It was meant to happen eventually - someone had to confuse krogoth for kergoth sooner or later... :)
On Mon, Apr 25, 2016 at 05:29:41PM -0700, Armin Kuster wrote: > From: Armin Kuster <akus...@mvista.com> > > same fix for both CVE's > > tiff <= 4.0.6 > > Signed-off-by: Armin Kuster <akus...@mvista.com> > --- > .../libtiff/files/CVE-2015-8665_8683.patch | 137 > +++++++++++++++++++++ > meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 + > 2 files changed, 138 insertions(+) > create mode 100644 > meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch > > diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch > b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch > new file mode 100644 > index 0000000..39c5059 > --- /dev/null > +++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch 
> @@ -0,0 +1,137 @@ > +From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 > +From: erouault <erouault> > +Date: Sat, 26 Dec 2015 17:32:03 +0000 > +Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in > + TIFFRGBAImage interface in case of unsupported values of > + SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to > + TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by > + limingxing and CVE-2015-8683 reported by zzf of Alibaba. > + > +Upstream-Status: Backport > +CVE: CVE-2015-8665 > +CVE: CVE-2015-8683 > +https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 > + > +Signed-off-by: Armin Kuster <akus...@mvista.com> > + > +--- > + ChangeLog | 8 ++++++++ > + libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- > + 2 files changed, 30 insertions(+), 13 deletions(-) > + > +Index: tiff-4.0.6/libtiff/tif_getimage.c > +=================================================================== > +--- tiff-4.0.6.orig/libtiff/tif_getimage.c > ++++ tiff-4.0.6/libtiff/tif_getimage.c > +@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 > + "Planarconfiguration", td->td_planarconfig); > + return (0); > + } > +- if( td->td_samplesperpixel != 3 ) > ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) > + { > + sprintf(emsg, > +- "Sorry, can not handle image with %s=%d", > +- "Samples/pixel", td->td_samplesperpixel); > ++ "Sorry, can not handle image with %s=%d, %s=%d", > ++ "Samples/pixel", td->td_samplesperpixel, > ++ "colorchannels", colorchannels); > + return 0; > + } > + break; > + case PHOTOMETRIC_CIELAB: > +- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) > ++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || > td->td_bitspersample != 8 ) > + { > + sprintf(emsg, > +- "Sorry, can not handle image with %s=%d and %s=%d", > ++ "Sorry, can not handle image with %s=%d, %s=%d and > %s=%d", > + "Samples/pixel", td->td_samplesperpixel, > 
++ "colorchannels", colorchannels, > + "Bits/sample", td->td_bitspersample); > + return 0; > + } > +@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T > + int colorchannels; > + uint16 *red_orig, *green_orig, *blue_orig; > + int n_color; > ++ > ++ if( !TIFFRGBAImageOK(tif, emsg) ) > ++ return 0; > + > + /* Initialize to normal values */ > + img->row_offset = 0; > +@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) > + case PHOTOMETRIC_RGB: > + switch (img->bitspersample) { > + case 8: > +- if (img->alpha == > EXTRASAMPLE_ASSOCALPHA) > ++ if (img->alpha == > EXTRASAMPLE_ASSOCALPHA && > ++ img->samplesperpixel >= 4) > + img->put.contig = > putRGBAAcontig8bittile; > +- else if (img->alpha == > EXTRASAMPLE_UNASSALPHA) > ++ else if (img->alpha == > EXTRASAMPLE_UNASSALPHA && > ++ img->samplesperpixel > >= 4) > + { > + if (BuildMapUaToAa(img)) > + img->put.contig = > putRGBUAcontig8bittile; > + } > +- else > ++ else if( img->samplesperpixel >= 3 ) > + img->put.contig = > putRGBcontig8bittile; > + break; > + case 16: > +- if (img->alpha == > EXTRASAMPLE_ASSOCALPHA) > ++ if (img->alpha == > EXTRASAMPLE_ASSOCALPHA && > ++ img->samplesperpixel >=4 ) > + { > + if (BuildMapBitdepth16To8(img)) > + img->put.contig = > putRGBAAcontig16bittile; > + } > +- else if (img->alpha == > EXTRASAMPLE_UNASSALPHA) > ++ else if (img->alpha == > EXTRASAMPLE_UNASSALPHA && > ++ img->samplesperpixel > >=4 ) > + { > + if (BuildMapBitdepth16To8(img) > && > + BuildMapUaToAa(img)) > + img->put.contig = > putRGBUAcontig16bittile; > + } > +- else > ++ else if( img->samplesperpixel >=3 ) > + { > + if (BuildMapBitdepth16To8(img)) > + img->put.contig = > putRGBcontig16bittile; > +@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) > + } > + break; > + case PHOTOMETRIC_SEPARATED: > +- if (buildMap(img)) { > ++ if (img->samplesperpixel >=4 && buildMap(img)) { > + if (img->bitspersample == 8) { > + if (!img->Map) > + img->put.contig = > putRGBcontig8bitCMYKtile; > +@@ -2635,7 +2644,7 @@ 
PickContigCase(TIFFRGBAImage* img) > + } > + break; > + case PHOTOMETRIC_CIELAB: > +- if (buildMap(img)) { > ++ if (img->samplesperpixel == 3 && buildMap(img)) { > + if (img->bitspersample == 8) > + img->put.contig = > initCIELabConversion(img); > + break; > +Index: tiff-4.0.6/ChangeLog > +=================================================================== > +--- tiff-4.0.6.orig/ChangeLog > ++++ tiff-4.0.6/ChangeLog > +@@ -1,3 +1,11 @@ > ++2015-12-26 Even Rouault <even.rouault at spatialys.com> > ++ > ++ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage > ++ interface in case of unsupported values of SamplesPerPixel/ExtraSamples > ++ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in > ++ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and > ++ CVE-2015-8683 reported by zzf of Alibaba. > ++ > + 2015-09-12 Bob Friesenhahn <bfrie...@simple.dallas.tx.us> > + > + * libtiff 4.0.6 released. > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb > b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb > index e2e24e0..810a5e4 100644 > --- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb > +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb > @@ -5,6 +5,7 @@ HOMEPAGE = "http://www.remotesensing.org/libtiff/" > > SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ > file://libtool2.patch \ > + file://CVE-2015-8665_8683.patch \ > " > > SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" > -- > 2.3.5 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core
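
Review bot: in the TIFFRGBAImageOK() hunk, the new error text for the LogLuv and CIELab cases prints "colorchannels", which is a local variable name rather than a TIFF tag. The commit message describes the problem in terms of SamplesPerPixel/ExtraSamples, so a message that names those tags would be easier for a user to act on. Both messages are still built with sprintf into emsg; the formats here are fixed strings plus %d only, but snprintf would make the bound explicit.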
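
Review bot: in the TIFFRGBAImageBegin() hunk, the new early return sits above the "/* Initialize to normal values */" block, so on failure img is handed back with none of its fields set. A caller that runs cleanup on img after a failed Begin would then be reading uninitialised members. Consider moving the TIFFRGBAImageOK() call below the initialisation, or add a comment stating that img must not be touched when 0 is returned.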
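
Review bot: in the PHOTOMETRIC_RGB hunk of PickContigCase(), replacing the trailing "else" with "else if( img->samplesperpixel >= 3 )" means the 8-bit and 16-bit cases can now fall through without assigning img->put.contig. The hunk does not show how the function reports that, so it is worth confirming that whatever is tested after the switch cannot hold a stale value, and a one-line comment on the deliberate fall-through would help. Minor style point: the spacing differs between ">= 4)" in the 8-bit case and ">=4 )" in the 16-bit case.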
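
Review bot: the ChangeLog hunk at the end of the backported patch inserts at the very top of the file (@@ -1,3 +1,11 @@), which is the same spot any other upstream backport for tiff 4.0.6 would also modify, so a second CVE patch stacked in SRC_URI is likely to apply with fuzz or not at all. Dropping the ChangeLog hunk from the backport (and adjusting the diffstat in the patch header) would keep the patch limited to libtiff/tif_getimage.c, where the fix is.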