.liu@windriver.com>
>>
>> Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
>> in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
>> service (crash) and possibly execute arbitrary code via a crafted TIFF image
>> file.
>>
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
>>
>> Signed-off-by: Ming Liu <ming.liu@windriver.com>
>> Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
>> ---
>>  .../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
>>  meta/recipes-multimedia/libtiff/tiff_4.0.3.bb |   3 +-
>>  2 files changed, 153 insertions(+), 1 deletion(-)
>>  create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>>
>
> For some reason this patch is not applying cleanly.

It applies to dora. I just retried it using the latest version. (Note, it does NOT apply to master.)

I don't know if it's needed for master.

--Mark

> Sau!
>
>> diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>> new file mode 100644
>> index 0000000..e4348f1
>> --- /dev/null
>> +++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>> @@ -0,0 +1,151 @@ >> +This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch >> + >> +Upstream-Status: Pending >> + >> +Signed-off-by: Ming Liu <ming.liu@windriver.com> >> + >> +diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c >> +--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 >> ++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400 >> +@@ -3341,33 +3341,56 @@ >> + uint32 height){ >> + >> + tsize_t i=0; >> +- uint16 ri =0; >> +- uint16 v_samp=1; >> +- uint16 h_samp=1; >> +- int j=0; >> +- >> +- i++; >> +- >> +- while(i<(*striplength)){ >> ++ >> ++ while (i < *striplength) { >> ++ tsize_t datalen; >> ++ uint16 ri; >> ++ uint16 v_samp; >> ++ uint16 h_samp; >> ++ int j; >> ++ int ncomp; >> ++ >> ++ /* marker header: one or more FFs */ >> ++ if (strip[i] != 0xff) >> ++ return(0); >> ++ i++; >> ++ while (i < *striplength && strip[i] == 0xff) >> ++ i++; >> ++ if (i >= *striplength) >> ++ return(0); >> ++ /* SOI is the only pre-SOS marker without a length word */ >> ++ if (strip[i] == 0xd8) >> ++ datalen = 0; >> ++ else { >> ++ if ((*striplength - i) <= 2) >> ++ return(0); >> ++ datalen = (strip[i+1] << 8) | strip[i+2]; >> ++ if (datalen < 2 || datalen >= (*striplength - i)) >> ++ return(0); >> ++ } >> + switch( strip[i] ){ >> +- case 0xd8: >> +- /* SOI - start of image */ >> ++ case 0xd8: /* SOI - start of image */ >> + _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2); >> + *bufferoffset+=2; >> +- i+=2; >> + break; >> +- case 0xc0: >> +- case 0xc1: >> +- case 0xc3: >> +- case 0xc9: >> +- case 0xca: >> ++ case 0xc0: /* SOF0 */ >> ++ case 0xc1: /* SOF1 */ >> ++ case 0xc3: /* SOF3 */ >> ++ case 0xc9: /* SOF9 */ >> ++ case 0xca: /* SOF10 */ >> + if(no==0){ >> +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); >> +- for(j=0;j<buffer[*bufferoffset+9];j++){ >> +- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) >> +- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4); >> +- if( 
(buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) >> +- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f); >> ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); >> ++ ncomp = buffer[*bufferoffset+9]; >> ++ if (ncomp < 1 || ncomp > 4) >> ++ return(0); >> ++ v_samp=1; >> ++ h_samp=1; >> ++ for(j=0;j<ncomp;j++){ >> ++ uint16 samp = buffer[*bufferoffset+11+(3*j)]; >> ++ if( (samp>>4) > h_samp) >> ++ h_samp = (samp>>4); >> ++ if( (samp & 0x0f) > v_samp) >> ++ v_samp = (samp & 0x0f); >> + } >> + v_samp*=8; >> + h_samp*=8; >> +@@ -3381,45 +3404,43 @@ >> + (unsigned char) ((height>>8) & 0xff); >> + buffer[*bufferoffset+6]= >> + (unsigned char) (height & 0xff); >> +- *bufferoffset+=strip[i+2]+2; >> +- i+=strip[i+2]+2; >> +- >> ++ *bufferoffset+=datalen+2; >> ++ /* insert a DRI marker */ >> + buffer[(*bufferoffset)++]=0xff; >> + buffer[(*bufferoffset)++]=0xdd; >> + buffer[(*bufferoffset)++]=0x00; >> + buffer[(*bufferoffset)++]=0x04; >> + buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; >> + buffer[(*bufferoffset)++]= ri & 0xff; >> +- } else { >> +- i+=strip[i+2]+2; >> + } >> + break; >> +- case 0xc4: >> +- case 0xdb: >> +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); >> +- *bufferoffset+=strip[i+2]+2; >> +- i+=strip[i+2]+2; >> ++ case 0xc4: /* DHT */ >> ++ case 0xdb: /* DQT */ >> ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); >> ++ *bufferoffset+=datalen+2; >> + break; >> +- case 0xda: >> ++ case 0xda: /* SOS */ >> + if(no==0){ >> +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2); >> +- *bufferoffset+=strip[i+2]+2; >> +- i+=strip[i+2]+2; >> ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2); >> ++ *bufferoffset+=datalen+2; >> + } else { >> + buffer[(*bufferoffset)++]=0xff; >> + buffer[(*bufferoffset)++]= >> + (unsigned char)(0xd0 | ((no-1)%8)); >> +- i+=strip[i+2]+2; >> + } >> +- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1); >> +- 
*bufferoffset+=(*striplength)-i-1; >> ++ i += datalen + 1; >> ++ /* copy remainder of strip */ >> ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i); >> ++ *bufferoffset+= *striplength - i; >> + return(1); >> + default: >> +- i+=strip[i+2]+2; >> ++ /* ignore any other marker */ >> ++ break; >> + } >> ++ i += datalen + 1; >> + } >> +- >> + >> ++ /* failed to find SOS marker */ >> + return(0); >> + } >> + #endif >> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb >> index 256e75e..8e450df 100644 >> --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb >> +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb >> @@ -6,7 +6,8 @@ DEPENDS = "zlib jpeg xz" >> PR = "r0" >> >> SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ >> - file://libtool2.patch" >> + file://libtool2.patch \ >> + file://libtiff-CVE-2013-1960.patch" >> >> SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" >> SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" >> > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dora][PATCH 1/2] libtiff: fix CVE-2013-1960
From: Saul Wold @ 2013-12-05 21:48 UTC
To: Mark Hatle, openembedded-core

On 12/05/2013 12:51 PM, Mark Hatle wrote:
> On 11/22/13, 12:43 PM, Saul Wold wrote:
>> On 11/20/2013 11:05 PM, Mark Hatle wrote:
>>> From: Ming Liu <ming.liu@windriver.com>
>>>
>>> Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
>>> in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
>>> service (crash) and possibly execute arbitrary code via a crafted TIFF image
>>> file.
>>>
>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
>>>
>>> Signed-off-by: Ming Liu <ming.liu@windriver.com>
>>> Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
>>> ---
>>>  .../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
>>>  meta/recipes-multimedia/libtiff/tiff_4.0.3.bb |   3 +-
>>>  2 files changed, 153 insertions(+), 1 deletion(-)
>>>  create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>>>
>>
>> For some reason this patch is not applying cleanly.
>
> It applies to dora. I just retried it using the latest version. (Note,
> it does NOT apply to master.)
>
> I don't know if it's needed for master.
>

Yes, it would be needed for master since master is still using 4.0.3, and then backported to dora.

Sau!

> --Mark
>
>> Sau!
>>
>>> diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>>> new file mode 100644
>>> index 0000000..e4348f1
>>> --- /dev/null
>>> +++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>>> @@ -0,0 +1,151 @@ >>> +This patch comes from: >>> http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch >>> >>> + >>> +Upstream-Status: Pending >>> + >>> +Signed-off-by: Ming Liu <ming.liu@windriver.com> >>> + >>> +diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c >>> +--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400 >>> ++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400 >>> +@@ -3341,33 +3341,56 @@ >>> + uint32 height){ >>> + >>> + tsize_t i=0; >>> +- uint16 ri =0; >>> +- uint16 v_samp=1; >>> +- uint16 h_samp=1; >>> +- int j=0; >>> +- >>> +- i++; >>> +- >>> +- while(i<(*striplength)){ >>> ++ >>> ++ while (i < *striplength) { >>> ++ tsize_t datalen; >>> ++ uint16 ri; >>> ++ uint16 v_samp; >>> ++ uint16 h_samp; >>> ++ int j; >>> ++ int ncomp; >>> ++ >>> ++ /* marker header: one or more FFs */ >>> ++ if (strip[i] != 0xff) >>> ++ return(0); >>> ++ i++; >>> ++ while (i < *striplength && strip[i] == 0xff) >>> ++ i++; >>> ++ if (i >= *striplength) >>> ++ return(0); >>> ++ /* SOI is the only pre-SOS marker without a length word */ >>> ++ if (strip[i] == 0xd8) >>> ++ datalen = 0; >>> ++ else { >>> ++ if ((*striplength - i) <= 2) >>> ++ return(0); >>> ++ datalen = (strip[i+1] << 8) | strip[i+2]; >>> ++ if (datalen < 2 || datalen >= (*striplength - i)) >>> ++ return(0); >>> ++ } >>> + switch( strip[i] ){ >>> +- case 0xd8: >>> +- /* SOI - start of image */ >>> ++ case 0xd8: /* SOI - start of image */ >>> + _TIFFmemcpy(&(buffer[*bufferoffset]), >>> &(strip[i-1]), 2); >>> + *bufferoffset+=2; >>> +- i+=2; >>> + break; >>> +- case 0xc0: >>> +- case 0xc1: >>> +- case 0xc3: >>> +- case 0xc9: >>> +- case 0xca: >>> ++ case 0xc0: /* SOF0 */ >>> ++ case 0xc1: /* SOF1 */ >>> ++ case 0xc3: /* SOF3 */ >>> ++ case 0xc9: /* SOF9 */ >>> ++ case 0xca: /* SOF10 */ >>> + if(no==0){ >>> +- _TIFFmemcpy(&(buffer[*bufferoffset]), >>> &(strip[i-1]), strip[i+2]+2); >>> +- for(j=0;j<buffer[*bufferoffset+9];j++){ >>> +- if( 
(buffer[*bufferoffset+11+(2*j)]>>4) > >>> h_samp) >>> +- h_samp = >>> (buffer[*bufferoffset+11+(2*j)]>>4); >>> +- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) >>> > v_samp) >>> +- v_samp = >>> (buffer[*bufferoffset+11+(2*j)] & 0x0f); >>> ++ _TIFFmemcpy(&(buffer[*bufferoffset]), >>> &(strip[i-1]), datalen+2); >>> ++ ncomp = buffer[*bufferoffset+9]; >>> ++ if (ncomp < 1 || ncomp > 4) >>> ++ return(0); >>> ++ v_samp=1; >>> ++ h_samp=1; >>> ++ for(j=0;j<ncomp;j++){ >>> ++ uint16 samp = buffer[*bufferoffset+11+(3*j)]; >>> ++ if( (samp>>4) > h_samp) >>> ++ h_samp = (samp>>4); >>> ++ if( (samp & 0x0f) > v_samp) >>> ++ v_samp = (samp & 0x0f); >>> + } >>> + v_samp*=8; >>> + h_samp*=8; >>> +@@ -3381,45 +3404,43 @@ >>> + (unsigned char) >>> ((height>>8) & 0xff); >>> + buffer[*bufferoffset+6]= >>> + (unsigned char) (height >>> & 0xff); >>> +- *bufferoffset+=strip[i+2]+2; >>> +- i+=strip[i+2]+2; >>> +- >>> ++ *bufferoffset+=datalen+2; >>> ++ /* insert a DRI marker */ >>> + buffer[(*bufferoffset)++]=0xff; >>> + buffer[(*bufferoffset)++]=0xdd; >>> + buffer[(*bufferoffset)++]=0x00; >>> + buffer[(*bufferoffset)++]=0x04; >>> + buffer[(*bufferoffset)++]=(ri >> 8) & 0xff; >>> + buffer[(*bufferoffset)++]= ri & 0xff; >>> +- } else { >>> +- i+=strip[i+2]+2; >>> + } >>> + break; >>> +- case 0xc4: >>> +- case 0xdb: >>> +- _TIFFmemcpy(&(buffer[*bufferoffset]), >>> &(strip[i-1]), strip[i+2]+2); >>> +- *bufferoffset+=strip[i+2]+2; >>> +- i+=strip[i+2]+2; >>> ++ case 0xc4: /* DHT */ >>> ++ case 0xdb: /* DQT */ >>> ++ _TIFFmemcpy(&(buffer[*bufferoffset]), >>> &(strip[i-1]), datalen+2); >>> ++ *bufferoffset+=datalen+2; >>> + break; >>> +- case 0xda: >>> ++ case 0xda: /* SOS */ >>> + if(no==0){ >>> +- _TIFFmemcpy(&(buffer[*bufferoffset]), >>> &(strip[i-1]), strip[i+2]+2); >>> +- *bufferoffset+=strip[i+2]+2; >>> +- i+=strip[i+2]+2; >>> ++ _TIFFmemcpy(&(buffer[*bufferoffset]), >>> &(strip[i-1]), datalen+2); >>> ++ *bufferoffset+=datalen+2; >>> + } else { >>> + buffer[(*bufferoffset)++]=0xff; >>> + 
buffer[(*bufferoffset)++]= >>> + (unsigned char)(0xd0 | >>> ((no-1)%8)); >>> +- i+=strip[i+2]+2; >>> + } >>> +- _TIFFmemcpy(&(buffer[*bufferoffset]), >>> &(strip[i-1]), (*striplength)-i-1); >>> +- *bufferoffset+=(*striplength)-i-1; >>> ++ i += datalen + 1; >>> ++ /* copy remainder of strip */ >>> ++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), >>> *striplength - i); >>> ++ *bufferoffset+= *striplength - i; >>> + return(1); >>> + default: >>> +- i+=strip[i+2]+2; >>> ++ /* ignore any other marker */ >>> ++ break; >>> + } >>> ++ i += datalen + 1; >>> + } >>> +- >>> + >>> ++ /* failed to find SOS marker */ >>> + return(0); >>> + } >>> + #endif >>> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb >>> b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb >>> index 256e75e..8e450df 100644 >>> --- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb >>> +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb >>> @@ -6,7 +6,8 @@ DEPENDS = "zlib jpeg xz" >>> PR = "r0" >>> >>> SRC_URI = >>> "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ >>> - file://libtool2.patch" >>> + file://libtool2.patch \ >>> + file://libtiff-CVE-2013-1960.patch" >>> >>> SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410" >>> SRC_URI[sha256sum] = >>> "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872" >>> >> > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* [dora][master][PATCH 2/2] gst-ffmpeg: fix CVE-2013-3674
From: Mark Hatle @ 2013-11-21 7:05 UTC
To: openembedded-core

From: Ming Liu <ming.liu@windriver.com>

The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg before
1.2.1 does not validate the presence of non-header data in a buffer, which
allows remote attackers to cause a denial of service (out-of-bounds array
access and application crash) via crafted CD Graphics Video data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3674

Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
---
 .../gst-ffmpeg-CVE-2013-3674.patch            | 26 ++++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb           |  3 ++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-3674.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-3674.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-3674.patch
new file mode 100644
index 0000000..a28404b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-3674.patch
@@ -0,0 +1,26 @@ +avcodec/cdgraphics: check buffer size before use + +Fixes out of array accesses + +Backported from:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=ad002e1a13a8df934bd6cb2c84175a4780ab8942 + +Upstream-status: Backport + +Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind +Signed-off-by: Michael Niedermayer <michaelni@gmx.at> +Signed-off-by: Ming Liu <ming.liu@windriver.com> + +diff -urpN a/gst-libs/ext/libav/libavcodec/cdgraphics.c b/gst-libs/ext/libav/libavcodec/cdgraphics.c +--- a/gst-libs/ext/libav/libavcodec/cdgraphics.c 2013-07-18 13:17:08.399876575 +0800 ++++ b/gst-libs/ext/libav/libavcodec/cdgraphics.c 2013-07-18 13:18:05.880502267 +0800 +@@ -291,7 +291,9 @@ static int cdg_decode_frame(AVCodecConte + inst = bytestream_get_byte(&buf); + inst &= CDG_MASK; + buf += 2; /// skipping 2 unneeded bytes +- bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); ++ ++ if (buf_size > CDG_HEADER_SIZE) ++ bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); + + if ((command & CDG_MASK) == CDG_COMMAND) { + switch (inst) { diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb index 8873105..e1257a2 100644 --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb @@ -22,12 +22,13 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \ file://h264_qpel_mmx.patch \ file://libav_e500mc.patch \ file://libav_e5500.patch \ + file://gst-ffmpeg-CVE-2013-3674.patch \ " SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" SRC_URI[sha256sum] = "76fca05b08e00134e3cb92fa347507f42cbd48ddb08ed3343a912def187fbb62" -PR = "r7" +PR = "r8" GSTREAMER_DEBUG ?= "--disable-debug" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 6+ messages in thread
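Review bot: in the cdgraphics.c hunk the new `if (buf_size > CDG_HEADER_SIZE)` guard only keeps `buf_size - CDG_HEADER_SIZE` from going negative for the bulk copy; the header reads in the context just above it (`inst = bytestream_get_byte(&buf);` and the `buf += 2` skip) still run for any buf_size, so unless a check outside this hunk already rejects packets shorter than CDG_HEADER_SIZE, a short packet still reads past the end of buf. Also, when the guard is false `cdg_data` keeps whatever it held before, yet the `switch (inst)` below still consumes it; if that is intended, say so in a comment, otherwise return early. Minor: the patch header spells the tag `Upstream-status:`; the OE-core convention is `Upstream-Status:` with a capital S, and `Backported from:http://...` is missing a space after the colon.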