Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / d7bf8c17eca8f8c89898a7794462c773c449e983^! / . / import-layers / yocto-poky / meta / recipes-multimedia / libtiff / files / CVE-2017-13727.patch
commitd7bf8c17eca8f8c89898a7794462c773c449e983[log] [tgz]
authorBrad Bishop <bradleyb@fuzziesquirrel.com>Sun Feb 25 22:55:05 2018 -0500
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Thu Mar 15 14:22:49 2018 +0000
treed18618fca85ca5f0c077032cc7b009344b60f663
parente2b5abdc9f28cdf8578e5b9be803c8e697443c20 [diff] [blame]
Yocto 2.4

Move OpenBMC to Yocto 2.4(rocko)

Tested: Built and verified Witherspoon and Palmetto images
Change-Id: I12057b18610d6fb0e6903c60213690301e9b0c67
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

diff --git a/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch
new file mode 100644
index 0000000..e228c2f
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-multimedia/libtiff/files/CVE-2017-13727.patch

@@ -0,0 +1,65 @@
+From a5e8245cc67646f7b448b4ca29258eaac418102c Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 23 Aug 2017 13:33:42 +0000
+Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not
+ fitting on uint32 when selecting the value of SubIFD tag by runtime check (in
+ TIFFWriteDirectoryTagSubifd()). Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337
+
+SubIFD tag by runtime check (in TIFFWriteDirectorySec())
+
+Upstream-Status: Backport
+[https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc]
+
+CVE: CVE-2017-13727
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ChangeLog              | 10 +++++++++-
+ libtiff/tif_dirwrite.c |  9 ++++++++-
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 3e299d9..8f5efe9 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,7 +1,15 @@
+ 2017-08-23  Even Rouault <even.rouault at spatialys.com>
+ 
++	* libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
++	on uint32 when selecting the value of SubIFD tag by runtime check
++	(in TIFFWriteDirectoryTagSubifd()).
++	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
++	Reported by team OWL337
++
++2017-08-23  Even Rouault <even.rouault at spatialys.com>
++
+ 	* libtiff/tif_dirwrite.c: replace assertion related to not finding the
+-	SubIFD tag by runtime check.
++	SubIFD tag by runtime check (in TIFFWriteDirectorySec())
+ 	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
+ 	Reported by team OWL337
+ 
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 14090ae..f0a4baa 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)
+ 		for (p=0; p < tif->tif_dir.td_nsubifd; p++)
+ 		{
+                         assert(pa != 0);
+-			assert(*pa <= 0xFFFFFFFFUL);
++
++                        /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */
++                        if( *pa > 0xFFFFFFFFUL)
++                        {
++                            TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");
++                            _TIFFfree(o);
++                            return(0);
++                        }
+ 			*pb++=(uint32)(*pa++);
+ 		}
+ 		n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);
+-- 
+2.7.4
+