[gnome-continuous-yocto/gnomeostree-3.28-rocko: 3225/8267] tiff: Security fix CVE-2016-3622
- From: Emmanuele Bassi <ebassi src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-continuous-yocto/gnomeostree-3.28-rocko: 3225/8267] tiff: Security fix CVE-2016-3622
- Date: Sun, 17 Dec 2017 00:20:05 +0000 (UTC)
commit 3a6612a81197d2e1ebefcfd5cd9576d91d2ea08b
Author: Yi Zhao <yi zhao windriver com>
Date: Wed Oct 26 16:26:48 2016 +0800
tiff: Security fix CVE-2016-3622
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the
tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (divide-by-zero error) via a crafted TIFF
image.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622
http://www.openwall.com/lists/oss-security/2016/04/07/4
Patch from:
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
(From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb)
Signed-off-by: Yi Zhao <yi zhao windriver com>
Signed-off-by: Ross Burton <ross burton intel com>
Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>
.../libtiff/files/CVE-2016-3622.patch | 129 ++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 1 +
2 files changed, 130 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
new file mode 100644
index 0000000..0c8b716
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
@@ -0,0 +1,129 @@
+From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
+From: bfriesen <bfriesen>
+Date: Sat, 24 Sep 2016 23:11:55 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
+ to read floating point images.
+
+* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+requirements of floating point predictor (3). Fixes CVE-2016-3622
+"Divide By Zero in the tiff2rgba tool."
+
+CVE: CVE-2016-3622
+Upstream-Status: Backport
+https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
+
+Signed-off-by: Yi Zhao <yi zhao windirver com>
+---
+ ChangeLog | 11 ++++++++++-
+ libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
+ libtiff/tif_predict.c | 11 ++++++++++-
+ 3 files changed, 40 insertions(+), 20 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 26d6f47..a628277 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++2016-09-24 Bob Friesenhahn <bfriesen simple dallas tx us>
++
++ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
++ read floating point images.
++
++ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
++ requirements of floating point predictor (3). Fixes CVE-2016-3622
++ "Divide By Zero in the tiff2rgba tool."
++
+ 2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 386cee0..3e689ee 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ td->td_bitspersample);
+ return (0);
+ }
++ if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
++ sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
++ return (0);
++ }
+ colorchannels = td->td_samplesperpixel - td->td_extrasamples;
+ if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
+ switch (colorchannels) {
+@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
+- if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+- {
+- sprintf(emsg,
+- "Sorry, can not handle image with %s=%d, %s=%d",
+- "Samples/pixel", td->td_samplesperpixel,
+- "colorchannels", colorchannels);
+- return 0;
+- }
++ if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels);
++ return 0;
++ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+- {
+- sprintf(emsg,
+- "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+- "Samples/pixel", td->td_samplesperpixel,
+- "colorchannels", colorchannels,
+- "Bits/sample", td->td_bitspersample);
+- return 0;
+- }
++ if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8
) {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels,
++ "Bits/sample", td->td_bitspersample);
++ return 0;
++ }
+ break;
+- default:
++ default:
+ sprintf(emsg, "Sorry, can not handle image with %s=%d",
+ photoTag, photometric);
+ return (0);
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index 081eb11..555f2f9 100644
+--- a/libtiff/tif_predict.c
++++ b/libtiff/tif_predict.c
+@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
+ td->td_sampleformat);
+ return 0;
+ }
++ if (td->td_bitspersample != 16
++ && td->td_bitspersample != 24
++ && td->td_bitspersample != 32
++ && td->td_bitspersample != 64) { /* Should 64 be allowed? */
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Floating point \"Predictor\" not supported with %d-bit
samples",
++ td->td_bitspersample);
++ return 0;
++ }
+ break;
+ default:
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
+ }
+ /*
+ * Allocate buffer to keep the decoded bytes before
+- * rearranging in the ight order
++ * rearranging in the right order
+ */
+ }
+
+--
+2.7.4
+
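Review bot: The new bits-per-sample guard in `PredictorSetup` (the libtiff/tif_predict.c section of the added patch) still carries an open question, `/* Should 64 be allowed? */`, and never says what the whitelist protects. The commit description places the divide-by-zero in `fpAcc`; presumably a bytes-per-sample value derived from `td_bitspersample` becomes zero for sub-byte samples, but `fpAcc` is not in the hunk, so that should be confirmed. I would replace the question with the reason, e.g. `/* predictor 3 needs whole-byte samples; smaller widths reach the divide-by-zero in fpAcc (CVE-2016-3622) */`. Since the patch is marked `Upstream-Status: Backport`, the wording is best settled upstream and mirrored here. `PredictorSetup` starts and ends outside the hunk, so whether other predictor cases need a similar guard cannot be judged from this page.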
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 466dfbb..796d86e 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2016-3990.patch \
file://CVE-2016-3991.patch \
file://CVE-2016-3623.patch \
+ file://CVE-2016-3622.patch \
"
SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
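Review bot: The position of `file://CVE-2016-3622.patch \` in `SRC_URI` looks order-dependent, and nothing records that. The ChangeLog section of the added patch uses a 2016-08-15 `tools/rgb2ycbcr.c` entry as context, which appears to come from an earlier backport in this list rather than from the release tarball (an inference, since those patches are not shown here). If so, reordering or dropping an earlier CVE patch would make this security fix fail to apply. Dropping the ChangeLog section from the backported patch would remove that coupling while keeping both code changes.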