[OE-core] [PATCH] tiff: Security fixes

2018-03-19 Thread Yi Zhao
Fix CVE-2017-9935, CVE-2017-18013, CVE-2018-5784

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-9935
https://nvd.nist.gov/vuln/detail/CVE-2017-18013
https://nvd.nist.gov/vuln/detail/CVE-2018-5784

Patches from:
CVE-2017-9935:
https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
CVE-2017-18013:
https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
CVE-2018-5784:
https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef

Signed-off-by: Yi Zhao 
---
 .../libtiff/files/CVE-2017-18013.patch |  42 ++
 .../libtiff/files/CVE-2017-9935.patch  | 160 +
 .../libtiff/files/CVE-2018-5784.patch  | 135 +
 meta/recipes-multimedia/libtiff/tiff_4.0.9.bb  |   3 +
 4 files changed, 340 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2018-5784.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch
new file mode 100644
index 000..878e0de
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-18013.patch
@@ -0,0 +1,42 @@
+From 293c8b0298e91d20ba51291e2351ab7d110671d0 Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Sun, 31 Dec 2017 15:09:41 +0100
+Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer
+ dereference on corrupted file. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2770
+
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01]
+
+CVE: CVE-2017-18013
+
+Signed-off-by: Yi Zhao 
+---
+ libtiff/tif_print.c | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 24d4b98..f494cfb 100644
+--- a/libtiff/tif_print.c
 b/libtiff/tif_print.c
+@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+   fprintf(fd, "%3lu: [%8I64u, %8I64u]\n",
+   (unsigned long) s,
+-  (unsigned __int64) td->td_stripoffset[s],
+-  (unsigned __int64) td->td_stripbytecount[s]);
++  td->td_stripoffset ? (unsigned __int64) 
td->td_stripoffset[s] : 0,
++  td->td_stripbytecount ? (unsigned __int64) 
td->td_stripbytecount[s] : 0);
+ #else
+   fprintf(fd, "%3lu: [%8llu, %8llu]\n",
+   (unsigned long) s,
+-  (unsigned long long) td->td_stripoffset[s],
+-  (unsigned long long) td->td_stripbytecount[s]);
++  td->td_stripoffset ? (unsigned long long) 
td->td_stripoffset[s] : 0,
++  td->td_stripbytecount ? (unsigned long long) 
td->td_stripbytecount[s] : 0);
+ #endif
+   }
+ }
+-- 
+2.7.4
+
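Review bot: The two guarded fprintf calls on the new side print `0` for every strip whenever `td_stripoffset` or `td_stripbytecount` is NULL, so a corrupted directory is dumped exactly like a valid one whose offsets and byte counts happen to be zero; for a diagnostic routine it is more useful to say the array is missing. The loop header and the rest of TIFFPrintDirectory are outside this hunk, but the cleaner shape would test both pointers once before the loop and emit a single line such as `"  (strip offsets/bytecounts missing)"` instead of iterating with placeholder values. This is a verbatim upstream backport, so that change belongs upstream first; as a stop-gap for the null dereference the backport itself is fine.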
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch
new file mode 100644
index 000..60684dd
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-9935.patch
@@ -0,0 +1,160 @@
+From abb0055d21c52a9925314d5b0628fb2b6307619c Mon Sep 17 00:00:00 2001
+From: Brian May 
+Date: Thu, 7 Dec 2017 07:46:47 +1100
+Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935
+
+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+This vulnerability - at least for the supplied test case - is because we
+assume that a tiff will only have one transfer function that is the same
+for all pages. This is not required by the TIFF standards.
+
+We than read the transfer function for every page.  Depending on the
+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+We allocate this memory after we read in the transfer function for the
+page.
+
+For the first exploit - POC1, this file has 3 pages. For the first page
+we allocate 2 extra extra XREF entries. Then for the next page 2 more
+entries. Then for the last page the transfer function changes and we
+allocate 4 more entries.
+
+When we read the file into memory, we assume we have 4 bytes extra for
+each and every page (as per the last transfer function we read). Which
+is not correct, we only have 2 bytes extra for the first 2 pages. As a
+result, we end up writing past the end of the buffer.
+
+There are also some related issues that this also fixes. For example,
+TIFFGetField can return uninitalized pointer values, and the logic to
+detect a N=3 vs N=1 transfer function seemed rather strange.
+
+It is also strange that we declare the transfer 

[OE-core] [PATCH] tiff: Security fixes

2017-08-21 Thread Yi Zhao
Fix CVE-2017-9147, CVE-2017-9936, CVE-2017-10688, CVE-2017-11335

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-9147
https://nvd.nist.gov/vuln/detail/CVE-2017-9936
https://nvd.nist.gov/vuln/detail/CVE-2017-10688
https://nvd.nist.gov/vuln/detail/CVE-2017-11335

Patches from:
CVE-2017-9147:
https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06
CVE-2017-9936:
https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a
CVE-2017-10688:
https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
CVE-2017-11335:
https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556

Signed-off-by: Yi Zhao 
---
 .../libtiff/files/CVE-2017-10688.patch |  91 +
 .../libtiff/files/CVE-2017-11335.patch |  54 ++
 .../libtiff/files/CVE-2017-9147.patch  | 206 +
 .../libtiff/files/CVE-2017-9936.patch  |  49 +
 meta/recipes-multimedia/libtiff/tiff_4.0.8.bb  |   4 +
 5 files changed, 404 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-11335.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9147.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-9936.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
new file mode 100644
index 000..b0db969
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2017-10688.patch
@@ -0,0 +1,91 @@
+From 333ba5599e87bd7747516d7863d61764e4ca2d92 Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Fri, 30 Jun 2017 17:29:44 +
+Subject: [PATCH] * libtiff/tif_dirwrite.c: in
+ TIFFWriteDirectoryTagChecked() functions associated with LONG8/SLONG8
+ data type, replace assertion that the file is BigTIFF, by a non-fatal error.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team
+ OWL337
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1]
+
+CVE: CVE-2017-10688
+
+Signed-off-by: Yi Zhao 
+---
+ ChangeLog  |  8 
+ libtiff/tif_dirwrite.c | 20 
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 0240f0b..42eaeb7 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,11 @@
++2017-06-30  Even Rouault 
++
++  * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagChecked()
++  functions associated with LONG8/SLONG8 data type, replace assertion that
++  the file is BigTIFF, by a non-fatal error.
++  Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
++  Reported by team OWL337
++
+ 2017-06-26  Even Rouault 
+ 
+   * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 2967da5..8d6686b 100644
+--- a/libtiff/tif_dirwrite.c
 b/libtiff/tif_dirwrite.c
+@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* 
ndir, TIFFDirEntry* dir, ui
+ {
+   uint64 m;
+   assert(sizeof(uint64)==8);
+-  assert(tif->tif_flags_BIGTIFF);
++  if( !(tif->tif_flags_BIGTIFF) ) {
++  
TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not 
allowed for ClassicTIFF");
++  return(0);
++  }
+   m=value;
+   if (tif->tif_flags_SWAB)
+   TIFFSwabLong8();
+@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, 
uint32* ndir, TIFFDirEntry* di
+ {
+   assert(count<0x2000);
+   assert(sizeof(uint64)==8);
+-  assert(tif->tif_flags_BIGTIFF);
++  if( !(tif->tif_flags_BIGTIFF) ) {
++  
TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not 
allowed for ClassicTIFF");
++  return(0);
++  }
+   if (tif->tif_flags_SWAB)
+   TIFFSwabArrayOfLong8(value,count);
+   
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
+@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* 
ndir, TIFFDirEntry* dir, u
+ {
+   int64 m;
+   assert(sizeof(int64)==8);
+-  assert(tif->tif_flags_BIGTIFF);
++  if( !(tif->tif_flags_BIGTIFF) ) {
++  
TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 
not allowed for ClassicTIFF");
++  return(0);
++  }
+   m=value;
+   if (tif->tif_flags_SWAB)
+   TIFFSwabLong8((uint64*)());
+@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, 
uint32* ndir, TIFFDirEntry* d
+ {
+   assert(count<0x2000);
+   assert(sizeof(int64)==8);
+-  assert(tif->tif_flags_BIGTIFF);
++  if(