* [dora][PATCH 0/2] Two CVE patches...
From: Mark Hatle @ 2013-11-21 7:05 UTC (permalink / raw)
To: openembedded-core
Ming Liu (2):
libtiff: fix CVE-2013-1960
gst-ffmpeg: fix CVE-2013-3674
.../gst-ffmpeg-CVE-2013-3674.patch | 26 ++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 3 +-
.../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 +-
4 files changed, 181 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-3674.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
--
1.8.1.2.545.g2f19ada
* [dora][PATCH 1/2] libtiff: fix CVE-2013-1960
From: Mark Hatle @ 2013-11-21 7:05 UTC (permalink / raw)
To: openembedded-core
From: Ming Liu <ming.liu@windriver.com>
Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted TIFF image
file.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
---
.../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 +-
2 files changed, 153 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
new file mode 100644
index 0000000..e4348f1
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
@@ -0,0 +1,151 @@
+This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+
+diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+ uint32 height){
+
+ tsize_t i=0;
+- uint16 ri =0;
+- uint16 v_samp=1;
+- uint16 h_samp=1;
+- int j=0;
+-
+- i++;
+-
+- while(i<(*striplength)){
++
++ while (i < *striplength) {
++ tsize_t datalen;
++ uint16 ri;
++ uint16 v_samp;
++ uint16 h_samp;
++ int j;
++ int ncomp;
++
++ /* marker header: one or more FFs */
++ if (strip[i] != 0xff)
++ return(0);
++ i++;
++ while (i < *striplength && strip[i] == 0xff)
++ i++;
++ if (i >= *striplength)
++ return(0);
++ /* SOI is the only pre-SOS marker without a length word */
++ if (strip[i] == 0xd8)
++ datalen = 0;
++ else {
++ if ((*striplength - i) <= 2)
++ return(0);
++ datalen = (strip[i+1] << 8) | strip[i+2];
++ if (datalen < 2 || datalen >= (*striplength - i))
++ return(0);
++ }
+ switch( strip[i] ){
+- case 0xd8:
+- /* SOI - start of image */
++ case 0xd8: /* SOI - start of image */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ *bufferoffset+=2;
+- i+=2;
+ break;
+- case 0xc0:
+- case 0xc1:
+- case 0xc3:
+- case 0xc9:
+- case 0xca:
++ case 0xc0: /* SOF0 */
++ case 0xc1: /* SOF1 */
++ case 0xc3: /* SOF3 */
++ case 0xc9: /* SOF9 */
++ case 0xca: /* SOF10 */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- for(j=0;j<buffer[*bufferoffset+9];j++){
+- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
+- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
+- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ ncomp = buffer[*bufferoffset+9];
++ if (ncomp < 1 || ncomp > 4)
++ return(0);
++ v_samp=1;
++ h_samp=1;
++ for(j=0;j<ncomp;j++){
++ uint16 samp = buffer[*bufferoffset+11+(3*j)];
++ if( (samp>>4) > h_samp)
++ h_samp = (samp>>4);
++ if( (samp & 0x0f) > v_samp)
++ v_samp = (samp & 0x0f);
+ }
+ v_samp*=8;
+ h_samp*=8;
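Review bot: `uint16 ri;` at the top of the loop body replaces the old `uint16 ri =0;` but is never assigned, and the DRI marker emitted in the next hunk writes `(ri >> 8) & 0xff` and `ri & 0xff` into the output, so the restart interval is now an uninitialised read; keep the initialiser (`uint16 ri = 0;`) or hoist the declaration back out of the loop. Second, the new length check only guarantees `datalen >= 2`, yet the SOF branch reads `buffer[*bufferoffset+9]` for ncomp and `buffer[*bufferoffset+11+(3*j)]` for each component (and writes the height at +5/+6 in the next hunk); a SOF whose length word is smaller than its 8+3*ncomp-byte header leaves those reads on whatever was in `buffer` before the copy. Suggest rejecting the segment when `datalen < 8 + 3*ncomp`, right after the ncomp range check. The move from `strip[i+2]` (low byte only) to the full 16-bit `datalen`, and the `3*j` component stride, are both correct.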
+@@ -3381,45 +3404,43 @@
+ (unsigned char) ((height>>8) & 0xff);
+ buffer[*bufferoffset+6]=
+ (unsigned char) (height & 0xff);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
+-
++ *bufferoffset+=datalen+2;
++ /* insert a DRI marker */
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=0xdd;
+ buffer[(*bufferoffset)++]=0x00;
+ buffer[(*bufferoffset)++]=0x04;
+ buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+ buffer[(*bufferoffset)++]= ri & 0xff;
+- } else {
+- i+=strip[i+2]+2;
+ }
+ break;
+- case 0xc4:
+- case 0xdb:
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ case 0xc4: /* DHT */
++ case 0xdb: /* DQT */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ break;
+- case 0xda:
++ case 0xda: /* SOS */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ } else {
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=
+ (unsigned char)(0xd0 | ((no-1)%8));
+- i+=strip[i+2]+2;
+ }
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+- *bufferoffset+=(*striplength)-i-1;
++ i += datalen + 1;
++ /* copy remainder of strip */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++ *bufferoffset+= *striplength - i;
+ return(1);
+ default:
+- i+=strip[i+2]+2;
++ /* ignore any other marker */
++ break;
+ }
++ i += datalen + 1;
+ }
+-
+
++ /* failed to find SOS marker */
+ return(0);
+ }
+ #endif
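Review bot: the SOS path is sound: `datalen < *striplength - i` guarantees `i += datalen + 1` stays at or below `*striplength`, so the trailing copy of `*striplength - i` bytes can no longer go negative the way the old `(*striplength)-i-1` could after an unchecked `i+=strip[i+2]+2`. What the hunk leaves implicit is the output side: every `_TIFFmemcpy` into `buffer[*bufferoffset]` and the six inserted DRI bytes assume `buffer` has at least the strip size plus the marker available, and nothing here checks `*bufferoffset`; a one-line comment stating the caller's allocation guarantee would help the next reader. On the header, `Upstream-Status: Pending` is paired with a Fedora URL rather than an upstream libtiff reference: if the fix has landed upstream the tag should be `Backport` with the upstream commit, otherwise the header should say where it was submitted.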
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index 256e75e..8e450df 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -6,7 +6,8 @@ DEPENDS = "zlib jpeg xz"
PR = "r0"
SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
- file://libtool2.patch"
+ file://libtool2.patch \
+ file://libtiff-CVE-2013-1960.patch"
SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
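Review bot: `PR = "r0"` is left untouched here while patch 2/2 bumps the gst-ffmpeg recipe from r7 to r8 for the same kind of change; pick one convention for the series (a bump in both, or none if the branch relies on the PR service) so the two recipes do not behave differently on upgrade.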
--
1.8.1.2.545.g2f19ada
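A stand-alone check of the marker-walking rules this patch introduces, added here as an example; it is not part of the libtiff patch, the Fedora patch it was taken from, or the OE recipe. walk_jpeg_markers(), find_sos() and the four k*Strip byte arrays are constructed for this example; the validation rules (0xff fill bytes, no length word on SOI, a 16-bit big-endian length that must be at least 2 and fit in the remaining strip, stop at SOS) are the ones the patched tp_process_jpeg_strip() applies, minus the copy into buffer, so they can be exercised on hand-built strips without building tiff2pdf:

```c
#include <stddef.h>
#include <stdio.h>

/* Walks the marker segments that precede the entropy-coded data of a
 * JPEG strip, applying the bounds rules from the patched
 * tp_process_jpeg_strip(): every segment starts with one or more 0xff
 * bytes; SOI (0xd8) has no length word; every other marker carries a
 * 16-bit big-endian length that counts its own two bytes, so it must be
 * at least 2 and must fit inside the remaining strip. Returns 1 when a
 * well-formed sequence reaches SOS (0xda), storing the offset of the SOS
 * marker byte in *sos_off, and 0 for a truncated, oversized or SOS-less
 * strip. Nothing is copied, so a bad strip cannot overrun anything. */
int walk_jpeg_markers(const unsigned char *strip, size_t striplength,
                      size_t *sos_off)
{
    size_t i = 0;

    while (i < striplength) {
        size_t datalen;
        unsigned char marker;

        /* marker header: one or more 0xff fill bytes */
        if (strip[i] != 0xff)
            return 0;
        i++;
        while (i < striplength && strip[i] == 0xff)
            i++;
        if (i >= striplength)
            return 0;
        marker = strip[i];

        if (marker == 0xd8) {
            datalen = 0;                 /* SOI: no length word */
        } else {
            if (striplength - i <= 2)    /* need marker + 2 length bytes */
                return 0;
            datalen = ((size_t)strip[i + 1] << 8) | strip[i + 2];
            /* the pre-patch code took strip[i+2] alone as the length and
             * never compared it with the strip size; this is that check */
            if (datalen < 2 || datalen >= striplength - i)
                return 0;
        }

        if (marker == 0xda) {            /* SOS: scan data follows */
            if (sos_off)
                *sos_off = i;
            return 1;
        }

        i += datalen + 1;                /* marker byte + length word + payload */
    }
    return 0;                            /* ran out of strip before SOS */
}

/* Convenience wrapper: offset of the SOS marker byte, or -1 if rejected. */
long find_sos(const unsigned char *strip, size_t striplength)
{
    size_t off = 0;
    return walk_jpeg_markers(strip, striplength, &off) ? (long)off : -1L;
}

/* Constructed sample strips (not real TIFF data): SOI, a 4-byte DQT
 * segment, SOS, then two bytes of scan data. */
const unsigned char kGoodStrip[] = {
    0xff, 0xd8,                         /* SOI */
    0xff, 0xdb, 0x00, 0x04, 0x00, 0x01, /* DQT, length 4 */
    0xff, 0xda, 0x00, 0x02,             /* SOS, length 2 */
    0x12, 0x34                          /* scan data */
};
/* Same strip cut off inside the SOS length word. */
const unsigned char kTruncatedStrip[] = {
    0xff, 0xd8, 0xff, 0xdb, 0x00, 0x04, 0x00, 0x01, 0xff, 0xda, 0x00
};
/* DQT whose length word (0x00ff) claims far more than the strip holds. */
const unsigned char kOversizedStrip[] = {
    0xff, 0xd8, 0xff, 0xdb, 0x00, 0xff, 0x00, 0x01, 0xff, 0xda, 0x00, 0x02
};
/* Well-formed segments but no SOS at all. */
const unsigned char kNoSosStrip[] = {
    0xff, 0xd8, 0xff, 0xdb, 0x00, 0x04, 0x00, 0x01
};
const size_t kGoodStripLen = sizeof kGoodStrip;
const size_t kTruncatedStripLen = sizeof kTruncatedStrip;
const size_t kOversizedStripLen = sizeof kOversizedStrip;
const size_t kNoSosStripLen = sizeof kNoSosStrip;

int main(void)
{
    printf("good      -> SOS at %ld\n", find_sos(kGoodStrip, kGoodStripLen));
    printf("truncated -> %ld\n", find_sos(kTruncatedStrip, kTruncatedStripLen));
    printf("oversized -> %ld\n", find_sos(kOversizedStrip, kOversizedStripLen));
    printf("no SOS    -> %ld\n", find_sos(kNoSosStrip, kNoSosStripLen));
    return 0;
}
```

The oversized sample is the shape of input the pre-patch loop mishandled: it took only the low byte of the length word and advanced and copied by it without comparing against the strip length; here such a segment is rejected before anything is copied, and the good sample reports SOS at offset 9.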
* [dora][master][PATCH 2/2] gst-ffmpeg: fix CVE-2013-3674
From: Mark Hatle @ 2013-11-21 7:05 UTC (permalink / raw)
To: openembedded-core
From: Ming Liu <ming.liu@windriver.com>
The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg before
1.2.1 does not validate the presence of non-header data in a buffer, which
allows remote attackers to cause a denial of service (out-of-bounds array
access and application crash) via crafted CD Graphics Video data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3674
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
---
.../gst-ffmpeg-CVE-2013-3674.patch | 26 ++++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 3 ++-
2 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-3674.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-3674.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-3674.patch
new file mode 100644
index 0000000..a28404b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-3674.patch
@@ -0,0 +1,26 @@
+avcodec/cdgraphics: check buffer size before use
+
+Fixes out of array accesses
+
+Backported from:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=ad002e1a13a8df934bd6cb2c84175a4780ab8942
+
+Upstream-status: Backport
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+
+diff -urpN a/gst-libs/ext/libav/libavcodec/cdgraphics.c b/gst-libs/ext/libav/libavcodec/cdgraphics.c
+--- a/gst-libs/ext/libav/libavcodec/cdgraphics.c 2013-07-18 13:17:08.399876575 +0800
++++ b/gst-libs/ext/libav/libavcodec/cdgraphics.c 2013-07-18 13:18:05.880502267 +0800
+@@ -291,7 +291,9 @@ static int cdg_decode_frame(AVCodecConte
+ inst = bytestream_get_byte(&buf);
+ inst &= CDG_MASK;
+ buf += 2; /// skipping 2 unneeded bytes
+- bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
++
++ if (buf_size > CDG_HEADER_SIZE)
++ bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
+
+ if ((command & CDG_MASK) == CDG_COMMAND) {
+ switch (inst) {
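Review bot: the new guard stops the bulk read when `buf_size <= CDG_HEADER_SIZE` (otherwise `buf_size - CDG_HEADER_SIZE` goes negative and is handed to `bytestream_get_buffer` as an unsigned length), but the header reads above it, `inst = bytestream_get_byte(&buf);` and `buf += 2;`, still execute for any `buf_size`, so a packet shorter than the header is still parsed past its end, and the `switch (inst)` below then runs against a `cdg_data` that was never filled. A check at function entry that returns an error (`AVERROR_INVALIDDATA` in libavcodec) when `buf_size < CDG_HEADER_SIZE` would close both; if the intent is to match the upstream commit byte for byte, say so in the header. Minor: `Upstream-status: Backport` should be spelled `Upstream-Status:` as in 1/2, and `Backported from:http://...` wants a space after the colon.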
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 8873105..e1257a2 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -22,12 +22,13 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://h264_qpel_mmx.patch \
file://libav_e500mc.patch \
file://libav_e5500.patch \
+ file://gst-ffmpeg-CVE-2013-3674.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
SRC_URI[sha256sum] = "76fca05b08e00134e3cb92fa347507f42cbd48ddb08ed3343a912def187fbb62"
-PR = "r7"
+PR = "r8"
GSTREAMER_DEBUG ?= "--disable-debug"
--
1.8.1.2.545.g2f19ada
* Re: [dora][PATCH 1/2] libtiff: fix CVE-2013-1960
From: Saul Wold @ 2013-11-22 18:43 UTC (permalink / raw)
To: Mark Hatle, openembedded-core
On 11/20/2013 11:05 PM, Mark Hatle wrote:
> From: Ming Liu <ming.liu@windriver.com>
>
> Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
> in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
> service (crash) and possibly execute arbitrary code via a crafted TIFF image
> file.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
>
> Signed-off-by: Ming Liu <ming.liu@windriver.com>
> Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
> ---
> .../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 +-
> 2 files changed, 153 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>
For some reason this patch is not applying cleanly.
Sau!
* Re: [dora][PATCH 1/2] libtiff: fix CVE-2013-1960
From: Mark Hatle @ 2013-12-05 20:51 UTC (permalink / raw)
To: Saul Wold, openembedded-core
On 11/22/13, 12:43 PM, Saul Wold wrote:
> On 11/20/2013 11:05 PM, Mark Hatle wrote:
>> From: Ming Liu <ming.liu@windriver.com>
>>
>> Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
>> in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
>> service (crash) and possibly execute arbitrary code via a crafted TIFF image
>> file.
>>
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
>>
>> Signed-off-by: Ming Liu <ming.liu@windriver.com>
>> Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
>> ---
>> .../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
>> meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 +-
>> 2 files changed, 153 insertions(+), 1 deletion(-)
>> create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>>
>
> For some reason this patch is not applying cleanly.
It applies to dora. I just retried it using the latest version. (Note, it does
NOT apply to master.)
I don't know if it's needed for master.
--Mark
> Sau!
>
* Re: [dora][PATCH 1/2] libtiff: fix CVE-2013-1960
From: Saul Wold @ 2013-12-05 21:48 UTC (permalink / raw)
To: Mark Hatle, openembedded-core
On 12/05/2013 12:51 PM, Mark Hatle wrote:
> On 11/22/13, 12:43 PM, Saul Wold wrote:
>> On 11/20/2013 11:05 PM, Mark Hatle wrote:
>>> From: Ming Liu <ming.liu@windriver.com>
>>>
>>> Heap-based buffer overflow in the tp_process_jpeg_strip function in
>>> tiff2pdf
>>> in libtiff 4.0.3 and earlier allows remote attackers to cause a
>>> denial of
>>> service (crash) and possibly execute arbitrary code via a crafted
>>> TIFF image
>>> file.
>>>
>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
>>>
>>> Signed-off-by: Ming Liu <ming.liu@windriver.com>
>>> Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
>>> ---
>>> .../libtiff/files/libtiff-CVE-2013-1960.patch | 151
>>> +++++++++++++++++++++
>>> meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 +-
>>> 2 files changed, 153 insertions(+), 1 deletion(-)
>>> create mode 100644
>>> meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
>>>
>>
>> For some reason this patch is not applying cleanly.
>
> It applies to dora. I just retried it using the latest version. (Note,
> it does NOT apply to master.)
>
> I don't know if it's needed for master.
>
Yes, it would be needed for master since master is still using 4.0.3,
and then backported to dora.
Sau!
> --Mark
>
>> Sau!
>>