tiff: Security fixes CVE-2022-1354 and CVE-2022-1355

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-1354
https://security-tracker.debian.org/tracker/CVE-2022-1354

https://nvd.nist.gov/vuln/detail/CVE-2022-1355
https://security-tracker.debian.org/tracker/CVE-2022-1355

Patches from:

CVE-2022-1354:
https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798

CVE-2022-1355:
https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2

(From OE-Core rev: 6c373c041f1dd45458866408d1ca16d47cacbd86)

(From OE-Core rev: 8414d39f3f89cc1176bd55c9455ad942db8ea4b1)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 62 insertions, 0 deletions

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
new file mode 100644
index 0000000000..e59f5aad55
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
@@ -0,0 +1,62 @@
+From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 2 Apr 2022 22:33:31 +0200
+Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
+
+CVE: CVE-2022-1355
+
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ tools/tiffcp.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index fd129bb7..8d944ff6 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -274,19 +274,34 @@ main(int argc, char* argv[])
+                        deftilewidth = atoi(optarg);
+                        break;
+                case 'B':
+-                       *mp++ = 'b'; *mp = '\0';
++                       if (strlen(mode) < (sizeof(mode) - 1))
++                       {
++                               *mp++ = 'b'; *mp = '\0';
++                       }
+                        break;
+                case 'L':
+-                       *mp++ = 'l'; *mp = '\0';
++                       if (strlen(mode) < (sizeof(mode) - 1))
++                       {
++                               *mp++ = 'l'; *mp = '\0';
++                       }
+                        break;
+                case 'M':
+-                       *mp++ = 'm'; *mp = '\0';
++                       if (strlen(mode) < (sizeof(mode) - 1))
++                       {
++                               *mp++ = 'm'; *mp = '\0';
++                       }
+                        break;
+                case 'C':
+-                       *mp++ = 'c'; *mp = '\0';
++                       if (strlen(mode) < (sizeof(mode) - 1))
++                       {
++                               *mp++ = 'c'; *mp = '\0';
++                       }
+                        break;
+                case '8':
+-                       *mp++ = '8'; *mp = '\0';
++                       if (strlen(mode) < (sizeof(mode)-1))
++                       {
++                               *mp++ = '8'; *mp = '\0';
++                       }
+                        break;
+                case 'x':
+                        pageInSeq = 1;
+-- 
+2.25.1
+