[gnome-continuous-yocto/gnomeostree-3.28-rocko: 7839/8267] tiff: Security fix CVE-2017-13726 and CVE-2017-13727



commit 89c81eedcaf45eecad9e5b20214d89e15db310c7
Author: Yi Zhao <yi zhao windriver com>
Date:   Thu Sep 21 11:21:39 2017 +0800

    tiff: Security fix CVE-2017-13726 and CVE-2017-13727
    
    References:
    https://nvd.nist.gov/vuln/detail/CVE-2017-13726
    https://nvd.nist.gov/vuln/detail/CVE-2017-13727
    
    Patches from:
    CVE-2017-13726:
    https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e
    
    CVE-2017-13727:
    https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc
    
    (From OE-Core rev: 8dc9d74b7e6816f59eb61dcda6a93c0753a5e4ab)
    
    Signed-off-by: Yi Zhao <yi zhao windriver com>
    Signed-off-by: Ross Burton <ross burton intel com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 .../libtiff/files/CVE-2017-13726.patch             |   54 ++++++++++++++++
 .../libtiff/files/CVE-2017-13727.patch             |   65 ++++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.8.bb      |    2 +
 3 files changed, 121 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
new file mode 100644
index 0000000..c60ffa6
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-13726.patch
@@ -0,0 +1,54 @@
+From 5317ce215936ce611846557bb104b49d3b4c8345 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even rouault spatialys com>
+Date: Wed, 23 Aug 2017 13:21:41 +0000
+Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not
+ finding the SubIFD tag by runtime check. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e]
+
+CVE: CVE-2017-13726
+
+Signed-off-by: Yi Zhao <yi zhao windriver com>
+---
+ ChangeLog              | 7 +++++++
+ libtiff/tif_dirwrite.c | 7 ++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 6980da8..3e299d9 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-08-23  Even Rouault <even.rouault at spatialys.com>
++
++      * libtiff/tif_dirwrite.c: replace assertion related to not finding the
++      SubIFD tag by runtime check.
++      Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
++      Reported by team OWL337
++
+ 2017-07-15  Even Rouault <even.rouault at spatialys.com>
+ 
+       * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 8d6686b..14090ae 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+                       TIFFDirEntry* nb;
+                       for (na=0, nb=dir; ; na++, nb++)
+                       {
+-                              assert(na<ndir);
++                              if( na == ndir )
++                                {
++                                    TIFFErrorExt(tif->tif_clientdata,module,
++                                                 "Cannot find SubIFD tag");
++                                    goto bad;
++                                }
+                               if (nb->tdir_tag==TIFFTAG_SUBIFD)
+                                       break;
+                       }
+-- 
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
new file mode 100644
index 0000000..e228c2f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
@@ -0,0 +1,65 @@
+From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
+From: Even Rouault <even rouault spatialys com>
+Date: Wed, 23 Aug 2017 13:33:42 +0000
+Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
+ fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
+ TIFFWriteDirectoryTagSubifd()). Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
+
+SubIFD tag by runtime check (in TIFFWriteDirectorySec())
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
+
+CVE: CVE-2017-13727
+
+Signed-off-by: Yi Zhao <yi zhao windriver com>
+---
+ ChangeLog              | 10 +++++++++-
+ libtiff/tif_dirwrite.c |  9 ++++++++-
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 3e299d9..8f5efe9 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,7 +1,15 @@
+ 2017-08-23  Even Rouault <even.rouault at spatialys.com>
+ 
++      * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
++      on uint32 when selecting the value of SubIFD tag by runtime check
++      (in TIFFWriteDirectoryTagSubifd()).
++      Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
++      Reported by team OWL337
++
++2017-08-23  Even Rouault <even.rouault at spatialys.com>
++
+       * libtiff/tif_dirwrite.c: replace assertion related to not finding the
+-      SubIFD tag by runtime check.
++      SubIFD tag by runtime check (in TIFFWriteDirectorySec())
+       Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
+       Reported by team OWL337
+ 
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 14090ae..f0a4baa 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
+               for (p=0; p < tif->tif_dir.td_nsubifd; p++)
+               {
+                         assert(pa != 0);
+-                      assert(*pa <= 0xFFFFFFFFUL);
++
++                        /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
++                        if( *pa > 0xFFFFFFFFUL)
++                        {
++                            TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
++                            _TIFFfree(o);
++                            return(0);
++                        }
+                       *pb++=(uint32)(*pa++);
+               }
+               n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
+-- 
+2.7.4
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
index c8ad5d5..cb91baa 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.8.bb
@@ -10,6 +10,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2017-9936.patch \
            file://CVE-2017-10688.patch \
            file://CVE-2017-11335.patch \
+           file://CVE-2017-13726.patch \
+           file://CVE-2017-13727.patch \
           "
 
 SRC_URI[md5sum] = "2a7d1c1318416ddf36d5f6fa4600069b"


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]