This repository has been archived by the owner on Nov 17, 2023. It is now read-only.

[WIP][Dependency Update] Upgrade the libtiff to 4.0.10 #14623

Merged
merged 5 commits into from
Apr 10, 2019

Conversation

stu1130
Contributor

@stu1130 stu1130 commented Apr 4, 2019

Description

Please don't merge until I add a publish test on CI for the CUDA part.

Upgrade the libtiff package to 4.0.10 due to several issues in 4.0.9:

  1. tif_jbig.c JBIGDecode out-of-bounds write
  2. two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c

Please find more details in the CVEs.

Checklist

Essentials

  • Test build with Ubuntu 14.04
  • Test build with Ubuntu 16.04

Changes

  • GitLab didn't provide a version 4.0.10 zip file, so the mirror site from the official website is used instead

Comments

@stu1130 stu1130 requested a review from szha as a code owner April 4, 2019 23:07
Member

@wkcn wkcn left a comment


LGTM. Thank you for the fix!

@piyushghai
Contributor

Thanks for your contributions @stu1130. The CI seems to be failing. Can you look into this?
@mxnet-label-bot Add [Build, pr-awaiting-merge]

@marcoabreu marcoabreu added Build pr-awaiting-merge Review and CI is complete. Ready to Merge labels Apr 5, 2019
@wkcn wkcn merged commit fde4963 into apache:master Apr 10, 2019
wkcn added a commit that referenced this pull request Apr 10, 2019
@wkcn
Member

wkcn commented Apr 10, 2019

Sorry that I merged the PR by mistake. Do we need to revert the PR, since the CI has passed?

@szha
Member

szha commented Apr 10, 2019

@wkcn the previous CI failures don't seem to be related to this. There is a CI test for building the static library which depends on this (I'm not sure if the CI has tests specifically for this dependency though). In any case, it doesn't seem like a revert is urgently necessary right now.

@wkcn
Member

wkcn commented Apr 10, 2019

@szha Thank you! I will pay more attention next time.

@lanking520
Member

The static build should trigger and verify the script to see if it is working.

@stu1130
Contributor Author

stu1130 commented Apr 10, 2019

@wkcn "Static build CPU 14.04 Python" and "Static build CPU 14.04 Scala" in ubuntu cpu have been tested against the script. I just want to make sure it also works in Ubuntu 16.04. Since we're still using Ubuntu 14.04 to build the package, there's no worry. Thanks for your hard work.

haohuanw pushed a commit to haohuanw/incubator-mxnet that referenced this pull request Jun 23, 2019
* upgrade the libtiff to 4.0.10

* retrigger CI

* retrigger CI

* retrigger CI

* Retrigger CI
@CarlWilson111

I triggered the vulnerability from the C library Libtiff 4.0.9 when I used an older version of incubator-mxnet, causing an out-of-bounds write in the buffer. A call chain that reaches the vulnerable function JBIGDecode() is as follows:

(python code) mxnet/image.py: def imread(filename, *args, **kwargs)
(libmxnet.so) imgcodecs/src/loadsave.cpp: Mat imread( const String& filename, int flags );
(libopencv.so) imgcodecs/src/grfmt_tiff.cpp: bool TiffDecoder::readData( Mat& img );
(libopencv.so) imgcodecs/src/grfmt_tiff.cpp: bool TiffDecoder::readData_32FC1(Mat& img);
(libtiff.so) libtiff/tif_read.c: int TIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample);
(libtiff.so) libtiff/tif_read.c: static int TIFFSeek(TIFF* tif, uint32 row, uint16 sample );

I have upgraded to incubator-mxnet's newest version to avoid the issues. I'm sharing the info in this report for reference. It seems that our Python projects should keep an eye on the CVEs of C libraries.

@CarlWilson111

By the way, incubator-mxnet depends on libmxnet.so; I figured out that the shared library comes from Libtiff 4.0.9 based on incubator-mxnet's development docs.
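The call chain above ends in a native library that a Python caller never sees directly, which is the practical problem behind "keep an eye on the CVEs of C libraries". Added example, not code from MXNet, OpenCV or libtiff: a small Python check that asks the libtiff actually loadable in the process for its version banner via the real libtiff export TIFFGetVersion() and classifies it against the 4.0.10 floor this PR moves to. The library names tried and the MIN_SAFE threshold are assumptions of this example; the libtiff statically bundled into a particular libmxnet.so build may live elsewhere, in which case pass its path to ctypes.CDLL directly.

```python
"""Report whether the libtiff a Python process can load predates 4.0.10.

Added example (not MXNet/OpenCV/libtiff code). Assumptions:
  - libtiff exports TIFFGetVersion() returning a banner such as
    "LIBTIFF, Version 4.0.9\nCopyright (c) ..." (it does).
  - The candidate shared-library names below are the common ones; a
    libtiff bundled inside a specific libmxnet.so may need its own path.
"""
import ctypes
import ctypes.util
import re
from typing import Optional, Tuple

# Version this PR upgrades to; anything older is reported as affected.
# Assumed threshold for this example.
MIN_SAFE = (4, 0, 10)

_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_libtiff_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a TIFFGetVersion() banner.

    Returns None when no version string is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version is older than MIN_SAFE.

    Tuples compare numerically, so (4, 0, 9) < (4, 0, 10) as intended;
    a plain string comparison ranks "4.0.9" above "4.0.10" and would
    wrongly report a vulnerable build as fixed."""
    return version < MIN_SAFE


def classify(banner: str) -> str:
    """Map a version banner to 'affected', 'ok' or 'unknown'."""
    ver = parse_libtiff_version(banner)
    if ver is None:
        return "unknown"
    return "affected" if is_affected(ver) else "ok"


def loaded_libtiff_version(extra_paths: Tuple[str, ...] = ()) -> Optional[str]:
    """Return the banner of the first libtiff ctypes can load, or None.

    Best effort: tries any explicit paths first, then the platform lookup
    and the usual soname spellings (assumed names for this example)."""
    candidates = list(extra_paths) + [
        ctypes.util.find_library("tiff"), "libtiff.so.5", "libtiff.so",
    ]
    for name in candidates:
        if not name:
            continue
        try:
            lib = ctypes.CDLL(name)
        except OSError:
            continue
        lib.TIFFGetVersion.restype = ctypes.c_char_p
        lib.TIFFGetVersion.argtypes = []
        return lib.TIFFGetVersion().decode("ascii", "replace")
    return None


if __name__ == "__main__":
    # Constructed banners in the real TIFFGetVersion() format, for offline use.
    for sample in (
        "LIBTIFF, Version 4.0.9\nCopyright (c) 1988-1996 Sam Leffler",
        "LIBTIFF, Version 4.0.10\nCopyright (c) 1988-1996 Sam Leffler",
    ):
        print(repr(sample.splitlines()[0]), "->", classify(sample))
    live = loaded_libtiff_version()
    if live is None:
        print("system libtiff: not found -> unknown")
    else:
        print("system libtiff:", live.splitlines()[0], "->", classify(live))
```

Run it inside the same interpreter that imports mxnet so the loader search path matches; if the bundled copy is not on that path, the "system libtiff" line only tells you about the distro package, not about what mxnet.image.imread will actually call.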
