tiff: fix CVE-2023-41175

libtiff: potential integer overflow in raw2tiff.c References: https://bugzilla.redhat.com/show_bug.cgi?id=2235264 https://security-tracker.debian.org/tracker/CVE-2023-41175 https://gitlab.com/libtiff/libtiff/-/issues/592 (From OE-Core rev: 4ee806cbc12fbc830b09ba6222e96b1e5f24539f) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yogita Urade <yogita.urade@windriver.com> 2023-09-15 07:34:49 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-09-20 08:57:26 +0100
commit: 558f2e49a50e5c9daebd586b6a02b598aa1f6dd0 (patch)
tree: 9fa28be062c828f099365d509999e87908510a9b /meta/recipes-multimedia/libtiff
parent: 1843db6ae3aa77aa1d4e68dd3b130c419df548f8 (diff)
download: poky-558f2e49a50e5c9daebd586b6a02b598aa1f6dd0.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
new file mode 100644
index 0000000000..cca30b2196
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
@@ -0,0 +1,63 @@
+From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Thu, 14 Sep 2023 04:36:58 +0000
+Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes
+   #592)
+CVE: CVE-2023-41175
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/raw2tiff.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
+index 4ee59e5..a811077 100644
+--- a/tools/raw2tiff.c
+++ b/tools/raw2tiff.c
+@@ -101,6 +101,7 @@ int main(int argc, char *argv[])
+     int fd;
+     char *outfilename = NULL;
+     TIFF *out;
+    uint32_t temp_limit_check = 0;     /* temp for integer overflow checking*/
+     uint32_t row, col, band;
+     int c;
+@@ -221,6 +222,33 @@ int main(int argc, char *argv[])
+     if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
+         return EXIT_FAILURE;
+    /* check for integer overflow in */
+    /* hdr_size + (*width) * (*length) * nbands * depth */
+
+    if ((width == 0) || (length == 0) ){
+        fprintf(stderr, "Too large nbands value specified.\n");
+        return (EXIT_FAILURE);
+    }
+
+    temp_limit_check = nbands * depth;
+
+    if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) )  {
+        fprintf(stderr, "Too large length size specified.\n");
+        return (EXIT_FAILURE);
+    }
+    temp_limit_check = temp_limit_check * length;
+
+    if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) )  {
+        fprintf(stderr, "Too large width size specified.\n");
+        return (EXIT_FAILURE);
+    }
+    temp_limit_check = temp_limit_check * width;
+
+    if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) )  {
+        fprintf(stderr, "Too large header size specified.\n");
+        return (EXIT_FAILURE);
+    }
+
+     if (outfilename == NULL)
+         outfilename = argv[optind + 1];
+     out = TIFFOpen(outfilename, "w");
+--
+2.35.5
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index d002e1b233..2b5e66b8f3 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -10,6 +10,7 @@ CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-40745.patch \
+           file://CVE-2023-41175.patch \
           "
 SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"
author	Yogita Urade <yogita.urade@windriver.com>	2023-09-15 07:34:49 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-09-20 08:57:26 +0100
commit	558f2e49a50e5c9daebd586b6a02b598aa1f6dd0 (patch)
tree	9fa28be062c828f099365d509999e87908510a9b /meta/recipes-multimedia/libtiff
parent	1843db6ae3aa77aa1d4e68dd3b130c419df548f8 (diff)
download	poky-558f2e49a50e5c9daebd586b6a02b598aa1f6dd0.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch new file mode 100644 index 0000000000..cca30b2196 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
@@ -0,0 +1,63 @@
		1	From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
		2	From: Arie Haenel <arie.haenel@jct.ac.il>
		3	Date: Thu, 14 Sep 2023 04:36:58 +0000
		4	Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes
		5	#592)
		6
		7	CVE: CVE-2023-41175
		8
		9	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
		10
		11	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		12	---
		13	tools/raw2tiff.c \| 28 ++++++++++++++++++++++++++++
		14	1 file changed, 28 insertions(+)
		15
		16	diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
		17	index 4ee59e5..a811077 100644
		18	--- a/tools/raw2tiff.c
		19	+++ b/tools/raw2tiff.c
		20	@@ -101,6 +101,7 @@ int main(int argc, char *argv[])
		21	int fd;
		22	char *outfilename = NULL;
		23	TIFF *out;
		24	+ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/
		25
		26	uint32_t row, col, band;
		27	int c;
		28	@@ -221,6 +222,33 @@ int main(int argc, char *argv[])
		29	if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
		30	return EXIT_FAILURE;
		31
		32	+ /* check for integer overflow in */
		33	+ /* hdr_size + (width) (length) nbands * depth */
		34	+
		35	+ if ((width == 0) \|\| (length == 0) ){
		36	+ fprintf(stderr, "Too large nbands value specified.\n");
		37	+ return (EXIT_FAILURE);
		38	+ }
		39	+
		40	+ temp_limit_check = nbands * depth;
		41	+
		42	+ if ( !temp_limit_check \|\| length > ( UINT_MAX / temp_limit_check ) ) {
		43	+ fprintf(stderr, "Too large length size specified.\n");
		44	+ return (EXIT_FAILURE);
		45	+ }
		46	+ temp_limit_check = temp_limit_check * length;
		47	+
		48	+ if ( !temp_limit_check \|\| width > ( UINT_MAX / temp_limit_check ) ) {
		49	+ fprintf(stderr, "Too large width size specified.\n");
		50	+ return (EXIT_FAILURE);
		51	+ }
		52	+ temp_limit_check = temp_limit_check * width;
		53	+
		54	+ if ( !temp_limit_check \|\| hdr_size > ( UINT_MAX - temp_limit_check ) ) {
		55	+ fprintf(stderr, "Too large header size specified.\n");
		56	+ return (EXIT_FAILURE);
		57	+ }
		58	+
		59	if (outfilename == NULL)
		60	outfilename = argv[optind + 1];
		61	out = TIFFOpen(outfilename, "w");
		62	--
		63	2.35.5


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb index d002e1b233..2b5e66b8f3 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -10,6 +10,7 @@ CVE_PRODUCT = "libtiff"
10		10
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
12	file://CVE-2023-40745.patch \	12	file://CVE-2023-40745.patch \
		13	file://CVE-2023-41175.patch \
13	"	14	"
14		15
15	SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"	16	SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"