[gnome-continuous-yocto/gnomeostree-3.28-rocko: 1863/8267] tiff: Security fix CVE-2015-8784

From: Emmanuele Bassi <ebassi src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-continuous-yocto/gnomeostree-3.28-rocko: 1863/8267] tiff: Security fix CVE-2015-8784
Date: Sat, 16 Dec 2017 22:25:24 +0000 (UTC)
commit ecb7e5264925dfa7c352b9f32e53bad0fcc327b4
Author: Armin Kuster <akuster mvista com>
Date:   Wed Aug 10 15:11:17 2016 +0800

    tiff: Security fix CVE-2015-8784
    
    CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()
    
    External Reference:
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8784
    
    (From OE-Core rev: 36097da9679ab2ce3c4044cd8ed64e5577e3f63e)
    
    Signed-off-by: Armin Kuster <akuster mvista com>
    Signed-off-by: Yi Zhao <yi zhao windriver com>
    Signed-off-by: Ross Burton <ross burton intel com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 .../libtiff/files/CVE-2015-8784.patch              |   73 ++++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.6.bb      |    1 +
 2 files changed, 74 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
new file mode 100644
index 0000000..0caf800
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
@@ -0,0 +1,73 @@
+From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 27 Dec 2015 16:55:20 +0000
+Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
+ NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
+ (bugzilla #2508)
+
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
+hand applied Changelog changes
+
+CVE:  CVE-2015-8784
+Signed-off-by: Armin Kuster <akuster mvista com>
+
+---
+ ChangeLog          |  6 ++++++
+ libtiff/tif_next.c | 10 ++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+Index: tiff-4.0.4/ChangeLog
+===================================================================
+--- tiff-4.0.4.orig/ChangeLog
++++ tiff-4.0.4/ChangeLog
+@@ -1,5 +1,11 @@
+ 2015-12-27  Even Rouault <even.rouault at spatialys.com>
+ 
++      * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
++      triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
++      (bugzilla #2508)
++
++2015-12-27  Even Rouault <even.rouault at spatialys.com>
++
+       * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+       functions in non debug builds by replacing assert()s by regular if
+       checks (bugzilla #2522).
+Index: tiff-4.0.4/libtiff/tif_next.c
+===================================================================
+--- tiff-4.0.4.orig/libtiff/tif_next.c
++++ tiff-4.0.4/libtiff/tif_next.c
+@@ -37,7 +37,7 @@
+       case 0: op[0]  = (unsigned char) ((v) << 6); break;     \
+       case 1: op[0] |= (v) << 4; break;       \
+       case 2: op[0] |= (v) << 2; break;       \
+-      case 3: *op++ |= (v);      break;       \
++      case 3: *op++ |= (v);      op_offset++; break;  \
+       }                                       \
+ }
+ 
+@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
+                       uint32 imagewidth = tif->tif_dir.td_imagewidth;
+             if( isTiled(tif) )
+                 imagewidth = tif->tif_dir.td_tilewidth;
++            tmsize_t op_offset = 0;
+ 
+                       /*
+                        * The scanline is composed of a sequence of constant
+@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
+                                * bounds, potentially resulting in a security
+                                * issue.
+                                */
+-                              while (n-- > 0 && npixels < imagewidth)
++                              while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
+                                       SETPIXEL(op, grey);
+                               if (npixels >= imagewidth)
+                                       break;
++                if (op_offset >= scanline ) {
++                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
++                        (long) tif->tif_row);
++                    return (0);
++                }
+                               if (cc == 0)
+                                       goto bad;
+                               n = *bp++, cc--;
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 9879c8b..0506475 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -7,6 +7,7 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
            file://libtool2.patch \
            file://CVE-2015-8665_8683.patch \
            file://CVE-2015-8781.patch \
+           file://CVE-2015-8784.patch \
           "
 
 SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]