diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2024-04-01 10:24:21 +0800 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-04-05 07:23:59 -0700 |
commit | 1921c279467ae185aecfe0e8b91da50b8a38d248 (patch) | |
tree | a9c2afee524fdbc324a54e1c9de82b8830d28fe1 | |
parent | ebebf9d948b21983271c1c92e419a97b7d52e5bf (diff) | |
download | poky-1921c279467ae185aecfe0e8b91da50b8a38d248.tar.gz |
tiff: fix CVE-2023-52356 CVE-2023-6277
import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277
import from
http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz
(From OE-Core rev: 4728df36bb3888df4d3cc0db1fd66138e865c511)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
6 files changed, 527 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch new file mode 100644 index 0000000000..4eb7d79c8f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | CVE: CVE-2023-52356 | ||
2 | Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a | ||
3 | ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] | ||
4 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
5 | |||
6 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
7 | to match the current version of the file in the present Ubuntu release: | ||
8 | . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet); | ||
9 | -- Rodrigo Figueiredo Zaiden] | ||
10 | |||
11 | Backport of: | ||
12 | |||
13 | From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 | ||
14 | From: Even Rouault <even.rouault@spatialys.com> | ||
15 | Date: Tue, 31 Oct 2023 15:58:41 +0100 | ||
16 | Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of | ||
17 | col/row (fixes #622) | ||
18 | |||
19 | --- | ||
20 | libtiff/tif_getimage.c | 15 +++++++++++++++ | ||
21 | 1 file changed, 15 insertions(+) | ||
22 | |||
23 | |||
24 | --- tiff-4.3.0.orig/libtiff/tif_getimage.c | ||
25 | +++ tiff-4.3.0/libtiff/tif_getimage.c | ||
26 | @@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t | ||
27 | } | ||
28 | |||
29 | if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { | ||
30 | + if (row >= img.height) | ||
31 | + { | ||
32 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), | ||
33 | + "Invalid row passed to TIFFReadRGBAStrip()."); | ||
34 | + TIFFRGBAImageEnd(&img); | ||
35 | + return (0); | ||
36 | + } | ||
37 | |||
38 | img.row_offset = row; | ||
39 | img.col_offset = 0; | ||
40 | @@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t | ||
41 | return( 0 ); | ||
42 | } | ||
43 | |||
44 | + if (col >= img.width || row >= img.height) | ||
45 | + { | ||
46 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), | ||
47 | + "Invalid row/col passed to TIFFReadRGBATile()."); | ||
48 | + TIFFRGBAImageEnd(&img); | ||
49 | + return (0); | ||
50 | + } | ||
51 | + | ||
52 | /* | ||
53 | * The TIFFRGBAImageGet() function doesn't allow us to get off the | ||
54 | * edge of the image, even to fill an otherwise valid tile. So we | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch new file mode 100644 index 0000000000..453df897ac --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch | |||
@@ -0,0 +1,178 @@ | |||
1 | CVE: CVE-2023-6277 | ||
2 | Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a | ||
3 | ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] | ||
4 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
5 | |||
6 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
7 | to match the current version of the file in the present Ubuntu release: | ||
8 | . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); | ||
9 | . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); | ||
10 | -- Rodrigo Figueiredo Zaiden] | ||
11 | |||
12 | Backport of: | ||
13 | |||
14 | From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001 | ||
15 | From: Su Laus <sulau@freenet.de> | ||
16 | Date: Tue, 31 Oct 2023 15:43:29 +0000 | ||
17 | Subject: [PATCH] Prevent some out-of-memory attacks | ||
18 | |||
19 | Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size. | ||
20 | |||
21 | At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks. | ||
22 | |||
23 | See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857 | ||
24 | --- | ||
25 | libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++- | ||
26 | 1 file changed, 90 insertions(+), 2 deletions(-) | ||
27 | |||
28 | --- tiff-4.3.0.orig/libtiff/tif_dirread.c | ||
29 | +++ tiff-4.3.0/libtiff/tif_dirread.c | ||
30 | @@ -866,6 +866,21 @@ static enum TIFFReadDirEntryErr TIFFRead | ||
31 | datasize=(*count)*typesize; | ||
32 | assert((tmsize_t)datasize>0); | ||
33 | |||
34 | + /* Before allocating a huge amount of memory for corrupted files, check if | ||
35 | + * size of requested memory is not greater than file size. | ||
36 | + */ | ||
37 | + uint64_t filesize = TIFFGetFileSize(tif); | ||
38 | + if (datasize > filesize) | ||
39 | + { | ||
40 | + TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", | ||
41 | + "Requested memory size for tag %d (0x%x) %" PRIu32 | ||
42 | + " is greather than filesize %" PRIu64 | ||
43 | + ". Memory not allocated, tag not read", | ||
44 | + direntry->tdir_tag, direntry->tdir_tag, datasize, | ||
45 | + filesize); | ||
46 | + return (TIFFReadDirEntryErrAlloc); | ||
47 | + } | ||
48 | + | ||
49 | if( isMapped(tif) && datasize > (uint64_t)tif->tif_size ) | ||
50 | return TIFFReadDirEntryErrIo; | ||
51 | |||
52 | @@ -4593,6 +4608,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
53 | if( !_TIFFFillStrilesInternal( tif, 0 ) ) | ||
54 | return -1; | ||
55 | |||
56 | + /* Before allocating a huge amount of memory for corrupted files, check if | ||
57 | + * size of requested memory is not greater than file size. */ | ||
58 | + uint64_t filesize = TIFFGetFileSize(tif); | ||
59 | + uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); | ||
60 | + if (allocsize > filesize) | ||
61 | + { | ||
62 | + TIFFWarningExt(tif->tif_clientdata, module, | ||
63 | + "Requested memory size for StripByteCounts of %" PRIu64 | ||
64 | + " is greather than filesize %" PRIu64 | ||
65 | + ". Memory not allocated", | ||
66 | + allocsize, filesize); | ||
67 | + return -1; | ||
68 | + } | ||
69 | + | ||
70 | if (td->td_stripbytecount_p) | ||
71 | _TIFFfree(td->td_stripbytecount_p); | ||
72 | td->td_stripbytecount_p = (uint64_t*) | ||
73 | @@ -4603,9 +4632,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
74 | |||
75 | if (td->td_compression != COMPRESSION_NONE) { | ||
76 | uint64_t space; | ||
77 | - uint64_t filesize; | ||
78 | uint16_t n; | ||
79 | - filesize = TIFFGetFileSize(tif); | ||
80 | if (!(tif->tif_flags&TIFF_BIGTIFF)) | ||
81 | space=sizeof(TIFFHeaderClassic)+2+dircount*12+4; | ||
82 | else | ||
83 | @@ -4913,6 +4940,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d | ||
84 | dircount16 = (uint16_t)dircount64; | ||
85 | dirsize = 20; | ||
86 | } | ||
87 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
88 | + * if size of requested memory is not greater than file size. */ | ||
89 | + uint64_t filesize = TIFFGetFileSize(tif); | ||
90 | + uint64_t allocsize = (uint64_t)dircount16 * dirsize; | ||
91 | + if (allocsize > filesize) | ||
92 | + { | ||
93 | + TIFFWarningExt( | ||
94 | + tif->tif_clientdata, module, | ||
95 | + "Requested memory size for TIFF directory of %" PRIu64 | ||
96 | + " is greather than filesize %" PRIu64 | ||
97 | + ". Memory not allocated, TIFF directory not read", | ||
98 | + allocsize, filesize); | ||
99 | + return 0; | ||
100 | + } | ||
101 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
102 | dirsize, "to read TIFF directory"); | ||
103 | if (origdir == NULL) | ||
104 | @@ -5016,6 +5057,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d | ||
105 | "Sanity check on directory count failed, zero tag directories not supported"); | ||
106 | return 0; | ||
107 | } | ||
108 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
109 | + * if size of requested memory is not greater than file size. */ | ||
110 | + uint64_t filesize = TIFFGetFileSize(tif); | ||
111 | + uint64_t allocsize = (uint64_t)dircount16 * dirsize; | ||
112 | + if (allocsize > filesize) | ||
113 | + { | ||
114 | + TIFFWarningExt( | ||
115 | + tif->tif_clientdata, module, | ||
116 | + "Requested memory size for TIFF directory of %" PRIu64 | ||
117 | + " is greather than filesize %" PRIu64 | ||
118 | + ". Memory not allocated, TIFF directory not read", | ||
119 | + allocsize, filesize); | ||
120 | + return 0; | ||
121 | + } | ||
122 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
123 | dirsize, | ||
124 | "to read TIFF directory"); | ||
125 | @@ -5059,6 +5114,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d | ||
126 | } | ||
127 | } | ||
128 | } | ||
129 | + /* No check against filesize needed here because "dir" should have same size | ||
130 | + * than "origdir" checked above. */ | ||
131 | dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16, | ||
132 | sizeof(TIFFDirEntry), | ||
133 | "to read TIFF directory"); | ||
134 | @@ -5853,6 +5910,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn | ||
135 | return(0); | ||
136 | } | ||
137 | |||
138 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
139 | + * if size of requested memory is not greater than file size. */ | ||
140 | + uint64_t filesize = TIFFGetFileSize(tif); | ||
141 | + uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); | ||
142 | + if (allocsize > filesize) | ||
143 | + { | ||
144 | + TIFFWarningExt(tif->tif_clientdata, module, | ||
145 | + "Requested memory size for StripArray of %" PRIu64 | ||
146 | + " is greather than filesize %" PRIu64 | ||
147 | + ". Memory not allocated", | ||
148 | + allocsize, filesize); | ||
149 | + _TIFFfree(data); | ||
150 | + return (0); | ||
151 | + } | ||
152 | resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array"); | ||
153 | if (resizeddata==0) { | ||
154 | _TIFFfree(data); | ||
155 | @@ -5948,6 +6019,23 @@ static void allocChoppedUpStripArrays(TI | ||
156 | } | ||
157 | bytecount = last_offset + last_bytecount - offset; | ||
158 | |||
159 | + /* Before allocating a huge amount of memory for corrupted files, check if | ||
160 | + * size of StripByteCount and StripOffset tags is not greater than | ||
161 | + * file size. | ||
162 | + */ | ||
163 | + uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; | ||
164 | + uint64_t filesize = TIFFGetFileSize(tif); | ||
165 | + if (allocsize > filesize) | ||
166 | + { | ||
167 | + TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", | ||
168 | + "Requested memory size for StripByteCount and " | ||
169 | + "StripOffsets %" PRIu64 | ||
170 | + " is greather than filesize %" PRIu64 | ||
171 | + ". Memory not allocated", | ||
172 | + allocsize, filesize); | ||
173 | + return; | ||
174 | + } | ||
175 | + | ||
176 | newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t), | ||
177 | "for chopped \"StripByteCounts\" array"); | ||
178 | newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t), | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch new file mode 100644 index 0000000000..ad39c1c4dd --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch | |||
@@ -0,0 +1,151 @@ | |||
1 | CVE: CVE-2023-6277 | ||
2 | Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa | ||
3 | ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] | ||
4 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
5 | |||
6 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
7 | to match the current version of the file in the present Ubuntu release: | ||
8 | . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); | ||
9 | -- Rodrigo Figueiredo Zaiden] | ||
10 | |||
11 | Backport of: | ||
12 | |||
13 | From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001 | ||
14 | From: Even Rouault <even.rouault@spatialys.com> | ||
15 | Date: Tue, 31 Oct 2023 19:47:22 +0100 | ||
16 | Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough | ||
17 | RAM requests | ||
18 | |||
19 | Ammends 5320c9d89c054fa805d037d84c57da874470b01a | ||
20 | |||
21 | This fixes a performance regression caught by the GDAL regression test | ||
22 | suite. | ||
23 | --- | ||
24 | libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------ | ||
25 | 1 file changed, 48 insertions(+), 35 deletions(-) | ||
26 | |||
27 | --- tiff-4.3.0.orig/libtiff/tif_dirread.c | ||
28 | +++ tiff-4.3.0/libtiff/tif_dirread.c | ||
29 | @@ -866,19 +866,22 @@ static enum TIFFReadDirEntryErr TIFFRead | ||
30 | datasize=(*count)*typesize; | ||
31 | assert((tmsize_t)datasize>0); | ||
32 | |||
33 | - /* Before allocating a huge amount of memory for corrupted files, check if | ||
34 | - * size of requested memory is not greater than file size. | ||
35 | - */ | ||
36 | - uint64_t filesize = TIFFGetFileSize(tif); | ||
37 | - if (datasize > filesize) | ||
38 | + if (datasize > 100 * 1024 * 1024) | ||
39 | { | ||
40 | - TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", | ||
41 | - "Requested memory size for tag %d (0x%x) %" PRIu32 | ||
42 | - " is greather than filesize %" PRIu64 | ||
43 | - ". Memory not allocated, tag not read", | ||
44 | - direntry->tdir_tag, direntry->tdir_tag, datasize, | ||
45 | - filesize); | ||
46 | - return (TIFFReadDirEntryErrAlloc); | ||
47 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
48 | + * if size of requested memory is not greater than file size. | ||
49 | + */ | ||
50 | + const uint64_t filesize = TIFFGetFileSize(tif); | ||
51 | + if (datasize > filesize) | ||
52 | + { | ||
53 | + TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", | ||
54 | + "Requested memory size for tag %d (0x%x) %" PRIu32 | ||
55 | + " is greater than filesize %" PRIu64 | ||
56 | + ". Memory not allocated, tag not read", | ||
57 | + direntry->tdir_tag, direntry->tdir_tag, datasize, | ||
58 | + filesize); | ||
59 | + return (TIFFReadDirEntryErrAlloc); | ||
60 | + } | ||
61 | } | ||
62 | |||
63 | if( isMapped(tif) && datasize > (uint64_t)tif->tif_size ) | ||
64 | @@ -4608,18 +4611,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
65 | if( !_TIFFFillStrilesInternal( tif, 0 ) ) | ||
66 | return -1; | ||
67 | |||
68 | - /* Before allocating a huge amount of memory for corrupted files, check if | ||
69 | - * size of requested memory is not greater than file size. */ | ||
70 | - uint64_t filesize = TIFFGetFileSize(tif); | ||
71 | - uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); | ||
72 | - if (allocsize > filesize) | ||
73 | + const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); | ||
74 | + uint64_t filesize = 0; | ||
75 | + if (allocsize > 100 * 1024 * 1024) | ||
76 | { | ||
77 | - TIFFWarningExt(tif->tif_clientdata, module, | ||
78 | - "Requested memory size for StripByteCounts of %" PRIu64 | ||
79 | - " is greather than filesize %" PRIu64 | ||
80 | - ". Memory not allocated", | ||
81 | - allocsize, filesize); | ||
82 | - return -1; | ||
83 | + /* Before allocating a huge amount of memory for corrupted files, check | ||
84 | + * if size of requested memory is not greater than file size. */ | ||
85 | + filesize = TIFFGetFileSize(tif); | ||
86 | + if (allocsize > filesize) | ||
87 | + { | ||
88 | + TIFFWarningExt( | ||
89 | + tif->tif_clientdata, module, | ||
90 | + "Requested memory size for StripByteCounts of %" PRIu64 | ||
91 | + " is greater than filesize %" PRIu64 ". Memory not allocated", | ||
92 | + allocsize, filesize); | ||
93 | + return -1; | ||
94 | + } | ||
95 | } | ||
96 | |||
97 | if (td->td_stripbytecount_p) | ||
98 | @@ -4666,11 +4673,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD | ||
99 | return -1; | ||
100 | space+=datasize; | ||
101 | } | ||
102 | + if (filesize == 0) | ||
103 | + filesize = TIFFGetFileSize(tif); | ||
104 | if( filesize < space ) | ||
105 | - /* we should perhaps return in error ? */ | ||
106 | - space = filesize; | ||
107 | - else | ||
108 | - space = filesize - space; | ||
109 | + /* we should perhaps return in error ? */ | ||
110 | + space = filesize; | ||
111 | + else | ||
112 | + space = filesize - space; | ||
113 | if (td->td_planarconfig == PLANARCONFIG_SEPARATE) | ||
114 | space /= td->td_samplesperpixel; | ||
115 | for (strip = 0; strip < td->td_nstrips; strip++) | ||
116 | @@ -4940,19 +4949,23 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d | ||
117 | dircount16 = (uint16_t)dircount64; | ||
118 | dirsize = 20; | ||
119 | } | ||
120 | - /* Before allocating a huge amount of memory for corrupted files, check | ||
121 | - * if size of requested memory is not greater than file size. */ | ||
122 | - uint64_t filesize = TIFFGetFileSize(tif); | ||
123 | - uint64_t allocsize = (uint64_t)dircount16 * dirsize; | ||
124 | - if (allocsize > filesize) | ||
125 | + const uint64_t allocsize = (uint64_t)dircount16 * dirsize; | ||
126 | + if (allocsize > 100 * 1024 * 1024) | ||
127 | { | ||
128 | - TIFFWarningExt( | ||
129 | - tif->tif_clientdata, module, | ||
130 | - "Requested memory size for TIFF directory of %" PRIu64 | ||
131 | - " is greather than filesize %" PRIu64 | ||
132 | - ". Memory not allocated, TIFF directory not read", | ||
133 | - allocsize, filesize); | ||
134 | - return 0; | ||
135 | + /* Before allocating a huge amount of memory for corrupted files, | ||
136 | + * check if size of requested memory is not greater than file size. | ||
137 | + */ | ||
138 | + const uint64_t filesize = TIFFGetFileSize(tif); | ||
139 | + if (allocsize > filesize) | ||
140 | + { | ||
141 | + TIFFWarningExt( | ||
142 | + tif->tif_clientdata, module, | ||
143 | + "Requested memory size for TIFF directory of %" PRIu64 | ||
144 | + " is greater than filesize %" PRIu64 | ||
145 | + ". Memory not allocated, TIFF directory not read", | ||
146 | + allocsize, filesize); | ||
147 | + return 0; | ||
148 | + } | ||
149 | } | ||
150 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
151 | dirsize, "to read TIFF directory"); | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch new file mode 100644 index 0000000000..71eba2f34e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | CVE: CVE-2023-6277 | ||
2 | Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3 | ||
3 | ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] | ||
4 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
5 | |||
6 | Backport of: | ||
7 | |||
8 | From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001 | ||
9 | From: Even Rouault <even.rouault@spatialys.com> | ||
10 | Date: Tue, 31 Oct 2023 20:13:45 +0100 | ||
11 | Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize | ||
12 | check | ||
13 | |||
14 | CoverityScan rightly points that the max value for dircount16 * dirsize | ||
15 | is 4096 * 20. That's small enough not to do any check | ||
16 | --- | ||
17 | libtiff/tif_dirread.c | 18 ------------------ | ||
18 | 1 file changed, 18 deletions(-) | ||
19 | |||
20 | --- tiff-4.3.0.orig/libtiff/tif_dirread.c | ||
21 | +++ tiff-4.3.0/libtiff/tif_dirread.c | ||
22 | @@ -4949,24 +4949,6 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d | ||
23 | dircount16 = (uint16_t)dircount64; | ||
24 | dirsize = 20; | ||
25 | } | ||
26 | - const uint64_t allocsize = (uint64_t)dircount16 * dirsize; | ||
27 | - if (allocsize > 100 * 1024 * 1024) | ||
28 | - { | ||
29 | - /* Before allocating a huge amount of memory for corrupted files, | ||
30 | - * check if size of requested memory is not greater than file size. | ||
31 | - */ | ||
32 | - const uint64_t filesize = TIFFGetFileSize(tif); | ||
33 | - if (allocsize > filesize) | ||
34 | - { | ||
35 | - TIFFWarningExt( | ||
36 | - tif->tif_clientdata, module, | ||
37 | - "Requested memory size for TIFF directory of %" PRIu64 | ||
38 | - " is greater than filesize %" PRIu64 | ||
39 | - ". Memory not allocated, TIFF directory not read", | ||
40 | - allocsize, filesize); | ||
41 | - return 0; | ||
42 | - } | ||
43 | - } | ||
44 | origdir = _TIFFCheckMalloc(tif, dircount16, | ||
45 | dirsize, "to read TIFF directory"); | ||
46 | if (origdir == NULL) | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch new file mode 100644 index 0000000000..61f48726e4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch | |||
@@ -0,0 +1,93 @@ | |||
1 | CVE: CVE-2023-6277 | ||
2 | Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a | ||
3 | ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] | ||
4 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
5 | |||
6 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
7 | to match the current version of the file in the present Ubuntu release: | ||
8 | . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); | ||
9 | . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); | ||
10 | -- Rodrigo Figueiredo Zaiden] | ||
11 | |||
12 | Backport of: | ||
13 | |||
14 | From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001 | ||
15 | From: Even Rouault <even.rouault@spatialys.com> | ||
16 | Date: Tue, 31 Oct 2023 21:30:58 +0100 | ||
17 | Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough | ||
18 | RAM requests | ||
19 | |||
20 | --- | ||
21 | libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------ | ||
22 | 1 file changed, 31 insertions(+), 23 deletions(-) | ||
23 | |||
24 | --- tiff-4.3.0.orig/libtiff/tif_dirread.c | ||
25 | +++ tiff-4.3.0/libtiff/tif_dirread.c | ||
26 | @@ -5905,19 +5905,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn | ||
27 | return(0); | ||
28 | } | ||
29 | |||
30 | - /* Before allocating a huge amount of memory for corrupted files, check | ||
31 | - * if size of requested memory is not greater than file size. */ | ||
32 | - uint64_t filesize = TIFFGetFileSize(tif); | ||
33 | - uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); | ||
34 | - if (allocsize > filesize) | ||
35 | + const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); | ||
36 | + if (allocsize > 100 * 1024 * 1024) | ||
37 | { | ||
38 | - TIFFWarningExt(tif->tif_clientdata, module, | ||
39 | - "Requested memory size for StripArray of %" PRIu64 | ||
40 | - " is greather than filesize %" PRIu64 | ||
41 | - ". Memory not allocated", | ||
42 | - allocsize, filesize); | ||
43 | - _TIFFfree(data); | ||
44 | - return (0); | ||
45 | + /* Before allocating a huge amount of memory for corrupted files, | ||
46 | + * check if size of requested memory is not greater than file size. | ||
47 | + */ | ||
48 | + const uint64_t filesize = TIFFGetFileSize(tif); | ||
49 | + if (allocsize > filesize) | ||
50 | + { | ||
51 | + TIFFWarningExt( | ||
52 | + tif->tif_clientdata, module, | ||
53 | + "Requested memory size for StripArray of %" PRIu64 | ||
54 | + " is greater than filesize %" PRIu64 | ||
55 | + ". Memory not allocated", | ||
56 | + allocsize, filesize); | ||
57 | + _TIFFfree(data); | ||
58 | + return (0); | ||
59 | + } | ||
60 | } | ||
61 | resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array"); | ||
62 | if (resizeddata==0) { | ||
63 | @@ -6018,17 +6023,20 @@ static void allocChoppedUpStripArrays(TI | ||
64 | * size of StripByteCount and StripOffset tags is not greater than | ||
65 | * file size. | ||
66 | */ | ||
67 | - uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; | ||
68 | - uint64_t filesize = TIFFGetFileSize(tif); | ||
69 | - if (allocsize > filesize) | ||
70 | + const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; | ||
71 | + if (allocsize > 100 * 1024 * 1024) | ||
72 | { | ||
73 | - TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", | ||
74 | - "Requested memory size for StripByteCount and " | ||
75 | - "StripOffsets %" PRIu64 | ||
76 | - " is greather than filesize %" PRIu64 | ||
77 | - ". Memory not allocated", | ||
78 | - allocsize, filesize); | ||
79 | - return; | ||
80 | + const uint64_t filesize = TIFFGetFileSize(tif); | ||
81 | + if (allocsize > filesize) | ||
82 | + { | ||
83 | + TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", | ||
84 | + "Requested memory size for StripByteCount and " | ||
85 | + "StripOffsets %" PRIu64 | ||
86 | + " is greater than filesize %" PRIu64 | ||
87 | + ". Memory not allocated", | ||
88 | + allocsize, filesize); | ||
89 | + return; | ||
90 | + } | ||
91 | } | ||
92 | |||
93 | newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t), | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index d284100ab2..b4af179e76 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | |||
@@ -48,6 +48,11 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
48 | file://CVE-2023-40745.patch \ | 48 | file://CVE-2023-40745.patch \ |
49 | file://CVE-2023-41175.patch \ | 49 | file://CVE-2023-41175.patch \ |
50 | file://CVE-2023-6228.patch \ | 50 | file://CVE-2023-6228.patch \ |
51 | file://CVE-2023-52356.patch \ | ||
52 | file://CVE-2023-6277-1.patch \ | ||
53 | file://CVE-2023-6277-2.patch \ | ||
54 | file://CVE-2023-6277-3.patch \ | ||
55 | file://CVE-2023-6277-4.patch \ | ||
51 | " | 56 | " |
52 | 57 | ||
53 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" | 58 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" |