diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-03-22 18:34:35 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-04-05 06:34:42 -0700 |
commit | e555aefeef5e87927560aa941bb937511425f7a6 (patch) | |
tree | f0c2cd8de187737acd21705e794434b0deac3373 /meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch | |
parent | 1c2fbec01fafc81c6cb2e62f8b18625d81a8066a (diff) | |
download | poky-e555aefeef5e87927560aa941bb937511425f7a6.tar.gz |
libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356
import patches from ubuntu to fix
CVE-2023-6277
CVE-2023-52356
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/?h=ubuntu%2Ffocal-security
Upstream commit
https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
&
https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa
&
https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3
&
https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a
&
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
(From OE-Core rev: 15abae1f6a9861e28ce35b015cb3ddc434f9fca4)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch new file mode 100644 index 0000000000..1b651e6529 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | [Ubuntu note: Backport of the following patch from upstream, with a few changes | ||
2 | to match the current version of the file in the present Ubuntu release: | ||
3 | . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet); | ||
4 | -- Rodrigo Figueiredo Zaiden] | ||
5 | |||
6 | Backport of: | ||
7 | |||
8 | From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 | ||
9 | From: Even Rouault <even.rouault@spatialys.com> | ||
10 | Date: Tue, 31 Oct 2023 15:58:41 +0100 | ||
11 | Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of | ||
12 | col/row (fixes #622) | ||
13 | |||
14 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security | ||
15 | Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] | ||
16 | CVE: CVE-2023-52356 | ||
17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
18 | --- | ||
19 | libtiff/tif_getimage.c | 15 +++++++++++++++ | ||
20 | 1 file changed, 15 insertions(+) | ||
21 | |||
22 | |||
23 | --- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c | ||
24 | +++ tiff-4.1.0+git191117/libtiff/tif_getimage.c | ||
25 | @@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r | ||
26 | } | ||
27 | |||
28 | if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { | ||
29 | + if (row >= img.height) | ||
30 | + { | ||
31 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), | ||
32 | + "Invalid row passed to TIFFReadRGBAStrip()."); | ||
33 | + TIFFRGBAImageEnd(&img); | ||
34 | + return (0); | ||
35 | + } | ||
36 | |||
37 | img.row_offset = row; | ||
38 | img.col_offset = 0; | ||
39 | @@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co | ||
40 | return( 0 ); | ||
41 | } | ||
42 | |||
43 | + if (col >= img.width || row >= img.height) | ||
44 | + { | ||
45 | + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), | ||
46 | + "Invalid row/col passed to TIFFReadRGBATile()."); | ||
47 | + TIFFRGBAImageEnd(&img); | ||
48 | + return (0); | ||
49 | + } | ||
50 | + | ||
51 | /* | ||
52 | * The TIFFRGBAImageGet() function doesn't allow us to get off the | ||
53 | * edge of the image, even to fill an otherwise valid tile. So we | ||