diff options
author | Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | 2022-05-16 19:09:56 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-05-20 10:08:00 +0100 |
commit | 37bbb105c93213cb8bf78c054b4e682378c9f50c (patch) | |
tree | 2f2dc6b208435f707e45767174d4af2d30c46d5d | |
parent | fec7f76cfcf94947b8437fde0703da3d645ed2dc (diff) | |
download | poky-37bbb105c93213cb8bf78c054b4e682378c9f50c.tar.gz |
tiff: Add patches to fix multiple CVEs
Add patches to fix below CVE issues
CVE-2022-0865
CVE-2022-0907
CVE-2022-0908
CVE-2022-0909
CVE-2022-0924
(From OE-Core rev: 7c71434832caf6a15f8fb884d028a8c1bf4090a9)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
6 files changed, 267 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch new file mode 100644 index 0000000000..e2d136f587 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Thu, 24 Feb 2022 22:26:02 +0100 | ||
4 | Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD | ||
5 | in memory-mapped mode and when bit reversal is needed (fixes #385) | ||
6 | |||
7 | CVE: CVE-2022-0865 | ||
8 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0865.patch/] | ||
9 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
10 | Comment: No change in any hunk | ||
11 | |||
12 | --- | ||
13 | libtiff/tif_jbig.c | 10 ++++++++++ | ||
14 | 1 file changed, 10 insertions(+) | ||
15 | |||
16 | diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c | ||
17 | index 74086338..8bfa4cef 100644 | ||
18 | --- a/libtiff/tif_jbig.c | ||
19 | +++ b/libtiff/tif_jbig.c | ||
20 | @@ -208,6 +208,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) | ||
21 | */ | ||
22 | tif->tif_flags |= TIFF_NOBITREV; | ||
23 | tif->tif_flags &= ~TIFF_MAPPED; | ||
24 | + /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and | ||
25 | + * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial | ||
26 | + * value to be consistent with the state of a non-memory mapped file. | ||
27 | + */ | ||
28 | + if (tif->tif_flags&TIFF_BUFFERMMAP) { | ||
29 | + tif->tif_rawdata = NULL; | ||
30 | + tif->tif_rawdatasize = 0; | ||
31 | + tif->tif_flags &= ~TIFF_BUFFERMMAP; | ||
32 | + tif->tif_flags |= TIFF_MYBUFFER; | ||
33 | + } | ||
34 | |||
35 | /* Setup the function pointers for encode, decode, and cleanup. */ | ||
36 | tif->tif_setupdecode = JBIGSetupDecode; | ||
37 | -- | ||
38 | GitLab | ||
39 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch new file mode 100644 index 0000000000..da3ead5481 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001 | ||
2 | From: Augustus <wangdw.augustus@qq.com> | ||
3 | Date: Mon, 7 Mar 2022 18:21:49 +0800 | ||
4 | Subject: [PATCH] add checks for return value of limitMalloc (#392) | ||
5 | |||
6 | CVE: CVE-2022-0907 | ||
7 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0907.patch/] | ||
8 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
9 | Comment: No change in any hunk | ||
10 | |||
11 | --- | ||
12 | tools/tiffcrop.c | 33 +++++++++++++++++++++------------ | ||
13 | 1 file changed, 21 insertions(+), 12 deletions(-) | ||
14 | |||
15 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
16 | index f2e5474a..9b8acc7e 100644 | ||
17 | --- a/tools/tiffcrop.c | ||
18 | +++ b/tools/tiffcrop.c | ||
19 | @@ -7337,7 +7337,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) | ||
20 | if (!sect_buff) | ||
21 | { | ||
22 | sect_buff = (unsigned char *)_TIFFmalloc(sectsize); | ||
23 | - *sect_buff_ptr = sect_buff; | ||
24 | + if (!sect_buff) | ||
25 | + { | ||
26 | + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
27 | + return (-1); | ||
28 | + } | ||
29 | _TIFFmemset(sect_buff, 0, sectsize); | ||
30 | } | ||
31 | else | ||
32 | @@ -7353,15 +7357,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) | ||
33 | else | ||
34 | sect_buff = new_buff; | ||
35 | |||
36 | + if (!sect_buff) | ||
37 | + { | ||
38 | + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
39 | + return (-1); | ||
40 | + } | ||
41 | _TIFFmemset(sect_buff, 0, sectsize); | ||
42 | } | ||
43 | } | ||
44 | |||
45 | - if (!sect_buff) | ||
46 | - { | ||
47 | - TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); | ||
48 | - return (-1); | ||
49 | - } | ||
50 | prev_sectsize = sectsize; | ||
51 | *sect_buff_ptr = sect_buff; | ||
52 | |||
53 | @@ -7628,7 +7632,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
54 | if (!crop_buff) | ||
55 | { | ||
56 | crop_buff = (unsigned char *)_TIFFmalloc(cropsize); | ||
57 | - *crop_buff_ptr = crop_buff; | ||
58 | + if (!crop_buff) | ||
59 | + { | ||
60 | + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
61 | + return (-1); | ||
62 | + } | ||
63 | _TIFFmemset(crop_buff, 0, cropsize); | ||
64 | prev_cropsize = cropsize; | ||
65 | } | ||
66 | @@ -7644,15 +7652,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, | ||
67 | } | ||
68 | else | ||
69 | crop_buff = new_buff; | ||
70 | + if (!crop_buff) | ||
71 | + { | ||
72 | + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
73 | + return (-1); | ||
74 | + } | ||
75 | _TIFFmemset(crop_buff, 0, cropsize); | ||
76 | } | ||
77 | } | ||
78 | |||
79 | - if (!crop_buff) | ||
80 | - { | ||
81 | - TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); | ||
82 | - return (-1); | ||
83 | - } | ||
84 | *crop_buff_ptr = crop_buff; | ||
85 | |||
86 | if (crop->crop_mode & CROP_INVERT) | ||
87 | @@ -9211,3 +9219,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui | ||
88 | * fill-column: 78 | ||
89 | * End: | ||
90 | */ | ||
91 | + | ||
92 | -- | ||
93 | GitLab | ||
94 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch new file mode 100644 index 0000000000..e65af6c600 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Thu, 17 Feb 2022 15:28:43 +0100 | ||
4 | Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null | ||
5 | source pointer and size of zero (fixes #383) | ||
6 | |||
7 | CVE: CVE-2022-0908 | ||
8 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0908.patch/] | ||
9 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
10 | Comment: No change in any hunk | ||
11 | |||
12 | --- | ||
13 | libtiff/tif_dirread.c | 5 ++++- | ||
14 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
17 | index 50ebf8ac..2ec44a4f 100644 | ||
18 | --- a/libtiff/tif_dirread.c | ||
19 | +++ b/libtiff/tif_dirread.c | ||
20 | @@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) | ||
21 | _TIFFfree(data); | ||
22 | return(0); | ||
23 | } | ||
24 | - _TIFFmemcpy(o,data,(uint32)dp->tdir_count); | ||
25 | + if (dp->tdir_count > 0 ) | ||
26 | + { | ||
27 | + _TIFFmemcpy(o,data,(uint32)dp->tdir_count); | ||
28 | + } | ||
29 | o[(uint32)dp->tdir_count]=0; | ||
30 | if (data!=0) | ||
31 | _TIFFfree(data); | ||
32 | -- | ||
33 | GitLab | ||
34 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch new file mode 100644 index 0000000000..d487f1bd95 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001 | ||
2 | From: 4ugustus <wangdw.augustus@qq.com> | ||
3 | Date: Tue, 8 Mar 2022 16:22:04 +0000 | ||
4 | Subject: [PATCH] fix the FPE in tiffcrop (#393) | ||
5 | |||
6 | CVE: CVE-2022-0909 | ||
7 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0909.patch/] | ||
8 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
9 | Comment: No change in any hunk | ||
10 | |||
11 | --- | ||
12 | libtiff/tif_dir.c | 4 ++-- | ||
13 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
14 | |||
15 | diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c | ||
16 | index 57055ca9..59b346ca 100644 | ||
17 | --- a/libtiff/tif_dir.c | ||
18 | +++ b/libtiff/tif_dir.c | ||
19 | @@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) | ||
20 | break; | ||
21 | case TIFFTAG_XRESOLUTION: | ||
22 | dblval = va_arg(ap, double); | ||
23 | - if( dblval < 0 ) | ||
24 | + if( dblval != dblval || dblval < 0 ) | ||
25 | goto badvaluedouble; | ||
26 | td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); | ||
27 | break; | ||
28 | case TIFFTAG_YRESOLUTION: | ||
29 | dblval = va_arg(ap, double); | ||
30 | - if( dblval < 0 ) | ||
31 | + if( dblval != dblval || dblval < 0 ) | ||
32 | goto badvaluedouble; | ||
33 | td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); | ||
34 | break; | ||
35 | -- | ||
36 | GitLab | ||
37 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch new file mode 100644 index 0000000000..ddb035c972 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch | |||
@@ -0,0 +1,58 @@ | |||
1 | From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001 | ||
2 | From: 4ugustus <wangdw.augustus@qq.com> | ||
3 | Date: Thu, 10 Mar 2022 08:48:00 +0000 | ||
4 | Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) | ||
5 | |||
6 | CVE: CVE-2022-0924 | ||
7 | Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/] | ||
8 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
9 | Comment: No change in any hunk | ||
10 | |||
11 | --- | ||
12 | tools/tiffcp.c | 17 ++++++++++++++++- | ||
13 | 1 file changed, 16 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
16 | index 224583e0..aa32b118 100644 | ||
17 | --- a/tools/tiffcp.c | ||
18 | +++ b/tools/tiffcp.c | ||
19 | @@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt | ||
20 | tdata_t obuf; | ||
21 | tstrip_t strip = 0; | ||
22 | tsample_t s; | ||
23 | + uint16 bps = 0, bytes_per_sample; | ||
24 | |||
25 | obuf = _TIFFmalloc(stripsize); | ||
26 | if (obuf == NULL) | ||
27 | return (0); | ||
28 | _TIFFmemset(obuf, 0, stripsize); | ||
29 | (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); | ||
30 | + (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); | ||
31 | + if( bps == 0 ) | ||
32 | + { | ||
33 | + TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); | ||
34 | + _TIFFfree(obuf); | ||
35 | + return 0; | ||
36 | + } | ||
37 | + if( (bps % 8) != 0 ) | ||
38 | + { | ||
39 | + TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); | ||
40 | + _TIFFfree(obuf); | ||
41 | + return 0; | ||
42 | + } | ||
43 | + bytes_per_sample = bps/8; | ||
44 | for (s = 0; s < spp; s++) { | ||
45 | uint32 row; | ||
46 | for (row = 0; row < imagelength; row += rowsperstrip) { | ||
47 | @@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt | ||
48 | |||
49 | cpContigBufToSeparateBuf( | ||
50 | obuf, (uint8*) buf + row*rowsize + s, | ||
51 | - nrows, imagewidth, 0, 0, spp, 1); | ||
52 | + nrows, imagewidth, 0, 0, spp, bytes_per_sample); | ||
53 | if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { | ||
54 | TIFFError(TIFFFileName(out), | ||
55 | "Error, can't write strip %u", | ||
56 | -- | ||
57 | GitLab | ||
58 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index e3ffb12f9e..75bc20de78 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | |||
@@ -18,7 +18,12 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
18 | file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \ | 18 | file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \ |
19 | file://561599c99f987dc32ae110370cfdd7df7975586b.patch \ | 19 | file://561599c99f987dc32ae110370cfdd7df7975586b.patch \ |
20 | file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \ | 20 | file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \ |
21 | file://CVE-2022-0865.patch \ | ||
22 | file://CVE-2022-0908.patch \ | ||
23 | file://CVE-2022-0907.patch \ | ||
24 | file://CVE-2022-0909.patch \ | ||
21 | file://CVE-2022-0891.patch \ | 25 | file://CVE-2022-0891.patch \ |
26 | file://CVE-2022-0924.patch \ | ||
22 | " | 27 | " |
23 | SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" | 28 | SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" |
24 | SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" | 29 | SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" |