diff options
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-multimedia/libtiff')
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch | 137 | ||||
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch | 195 | ||||
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch | 73 | ||||
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch | 24 | ||||
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch | 49 | ||||
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch | 107 | ||||
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb (renamed from import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb) | 12 |
7 files changed, 4 insertions, 593 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch deleted file mode 100644 index 39c5059c7..000000000 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch +++ /dev/null @@ -1,137 +0,0 @@ -From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sat, 26 Dec 2015 17:32:03 +0000 -Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in - TIFFRGBAImage interface in case of unsupported values of - SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to - TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by - limingxing and CVE-2015-8683 reported by zzf of Alibaba. - -Upstream-Status: Backport -CVE: CVE-2015-8665 -CVE: CVE-2015-8683 -https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - ChangeLog | 8 ++++++++ - libtiff/tif_getimage.c | 35 ++++++++++++++++++++++------------- - 2 files changed, 30 insertions(+), 13 deletions(-) - -Index: tiff-4.0.6/libtiff/tif_getimage.c -=================================================================== ---- tiff-4.0.6.orig/libtiff/tif_getimage.c -+++ tiff-4.0.6/libtiff/tif_getimage.c -@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102 - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel != 3 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d", -- "Samples/pixel", td->td_samplesperpixel); -+ "Sorry, can not handle image with %s=%d, %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); - return 0; - } - break; - case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d and %s=%d", -+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", - "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, - "Bits/sample", td->td_bitspersample); - return 0; - } -@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T - int colorchannels; - uint16 *red_orig, *green_orig, *blue_orig; - int n_color; -+ -+ if( !TIFFRGBAImageOK(tif, emsg) ) -+ return 0; - - /* Initialize to normal values */ - img->row_offset = 0; -@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img) - case PHOTOMETRIC_RGB: - switch (img->bitspersample) { - case 8: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >= 4) - img->put.contig = putRGBAAcontig8bittile; -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >= 4) - { - if (BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig8bittile; - } -- else -+ else if( img->samplesperpixel >= 3 ) - img->put.contig = putRGBcontig8bittile; - break; - case 16: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBAAcontig16bittile; - } -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img) && - BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig16bittile; - } -- else -+ else if( img->samplesperpixel >=3 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBcontig16bittile; -@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_SEPARATED: -- if (buildMap(img)) { -+ if (img->samplesperpixel >=4 && buildMap(img)) { - if (img->bitspersample == 8) { - if (!img->Map) - img->put.contig = putRGBcontig8bitCMYKtile; -@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img) - } - break; - case PHOTOMETRIC_CIELAB: -- if (buildMap(img)) { -+ if (img->samplesperpixel == 3 && buildMap(img)) { - if (img->bitspersample == 8) - img->put.contig = initCIELabConversion(img); - break; -Index: tiff-4.0.6/ChangeLog -=================================================================== ---- tiff-4.0.6.orig/ChangeLog -+++ tiff-4.0.6/ChangeLog -@@ -1,3 +1,11 @@ -+2015-12-26 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage -+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples -+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in -+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and -+ CVE-2015-8683 reported by zzf of Alibaba. -+ - 2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> - - * libtiff 4.0.6 released. diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch deleted file mode 100644 index 0846f0f68..000000000 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch +++ /dev/null @@ -1,195 +0,0 @@ -From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sun, 27 Dec 2015 16:25:11 +0000 -Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in - decode functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). Fix potential out-of-bound reads in case of short - input data. - -Upstream-Status: Backport - -https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 -hand applied Changelog changes - -CVE: CVE-2015-8781 - -Signed-off-by: Armin Kuster <akuster@mvista.com> ---- - ChangeLog | 7 +++++++ - libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++----------- - 2 files changed, 51 insertions(+), 11 deletions(-) - -Index: tiff-4.0.4/ChangeLog -=================================================================== ---- tiff-4.0.4.orig/ChangeLog -+++ tiff-4.0.4/ChangeLog -@@ -1,3 +1,10 @@ -+2015-12-27 Even Rouault <even.rouault at spatialys.com> -+ -+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode -+ functions in non debug builds by replacing assert()s by regular if -+ checks (bugzilla #2522). -+ Fix potential out-of-bound reads in case of short input data. -+ - 2015-12-26 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage -Index: tiff-4.0.4/libtiff/tif_luv.c -=================================================================== ---- tiff-4.0.4.orig/libtiff/tif_luv.c -+++ tiff-4.0.4/libtiff/tif_luv.c -@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz - if (sp->user_datafmt == SGILOGDATAFMT_16BIT) - tp = (int16*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (int16*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 2*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ if( cc < 2 ) -+ break; -+ rc = *bp++ + (2-128); - b = (int16)(*bp++ << shft); - cc -= 2; - while (rc-- && i < npixels) -@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz - while (--cc && rc-- && i < npixels) - tp[i++] |= (int16)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32 *)op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32 *) sp->tbuf; - } - /* copy to array of uint32 */ - bp = (unsigned char*) tif->tif_rawcp; - cc = tif->tif_rawcc; -- for (i = 0; i < npixels && cc > 0; i++) { -+ for (i = 0; i < npixels && cc >= 3; i++) { - tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; - bp += 3; - cc -= 3; -@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 4*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -+ if( cc < 2 ) -+ break; - rc = *bp++ + (2-128); - b = (uint32)*bp++ << shft; -- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ cc -= 2; - while (rc-- && i < npixels) - tp[i++] |= b; - } else { /* non-run */ -@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms - while (--cc && rc-- && i < npixels) - tp[i++] |= (uint32)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t - static int - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogL16Encode"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz - tp = (int16*) bp; - else { - tp = (int16*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz - static int - LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode24"; - LogLuvState* sp = EncoderState(tif); - tmsize_t i; - tmsize_t npixels; -@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* write out encoded pixels */ -@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms - static int - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode32"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch deleted file mode 100644 index 0caf800e2..000000000 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch +++ /dev/null @@ -1,73 +0,0 @@ -From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Sun, 27 Dec 2015 16:55:20 +0000 -Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in - NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif - (bugzilla #2508) - -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c -hand applied Changelog changes - -CVE: CVE-2015-8784 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - ChangeLog | 6 ++++++ - libtiff/tif_next.c | 10 ++++++++-- - 2 files changed, 14 insertions(+), 2 deletions(-) - -Index: tiff-4.0.4/ChangeLog -=================================================================== ---- tiff-4.0.4.orig/ChangeLog -+++ tiff-4.0.4/ChangeLog -@@ -1,5 +1,11 @@ - 2015-12-27 Even Rouault <even.rouault at spatialys.com> - -+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() -+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif -+ (bugzilla #2508) -+ -+2015-12-27 Even Rouault <even.rouault at spatialys.com> -+ - * libtiff/tif_luv.c: fix potential out-of-bound writes in decode - functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). -Index: tiff-4.0.4/libtiff/tif_next.c -=================================================================== ---- tiff-4.0.4.orig/libtiff/tif_next.c -+++ tiff-4.0.4/libtiff/tif_next.c -@@ -37,7 +37,7 @@ - case 0: op[0] = (unsigned char) ((v) << 6); break; \ - case 1: op[0] |= (v) << 4; break; \ - case 2: op[0] |= (v) << 2; break; \ -- case 3: *op++ |= (v); break; \ -+ case 3: *op++ |= (v); op_offset++; break; \ - } \ - } - -@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize - uint32 imagewidth = tif->tif_dir.td_imagewidth; - if( isTiled(tif) ) - imagewidth = tif->tif_dir.td_tilewidth; -+ tmsize_t op_offset = 0; - - /* - * The scanline is composed of a sequence of constant -@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize - * bounds, potentially resulting in a security - * issue. - */ -- while (n-- > 0 && npixels < imagewidth) -+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) - SETPIXEL(op, grey); - if (npixels >= imagewidth) - break; -+ if (op_offset >= scanline ) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", -+ (long) tif->tif_row); -+ return (0); -+ } - if (cc == 0) - goto bad; - n = *bp++, cc--; diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch deleted file mode 100644 index 4a08aba21..000000000 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch +++ /dev/null @@ -1,24 +0,0 @@ -Buffer overflow in the readextension function in gif2tiff.c -allows remote attackers to cause a denial of service via a crafted GIF file. - -External References: -https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186 -https://bugzilla.redhat.com/show_bug.cgi?id=1319503 - -CVE: CVE-2016-3186 -Upstream-Status: Backport (RedHat) -https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff - -Signed-off-by: Yi Zhao <yi.zhao@windirver.com> - ---- tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:43:01.586048341 +0200 -+++ tiff-4.0.6/tools/gif2tiff.c 2016-04-06 15:48:05.523207710 +0200 -@@ -349,7 +349,7 @@ - int status = 1; - - (void) getc(infile); -- while ((count = getc(infile)) && count <= 255) -+ while ((count = getc(infile)) && count >= 0 && count <= 255) - if (fread(buf, 1, count, infile) != (size_t) count) { - fprintf(stderr, "short read from file %s (%s)\n", - filename, strerror(errno)); diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch deleted file mode 100644 index 63c665024..000000000 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch +++ /dev/null @@ -1,49 +0,0 @@ -From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 11 Jul 2016 21:26:03 +0000 -Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack - allocated array on a tiled separate TIFF with more than 8 samples per pixel. - Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 - (CVE-2016-5321, bugzilla #2558) - -CVE: CVE-2016-5321 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0 - -Signed-off-by: Yi Zhao <yi.zhao@windirver.com> ---- - ChangeLog | 7 +++++++ - tools/tiffcrop.c | 2 +- - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index e98d54d..4e0302f 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,10 @@ -+2016-07-11 Even Rouault <even.rouault at spatialys.com> -+ -+ * tools/tiffcrop.c: Avoid access outside of stack allocated array -+ on a tiled separate TIFF with more than 8 samples per pixel. -+ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 -+ (CVE-2016-5321, bugzilla #2558) -+ - 2015-12-27 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index d959ae3..6fc8fc1 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf, - nrow = (row + tl > imagelength) ? imagelength - row : tl; - for (col = 0; col < imagewidth; col += tw) - { -- for (s = 0; s < spp; s++) -+ for (s = 0; s < spp && s < MAX_SAMPLES; s++) - { /* Read each plane of a tile set into srcbuffs[s] */ - tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s); - if (tbytes < 0 && !ignore) --- -2.7.4 - diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch deleted file mode 100644 index 41eab91ab..000000000 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001 -From: erouault <erouault> -Date: Mon, 11 Jul 2016 21:38:31 +0000 -Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) - -CVE: CVE-2016-5323 -Upstream-Status: Backport -https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31 - -Signed-off-by: Yi Zhao <yi.zhao@windirver.com> ---- - ChangeLog | 2 +- - tools/tiffcrop.c | 16 ++++++++-------- - 2 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 4e0302f..62dc1b5 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -3,7 +3,7 @@ - * tools/tiffcrop.c: Avoid access outside of stack allocated array - on a tiled separate TIFF with more than 8 samples per pixel. - Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 -- (CVE-2016-5321, bugzilla #2558) -+ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) - - 2016-07-10 Even Rouault <even.rouault at spatialys.com> - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 6fc8fc1..27abc0b 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols, - - matchbits = maskbits << (8 - src_bit - bps); - /* load up next sample from each plane */ -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - buff1 = ((*src) & matchbits) << (src_bit); -@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (16 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (32 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (64 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols, - - matchbits = maskbits << (8 - src_bit - bps); - /* load up next sample from each plane */ -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - buff1 = ((*src) & matchbits) << (src_bit); -@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (16 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (32 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols, - src_bit = bit_offset % 8; - - matchbits = maskbits << (64 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) --- -2.7.4 - diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb index 8147bc4fb..729678208 100644 --- a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb +++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb @@ -2,18 +2,14 @@ SUMMARY = "Provides support for the Tag Image File Format (TIFF)" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" +CVE_PRODUCT = "libtiff" + SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://libtool2.patch \ - file://CVE-2015-8665_8683.patch \ - file://CVE-2015-8781.patch \ - file://CVE-2015-8784.patch \ - file://CVE-2016-3186.patch \ - file://CVE-2016-5321.patch \ - file://CVE-2016-5323.patch \ " -SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72" -SRC_URI[sha256sum] = "4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c" +SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b" +SRC_URI[sha256sum] = "9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019" # exclude betas UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" |