diff options
author | Chee Yang Lee <chee.yang.lee@intel.com> | 2023-03-02 13:26:06 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-03-20 17:20:44 +0000 |
commit | 857a8bdd9c98c71a4932ca7886f2c688c8668ccb (patch) | |
tree | 407517c674f4ab6ddf60d553281ac047d81b2cdd /meta/recipes-multimedia | |
parent | b7da7c8996257d3b249688744fb394f49168749c (diff) | |
download | poky-857a8bdd9c98c71a4932ca7886f2c688c8668ccb.tar.gz |
tiff: fix multiple CVEs
import patch from debian to fix
CVE-2022-48281
http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.2.0-1+deb11u4.debian.tar.xz
import patch from fedora to fix
CVE-2023-0800
CVE-2023-0801
CVE-2023-0802
CVE-2023-0803
CVE-2023-0804
https://src.fedoraproject.org/rpms/libtiff/c/91856895aadf3cce6353f40c2feef9bf0b486440
(From OE-Core rev: f2782b4cac461909cf432db13516e443fee8c3de)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit d9ce9b37236f5c16ffba4572ad720aeb50edeee9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
3 files changed, 156 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch new file mode 100644 index 0000000000..4f8dc35251 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch | |||
@@ -0,0 +1,26 @@ | |||
1 | From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001 | ||
2 | From: Su Laus <sulau@freenet.de> | ||
3 | Date: Sat, 21 Jan 2023 15:58:10 +0000 | ||
4 | Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. | ||
5 | |||
6 | |||
7 | Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.2.0-1+deb11u4.debian.tar.xz] | ||
8 | CVE: CVE-2022-48281 | ||
9 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
10 | --- | ||
11 | tools/tiffcrop.c | 2 +- | ||
12 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
13 | |||
14 | Index: tiff-4.2.0/tools/tiffcrop.c | ||
15 | =================================================================== | ||
16 | --- tiff-4.2.0.orig/tools/tiffcrop.c | ||
17 | +++ tiff-4.2.0/tools/tiffcrop.c | ||
18 | @@ -7516,7 +7516,7 @@ processCropSelections(struct image_data | ||
19 | crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
20 | else | ||
21 | { | ||
22 | - prev_cropsize = seg_buffs[0].size; | ||
23 | + prev_cropsize = seg_buffs[1].size; | ||
24 | if (prev_cropsize < cropsize) | ||
25 | { | ||
26 | next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch new file mode 100644 index 0000000000..8372bc35f2 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch | |||
@@ -0,0 +1,128 @@ | |||
1 | From 82a7fbb1fa7228499ffeb3a57a1d106a9626d57c Mon Sep 17 00:00:00 2001 | ||
2 | From: Su Laus <sulau@freenet.de> | ||
3 | Date: Sun, 5 Feb 2023 15:53:15 +0000 | ||
4 | Subject: [PATCH] tiffcrop: added check for assumption on composite images | ||
5 | (fixes #496) | ||
6 | |||
7 | tiffcrop: For composite images with more than one region, the combined_length or combined_width always needs to be equal, respectively. Otherwise, even the first section/region copy action might cause buffer overrun. This is now checked before the first copy action. | ||
8 | |||
9 | Closes #496, #497, #498, #500, #501. | ||
10 | |||
11 | Upstream-Status: Backport [import from fedora https://src.fedoraproject.org/rpms/libtiff/c/91856895aadf3cce6353f40c2feef9bf0b486440 ] | ||
12 | CVE: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 | ||
13 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
14 | --- | ||
15 | tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++-- | ||
16 | 1 file changed, 66 insertions(+), 2 deletions(-) | ||
17 | |||
18 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
19 | index 84e26ac6..480b927c 100644 | ||
20 | --- a/tools/tiffcrop.c | ||
21 | +++ b/tools/tiffcrop.c | ||
22 | @@ -5329,18 +5329,39 @@ | ||
23 | |||
24 | crop->regionlist[i].buffsize = buffsize; | ||
25 | crop->bufftotal += buffsize; | ||
26 | + /* For composite images with more than one region, the | ||
27 | + * combined_length or combined_width always needs to be equal, | ||
28 | + * respectively. | ||
29 | + * Otherwise, even the first section/region copy | ||
30 | + * action might cause buffer overrun. */ | ||
31 | if (crop->img_mode == COMPOSITE_IMAGES) | ||
32 | { | ||
33 | switch (crop->edge_ref) | ||
34 | { | ||
35 | case EDGE_LEFT: | ||
36 | case EDGE_RIGHT: | ||
37 | + if (i > 0 && zlength != crop->combined_length) | ||
38 | + { | ||
39 | + TIFFError( | ||
40 | + "computeInputPixelOffsets", | ||
41 | + "Only equal length regions can be combined for " | ||
42 | + "-E left or right"); | ||
43 | + return (-1); | ||
44 | + } | ||
45 | crop->combined_length = zlength; | ||
46 | crop->combined_width += zwidth; | ||
47 | break; | ||
48 | case EDGE_BOTTOM: | ||
49 | case EDGE_TOP: /* width from left, length from top */ | ||
50 | default: | ||
51 | + if (i > 0 && zwidth != crop->combined_width) | ||
52 | + { | ||
53 | + TIFFError("computeInputPixelOffsets", | ||
54 | + "Only equal width regions can be " | ||
55 | + "combined for -E " | ||
56 | + "top or bottom"); | ||
57 | + return (-1); | ||
58 | + } | ||
59 | crop->combined_width = zwidth; | ||
60 | crop->combined_length += zlength; | ||
61 | break; | ||
62 | @@ -6546,6 +6567,46 @@ | ||
63 | crop->combined_width = 0; | ||
64 | crop->combined_length = 0; | ||
65 | |||
66 | + /* If there is more than one region, check beforehand whether all the width | ||
67 | + * and length values of the regions are the same, respectively. */ | ||
68 | + switch (crop->edge_ref) | ||
69 | + { | ||
70 | + default: | ||
71 | + case EDGE_TOP: | ||
72 | + case EDGE_BOTTOM: | ||
73 | + for (i = 1; i < crop->selections; i++) | ||
74 | + { | ||
75 | + uint32_t crop_width0 = | ||
76 | + crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1; | ||
77 | + uint32_t crop_width1 = | ||
78 | + crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; | ||
79 | + if (crop_width0 != crop_width1) | ||
80 | + { | ||
81 | + TIFFError("extractCompositeRegions", | ||
82 | + "Only equal width regions can be combined for -E " | ||
83 | + "top or bottom"); | ||
84 | + return (1); | ||
85 | + } | ||
86 | + } | ||
87 | + break; | ||
88 | + case EDGE_LEFT: | ||
89 | + case EDGE_RIGHT: | ||
90 | + for (i = 1; i < crop->selections; i++) | ||
91 | + { | ||
92 | + uint32_t crop_length0 = | ||
93 | + crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1; | ||
94 | + uint32_t crop_length1 = | ||
95 | + crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; | ||
96 | + if (crop_length0 != crop_length1) | ||
97 | + { | ||
98 | + TIFFError("extractCompositeRegions", | ||
99 | + "Only equal length regions can be combined for " | ||
100 | + "-E left or right"); | ||
101 | + return (1); | ||
102 | + } | ||
103 | + } | ||
104 | + } | ||
105 | + | ||
106 | for (i = 0; i < crop->selections; i++) | ||
107 | { | ||
108 | /* rows, columns, width, length are expressed in pixels */ | ||
109 | @@ -6570,7 +6631,8 @@ | ||
110 | default: | ||
111 | case EDGE_TOP: | ||
112 | case EDGE_BOTTOM: | ||
113 | - if ((i > 0) && (crop_width != crop->regionlist[i - 1].width)) | ||
114 | + if ((crop->selections > i + 1) && | ||
115 | + (crop_width != crop->regionlist[i + 1].width)) | ||
116 | { | ||
117 | TIFFError ("extractCompositeRegions", | ||
118 | "Only equal width regions can be combined for -E top or bottom"); | ||
119 | @@ -6651,7 +6713,8 @@ | ||
120 | break; | ||
121 | case EDGE_LEFT: /* splice the pieces of each row together, side by side */ | ||
122 | case EDGE_RIGHT: | ||
123 | - if ((i > 0) && (crop_length != crop->regionlist[i - 1].length)) | ||
124 | + if ((crop->selections > i + 1) && | ||
125 | + (crop_length != crop->regionlist[i + 1].length)) | ||
126 | { | ||
127 | TIFFError ("extractCompositeRegions", | ||
128 | "Only equal length regions can be combined for -E left or right"); | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index ef4fa97585..4bd485a10a 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | |||
@@ -32,6 +32,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
32 | file://0001-tiffcrop-S-option-Make-decision-simpler.patch \ | 32 | file://0001-tiffcrop-S-option-Make-decision-simpler.patch \ |
33 | file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \ | 33 | file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \ |
34 | file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \ | 34 | file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \ |
35 | file://CVE-2022-48281.patch \ | ||
36 | file://CVE-2023-0800_0801_0802_0803_0804.patch \ | ||
35 | " | 37 | " |
36 | 38 | ||
37 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" | 39 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" |