diff options
Diffstat (limited to 'poky/meta/recipes-multimedia/libtiff')
4 files changed, 131 insertions, 27 deletions
diff --git a/poky/meta/recipes-multimedia/libtiff/files/libtool2.patch b/poky/meta/recipes-multimedia/libtiff/files/libtool2.patch deleted file mode 100644 index 96233b46c..000000000 --- a/poky/meta/recipes-multimedia/libtiff/files/libtool2.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 5b893206e0a0d529ba2d0caf58cfffc03bccb598 Mon Sep 17 00:00:00 2001 -From: Marcin Juszkiewicz <hrw@openedhand.com> -Date: Sat, 14 Jun 2008 13:42:22 +0000 -Subject: [PATCH] tiff: make it work after libtool upgrade - -Upstream-Status: Inappropriate [configuration] - ---- - configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index c7b02e2..ae1c964 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -27,7 +27,7 @@ dnl Process this file with autoconf to produce a configure script. - AC_PREREQ(2.64) - AC_INIT([LibTIFF Software],[4.0.10],[tiff@lists.maptools.org],[tiff]) - AC_CONFIG_AUX_DIR(config) --AC_CONFIG_MACRO_DIR(m4) -+dnl AC_CONFIG_MACRO_DIR(m4) - AC_LANG(C) - - dnl Compute the canonical host (run-time) system type variable diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch new file mode 100644 index 000000000..6f1fd4d44 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch @@ -0,0 +1,52 @@ +CVE: CVE-2019-6128 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001 +From: Scott Gayou <github.scott@gmail.com> +Date: Wed, 23 Jan 2019 15:03:53 -0500 +Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128. + +pal2rgb failed to free memory on a few errors. This was reported +here: http://bugzilla.maptools.org/show_bug.cgi?id=2836. +--- + tools/pal2rgb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 01d8502ec..9492f1cf1 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -118,12 +118,14 @@ main(int argc, char* argv[]) + shortv != PHOTOMETRIC_PALETTE) { + fprintf(stderr, "%s: Expecting a palette image.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) { + fprintf(stderr, + "%s: No colormap (not a valid palette image).\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + bitspersample = 0; +@@ -131,11 +133,14 @@ main(int argc, char* argv[]) + if (bitspersample != 8) { + fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + out = TIFFOpen(argv[optind+1], "w"); +- if (out == NULL) ++ if (out == NULL) { ++ (void) TIFFClose(in); + return (-2); ++ } + cpTags(in, out); + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); +-- +2.21.0 diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch new file mode 100644 index 000000000..f244fb2f3 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch @@ -0,0 +1,77 @@ +CVE: CVE-2019-7663 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard <miniupnp@free.fr> +Date: Mon, 11 Feb 2019 10:05:33 +0100 +Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow + +fixes bug 2833 +--- + tools/tiffcp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 2f406e2d..f0ee2c02 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + int status = 1; + uint32 imagew = TIFFRasterScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew*spp; ++ int iskew; + tsize_t tilesize = TIFFTileSize(in); + tdata_t tilebuf; + uint8* bufp = (uint8*) buf; +@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + ++ if (spp > (0x7fffffff / tilew)) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); ++ return 0; ++ } ++ iskew = imagew - tilew*spp; + tilebuf = _TIFFmalloc(tilesize); + if (tilebuf == 0) + return 0; +-- +2.20.1 + + +From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard <miniupnp@free.fr> +Date: Mon, 11 Feb 2019 21:42:03 +0100 +Subject: [PATCH 2/2] tiffcp.c: use INT_MAX + +--- + tools/tiffcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index f0ee2c02..8c81aa4f 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -41,6 +41,7 @@ + #include <stdio.h> + #include <stdlib.h> + #include <string.h> ++#include <limits.h> + + #include <ctype.h> + +@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + +- if (spp > (0x7fffffff / tilew)) ++ if (spp > (INT_MAX / tilew)) + { + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + return 0; +-- +2.20.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb index 152fa819a..999496273 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb +++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb @@ -5,9 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ - file://libtool2.patch \ - " - + file://CVE-2019-6128.patch \ + file://CVE-2019-7663.patch" SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" |