author | Yogita Urade <yogita.urade@windriver.com> | 2024-02-02 08:26:32 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-02-08 10:53:13 +0000 |
commit | eba805ace44c6884377e765860059d39c61405a2 (patch) | |
tree | 288eb6b51dc8ae7dbcc36e449ba84483feb52aea | |
parent | 57d82f92c1060c5f15072f5d266dbac11665ae26 (diff) | |
download | poky-eba805ace44c6884377e765860059d39c61405a2.tar.gz |
tiff: fix CVE-2023-52355 and CVE-2023-52356
CVE-2023-52355:
An out-of-memory flaw was found in libtiff that could be
triggered by passing a crafted tiff file to the
TIFFRasterScanlineSize64() API. This flaw allows a remote
attacker to cause a denial of service via a crafted input
with a size smaller than 379 KB.
Issue fixed by providing a documentation update.
CVE-2023-52356:
A segment fault (SEGV) flaw was found in libtiff that could
be triggered by passing a crafted tiff file to the
TIFFReadRGBATileExt() API. This flaw allows a remote attacker
to cause a heap-buffer overflow, leading to a denial of service.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52355
https://security-tracker.debian.org/tracker/CVE-2023-52355
https://gitlab.com/libtiff/libtiff/-/issues/621
https://gitlab.com/libtiff/libtiff/-/merge_requests/553
https://nvd.nist.gov/vuln/detail/CVE-2023-52356
https://gitlab.com/libtiff/libtiff/-/issues/622
https://gitlab.com/libtiff/libtiff/-/merge_requests/546
(From OE-Core rev: 831d7a2fffb3dec94571289292f0940bc7ecd70a)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
4 files changed, 318 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch new file mode 100644 index 0000000000..f5520fcafd --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0001.patch | |||
@@ -0,0 +1,238 @@ | |||
1 | From 335947359ce2dd3862cd9f7c49f92eba065dfed4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Thu, 1 Feb 2024 13:06:08 +0000 | ||
4 | Subject: [PATCH] manpage: Update TIFF documentation about TIFFOpenOptions.rst | ||
5 | and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes. | ||
6 | |||
7 | CVE: CVE-2023-52355 | ||
8 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4] | ||
9 | |||
10 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
11 | --- | ||
12 | doc/functions/TIFFDeferStrileArrayWriting.rst | 5 +++ | ||
13 | doc/functions/TIFFError.rst | 3 ++ | ||
14 | doc/functions/TIFFOpen.rst | 13 +++--- | ||
15 | doc/functions/TIFFOpenOptions.rst | 44 ++++++++++++++++++- | ||
16 | doc/functions/TIFFStrileQuery.rst | 5 +++ | ||
17 | doc/libtiff.rst | 31 ++++++++++++- | ||
18 | 6 files changed, 91 insertions(+), 10 deletions(-) | ||
19 | |||
20 | diff --git a/doc/functions/TIFFDeferStrileArrayWriting.rst b/doc/functions/TIFFDeferStrileArrayWriting.rst | ||
21 | index 60ee746..705aebc 100644 | ||
22 | --- a/doc/functions/TIFFDeferStrileArrayWriting.rst | ||
23 | +++ b/doc/functions/TIFFDeferStrileArrayWriting.rst | ||
24 | @@ -61,6 +61,11 @@ Diagnostics | ||
25 | All error messages are directed to the :c:func:`TIFFErrorExtR` routine. | ||
26 | Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine. | ||
27 | |||
28 | +Note | ||
29 | +---- | ||
30 | + | ||
31 | +This functionality was introduced with libtiff 4.1. | ||
32 | + | ||
33 | See also | ||
34 | -------- | ||
35 | |||
36 | diff --git a/doc/functions/TIFFError.rst b/doc/functions/TIFFError.rst | ||
37 | index 99924ad..cf4b37c 100644 | ||
38 | --- a/doc/functions/TIFFError.rst | ||
39 | +++ b/doc/functions/TIFFError.rst | ||
40 | @@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`. | ||
41 | Furthermore, a **custom defined data structure** *user_data* for the | ||
42 | error handler can be given along. | ||
43 | |||
44 | +Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the | ||
45 | +application-specific handler introduced with libtiff 4.5. | ||
46 | + | ||
47 | Note | ||
48 | ---- | ||
49 | |||
50 | diff --git a/doc/functions/TIFFOpen.rst b/doc/functions/TIFFOpen.rst | ||
51 | index db79d7b..adc474f 100644 | ||
52 | --- a/doc/functions/TIFFOpen.rst | ||
53 | +++ b/doc/functions/TIFFOpen.rst | ||
54 | @@ -94,8 +94,9 @@ TIFF structure without closing the file handle and afterwards the | ||
55 | file should be closed using its file descriptor *fd*. | ||
56 | |||
57 | :c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`, | ||
58 | -but options, such as re-entrant error and warning handlers may be passed | ||
59 | -with the *opts* argument. The *opts* argument may be NULL. | ||
60 | +but options, such as re-entrant error and warning handlers and a limit in byte | ||
61 | +that libtiff internal memory allocation functions are allowed to request per call | ||
62 | +may be passed with the *opts* argument. The *opts* argument may be NULL. | ||
63 | Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument | ||
64 | parameters. The allocated memory for :c:type:`TIFFOpenOptions` | ||
65 | can be released straight after successful execution of the related | ||
66 | @@ -105,9 +106,7 @@ can be released straight after successful execution of the related | ||
67 | but opens a TIFF file with a Unicode filename. | ||
68 | |||
69 | :c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`, | ||
70 | -but options, such as re-entrant error and warning handlers may be passed | ||
71 | -with the *opts* argument. The *opts* argument may be NULL. | ||
72 | -Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument. | ||
73 | +but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed. | ||
74 | |||
75 | :c:func:`TIFFSetFileName` sets the file name in the tif-structure | ||
76 | and returns the old file name. | ||
77 | @@ -326,5 +325,5 @@ See also | ||
78 | |||
79 | :doc:`libtiff` (3tiff), | ||
80 | :doc:`TIFFClose` (3tiff), | ||
81 | -:doc:`TIFFStrileQuery`, | ||
82 | -:doc:`TIFFOpenOptions` | ||
83 | \ No newline at end of file | ||
84 | +:doc:`TIFFStrileQuery` (3tiff), | ||
85 | +:doc:`TIFFOpenOptions` | ||
86 | diff --git a/doc/functions/TIFFOpenOptions.rst b/doc/functions/TIFFOpenOptions.rst | ||
87 | index 5c67566..23f2975 100644 | ||
88 | --- a/doc/functions/TIFFOpenOptions.rst | ||
89 | +++ b/doc/functions/TIFFOpenOptions.rst | ||
90 | @@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`TIFFOpenOptions` pointer. | ||
91 | :c:func:`TIFFOpenOptionsFree` releases the allocated memory for | ||
92 | :c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions` | ||
93 | can be released straight after successful execution of the related | ||
94 | -TIFF open"Ext" functions like :c:func:`TIFFOpenExt`. | ||
95 | +TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`. | ||
96 | |||
97 | :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the | ||
98 | maximum single memory limit in byte that ``libtiff`` internal memory allocation | ||
99 | functions are allowed to request per call. | ||
100 | |||
101 | +.. note:: | ||
102 | + However, the ``libtiff`` external functions :c:func:`_TIFFmalloc` | ||
103 | + and :c:func:`_TIFFrealloc` **do not apply** this internal memory | ||
104 | + allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`! | ||
105 | + | ||
106 | :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to | ||
107 | an application-specific and per-TIFF handle (re-entrant) error handler. | ||
108 | Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data* | ||
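Review bot: the added `.. note::` states that `_TIFFmalloc` and `_TIFFrealloc` do not apply the limit set by `TIFFOpenOptionsSetMaxSingleMemAlloc`, but it does not tell the caller what to do about that. The commit message resolves CVE-2023-52355 by documentation alone, so this is the place to say that an application which sizes its own buffers from file-derived values (for example the result of `TIFFRasterScanlineSize64()`) has to bound that size itself before passing it to `_TIFFmalloc`. One more sentence in the note would make the mitigation actionable.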
109 | @@ -55,6 +60,43 @@ The *errorhandler_user_data* argument may be NULL. | ||
110 | :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler, | ||
111 | which is invoked through :c:func:`TIFFWarningExtR` | ||
112 | |||
113 | +Example | ||
114 | +------- | ||
115 | + | ||
116 | +:: | ||
117 | + | ||
118 | + #include "tiffio.h" | ||
119 | + | ||
120 | + typedef struct MyErrorHandlerUserDataStruct | ||
121 | + { | ||
122 | + /* ... any user data structure ... */ | ||
123 | + } MyErrorHandlerUserDataStruct; | ||
124 | + | ||
125 | + static int myErrorHandler(TIFF *tiff, void *user_data, const char *module, | ||
126 | + const char *fmt, va_list ap) | ||
127 | + { | ||
128 | + MyErrorHandlerUserDataStruct *errorhandler_user_data = | ||
129 | + (MyErrorHandlerUserDataStruct *)user_data; | ||
130 | + /*... code of myErrorHandler ...*/ | ||
131 | + return 1; | ||
132 | + } | ||
133 | + | ||
134 | + | ||
135 | + main() | ||
136 | + { | ||
137 | + tmsize_t limit = (256 * 1024 * 1024); | ||
138 | + MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */}; | ||
139 | + | ||
140 | + TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); | ||
141 | + TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); | ||
142 | + TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data); | ||
143 | + TIFF *tif = TIFFOpenExt("foo.tif", "r", opts); | ||
144 | + TIFFOpenOptionsFree(opts); | ||
145 | + /* ... go on here ... */ | ||
146 | + | ||
147 | + TIFFClose(tif); | ||
148 | + } | ||
149 | + | ||
150 | Note | ||
151 | ---- | ||
152 | |||
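Review bot: the example never checks the result of `TIFFOpenExt("foo.tif", "r", opts)` before reaching `TIFFClose(tif)`, which is the wrong pattern to show in the documentation meant to address a crafted-file denial of service. Suggest adding `if (tif == NULL) return 1;` after `TIFFOpenOptionsFree(opts);`. Two smaller points in the same block: `main()` is declared without a return type, and `errorhandler_user_data` in `myErrorHandler` is assigned but never used, so the sample will produce warnings when copied into a project built with a strict compiler configuration.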
153 | diff --git a/doc/functions/TIFFStrileQuery.rst b/doc/functions/TIFFStrileQuery.rst | ||
154 | index f8631af..7931fe4 100644 | ||
155 | --- a/doc/functions/TIFFStrileQuery.rst | ||
156 | +++ b/doc/functions/TIFFStrileQuery.rst | ||
157 | @@ -66,6 +66,11 @@ Diagnostics | ||
158 | All error messages are directed to the :c:func:`TIFFErrorExtR` routine. | ||
159 | Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine. | ||
160 | |||
161 | +Note | ||
162 | +---- | ||
163 | + | ||
164 | +This functionality was introduced with libtiff 4.1. | ||
165 | + | ||
166 | See also | ||
167 | -------- | ||
168 | |||
169 | diff --git a/doc/libtiff.rst b/doc/libtiff.rst | ||
170 | index 6a0054c..d96a860 100644 | ||
171 | --- a/doc/libtiff.rst | ||
172 | +++ b/doc/libtiff.rst | ||
173 | @@ -90,11 +90,15 @@ compatibility on machines with a segmented architecture. | ||
174 | :c:func:`realloc`, and :c:func:`free` routines in the C library.) | ||
175 | |||
176 | To deal with segmented pointer issues ``libtiff`` also provides | ||
177 | -:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove` | ||
178 | +:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp` | ||
179 | routines that mimic the equivalent ANSI C routines, but that are | ||
180 | intended for use with memory allocated through :c:func:`_TIFFmalloc` | ||
181 | and :c:func:`_TIFFrealloc`. | ||
182 | |||
183 | +With ``libtiff`` 4.5 a method was introduced to limit the internal | ||
184 | +memory allocation that functions are allowed to request per call | ||
185 | +(see :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`). | ||
186 | + | ||
187 | Error Handling | ||
188 | -------------- | ||
189 | |||
190 | @@ -106,6 +110,10 @@ routine that can be specified with a call to :c:func:`TIFFSetErrorHandler`. | ||
191 | Likewise warning messages are directed to a single handler routine | ||
192 | that can be specified with a call to :c:func:`TIFFSetWarningHandler` | ||
193 | |||
194 | +Further application-specific and per-TIFF handle (re-entrant) error handler | ||
195 | +and warning handler can be set. Please refer to :doc:`/functions/TIFFError` | ||
196 | +and :doc:`/functions/TIFFOpenOptions`. | ||
197 | + | ||
198 | Basic File Handling | ||
199 | ------------------- | ||
200 | |||
201 | @@ -139,7 +147,7 @@ a ``"w"`` argument: | ||
202 | main() | ||
203 | { | ||
204 | TIFF* tif = TIFFOpen("foo.tif", "w"); | ||
205 | - ... do stuff ... | ||
206 | + /* ... do stuff ... */ | ||
207 | TIFFClose(tif); | ||
208 | } | ||
209 | |||
210 | @@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c:func:`TIFFFlush` to flush any | ||
211 | buffered information to a file. Note that if you call :c:func:`TIFFClose` | ||
212 | you do not need to call :c:func:`TIFFFlush`. | ||
213 | |||
214 | +.. warning:: | ||
215 | + | ||
216 | + In order to prevent out-of-memory issues when opening a TIFF file | ||
217 | + :c:func:`TIFFOpenExt` can be used and then the maximum single memory | ||
218 | + limit in byte that ``libtiff`` internal memory allocation functions | ||
219 | + are allowed to request per call can be set with | ||
220 | + :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`. | ||
221 | + | ||
222 | +Example | ||
223 | + | ||
224 | +:: | ||
225 | + | ||
226 | + tmsize_t limit = (256 * 1024 * 1024); | ||
227 | + TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); | ||
228 | + TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); | ||
229 | + TIFF *tif = TIFFOpenExt("foo.tif", "w", opts); | ||
230 | + TIFFOpenOptionsFree(opts); | ||
231 | + /* ... go on here ... */ | ||
232 | + | ||
233 | TIFF Directories | ||
234 | ---------------- | ||
235 | |||
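Review bot: the example under the new `.. warning::` opens the file with `TIFFOpenExt("foo.tif", "w", opts)`, but the warning is about out-of-memory conditions when opening a TIFF file, which is the read path; the matching example added to TIFFOpenOptions.rst in this same patch uses `"r"`. Suggest switching this one to `"r"` so both examples show the case the limit is meant for, and checking `tif` for NULL before going on.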
236 | -- | ||
237 | 2.40.0 | ||
238 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch new file mode 100644 index 0000000000..19a1ef727a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52355-0002.patch | |||
@@ -0,0 +1,28 @@ | |||
1 | From 16ab4a205cfc938c32686e8d697d048fabf97ed4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Timothy Lyanguzov <theta682@gmail.com> | ||
3 | Date: Thu, 1 Feb 2024 11:19:06 +0000 | ||
4 | Subject: [PATCH] Fix typo. | ||
5 | |||
6 | CVE: CVE-2023-52355 | ||
7 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4] | ||
8 | |||
9 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
10 | --- | ||
11 | doc/libtiff.rst | 2 +- | ||
12 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/doc/libtiff.rst b/doc/libtiff.rst | ||
15 | index d96a860..4fedc3e 100644 | ||
16 | --- a/doc/libtiff.rst | ||
17 | +++ b/doc/libtiff.rst | ||
18 | @@ -169,7 +169,7 @@ you do not need to call :c:func:`TIFFFlush`. | ||
19 | |||
20 | In order to prevent out-of-memory issues when opening a TIFF file | ||
21 | :c:func:`TIFFOpenExt` can be used and then the maximum single memory | ||
22 | - limit in byte that ``libtiff`` internal memory allocation functions | ||
23 | + limit in bytes that ``libtiff`` internal memory allocation functions | ||
24 | are allowed to request per call can be set with | ||
25 | :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`. | ||
26 | |||
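Review bot: this corrects "in byte" to "in bytes" only in doc/libtiff.rst, while CVE-2023-52355-0001.patch adds the same wording to doc/functions/TIFFOpen.rst (`+but options, such as re-entrant error and warning handlers and a limit in byte`) and leaves it on the unchanged line "maximum single memory limit in byte" in doc/functions/TIFFOpenOptions.rst. If the typo fix is worth carrying as a separate backport, the other two occurrences should be covered as well; otherwise the one-word change could be dropped from the recipe without losing anything security-relevant.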
27 | -- | ||
28 | 2.40.0 | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch new file mode 100644 index 0000000000..75f5d8946a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Thu, 1 Feb 2024 11:38:14 +0000 | ||
4 | Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of | ||
5 | col/row (fixes #622) | ||
6 | |||
7 | CVE: CVE-2023-52356 | ||
8 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] | ||
9 | |||
10 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
11 | --- | ||
12 | libtiff/tif_getimage.c | 15 +++++++++++++++ | ||
13 | 1 file changed, 15 insertions(+) | ||
14 | |||
15 | diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c | ||
16 | index 41f7dfd..9cd6eee 100644 | ||
17 | --- a/libtiff/tif_getimage.c | ||
18 | +++ b/libtiff/tif_getimage.c | ||
19 | @@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster, | ||
20 | if (TIFFRGBAImageOK(tif, emsg) && | ||
21 | TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) | ||
22 | { | ||
23 | + if (row >= img.height) | ||
24 | + { | ||
25 | + TIFFErrorExtR(tif, TIFFFileName(tif), | ||
26 | + "Invalid row passed to TIFFReadRGBAStrip()."); | ||
27 | + TIFFRGBAImageEnd(&img); | ||
28 | + return (0); | ||
29 | + } | ||
30 | |||
31 | img.row_offset = row; | ||
32 | img.col_offset = 0; | ||
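Review bot: the error text at `"Invalid row passed to TIFFReadRGBAStrip()."` names the non-Ext function although the check sits in `TIFFReadRGBAStripExt`, and it reports neither the rejected `row` nor `img.height`. Including both values in the message would let someone triaging a log distinguish a malformed file from a caller bug without re-running under a debugger. The cleanup order is fine: `TIFFRGBAImageEnd(&img)` is called before the early return, matching the successful `TIFFRGBAImageBegin` above.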
33 | @@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster, | ||
34 | return (0); | ||
35 | } | ||
36 | |||
37 | + if (col >= img.width || row >= img.height) | ||
38 | + { | ||
39 | + TIFFErrorExtR(tif, TIFFFileName(tif), | ||
40 | + "Invalid row/col passed to TIFFReadRGBATile()."); | ||
41 | + TIFFRGBAImageEnd(&img); | ||
42 | + return (0); | ||
43 | + } | ||
44 | + | ||
45 | /* | ||
46 | * The TIFFRGBAImageGet() function doesn't allow us to get off the | ||
47 | * edge of the image, even to fill an otherwise valid tile. So we | ||
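Review bot: nothing in this patch exercises the new rejection path for `col >= img.width || row >= img.height`; the diffstat lists only libtiff/tif_getimage.c with 15 insertions. For a fix to a heap-buffer overflow, a regression test that calls `TIFFReadRGBATileExt` with `col` equal to the image width (and likewise for `row`) and asserts a return of 0 would keep the check from being lost in a later refactor. A short comment above the new block stating that only tile origins outside the image are rejected, and that partial edge tiles are still handled by the code described in the comment below, would also help.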
48 | -- | ||
49 | 2.40.0 | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index eb8a096f19..a26e4694f6 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | |||
@@ -13,6 +13,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
13 | file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \ | 13 | file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \ |
14 | file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \ | 14 | file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \ |
15 | file://CVE-2023-6228.patch \ | 15 | file://CVE-2023-6228.patch \ |
16 | file://CVE-2023-52355-0001.patch \ | ||
17 | file://CVE-2023-52355-0002.patch \ | ||
18 | file://CVE-2023-52356.patch \ | ||
16 | " | 19 | " |
17 | 20 | ||
18 | SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a" | 21 | SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a" |
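Review bot: both `CVE-2023-52355-0001.patch` and `CVE-2023-52355-0002.patch` carry a `CVE: CVE-2023-52355` tag, yet their diffstats touch only files under doc/, so adding them to `SRC_URI` will make CVE checking report the issue as patched without any change to the built library. The commit message does say the issue is "fixed by providing a documentation update", but that context is not visible from the recipe. Suggest recording the reasoning next to the entries (for example through a `CVE_STATUS[CVE-2023-52355]` entry with an explanatory string, or a comment above these two lines) so that downstream users know the mitigation depends on applications calling `TIFFOpenOptionsSetMaxSingleMemAlloc` themselves.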