[WIP][Dependency Update] Upgrade the libtiff to 4.0.10

[stu1130]

Description

please don't merge until I add publish test on CI for cuda part

Upgrade the libtiff package to 4.0.10 due to lots of issues at 4.0.9.

1. tif_jbig.c JBIGDecode out-of-bounds write
2. two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c

Please find more on CVE

Checklist

Essentials

• Test build with Ubuntu 14.04
• Test build with Ubuntu 16.04

Changes

• gitlab didn't provide version 4.0.10 zip file so use mirror site from the official website

Comments

[wkcn]

LGTM. Thank you for the fix!

[piyushghai]

Thanks for your contributions @stu1130. The CI seems to be failing. Can you look into this ?
@mxnet-label-bot Add [Build, pr-awaiting-merge]

[wkcn]

Sorry that I merged the PR by mistake. Do we need to revert the PR, since the CI has been passed?

[szha]

@wkcn the previous CI failures don't seem to be related to this. There is CI test for building the static library which dependes on this (I'm not sure if the CI has tests specifically for this dependency though). In any case, it doesn't seem like a revert is urgently necessary right now.

[wkcn]

@szha Thank you! I will pay more attention next time.

[lanking520]

The stattic build should trigger and verify the script to see if it is working.

[stu1130]

@wkcn Static build CPU 14.04 Python and Static build CPU 14.04 Scala in ubuntu cpu have tested against the script. I just want to make sure it also works in ubuntu 16.04. Since we're still using ubuntu 14.04 to build the package so no worry. Thanks for your hard work

[CarlWilson111]

I triggered the vulnerability from the C library Libtiff 4.0.9, when I use an older version of incubator-mxnet, causing out-of-bounds write in the buffer. A call chain that accesses to the vulnerable function JBIGDecode() is as follows:

(python code)mxnet/image.py: def imread(filename, *args, **kwargs)
(libmxnet.so)imgcodecs/src/loadsave.cpp: Mat imread( const String& filename, int flags );
(libopencv.so)imgcodes/src/grfmt_tiff.cpp: bool  TiffDecoder::readData( Mat& img );
(libopencv.so)imgcodes/src/grfmt_tiff.cpp: bool TiffDecoder::readData_32FC1(Mat& img);
(libtiff.so)libtiff/tif_read.c: intTIFFReadScanline(TIFF* tif, void* buf, uint32 row, uint16 sample);
(libtiff.so)libtiff/tif_read.c: static int  TIFFSeek(TIFF* tif, uint32 row, uint16 sample );

I have upgraded to incubator-mxnet's newest version to avoid the issues. Give the info in this report for sharing. It seems that our python projects should keep an eye on the CVEs of C libraries.

[CarlWilson111]

By the way, incubator-mxnet depends on libmxnet.so, I figured out the shared library comes from Libtiff 4.0.9 based on incubator-mxnet's development docs.