diff options
author | Yi Zhao <yi.zhao@windriver.com> | 2022-07-23 15:27:06 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-08-01 16:27:29 +0100 |
commit | 7ac005ba752e10126a7ca75e386968f3d627e54b (patch) | |
tree | 15235ba95f74a4fdab81e6a4bbe802fd0925655f | |
parent | 43ff43bd86c852de2c34d23773cbc8e9a50d2349 (diff) | |
download | poky-7ac005ba752e10126a7ca75e386968f3d627e54b.tar.gz |
tiff: Security fixes CVE-2022-1354 and CVE-2022-1355
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-1354
https://security-tracker.debian.org/tracker/CVE-2022-1354
https://nvd.nist.gov/vuln/detail/CVE-2022-1355
https://security-tracker.debian.org/tracker/CVE-2022-1355
Patches from:
CVE-2022-1354:
https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798
CVE-2022-1355:
https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2
(From OE-Core rev: 6c373c041f1dd45458866408d1ca16d47cacbd86)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch | 212 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch | 62 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 2 |
3 files changed, 276 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch new file mode 100644 index 0000000000..71b85cac10 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch | |||
@@ -0,0 +1,212 @@ | |||
1 | From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sun, 5 Dec 2021 14:37:46 +0100 | ||
4 | Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319) | ||
5 | |||
6 | to avoid having the size of the strip arrays inconsistent with the | ||
7 | number of strips returned by TIFFNumberOfStrips(), which may cause | ||
8 | out-ouf-bounds array read afterwards. | ||
9 | |||
10 | One of the OJPEG hack that alters SamplesPerPixel may influence the | ||
11 | number of strips. Hence compute tif_dir.td_nstrips only afterwards. | ||
12 | |||
13 | CVE: CVE-2022-1354 | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | [https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798] | ||
17 | |||
18 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
19 | --- | ||
20 | libtiff/tif_dirread.c | 162 ++++++++++++++++++++++-------------------- | ||
21 | 1 file changed, 83 insertions(+), 79 deletions(-) | ||
22 | |||
23 | diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c | ||
24 | index 8f434ef5..14c031d1 100644 | ||
25 | --- a/libtiff/tif_dirread.c | ||
26 | +++ b/libtiff/tif_dirread.c | ||
27 | @@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif) | ||
28 | MissingRequired(tif,"ImageLength"); | ||
29 | goto bad; | ||
30 | } | ||
31 | - /* | ||
32 | - * Setup appropriate structures (by strip or by tile) | ||
33 | - */ | ||
34 | - if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { | ||
35 | - tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); | ||
36 | - tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; | ||
37 | - tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; | ||
38 | - tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; | ||
39 | - tif->tif_flags &= ~TIFF_ISTILED; | ||
40 | - } else { | ||
41 | - tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); | ||
42 | - tif->tif_flags |= TIFF_ISTILED; | ||
43 | - } | ||
44 | - if (!tif->tif_dir.td_nstrips) { | ||
45 | - TIFFErrorExt(tif->tif_clientdata, module, | ||
46 | - "Cannot handle zero number of %s", | ||
47 | - isTiled(tif) ? "tiles" : "strips"); | ||
48 | - goto bad; | ||
49 | - } | ||
50 | - tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; | ||
51 | - if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) | ||
52 | - tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; | ||
53 | - if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { | ||
54 | -#ifdef OJPEG_SUPPORT | ||
55 | - if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && | ||
56 | - (isTiled(tif)==0) && | ||
57 | - (tif->tif_dir.td_nstrips==1)) { | ||
58 | - /* | ||
59 | - * XXX: OJPEG hack. | ||
60 | - * If a) compression is OJPEG, b) it's not a tiled TIFF, | ||
61 | - * and c) the number of strips is 1, | ||
62 | - * then we tolerate the absence of stripoffsets tag, | ||
63 | - * because, presumably, all required data is in the | ||
64 | - * JpegInterchangeFormat stream. | ||
65 | - */ | ||
66 | - TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); | ||
67 | - } else | ||
68 | -#endif | ||
69 | - { | ||
70 | - MissingRequired(tif, | ||
71 | - isTiled(tif) ? "TileOffsets" : "StripOffsets"); | ||
72 | - goto bad; | ||
73 | - } | ||
74 | - } | ||
75 | + | ||
76 | /* | ||
77 | * Second pass: extract other information. | ||
78 | */ | ||
79 | @@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif) | ||
80 | } /* -- if (!dp->tdir_ignore) */ | ||
81 | } /* -- for-loop -- */ | ||
82 | |||
83 | - if( tif->tif_mode == O_RDWR && | ||
84 | - tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && | ||
85 | - tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && | ||
86 | - tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && | ||
87 | - tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && | ||
88 | - tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && | ||
89 | - tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && | ||
90 | - tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && | ||
91 | - tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) | ||
92 | - { | ||
93 | - /* Directory typically created with TIFFDeferStrileArrayWriting() */ | ||
94 | - TIFFSetupStrips(tif); | ||
95 | - } | ||
96 | - else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) | ||
97 | - { | ||
98 | - if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) | ||
99 | - { | ||
100 | - if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), | ||
101 | - tif->tif_dir.td_nstrips, | ||
102 | - &tif->tif_dir.td_stripoffset_p)) | ||
103 | - { | ||
104 | - goto bad; | ||
105 | - } | ||
106 | - } | ||
107 | - if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) | ||
108 | - { | ||
109 | - if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), | ||
110 | - tif->tif_dir.td_nstrips, | ||
111 | - &tif->tif_dir.td_stripbytecount_p)) | ||
112 | - { | ||
113 | - goto bad; | ||
114 | - } | ||
115 | - } | ||
116 | - } | ||
117 | - | ||
118 | /* | ||
119 | * OJPEG hack: | ||
120 | * - If a) compression is OJPEG, and b) photometric tag is missing, | ||
121 | @@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif) | ||
122 | } | ||
123 | } | ||
124 | |||
125 | + /* | ||
126 | + * Setup appropriate structures (by strip or by tile) | ||
127 | + * We do that only after the above OJPEG hack which alters SamplesPerPixel | ||
128 | + * and thus influences the number of strips in the separate planarconfig. | ||
129 | + */ | ||
130 | + if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { | ||
131 | + tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); | ||
132 | + tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; | ||
133 | + tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; | ||
134 | + tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; | ||
135 | + tif->tif_flags &= ~TIFF_ISTILED; | ||
136 | + } else { | ||
137 | + tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); | ||
138 | + tif->tif_flags |= TIFF_ISTILED; | ||
139 | + } | ||
140 | + if (!tif->tif_dir.td_nstrips) { | ||
141 | + TIFFErrorExt(tif->tif_clientdata, module, | ||
142 | + "Cannot handle zero number of %s", | ||
143 | + isTiled(tif) ? "tiles" : "strips"); | ||
144 | + goto bad; | ||
145 | + } | ||
146 | + tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; | ||
147 | + if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) | ||
148 | + tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; | ||
149 | + if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { | ||
150 | +#ifdef OJPEG_SUPPORT | ||
151 | + if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && | ||
152 | + (isTiled(tif)==0) && | ||
153 | + (tif->tif_dir.td_nstrips==1)) { | ||
154 | + /* | ||
155 | + * XXX: OJPEG hack. | ||
156 | + * If a) compression is OJPEG, b) it's not a tiled TIFF, | ||
157 | + * and c) the number of strips is 1, | ||
158 | + * then we tolerate the absence of stripoffsets tag, | ||
159 | + * because, presumably, all required data is in the | ||
160 | + * JpegInterchangeFormat stream. | ||
161 | + */ | ||
162 | + TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); | ||
163 | + } else | ||
164 | +#endif | ||
165 | + { | ||
166 | + MissingRequired(tif, | ||
167 | + isTiled(tif) ? "TileOffsets" : "StripOffsets"); | ||
168 | + goto bad; | ||
169 | + } | ||
170 | + } | ||
171 | + | ||
172 | + if( tif->tif_mode == O_RDWR && | ||
173 | + tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && | ||
174 | + tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && | ||
175 | + tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && | ||
176 | + tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && | ||
177 | + tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && | ||
178 | + tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && | ||
179 | + tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && | ||
180 | + tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) | ||
181 | + { | ||
182 | + /* Directory typically created with TIFFDeferStrileArrayWriting() */ | ||
183 | + TIFFSetupStrips(tif); | ||
184 | + } | ||
185 | + else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) | ||
186 | + { | ||
187 | + if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) | ||
188 | + { | ||
189 | + if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), | ||
190 | + tif->tif_dir.td_nstrips, | ||
191 | + &tif->tif_dir.td_stripoffset_p)) | ||
192 | + { | ||
193 | + goto bad; | ||
194 | + } | ||
195 | + } | ||
196 | + if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) | ||
197 | + { | ||
198 | + if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), | ||
199 | + tif->tif_dir.td_nstrips, | ||
200 | + &tif->tif_dir.td_stripbytecount_p)) | ||
201 | + { | ||
202 | + goto bad; | ||
203 | + } | ||
204 | + } | ||
205 | + } | ||
206 | + | ||
207 | /* | ||
208 | * Make sure all non-color channels are extrasamples. | ||
209 | * If it's not the case, define them as such. | ||
210 | -- | ||
211 | 2.25.1 | ||
212 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch new file mode 100644 index 0000000000..e59f5aad55 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Sat, 2 Apr 2022 22:33:31 +0200 | ||
4 | Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400) | ||
5 | |||
6 | CVE: CVE-2022-1355 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | [https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2] | ||
10 | |||
11 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
12 | --- | ||
13 | tools/tiffcp.c | 25 ++++++++++++++++++++----- | ||
14 | 1 file changed, 20 insertions(+), 5 deletions(-) | ||
15 | |||
16 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
17 | index fd129bb7..8d944ff6 100644 | ||
18 | --- a/tools/tiffcp.c | ||
19 | +++ b/tools/tiffcp.c | ||
20 | @@ -274,19 +274,34 @@ main(int argc, char* argv[]) | ||
21 | deftilewidth = atoi(optarg); | ||
22 | break; | ||
23 | case 'B': | ||
24 | - *mp++ = 'b'; *mp = '\0'; | ||
25 | + if (strlen(mode) < (sizeof(mode) - 1)) | ||
26 | + { | ||
27 | + *mp++ = 'b'; *mp = '\0'; | ||
28 | + } | ||
29 | break; | ||
30 | case 'L': | ||
31 | - *mp++ = 'l'; *mp = '\0'; | ||
32 | + if (strlen(mode) < (sizeof(mode) - 1)) | ||
33 | + { | ||
34 | + *mp++ = 'l'; *mp = '\0'; | ||
35 | + } | ||
36 | break; | ||
37 | case 'M': | ||
38 | - *mp++ = 'm'; *mp = '\0'; | ||
39 | + if (strlen(mode) < (sizeof(mode) - 1)) | ||
40 | + { | ||
41 | + *mp++ = 'm'; *mp = '\0'; | ||
42 | + } | ||
43 | break; | ||
44 | case 'C': | ||
45 | - *mp++ = 'c'; *mp = '\0'; | ||
46 | + if (strlen(mode) < (sizeof(mode) - 1)) | ||
47 | + { | ||
48 | + *mp++ = 'c'; *mp = '\0'; | ||
49 | + } | ||
50 | break; | ||
51 | case '8': | ||
52 | - *mp++ = '8'; *mp = '\0'; | ||
53 | + if (strlen(mode) < (sizeof(mode)-1)) | ||
54 | + { | ||
55 | + *mp++ = '8'; *mp = '\0'; | ||
56 | + } | ||
57 | break; | ||
58 | case 'x': | ||
59 | pageInSeq = 1; | ||
60 | -- | ||
61 | 2.25.1 | ||
62 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index c2d4b35d49..149516508f 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | |||
@@ -19,6 +19,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
19 | file://0005-fix-the-FPE-in-tiffcrop-393.patch \ | 19 | file://0005-fix-the-FPE-in-tiffcrop-393.patch \ |
20 | file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \ | 20 | file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \ |
21 | file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \ | 21 | file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \ |
22 | file://CVE-2022-1354.patch \ | ||
23 | file://CVE-2022-1355.patch \ | ||
22 | " | 24 | " |
23 | 25 | ||
24 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" | 26 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" |