author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-08-02 11:05:52 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-08-16 03:55:12 -1000 |
commit | ebca640cbb023aaa9d5fa0516fb13c395136f60c (patch) | |
tree | 961b842edad37feb7af855abaf950befee62c02b | |
parent | b5f81a875de8a146c4f698d9bd06ac1a152a01f7 (diff) | |
download | poky-ebca640cbb023aaa9d5fa0516fb13c395136f60c.tar.gz |
tiff: fix multiple CVEs
Backport fixes for:
* CVE-2023-2908 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f
* CVE-2023-3316 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536
* CVE-2023-3618 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37 && https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8
(From OE-Core rev: 4929d08cefac9ae2ebbdf94ccdc51a0f67f28164)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
5 files changed, 177 insertions, 0 deletions
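diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch
new file mode 100644
index 0000000000..62a5e1831c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch
@@ -0,0 +1,33 @@
+From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001
+From: xiaoxiaoafeifei <lliangliang2007@163.com>
+Date: Fri, 21 Apr 2023 13:01:34 +0000
+Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`:
+applying zero offset to null pointer
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f]
+CVE: CVE-2023-2908
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+libtiff/tif_dir.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 9d8267a..6389b40 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -145,10 +145,10 @@ static uint16
+countInkNamesString(TIFF *tif, uint32 slen, const char *s)
+{
+uint16 i = 0;
+- const char *ep = s + slen;
+- const char *cp = s;
+
+if (slen > 0) {
++ const char *ep = s + slen;
++ const char *cp = s;
+do {
+for (; cp < ep && *cp != '\0'; cp++) {}
+if (cp >= ep)
+--
+2.25.1
+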
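Review bot: The `From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e` line at the top of this patch names a different commit than its `Upstream-Status: Backport` URL, which points at 9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f; the other three patches added by this commit carry matching hashes in both places. The cited commit may simply be a merge that contains 8c0859a, but the header does not say so, and that makes the backport harder to audit against upstream. If 8c0859a is the commit the diff was actually taken from, I would cite it directly, `Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/8c0859a80444c90b8dfb862a9f16de74e16f0a9e]`, or add one header line stating how the two hashes relate.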
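diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch
new file mode 100644
index 0000000000..8db24fc714
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch
@@ -0,0 +1,59 @@
+From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 3 Feb 2023 17:38:55 +0100
+Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515
+
+Closes #515
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536]
+CVE: CVE-2023-3316
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+libtiff/tif_close.c | 11 +++++++----
+tools/tiffcrop.c | 5 ++++-
+2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
+index e4228df..335e80f 100644
+--- a/libtiff/tif_close.c
++++ b/libtiff/tif_close.c
+@@ -118,13 +118,16 @@ TIFFCleanup(TIFF* tif)
+*/
+
+void
+-TIFFClose(TIFF* tif)
++TIFFClose(TIFF *tif)
+{
+- TIFFCloseProc closeproc = tif->tif_closeproc;
+- thandle_t fd = tif->tif_clientdata;
++ if (tif != NULL)
++ {
++ TIFFCloseProc closeproc = tif->tif_closeproc;
++ thandle_t fd = tif->tif_clientdata;
+
+TIFFCleanup(tif);
+- (void) (*closeproc)(fd);
++ (void)(*closeproc)(fd);
++ }
+}
+
+/* vim: set ts=8 sts=8 sw=8 noet: */
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index a533089..f14bb0c 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2526,7 +2526,10 @@ main(int argc, char* argv[])
+}
+}
+
+- TIFFClose(out);
++ if (out != NULL)
++ {
++ TIFFClose(out);
++ }
+
+return (0);
+} /* end main */
+--
+2.25.1
+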
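Review bot: TIFFClose() now accepts a NULL handle and does nothing, but the comment block that closes just above the function (its start is outside the hunk) is left unchanged, so the new contract is not visible to callers reading the source. I would add a line to that comment such as `* A NULL tif is accepted and ignored.`. With the library-side check in place, the added `if (out != NULL)` around `TIFFClose(out)` in tiffcrop's main() is redundant though harmless; a short comment there saying it is deliberate defence in depth would keep a later cleanup from removing one guard without checking the other.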
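diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch
new file mode 100644
index 0000000000..35ed852519
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch
@@ -0,0 +1,34 @@
+From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Tue, 7 Mar 2023 15:02:08 +0800
+Subject: [PATCH] Fix memory leak in tiffcrop.c
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
+CVE: CVE-2023-3618
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+tools/tiffcrop.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f14bb0c..7121c7c 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7746,8 +7746,13 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+
+read_buff = *read_buff_ptr;
+
++ /* Memory is freed before crop_buff_ptr is overwritten */
++ if (*crop_buff_ptr != NULL)
++ {
++ _TIFFfree(*crop_buff_ptr);
++ }
++
+/* process full image, no crop buffer needed */
+- crop_buff = read_buff;
+*crop_buff_ptr = read_buff;
+crop->combined_width = image->width;
+crop->combined_length = image->length;
+--
+2.25.1
+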
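Review bot: The new `_TIFFfree(*crop_buff_ptr)` in createCroppedImage() sits between `read_buff = *read_buff_ptr` and `*crop_buff_ptr = read_buff`, and nothing checks that the two pointers are different allocations. If this branch is ever entered with `*crop_buff_ptr` already equal to the read buffer (for example, left aliased by an earlier pass through the same assignment), the read buffer is freed and then stored back as the crop buffer, so both pointers dangle. The callers and the rest of the function are outside the hunk, so whether that state is reachable needs confirming, but the guard is cheap: `if (*crop_buff_ptr != NULL && *crop_buff_ptr != read_buff)`. The added comment could also say who owns the buffer once the two pointers alias, since a caller that frees both would free it twice.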
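diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch
new file mode 100644
index 0000000000..fd67305c0b
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch
@@ -0,0 +1,47 @@
+From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 5 May 2023 19:43:46 +0200
+Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8]
+CVE: CVE-2023-3618
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+tools/tiffcrop.c | 14 ++++++++++----
+1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 7121c7c..93b7f96 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2437,9 +2437,15 @@ main(int argc, char* argv[])
+{ /* Whole image or sections not based on output page size */
+if (crop.selections > 0)
+{
+- writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
+- mp, argv[argc - 1], &next_page, total_pages);
+- }
++ if (writeSelections(in, &out, &crop, &image, &dump,
++ seg_buffs, mp, argv[argc - 1],
++ &next_page, total_pages))
++ {
++ TIFFError("main",
++ "Unable to write new image selections");
++ exit(EXIT_FAILURE);
++ }
++ }
+else /* One file all images and sections */
+{
+if (update_output_file (&out, mp, crop.exp_mode, argv[argc - 1],
+@@ -7749,7 +7755,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+/* Memory is freed before crop_buff_ptr is overwritten */
+if (*crop_buff_ptr != NULL)
+{
+- _TIFFfree(*crop_buff_ptr);
++ _TIFFfree(*crop_buff_ptr);
+}
+
+/* process full image, no crop buffer needed */
+--
+2.25.1
+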
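Review bot: The new failure path in main() goes from `TIFFError(...)` straight to `exit(EXIT_FAILURE)` without closing `out` or `in`, so when writeSelections() fails a partly written file may be left at `argv[argc - 1]`. main() starts and ends outside the hunk, so it is not visible here whether its other error paths behave the same way. If that is the accepted convention, a one-line comment would make it explicit, e.g. `/* exits without TIFFClose(): the output file may be incomplete */`; naming the file in the message also helps whoever triages the failure, `"Unable to write new image selections to %s", argv[argc - 1]`. The second hunk in this patch changes whitespace only.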
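diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index fcb2ce1ae4..e3daaf1007 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -40,6 +40,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
 file://CVE-2023-25434-CVE-2023-25435.patch \
 file://CVE-2023-26965.patch \
 file://CVE-2023-26966.patch \
+file://CVE-2023-2908.patch \
+file://CVE-2023-3316.patch \
+file://CVE-2023-3618-1.patch \
+file://CVE-2023-3618-2.patch \
 "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"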