diff options
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch | 29 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch | 99 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch | 39 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.5.1.bb (renamed from meta/recipes-multimedia/libtiff/tiff_4.5.0.bb) | 13 |
4 files changed, 2 insertions, 178 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch deleted file mode 100644 index e356d377ea..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | CVE: CVE-2022-48281 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001 | ||
6 | From: Su Laus <sulau@freenet.de> | ||
7 | Date: Sat, 21 Jan 2023 15:58:10 +0000 | ||
8 | Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. | ||
9 | |||
10 | --- | ||
11 | tools/tiffcrop.c | 2 +- | ||
12 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
15 | index 14fa18da..7db69883 100644 | ||
16 | --- a/tools/tiffcrop.c | ||
17 | +++ b/tools/tiffcrop.c | ||
18 | @@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image, | ||
19 | cropsize + NUM_BUFF_OVERSIZE_BYTES); | ||
20 | else | ||
21 | { | ||
22 | - prev_cropsize = seg_buffs[0].size; | ||
23 | + prev_cropsize = seg_buffs[i].size; | ||
24 | if (prev_cropsize < cropsize) | ||
25 | { | ||
26 | next_buff = _TIFFrealloc( | ||
27 | -- | ||
28 | GitLab | ||
29 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch deleted file mode 100644 index 5fdc1ed013..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch +++ /dev/null | |||
@@ -1,99 +0,0 @@ | |||
1 | From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001 | ||
2 | From: Su_Laus <sulau@freenet.de> | ||
3 | Date: Tue, 14 Feb 2023 20:43:43 +0100 | ||
4 | Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images. | ||
5 | Fix issue 527 | ||
6 | |||
7 | Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value. | ||
8 | |||
9 | Closes #527 | ||
10 | |||
11 | CVE: CVE-2023-26965 | ||
12 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf] | ||
13 | Signed-off-by: Natasha Bailey <nat.bailey@windriver.com> | ||
14 | --- | ||
15 | tools/tiffcrop.c | 47 +++++++++++++---------------------------------- | ||
16 | 1 file changed, 13 insertions(+), 34 deletions(-) | ||
17 | |||
18 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
19 | index d7ad5ca8..d3e11ba2 100644 | ||
20 | --- a/tools/tiffcrop.c | ||
21 | +++ b/tools/tiffcrop.c | ||
22 | @@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, | ||
23 | uint32_t tw = 0, tl = 0; /* Tile width and length */ | ||
24 | tmsize_t tile_rowsize = 0; | ||
25 | unsigned char *read_buff = NULL; | ||
26 | - unsigned char *new_buff = NULL; | ||
27 | int readunit = 0; | ||
28 | - static tmsize_t prev_readsize = 0; | ||
29 | |||
30 | TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); | ||
31 | TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); | ||
32 | @@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, | ||
33 | } | ||
34 | |||
35 | read_buff = *read_ptr; | ||
36 | - /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ | ||
37 | - /* outside buffer */ | ||
38 | - if (!read_buff) | ||
39 | + /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit | ||
40 | + * outside buffer */ | ||
41 | + /* Reuse of read_buff from previous image is quite unsafe, because other | ||
42 | + * functions (like rotateImage() etc.) reallocate that buffer with different | ||
43 | + * size without updating the local prev_readsize value. */ | ||
44 | + if (read_buff) | ||
45 | { | ||
46 | - if (buffsize > 0xFFFFFFFFU - 3) | ||
47 | - { | ||
48 | - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
49 | - return (-1); | ||
50 | - } | ||
51 | - read_buff = | ||
52 | - (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
53 | + _TIFFfree(read_buff); | ||
54 | } | ||
55 | - else | ||
56 | + if (buffsize > 0xFFFFFFFFU - 3) | ||
57 | { | ||
58 | - if (prev_readsize < buffsize) | ||
59 | - { | ||
60 | - if (buffsize > 0xFFFFFFFFU - 3) | ||
61 | - { | ||
62 | - TIFFError("loadImage", | ||
63 | - "Unable to allocate/reallocate read buffer"); | ||
64 | - return (-1); | ||
65 | - } | ||
66 | - new_buff = | ||
67 | - _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
68 | - if (!new_buff) | ||
69 | - { | ||
70 | - free(read_buff); | ||
71 | - read_buff = (unsigned char *)limitMalloc( | ||
72 | - buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
73 | - } | ||
74 | - else | ||
75 | - read_buff = new_buff; | ||
76 | - } | ||
77 | + TIFFError("loadImage", "Required read buffer size too large"); | ||
78 | + return (-1); | ||
79 | } | ||
80 | + read_buff = | ||
81 | + (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); | ||
82 | if (!read_buff) | ||
83 | { | ||
84 | - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); | ||
85 | + TIFFError("loadImage", "Unable to allocate read buffer"); | ||
86 | return (-1); | ||
87 | } | ||
88 | |||
89 | @@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, | ||
90 | read_buff[buffsize + 1] = 0; | ||
91 | read_buff[buffsize + 2] = 0; | ||
92 | |||
93 | - prev_readsize = buffsize; | ||
94 | *read_ptr = read_buff; | ||
95 | |||
96 | /* N.B. The read functions used copy separate plane data into a buffer as | ||
97 | -- | ||
98 | 2.39.0 | ||
99 | |||
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch deleted file mode 100644 index 7db0a35f72..0000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch +++ /dev/null | |||
@@ -1,39 +0,0 @@ | |||
1 | From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001 | ||
2 | From: Even Rouault <even.rouault@spatialys.com> | ||
3 | Date: Sat, 29 Apr 2023 12:20:46 +0200 | ||
4 | Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a | ||
5 | strip whith a missing end-of-information marker (fixes #548) | ||
6 | |||
7 | CVE: CVE-2023-2731 | ||
8 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b] | ||
9 | |||
10 | --- | ||
11 | libtiff/tif_lzw.c | 5 +++++ | ||
12 | 1 file changed, 5 insertions(+) | ||
13 | |||
14 | diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c | ||
15 | index ba75a07e..d631fa10 100644 | ||
16 | --- a/libtiff/tif_lzw.c | ||
17 | +++ b/libtiff/tif_lzw.c | ||
18 | @@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s) | ||
19 | |||
20 | if (sp->read_error) | ||
21 | { | ||
22 | + TIFFErrorExtR(tif, module, | ||
23 | + "LZWDecode: Scanline %" PRIu32 " cannot be read due to " | ||
24 | + "previous error", | ||
25 | + tif->tif_row); | ||
26 | return 0; | ||
27 | } | ||
28 | |||
29 | @@ -742,6 +746,7 @@ after_loop: | ||
30 | return (1); | ||
31 | |||
32 | no_eoi: | ||
33 | + sp->read_error = 1; | ||
34 | TIFFErrorExtR(tif, module, | ||
35 | "LZWDecode: Strip %" PRIu32 " not terminated with EOI code", | ||
36 | tif->tif_curstrip); | ||
37 | -- | ||
38 | 2.34.1 | ||
39 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb index 2bde8fe9d6..5af3f84265 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb | |||
@@ -8,13 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3" | |||
8 | 8 | ||
9 | CVE_PRODUCT = "libtiff" | 9 | CVE_PRODUCT = "libtiff" |
10 | 10 | ||
11 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | 11 | SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz" |
12 | file://CVE-2022-48281.patch \ | ||
13 | file://CVE-2023-2731.patch \ | ||
14 | file://CVE-2023-26965.patch \ | ||
15 | " | ||
16 | 12 | ||
17 | SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464" | 13 | SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b" |
18 | 14 | ||
19 | # exclude betas | 15 | # exclude betas |
20 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" | 16 | UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" |
@@ -22,11 +18,6 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" | |||
22 | # Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 | 18 | # Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 |
23 | # and 4.3.0 doesn't have the issue | 19 | # and 4.3.0 doesn't have the issue |
24 | CVE_CHECK_IGNORE += "CVE-2015-7313" | 20 | CVE_CHECK_IGNORE += "CVE-2015-7313" |
25 | # These issues only affect libtiff post-4.3.0 but before 4.4.0, | ||
26 | # caused by 3079627e and fixed by b4e79bfa. | ||
27 | CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" | ||
28 | # Issue is in jbig which we don't enable | ||
29 | CVE_CHECK_IGNORE += "CVE-2022-1210" | ||
30 | 21 | ||
31 | inherit autotools multilib_header | 22 | inherit autotools multilib_header |
32 | 23 | ||