[OE-core] [PATCH] tiff: Security fixes
Fix CVE-2017-99935, CVE-2017-18013, CVE-2018-5784 References: https://nvd.nist.gov/vuln/detail/CVE-2017-9935 https://nvd.nist.gov/vuln/detail/CVE-2017-18013 https://nvd.nist.gov/vuln/detail/CVE-2018-5784 Patches from: CVE-2017-9935: https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 CVE-2017-18013: https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 CVE-2018-5784: https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef Signed-off-by: Yi Zhao--- .../libtiff/files/CVE-2017-18013.patch | 42 ++ .../libtiff/files/CVE-2017-9935.patch | 160 + .../libtiff/files/CVE-2018-5784.patch | 135 + meta/recipes-multimedia/libtiff/tiff_4.0.9.bb | 3 + 4 files changed, 340 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch new file mode 100644 index 000..878e0de --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch @@ -0,0 +1,42 @@ +From 293c8b0298e91d20ba51291e2351ab7d110671d0 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer + dereference on corrupted file. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01] + +CVE: CVE-2017-18013 + +Signed-off-by: Yi Zhao +--- + libtiff/tif_print.c | 8 + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 24d4b98..f494cfb 100644 +--- a/libtiff/tif_print.c b/libtiff/tif_print.c +@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, "%3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, "%3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } +-- +2.7.4 + diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch new file mode 100644 index 000..60684dd --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch @@ -0,0 +1,160 @@ +From abb0055d21c52a9925314d5b0628fb2b6307619c Mon Sep 17 00:00:00 2001 +From: Brian May +Date: Thu, 7 Dec 2017 07:46:47 +1100 +Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 + +Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +This vulnerability - at least for the supplied test case - is because we +assume that a tiff will only have one transfer function that is the same +for all pages. This is not required by the TIFF standards. + +We than read the transfer function for every page. Depending on the +transfer function, we allocate either 2 or 4 bytes to the XREF buffer. +We allocate this memory after we read in the transfer function for the +page. + +For the first exploit - POC1, this file has 3 pages. For the first page +we allocate 2 extra extra XREF entries. Then for the next page 2 more +entries. Then for the last page the transfer function changes and we +allocate 4 more entries. + +When we read the file into memory, we assume we have 4 bytes extra for +each and every page (as per the last transfer function we read). Which +is not correct, we only have 2 bytes extra for the first 2 pages. As a +result, we end up writing past the end of the buffer. + +There are also some related issues that this also fixes. For example, +TIFFGetField can return uninitalized pointer values, and the logic to +detect a N=3 vs N=1 transfer function seemed rather strange. + +It is also strange that we declare the transfer
[OE-core] [PATCH] tiff: Security fixes
Fix CVE-2017-9147, CVE-2017-9936, CVE-2017-10668, CVE-2017-11335 References: https://nvd.nist.gov/vuln/detail/CVE-2017-9147 https://nvd.nist.gov/vuln/detail/CVE-2017-9936 https://nvd.nist.gov/vuln/detail/CVE-2017-10668 https://nvd.nist.gov/vuln/detail/CVE-2017-11335 Patches from: CVE-2017-9147: https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06 CVE-2017-9936: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a CVE-2017-10688: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 CVE-2017-11355: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 Signed-off-by: Yi Zhao--- .../libtiff/files/CVE-2017-10688.patch | 91 + .../libtiff/files/CVE-2017-11335.patch | 54 ++ .../libtiff/files/CVE-2017-9147.patch | 206 + .../libtiff/files/CVE-2017-9936.patch | 49 + meta/recipes-multimedia/libtiff/tiff_4.0.8.bb | 4 + 5 files changed, 404 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch new file mode 100644 index 000..b0db969 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch @@ -0,0 +1,91 @@ +From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Fri, 30 Jun 2017 17:29:44 + +Subject: [PATCH] * libtiff/tif_dirwrite.c: in + TIFFWriteDirectoryTagChecked() functions associated with LONG8/SLONG8 + data type, replace assertion that the file is BigTIFF, by a non-fatal error. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team + OWL337 + +Upstream-Status: Backport +[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1] + +CVE: CVE-2017-10688 + +Signed-off-by: Yi Zhao +--- + ChangeLog | 8 + libtiff/tif_dirwrite.c | 20 + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 0240f0b..42eaeb7 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,11 @@ ++2017-06-30 Even Rouault ++ ++ * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagChecked() ++ functions associated with LONG8/SLONG8 data type, replace assertion that ++ the file is BigTIFF, by a non-fatal error. ++ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 ++ Reported by team OWL337 ++ + 2017-06-26 Even Rouault + + * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index 2967da5..8d6686b 100644 +--- a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui + { + uint64 m; + assert(sizeof(uint64)==8); +- assert(tif->tif_flags_BIGTIFF); ++ if( !(tif->tif_flags_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + m=value; + if (tif->tif_flags_SWAB) + TIFFSwabLong8(); +@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di + { + assert(count<0x2000); + assert(sizeof(uint64)==8); +- assert(tif->tif_flags_BIGTIFF); ++ if( !(tif->tif_flags_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + if (tif->tif_flags_SWAB) + TIFFSwabArrayOfLong8(value,count); + return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); +@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u + { + int64 m; + assert(sizeof(int64)==8); +- assert(tif->tif_flags_BIGTIFF); ++ if( !(tif->tif_flags_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + m=value; + if (tif->tif_flags_SWAB) + TIFFSwabLong8((uint64*)()); +@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d + { + assert(count<0x2000); + assert(sizeof(int64)==8); +- assert(tif->tif_flags_BIGTIFF); ++ if(