tiff: backport a fix for CVE-2023-2731

This patch fixes an issue in libtiff's LZWDecode function which could cause a null pointer dereference. (From OE-Core rev: 7da5abf23232f61bf8009b4b8e97632768867e07) Signed-off-by: Natasha Bailey <nat.bailey@windriver.com> Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Natasha Bailey <nat.bailey@windriver.com> 2023-05-30 15:16:06 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-06-01 08:05:11 +0100
commit: 2f56bdb289b6487ac1e1781cdd620d5ccd1f7d9c (patch)
tree: d84362cf6bedcf840e5dc734933501be3a53be5a /meta/recipes-multimedia/libtiff
parent: 47bc65bf556e099c5130a5fe25b69834022cfd37 (diff)
download: poky-2f56bdb289b6487ac1e1781cdd620d5ccd1f7d9c.tar.gz
2 files changed, 42 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
new file mode 100644
index 0000000000..7db0a35f72
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
@@ -0,0 +1,39 @@
+From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 29 Apr 2023 12:20:46 +0200
+Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a
+ strip whith a missing end-of-information marker (fixes #548)
+CVE: CVE-2023-2731
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b]
+---
+ libtiff/tif_lzw.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index ba75a07e..d631fa10 100644
+--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
+@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s)
+ 
+     if (sp->read_error)
+     {
+        TIFFErrorExtR(tif, module,
+                      "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
+                      "previous error",
+                      tif->tif_row);
+         return 0;
+     }
+ 
+@@ -742,6 +746,7 @@ after_loop:
+     return (1);
+ 
+ no_eoi:
+    sp->read_error = 1;
+     TIFFErrorExtR(tif, module,
+                   "LZWDecode: Strip %" PRIu32 " not terminated with EOI code",
+                   tif->tif_curstrip);
+-- 
+2.34.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index f8a2482a84..ca4a3eff91 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
 CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
-           file://CVE-2022-48281.patch"
+           file://CVE-2022-48281.patch \
+           file://CVE-2023-2731.patch \
+"
 SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
author	Natasha Bailey <nat.bailey@windriver.com>	2023-05-30 15:16:06 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-06-01 08:05:11 +0100
commit	2f56bdb289b6487ac1e1781cdd620d5ccd1f7d9c (patch)
tree	d84362cf6bedcf840e5dc734933501be3a53be5a /meta/recipes-multimedia/libtiff
parent	47bc65bf556e099c5130a5fe25b69834022cfd37 (diff)
download	poky-2f56bdb289b6487ac1e1781cdd620d5ccd1f7d9c.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch new file mode 100644 index 0000000000..7db0a35f72 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
@@ -0,0 +1,39 @@
		1	From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001
		2	From: Even Rouault <even.rouault@spatialys.com>
		3	Date: Sat, 29 Apr 2023 12:20:46 +0200
		4	Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a
		5	strip whith a missing end-of-information marker (fixes #548)
		6
		7	CVE: CVE-2023-2731
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b]
		9
		10	---
		11	libtiff/tif_lzw.c \| 5 +++++
		12	1 file changed, 5 insertions(+)
		13
		14	diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
		15	index ba75a07e..d631fa10 100644
		16	--- a/libtiff/tif_lzw.c
		17	+++ b/libtiff/tif_lzw.c
		18	@@ -423,6 +423,10 @@ static int LZWDecode(TIFF tif, uint8_t op0, tmsize_t occ0, uint16_t s)
		19
		20	if (sp->read_error)
		21	{
		22	+ TIFFErrorExtR(tif, module,
		23	+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
		24	+ "previous error",
		25	+ tif->tif_row);
		26	return 0;
		27	}
		28
		29	@@ -742,6 +746,7 @@ after_loop:
		30	return (1);
		31
		32	no_eoi:
		33	+ sp->read_error = 1;
		34	TIFFErrorExtR(tif, module,
		35	"LZWDecode: Strip %" PRIu32 " not terminated with EOI code",
		36	tif->tif_curstrip);
		37	--
		38	2.34.1
		39


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb index f8a2482a84..ca4a3eff91 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
9	CVE_PRODUCT = "libtiff"	9	CVE_PRODUCT = "libtiff"
10		10
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
12	file://CVE-2022-48281.patch"	12	file://CVE-2022-48281.patch \
		13	file://CVE-2023-2731.patch \
		14	"
13		15
14	SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"	16	SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
15		17