From patchwork Thu Jul 25 04:03:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anuj Mittal X-Patchwork-Id: 169669 Delivered-To: patch@linaro.org Received: by 2002:a92:4782:0:0:0:0:0 with SMTP id e2csp11081921ilk; Wed, 24 Jul 2019 21:05:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqywex9bz1qtcQ1ykGj5JLUUM6S9zWuybTDyCOnaPfeiQ8NpdNcwfpBtTVM7Cbb4NimxSHhu X-Received: by 2002:a62:174a:: with SMTP id 71mr15038463pfx.140.1564027504108; Wed, 24 Jul 2019 21:05:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564027504; cv=none; d=google.com; s=arc-20160816; b=Q5lwWthUkisq9+hbqFtmNj8iZcZ9J8/GOS26pypFFyspiCm/LV3vxgogESx8LeT97F HPTz0wyJd1UPgZTqkGAyn0numQubGP3A7wvVV91GkZkBWnMcsLCm/HEAyNNjJnOjYimi c1dgFZOz48Gd0rKDUdNGfQsul8NtFeTCxSTRjCWgthhnfkl7K4hESHW8ddKNKFBlHffq 3kZSNUHOwJt+3AXjbCWgYNKvL7MDI3r1tAneQ0RicRfYOISoNmsI7hkh/1ecO2xo0ejK +0h8iTSa1Te5TxCXUdxu4TcANWCwMNrELTYLYmipysTBeZThwsfQGyzV4bR5Aq9+EM2C hqjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:delivered-to; bh=bAbqvTsZHxp/a/m/a24aYetyCgc7Ex/jm5fYa1JxflI=; b=Misz0EczD4CUPulNiUjzAQZu3+NMDZy0EM7Td1XbSETTuWyKsTohBu0FWNNPBQzGft iS1SJ2RV/+9y3G0qASss4IYjXDRhT4MuxeXpzpGFnOiXcq9YmAvW7Bulz47uKteFTFyn EAOwWdUoyx76d9SreAisQXf2KMIU4cuq96wosepABO3ZPxwRpoFLOFgH94sngVGLlRZt 3TWC5SbI+5NQIvy5AWQdMXgzekRR8/g9Iz44z6QoiLriD0dysL7qvQBou/AG0f4htxef J/zAceCyfxC8shi2zixDcuVLCYXST/9HF9qIdMCnj1ZecpR5ziFM7/Z/jdXTF/y0CY+j H2QA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id u20si14947428plq.421.2019.07.24.21.05.03; Wed, 24 Jul 2019 21:05:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 3D93A7F1ED; Thu, 25 Jul 2019 04:04:19 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mail.openembedded.org (Postfix) with ESMTP id B63957F18F for ; Thu, 25 Jul 2019 04:03:38 +0000 (UTC) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Jul 2019 21:03:39 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,305,1559545200"; d="scan'208";a="189233235" Received: from andromeda02.png.intel.com ([10.221.183.11]) by fmsmga001.fm.intel.com with ESMTP; 24 Jul 2019 21:03:39 -0700 From: Anuj Mittal To: akuster808@gmail.com, openembedded-core@lists.openembedded.org Date: Thu, 25 Jul 2019 12:03:04 +0800 Message-Id: <1564027386-8107-9-git-send-email-anuj.mittal@intel.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1564027386-8107-1-git-send-email-anuj.mittal@intel.com> References: <1564027386-8107-1-git-send-email-anuj.mittal@intel.com> Subject: [OE-core] [warrior][PATCH 09/11] tiff: fix CVE-2019-7663 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org From: Ross Burton (From OE-Core rev: d06d6910d1ec9374bb15e02809e64e81198731b6) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- .../libtiff/tiff/CVE-2019-7663.patch | 77 ++++++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | 3 +- 2 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch new file mode 100644 index 0000000..f244fb2 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch @@ -0,0 +1,77 @@ +CVE: CVE-2019-7663 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 10:05:33 +0100 +Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow + +fixes bug 2833 +--- + tools/tiffcp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 2f406e2d..f0ee2c02 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + int status = 1; + uint32 imagew = TIFFRasterScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew*spp; ++ int iskew; + tsize_t tilesize = TIFFTileSize(in); + tdata_t tilebuf; + uint8* bufp = (uint8*) buf; +@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + ++ if (spp > (0x7fffffff / tilew)) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); ++ return 0; ++ } ++ iskew = imagew - tilew*spp; + tilebuf = _TIFFmalloc(tilesize); + if (tilebuf == 0) + return 0; +-- +2.20.1 + + +From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 21:42:03 +0100 +Subject: [PATCH 2/2] tiffcp.c: use INT_MAX + +--- + tools/tiffcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index f0ee2c02..8c81aa4f 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + + #include + +@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + +- if (spp > (0x7fffffff / tilew)) ++ if (spp > (INT_MAX / tilew)) + { + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); + return 0; +-- +2.20.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb index a82d744..8e3e227 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb @@ -6,7 +6,8 @@ CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://libtool2.patch \ - file://CVE-2019-6128.patch" + file://CVE-2019-6128.patch \ + file://CVE-2019-7663.patch \ " SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"