diff options
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch | 35 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch | 63 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.6.0.bb (renamed from meta/recipes-multimedia/libtiff/tiff_4.5.1.bb) | 4 |
3 files changed, 1 insertions, 101 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch deleted file mode 100644 index 73f1f37bab..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch +++ /dev/null | |||
@@ -1,35 +0,0 @@ | |||
1 | From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Arie Haenel <arie.haenel@jct.ac.il> | ||
3 | Date: Thu, 14 Sep 2023 04:31:35 +0000 | ||
4 | Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images | ||
5 | (fixes #591) | ||
6 | |||
7 | CVE: CVE-2023-40745 | ||
8 | |||
9 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5] | ||
10 | |||
11 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
12 | --- | ||
13 | tools/tiffcp.c | 7 +++++++ | ||
14 | 1 file changed, 7 insertions(+) | ||
15 | |||
16 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c | ||
17 | index 3b2d1dd..57fa6e8 100644 | ||
18 | --- a/tools/tiffcp.c | ||
19 | +++ b/tools/tiffcp.c | ||
20 | @@ -1754,6 +1754,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) | ||
21 | "Width * Samples/Pixel)"); | ||
22 | return 0; | ||
23 | } | ||
24 | + | ||
25 | + if ( (imagew - tilew * spp) > INT_MAX ){ | ||
26 | + TIFFError(TIFFFileName(in), | ||
27 | + "Error, image raster scan line size is too large"); | ||
28 | + return 0; | ||
29 | + } | ||
30 | + | ||
31 | iskew = imagew - tilew * spp; | ||
32 | tilebuf = limitMalloc(tilesize); | ||
33 | if (tilebuf == 0) | ||
34 | -- | ||
35 | 2.35.5 | ||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch deleted file mode 100644 index cca30b2196..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001 | ||
2 | From: Arie Haenel <arie.haenel@jct.ac.il> | ||
3 | Date: Thu, 14 Sep 2023 04:36:58 +0000 | ||
4 | Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes | ||
5 | #592) | ||
6 | |||
7 | CVE: CVE-2023-41175 | ||
8 | |||
9 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] | ||
10 | |||
11 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
12 | --- | ||
13 | tools/raw2tiff.c | 28 ++++++++++++++++++++++++++++ | ||
14 | 1 file changed, 28 insertions(+) | ||
15 | |||
16 | diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c | ||
17 | index 4ee59e5..a811077 100644 | ||
18 | --- a/tools/raw2tiff.c | ||
19 | +++ b/tools/raw2tiff.c | ||
20 | @@ -101,6 +101,7 @@ int main(int argc, char *argv[]) | ||
21 | int fd; | ||
22 | char *outfilename = NULL; | ||
23 | TIFF *out; | ||
24 | + uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/ | ||
25 | |||
26 | uint32_t row, col, band; | ||
27 | int c; | ||
28 | @@ -221,6 +222,33 @@ int main(int argc, char *argv[]) | ||
29 | if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) | ||
30 | return EXIT_FAILURE; | ||
31 | |||
32 | + /* check for integer overflow in */ | ||
33 | + /* hdr_size + (*width) * (*length) * nbands * depth */ | ||
34 | + | ||
35 | + if ((width == 0) || (length == 0) ){ | ||
36 | + fprintf(stderr, "Too large nbands value specified.\n"); | ||
37 | + return (EXIT_FAILURE); | ||
38 | + } | ||
39 | + | ||
40 | + temp_limit_check = nbands * depth; | ||
41 | + | ||
42 | + if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) { | ||
43 | + fprintf(stderr, "Too large length size specified.\n"); | ||
44 | + return (EXIT_FAILURE); | ||
45 | + } | ||
46 | + temp_limit_check = temp_limit_check * length; | ||
47 | + | ||
48 | + if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) { | ||
49 | + fprintf(stderr, "Too large width size specified.\n"); | ||
50 | + return (EXIT_FAILURE); | ||
51 | + } | ||
52 | + temp_limit_check = temp_limit_check * width; | ||
53 | + | ||
54 | + if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) { | ||
55 | + fprintf(stderr, "Too large header size specified.\n"); | ||
56 | + return (EXIT_FAILURE); | ||
57 | + } | ||
58 | + | ||
59 | if (outfilename == NULL) | ||
60 | outfilename = argv[optind + 1]; | ||
61 | out = TIFFOpen(outfilename, "w"); | ||
62 | -- | ||
63 | 2.35.5 | ||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index 2b5e66b8f3..49984f1125 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | |||
@@ -9,11 +9,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3" | |||
9 | CVE_PRODUCT = "libtiff" | 9 | CVE_PRODUCT = "libtiff" |
10 | 10 | ||
11 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | 11 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ |
12 | file://CVE-2023-40745.patch \ | ||
13 | file://CVE-2023-41175.patch \ | ||
14 | " | 12 | " |
15 | 13 | ||
16 | SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b" | 14 | SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a" |
17 | 15 | ||
18 | # exclude betas | 16 | # exclude betas |
19 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" | 17 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" |